InfoSec & Forensics Law: cyber evidence, security, commerce, privacy, compliance. A blog by Benjamin Wright (last updated 2024-02-07).

<h1 style="text-align: left;">Asserting Legal Terms in Smart Contract Relationship</h1>
Published 2022-03-22.
<p>Blockchain and smart contract commerce are expanding rapidly. Parties do business relying on software to execute transactions as intended. But software can be flawed, and one trading partner can behave in a way that the other partner did not expect.</p>
<p>Here is an example of an alleged software flaw that has given rise to a lawsuit: the owner of a non-fungible token says a flaw in the NFT platform OpenSea allowed a hacker to steal the NFT. In February the owner sued OpenSea in federal court seeking compensation. McKimmy v. OpenSea (Civil Action No. 4:22-CV-00545), S. District of Texas.</p>
<p>Often, the legal expectations in a smart contract are not well articulated. Example from the Livepeer Web 3.0 ecosystem: the holder of an LPT token might <a href="https://hack-igations.blogspot.com/2022/03/staking-tokens-in-ethereum-web-30.html" target="_blank">"stake" the token with an orchestrator (node operator)</a>, expecting the financial returns advertised by the orchestrator.</p>
<p>Livepeer is based on Ethereum, but uses some words that are different from the usual words in Ethereum. Use of different words could cause legal confusion.</p>
<p>The precise, easy-to-understand legal relationship between the parties might not be stated anywhere. One response from the token holder would be to communicate terms to the orchestrator unilaterally.</p>
<p>The token holder might, for example, send an email to the orchestrator saying something roughly like this: "These are the terms on which I delegate (stake) my LPT token with you. You agree to these terms by moving forward with our relationship. You will give me rewards XYZ. You will provide me those rewards even if Livepeer software fails to deliver those rewards to me. Neither you nor your creditors may assert control over my token beyond what is considered 'staking' generally within the Ethereum community. If I successfully sue you to enforce these terms, you will pay my attorney's fees. These terms are governed by the law of the state of ABC."</p>
<p>Be careful when stating terms this way. A party like the token holder should not state terms that are unfair or onerous. The stated terms should honestly reflect the expectations of the parties based on the context. Fairness and honesty go to the core of good human relations (justice and human dignity) and are much more likely to win favor in court.</p>
<p>What do you think?</p>
<p>(This post is just for public discussion and not legal advice for any particular situation.)</p>
Benjamin Wright

<h1 style="text-align: left;">Staking Tokens in Ethereum, Web 3.0</h1>
Published 2022-03-22.
<p>I am studying Web 3.0 in the Ethereum ecosystem. I don't understand much yet. As research, I think out loud here, in public. I'm looking at an example Web 3.0 project, Livepeer, a decentralized blockchain platform for video streaming, which delivers a concrete, real-world service.</p>
<p>Livepeer issues a token called LPT, which powers the blockchain, causing the video streaming service to operate. Someone who purchases LPT tokens has the option to delegate (stake) those tokens with a different party, an "orchestrator." This process of delegating (staking) tokens is common in the Ethereum world. Ethereum is a proof-of-stake blockchain, and participants cause the blockchain to function by proving they have staked so many tokens. Participants thereby earn rewards.</p>
<p>In Livepeer, the participants, that is, the orchestrators (aka node operators), need tokens they can "stake" so they can cause ("fuel") the Livepeer blockchain to function and so they can earn rewards.</p>
<p>In Livepeer, multiple orchestrators compete to persuade LPT holders to delegate/stake LPT tokens with each orchestrator. Each orchestrator publishes terms indicating the orchestrator will take a stated cut of rewards earned from using staked tokens and will deliver a stated reward to the token holder.</p>
<p>I'll bet the relationship between orchestrator and token holder is governed by a "smart contract." But, around that smart contract could be legal problems. The smart contract code might be flawed. Or surprises like bankruptcy could happen. So I imagine disputes between orchestrator and token holder. I'll bet there's room for written terms and conditions between orchestrator and token holder. Ts&Cs might address: Is the orchestrator legally liable if the process doesn't work as the token holder expects? Is that liability limited or unlimited? Are there circumstances where the orchestrator or its creditors may seize staked tokens or the rewards?</p>
<p>I'll bet there is industry custom within the Ethereum world answering these kinds of questions, but I'll bet that custom is often ambiguous.</p>
<p>I imagine one party or the other publishing Ts&Cs, stating if we do business, here are the terms. I wonder whether there are any standard Ts&Cs for orchestrators and token holders in the Ethereum world.</p>
<p>I imagine one party publishing terms that conflict with the published terms of the other party. This conflict would manifest a new instance of an old controversy in contract law: "battle of the forms" (a topic in my SANS LEG523 course).</p>
<p>Can anyone enlighten me? What have I gotten wrong? Where can I find insights on the questions above? Thanks!</p>
Benjamin Wright

<h1 style="text-align: left;">Complying with GDPR when Transferring EU Data to US</h1>
Published 2021-08-11.
<p>Authorities on both sides of the Atlantic struggle to find a convenient way to support the transfer of personal data from the European Union to the United States. Here I discuss possible paths forward: <a href="https://www.unboundsecurity.com/blog/data-privacy-protection-from-eu-to-usa/">https://www.unboundsecurity.com/blog/data-privacy-protection-from-eu-to-usa/</a></p>
Benjamin Wright

<h1 style="text-align: left;">GDPR as Barrier to Market Entry?</h1>
Published 2018-10-24.
<div dir="ltr" style="text-align: left;" trbidi="on">
Tim Cook's embrace of the EU's General Data Protection Regulation (GDPR) is a major development. All of us in infosec need to pay attention.<br />
<br />
But Cook's privacy vision challenges organizations, large and small: How in practice does any organization actually comply with GDPR's vague standards? GDPR's principles are easy to express in a speech on stage. But they are difficult to understand and apply in diverse organizations on a day-to-day basis.<br />
<br />
A substantial step any organization can take is to appoint a chief data protection officer (or something like that). But the appointment and genuine support of a DPO entails a great deal of work by policy and legal professionals.<br />
<br />
What Cook does not acknowledge is that it is relatively easy for a trillion-dollar company (Apple) to throw armies of lawyers and policy wonks at the task of privacy "compliance." But it is much more difficult for smaller and start-up organizations.<br />
<br />
Vague privacy standards can become a barrier to entry into the market. If small organizations lack the bureaucratic resources to debate and evaluate privacy day-in and day-out, then large corporations have a new competitive advantage. When Apple started in a garage it could not afford a team of wonks and lawyers to evaluate and document privacy compliance. Apple is different today.<br />
<br />
I do not question Tim Cook's sincerity or good faith.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/kVhOLkIs20A/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/kVhOLkIs20A?feature=player_embedded" width="320"></iframe></div>
<br /></div>
Benjamin Wright

<h1 style="text-align: left;">Three reasons investigators should take the Law of Data Security and Investigations (SANS Legal 523 course)</h1>
Published 2018-05-07.
<div dir="ltr" style="text-align: left;" trbidi="on">
I have the honor of teaching a 5-day course at the SANS Institute: "Law of Data Security and Investigations" (SANS <a href="https://www.sans.org/course/law-data-security-investigations" target="_blank">Legal 523</a>).<br />
<br />
The course is an intensive bootcamp on how to manage risk in cyber law, including GDPR, privacy, contracts, data breaches, forensic investigations and other kinds of cyber attacks. It emphasizes the careful selection of words -- in reports, policies, contracts, answers to infosec questionnaires and the like -- to achieve a better outcome from a legal controversy.<br />
<br />
An important audience for the course is the cyber investigator, including an incident responder, a penetration tester and a digital forensic expert.<br />
<br />
Here are three reasons investigators should take the course.<br />
<br />
<b>1. To understand the unpredictable ways your evidence might be used in law.</b><br />
<br />
Cyber investigators are busy these days. There is so much evidence to collect and evaluate from computers, the cloud, mobile devices and so on. Many investigators lack training to help them understand all the different ways their evidence might be used, such as in civil or criminal court, in arbitration, in contract disputes, in business negotiation and in internal decision-making. When investigators learn to see how many different (and unpredictable) ways their evidence might be used, they will follow different procedures and prepare better reports.<br />
<br />
<b>2. To learn how to promote yourself as a professional skeptic.</b><br />
<br />
The course teaches that it is very common for cyber evidence to be misinterpreted. Cyber investigators can reduce misinterpretation by learning to be professional skeptics about evidence. They learn how to avoid jumping to conclusions about evidence and thereby help others, such as their management, to make better legal decisions about the evidence. The course teaches specific techniques for exercising and promoting professional skepticism.<br />
<br />
<b>3. To obtain GLEG certification that burnishes your credentials.</b><br />
<br />
Like other leading SANS courses, Legal 523 comes with a GIAC exam. If a student passes the exam, they are awarded the <a href="https://www.giac.org/certification/law-data-security-investigations-gleg" target="_blank">GLEG</a> certification.<br />
<br />
A GLEG certification can help to confirm to an employer that an investigator has completed rigorous training in the law applicable to cyber investigations. In addition, GLEG certification can inform an authority such as a judge or regulator that the investigator possesses cyberlaw qualifications.<br />
<br />
The course is delivered in live classrooms and online.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsB4eCLs7YBvNaBAbYPDoDsXQQvIWSE_RW_JZ4BzchnPKucyhyphenhyphenwgwu2WgLD4kdZKX9TzhyphenhyphenuGDPU7B6iPi1wimG2MfHP-z0y6ju2MdWRj9H0_pfIxmvqUUCh2XokW76tSNQTZhaPhnER2k/s1600/cyberlaw+training.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1025" data-original-width="1600" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsB4eCLs7YBvNaBAbYPDoDsXQQvIWSE_RW_JZ4BzchnPKucyhyphenhyphenwgwu2WgLD4kdZKX9TzhyphenhyphenuGDPU7B6iPi1wimG2MfHP-z0y6ju2MdWRj9H0_pfIxmvqUUCh2XokW76tSNQTZhaPhnER2k/s320/cyberlaw+training.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Learning Investigation Law</td></tr>
</tbody></table>
Photo credit: @chrisfurtick</div>
Benjamin Wright

<h1 style="text-align: left;">Online Cyber Law Training</h1>
Published 2017-05-23.
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/awOUFsN9ezw/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/awOUFsN9ezw?feature=player_embedded" width="320"></iframe></div>
<br />
The <a href="https://www.sans.org/ondemand/course/law-data-security-investigations" target="_blank">OnDemand version</a> of SANS Institute's Legal 523 course "Law of Data Security and Investigations" is popular with students in a hurry. The course is paired with the coveted GLEG certification.<br />
<br />
Another reason some students prefer the OnDemand version is it allows them to absorb the material in bite-sized chunks. You can listen for a few minutes, stop the audio, read the notes, think, and then continue.</div>
Benjamin Wright

<h1 style="text-align: left;">EU's General Data Protection Regulation</h1>
Published 2017-05-01.
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
SANS Institute Publishes White Paper by Benjamin Wright</h2>
<h3 style="text-align: left;">
Executive Summary</h3>
Adoption of the new General Data Protection Regulation (GDPR) is motivating organizations worldwide to improve existing technical controls for securing personal information. Organizations should be especially aware that the GDPR and other recent legal developments amplify the negative repercussions of a data security breach -- meaning organizations have increased incentives to avoid a breach.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyX53fAjJ7mz2tR65Tc9MzeOgPLRdbpx8HzQSb-WnqpvY1bOy8wJOon9qBmW0v1pE1CgGrGuwULXTAkpO9oIe4rzbG5kkM3qKO9VhMIJ7TB64FpJBJqm67hCRbwxdb9ugMinaHDPaSkCQ/s1600/Compliance.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyX53fAjJ7mz2tR65Tc9MzeOgPLRdbpx8HzQSb-WnqpvY1bOy8wJOon9qBmW0v1pE1CgGrGuwULXTAkpO9oIe4rzbG5kkM3qKO9VhMIJ7TB64FpJBJqm67hCRbwxdb9ugMinaHDPaSkCQ/s320/Compliance.JPG" width="320" /></a></div>
<br />
Data security law in Europe continues to evolve. Enactment of the GDPR, which takes effect May 25, 2018, will impose formal, new data security requirements on organizations within the European Union, affecting many companies.<br />
<br />
In parallel, in October 2016, France adopted the Digital Republic Bill. It dramatically increases fines on those organizations that fall short on security. For larger, multinational organizations, these types of new security regulations reflect three major trends:<br />
<br />
<br />
<ul style="text-align: left;">
<li>Greater potential monetary penalties imposed by regulators</li>
<li>More rules for disclosure of data breaches</li>
<li>Increased exposure to diverse proceedings and investigations into whether data security is adequate</li>
</ul>
<br />
As a consequence, larger organizations should begin immediately to redouble the implementation of information security controls and technologies, which includes automated IT security monitoring, testing and measuring.<br />
<br />
This paper provides recommendations and a checklist for technical compliance with the GDPR. These recommendations are equally imperative for avoiding a painful data security breach. Included are several case studies showing how companies can effectively use advanced technology for regulatory compliance and reduced breach risk.<br />
<br />
Read the full paper titled <a href="https://www.sans.org/reading-room/whitepapers/legal/preparing-compliance-general-data-protection-regulation-gdpr-technology-guide-security-practitioners-37667" target="_blank">Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners</a>.</div>
Benjamin Wright

<h1 style="text-align: left;">How to Keep InfoSec Investigation Secret</h1>
Published 2017-01-19.
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Confidentiality Labels as Compliance with Professional Ethics</h2>
In the investigation of a data security incident, proper use of confidentiality labels can help a lawyer or other professional show they are complying with ethical requirements for confidentiality.<br />
<br />
Consider the American Bar Association Model Rules of Professional Conduct, “Client-Lawyer Relationship, Rule 1.6 Confidentiality of Information.” Rule 1.6(c) reads, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”<br />
<br />
Official commentary to that Rule says: “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. … Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”<br />
<br />
<h2 style="text-align: left;">
<a href="https://twitter.com/benjaminwright/status/744929689601380352" target="_blank">Not Every Security Incident is a Breach</a></h2>
<br />
So let’s consider how this Rule 1.6(c) might apply to a data security investigation. A data security investigation can be very sensitive for an enterprise. The investigation can require much work and analysis to determine the legal impact of a security incident. The analysis may conclude that the enterprise has suffered a data security “breach” for which notice must be given and for which the enterprise is legally liable. On the other hand, the analysis may conclude there was no “breach” and therefore no requirement for notice and no liability.<br />
<br />
Accordingly, it is in the best interests of the enterprise that the investigation be kept legally confidential. The enterprise does not want its legal adversaries (such as regulators or class action plaintiff lawyers) to know anything about the investigation. If the adversaries possess details from the investigation, they might use those details to penalize, hassle or assert liability against the enterprise.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXQ6LRabQECPCQnFuPoJHyb8zSP85iaYZ8jtKsDDRM7d1qTJL_WiUo33DWAjrO_076jWaW3Aqj6N15c8eIPlqFlfr5qDO-ok__d_jCWKuizyc2Hr7mV6ZLR2bGjSqs_EWX38wh6V0UtA/s1600/Secrecy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXQ6LRabQECPCQnFuPoJHyb8zSP85iaYZ8jtKsDDRM7d1qTJL_WiUo33DWAjrO_076jWaW3Aqj6N15c8eIPlqFlfr5qDO-ok__d_jCWKuizyc2Hr7mV6ZLR2bGjSqs_EWX38wh6V0UtA/s320/Secrecy.jpg" width="320" /></a></div>
An attorney working for the enterprise can help to promote the confidentiality of the investigation -- and all information and communications related to it -- by ensuring that the information and communications are properly labeled as “Confidential attorney-client communication,” “Confidential attorney work product created in preparation for dispute” or something like that.<br />
<br />
In many cases law respects confidentiality associated with attorney communications and work. For this reason, non-lawyer professionals, like infosec experts, are motivated to involve a lawyer in their investigations.<br />
<br />
Labels like those above can be powerful to prevent the unintended or unauthorized disclosure of sensitive information. The labels warn anyone who sees the information (police, vigilantes, regulators, contractors, employees, whistleblowers and so on) that it is confidential and protected by law. The labels can also help to prevent disclosure of the information through legal process such as a <a href="http://hack-igations.blogspot.com/2012/08/demand.html" target="_blank">subpoena</a>, a police raid or discovery in a civil lawsuit.<br />
<br />
Thus, the labels would be a crucial part of a lawyer’s reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information belonging to the lawyer’s enterprise client. Furthermore, the labels could be evidence of a reasonable expectation by the lawyer that the information will be treated as confidential by law.<br />
<br />
In other words, proper use of these labels can help an infosec lawyer comply with ethics Rule 1.6(c) quoted above.<br />
<div>
-<a href="https://plus.google.com/+BenjaminWright1" rel="author" target="_blank">Benjamin Wright</a></div>
</div>
Benjamin Wright

<h1 style="text-align: left;">How to Make a Legal Recording of Mixed Reality</h1>
Published 2016-12-28.
<div dir="ltr" style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
Evidence of Digital Interaction in Physical Space</h3>
<div>
<br />
This blog post teaches how to make an evidence-rich record of <i>mixed reality</i>. Mixed reality is like virtual or augmented reality, but doesn’t necessarily involve a headset. It shows information from both the real world and the cyber world (e.g., "<a href="http://hack-igations.blogspot.com/2013/09/permission.html" target="_blank">nearables</a>," wearable computers or <a href="http://hack-igations.blogspot.com/2014/01/sensors.html" target="_blank">SCADA devices</a>). The information in a mixed reality environment can be much more complex than what a user perceives through a virtual reality headset.<br />
<br /></div>
<h2 style="text-align: left;">
The Internet of Things (IoT) Creates a Mixed Reality.</h2>
<div>
<br />
In the video below the mixed reality involves interaction among a Bluetooth location Tile, the apps on a smartphone and the cameras and microphone on the phone. As the video is made, the phone is physically moving from one place to another.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0aFvCKTYroV0FA-ZpmUpSuOfP3Gk5ByIAQV4bjthyjlpAUPJ9H5ymMfjAtqEVp2Ge-yrMII62C4e-H8QPJjYhJl8gsyHXJk-SCg8VesGI9iYrqmqmhJk8qDYw_vcr7yUGHzUe0oOCgME/s1600/Bluetooth+Tile.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0aFvCKTYroV0FA-ZpmUpSuOfP3Gk5ByIAQV4bjthyjlpAUPJ9H5ymMfjAtqEVp2Ge-yrMII62C4e-H8QPJjYhJl8gsyHXJk-SCg8VesGI9iYrqmqmhJk8qDYw_vcr7yUGHzUe0oOCgME/s320/Bluetooth+Tile.jpg" title="Sounds and Bluetooth Signals " width="181" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Internet of Things - Attached to pet cat</td></tr>
</tbody></table>
</div>
<div>
Details of the interaction are memorialized in a video that shows:</div>
<div>
<ul style="text-align: left;">
<li>images and sounds from the real, physical world;</li>
<li>activity happening on or through the phone;</li>
<li>sounds and Bluetooth signals emitted from the tracking Tile (which is attached to a cat) when the Tile is prompted by an app on the phone;</li>
<li>distinctive visual change in the Tile app as the phone draws nearer to the physical location of the cat:
<ol>
<li>the circle displayed in the app changes from gray, to dotted green, to solid green;</li>
<li>then the Tile icon in the app swings back and forth to show the physical Tile is emitting sounds that can be heard through the air (you can actually hear the sound from the Tile as it is detected by the microphone on the smartphone).</li>
</ol>
</li>
</ul>
</div>
<div>
The video includes narration from an eyewitness -- the “investigator” -- who explains what is happening in real time.<br />
<br />
<h2 style="text-align: left;">
The Video Records Images from Both the Front Camera and the Back Camera on the Phone.</h2>
In parts of the video, the investigator appears on the left side. When the investigator appears, the investigator is being recorded with the front-facing camera on the phone. The right side of the video shows what the investigator sees and records with the back-facing camera on the phone.<br />
<br />
The narrated explanation helps the observer – such as a judge or jury who watches the video in the future – understand and believe the evidence so that the observer can reach legal conclusions. (Examples of legal conclusions are that a party is guilty, or innocent, or liable, or trespassing or in compliance with a regulation.)<br />
<br />
Notice that the sound of the narrator's voice changes as he walks with the phone. The phone's microphone picks up an echo as the narrator walks through a narrow space (a stairwell). Subtle details like this could have forensic significance when the video is analyzed later. They help to show whether the video is fake or authentic. </div>
<div>
A video record like this might be valuable in resolving:</div>
<div>
<ul style="text-align: left;">
<li>a lawsuit</li>
<li>a tax audit </li>
<li>a police investigation </li>
<li>a child custody dispute</li>
<li>a dispute over assets in probate court</li>
<li>a response to an information security incident </li>
</ul>
</div>
<div>
The video reliably captures facts as they appear at the time. It captures the facts in chronological sequence. The video is a version of <a href="http://hack-igations.blogspot.com/2013/11/objective-evidence.html" target="_blank">"screencast" evidence record</a> I have explained elsewhere.<br />
<br /></div>
<iframe allowfullscreen="" frameborder="0" height="260" src="https://www.youtube.com/embed/UVRIUklkMtk" width="400"></iframe>
<br />
<h2 style="text-align: left;">
Mixed Reality Is Here Only Momentarily.</h2>
<div>
<br />
The facts captured in a video like this might be ephemeral. They might not be reproducible later. The digital world is in constant flux. For example, the Tile might behave a certain way at the time the video is made, but behave a different way an hour later due to an update to the software that runs the Tile or the app that controls it on the phone.</div>
<div>
The investigator lends credibility to the video record by ending his narration with a legally binding statement of <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2010/10/video-authentication.html" target="_blank">authentication</a>: “I Ben Wright hereby sign and affirm this video as my official work.” He concludes by stating date and time with his voice and his lips. That date/time statement can be linked with related representations of the <a href="http://hack-igations.blogspot.com/2011/11/electronic-contracts.html" target="_blank">date and time</a>, including the time displayed on the screen of the phone itself in the final moments of the video. The representations of date and time make it harder for a fraudster to counterfeit or manipulate the video later.</div>
<h2 style="text-align: left;">
Trustworthiness Depends on the Investigator’s Credibility.</h2>
<div>
<br />
Obviously the investigator could fabricate this video, just as other eyewitnesses could fabricate their testimony about what they saw. But if the investigator has a good reputation, then the observer of the video (judge or jury) has more reason to believe what is depicted in the video.</div>
<div>
The video can serve as evidence of what happened, even if the investigator is not available later to vouch for it.<br />
<br />
Legal records like this video might be needed in court many years after their original creation. Therefore the multitude of visual and auditory details captured in the video, together with the voice authentication stated by the investigator, can be invaluable to a court that is trying to understand and evaluate what happened long ago.</div>
<h2 style="text-align: left;">
Video is Efficient Tool for Professional Investigator.</h2>
<div>
<br />
Historically a professional investigator made records by snapping a few photographs and writing a text report. But to write a report takes a long time. This video captures a great deal of compelling evidence in a short time.</div>
<div>
Notice that the end of the video records details about how the video was made. For example it shows the video was captured with the AZ Screen Recorder App. Details like that might help answer questions by a judge if the video were used in court.<br />
<br />
<h2 style="text-align: left;">
Mixed Reality is Rapidly Growing More Common.</h2>
The modern world sports a spellbinding array of digital devices and sensors that can detect and transmit information useful to an investigator such as a police officer. Mixed reality devices include:<br />
<ul style="text-align: left;">
<li><a href="http://hack-igations.blogspot.com/2013/12/robot-sensor.html" target="_blank">drones</a></li>
<li>security cameras and microphones</li>
<li><a href="http://hack-igations.blogspot.com/2008/03/robots-as-keepers-of-legal-records.html" target="_blank">robots</a> </li>
<li><a href="http://hack-igations.blogspot.com/2013/10/partnership.html" target="_blank">telepresence</a> or video conference systems</li>
<li><a href="http://hack-igations.blogspot.com/2013/11/risk.html" target="_blank">telemedicine</a> monitors</li>
<li><a href="https://cyber-defense.sans.org/blog/2016/02/16/automotive-infotainment-systems-collect-sensitive-data/" target="_blank">automotive infotainment</a> systems</li>
<li>vehicle navigation displays</li>
<li><a href="http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/" target="_blank">Fitbits</a></li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ZJ8iiclCFWDkZEd7zAguTYzA46-JkfMqXYh_QMS6dupjsq_ZOddc1YRmoFRM91nfNjLYrRTD11-Rxz5GvselzzbMRh6JWaLOBcoxvq9qgf2_Z8Ke5c1VW741j8Up-kg48VT8sRv2OzI/s1600/Fitness+Tracker.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ZJ8iiclCFWDkZEd7zAguTYzA46-JkfMqXYh_QMS6dupjsq_ZOddc1YRmoFRM91nfNjLYrRTD11-Rxz5GvselzzbMRh6JWaLOBcoxvq9qgf2_Z8Ke5c1VW741j8Up-kg48VT8sRv2OzI/s320/Fitness+Tracker.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fitbit</td></tr>
</tbody></table>
<div>
<br /></div>
<h2 style="text-align: left;">
The backup camera/sensor on a car begets a mixed reality. </h2>
<div style="text-align: left;">
The driver sees a video image from the camera. But the driver experiences much more than just a video image.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuiI8H5qb18oH9FL787Cw2Q1g_ZH4ZNuPae9mM2zDlTG7_GPaSRzdRAUZvQmzBHq9cV2voUv0w7uFApH2MQ3Rd8tIwSujZLpXSfWqqYGWb4aOdXf5Ls9eRc_59Tueb8w4kPDXBZT9KYKk/s1600/Backup+sensor.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuiI8H5qb18oH9FL787Cw2Q1g_ZH4ZNuPae9mM2zDlTG7_GPaSRzdRAUZvQmzBHq9cV2voUv0w7uFApH2MQ3Rd8tIwSujZLpXSfWqqYGWb4aOdXf5Ls9eRc_59Tueb8w4kPDXBZT9KYKk/s320/Backup+sensor.jpg" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Mixed Reality for Motorist</td></tr>
</tbody></table>
Superimposed on the image are colored guidelines. Plus the system, which includes multiple cameras and sensors, presents a simulated image of what the car and its surroundings look like from 20 feet above! (Cool)<br />
<br />
The cameras/sensors may emit audio if the car approaches danger. Moreover, the sensors may give the driver <a href="http://hack-igations.blogspot.com/2016/02/virtualrealityterms.html" target="_blank">haptic feedback</a> through the driver's seat. All of this "reality" transpires in a physical space where the driver also directly hears, sees and feels what is happening in and around the car.</div>
<br />
I invite your comments.</div>
<div>
<br /></div>
<div>
--<a href="https://plus.google.com/+BenjaminWright1?rel=author" target="_blank">Benjamin Wright</a></div>
<div>
<br /></div>
<div>
Related Blog Posts: </div>
<div>
<br /></div>
<div>
<a href="http://hack-igations.blogspot.com/2015/12/virtual-reality.html" target="_blank">Legal Video of Augmented Reality</a></div>
<div>
<br /></div>
<div>
<a href="http://hack-igations.blogspot.com/2014/08/video-testimony.html" target="_blank">How to Record Evidence from a Mobile Device</a></div>
<div>
<br /></div>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-18743753220308691032016-02-11T13:10:00.000-08:002017-02-06T11:58:18.550-08:00How to Write Terms of Service for Virtual Reality<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="line-height: 100%;">Legal contracts will
pervade and regulate virtual reality. Just as end user license
agreements (<a href="http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html" target="_blank">EULA</a>) govern the use of software, legal <i>terms of use</i> will govern virtual
reality "space." Some terms of use will be like No
Trespassing signs. Others will be warnings or disclaimers of
liability. </span><br />
<span style="line-height: 100%;"><br /></span>
<span style="line-height: 100%;">Like the terms of use for web sites or mobile apps, some virtual reality terms of use will prohibit unauthorized activity (example: "You agree not to simulate sexual acts.").</span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<h2 style="text-align: left;">
Legal Notices Are
Common.</h2>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Modern life is
filled with legal notices and contracts. For example, as a visitor
enters a physical building, it is common that the manager of the
building will notify the visitor -- with a legible sign -- that guns
are prohibited inside the building. Notices like this can be legally
enforceable against a visitor: bring a gun into that building, and
you can be ejected and perhaps arrested.<br />
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjADrHneRJLpwrnMTEL-6yA25jspX4qmtgYkU5QnZA4-7owCIkkKdIetURLJz01ZQOlHbcPUGDX7gW41EJC4bumjjbNGZ5Ns0HHoPL_CTWp1ppGhAXC0e3O4D9G6xQdrzr3ECSPbTJTOMU/s1600/Trespass.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjADrHneRJLpwrnMTEL-6yA25jspX4qmtgYkU5QnZA4-7owCIkkKdIetURLJz01ZQOlHbcPUGDX7gW41EJC4bumjjbNGZ5Ns0HHoPL_CTWp1ppGhAXC0e3O4D9G6xQdrzr3ECSPbTJTOMU/s320/Trespass.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Property Rules</td></tr>
</tbody></table>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<h2 style="text-align: left;">
Legal Terms in VR
Could Impose a Binding Contract.</h2>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
In a virtual reality
environment, the terms of use could cover myriad topics. They could
confirm the intellectual property rights of the VR developer. Or they
could restrict the legal power of a user to violate intellectual
property (e.g., a work of art) by, for instance, forbidding the user
from recording the property.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjNeLafTXUKrh7tM4APk7Gvbsfds81jWs21O-0V2Rpii6eeFs3UmOrs7LooCNk0frBUZem_rksOUkJmZEwacU3hctbIZFD3FzLEOaCHCySQoVUuHiIpGDVCZgwx6LGkzjcZTHt10UF6gs/s1600/Augmented+Reality.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="virtual reality contract" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjNeLafTXUKrh7tM4APk7Gvbsfds81jWs21O-0V2Rpii6eeFs3UmOrs7LooCNk0frBUZem_rksOUkJmZEwacU3hctbIZFD3FzLEOaCHCySQoVUuHiIpGDVCZgwx6LGkzjcZTHt10UF6gs/s320/Augmented+Reality.PNG" width="187" /></a></div>
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
The terms could
limit the power of a user to sue the developer if its data security
is weak. (Example: "You give us your personally-identifiable
information at your own risk. We cannot assure the security of your
information, and we take no liability for any compromise of your
information.")</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Or ... the terms
could impose legally-binding fees on a visitor. (Example: "If
you enter this virtual room, you agree to pay VR Dev, Inc. $5.")</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Enforcement of terms
would often require gathering evidence of the terms and how they
appeared in the virtual space. See blog post about capturing <a href="http://hack-igations.blogspot.com/2015/12/virtual-reality.html" target="_blank">legal evidence in virtual or augmented reality</a>. </div>
<div style="line-height: 100%; margin-bottom: 0in;">
<h2 style="text-align: left;">
Legal Terms Might Be
Enforced on Bots.</h2>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Google reported that
its DeepMind bot is able to <a href="http://www.popsci.com/google-deepminds-algorithm-can-now-explore-3d-mazes" target="_blank">navigate a Doom-like 3D maze</a> similar to
how a physical robot can navigate through a physical building. Cool.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
But when a bot
visits a virtual space, legal terms -- written in natural language
not robot language like robots.txt -- might be imposed on it, even
though no human actually set eyes on the terms or interprets the
legal meaning of the terms.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Why do I say that?
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Refer to the famous
case <i>Internet Archive v. Shell</i>. Ms. Shell published a web site, and
posted legal terms on that site. The terms said that any visitor to
the site agreed by contract that if it made a copy of a page from the
site it would pay Ms. Shell $5000 per page. Internet Archive engages
in the public service of archiving the Web. Using an automated
program (a bot), Internet Archive made copies from Ms. Shell's
website. Then, Ms. Shell sued Internet Archive for breach of
contract, seeking money! Internet Archive argued in court that it was
impossible for it to enter a contract with her because the copying
was performed by an automated program and no human had reviewed the
terms posted on Ms. Shell's site.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
However, on a
first-blush review, the court sided with Ms. Shell. The <a href="http://cyberlaw.stanford.edu/blog/2007/03/action-against-internet-archive-breach-contract-will-proceed" target="_blank">court ruled</a>
she had sufficiently proven the possibility of breach of contract so
as to force the lawsuit into deeper proceedings.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
The risk of deeper
proceedings meant greater cost to Internet Archive and the
possibility of an embarrassing loss in court.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Then Internet
Archive and Ms. Shell <a href="https://en.wikipedia.org/wiki/Suzanne_Shell" target="_blank">settled their dispute</a>. Internet Archive apologized to her,
and she accepted the apology. She dropped her demand for money from Internet Archive.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Ms. Shell achieved a
victory and established the possibility that a bot could be legally
bound to contract terms communicated by natural language.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<h2 style="text-align: left;">
Legal Notices Will
Be Published as Audio.</h2>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
When Time Magazine's
Lisa Eadicicco tried Microsoft's HoloLens, what surprised her were
the sounds. Through HoloLens, she saw 3D objects as she expected. But
she did not anticipate that the audio would be so meaningful.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
She could hear
objects that were out of view! <a href="http://time.com/4190843/microsoft-hololens-demo-2016/" target="_blank">She reported</a>
that she could hear them moving, similar to how we can hear creatures
moving in real space, even though we don't see them. In other words,
a rich VR experience will communicate by way of audio as much as by
video.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Accordingly, some
legal notices and contracts will be posted as audio, and/or they will
attract attention by audio. For instance, as a VR explorer enters a
landscape, she may hear a certain tone to indicate that <a href="http://hack-igations.blogspot.com/2013/10/protect-privacy.html" target="_blank">legal terms apply</a>
to that landscape and she can read them if she so elects.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<h2 style="text-align: left;">
Notice of a Contract
Might Be Given By Haptic Vibration.</h2>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Instead of audio,
however, legal notices might bring attention to themselves through
<a href="http://hack-igations.blogspot.com/2015/12/virtual-reality.html" target="_blank">haptic feedback</a>. For instance, a little vibration on the left side of
a headset might indicate that</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
<ul style="text-align: left;">
<li><span style="line-height: 100%;">a legal notice is
present,</span></li>
<li><span style="line-height: 100%;">the legal notice
is binding, and</span></li>
<li><span style="line-height: 100%;">the user can
access the notice (similar to clicking "Legal Terms" link
at bottom of web page) if the user so desires.</span></li>
</ul>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="line-height: 100%;">I am interested to
hear comments on this topic.</span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
--<a href="https://plus.google.com/+BenjaminWright1?rel=author" target="_blank">Benjamin Wright</a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
See also:<br />
<br />
<ol style="text-align: left;">
<li>How to make a <a href="http://hack-igations.blogspot.com/2016/12/video-proof.html" target="_blank">legal recording of a "mixed reality</a>" experience.</li>
<li>Legal measures brand and property owners may take to <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2011/09/qr-eula.html" target="_blank">regulate augmented reality</a>. </li>
</ol>
</div>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-62425228801046463502016-01-04T13:27:00.002-08:002017-03-23T12:00:49.927-07:00How to Write Information Security Policy<div dir="ltr" style="text-align: left;" trbidi="on">
In the 5-day SANS Institute course called "Legal 523," <a href="https://www.sans.org/course/law-data-security-investigations" target="_blank">Law of Data Security and Investigations</a>, I teach these general tips for how to write infosec policy for an organization. These tips are equally applicable to responding to a cyber security questionnaire from a regulator, a cyber insurer or a corporate customer.<br />
<br />
1. The organization is wise to have some kind of written Risk Assessment. For a less-complex organization, the Risk Assessment need not be very long, but a Risk Assessment shows the organization is evaluating infosec risk (such as risk of breach of credit card data) and setting priorities based on that risk.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9t1g5N7LBjx9zHhLyaDtDaZJMC7dX6_b3IWzX5LcBp5ns7qgABp3z7bPsBarr_5tyU50HYH8dbcUTWD7czuzLTeWiZKhB6Ar9gtkHqopIXuT42b2H92AS-636kYY3_PqYq_wsKv8rn_I/s1600/IMAG0333+%25282%2529.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9t1g5N7LBjx9zHhLyaDtDaZJMC7dX6_b3IWzX5LcBp5ns7qgABp3z7bPsBarr_5tyU50HYH8dbcUTWD7czuzLTeWiZKhB6Ar9gtkHqopIXuT42b2H92AS-636kYY3_PqYq_wsKv8rn_I/s200/IMAG0333+%25282%2529.jpg" width="77" /></a></div>
2. The organization is wise to identify a high officer as having responsibility for overseeing privacy and data security.<br />
<br />
3. As I explain in the course, I like this statement as an accurate, overarching rule of infosec policy: "Company strives to maintain a reasonable, continuous process for implementing, reviewing, improving and documenting security and privacy in information technology. This process places more emphasis on the never-ending professional efforts of Company's IT staff than on paperwork, recognizing perfection is impossible." I like making clear in all policies that the quoted language is the ultimate policy, and everything else is subordinate to that quoted language.<br />
<br />
4. As I teach in the course, I am wary of any statements of absolute in policy. When an organization says that the organization "will" or "must" or "shall" do anything in IT, the organization is setting itself up for potential failure. No organization can always do any particular IT thing. Therefore, I prefer using words like "the organization strives …" or "the organization aspires …". And of course, if an organization says that it strives or aspires to do some thing, then the organization should in fact work hard to do that thing.<br />
<br />
5. An organization can responsibly require staff to do certain things (assuming those things are in fact achievable). For instance, an organization can require staff to maintain passwords that meet certain characteristics. (Example: "Each staff member must have a password that is no shorter than 12 characters.")<br />
<br />
6. In my experience, the bigger problem is not whether an organization fails to cover particular topic X or topic Y in written policy. Instead, the problem is that the organization writes too many policies, which are too long, too hard to read, and too prescriptive and are disconnected from the reality of the fluid, dynamic challenges of modern infosec. The best standard is nimble, never-ending "<a href="http://hack-igations.blogspot.com/2015/06/liability.html" target="_blank">professional attention</a>" by the infosec team rather than satisfaction of a checklist covering particular topics (firewall, anti-virus, intrusion detection etc.).<br />
<br />
7. Published "privacy policies" need to be carefully written so as not to promise privacy or security that is unrealistic.<br />
<br />
The foregoing ideas are applicable generically. An organization subject to particular laws or threats may need to behave differently.<br />
<br />
I welcome comments. I know some smart people will disagree with me on some of the ideas above.<br />
<br />
-<a href="https://plus.google.com/+BenjaminWright1?rel=author" target="_blank">Benjamin Wright</a></div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-52783674551872583442015-12-02T16:42:00.002-08:002017-01-17T15:08:31.957-08:00How to Record Augmented Reality Legal Evidence<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
<span style="font-size: 14.0pt; line-height: 107%;">Audits and Official
Inspections | Virtual Reality</span></h2>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">Digital
evidence can be faked. One way to enhance the reliability of digital evidence
is to have a responsible person attest to its creation and authenticity.<o:p></o:p></span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<h2 style="text-align: left;">
<span style="font-size: 14.0pt; line-height: 107%;">Real-time
narration bears witness to the truth. </span></h2>
</div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: 14.0pt; line-height: 107%;">This video
demonstrates the recording of evidence from augmented reality.</span></div>
<div style="text-align: left;">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">
<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/vTUb81BNRZU" width="420"></iframe> </span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">The video
records “reality,” which is the footage captured with the back camera on a
smartphone as the inspector walks. The reality is “augmented” with information
that is superimposed over the footage. Here the augmenting information includes
compass and geolocation data that change as the inspector walks.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEBDFdh7UNg-ji816_oV4WgM0rHfhd4Q-ZJujlN8aH0TnBKg4TH1z054_0tcK2wfysdxcv0Bdf6uzxHXVf3tEqkzzCbGQgkopKiCZKvpt8tq_36giNxTnLrFrGIASNuJ_7rcF1kamzzJA/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEBDFdh7UNg-ji816_oV4WgM0rHfhd4Q-ZJujlN8aH0TnBKg4TH1z054_0tcK2wfysdxcv0Bdf6uzxHXVf3tEqkzzCbGQgkopKiCZKvpt8tq_36giNxTnLrFrGIASNuJ_7rcF1kamzzJA/s320/Capture.PNG" width="205" /></a></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">The video
could constitute legal or audit evidence showing precisely what happened as the
inspector moved about a certain parcel of land. The evidence might be used in a
court of law or other official proceeding, or it might be used to support tax
or financial statements. </span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">The video might show, for example, that the inspector encountered a "no trespassing" sign in the augmented environment.</span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">It might show he accepted or rejected legal terms and conditions (like an <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2010/09/no-trespassing.html" target="_blank">end-user license agreement</a> or EULA).</span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">Alternatively, it might be used to show how the
compass app functioned (or malfunctioned) or used intellectual property such as
trademarks or copyrighted images.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<h2 style="text-align: left;">
<span style="font-size: 14.0pt; line-height: 107%;">Legal
affidavit makes record more credible.</span></h2>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">The lower left-hand
corner of the video displays real-time footage from the phone’s front camera.
It shows the inspector narrating the record, explaining what is happening
step-by-step. The video also records audio of his voice as he talks and walks.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">The
inspector takes these measures to authenticate the video:<o:p></o:p></span></div>
<div class="MsoNormal">
</div>
<ul style="text-align: left;">
<li><span style="font-size: 14pt; line-height: 107%;">shows his face with his moving lips as he narrates,</span></li>
<li><span style="font-size: 14pt; line-height: 107%;">identifies
himself,</span></li>
<li><span style="font-size: 14pt; line-height: 107%;">identifies
the technology he is using,</span></li>
<li><span style="font-size: 14pt; line-height: 107%;">describes
the data as it appears on the screen of his phone,</span></li>
<li><span style="font-size: 14pt; line-height: 107%;">closes by
<a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2010/10/video-authentication.html" target="_blank">formally signing</a> the video with these words recorded in both the audio and the small video window on the lower left corner: “I Ben Wright hereby sign and affirm
this record as my official work.”,</span></li>
<li><span style="font-size: 14pt; line-height: 107%;">vocalizes
the date and time.</span></li>
</ul>
<br />
<div class="MsoNormal">
<span style="font-size: 14pt; line-height: 107%;">In effect
the audio and video of the inspector constitute a </span><a href="https://digital-forensics.sans.org/blog/2010/10/08/affidavit-support-digital-forensic-investigation" style="font-size: 14pt; line-height: 107%;" target="_blank">legal affidavit</a><span style="font-size: 14pt; line-height: 107%;"> confirming
the augmented reality record.</span><span style="font-size: 14pt; line-height: 107%;"> The inspector is placing his professional reputation behind the evidence
depicted in the video.</span></div>
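<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">The post relies on the inspector's spoken affirmation and does not mention hashing. A forensic practitioner would normally add one more measure the moment the recording is saved: fix the file's SHA-256 digest in a small manifest alongside who made it, how, and when, and then record the manifest's own digest somewhere outside the device (an email to counsel, a printed log, a timestamping service). The Python below is an added example, not code from this post or from any product it mentions; the video bytes, the attestor name, the tool string and the manifest layout are constructed fixtures.</span></div>

```python
"""Integrity manifest for a recorded evidence video (added example).

Binds the SHA-256 digest of the recording to the attestor, the spoken
affirmation, the capture tool and the capture time. The manifest's own digest
is what gets recorded out of band; anyone who later edits the body changes it.
All names and bytes used here are constructed fixtures, not real evidence.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators so the same body always hashes the same.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(video: bytes, attestor: str, affirmation: str, tool: str,
                  captured_at=None) -> dict:
    """Return {"body": {...}, "manifest_sha256": ...} for the recording."""
    if captured_at is None:
        captured_at = datetime.now(timezone.utc)
    body = {
        "file_sha256": sha256_hex(video),
        "file_size": len(video),
        "attestor": attestor,
        "affirmation": affirmation,
        "capture_tool": tool,
        "captured_at": captured_at.isoformat(),
    }
    return {"body": body, "manifest_sha256": sha256_hex(_canonical(body))}


def verify(video: bytes, manifest: dict) -> list:
    """Return a list of problems; an empty list means the copy matches."""
    problems = []
    body = manifest.get("body", {})
    if sha256_hex(_canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest body has been altered")
    if body.get("file_size") != len(video):
        problems.append("file size differs")
    if body.get("file_sha256") != sha256_hex(video):
        problems.append("file digest differs")
    return problems


if __name__ == "__main__":
    # Constructed stand-in for an MP4 file; a real run would read the file bytes.
    video = b"\x00\x00\x00\x18ftypmp42" + bytes(range(256)) * 4
    m = make_manifest(video, "Ben Wright",
                      "I Ben Wright hereby sign and affirm this record as my official work.",
                      "AZ Screen Recorder")
    print(json.dumps(m, indent=2))
    print("original verifies:", verify(video, m) == [])
    print("altered copy:", verify(video + b"\x00", m))
```

<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">The manifest is not a signature: someone who can rewrite both the body and the stored digest can produce a consistent fake. Its value comes from the out-of-band copy of the digest made at capture time, which is the digital counterpart of the inspector saying the date and time aloud on camera.</span></div>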
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">Something
similar could be done with a record of <i><a href="http://hack-igations.blogspot.com/2016/02/virtualrealityterms.html" target="_blank">virtual reality</a></i> or other <i>immersive environment</i>. <o:p></o:p></span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<br />
<h2 style="text-align: left;">
<span style="font-size: 14.0pt; line-height: 107%;">Augmented reality can entail more than audio and visual feedback.</span></h2>
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">Augmented reality could provide haptic feedback. So for example as the inspector walks, his smartphone could vibrate. The visual video record might not capture this vibration. However, the inspector could describe it in his vocal narration of events.</span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">A pattern of ominous vibrations might signal danger or <i>no trespassing</i>. A calm vibration might signal approval or "thank you".</span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">Augmented and virtual reality could (someday) even provide smell and taste feedback, which the inspector could describe vocally in a record like the video above.</span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<br />
<h2 style="text-align: left;">
<span style="font-size: 18.6667px; line-height: 19.9733px;">More on this topic</span></h2>
</div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">For more analysis of these ideas, please see:
<a href="http://hack-igations.blogspot.com/2011/11/electronic-contracts.html" target="_blank">Attestation of record captured from website</a><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 14.0pt; line-height: 107%;">See related ideas on <a href="http://hack-igations.blogspot.com/2008/03/robots-as-keepers-of-legal-records.html" target="_blank">legal records made by robots and cyborgs</a> and <a href="http://hack-igations.blogspot.com/2016/12/video-proof.html" target="_blank">how to record legal evidence from mixed reality</a>.</span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">I would be
pleased to hear comments.<o:p></o:p></span><br />
<span style="font-size: 14.0pt; line-height: 107%;"><br /></span>
<span style="font-size: 14.0pt; line-height: 107%;">-<a href="https://plus.google.com/+BenjaminWright1?rel=author" target="_blank">Benjamin Wright</a></span></div>
<div class="MsoNormal">
<br /></div>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-73271341860189945222015-09-28T12:12:00.001-07:002017-01-17T16:37:42.803-08:00Active Defense for the Internet of Things<div dir="ltr" style="text-align: left;" trbidi="on">
<i><u>Summary</u>: Attackers will hack the Internet of Things. Then defenders will invoke "active defense." To support unexpected and unconventional active defense, defenders can post <a href="http://hack-igations.blogspot.com/2015/12/virtual-reality.html" target="_blank">legal terms</a> and warnings.</i><br />
<br />
Today, a hot topic is hacking -- breaking into -- the Internet of Things.<br />
<br />
The Internet of Things includes myriad little devices -- like smart Nest thermostats -- that are connected to the net via channels like Wi-Fi and Bluetooth.<br />
<br />
At SANS Institute's Network Security 2015 conference, experts demonstrated how to manipulate things remotely, in ways that are not intended by the designers of the things. Experts <a href="http://hack-igations.blogspot.com/2013/09/permission.html" target="_blank" title="hijack">hacked into a flying drone</a>, a wireless teddy bear and a doll.<br />
<br />
<blockquote class="twitter-tweet" lang="en">
<div dir="ltr" lang="en">
A sampling of IoT things to hack tonight at <a href="https://twitter.com/hashtag/SANSNetworkSecurity?src=hash">#SANSNetworkSecurity</a>!! <a href="https://twitter.com/jameslyne">@jameslyne</a> <a href="https://twitter.com/timmedin">@timmedin</a> <a href="https://twitter.com/edskoudis">@edskoudis</a> <a href="https://twitter.com/joswr1ght">@joswr1ght</a> <a href="http://t.co/wSf16xuK0x">pic.twitter.com/wSf16xuK0x</a></div>
— Stephen Sims (@Steph3nSims) <a href="https://twitter.com/Steph3nSims/status/644207224739381248">September 16, 2015</a></blockquote>
<script async="" charset="utf-8" src="//platform.twitter.com/widgets.js"></script><br />
<br />
<blockquote class="twitter-tweet" lang="en">
<div dir="ltr" lang="en">
<a href="https://twitter.com/haxorthematrix">@haxorthematrix</a> at the SANS IOT evening. He pwned my doll. <a href="https://twitter.com/Steph3nSims">@Steph3nSims</a> <a href="https://twitter.com/timmedin">@timmedin</a> <a href="https://twitter.com/joswr1ght">@joswr1ght</a> <a href="https://twitter.com/hashtag/SANSNetworkSecurity?src=hash">#SANSNetworkSecurity</a> <a href="http://t.co/UK2J7tAIQF">pic.twitter.com/UK2J7tAIQF</a></div>
— James Lyne (@jameslyne) <a href="https://twitter.com/jameslyne/status/644350298375348224">September 17, 2015</a></blockquote>
<br />
<h2 style="text-align: left;">
Active Defense to the Rescue?</h2>
But if attackers will hack into "things," then defenders will use so-called Active Defense to defend the things.<br />
<br />
SANS Instructor John Strand for example teaches a whole array of techniques for tricking or annoying attackers or for collecting threat intelligence from them.<br />
<br />
One technique is <a href="https://cyber-defense.sans.org/blog/2015/06/01/what-you-need-to-know-about-active-defense-and-threat-intelligence" target="_blank">Kippo</a>, a fake SSH server (a honeypot) that logs everything the attacker types. When the attacker types "exit," Kippo pretends to close the session but quietly keeps it open, so it also captures the commands the attacker then types believing he is back on his own local machine. Dick Dastardly would be proud.<br />
<br />
Another tool Strand teaches is a <a href="https://www.youtube.com/watch?v=uAjQRB4iT7U" target="_blank">spider trap or WebLabyrinth</a>. It serves an attacker's web crawler an endless supply of dynamically generated junk pages and links. A crawler that follows them never finishes, may crash, and can fill the disk behind it with worthless data. What a surprise to the attacker who thought she was just hacking into a toy!<br />
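<br />
Here is what a spider trap looks like in code. This is an added example written for this post in Python; it is not WebLabyrinth's own code. The /maze/ path, the eight links per page and the twenty-requests-to-alert threshold are assumptions chosen for illustration. Every page inside the maze links only to deeper maze pages, so a crawler that follows links never finishes, and the handler raises an alert once a single client has fetched a threshold number of maze pages.<br />
<br />
```python
"""Spider trap in the style of WebLabyrinth: every page in the maze links only
to more maze pages, so a crawler that follows links never finishes.
Added example for this post, not WebLabyrinth's own code."""
import hashlib
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

TRAP_PREFIX = "/maze/"     # assumed path; reach it only through a hidden link
LINKS_PER_PAGE = 8         # assumed fan-out per page
ALERT_THRESHOLD = 20       # assumed: maze pages fetched by one client before we flag it

_hits = {}                 # client IP -> number of maze pages fetched


def _segment(seed):
    """Deterministic junk path segment: the same page always serves the same
    links, so the maze looks like a static site rather than random noise."""
    return hashlib.sha256(seed.encode()).hexdigest()[:10]


def labyrinth_page(path, per_page=LINKS_PER_PAGE):
    """Render one maze page for `path`. Every link goes one level deeper and
    no link ever leaves the maze, so crawl depth is unbounded."""
    if not path.startswith(TRAP_PREFIX):
        path = TRAP_PREFIX
    base = path.rstrip("/")
    links = []
    for i in range(per_page):
        seg = _segment(f"{path}#{i}")
        links.append(f'<a href="{base}/{seg}/">{seg}</a>')
    filler = " ".join(_segment(f"{path}#body{i}") for i in range(40))  # junk text
    return ("<html><head><title>Index</title></head><body>\n"
            + "\n".join(links) + f"\n<p>{filler}</p>\n</body></html>")


def extract_links(html):
    """Pull hrefs out of a page, as a naive crawler would."""
    return re.findall(r'href="([^"]+)"', html)


def record_hit(client):
    """Count maze requests per client. Returns True exactly once, when the
    client crosses the threshold and should be reported or blocked."""
    _hits[client] = _hits.get(client, 0) + 1
    return _hits[client] == ALERT_THRESHOLD


class TrapHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not self.path.startswith(TRAP_PREFIX):
            self.send_response(404)
            self.end_headers()
            return
        client = self.client_address[0]
        if record_hit(client):
            # In a real deployment this goes to a SIEM or a block list.
            print(f"ALERT: {client} fetched {ALERT_THRESHOLD} maze pages; crawler suspected")
        body = labyrinth_page(self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), TrapHandler).serve_forever()
```
<br />
Run it and point a recursive fetcher (for example, wget -r) at http://127.0.0.1:8080/maze/ to watch it descend without end. In practice the maze is reached only through a hidden link and is disallowed in robots.txt, so well-behaved search engines stay out and only a crawler that ignores robots.txt falls in.<br />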
<br />
<h2 style="text-align: left;">
Active Defense Law</h2>
<br />
What are the legal implications of Active Defense techniques? Generally speaking, a good active defender would have legal justification for thwarting and snooping on an attacker.<br />
<br />
But Active Defense is an evolving, loosely-defined style of cyberdefense. It might embrace a zany repertoire of tricks, spoofs and unconventional maneuvers.<br />
<br />
To reinforce legal justification, an Active Defender might post a legal notice that says the attacker consents to being tricked or tracked.<br />
<br />
So for example, a wireless teddy bear might post a statement like this:<br />
<br />
<blockquote class="tr_bq">
<b>“Warning. No trespassing. If you hack this device, you consent to us deceiving you, tracking you and taking other unconventional steps to stop you and prosecute you to the fullest extent of the law.”
</b></blockquote>
<br />
According to SANS instructor Josh Wright, this statement might be published "in the mobile application or the web UI of the device, using a modal dialog or other splash/landing page." It might be published many different ways. The statement needs to be accessible to the attacker, though not necessarily screaming in his face.<br />
<br />
<h2 style="text-align: left;">
Posted Warnings Affect the Legal Interpretation of an Activity.</h2>
<br />
My point is that the publication of warnings and statements of legal consent can help to confirm the legal justification for Active Defense of lots of things connected to the Internet, including drones, <a href="http://hack-igations.blogspot.com/2008/03/robots-as-keepers-of-legal-records.html" target="_blank">robots</a>, teddy bears and creepy dolls.<br />
<br />
Furthermore, such statements can help to confirm that the professionals who execute or give advice about Active Defense are behaving ethically.<br />
<br />
Compare my discussion of <a href="http://hack-igations.blogspot.com/2013/09/permission.html" target="_blank" title="legal consent">Offensive Countermeasures that warn a trespasser</a> away from physical danger.<br />
<br />
What do you think?<br />
<br />
==<br />
Attorney <a href="https://plus.google.com/+BenjaminWright1?rel=author" target="_blank">Benjamin Wright</a> teaches the <a href="https://www.sans.org/course/law-data-security-investigations" target="_blank">law of data security and investigations</a> at the SANS Institute.<br />
==
<br />
<br />
Post Script. At SANS Institute's Network Security 2015 conference, my fellow instructors were handing out coveted Hack the Internet of Things badges. You should have been there.<br />
<blockquote class="twitter-tweet" lang="en">
<div dir="ltr" lang="en">
You need one of these for IoT hacking night. Find me, <a href="https://twitter.com/joswr1ght">@joswr1ght</a>, <a href="https://twitter.com/jameslyne">@jameslyne</a> or <a href="https://twitter.com/Steph3nSims">@Steph3nSims</a>. <a href="https://twitter.com/hashtag/SANSNetworkSecurity?src=hash">#SANSNetworkSecurity</a> <a href="http://t.co/rgMX7yk4KP">pic.twitter.com/rgMX7yk4KP</a></div>
— timmedin (@timmedin) <a href="https://twitter.com/timmedin/status/643473643503140864">September 14, 2015</a></blockquote>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-62328186951838556102015-06-22T13:02:00.002-07:002017-01-18T13:33:00.119-08:00A Standard of Professional Attention for Data Security<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Better than a Checklist of Minimum Requirements</h2>
<br />
By what legal standard should the holder of PII be held? PII means personally identifiable information like Social Security numbers and medical information.<br />
<br />
I argue the standard should be this: A data holder must have an on-going process for devoting professional attention to security.<br />
<br />
Under this standard, a sizable data holder like a hospital or a retail chain deploys a team of professionals to work all the time, every day. Any legal review of the data holder is an enormous amount of work . . . an utterly massive amount of work. Under this standard courts, insurers or regulatory authorities must undertake an exhausting analysis to conclude whether a data holder met the standard.<br />
<br />
<h2 style="text-align: left;">
“Minimum Technical Requirements” Is a Common But Flawed Standard.</h2>
<br />
But the professional attention standard that I advocate is not universally acknowledged by authorities.<br />
<br />
Instead, a commonly-articulated standard is that the data holder must achieve some “minimum requirements.” Those minimum requirements amount to a <a href="http://hack-igations.blogspot.com/2016/01/infosec-policy.html" target="_blank">prescriptive checklist</a> of <i>specific</i> technical measures the data holder must take.
The authority promoting the minimum requirements argues that each and every requirement is easy to do, so failure to do any one of them merits some kind of penalty.<br />
<br />
Here are two examples of a legal authority arguing that a data holder failed to meet minimum, easy requirements for data security:<br />
<br />
<h2 style="text-align: left;">
One: Cyber-insurer Denies Coverage Because Hospital Failed to Do Everything on Minimum Checklist. </h2>
<br />
In <i>Columbia Casualty Company vs. Cottage Health System</i> a hospital had paid for cyber insurance. Then a breach happened. The insurer sued the hospital, seeking to deny coverage because – in good part – the hospital failed to satisfy some specific minimum requirements like <a href="http://insurancethoughtleadership.com/tag/columbia-casualty-company-vs-cottage-health-system/" target="_blank">installing patches</a> on servers.<br />
<br />
<h2>
Two: FTC Says Medical Laboratory Violated Law Because It Missed Some Specific Checklist Points. </h2>
<br />
The Federal Trade Commission is locked in an epic struggle against the victim of a cyber attack, LabMD. In this proceeding FTC’s lawyers maintain that LabMD violated data security law because LabMD failed to implement specific low-cost checklist items, such as adopting a written security policy (as opposed to an unwritten one), formally training employees, destroying data on people for whom no healthcare was performed and updating its operating systems.<br />
<br />
See Footnotes 5-14 and accompanying text, Complaint Counsel’s Opposition to Respondent’s Motion to Dismiss. Public Document <a href="https://www.ftc.gov/system/files/documents/cases/150506labmdccoppmtndismiss.pdf" target="_blank">Number 9357</a>, filed May 6, 2015.<br />
<br />
It is important to observe that FTC’s lawyers give no credit to LabMD for what it did right; LabMD did in fact have a substantial, on-going InfoSec program. But FTC’s lawyers simplistically say: You missed some specific technical points in our checklist; therefore, you violated the law. No deeper analysis is necessary. [See update below.]<br />
<br />
<h2 style="text-align: left;">
The Minimum Requirements Checklist Does Not Align with Reality.</h2>
<br />
The minimum requirements approach is easy for an authority like FTC to enforce. An audit will always find that a data holder did not meet some specific minimum requirement. That is reality. So any time the FTC looks, it will find that the data holder failed to meet this requirement or that requirement, even if the data holder maintained a substantial, professional, good faith InfoSec process.<br />
<br />
But the minimum requirements approach is ineffective.<br />
<br />
Every day, major data breaches happen. The reason is that data security is astonishingly hard to achieve in a functioning organization. As I write this post today, the big breach in the news is <a href="http://www.businessinsider.com/the-china-based-hack-on-us-government-computers-is-worse-than-anyone-knows-2015-6" target="_blank">US Office of Personnel Management</a>. Breaches are routine. Breaches are normal.<br />
<br />
<a href="http://schneier.com/blog/archives/2015/06/the_secrecy_of_.html" target="_blank">According</a> to InfoSec pundit Bruce Schneier:<br />
<br />
“In general, it is far easier to attack a network than it is to defend the same network. This isn’t a statement about willpower or budget; it’s a statement about how computer and network security work today. A former NSA deputy director recently said [link omitted] that if we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game. In other words, it’s all offense and no defense. … In this kind of environment we simply have to assume that even our classified networks have been penetrated.”<br />
<br />
In practice, achieving all of the minimum, low-cost requirements – 24 hours a day, 365 days a year -- is exceedingly hard to do. Each little requirement viewed in isolation might be “low cost,” but collectively they are not low cost. More importantly, striving for minimum requirements is not the most effective approach to security. As a multitude of institutions have proven, the data holder can invest great resources in security and still be breached.<br />
<br />
InfoSec is a fierce competition, and you might not win that competition even if you work hard at it. Like a rugby game, security invariably involves tradeoffs, judgment calls and good faith mistakes.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0zWA6C-bwdlWRAuGc0kqQBzaUnUEpZnme4hLdmBycWoKUAMGqtOzwat0BJdtS5myl9kgmSPPCQyySMl2AQDLcs9ClPcSfwqQw93uF8Qc1O-le0kQN9uztkj4mOHgT629waT8GH1NnsI/s1600/IMAG0230_BURST_01.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0zWA6C-bwdlWRAuGc0kqQBzaUnUEpZnme4hLdmBycWoKUAMGqtOzwat0BJdtS5myl9kgmSPPCQyySMl2AQDLcs9ClPcSfwqQw93uF8Qc1O-le0kQN9uztkj4mOHgT629waT8GH1NnsI/s1600/IMAG0230_BURST_01.gif" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Cyber Defense as competition.</td></tr>
</tbody></table>
Even “easy” measures might not make sense on account of such things as compensating controls, prioritization of attention, rapidly-changing threats and technology, disruption caused by “patches” or the operational needs of the data holder.<br />
<br />
<h2 style="text-align: left;">
The Better Standard Is Professional Attention.</h2>
<br />
So the better standard is not that the data holder meet specific minimum requirements on a prescriptive checklist. The better standard is that the data holder maintain a professional program to attend to security.<br />
<br />
To understand that standard, let’s look at an example. A hospital (Massachusetts Eye and Ear Infirmary) lost a laptop containing patient data. The Department of Health and Human Services investigated. HHS concluded that the hospital violated HIPAA data security requirements and imposed a $1.5 million fine.<br />
<br />
But the analysis by HHS was telling. HHS emphasized the violation and fine were not about a specific security measure, i.e., encryption on a laptop. HHS did not say, "Encryption is easy. You did not encrypt. Therefore you broke the law."<br />
<br />
Instead, said HHS, the violation was that the hospital failed over time to maintain an effective, on-going <i>process</i> for evaluating the security of portable devices and responding to that evaluation. See Resolution <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf" target="_blank">Agreement</a> September 13, 2012.<br />
<br />
<h2 style="text-align: left;">
Perfection in Information Security Will Never Be Achieved.</h2>
<br />
If data holders like hospitals must achieve perfect minimum data security – if they must always meet all the “low-cost” measures that can be dreamed up -- then they should cease operating. They will never get to legal compliance, and they will owe infinite fines and infinite compensation to victims like patients. That outcome is absurd.<br />
<br />
A better approach is to motivate data holders to maintain a process, a responsible on-going program. It is like motivating a sports team to train rigorously and play its heart out on the field.<br />
<br />
That approach includes recognizing that oftentimes organizations with good programs will be breached. Organizations with good programs should be rewarded for having the programs. They should be spared penalty when a breach happens.<br />
<br />
Data holders, like sports teams, should be cheered for playing hard, even when they lose.<br />
<br />
This topic keeps me humble. I'd be pleased to hear comments.<br />
<br />
--<a href="https://plus.google.com/+BenjaminWright1" rel="author" target="_blank">Benjamin Wright</a><br />
<br />
Disclosure: Mr. Wright has performed work for LabMD.<br />
<br />
Update on LabMD: Administrative Law Judge <a href="https://plus.google.com/+BenjaminWright1/posts/bG6MJFEUiia" target="_blank">ruled against FTC</a> and the standard of liability it was advancing.</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-73999841769956288952015-04-26T10:38:00.002-07:002017-01-17T16:40:16.298-08:00eDiscovery: Opportunities for Creative Thinking by IT Professionals<div dir="ltr" style="text-align: left;" trbidi="on">
Deep knowledge of technology is critical to winning modern lawsuits. When an enterprise is in litigation, the legal team needs advice and ideas from IT staff and other forensic experts.<br />
<br />
<h3 style="text-align: left;">
Discovery of Records Resolves Lawsuits</h3>
Consider in particular the <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2010/03/plaintiff-policy.html" target="_blank">discovery</a> phase of a commercial lawsuit. The lawyers representing an enterprise wish to request, through the rules of discovery in litigation, that the adversary turn over records that are relevant to the lawsuit. The adversary’s records can help to resolve the lawsuit.<br />
<br />
<h3 style="text-align: left;">
Fishing Expedition Not Tolerated</h3>
But under the rules, the lawyers must have some reason to believe that specific kinds of records exist in order to ask for them. The lawyers can’t simply ask that the adversary rummage through all of its digital stuff – all email, text messages, files, folders, images, metadata, tapes, hard drives, backup, cloud-computing accounts and on and on -- and turn over “all relevant records.” Such a request would be an open-ended <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/fishing-expedition/" target="_blank">fishing expedition</a>, which the court will not tolerate. Such a request would be far too broad and therefore not enforceable.<br />
<br />
So the lawyers face a chicken-and-egg paradox. They want the adversary’s records, and they are entitled to get some of those records. But if they don’t know which specific kinds of records the adversary might have, then they don’t possess the technical knowledge necessary to frame a request for them.<br />
<br />
<h3 style="text-align: left;">
The Internet of Things Is an eDiscovery Bonanza</h3>
<br />
Enter the Internet of Things.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGcol5Mk4NZ7RIWEbrsi98XVsuBFUtDPcA-7s0wGiGpfzsSAnYkN_CNW_SJeDVPKhKSGqCYH0UiDAXhBRQCZwLQng0I7FF-zqBGwFUpJHgM6UHzEthnxtOYco19uM_esv06B4G2eD_Ci0/s1600/IoT.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="forensics" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGcol5Mk4NZ7RIWEbrsi98XVsuBFUtDPcA-7s0wGiGpfzsSAnYkN_CNW_SJeDVPKhKSGqCYH0UiDAXhBRQCZwLQng0I7FF-zqBGwFUpJHgM6UHzEthnxtOYco19uM_esv06B4G2eD_Ci0/s1600/IoT.gif" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Evidence from Small Connected Devices</td></tr>
</tbody></table>
New technology – like smartphones, smart-watches and smart-grid power meters – begets prodigious quantities of heretofore unimaginable records. The records can show, for instance, who was at a certain place at a certain time or when a particular event occurred in a work room. The technology changes and advances constantly. Many new and surprising kinds of records – records that could be very impactful in a lawsuit – emerge every day.<br />
<br />
<h3 style="text-align: left;">
A Demonstration from Investigative Journalism</h3>
Here’s an example of how new technology breeds surprisingly influential new records and evidence. News media investigated the spending habits of former Congressman Aaron Schock. Congressman Schock relished using social media to tell the world what he was doing all the time. But unbeknownst to him, he was telegraphing little clues – little records – about himself that would prove to be embarrassing.<br />
<br />
Schock published Instagram photos that included time and geolocation data.
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLEaBfa66mmQS2-x-pFhY7-frI3566w-j_hT_rv86Jf8lou4ij7VRU4Dk3fNZp3X4MZexNzcs1q4-m2OtGozsLcAIC-CLkrEScbGqPJhkvFfl1R6rr1SNB6uqtVNVmj-zmSsVcmrACwlE/s1600/metadata.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="investigation" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLEaBfa66mmQS2-x-pFhY7-frI3566w-j_hT_rv86Jf8lou4ij7VRU4Dk3fNZp3X4MZexNzcs1q4-m2OtGozsLcAIC-CLkrEScbGqPJhkvFfl1R6rr1SNB6uqtVNVmj-zmSsVcmrACwlE/s1600/metadata.PNG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Geographic Location on Photograph</td></tr>
</tbody></table>
The ever-watchful Associated Press matched this data with his official (publicly available) expense reports. The AP deduced, for instance, that he <a href="http://www.engadget.com/2015/03/18/aaron-schock-resigns/" target="_blank">illicitly rented a private jet</a>, at taxpayer expense, for his transportation connected with a particular fundraising event in Peoria, Illinois. Ouch.<br />
<br />
As an investigative journalist, AP published its analysis and concluded that Schock was abusing his travel expense budget. This and similar revelations contributed to Schock’s resignation.<br />
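<br />
As an added example (not the AP's method and not part of the original post), here is how an investigator reads the time and GPS position a phone records in a photo's EXIF block and tests it against a claimed location. The post does not say which fields the AP relied on; this example uses the standard EXIF tags (DateTime 0x0132, the GPSInfo pointer 0x8825 and GPS tags 1 through 4). Because it must run offline, the EXIF bytes are constructed in code rather than read from a real photo, and the Chicago and Peoria coordinates, the date and the 50 km tolerance are assumptions chosen for illustration.<br />
<br />
```python
"""Read time and GPS position from a photo's EXIF block and compare it with a
claimed location. Added example; the EXIF bytes below are constructed, not real."""
import math
import struct
from datetime import datetime

TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825               # IFD0 tags
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4  # GPS IFD tags
ASCII, LONG, RATIONAL = 2, 4, 5                          # TIFF field types
SIZES = {ASCII: 1, LONG: 4, RATIONAL: 8}                 # bytes per element

def _read_ifd(buf, offset, bo):
    """Map tag -> (type, count, absolute offset of the entry's 4-byte value field)."""
    n, = struct.unpack_from(bo + "H", buf, offset)
    fields = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", buf, at)
        fields[tag] = (typ, count, at + 8)
    return fields

def _value(buf, bo, typ, count, field):
    """Decode one field: 4 bytes or less sit inline, larger values live at an offset."""
    size = SIZES[typ] * count
    start = field if size <= 4 else struct.unpack_from(bo + "I", buf, field)[0]
    raw = buf[start:start + size]
    if typ == ASCII:
        return raw.split(b"\0", 1)[0].decode("ascii")
    if typ == LONG:
        return struct.unpack(bo + "I" * count, raw)
    nums = struct.unpack(bo + "II" * count, raw)          # RATIONAL: numerator, denominator
    return [nums[i] / nums[i + 1] for i in range(0, len(nums), 2)]

def extract_photo_metadata(exif):
    """Return {'taken': datetime, 'lat': float, 'lon': float} in decimal degrees."""
    bo = "<" if exif[:2] == b"II" else ">"                # byte-order mark: II little, MM big
    ifd0 = _read_ifd(exif, struct.unpack_from(bo + "I", exif, 4)[0], bo)
    out = {}
    if TAG_DATETIME in ifd0:
        out["taken"] = datetime.strptime(_value(exif, bo, *ifd0[TAG_DATETIME]), "%Y:%m:%d %H:%M:%S")
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(exif, _value(exif, bo, *ifd0[TAG_GPS_IFD])[0], bo)
        for key, tag, ref in (("lat", TAG_LAT, TAG_LAT_REF), ("lon", TAG_LON, TAG_LON_REF)):
            d, m, s = _value(exif, bo, *gps[tag])          # degrees, minutes, seconds
            sign = -1 if _value(exif, bo, *gps[ref]) in ("S", "W") else 1
            out[key] = sign * (d + m / 60 + s / 3600)
    return out

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance by the haversine formula, Earth radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def check_claim(exif, claimed_lat, claimed_lon, tolerance_km=50.0):
    """Does the position the photo carries agree with where the person claimed to be?"""
    meta = extract_photo_metadata(exif)
    d = distance_km(meta["lat"], meta["lon"], claimed_lat, claimed_lon)
    return {"taken": meta["taken"], "distance_km": round(d, 1), "consistent": d <= tolerance_km}

# Builder for the constructed sample, so the example runs without a real photo.
def _dms(deg):
    """Decimal degrees -> EXIF rationals (deg/1, min/1, hundredths of a second/100)."""
    a = abs(deg)
    d = int(a)
    m = int((a - d) * 60)
    return [(d, 1), (m, 1), (round(((a - d) * 60 - m) * 6000), 100)]

def build_sample_exif(lat, lon, taken):
    """Little-endian TIFF: IFD0 (DateTime + GPSInfo pointer), GPS IFD, then overflow data."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 * 2 + 4                   # IFD0 holds 2 entries
    data_base = gps_off + 2 + 12 * 4 + 4                  # GPS IFD holds 4 entries
    data = bytearray()

    def entry(tag, typ, count, value):
        if len(value) <= 4:                               # short values are stored inline
            return struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")
        off = data_base + len(data)                       # long values go after both IFDs
        data.extend(value)
        return struct.pack("<HHI", tag, typ, count) + struct.pack("<I", off)

    def rat(pairs):
        return b"".join(struct.pack("<II", n, dn) for n, dn in pairs)

    ifd0 = (struct.pack("<H", 2)
            + entry(TAG_DATETIME, ASCII, 20, taken.encode() + b"\0")
            + entry(TAG_GPS_IFD, LONG, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))                       # no next IFD
    gps = (struct.pack("<H", 4)
           + entry(TAG_LAT_REF, ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\0")
           + entry(TAG_LAT, RATIONAL, 3, rat(_dms(lat)))
           + entry(TAG_LON_REF, ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\0")
           + entry(TAG_LON, RATIONAL, 3, rat(_dms(lon)))
           + struct.pack("<I", 0))
    return b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + gps + bytes(data)

# Constructed sample: photo geotagged in Chicago while the expense report claims
# an event in Peoria, Illinois (approximate coordinates, assumed for illustration).
SAMPLE_EXIF = build_sample_exif(41.8781, -87.6298, "2015:02:07 18:30:00")
PEORIA = (40.6936, -89.5890)
```
<br />
With a real image, the same parser would be fed the APP1 "Exif" segment of the JPEG; the TIFF structure inside it is what the code walks. Note that many social networks strip EXIF on upload and keep location as their own tag, so the investigator has to check which layer the data survived in before relying on it.<br />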
<br />
<h3 style="text-align: left;">
Now Let’s Apply that Example to Litigation</h3>
Just as digital details like geolocation data can help the news media scrutinize spending by a politician, they can be decisive in a commercial lawsuit. But often the lawyers handling a lawsuit need help from people with technical expertise. Lawyers may not realize that, for example, if a video is stored in SharePoint at an adversary enterprise, then <a href="http://hack-igations.blogspot.com/2011/11/electronic-contracts.html" target="_blank">SharePoint may store reliable metadata</a> about the date of the video and the dates of each revision to that video.<br />
<br />
Very often, under the rules of discovery, the lawyer’s request for something like SharePoint metadata must be predicated on more than a mere guess that “some kind of metadata somewhere exists with respect to the video in question.” In their eDiscovery request for records from the adversary, the lawyers need to refer to some empirical evidence that SharePoint metadata would be relevant to the case at hand.<br />
<br />
That’s precisely where an alert IT staffer can add value. If the staffer understands the details of the case, he or she may be able to divine that the adversary was using SharePoint to store a video. Further, the staffer might know enough about SharePoint (or be able to learn through quick research) to advise the lawyers they should target SharePoint metadata in their eDiscovery request. That kind of advice can make or break a case!<br />
<br />
<h3 style="text-align: left;">
IT Experts: You Should Be Inspired and Empowered </h3>
A person with technical knowledge should be inspired to be creative … and to think outside their normal roles … to help their legal team to discern and articulate that the adversary possesses unconventional records that should be produced.<br />
<br />
By <a href="https://plus.google.com/+BenjaminWright1?rel=author" target="_blank">Benjamin Wright</a><br />
<br />
<div>
<br /></div>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-78080007095495297062015-03-02T10:59:00.002-08:002017-01-18T09:03:39.195-08:00What is Best Practice for Government Email Retention Policy?<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Central archive promotes internal control, deters corruption.</h2>
Enterprises like businesses and government entities should generously retain the email of important employees in a central archive. A central archive is controlled by the IT department, not the employees whose email is in the archive. Such an archive ensures records are <a href="http://hack-igations.blogspot.com/2013/12/audit-proof.html" target="_blank">conveniently available</a> and searchable for audit, e-discovery and internal investigations.<br />
<br />
<h3 style="text-align: left;">
IRS investigation nightmare proves the need for a central archive.</h3>
<br />
The current poster child in favor of central archives is the Internal Revenue Service. IRS is currently enduring a nightmare owing to its failure to archive employee email centrally. This nightmare is not over. But it has transpired enough to teach painful, timeless lessons.<br />
<br />
The nightmare in question is the investigation into the emails of an IRS executive named Lois Lerner. Lerner headed an IRS division handling sensitive tasks (evaluating the tax status of nonprofits).<br />
<br />
The Inspector General at IRS <a href="http://www.washingtonpost.com/blogs/federal-eye/wp/2015/02/27/investigators-probing-for-criminal-activity-with-lois-lerners-missing-emails/" target="_blank">recently opened</a> a criminal investigation into whether one or more employees at IRS attempted to destroy or hide Lerner’s emails (that is, government records). If an employee did that, the employee could go to jail.<br />
<br />
<h3 style="text-align: left;">
Scandals often hinge on electronic mail.</h3>
Here’s the story. A political controversy erupted over Lerner’s work. Congress demanded her emails. (Logically, emails are a very relevant thing for an investigator or legal adversary to demand in today’s age. In modern enterprises, emails record most of the action by managers and executives.)<br />
<br />
Astonishingly, IRS replied to Congress that all of Lerner’s emails had been destroyed because the hard drive on her single laptop had crashed. What?!<br />
<br />
Furthermore the Commissioner of the IRS (its top executive) testified to Congress that Lerner’s emails were irretrievable . . . could not be recovered by any means. What?!<br />
<br />
<h3 style="text-align: left;">
A manager’s emails need to be archived and segregated from the manager.</h3>
In effect IRS was saying that its IT systems were designed so that the retention of many important emails depended upon the function of a single PC hard drive. That’s nuts . . . for two reasons.<br />
<br />
First, PC hard drives commonly fail; important records like management emails need to be copied some other place. Reliance on a single PC hard drive constitutes gross mismanagement.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDmw09sHJuuR6Qb12vFgubI2aZspS177rUqqCpYsQXQcw0QT7TSKkIxOdazTGvXrieiJvXnmElc3AeElF0c1x-mux0SLZIWB6mVvMQfFvriaTjOUYedQX1aMqaD8udt_RnhLW8_g1Treo/s1600/single+point+of+failure.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="electronic mail archive" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDmw09sHJuuR6Qb12vFgubI2aZspS177rUqqCpYsQXQcw0QT7TSKkIxOdazTGvXrieiJvXnmElc3AeElF0c1x-mux0SLZIWB6mVvMQfFvriaTjOUYedQX1aMqaD8udt_RnhLW8_g1Treo/s1600/single+point+of+failure.jpg" width="181" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PC hard drives can fail.</td></tr>
</tbody></table>
<br />
Second, if sensitive records are stockpiled in a single place under the control of a single employee, then that employee has the ability to destroy her records. She has the ability to cover up her own wrongdoing in the event of an investigation into her performance or malfeasance.<br />
<br />
What’s more, it strains credulity for an enterprise to say that large numbers of emails of an executive are irretrievable, even after a hard drive has crashed. Copies of those emails are likely <a href="http://hack-igations.blogspot.com/2014/07/synced-evidence.html" target="_blank">scattered far, wide and deep</a>, especially in backups and on servers.<br />
<br />
And in fact, when the IG investigated, that’s what IG discovered. Lots of Lerner’s emails are on <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2009/09/investigate.html" target="_blank">backup tapes</a> and (potentially) on server hard drives. Recovering all this is much work. But it can be done by patient, well-resourced investigators.<br />
<br />
The emails were not "irretrievable" as the IRS Commissioner had testified to Congress. One can't expect the IRS Commissioner to be an expert on computers and records. Obviously he has to base his testimony on advice from other people. And obviously he got horrible advice, in good part because IRS had failed to archive Lerner's emails in a centralized, competent archive.<br />
<br />
<h3 style="text-align: left;">
IRS could have avoided this embarrassment.</h3>
<br />
For IRS as an enterprise, this investigation is becoming a long, expensive and embarrassing saga. A protracted criminal investigation like this can be very damaging to the reputation of the enterprise and to overall employee morale, even if the investigation concludes that no crimes were committed.<br />
<br />
An enterprise like IRS is wiser to archive email centrally, under the control of the IT department and outside the control of individual employees. If IRS had at the outset archived Lois Lerner’s emails in a centrally-controlled appliance, they would not have (seemingly) disappeared and the IRS would be spared from this debilitating forensic investigation. <br />
<br />
By <a href="https://plus.google.com/+BenjaminWright1" rel="author" target="_blank">Benjamin Wright</a></div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-12425260493253147692015-02-17T08:26:00.003-08:002015-02-17T17:06:00.551-08:00Legal Training for New CISSP Exam | CPE Too<div dir="ltr" style="text-align: left;" trbidi="on">
The information security world is in turmoil. For infosec professionals, the adoption of smart legal practices is becoming more urgent.<br />
<br />
Keeping with the times, the CISSP exam -- and related CPE requirements -- are being refreshed as of April 15, 2015. (CISSP stands for Certified Information Systems Security Professional.)<br />
<br />
<h3 style="text-align: left;">
Cyber Threats Rise</h3>
<br />
The refresh reflects the alarming new reality of information security around the globe. 2014 was a banner year for data breaches and cyber attacks: Home Depot, Sony Pictures Entertainment, Community Health Systems, et al. And already for 2015 we’ve seen records breached for 80 million people at health insurer Anthem.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwACraQ84D2z489FkE0ps4Zg4kqkjNp5RfqfBFYcXFfuhBXqqM-U94yTgR4g4ql8yGIb8HJEkThfRqES3uzDhtqM8xsMEcGMqvsHvzBepuZarVhXHw5lxBwyV67ziUjc7q_At5s81S9X0/s1600/Non+disclosure.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="confidentiality" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwACraQ84D2z489FkE0ps4Zg4kqkjNp5RfqfBFYcXFfuhBXqqM-U94yTgR4g4ql8yGIb8HJEkThfRqES3uzDhtqM8xsMEcGMqvsHvzBepuZarVhXHw5lxBwyV67ziUjc7q_At5s81S9X0/s1600/Non+disclosure.JPG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Privacy Law</td></tr>
</tbody></table>
As a consequence of this bad news, lawsuits are becoming more common and government audits & investigations are becoming more intrusive. For example, in the wake of the Sony Pictures attack, former employees of Sony have sued the company for allowing their personal information to be exposed.<br />
<br />
<h3 style="text-align: left;">
CISSP Exam Covers Legal Issues</h3>
<br />
In this context the CISSP exam is changing. Among the topics in the exam are:<br />
<br />
<ul style="text-align: left;">
<li>Law</li>
<li>Compliance</li>
<li>Regulations</li>
<li>Privacy</li>
<li>Policy</li>
<li>Investigations</li>
<li>Evidence</li>
<li>Ethics</li>
</ul>
<br />
These are all topics I address in a five-day bootcamp, “Law of Data Security and Investigations,” taught at the SANS Institute. SANS and I have been delivering and updating this course – known as LEGAL 523 -- for many years. This course has <a href="http://hack-igations.blogspot.com/2012/04/training-law-of-data-security-and.html" target="_blank">served</a> many hundreds of students from around the world.<br />
<br />
Like the CISSP exam, the course embraces both old (timeless) lessons and new lessons. Through the years, the process of teaching the class -- engaging with smart students -- has improved my understanding of the topic; it has helped me refine the material, iteration after iteration.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="302" src="https://www.youtube.com/embed/40FLll0zMco?rel=0" width="515"></iframe>
LEGAL 523 is unique in the world. I am aware of no other course that seriously competes with it. It is taught by a practicing lawyer with years of experience. He devotes his professional life to keeping up with the latest developments, such as New Jersey’s new law S.562 that (more or less) requires health insurers to encrypt personally identifiable information.<br />
<br />
<a href="http://www.sans.org/course/law-data-security-investigations" target="_blank">SANS LEGAL 523 | Law of Data Security and Investigations</a><br />
<br />
By <a href="https://plus.google.com/+BenjaminWright1/about" target="_blank">Benjamin Wright</a><br />
<br />
<br />
Note: LEGAL 523 is not a cram course for the CISSP exam. It aims to teach all professionals (CISSPs, lawyers, auditors, investigators, penetration testers, managers and others) how to cope with the most pressing legal risks in data security and data investigations.<br />
<div>
<br /></div>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-44729240843606396522015-02-03T12:04:00.001-08:002017-01-18T13:36:04.455-08:00Blockchain Smart Contracts | Fraud, Taxes & Evidence<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
The Case for Supporting Automated Contracts with Traditional Legal and Audit Documentation</h2>
<br />
Blockchain enthusiasts envision smart contracts, where assets and transactions are governed on the type of <a href="http://hack-igations.blogspot.com/2014/10/open-ledger.html" target="_blank">shared ledger</a> that controls Bitcoin.<br />
<br />
<u>Here is an example of a “smart contract:”</u> Alice, Inc. earns bitcoin by mining. Alice controls a bitcoin account to which earned bitcoin is added from time to time. Alice, Inc. promises to pay Bob Corp. 25% of the bitcoin added to the account each week. (Assume the value to be paid Bob is around $250,000 per year.) Alice management sets up this transaction by adopting rules on a functioning, publicly-accessible Ethereum-based blockchain. The functions of the blockchain automatically execute the transaction and cause the requisite bitcoin to move from Alice’s account to Bob’s bitcoin account.<br />
<br />
<h3 style="text-align: left;">
The transaction is functionally complete, but poorly documented.</h3>
<br />
In principle, this transaction is functionally complete. In principle the code on the blockchain could control and execute the transaction as intended by Alice and Bob.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPw4kjYHY-Kgb0T6vw5lizb9JFbbMAVxRxQJQGNhoEw5rmUa7epWtpUIkr5CtfzqgvYi_WfHHrPu1b99GZO9gfYqWd5Jz8vAQuml3MzIre4CglyY57U0aPS5AsIf7DqD0uIKJm3kly9Ak/s1600/Memorialize.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPw4kjYHY-Kgb0T6vw5lizb9JFbbMAVxRxQJQGNhoEw5rmUa7epWtpUIkr5CtfzqgvYi_WfHHrPu1b99GZO9gfYqWd5Jz8vAQuml3MzIre4CglyY57U0aPS5AsIf7DqD0uIKJm3kly9Ak/s1600/Memorialize.gif" title="legal document" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: 'calibri', sans-serif; font-size: 16.0pt; line-height: 107%;">Crypto 2.0 Needs Scrivener</span></td></tr>
</tbody></table>
<br />
However, I argue that for many businesses like Alice, Inc. the transaction needs more legal and audit documentation. The establishment of rules on a public blockchain ledger may not be enough to satisfy Alice, Inc.’s responsibilities to stakeholders, including shareholders, creditors and tax authorities.<br />
<br />
Now, management at Alice, Inc. might (hypothetically) disagree with me. Management might argue that by setting up the transaction on the blockchain it has undertaken and documented a transaction that is just as legally-binding as a promise made with paper and ink. The blockchain is open for public inspection. Anyone can inspect the function of the blockchain and the <a href="http://hack-igations.blogspot.com/2015/01/decentralization.html" target="_blank">open-source code that runs it</a>. Anyone can monitor the transactions recorded and executed on the blockchain. The transactions are executed under publicly-known, publicly-validated cryptographic security measures, including hash algorithms and digital signatures.<br />
<br />
Accordingly, argues management, even if the smart contract does not execute, Bob Corp. can still refer to the code recorded in the blockchain as evidence of the intent of the contract and thereby enforce the contract in a court of law just as if it were written in ink on paper.<br />
<br />
<h3 style="text-align: left;">
Judicial cases support the proposition that a smart contract could be enforced in court.</h3>
<br />
In support of its position Alice management might cite case law interpreting security measures instituted with respect to property such as land. Courts have long evaluated the “security measures” instituted on land to ascertain whether rights of ownership to land have changed by way of “adverse possession.” Those security measures have included gates, locks, fences and the like.<br />
<br />
So, for example, a New Mexico court said that adverse possession of land could be interpreted from the history of locks used on a gate that controlled access to the land. <i>Dethlefsen v. Weddle</i>, <a href="http://www.nmcompcomm.us/nmcases/nmca/2012/12ca-077.pdf" target="_blank">Opinion Number: 2012-NMCA-077</a>, New Mexico Court of Appeals, 2012.<br />
<br />
Similarly <a href="http://www.fortenberrylaw.com/mississippi-adverse-possession/" target="_blank">Mississippi courts have said</a> that adverse possession of a parcel of land could be interpreted by examining fences on the land, including their location, history and purpose.<br />
<br />
To understand evidence of security measures, a court may need to hear testimony from witnesses, such as people who understand the land in question.<br />
<br />
In other words courts have much experience examining publicly gatherable evidence of security measures used to control property and then interpreting that evidence as a record of the rights and ownership pertaining to the property. Another way to say it is that the function of fences, gates and locks is a form of language, and with enough effort a court can come to understand that language.<br />
<br />
Courts can interpret security measures, just as they can interpret words written on paper.<br />
<br />
If courts can do that for land, argues Alice Inc.’s management, then courts can do it for logical evidence that can be seen by all on a blockchain. Just as courts can hear testimony from witnesses who know land, courts can hear testimony from cryptographic experts who understand blockchains.<br />
<br />
In theory, if the blockchain stopped functioning, and Alice otherwise refused to transfer the bitcoin to Bob Corp., Bob could <a href="http://hack-igations.blogspot.com/2014/09/Cryptocurrency-Agreement.html" target="_blank">sue for breach of contract</a> and win a judgment against Alice. With the help of qualified witnesses, Bob could prove the existence and meaning of the smart contract by referring to the code and security measures used in the blockchain.<br />
<br />
A contract need not be written in natural language in order for a court to understand it or enforce it. So argues management at Alice, Inc., who believes no additional documentation is necessary.<br />
<br />
<h3 style="text-align: left;">
Good business documentation seeks more than just enforceability in court.</h3>
<br />
But I have a rebuttal to the foregoing hypothetical argument by management at Alice, Inc. Just because a contract is legally enforceable does not mean it is documented well enough for accounting purposes.<br />
<br />
Alice’s management may be correct that the smart contract is written, recorded, understandable and enforceable.<br />
<br />
Nonetheless, Alice, Inc. still has problems with this transaction. Good business practices expect businesses to better document substantial transactions like a promise to transfer roughly $250,000 in value per year.<br />
<br />
A promissory note provides far better documentation than a mere notation in a ledger.<br />
<br />
A business like Alice, Inc. needs to account to stakeholders. One example of a stakeholder might be a bank that has lent money to Alice and expects Alice to repay the loan and otherwise maintain a strong balance sheet. Another example of a stakeholder would be a corporate shareholder. If Alice is a larger corporation, it could well have numerous shareholders, including founders (and their heirs and family members), angel investors, venture capitalists and employees.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgckHnLkxxmuj9YyDAc0479u6ZbM9jvz6amQ7405ofmcUoNSgIYnamxmzgNGaTqNepw7DComjICTf4KlCE5sVAHCCyUbf9AhA4JFlO4rP2k3JTRwJe6jgu_1Crylgf_naP2oaJ9HLz7D5w/s1600/legal+practice.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgckHnLkxxmuj9YyDAc0479u6ZbM9jvz6amQ7405ofmcUoNSgIYnamxmzgNGaTqNepw7DComjICTf4KlCE5sVAHCCyUbf9AhA4JFlO4rP2k3JTRwJe6jgu_1Crylgf_naP2oaJ9HLz7D5w/s1600/legal+practice.PNG" title="negotiable instrument" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoNormal">
<span style="font-size: 16.0pt; line-height: 107%;">Promissory Note to Support Autonomous Contract</span></div>
</td></tr>
</tbody></table>
<br />
Critical to a business’ accounting to stakeholders is its maintenance of books, ledgers and documentation to show revenue, expenses, assets, liabilities and so on. Those books, ledgers and documentation enable a third-party auditor to review and opine on the financial statements the business provides to stakeholders.<br />
<br />
But if Alice’s evidence for its obligation to Bob is just the entries on a public blockchain, that evidence may not satisfy the auditor. The auditor may lack the expertise to interpret the blockchain. Blockchain technology is very new and very complex. Few accountants in the world are today qualified to review a blockchain.<br />
<br />
Alice’s auditor may refuse to approve Alice’s financial statements . . . or may flag the poorly-documented contract as a problem.<br />
<br />
<h3 style="text-align: left;">
Famous court case calls for backup documentation.</h3>
<br />
An instructive court case is <i>SEC v. World-Wide Coin Investments</i>, 567 F.Supp. 724 (N.D. Ga. 1983). World-Wide Coin was a small, publicly-owned company. It was subject to the US securities laws, including the requirement that it “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets of the” company. 15 USC § 78m(b)(2)(A). The court found that the company had failed to satisfy that requirement for records. Among many other recordkeeping defects, the court found: “no promissory notes or other supporting documentation has been prepared to evidence purported loans to World-Wide.”<br />
<br />
In other words, at this company obligations to pay money (repay loans) were supported by only sketchy notations and/or memories stored in the heads of staff members. But the court said that’s not good enough to serve the interests of stakeholders (even though the people to whom money was owed were not complaining). Sketchy notations and human memories are inadequate to constitute “reasonable records.” Obligations to pay money need to be documented by written evidence like promissory notes or contracts.<br />
<br />
<h3 style="text-align: left;">
Outside auditors demand good documentation.</h3>
<br />
Let’s apply the <i>World-Wide Coin</i> lesson back to Alice, Inc. Its outside auditor will expect Alice to have reasonable records of obligations. (Further, under general corporate law Alice’s creditors and shareholders also expect Alice to maintain reasonable records of obligations.) Those records give the auditor comfort that the financial ledgers shown to the auditor are in fact accurate.<br />
<br />
If the auditor is uncomfortable with the quality of Alice’s documentation, the auditor could point to the <i>World-Wide Coin</i> case for the proposition that Alice is deficient (even if Alice is not a publicly-owned company that must comply with the securities laws like 15 USC § 78m(b)(2)(A)).<br />
<br />
<div style="text-align: left;">
In the mind of the outside auditor, deficient documentation of transactions could be a symptom of deeper problems at Alice. </div>
<ul style="text-align: left;">
<li>One problem could simply be sloppiness, such that Alice, innocently and naively, does not understand its obligations and therefore is incompetent to account for its financial status.</li>
<li>A second, more sinister, problem could be that management at Alice is intentionally obscuring the company’s financial condition for the purpose of fraud. The poster child for this problem is Bernard “Bernie” Madoff, one of the most infamous of all financial crooks. He and the staff at his company deliberately maintained sketchy or nonexistent documentation of contracts and other transactions in order to hide the company’s true condition from auditors, investors and regulators. </li>
</ul>
<br />
<h3 style="text-align: left;">
Tax authorities demand good documentation.</h3>
<br />
With regard to Alice, Inc.’s accounting documentation, another stakeholder is a tax authority. If Alice is a US company it must pay federal income tax. Alice will likely try to reduce its tax liability by claiming that the transfers of bitcoin to Bob Corp. reduced Alice’s income.<br />
<br />
In support of Alice’s claim, the Internal Revenue Service expects Alice to keep adequate records and documentation. The records and documentation enable IRS auditors to confirm Alice’s annual income.<br />
<br />
Section 6001 of the Internal Revenue Code requires each taxpayer to keep records necessary to show whether the taxpayer owes tax.<br />
<br />
The taxpayer has the burden to prove the authenticity of its records. <i>Gillespie v. Commissioner</i>, 35 T.C.M. (CCH) 269 (1976).<br />
<br />
Sometimes, owing to inadequate documentation of transactions, the IRS disagrees with a business taxpayer’s calculation of tax. In <i>Bard v. Commissioner</i>, for example, the IRS disallowed deductions the taxpayer had taken for the costs of precious metals purchased in cash transactions. The taxpayer had documented the purchases with little more than a fragmentary telephone log kept in a looseleaf notebook, without numbered pages. Although the taxpayer appealed to the tax court, the court sided with the IRS. It sustained the disallowance of deductions, which increased the taxpayer’s tax liability considerably. 60 T.C.M. (CCH) 485 (1990).<br />
<br />
In theory a tax auditor can understand the smart contract on the blockchain. But in practice the tax auditor may consider the blockchain to be too obscure and therefore inadequate to support Alice’s tax claims.<br />
<br />
Accordingly, Alice, Inc. may be saving itself heartache in a tax audit by supporting the smart contract, at the outset, with a traditional, written promissory note.<br />
<br />
<h3 style="text-align: left;">
Why is a promissory note needed?</h3>
<br />
In all likelihood the code for a functioning smart contract will not include all the information that is critical from a legal or accounting perspective, such as the precise legal name of the parties (Alice, Inc. and Bob Corp.).<br />
<br />
The process of drafting a promissory note or similar document, to stand alongside a smart contract, imposes intellectual and ethical rigor on business people and programmers who may otherwise be in a hurry. In my experience executives and coders can dash off ideas and deals quickly, with little regard for the details that may not seem important at the time.<br />
<br />
But those details are the domain of the <i>scrivener</i> (the document draftsman). The disciplined scrivener knows that a promise to pay needs to nail down topics such as the precise legal identity of the parties, whether the promise was made by an authorized officer of the promising company, whether the obligation to pay can be enforced in court (outside of the blockchain), and more.<br />
<br />
<h3 style="text-align: left;">
Conclusion: Smart contracts and traditional documentation complement each other.</h3>
<br />
Smart contracts are good, and companies like Alice, Inc. should use them where they make sense. But substantial smart contracts need to be supported by traditional written documentation like paper contracts or promissory notes.<br />
What do you think? If any of my ideas are off-target, please let me know.<br />
<br />
By <a href="https://plus.google.com/+BenjaminWright1" rel="author" target="_blank">Benjamin Wright</a><br />
<br />
<iframe frameborder="no" height="450" scrolling="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/189323302&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&visual=true" width="100%"></iframe>
<br />
<div>
<br /></div>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-41024029167509536992015-01-04T14:17:00.000-08:002015-01-23T09:02:03.385-08:00Legal Terms for Crypto 2.0 Project<div dir="ltr" style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
Generic Disclaimer of Liability</h3>
<div>
<br /></div>
<div>
Ethereum’s Vitalik Buterin inspires me to offer a contribution to the cryptocurrency community (a.k.a. Crypto 2.0). Buterin <a href="https://blog.ethereum.org/2014/12/31/silos/" target="_blank">observes</a> how many different projects are underway within the community, working on cryptocurrencies, blockchains, smart contracts, distributed ledgers, decentralized consensus and the like. </div>
<div>
<br /></div>
<div>
These projects include Bitcoin, myriad altcoins, Bitshares, Ethereum, Counterparty and others. More projects will come. </div>
<div>
<br /></div>
<div>
Many of these projects are open source. Many of them celebrate their informality. Legal formalities were scarce when Satoshi Nakamoto launched Bitcoin.</div>
<div>
<br /></div>
<div>
Buterin recommends that the folks working in their different projects (he calls them “silos”) make their projects inter-operate, all for the greater good. Particular projects may come to specialize in offering browsers, blockchain services or decentralized applications (DApps) that can help other projects.</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Generic Legal Terms</h3>
<div>
<br /></div>
<div>
For such projects, here (tentatively) are legal terms to publish conspicuously to stakeholders.</div>
<div>
<br /></div>
<div style="text-align: center;">
<b><u>Project Terms</u></b></div>
<div>
<b><br /></b></div>
<div>
<b>1. This Project is built and used by a community of people from all over the world. </b></div>
<div>
<b><br /></b></div>
<div>
<b>2. The Project includes the data, work, ideas, protocols, software, processes and documentation that are contributed to it. Original contributions to the Project are <a href="http://www.cnet.com/news/is-public-domain-software-open-source/" target="_blank">open source and public domain</a> forever. </b></div>
<div>
<b><br /></b></div>
<div>
<b>3. The Project is offered “as-is.” The Project, its contributors, leaders, promoters and users disclaim all liability and all warranties, whether express or implied. There is no assurance that the Project will be accurate or error free, will achieve any particular result or complies with any particular law or property right. You use, rely on or contribute to the Project at your own risk. </b></div>
<div>
<b><br /></b></div>
<div>
<b>4. The Project may discontinue or change at any time. </b></div>
<div>
<b><br /></b></div>
<div>
<b>5. If any portion of these Terms is held to be invalid or unenforceable, the remaining portions remain in full force and effect.</b></div>
<div>
==<br />
<br /></div>
<h3 style="text-align: left;">
Analysis of the Terms</h3>
<div>
<br /></div>
<div>
The foregoing is a generic form. It is short so that it is more likely to be read. It strives to cope with legal risk in furtherance of the project.</div>
<div>
<br /></div>
<div>
It condenses terms for services and terms for software into a single unified statement. For some projects the distinction between services and software makes little sense. In fact there may be no “service” <i>per se</i>. The project assembles software so that a freeform community of miners (workers or voters) can use it in a process to achieve a result, such as a consensus vote on what time it is or the execution of a transaction.<br />
<br />
Yet, the project may be more than just software, which is the subject of a traditional open-source license.<br />
<br />
<h3 style="text-align: left;">
Risk Begone!</h3>
</div>
<div>
<br /></div>
<div>
One goal of these Terms is to reduce the <a href="http://hack-igations.blogspot.com/2014/10/open-ledger.html" target="_blank" title="disclaimer">potential (theoretical) liability</a> of some project stakeholders to other stakeholders. Some malcontents may claim that others promised they'd get rich but the riches never materialized. The malcontents might try to sue in a court, or just complain in public.<br />
<br />
The Terms above aim to curb the risk of liability on the part of any party. But they do not eliminate the risk.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhX8HSCGS50UZ05LiHGpXJIZpPzYi89yyMgl7pvvMh_IGEDYX-Jo8ZpV9qNM3CFVZusdJrA9PS3EVCXrdsNbp6K0twmAXkdz4Fi3epgrE7M62HPRw8Be8pSnDHZNS4xri2wt7WvVJkQA/s1600/Terms+and+Conditions.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="electronic contract" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhX8HSCGS50UZ05LiHGpXJIZpPzYi89yyMgl7pvvMh_IGEDYX-Jo8ZpV9qNM3CFVZusdJrA9PS3EVCXrdsNbp6K0twmAXkdz4Fi3epgrE7M62HPRw8Be8pSnDHZNS4xri2wt7WvVJkQA/s1600/Terms+and+Conditions.gif" height="180" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Legal Notice</td></tr>
</tbody></table>
</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Property Ownership Might Be Disputed.</h3>
<div>
<br /></div>
<div>
A second goal is to reduce the possibility of unexpected claims of ownership to something. But it does not eliminate the possibility.</div>
<div>
<br /></div>
<div>
The terms say, “Original contributions to the Project are open source and public domain forever.” That sentence does not guarantee that no one can claim ownership to something, such as ideas or code. It applies only to “original” contributions. So if Jane contributes proprietary code that was stolen from Phil, then that code would not be an original contribution. Phil might still claim ownership. </div>
<div>
<br /></div>
<div>
Further, Nick might muddy the topic of ownership (of the code he contributes) by widely declaring: “The ‘open source and public domain’ terms of the Project do not apply to the code that I contribute. The code that I contribute is copyrighted and patented by me.” Nick's unruly declaration raises unsettling issues over <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2009/06/does-world-wide-web-publication-constitute-legal-notice-to-the-world.html" target="_blank">how legal terms are negotiated in an online community</a>.</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Your Project May Need Something Different.</h3>
<div>
<br /></div>
<div>
The generic Project Terms above are not customized for the needs of any particular project. Some projects will be wise to have different or additional terms. For example:</div>
<div>
<ul style="text-align: left;">
<li>Certain terms that are specific to software, and other terms that are specific to services.</li>
<li>Reference to a particular license or terms, such as (for open-source software) the GNU General Public License.</li>
<li>Notice that the project uses technology such as a particular algorithm under a specified license.</li>
<li>More formality and detail to confirm that all contributions to the project and its software are open source and free.</li>
<li>Explicit limitation of liability to a certain amount. The Mozilla Public License (MPL) referenced below limits liability to $500.</li>
<li>Choice of law. The MPL chooses California law.</li>
</ul>
</div>
<div>
<br /></div>
<div>
The Project Terms above are obviously for a free, open-source project. A proprietary project or a project that is charging fees may need different or additional terms. Appropriate terms might look like a license that commonly comes with proprietary software or a service agreement for paid services.</div>
<div>
<br /></div>
<div>
<h3 style="text-align: left;">
Disclaimer and Caution</h3>
</div>
<div>
<br /></div>
<div>
<u>Notice</u>: This blog post is just public discussion. It is not legal advice for any particular situation, and I am not your lawyer. If you need legal advice, you should retain a lawyer.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO2ky9BT3GMDUk7bvJhWsEQ5RlT08Z1y5nkWqozzhZ-ZeBe76HUbdY6CgLzwmnd9otJFu0ObAwSsM7vUst1iTt9VR9kvmFl4DMgXRKr2zMfhi5DTd8PBE373unJAgXnZx8h6NPsOOjlEM/s1600/self-serving+language.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="public warning" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO2ky9BT3GMDUk7bvJhWsEQ5RlT08Z1y5nkWqozzhZ-ZeBe76HUbdY6CgLzwmnd9otJFu0ObAwSsM7vUst1iTt9VR9kvmFl4DMgXRKr2zMfhi5DTd8PBE373unJAgXnZx8h6NPsOOjlEM/s1600/self-serving+language.jpg" height="102" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Legal notice modifies risk because it warns people<br />
before they take action that could cause them injury.</td></tr>
</tbody></table>
</div>
<div>
<br /></div>
<div>
I am skeptical that the Project Terms above would protect someone such as a project leader who is intentionally deceiving people.</div>
<div>
<br /></div>
<div>
I consider the Project Terms I publish above to be in the public domain. You may use them any way you wish. But you are responsible, not me.</div>
<div>
<br /></div>
<div>
<h3 style="text-align: left;">
Feedback Invited</h3>
</div>
<div>
<br /></div>
<div>
What do you think? I welcome discussion and feedback. I may revise the Terms above, so check back from time to time.</div>
<div>
<br /></div>
<div>
By <a href="https://plus.google.com/+BenjaminWright1/about" target="_blank">Benjamin Wright</a></div>
<div>
<br /></div>
<div>
<span style="font-size: xx-small;">Footnote: The Project Terms published above are inspired by <a href="http://unlicense.org/">unlicense.org</a> and these things connected with Mozilla Firefox: </span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-size: xx-small;">“About Your Rights,” accessible through Firefox address bar at “about:rights”</span></li>
<li><span style="font-size: xx-small;">“Mozilla Firefox Web-Based Information Services,” accessible through Firefox address bar at “about:rights#webservices”</span></li>
<li><a href="https://www.mozilla.org/MPL/2.0/" style="font-size: x-small;" target="_blank">Mozilla Public License</a><span style="font-size: xx-small;">, Version 2.0</span></li>
</ul>
</div>
</div>
Benjamin Wrighthttp://www.blogger.com/profile/11543639411820745571noreply@blogger.com0tag:blogger.com,1999:blog-2938493123269026698.post-85549806500644602012014-11-23T16:35:00.000-08:002017-01-18T13:38:10.148-08:00Smart Blockchain Contract Law<div dir="ltr" style="text-align: left;" trbidi="on">
Many propose to use blockchain technology to make “smart contracts.” Examples include:<br />
<br />
<ul style="text-align: left;">
<li><a href="http://blockstream.com/" target="_blank">Blockstream</a>, which proposes to run contracts off of “sidechains” to the Bitcoin blockchain;</li>
<li><a href="https://ethereum.org/" target="_blank">Ethereum</a>, which is a decentralized publishing platform for powering contracts; </li>
<li><a href="https://openbazaar.org/" target="_blank">OpenBazaar</a>, which proposes to be a decentralized market for using Bitcoin to make purchases.</li>
</ul>
<br />
Some say that smart contracts are "trustless" transactions because they execute transparently without the need to trust any particular person or institution.<br />
<br />
Some say this trustless transparency results from "<a href="http://hack-igations.blogspot.com/2015/01/decentralization.html" target="_blank">decentralized consensus</a>," where a community of "miners" makes each decision (to execute a transaction or not to execute a transaction) by way of consensus that is controlled by no one.<br />
<br />
<h3 style="text-align: left;">
Bitcoin Succeeds.</h3>
<br />
These proposals are early in their development. They build on the pioneering success of Bitcoin.<br />
<br />
Bitcoin is <i>truly remarkable</i>. It is the first distributed ledger to operate usefully and perpetually, independent of any central institution or sponsor. See <a href="http://hack-igations.blogspot.com/2014/10/open-ledger.html" target="_blank" title="virtual money">my discussion</a> of a distributed public ledger.<br />
<br />
Proposals for smart contracts seek to launch distributed ledgers to execute transactions that are more complex than Bitcoin; Bitcoin just keeps debits and credits of “coins.”<br />
<br />
<h3 style="text-align: left;">
“I Hereby Bequeath My Bitcoin to My Kids.”</h3>
<br />
Here is an example of a complex smart transaction, as <a href="https://www.youtube.com/watch?v=TNDHjmbC-t8" target="_blank">explained</a> by Stephan Tual, CCO of Ethereum: Stephan says he holds digital assets like bitcoin. He imagines setting up a commitment under an Ethereum-based blockchain for distributing his assets upon his death. To govern that commitment, he imagines these rules as his digital last will and testament:<br />
<br />
<br />
<ol style="text-align: left;">
<li>If Stephan does not appear on the Internet for three consecutive months, then</li>
<li>His assets will be transferred to accounts belonging to his two designated heirs.</li>
<li>The issue whether Stephan has failed to appear on the Internet for three months would be resolved by a vote among “miners” that maintain the Ethereum blockchain.</li>
</ol>
<div>
(A premise behind Stephan's will is that if he does not appear on the net for three months, then he "must be dead.")</div>
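As an added sketch (not code from the post, from Stephan Tual or from Ethereum), here is how the three rules above might be pinned down in a Solidity contract. It assumes, since the post does not say, that “appearing on the Internet” means the owner calling a heartbeat function, that the miners’ vote is replaced by the chain’s own block timestamp, and that the assets are ether held by the contract and split equally between two heir addresses fixed at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of the "digital will" rules; the heartbeat,
/// timestamp and equal-split assumptions are this sketch's, not the post's.
contract DigitalWill {
    address public immutable owner;
    address payable public immutable heirA;
    address payable public immutable heirB;
    uint256 public constant SILENCE_LIMIT = 90 days; // "three consecutive months"
    uint256 public lastSeen;
    bool public distributed;

    event Heartbeat(uint256 at);
    event Distributed(uint256 amount);

    constructor(address payable _heirA, address payable _heirB) payable {
        require(_heirA != address(0) && _heirB != address(0), "heir unset");
        owner = msg.sender;
        heirA = _heirA;
        heirB = _heirB;
        lastSeen = block.timestamp;
    }

    /// Rule 1, seen from the owner's side: each call resets the silence clock.
    function heartbeat() external {
        require(msg.sender == owner, "not owner");
        require(!distributed, "already distributed");
        lastSeen = block.timestamp;
        emit Heartbeat(block.timestamp);
    }

    /// The owner may keep adding assets while alive.
    receive() external payable {
        require(!distributed, "already distributed");
    }

    /// Rule 3 reduced to a timestamp check. Note what the code cannot decide:
    /// silence is not death. A lost key, a long illness or an outage looks
    /// identical to the contract, and nothing here records who the heirs
    /// legally are or under which law the bequest is made.
    function ownerPresumedDead() public view returns (bool) {
        return block.timestamp >= lastSeen + SILENCE_LIMIT;
    }

    /// Rule 2: once the clock has run out anyone may trigger the transfer;
    /// the contract, not a court, executes the bequest.
    function distribute() external {
        require(!distributed, "already distributed");
        require(ownerPresumedDead(), "owner still present");
        distributed = true; // effects before interactions
        uint256 balance = address(this).balance;
        uint256 half = balance / 2;
        emit Distributed(balance);
        (bool okA, ) = heirA.call{value: half}("");
        (bool okB, ) = heirB.call{value: balance - half}("");
        require(okA && okB, "transfer failed");
    }
}
```

Every choice the comments flag (what counts as presence, who the heirs are, what happens if the key is lost) is exactly the kind of term a court or a scrivener would expect to see written down somewhere other than the bytecode.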
<br />
<h3 style="text-align: left;">
Transaction Executes Automatically.</h3>
<br />
In theory a smart transaction -- in this case Stephan's last will and testament -- will execute automatically, without involvement of a court or government or central authority, just as a transfer of bitcoin executes today. I analyze Stephan's smart will below. But first, let me provide some background . . .<br />
<br />
Smart transactions – smart contracts – might govern myriad different deals, such as escrows, stock sales, credit default swaps, last wills and testaments, and corporate governance through shareholders.<br />
<br />
<a href="http://insidebitcoins.com/news/blockstream-closes-21-million-seed-funding-to-fulfill-the-promise-of-blockchain-technology/26456" target="_blank">Some envision</a> smart contracts without the need for lawyers.<br />
<br />
The concept is admirable. As an e-commerce lawyer, I am eager to see it in action.<br />
<br />
But I am skeptical that smart contracts and smart transactions can exist in a pristine universe, separate from traditional law, traditional legal analysis and traditional legal draftsmanship.<br />
<br />
<h3 style="text-align: left;">
Law Does Apply to Blockchains.</h3>
<br />
An old saw holds that “law abhors a vacuum.” What that means is that law applies wherever it needs to apply. People cannot get away from law. They cannot declare themselves, their computers, their data, their assets, their transactions, their communications, or their blockchains as free from law (though they may influence <i>which</i> law applies and <i>how</i> it applies).<br />
<br />
Accordingly, you can control some bitcoin, subject to the Bitcoin blockchain. And the Bitcoin blockchain operates without direction from government authority. But that does not mean law has no impact on your control of your bitcoin. So – for instance – if you got your bitcoin by running the illegal Silk Road market, then law can take your bitcoin from you and cause it to be sold, with the proceeds going to the government. <a href="http://ridethelightning.senseient.com/2014/11/want-to-buy-some-bitcoins-the-government-is-having-an-auction.html" target="_blank">Reference</a> the experience of criminal suspect Ross Ulbricht.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiACPUihh5__0DzMQ0KhZ-BUCZAgzSHagS78eqZgf-M-BmNjlM9XMR1gQmoYDEb3YA-tlYEoOwmYPcXRoWFM9GjLrHIGevxk0hZEBYfFO377681QNKan_N7MF55s98oIwhEUCM4bRKLGqo/s1600/e-commerce.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="open ledger" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiACPUihh5__0DzMQ0KhZ-BUCZAgzSHagS78eqZgf-M-BmNjlM9XMR1gQmoYDEb3YA-tlYEoOwmYPcXRoWFM9GjLrHIGevxk0hZEBYfFO377681QNKan_N7MF55s98oIwhEUCM4bRKLGqo/s1600/e-commerce.gif" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Blockchain</td></tr>
</tbody></table>
<br />
<h3 style="text-align: left;">
Legal Talent Needed.</h3>
<br />
Let’s go back to Stephan Tual’s last-will-and-testament example above. Experience has proven that writing, interpreting and executing a will can be tricky, just as writing, interpreting and executing a contract can be tricky.<br />
<br />
Any person can write a legally-binding will or contract. You don’t have to be a lawyer to write these documents, whether you write them on paper, in software code or on stone tablets.<br />
<br />
However, my experience is that some people are more skilled at writing such documents than others. Some lawyers are more skilled at it than other lawyers.<br />
<br />
Legal training, legal analysis, and experience in the practice of law can all be helpful in composing wills, contracts and similar documents so that they achieve the desired outcomes. When you want to write a contract for the sale of widgets, you are not required to retain a lawyer to do the writing. You can do it yourself. However, you may get a better outcome if you do hire a lawyer who is qualified and talented at writing sales-of-widgets contracts.<br />
<br />
<h3 style="text-align: left;">
How to Avoid Misunderstanding</h3>
<br />
Poorly conceived terms in a will or contract can be misinterpreted. They can be ambiguous. Or they can fail to anticipate contingencies that thwart the real intent of the document.<br />
<br />
Here are examples of misinterpretations, contingencies or issues that might apply to Stephan Tual’s last-will-and-testament:<br />
<br />
<br />
<ul style="text-align: left;">
<li>What happens if Stephan has not “appeared on the Internet for three months” because he is sick? He is still alive, and he may still need his digital assets. Why must they now go to his heirs?</li>
<li>What if Stephan has died, but someone has stolen his credentials and falsely appears on the Internet as him? (In this scenario, one can imagine a court stepping in and forcing the transfer of Stephan’s assets to his heirs, even though -- according to the evidence conveniently available to the Ethereum miners -- he still “appears” on the Internet.)</li>
<li>What if 17.5 years from now the “Internet” is replaced by something so strange and so unanticipated that the “miners” cannot interpret what it means to “not appear on the Internet for three months”? (To be fair, similar problems can bedevil traditional paper wills. A will that is well-written in 1998 may make no sense in 2015 owing to changed circumstances.)</li>
<li>What if someone tricked Stephan into approving an Ethereum last-will-and-testament that he did not understand or intend?</li>
<li>Might there be ways to structure Stephan’s last-will-and-testament so as to reduce the tax liability incurred by his heirs?</li>
<li>Think of the overhead cost of “miners” constantly monitoring the Internet, indefinitely, to evaluate and vote on whether Stephan has appeared somewhere over the past three months. Is it practical to expect that this overhead can be sustained for the next 40 years of Stephan’s life?</li>
<li>What if the Ethereum blockchain has long stopped functioning? Might a court still interpret and enforce Stephan's code as his last will and testament? (The answer might be yes, unless Stephan has explicitly stated otherwise. The court might consider his old code to be his "written and <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2010/10/video-authentication.html" target="_blank">signed</a>" will -- equal to a will he wrote and signed on paper -- even though it cannot be executed through the original blockchain.) </li>
</ul>
<br />
<h3 style="text-align: left;">
Intended Terms Can Be Coded Into the Will or Contract.</h3>
<br />
A skilled lawyer – or other professional such as an accountant – could help Stephan understand these problems and address them. They might be addressed variously by way of<br />
<ul style="text-align: left;">
<li>the coding behind his “smart will,”</li>
<li>the publication of special words/terms connected with his will (e.g., "This will is effective only if executed through XYZ blockchain. If XYZ blockchain ceases to function, then this code does not constitute my legally-binding last will and testament.")</li>
<li>the adoption of measures that address risk (e.g., the division of Stephan’s assets into multiple accounts, corporations or trusts), </li>
<li>helping Stephan include a contingency for third-party arbitration, or</li>
<li>recommending that Stephan manage his assets in a completely different way.</li>
</ul>
<br />
<br />
All those things are the stock in trade of the traditional practice of law or accounting.<br />
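Stephan's smart will, and the contingencies in the two lists above, can be made concrete in code. What follows is an added example written for this post; it is not Stephan Tual's code and not part of Ethereum. It departs from his description in one deliberate way: instead of a miner vote on whether he has "appeared on the Internet", the contract uses an on-chain heartbeat, a <code>ping()</code> transaction signed by the testator's own key, because that is something the chain can verify by itself. The contract name, the <code>guardian</code> role, the "period" and "grace" windows, and the equal split between two heirs are assumptions for illustration.<br />
<br />
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a "smart will" as a dead man's switch. Not Stephan Tual's
// code and not part of Ethereum. The heartbeat replaces his miner vote on
// Internet presence; the guardian role and the time windows are assumptions.
contract SmartWill {
    address public immutable testator;   // the person making the will
    address public immutable guardian;   // assumed: trusted party who can veto a claim
    address[2] public heirs;             // the two designated heirs
    uint256 public immutable period;     // silence that opens a claim, e.g. 90 days
    uint256 public immutable grace;      // challenge window after a claim, e.g. 30 days

    uint256 public lastPing;             // last proof of life
    uint256 public claimedAt;            // 0 while no claim is open
    bool public settled;                 // true once executed or revoked

    event Ping(uint256 at);
    event Claimed(address by, uint256 at);
    event Cancelled(address by);
    event Executed(uint256 total);
    event Revoked(uint256 refunded);

    constructor(address _guardian, address[2] memory _heirs,
                uint256 _period, uint256 _grace) payable {
        require(_guardian != address(0), "guardian required");
        require(_heirs[0] != address(0) && _heirs[1] != address(0), "heir required");
        testator = msg.sender;
        guardian = _guardian;
        heirs = _heirs;
        period = _period;
        grace = _grace;
        lastPing = block.timestamp;
    }

    // Assets can be added to the will at any time.
    receive() external payable {}

    // Proof of life. Pinging also cancels any open claim, which answers
    // "what if he is merely sick" as long as he can still reach a keyboard.
    function ping() external {
        require(msg.sender == testator, "not testator");
        require(!settled, "will already settled");
        lastPing = block.timestamp;
        claimedAt = 0;
        emit Ping(block.timestamp);
    }

    // Anyone (typically an heir) may open a claim once the testator has
    // been silent for `period`.
    function claim() external {
        require(!settled, "will already settled");
        require(claimedAt == 0, "claim already open");
        require(block.timestamp >= lastPing + period, "testator not silent for period");
        claimedAt = block.timestamp;
        emit Claimed(msg.sender, block.timestamp);
    }

    // The guardian can veto during the grace window, e.g. if the testator
    // is alive but incapacitated. Note the limit: a thief who holds the
    // testator's key can keep pinging and so keep the will from executing;
    // nothing here lets the guardian force execution. That is the case the
    // post leaves to a court.
    function cancelClaim() external {
        require(msg.sender == guardian, "not guardian");
        require(claimedAt != 0, "no open claim");
        claimedAt = 0;
        emit Cancelled(msg.sender);
    }

    // After the grace window passes with no veto, split the balance.
    function execute() external {
        require(!settled, "will already settled");
        require(claimedAt != 0, "no open claim");
        require(block.timestamp >= claimedAt + grace, "grace window running");
        settled = true;                              // effects before interactions
        uint256 total = address(this).balance;
        (bool ok1, ) = heirs[0].call{value: total / 2}("");
        (bool ok2, ) = heirs[1].call{value: address(this).balance}("");
        require(ok1 && ok2, "transfer failed");
        emit Executed(total);
    }

    // A will must be revocable while the testator lives.
    function revoke() external {
        require(msg.sender == testator, "not testator");
        require(!settled, "will already settled");
        settled = true;
        uint256 amount = address(this).balance;
        (bool ok, ) = testator.call{value: amount}("");
        require(ok, "refund failed");
        emit Revoked(amount);
    }
}
```
<br />
Read against the bullet list above: the grace window and the guardian veto address the "sick, not dead" case; <code>revoke()</code> addresses a will the testator no longer wants; the stolen-key case is only partly covered, as the comment on <code>cancelClaim()</code> says. The remaining bullets (the chain stops functioning, the "Internet" is replaced, tax structuring) are not things the code can express at all; they belong in the published words and structures listed above. One technical caveat: <code>block.timestamp</code> can be nudged by whoever produces a block, but only by seconds, so windows measured in weeks or months are not affected.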
<br />
<iframe frameborder="no" height="140" scrolling="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/178344763&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&visual=true" width="100%"></iframe>
<br />
<h3 style="text-align: left;">
To Be Effective, Contract Practice Must Keep Up with Technology.</h3>
<br />
In a “smart transaction” environment, traditional legal analysis and legal draftsmanship will encounter new twists. The same happened when we moved from old-fashioned paper contracts to modern electronic contracts. For instance, the “<a href="http://legal-beagle.typepad.com/wrights_legal_beagle/battle-of-the-forms/" target="_blank">battle of the forms</a>” – under which contract terms and conditions are negotiated – can unfold differently over the Internet compared to how they unfold when people exchange paper documents via snail mail.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe5N5gon7Hon-51owYjWbmQt6MiHa0IX8wdqAmsvEn1kmF9lmqEFeZMUTmBem0iGOS6N8Sx0NLbHGu9Ls5YD2UzpknE6ybdbUvdm98eq4DVaOUtL4WEUnhqX24759EOODJWO5mdBHu0_0/s1600/sidechain.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="decentralized" border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe5N5gon7Hon-51owYjWbmQt6MiHa0IX8wdqAmsvEn1kmF9lmqEFeZMUTmBem0iGOS6N8Sx0NLbHGu9Ls5YD2UzpknE6ybdbUvdm98eq4DVaOUtL4WEUnhqX24759EOODJWO5mdBHu0_0/s1600/sidechain.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Transparent Ledger</td></tr>
</tbody></table>
<br />
Therefore lawyers will need to acquire new skills to help clients compose and evaluate contracts for the smart, blockchain universe.<br />
<br />
By: <a href="https://plus.google.com/+BenjaminWright1" rel="author" target="_blank">Benjamin Wright</a>, Author, <i>The Law of Electronic Commerce</i><br />
<div>
<br />
Good discussion on <a href="http://www.reddit.com/r/ethereum/comments/2o23zb/legal_discussion_of_a_lastwillandtestament_under/" target="_blank">Reddit about this blog post</a>.<br />
<br />
<a href="http://www.coindesk.com/smart-contracts-will-need-smart-term-sheets-match/" target="_blank">This December 2016 article, written by other lawyers</a>, expresses ideas that are consistent with the ideas above.<br />
<br />
See also:<br />
<br />
<ul style="text-align: left;">
<li><a href="http://hack-igations.blogspot.com/2015/01/decentralization.html" target="_blank" title="public domain">Generic Legal Rules for Crypto-Commerce Project</a></li>
<li><a href="http://hack-igations.blogspot.com/2015/02/automated.html" target="_blank">More on Smart Contract Law</a></li>
</ul>
</div>
</div>
<h2 style="text-align: left;">
How to Cope with Block Chain Legal Liability</h2>
Published 2014-10-10, updated 2017-01-18.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Some institutions may hesitate to participate with a blockchain until they get assurance on potential liability.
<br />
<br />
<h3 style="text-align: left;">
Bitcoin Is Just One Example of an Explosive Idea.</h3>
<br />
Bitcoin’s blockchain is a specific example of a greater idea. It is a <i>distributed ledger</i>. A distributed ledger is a powerful innovation for accounting. <br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF1yQlxcT2YsCr4H5er8M6LciO328ibo-zR4YOzdqqdLIZEKEMnNA5qWKNNT7zMeH_eQS3FvGDEHfLMK_MGodSytDbN8R2zeXjOxUnJBR9pIjkPZUpJiJf_U14PY5crwGL52rd2pcojFo/s1600/Ledger.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="debit credit" border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF1yQlxcT2YsCr4H5er8M6LciO328ibo-zR4YOzdqqdLIZEKEMnNA5qWKNNT7zMeH_eQS3FvGDEHfLMK_MGodSytDbN8R2zeXjOxUnJBR9pIjkPZUpJiJf_U14PY5crwGL52rd2pcojFo/s1600/Ledger.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Traditional Central Ledger</td></tr>
</tbody></table>
It replaces the traditional centralized ledger for keeping track of trades and ownership of assets, such as money, stocks, barter, commodities and more.<br />
<br />
The centralized ledger requires a central authority like a bank to keep track of debits, credits or other matters of account.<br />
<br />
In contrast, a distributed ledger manages debits and credits by community action. In Bitcoin, the members of this community, this “crowd,” are called miners. They perform calculations and confirm transactions publicly, such that all the participants can observe what is happening and verify accuracy.<br />
<br />
The distributed system does not rely on a central authority, who can be corrupted.<br />
<br />
Bitcoin’s blockchain is the first really successful application of a distributed ledger. But visionaries see much more for the future.<br />
<br />
<h3 style="text-align: left;">
A Better Way to Administer Trust</h3>
<br />
In effect a distributed ledger is a method for managing trust among entities without requiring the entities constantly to check back with headquarters (the central authority) to confirm that an entity or party is entitled to a measure of trust. Checking back with headquarters for every transaction is inefficient.<br />
<br />
Checking with the crowd that maintains the block chain (the miners) can be more efficient.<br />
<br />
What is even more important is this: <i>to corrupt a large crowd of miners is harder than to corrupt a central authority.</i><br />
<br />
<h3 style="text-align: left;">
An Open Ledger Manages Trust.</h3>
<br />
Therefore <a href="http://www.coindesk.com/ibm-executive-block-chain-internet-of-things/" target="_blank">IBM</a> is exploring use of block chain to manage trust in the <a href="https://www.google.com/url?q=http://hack-igations.blogspot.com/2014/01/iot.html&sa=U&ei=Ejg4VLTXDeWZ8gH274CIBQ&ved=0CAUQFjAA&client=internal-uds-cse&usg=AFQjCNEnNXX8JIIp15XMlgp9LQtWTTCrmw" target="_blank">Internet of Things</a>, where a multitude of devices (like your smart watch and your home thermostat) share data and responsibility with one another.<br />
<br />
An example Internet-of-Things transaction might be the decision for a thermostat to trust an instruction from a certain smart watch to increase temperature by three degrees at 2:03 p.m. The confirmation of transactions might be distributed across a large and constantly evolving multitude of devices (a crowd). No single device is trusted too much. But the system can function if most of the devices are trustworthy most of the time.<br />
<br />
Confirmation of any unit of trust <span style="font-size: xx-small;"><b>[see footnote]</b></span> comes from multiple miners in the crowd, but not necessarily all the miners.<br />
<br />
<h3 style="text-align: left;">
Potential Liability for Errors or Omissions</h3>
<br />
Bitcoin’s block chain runs on open source software. Many people have contributed to its development and updating.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="180" src="//www.youtube.com/embed/-uX_bB_4VJk?rel=0" width="320"></iframe>
<span style="font-size: xx-small;">[Video above depicts action on Bitcoin's block chain through <a href="http://bitcointicker.co/">bitcointicker.co</a>; video saluted by <a href="https://twitter.com/BTCticker/status/519182233501192192" target="_blank">@BTCticker</a>.]</span><br />
<br />
Many distributed ledger projects will involve the collaborative efforts of many parties.<br />
<br />
However, some institutions (like a large nonprofit foundation) will be concerned about the potential liability that comes from associating themselves with a block chain project. Their contribution might look like an endorsement or an acceptance of responsibility.<br />
<br />
Block chains will not always work as expected. For instance, Bitcoin as originally designed has proven vulnerable to attack in that hackers can steal bitcoin from an individual trader if they compromise the credentials for the trader’s single signature: the blockchain cannot distinguish a thief who holds the private key from its rightful owner. For that reason Bitcoin is <a href="http://www.coindesk.com/early-bitcoin-adopter-calls-multi-sig-solutions-750-btc-theft/" target="_blank">evolving</a> to multiple-signature credentials, under which a payment is valid only if it carries signatures from a required number (say two) of several keys, so that compromising one key is not enough.<br />
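The multiple-signature idea in the paragraph above, as an added example that is not part of the original post: this is an Ethereum contract written for this page, not Bitcoin's multisig script and not code from any project named here, but it shows the same property. A payment leaves the vault only after a threshold of distinct owner keys has approved it, so a single stolen key cannot move the funds. The contract name, the owner list and the 2-of-3 threshold are assumptions for illustration.<br />
<br />
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: an m-of-n approval vault in Solidity. Not Bitcoin's
// multisig script and not code from any project named in the post; it
// shows the same property: one stolen key cannot move funds on its own.
contract MultiSigVault {
    address[] public owners;
    uint256 public immutable threshold;   // keys required, e.g. 2 of 3
    uint256 public proposalCount;

    struct Proposal {
        address to;
        uint256 amount;
        uint256 approvals;
        bool executed;
    }
    mapping(uint256 => Proposal) public proposals;
    mapping(uint256 => mapping(address => bool)) public approvedBy;

    event Proposed(uint256 id, address by, address to, uint256 amount);
    event Approved(uint256 id, address by);
    event Executed(uint256 id);

    constructor(address[] memory _owners, uint256 _threshold) payable {
        require(_threshold > 0 && _threshold <= _owners.length, "bad threshold");
        for (uint256 i = 0; i < _owners.length; i++) {
            require(_owners[i] != address(0), "zero owner");
            for (uint256 j = 0; j < i; j++) {
                require(_owners[j] != _owners[i], "duplicate owner");
            }
        }
        owners = _owners;
        threshold = _threshold;
    }

    receive() external payable {}

    function isOwner(address a) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == a) return true;
        }
        return false;
    }

    // An owner proposes a payment; proposing counts as the first approval.
    function propose(address to, uint256 amount) external returns (uint256 id) {
        require(isOwner(msg.sender), "not owner");
        require(to != address(0), "zero recipient");
        id = proposalCount++;
        proposals[id] = Proposal({to: to, amount: amount, approvals: 0, executed: false});
        emit Proposed(id, msg.sender, to, amount);
        _approve(id);
    }

    // Each further owner approves from its own key; the payment goes out
    // only when `threshold` distinct owners have approved.
    function approve(uint256 id) external {
        require(isOwner(msg.sender), "not owner");
        require(id < proposalCount, "no such proposal");
        _approve(id);
    }

    function _approve(uint256 id) internal {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!approvedBy[id][msg.sender], "already approved");
        approvedBy[id][msg.sender] = true;
        p.approvals += 1;
        emit Approved(id, msg.sender);
        if (p.approvals >= threshold) {
            p.executed = true;                       // effects before interactions
            (bool ok, ) = p.to.call{value: p.amount}("");
            require(ok, "transfer failed");
            emit Executed(id);
        }
    }
}
```
<br />
With three owners and a threshold of two, a thief holding one owner's key can propose a payment to himself, but the vault pays nothing until a second owner, from a second key, approves the same proposal. The protection only holds if the keys really are kept apart (different devices, different people). The flip side belongs in any disclaimer or terms of use: a lost key under an n-of-n threshold locks the funds permanently, which is a different loss but still a loss.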
<br />
In the future, as a new blockchain is created an institution that supports it would not want to be a “deep pocket” target for a lawsuit from someone who claims the block chain’s poor design caused damage. (Example case: member banks <a href="http://www.huffingtonpost.com/2012/03/14/big-banks-new-york-settlement_n_1343720.html" target="_blank">settle liability for actions of electronic mortgage clearinghouse</a>.)<br />
<br />
<h3 style="text-align: left;">
Warn Users of Risk.</h3>
<br />
For this reason institutions are wise to insist that the block chains they support come with disclaimers and/or terms of use. These types of statements can explain and disclaim risk.<br />
<br />
For instance, something like the following statement might be published widely in connection with a block chain that manages <a href="http://hack-igations.blogspot.com/2014/11/ethereum.html" target="_blank" title="smart property">ownership among stockholders of a corporation</a>:<br />
<br />
<blockquote class="tr_bq">
<i>This block chain is offered "as-is" with no assurance of reliability. Use at your own risk. </i></blockquote>
<br />
The statement might go on to explain with some detail the kinds of risks that are present, such as flaws in software or a future decrease in miner incentive to work.<br />
<br />
A disclaimer is not a perfect shield from legal liability. It probably does not protect an institution from liability if the institution knowingly engaged in fraud. But a well-crafted disclaimer can dramatically reduce the risk of liability.<br />
<br />
<h3 style="text-align: left;">
Example Disclaimers</h3>
<br />
Here are three examples of institutions insisting on the publication of disclaimers relative to their contributions to community projects.<br />
<br />
<ol style="text-align: left;">
<li>The payment card community works together to publish the Payment Card Industry Data Security Standard. The PCIDSS sets standards for securing credit card data. However, it is possible that a merchant who follows PCIDSS will still suffer a data breach. The institutions that participate in the PCI community and promote the PCIDSS desire no liability for a shortcoming in the standard. Their solution is to require anyone downloading a copy of the standard to agree to a contract that disclaims liability and places risk with the user merchant.</li>
<li>The American Medical Association works with the National Supplier Clearinghouse to facilitate communications of Medicare claims by healthcare providers. However, the methods and technology of the Clearinghouse may not give a healthcare provider the desired outcome. AMA wants no liability. Therefore access to the Clearinghouse <a href="http://www.palmettogba.com/nsc" target="_blank">website</a> requires the user to click on terms that disclaim liability by AMA.</li>
<li>Ethereum.org <a href="https://blog.ethereum.org/2014/07/22/launching-the-ether-sale/" target="_blank">publishes</a> this statement regarding the initial sale of "Ether": </li>
</ol>
<blockquote class="tr_bq">
<blockquote class="tr_bq">
<i>Ether is a product, NOT a security or investment offering. Ether is simply a token useful for paying transaction fees or building or purchasing decentralized application services on the Ethereum platform; it does not give you voting rights over anything, and we make no guarantees of its future value.</i></blockquote>
</blockquote>
<br />
<h3 style="text-align: left;">
What Stands in the Place of Legal Liability?</h3>
<br />
The user of a block chain that comes with a disclaimer might ask how he can get assurance if legal liability has been disclaimed. The answer is that the user can rely on “collective intelligence.” The user can observe the collective behavior of the community using the block chain to understand the risk associated with it. If a large and smart community is using the block chain in a <a href="http://hack-igations.blogspot.com/2013/08/secrets.html" target="_blank">transparent</a> way, then the user can sense a measure of assurance, though he knows he probably cannot use the legal system to enforce that assurance.<br />
<br />
<h3 style="text-align: left;">
Cyber Insurance Distributes Risk.</h3>
<br />
Another way to manage risk is to acquire insurance. Some block chains may require participants to pay a fee, part of which could go to the purchase of cyber insurance to cover the participants for risk of loss.<br />
<br />
Alternatively the terms of a block chain might require that each participant purchase certain insurance for itself and absolve all other participants of liability.<br />
<br />
<h3 style="text-align: left;">
Hold Harmless Clause Assigns Risk and Incentives.</h3>
<br />
The absolution of liability might be worded different ways, depending on the needs and culture of the community. For instance, an absolution of liability might include:<br />
<br />
<ol style="text-align: left;">
<li>An indemnification clause in which each participant holds each other participant harmless from any claims based on the first participant’s reliance.</li>
<li>A caveat that the absolution of liability does not apply to intentional fraud, which is proven beyond a reasonable doubt. Such a caveat sets up a high standard of evidence that a participant must meet in order to collect from others on account of their misdeeds.</li>
</ol>
<br />
<br />
By: <a href="https://plus.google.com/+BenjaminWright1" rel="author" target="_blank">Benjamin Wright</a><br />
<br />
==<br />
<br />
<b><span style="font-size: xx-small;">Footnote:</span></b> The “unit of trust” might measure any number of things. In Bitcoin it measures a debit or credit of <a href="http://hack-igations.blogspot.com/2014/07/bitlicens.html" target="_blank">bitcoin</a>. But the unit of trust could measure ownership of land or commodities. It could even measure community perception on whether an entity or individual professional is in compliance with law, ethical principles or industry standards.
<br />
<br />
Related:<br />
<br />
<ol style="text-align: left;">
<li>Declaration of entire crypto 2.0 project as <a href="http://hack-igations.blogspot.com/2015/01/decentralization.html" target="_blank">"as-is" and "use at your own risk"</a> </li>
<li>Recording <a href="http://hack-igations.blogspot.com/2014/07/virtual-currency.html" target="_blank">Bitcoin Legal Evidence</a></li>
</ol>
</div>
<h2 style="text-align: left;">
Bitcoin Services Agreement | What Terms Should a Customer Demand?</h2>
Published 2014-09-29, updated 2014-10-10.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Many wallets and platforms like Coinbase provide services to Bitcoin and other cryptocurrency customers. Typically a service provider requires customers to agree to the provider’s standard terms of service. And typically individual and small business customers lack leverage to negotiate these terms.<br />
<br />
However, some customers do have leverage. Customers may have leverage because they bring a large volume of business to the provider, or they have teamed up with other customers to negotiate as a group. Alternatively they possess the patience to shop among service providers to find the most favorable legal terms.<br />
<br />
<h2 style="text-align: left;">
What Terms Protect the Customer’s Interest?</h2>
The following are some (not all) of the terms that customers may desire but that are not commonly offered to small customers:<br />
<br />
<h2 style="text-align: left;">
1. A Clear Statement of What Services Are Being Provided to the Customer</h2>
<br />
Technology services providers are known for being vague about what services they are providing the customer. Some Bitcoin service providers are equally vague. For example Coinbase’s standard User Agreement <a href="https://coinbase.com/legal/user_agreement" target="_blank">says</a>, “Coinbase securely stores 100% of all bitcoin associated with your Coinbase Account in a combination of online and offline storage.” However, the agreement itself does not define “storage.”<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiErKwZVUpQxNFpNWANYdCc_z3owo3bJtQebrYUlH5J4Q6BunE8UQNcqGQ2PetK7nCmJC1J3__dsYpcGD78XPZe4ZDckG26Xdmh38-oebxaIe06nhjI0b61FDg7YqypR4rc3-6gJTAthVo/s1600/Fiduciary+Duty.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="bitcoin ownership" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiErKwZVUpQxNFpNWANYdCc_z3owo3bJtQebrYUlH5J4Q6BunE8UQNcqGQ2PetK7nCmJC1J3__dsYpcGD78XPZe4ZDckG26Xdmh38-oebxaIe06nhjI0b61FDg7YqypR4rc3-6gJTAthVo/s1600/Fiduciary+Duty.jpg" height="113" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Legally, what does <br />
"storage" of bitcoin entail?</td></tr>
</tbody></table>
It may be that here “storage” means Coinbase is managing the credentials that control the credit of bitcoin to the address pertaining to the customer in the Bitcoin blockchain. But Coinbase’s Agreement does not say that. Further, it does not say the customer is entitled to those credentials and any value associated with them. It does not say that the blockchain address belongs to the customer.<br />
<br />
What does the User Agreement say that the customer is entitled to? The User Agreement does little more than imply that all the customer is entitled to (at most) “FEES PAID TO COINBASE BY YOU IN THE PRECEDING THREE (3) MONTHS.” See Section 9.1. That’s it.<br />
<br />
Coinbase’s User Agreement seems to say nothing about the customer being able to obtain the customer’s blockchain credentials or the blockchain credit pertaining to the customer. Maybe that is because the customer is not entitled to those things. But if that is the case, I’ll bet many customers would be surprised. The customer may think he has 10 bitcoin, but in fact all he has is the right to obtain from Coinbase a return of the past three months of fees (at most). Those fees could be worth much less than 10 bitcoin.<br />
<br />
<h2 style="text-align: left;">
2. Effort to Overcome Force Majeure</h2>
<br />
Service providers often insist on a “Force Majeure” clause in their agreements. And that may be fair as far as the customer is concerned.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrFHFh6yHgbRL9Tw6TsojKBKaQm9OlOq3jtt-xIp6idCrJhJnf1Rd6goFeyskXdLJVL5gaLToCfP_4qLNZkCfVOOrSxNZIBNWLfKPfv23T9PsuS0fRE4JldHonErPSmZXy36DbcG1g5Zo/s1600/Force+Majeure.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Fire" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrFHFh6yHgbRL9Tw6TsojKBKaQm9OlOq3jtt-xIp6idCrJhJnf1Rd6goFeyskXdLJVL5gaLToCfP_4qLNZkCfVOOrSxNZIBNWLfKPfv23T9PsuS0fRE4JldHonErPSmZXy36DbcG1g5Zo/s1600/Force+Majeure.gif" height="200" width="113" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">What if fire strikes?</td></tr>
</tbody></table>
“Force Majeure” means superior force. Typically a Force Majeure clause says the service provider is excused from performing services in the face of a superior force such as war, natural disaster and the like.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dx1J9ZlXfuq2cBjrfs7HdS5j-Ss464EIHZhZUe3CICoTYxgz7lPwEUIl_I-WbrmGg8pRtjlP8AN_wrjYi6fqg' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
However, the customer prefers that the Force Majeure clause not allow the provider simply to close shop in the event of adversity. For example if the customer is a merchant, and the service provider ceases operation on account of an earthquake, then the customer is left in the lurch. So the customer wishes for the provider to work to overcome the adversity.<br />
<br />
The customer might insist that the agreement provide:<br />
<ul style="text-align: left;">
<li>the service provider will promptly notify the customer of the force majeure event and then regularly update the customer about the status of the event; and</li>
<li>the service provider will use commercially-reasonable efforts to overcome the event. (In other words the provider will take reasonable disaster recovery measures and will strive to return to normal service quickly.)</li>
</ul>
<br />
<h2 style="text-align: left;">
3. Response to Subpoena or Court Order for Information</h2>
The service provider holds sensitive information about the customer. That information might include address data, transaction history, blockchain credentials, investment details and more. The information might be relevant to divorce, tax collection, private lawsuits, bill collection, child support obligations and many other disputes.<br />
<br />
Adversaries to the customer might try any number of legal means to get the information from service provider. They might try a civil subpoena, a tax summons, a police raid or a grand jury subpoena. An official order demanding information might issue from most any legal jurisdiction in the world (e.g., Uganda or Canada), regardless of the geographic location of the customer or the service provider.<br />
<br />
The legal validity of a subpoena or other demand for information can be open to dispute. It is possible that an adversary would issue a subpoena that is unjustified or overly-broad. What is worse, sometimes Internet service providers (especially smaller ones that lack a large legal staff) can be overly generous in responding to a subpoena and turn over more information than is required. (See <i>Theofel vs. Farey-Jones</i>, 341 F.3d 978, 981 (9th Cir. 2003), in which an ISP disclosed too much of a business customer’s email to the customer’s lawsuit opponent.)<br />
<br />
Accordingly, a customer desires terms like these: If someone makes a legal demand for records about the customer, then . . .<br />
<br />
<br />
<ul style="text-align: left;">
<li>service provider will promptly give a copy of the demand to the customer. (Under rare circumstances the service provider is forbidden by law from informing the customer that US law enforcement is seeking information about the customer.)</li>
<li>service provider will wait to comply with the demand until the applicable deadline. Often a subpoena will give the service provider, say, two weeks to comply. If the service provider waits to the end of the two weeks, that gives the customer time to study the subpoena and react to it. The customer might for instance believe the subpoena is invalid or overly-broad; so the customer might appeal to a court to “quash” the subpoena or reduce its scope. (See details about <a href="http://hack-igations.blogspot.com/2012/08/demand.html" target="_blank">quashing a subpoena</a> in a US court.)</li>
</ul>
<br />
<br />
Similarly customer desires that service provider enter a non-disclosure agreement (“NDA”). Under common NDA terms the service provider would not disclose or use customer records without permission (except as required by law). The customer does not want the service provider to give customer’s information to customer’s competitors. Neither does the customer want service provider itself to use customer’s trading data to compete with customer.<br />
<br />
<h2 style="text-align: left;">
4. Cooperation with Audits, Investigations or Requests for Information</h2>
<br />
Just as a customer is reluctant to let adversaries access the customer’s information held by the service provider, the customer desires assurance that the customer itself can access its own information and details about how transactions are processed.<br />
<br />
A customer desires an agreement that under no circumstances will service provider:<br />
<br />
<br />
<ul style="text-align: left;">
<li>place a <a href="http://hack-igations.blogspot.com/2014/09/Cryptocurrency-Agreement.html" target="_blank">lien</a> on customer’s data [A lien is a legal measure that impairs a person's freedom to sell or transfer its property, such as its data.]; or</li>
<li>deny customer access to his/her data.</li>
</ul>
<br />
<br />
Sometimes technology service providers take the position that in a dispute with the customer, the provider can withhold data or deny service. For example, the vendor of a cloud-based electronic patient record system <a href="http://www.bostonglobe.com/news/nation/2014/09/21/electronic-health-records-vendor-compugroup-blocks-maine-practice-from-accessing-patient-data/6ILpMv78NARDsrdU5O0T9N/story.html" target="_blank">recently denied</a> a medical practice in Maine access to its own patient records!<br />
<br />
But from the perspective of the customer, the service provider holds unfair advantage if it can hold data hostage in the event of a dispute. The customer argues that if there is a dispute the service provider should not hold data hostage; instead, service provider can sue the customer and enforce the results of the lawsuit through normal legal procedures.<br />
<br />
The customer may have both a commercial need and an ethical need to access its records. What would be an example of an “ethical” need for records? Suppose the customer were a law firm. The law firm might be controlling bitcoin on behalf of a client in settlement of a dispute. The law firm is obligated under its professional code of ethics to ensure it has access to the relevant records.<br />
<br />
What’s more, the customer may need assurance that the customer’s auditors can confirm and understand transactions. Relevant auditors might include financial auditors, tax auditors and security/internal control auditors. Hence the customer might insist that the service provider:<br />
<br />
<br />
<ul style="text-align: left;">
<li>maintain adequate documentation about how its system works; and</li>
<li>cooperate with customer’s auditors.</li>
</ul>
<br />
<br />
For its part, service provider might insist that it be compensated if its staff must spend time responding to audit requests.<br />
<br />
With regard to the security/internal control auditors looking out for the interests of customers: the service provider may find it is impractical to respond to all customer audit requests one by one. Therefore the service provider might itself hire a single auditor to conduct an audit for the benefit of all of its customers under a standard like Statement on Standards for Attestation Engagements <a href="http://ssae16.com/SSAE16_overview.html" target="_blank">(SSAE) No. 16</a> published by the American Institute of Certified Public Accountants (AICPA).<br />
<br />
<h2 style="text-align: left;">
These Ideas Apply Beyond Cryptocurrencies.</h2>
The foregoing terms are not unique to Bitcoin. They might serve the needs of customers of many kinds of technology and e-commerce services.<br />
<br />
If I’ve made any mistakes, please let me know so I can correct myself.<br />
<br />
By: <a href="http://about.me/benjaminwright" target="_blank" title="social media investigation">Benjamin Wright</a><br />
<br />
[The foregoing is not legal advice for any particular situation. If you need legal advice, you should retain and consult a lawyer.]<br />
<br />
Related:<br />
<br />
<ul style="text-align: left;">
<li>How to interpret a <a href="http://hack-igations.blogspot.com/2014/09/Cryptocurrency-Agreement.html" target="_blank">contract for payment by Bitcoin</a>.</li>
<li>How to Address <a href="http://hack-igations.blogspot.com/2014/10/open-ledger.html" target="_blank">Block Chain Legal Liability</a></li>
</ul>
<br />
<div>
<br /></div>
</div>
Posted by Benjamin Wright, 2014-09-14 (updated 2014-09-29)<br />
<b>How to Write, Interpret, Enforce a Contract for Bitcoin</b><div dir="ltr" style="text-align: left;" trbidi="on">
<b>Stated Terms and Conditions Influence Legal Result.</b><br />
<br />
Suppose John offers to sell a valuable widget to Betty in exchange for Betty agreeing to “pay 5 bitcoin” and Betty accepts the offer. They agree by recorded audio:<br />
<br />
<iframe frameborder="no" height="100" scrolling="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/167616059&color=ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false" width="100%"></iframe> <span style="font-size: xx-small;">[In regards to audio contract, see footnote below.]</span><br />
<br />
Then suppose John delivers the widget to Betty, but Betty fails to deliver the bitcoin.<br />
<br />
What are John’s legal rights?<br />
<br />
<h3 style="text-align: left;">
Mutual Consideration Supports Contract.</h3>
<br />
Under US law it appears John and Betty have formed a legally enforceable contract. The parties made mutual promises for valuable consideration. The widget is valuable, and the bitcoin is valuable under current market conditions.<br />
<br />
But the novelty of Bitcoin could make the precise outcome of a lawsuit by John against Betty hard to predict.<br />
<br />
<h3 style="text-align: left;">
The “Money” that Is Not Money.</h3>
<br />
Although some people use the word “currency” to describe the phenomenon popularly known as Bitcoin, <a href="http://hack-igations.blogspot.com/2014/07/bitlicens.html" target="_blank">Bitcoin might not</a> actually be a “currency.” Unlike dollars, it has not been deemed in US law as legal tender that can be used to extinguish a debt.<br />
<br />
Further, the Internal Revenue Service views bitcoin as property (which is subject to capital gains taxes) rather than currency (which normally is not subject to capital gains taxes).<br />
<br />
<h3 style="text-align: left;">
What Are the Remedies for Breach of a Virtual Money Contract?</h3>
<br />
So if John sues Betty for breach of contract, it seems he could succeed in showing he is the victim of a breach and he is entitled to remedy under contract law.<br />
<br />
But it could take some effort for a court to understand the contract.<br />
<br />
Bitcoin is a specific example of a general idea. The general idea is trading by way of a <a href="http://www.businessinsider.com/bank-of-england-report-on-bitcoin-2014-9" target="_blank">distributed cryptographic ledger</a>. In Bitcoin the distributed ledger is called the "block chain."<br />
<br />
If a distributed ledger is competently designed and implemented, it inherently follows the rules programmed into its software. As people use the software, they adopt "customs" of trade that can be understood without a lot of explanation by contract for each trade. For example, by Bitcoin custom the term "to pay" five bitcoin arguably means to modify the block chain to indicate as follows:<br />
<br />
1. debit five bitcoin from the payer's address identified in the block chain; and<br />
<br />
2. credit five bitcoin to the payee’s address identified in the block chain.<br />
<br />
<h3 style="text-align: left;">
Industry Custom May Resolve Some Ambiguity.</h3>
<br />
Thus, John and Betty’s contract says she will “pay” 5 bitcoin to John. The custom around Bitcoin suggests that Betty is required to interact with the block chain to debit 5 bitcoin relative to her address and credit 5 relative to his address.<br />
<br />
However, bitcoin and similar technology are evolving so quickly that clear custom may not have had time to coalesce. A full review of interactions with the block chain around the world may show confusion or ambiguity about what is customary and what is not customary. (See story about a <a href="http://www.cryptocoinsnews.com/coinbase-extreme-bitcoin-transaction-delays-cause-problems-vendors-yet-tiger-direct-ignores-customers-happen/" target="_blank">failed Bitcoin transaction</a>.)<br />
<br />
In contract practice, if there might be confusion about custom, the draftsman of the contract can employ words to reduce the confusion. He might for instance write out a long statement of steps that Betty will follow to cause and confirm a 5 bitcoin credit to appear relative to John’s address.<br />
<br />
Alternatively, he might refer to an authoritative statement of Bitcoin custom. He might say in the contract, “This contract will be interpreted under Bitcoin custom as articulated in https://en.bitcoin.it/wiki/Main_Page ." That sentence might resolve many questions about custom, but probably not all questions.<br />
<br />
<h3 style="text-align: left;">
What Should Happen in a Court of Law?</h3>
<br />
However, neither block chain software nor Bitcoin custom explains what should happen in a court of law if a party fails to execute a trade (e.g., Betty fails to “pay” the five bitcoin).<br />
<br />
The software and the custom fail to explain what the consequences should be if Betty does not control the agreed amount of bitcoin at the time in question. Is she required to purchase five bitcoin and then transfer it to John?<br />
<br />
Or can she satisfy her obligation by delivering to John a quantity of pork bellies (a valuable commodity) equal in value to five bitcoin? That particular outcome does not seem right because we have no evidence that John is easily able to accept pork bellies.<br />
<br />
<h3 style="text-align: left;">
What Should Be the Remedy for Breach of Contract?</h3>
<br />
If a court forced Betty to render to John 5 bitcoin using the block chain process, that outcome could be called “specific performance” under contract law. Specific performance means Betty must literally do what the contract says. But commonly US courts disfavor specific performance.<br />
<br />
Specific performance requires the court to understand what is going on.<br />
<br />
In order for a court clearly to understand specific performance in Bitcoin, the court might need to digest quite a bit of testimony from experts. The experts would have to explain to the court how the block chain works and so on. That would be a lot of work for the court.<br />
<br />
<h3 style="text-align: left;">
Courts Prefer Money Judgment Rather Than Specific Performance.</h3>
<br />
Instead, a court is likely to prefer to give to John a “judgment” for an amount of legal-tender-money equal to the value that Betty failed to deliver to John. A judgment is a ruling that enables John to take legal action relative to Betty and her property.<br />
<br />
This judgment is the contract law remedy for Betty's breach of contract; it is an official statement that Betty owes a debt to John.<br />
<br />
This kind of remedy is called a “money judgment.” A money judgment is easier for a US court to understand and oversee.<br />
<br />
In the US legal system, money judgments are rendered and enforced all the time. Our system has managed money judgments for centuries.<br />
<br />
In contrast, to require Betty specifically to execute some performance relative to the so-called “block chain” would be – for a court – a new and complex exercise.<br />
<br />
<h3 style="text-align: left;">
Money Judgment Means Greenback Dollars.</h3>
<br />
Typically, in a US court, the amount of money in a judgment would be stated in US dollars. If John does obtain a court judgment, he can use regular court procedures to enforce the judgment. Enforcement can include an array of actions by John, including placing and foreclosing a lien on Betty’s property, like<br />
<br />
<ul style="text-align: left;">
<li>her house, </li>
<li>her car, </li>
<li>her bank account which is denominated in dollars or euros, </li>
<li>her pork bellies, </li>
<li>her intellectual property such as a patent, . . . or </li>
<li>(theoretically) her bitcoin.</li>
</ul>
<br />
But typically the calculation of satisfaction of the judgment would be made in dollars.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWo0V4MGHpeAxlKhfAPmKmItOyXn2xBiLs5vmGFTloXAp5EnFjbKXnMhRfWBscoT2HyiN7IhYa7xzydBZgEve52WDVpMzjdPHYkEn8vnoIV7t4WICtjs_pEzYBLjj82oEq7avkdl-tDR4/s1600/Fiat.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="legal tender" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWo0V4MGHpeAxlKhfAPmKmItOyXn2xBiLs5vmGFTloXAp5EnFjbKXnMhRfWBscoT2HyiN7IhYa7xzydBZgEve52WDVpMzjdPHYkEn8vnoIV7t4WICtjs_pEzYBLjj82oEq7avkdl-tDR4/s1600/Fiat.gif" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Court Judgment<br />
Calculated in US Dollars.</td></tr>
</tbody></table>
<br />
For example, if John’s judgment is in the amount of $2500, then the value of his lien on Betty’s house would be up to $2500. When Betty sells her house, John would be entitled to $2500 of the proceeds.<br />
<br />
Typically Betty could satisfy the judgment by paying John the requisite number of dollars.<br />
<h3 style="text-align: left;">
But What If John Wants Specific Performance?</h3>
<br />
Let’s say John is really serious, at the outset of the contract, about wanting 5 bitcoin, rather than dollars. He could write the contract to state in detail something like the following:<br />
<br />
(A) Betty represents that she controls a Bitcoin address with at least 5 bitcoin of credit.<br />
<br />
(B) Betty will execute specific steps to credit 5 bitcoin to the Bitcoin address identified by John.<br />
<br />
(C) If Betty fails to follow the steps, then John “will suffer irreparable harm and significant injury the degree of which may be difficult to ascertain.”<br />
<br />
(D) John is entitled to an order from court requiring Betty specifically to execute the steps articulated under (B) above. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimYgQn3-TsZMy5LQtUfPsC8SCAn0pLyGZTSIc1KQyX1vJleTGenj1K7dHJNkDtj9NvHgv_SoUYU052zBI2yeAFfxtGNNmNPloa8jbRaGts1ZGcBnGeonIbzjQP0DpWNiopxPlj5yDQ2cQ/s1600/blockchain.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="bitcoin symbol" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimYgQn3-TsZMy5LQtUfPsC8SCAn0pLyGZTSIc1KQyX1vJleTGenj1K7dHJNkDtj9NvHgv_SoUYU052zBI2yeAFfxtGNNmNPloa8jbRaGts1ZGcBnGeonIbzjQP0DpWNiopxPlj5yDQ2cQ/s1600/blockchain.jpg" height="200" width="110" /></a></div>
<br />
<h3 style="text-align: left;">
Written Contract Details Add Certainty.</h3>
<br />
The contract as stated in the audio above leaves open to interpretation questions like:<br />
<br />
<ul style="text-align: left;">
<li>when Betty must pay the bitcoin;</li>
<li>whether interest will accumulate if Betty fails to pay on time;</li>
<li>which jurisdiction’s law governs the transaction (e.g., Texas . . . or Alberta);</li>
<li>whether the party enforcing the contract in court receives compensation for the cost of enforcement, such as attorneys’ fees;</li>
<li>how the widget will be tendered or delivered.</li>
</ul>
<br />
<br />
Details like these can be specified in a well-written contract, and can help John with his enforcement.<br />
<br />
<h3 style="text-align: left;">
Analysis of Example Agreement</h3>
<br />
Let’s look at a well-known contract that refers to Bitcoin practice, <a href="https://coinbase.com/legal/user_agreement" target="_blank">Coinbase’s User Agreement</a>. Coinbase is a well-known Bitcoin wallet and platform.<br />
<br />
Section 2.4 of the agreement says, “Coinbase securely stores 100% of all bitcoin associated with your Coinbase Account in a combination of online and offline storage.”<br />
<br />
What does that sentence mean? The words “store” and “storage” are metaphors for complex and possibly ambiguous ideas. They mean something other than simply:<br />
<br />
(a) keeping physical objects in a three dimensional place (e.g., keeping in a box a sheet of paper bearing the words “one bitcoin”); or<br />
<br />
(b) the retention of specific data that expresses bitcoin. (Example: It’s not like storing on a hard drive the content of a distinct Excel spreadsheet that says, “Ben has 6 bitcoin.”)<br />
<br />
If a customer wanted to reduce the ambiguity of those words “store” and “storage,” then the customer could insist that the agreement provide much more detail. Alternatively the customer might insist that the agreement say that terms like “store” and “storage” will be interpreted under Bitcoin custom as articulated at a place like <a href="https://en.bitcoin.it/wiki/Main_Page">https://en.bitcoin.it/wiki/Main_Page</a> .<br />
<br />
So a general message to readers is that a contract for bitcoin can be written with details that help to reduce risk and misunderstanding. A talented draftsman uses judgment to know how much detail is enough and how much is too much.<br />
<br />
This is an intriguing topic, and I’d like to talk about it. Please comment. If I’ve made any mistakes, please let me know.<br />
<br />
By: <a href="https://plus.google.com/+BenjaminWright1/about" target="_blank">Benjamin Wright</a><br />
<br />
You might also like:<br />
<br />
<ul style="text-align: left;">
<li>How to capture legal and accounting <a href="http://hack-igations.blogspot.com/2014/07/virtual-currency.html" target="_blank">evidence of a bitcoin transaction</a>.</li>
<li> Terms of <a href="http://hack-igations.blogspot.com/2014/09/Altcoin-Contract.html" target="_blank">Bitcoin Wallet</a> and Services.</li>
</ul>
<br />
<br />
<b>*Footnote</b>: Under the Statute of Frauds, this contract might need to be evidenced by a “signed writing” to be enforceable. An audio recording can constitute a “signed writing.” <i>Ellis Canning v. Bernstein</i>, 348 F. Supp. 1212 (D. Colo. 1972).<br />
<div>
<br /></div>
</div>
Posted by Benjamin Wright, 2014-09-09<br />
<b>How to Talk Publicly about Data Security Breach</b><div dir="ltr" style="text-align: left;" trbidi="on">
Major data security breaches are becoming more common. Among the many that have unfolded in 2014 are Target stores and Community Health Systems (the second-largest for-profit U.S. hospital chain).<br />
<br />
Now Home Depot, another major retailer, is in the throes of a substantial payment card breach, apparently involving both credit cards and debit cards.<br />
<br />
Home Depot is making some limited public statements. The Home Depot story is only beginning.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhegyzkhTrZBGNu8FyYbV3kwhTN7r5I04Mq5oh9son7e0g4WNLejHIV99ZM0E-JJPcXbjBCKfaF0JFE3dDNMjiU-8fLIxTNuTB7fU0rP7KyDjACg3kJi0MOWkkXvxLLWjS4sCNt-OOfMdo/s1600/public+relations.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhegyzkhTrZBGNu8FyYbV3kwhTN7r5I04Mq5oh9son7e0g4WNLejHIV99ZM0E-JJPcXbjBCKfaF0JFE3dDNMjiU-8fLIxTNuTB7fU0rP7KyDjACg3kJi0MOWkkXvxLLWjS4sCNt-OOfMdo/s1600/public+relations.PNG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Press Releases Matter</td></tr>
</tbody></table>
Home Depot’s public communications will influence the final outcome of this data breach in terms of law, reputation and customer relations.<br />
<br />
I teach a technology law course at the SANS Institute. A key topic is how to communicate publicly about information security, including data breaches and other infosec incidents. In that course students and I review the (in)famous TJX breach (2007). We compare the experience at TJX with the lessons from Target and Sony Playstation Network (2011 breach).<br />
<br />
Now, early September 2014, Home Depot’s crisis is playing out. So . . . as of the live delivery of the SANS course October 2014, we will also compare Home Depot’s public and legal response.<br />
<br />
The title of the course I teach is <a href="http://www.sans.org/course/law-data-security-investigations" target="_blank">Law of Data Security and Investigations</a>. The course is unique in the world. <br />
<br />
The goal of the course is to equip professionals with the skill and knowledge necessary to respond to future events in computer security and investigations.<br />
<br />
By: Attorney Benjamin Wright<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="186" src="//www.youtube.com/embed/W0VTrVZwM9o?list=UU7SvcYFGQnGlHAVG1wyQK8A" width="330"></iframe>
</div>
Posted by Benjamin Wright, 2014-08-23 (updated 2015-12-03)<br />
<b>How to Record Evidence from a Mobile Device</b><div dir="ltr" style="text-align: left;" trbidi="on">
Dual-camera video recording on a smart phone can be very handy for a professional investigator such as a financial auditor or a forensics expert.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT5_fvwCj3I0_Q-VYMAxdwZUPwpPA0e1EHXEm8-3X7O5g6HKD9u_RnISQo7-HCy7JoSdBg_EGCTgKYUEyEjl1uQFvs-SGBUluRmtWbxcBiFqfMKgVDZJwDpAW_-AcPD41AyFfKPJYfruY/s1600/Two-camera+video.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="believable memory" border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT5_fvwCj3I0_Q-VYMAxdwZUPwpPA0e1EHXEm8-3X7O5g6HKD9u_RnISQo7-HCy7JoSdBg_EGCTgKYUEyEjl1uQFvs-SGBUluRmtWbxcBiFqfMKgVDZJwDpAW_-AcPD41AyFfKPJYfruY/s1600/Two-camera+video.PNG" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Video Affidavit</td></tr>
</tbody></table>
The video below demonstrates how an investigator can use a dual-camera video (on a smartphone) to record evidence displayed on a second mobile device. In this case the second mobile device is an e-ink reader.<br />
<br />
The video evidence shows how the e-ink reader works as it renders data from the cloud. The “data from the cloud” in this case is just the content from one of my web sites. The e-ink reader features an odd web browser; it blinks as the user scrolls. The point of the demonstration is that the video records exactly:<br />
<br />
<ol style="text-align: left;">
<li>how the e-ink reader worked (or didn't work) at the time of investigation; and</li>
<li>what information rendered from "the cloud" on the e-ink reader's browser client.</li>
</ol>
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="248" src="//www.youtube.com/embed/_Z2OUgZWhdI?rel=0" width="330"></iframe>
<br />
<br />
This video is the latest in a series of videos and blog posts I publish to demonstrate how to capture and preserve legal and audit evidence from social media or the Internet of Things.<br />
<br />
<h3 style="text-align: left;">
A Legal Affidavit Confirms Validity by Placing Investigator's Professional Reputation on the Line.</h3>
<br />
My publications showcase the idea that evidence is more legally useful if it is formally “signed” in realtime by the investigator via webcam or microphone. The realtime signature by the investigator makes the whole record a kind of <i>affidavit</i>. The affidavit could be powerful in court years later when the investigator might not be available to testify about what he witnessed at the time of investigation.<br />
<br />
The realtime signature of a record by an ethical and responsible investigator lends credibility and authenticity to the record.<br />
<br />
What’s new about this video is that it uses the <a href="https://play.google.com/store/apps/details?id=wik.dualcamera&hl=en" target="_blank" title="android app">dual-camera recording</a> capability of an advanced Android phone. The phone I used was an HTC One M8.<br />
<br />
<h3 style="text-align: left;">
Investigator Records His Face, Lips and Voice.</h3>
<br />
In the video above, the investigator appears in the small window at the top. As the investigator uses the back-facing camera to record what appears on the e-reader, he records himself with the front-facing camera. The recording of the investigator himself serves two purposes:<br />
<br />
1. It narrates the evidence. It explains to the future viewer, such as a jury, what is happening as he manipulates the evidence source -- that is, the browser app on the e-ink reader.<br />
<br />
2. It authenticates the whole compilation of video evidence. The investigator says, "I hereby sign and affirm this video . . . ". That is a legal signature, binding on the investigator. It is probative to a viewer such as a court who tries to evaluate the credibility of the video as evidence later.<br />
<br />
<h3 style="text-align: left;">
Video of Forensic Examiner Reveals Too Much?</h3>
Some professional investigators are hesitant to create video of themselves or the labs in which they collect and assess evidence. They worry they may inadvertently capture a record of their identity, behavior or surroundings that might be misused by an adversary, such as a defense attorney who cross-examines an investigator in a criminal trial and tries to discredit the investigator's work or the investigator's ethics.<br />
<br />
For example, a video might inadvertently show a can of soda in the lab; food and drink are often forbidden by policy in a forensics lab because they can contaminate evidence. The appearance of the can could raise questions about the competence of the investigator's lab and the ethics of an investigator who has testified that she adheres to high standards of quality.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJzxxVa8Y8PCLjyTvBvFG6mC0H5QniQJZK8BJ_7nW7cj-BhjQ07YbPldiR_qhv6h0sOEYx36u-M2X5jb4xUd-B7Bj5V0g_3O-kwPFpU_mkA0nptNI4icubBwxnNflMBh__1_Upqcxo0-I/s1600/contraband.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="lab contamination" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJzxxVa8Y8PCLjyTvBvFG6mC0H5QniQJZK8BJ_7nW7cj-BhjQ07YbPldiR_qhv6h0sOEYx36u-M2X5jb4xUd-B7Bj5V0g_3O-kwPFpU_mkA0nptNI4icubBwxnNflMBh__1_Upqcxo0-I/s1600/contraband.jpg" width="122" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Unexpected evidence of policy<br />
violation in forensics lab!</td></tr>
</tbody></table>
If the investigator is concerned that video of his/her face reveals too much, then the investigator might record only audio of his/her vocal narration of the video of what s/he observes. See an example of that idea: <a href="http://legal-beagle.typepad.com/security/2011/10/cops.html" target="_blank">http://legal-beagle.typepad.com/security/2011/10/cops.html</a><br />
<br />
<h3 style="text-align: left;">
I Publish Many Blog Posts on Video-Recorded Legal and Accounting Evidence.</h3>
<br />
For more detail on these ideas, including analysis and evaluation of alternative forensic tools, please see:<br />
<br />
<ul style="text-align: left;">
<li><a href="http://hack-igations.blogspot.com/2014/07/virtual-currency.html" target="_blank">Screencast of behavior of online Bitcoin Wallet</a></li>
<li><a href="http://hack-igations.blogspot.com/2011/11/electronic-contracts.html" target="_blank">Online trading evidence to show terms of contract</a> </li>
<li><a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2011/04/credible.html" target="_blank">Live instant message interaction with a criminal showing text, images and format</a></li>
<li><a href="http://hack-igations.blogspot.com/2013/12/robot-sensor.html" target="_blank">Drone video affidavit by remote pilot</a> </li>
<li><a href="http://hack-igations.blogspot.com/2015/12/virtual-reality.html" target="_blank">Legal and audit evidence recorded from augmented reality</a> </li>
</ul>
<br />
I am keen to hear your comments.<br />
<br />
<b>P.S.</b> Although the video above shows how to capture evidence flashing on a computing device (that is, the e-reader), it could also be applied to the <a href="https://www.youtube.com/watch?v=Hr6rTzmpGQ8" target="_blank">recording of physical objects such as papers</a> or a crime scene. The investigator could use the back-facing camera on her phone to record "the evidence," while simultaneously using the front-facing camera to record her face as she vocally describes and authenticates what she witnesses with her visual, auditory, tactile and olfactory senses.<br />
<div>
<br /></div>
</div>
Posted by Benjamin Wright