Category Archives: Legal

California Appeals Court Holds Amazon Strictly Liable

This is a very interesting situation and could affect some businesses and all consumers. Amazon is likely to appeal to the California Supreme Court, so this is not over.

Amazon and many other online retailers (Walmart and Target just to name two) sell both their own stuff and other vendors’ stuff on their web site. Amazon calls theirs a “marketplace”. In many cases, Amazon even fulfills the order. Amazon’s objective in this lawsuit is to use the same argument that Uber and others use – we are just a technology platform – don’t blame us for what happens there.

That strategy worked ten years ago, but it has been working less and less – just ask Uber how much their legal fees have been lately.

At the core, it is about who is financially liable when something goes wrong in cyber-land. In this case, the product was a battery. The battery was not sold by Amazon, but it was sold on the Amazon web site, Amazon did collect the money and Amazon even shipped the product to the customer.

If you go into a retail store, there is the concept of strict liability, which means that the seller is liable for a defective product regardless of fault: if the battery you bought at, say, Target explodes, Target is liable. Up until now, who is liable when the same product is sold online has been muddy, and folks like Amazon liked it that way. They certainly don’t want to be liable.

In a sense, I agree. In a sense. But Amazon would also like not to be responsible even when it is the seller.

It looks like that idea is not going to fly, as more courts say that a company that sells online, no matter what its business model, is the seller and therefore liable.

But here is the problem.

The Amazon (and other) marketplace is a very dynamic place. Vendors come and go and there are literally millions of products on the marketplace at any one time. Requiring Amazon and others to test every product is simply not feasible.

If they ask a vendor to certify that the product is safe, there is no way to validate that certification, and no way to verify that the vendor can defend Amazon and pay a judgment.

Amazon could buy insurance to cover the risk and just charge marketplace vendors an even higher percentage than they already do.

Or they could just decide that the marketplace model is not worth the pain and dump it.

So what is the upshot –

If you run an online business and you allow third party merchants to sell on your platform, understand the risk.

If you are a merchant who uses an online platform, know that your business model could be at risk.

If you are a consumer, understand that your choices may decrease.

While this only affects California and could be overturned, it isn’t looking good for Amazon. The Assembly passed a bill this year (the Senate did not) that would have written this into law.

Since California is like the world’s 5th or 6th biggest economy, other states are watching and will probably follow suit.

If this is of interest to you, I invite you to read Professor Goldman’s extremely detailed analysis. While he is a law professor, he writes, amazingly, in English that humans can comprehend. Credit: Eric Goldman

FBI: Ring Doorbell Good, Ring Doorbell Bad

Yup, sometimes tech is a double edged sword.

While smart doorbells and other web based security cameras discourage crooks, it is not all good news, says the FBI in a report that was not meant for public release.

On the good side, you get to see who is outside your place (home or work). Typically, these devices are motion sensitive. They usually record the video, either locally or in the cloud.

If your place is broken into, many times the police have pictures both of the bad guys and also what they took.

In fact, Ring, a division of Amazon, is working with the police in hundreds of cities to encourage sales. Amazon is giving the police some devices to give away free. All in hopes that other people buy one.

Why are the police excited? They hope that they can get homeowners and businesses to give them access to their accounts so that they can review footage to try and find bad guys. If the home or business owner hands over the video voluntarily, the police don’t need a warrant at all. That means they don’t need probable cause, they don’t need to spend the time applying for one and they don’t need to convince a judge that they meet the requirements.

Okay, so all of that is good. Why is the FBI saying it is bad?

Let’s say the cops suspect you of being a drug dealer. No, not that you; the other you.

So the cops might want to surveil your place for a while. But there are cameras. Some of those likely have motion detection, and even the ones that don’t might record the cops sitting in their car across the street or down the block. Those cameras might belong to a neighbor, not to you, and they are recording the cops’ every move.

For sure if they plan to burst in on you, that will trigger the motion sensor.

Which may give the bad you time to flush the evidence.

If there is a standoff between the police and bad you, those security feeds, maybe from a house across the street owned by a friend or accomplice, could give the bad you all sorts of tactical information.

And, of course, there are less nefarious issues. We have all seen people post snaps of videos on social media bypassing police all together and sometimes compromising their future case.

So, as is often the case, nothing in tech is simple. Good? Bad? Both?

Credit: Threatpost

Security News for the Week Ending September 4, 2020

Centurylink Routing Issues Lead to Massive Internet Outage

Last Saturday night/Sunday morning, Centurylink had a bit of a problem, either taking down or severely impacting web sites such as Cloudflare, Amazon, Steam, Twitter and many more. Just because the Internet was designed to stay operating in case of a nuclear attack does not mean that it is immune to human error or software bugs. Centurylink has not explained what happened. This particular outage nullified many business continuity strategies, because an upstream carrier problem takes out the redundant paths along with the primary. If staying online is important to you, this would be a good time to review your DR/BC program. Credit: Bleeping Computer

The New Normal: Dell Says 60% of Their Staff Will Not be Going Back to the Office Regularly

We are seeing more companies saying that they do not plan to return to office life, ever. Dell says that the majority of its 165,000 member workforce will never return to the office, or at least not regularly. Dell says “work is something you do, an outcome, not a place or time”.

Ignore for the moment what this means for the commercial real estate market if this becomes the new normal.

That means a significant change for your cybersecurity practices going forward. When the majority of your work is being done on a home network, over unencrypted wireless, through a router that was last patched in 2013, what does that mean for security? If that thought keeps you up at night, call us. Credit: The Register

Users’ Browsing Can Be De-Anonymized With Little Work, Researchers Say

Mozilla (Firefox) collected two 1-week browsing history datasets from 50,000 volunteers and was able to re-identify individuals from anonymized browsing data. Even for users who visited only 50 web sites during that period, they were able to re-identify up to 80% of them, and the odds improve when the researchers have more data. After all, who visits only 50 web sites in a two week period? The lesson is that the combination of sites you visit is a fingerprint even when no single site is identifying, so treat claims that data has been “anonymized” with great skepticism. Credit: Help Net Security
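To show why stripping names from browsing histories does not make them anonymous, here is an added example (mine, not code from the Mozilla study or the Help Net Security article). It uses constructed data for four made-up users: week 1 with identities attached, week 2 released under random pseudonyms. Each pseudonymous history is linked to the known user whose domain set is most similar (Jaccard similarity), and a second check shows how few of a user’s domains are needed to single them out. All the `.example` domains, the user names and the pseudonyms are invented for the illustration.

```python
"""Re-identifying 'anonymized' browsing histories by linking two observation windows.

Added example (not from the Mozilla study or the article). Constructed data for
four users: week 1 with identities known, week 2 with identities replaced by
pseudonyms and a little natural drift in what was visited. Linking is by Jaccard
similarity of the visited-domain sets; the point is that the *combination* of
sites, not any single site, is the fingerprint.
"""
from itertools import combinations

# Week 1: histories with the user's identity attached (e.g. a logged-in panel).
WEEK1 = {
    "alice": {"google.com", "youtube.com", "amazon.com",
              "knitting-weekly.example", "denver-post.example", "kaiser.example"},
    "bob":   {"google.com", "youtube.com", "facebook.com",
              "espn.example", "denver-post.example", "chase.example"},
    "carol": {"google.com", "facebook.com", "amazon.com",
              "knitting-weekly.example", "nytimes.example", "chase.example"},
    "dave":  {"google.com", "youtube.com", "facebook.com",
              "espn.example", "nytimes.example", "kaiser.example"},
}

# Week 2: the "anonymized" release. Identities replaced with random pseudonyms;
# browsing drifts a little (a site dropped here, a new one added there).
WEEK2 = {
    "u7f3": {"google.com", "youtube.com", "knitting-weekly.example",
             "denver-post.example", "kaiser.example", "weather.example"},
    "u2a9": {"google.com", "facebook.com", "espn.example",
             "denver-post.example", "chase.example", "weather.example"},
    "u5c1": {"google.com", "amazon.com", "facebook.com",
             "knitting-weekly.example", "nytimes.example", "chase.example"},
    "u8d4": {"google.com", "youtube.com", "espn.example",
             "nytimes.example", "kaiser.example"},
}

# Sites nearly everyone visits carry little identifying information on their own.
POPULAR = {"google.com", "youtube.com", "facebook.com", "amazon.com"}


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical domain sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def reidentify(known, anonymous, threshold=0.5):
    """Link each pseudonymous history to the best-matching known user.

    Returns {pseudonym: (user, similarity)}; a pseudonym whose best match
    scores below `threshold` maps to (None, similarity) instead of a guess.
    """
    links = {}
    for pseud, sites in anonymous.items():
        user, score = max(((u, jaccard(sites, s)) for u, s in known.items()),
                          key=lambda t: t[1])
        links[pseud] = (user, score) if score >= threshold else (None, score)
    return links


def uniqueness_fraction(histories):
    """Fraction of users whose exact domain set occurs only once in the population."""
    counts = {}
    for sites in histories.values():
        counts[frozenset(sites)] = counts.get(frozenset(sites), 0) + 1
    return sum(1 for s in histories.values() if counts[frozenset(s)] == 1) / len(histories)


def restrict(histories, allowed):
    """'Anonymize' by dropping every domain outside `allowed` (e.g. keep only popular sites)."""
    return {u: s & allowed for u, s in histories.items()}


def smallest_identifying_subset(histories, user):
    """Fewest of `user`'s domains that no other user's history also contains.

    Returns (size, subset); (None, None) if even the full set is shared.
    """
    others = [s for u, s in histories.items() if u != user]
    mine = sorted(histories[user])
    for size in range(1, len(mine) + 1):
        for subset in combinations(mine, size):
            if not any(set(subset) <= other for other in others):
                return size, frozenset(subset)
    return None, None


if __name__ == "__main__":
    for pseud, (user, score) in reidentify(WEEK1, WEEK2).items():
        print(f"{pseud} -> {user} (Jaccard {score:.2f})")
    print("unique full histories:", uniqueness_fraction(WEEK1))
    print("unique after keeping only popular sites:",
          uniqueness_fraction(restrict(WEEK1, POPULAR)))
    print("alice is singled out by", smallest_identifying_subset(WEEK1, "alice"))
```

All four pseudonyms link back to the right person even though none of the histories match exactly, and two of alice’s six domains are enough to separate her from everyone else. Keeping only the four popular sites does collapse two users into one profile, which is the intuition behind the study’s finding that the rarely visited sites are what carry the identifying information.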

US Federal Appeals Court Rules NSA’s Mass Surveillance Disclosed by Edward Snowden is Illegal

Seven years after Edward Snowden disclosed the existence of NSA’s mass surveillance program, a federal appeals court said the program is illegal. In defending the program, the NSA pointed to one case where NSA surveillance data was used, but the judge overseeing that case says that the NSA’s information was not material. However, the same court said that the folks convicted in that case are still guilty, so no getting off the hook based on that. Given the hundreds of millions of dollars spent on this program, the fact that the NSA can only point to one court case where the program had any effect should kill the program on effectiveness grounds anyway, but that is not the job of the court. I am sure the Republican administration will appeal this up to the Supremes, but they may or may not take the case, so stay tuned. Credit: Threatpost

Republican Plan to Ban Huawei Will Cost Americans $2 Billion

Now that the Republicans have decided (it is an election year) that Huawei is a national security threat (but wasn’t for the last three years), they have created a requirement to rip out and replace all of the existing Huawei (and ZTE) equipment that carriers are already using. The first step in this process was to ask the carriers well, how much will it cost to replace all that stuff. The carriers have come back with that initial estimate and it is $1.8 billion and change. Carriers are notoriously bad at estimating costs like this, so make it $2.5 billion or so.

BTW, I am not saying that the FCC is wrong, I just don’t understand why this wasn’t considered a problem in 2017 vs. two months before the elections.

Where is that money going to come from? There are really only two options – higher prices to customers and a taxpayer subsidy.

Curiously, the Republicans are complaining about a Chinese law that requires Chinese companies to comply with requests from the intelligence services and not tell anyone. If I was wearing a blindfold, that would sound exactly like the U.S. Foreign Intelligence Surveillance Act or FISA.

I have said for a long time that when it comes to telecom, the U.S. is basically a third world country (according to Wikipedia, we rank 30th in the world for mobile Internet connection speed). In the short term, carriers will slow down the rollout of 5G everywhere except really densely populated downtown cores. Verizon, for example, only covers 5% of the population with high speed 5G, where high speed means that a user can actually tell the difference between a 5G connection and a 4G connection. Other carriers cover more of the US, but with virtually no speed difference over 4G, and now even that rollout will likely slow down.

Gartner Says CEOs to be Personally Liable for CPS Breaches

Gartner defines Cyber-Physical Systems (CPS) as those systems “that are engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world, including humans”.

CPSs include many IoT and IIoT devices, critical infrastructure such as electric and water utilities, and healthcare systems, among others.

Gartner predicts that the LIABILITY from cyber incidents will fall DIRECTLY onto many CEOs by 2024. They say that CPS incidents will pierce the corporate veil and hold CEOs personally liable in 75% of the cases.

If you run a company, that should make you nervous.

In part, this is because regulators will increase rules and regulations governing these breaches.

Given that we are seeing a dramatically increasing frequency of alerts from the FBI, NSA, CISA and others, it is going to be hard for CEOs to claim they just didn’t know or understand.

Not even considering the cost of loss of human life, the costs of litigation, insurance, regulatory fines, compensation and reputation damage will be significant, they say.

Gartner says that the financial impact of CPS incidents resulting in human casualties (a small percentage of the total events) is predicted to run up a $50 BILLION bill by 2023.

While many companies claim that they don’t run any cyber physical systems, the reality is that even if they do not run any today, that will be technically impossible in a couple of years because there will be no other options available.

Try telling your electric company that you don’t really want a smart meter. For now, my electric company will allow me to keep my old, dumb meter, but they will tack on a $20 per month meter reading fee plus a one time $80 setup fee. As their smart meter rollout completes, that fee could be $50 or $100 a month as the person they have to keep on staff might only have a few meters to read each month. Expect the option to choose to go away in a couple of years.

In addition, smart systems will bring benefits to the company, possibly lower costs among them, and it will become impossible to keep good employees without them.

Finally, companies will need to install smart systems in order to support customers who have them at their own locations.

Bottom line, CEOs who do not up their security game may find themselves personally in court defending themselves. Credit: ZDNet

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bans the use of equipment and services tied to certain Chinese companies that have been deemed security threats by the United States. Companies that use this equipment won’t be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law. But contractors are allowed to self certify. While the ban went into effect on August 13th, the GSA training session for contractors has been delayed until mid-September, because they weren’t ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch, asks contractors to take notes on how this is screwing up their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow down clause, so primes are responsible for what their subs do, I guess. Sorry contractors. Credit: Federal Computer Week

Senators Say WikiLeaks Likely Knew It Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and WikiLeaks likely knew that it was helping Russia. The Senate report says WikiLeaks received internal DNC memos FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the person who was the link between the campaign and Russia. It seems odd that this Republican controlled committee would release this report days before the Republican National Convention’s nomination of Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s former Chief Security Officer with hiding information about the breaches Uber had in 2014 and 2016 and about payments made to the hackers to keep the 2016 breach quiet. He is being charged with obstruction of justice and misprision of a felony (i.e. concealing it). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer to that is, it depends. This week we found out one thing that happens to that data. The U.S. Secret Service buys it and uses it instead of having to get a warrant to obtain the same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market any products. Curiously, the company they bought it from does not advertise that it sells your data to the police. In fact, its agreement, similar to the agreement that the Stingray vendor makes police sign, forbids them from mentioning it in legal proceedings at all. When this has been an issue with Stingrays, the police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing to Police

Securus provides pay phone services in prisons at what most people say are exorbitant prices, sometimes 100 times the going rate outside. In theory (and in law), Securus is not supposed to listen to or record phone calls between inmates and their lawyers. The only reason they were caught was that a detective listening to recordings provided to him by Securus recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register

Federal Trade Commission Plans to Update Privacy Rule

Unlike Europe, the United States does not have a uniform national privacy law. Instead we have a patchwork of state laws and federal regulations that apply to one industry or another.

One of those regulations is Gramm-Leach-Bliley or GLBA. GLBA was signed into law in 1999 and written over the years prior to that. It is probably a bit long in the tooth, so to speak.

The Federal Trade Commission (FTC) is responsible for creating the rules that implement GLBA. One of those rules is called the Safeguards Rule, written in 2003. Last month the FTC held a workshop to discuss proposed changes to the Safeguards Rule.

The Safeguards Rule only applies to companies regulated by GLBA. That includes banks, insurance companies, lenders and investment advisors, among others. But because those companies must push the requirements down to THEIR VENDORS AND BUSINESS PARTNERS, the rule ends up shaping the security and privacy practices of a much larger set of businesses, and with them the security and privacy of all Americans.

So what is the FTC proposing? Are they radical? No. Are they a silver bullet? No. But what they do is elevate the security and privacy conversation in businesses. Here are some of the proposed changes:

  • Designate ONE QUALIFIED person to be responsible for overseeing the company’s information security program. They use the term Chief Information Security Officer or CISO, but the person does not have to have that title. They do, however, have to be qualified.
  • Base the information security program on a written risk assessment that must include specific criteria for evaluating risk and must describe how the information security program will address the risks identified. These risk assessments must be repeated on a routine basis, according to FTC staff.
  • Provide security awareness training to all personnel, with extra training for people in more sensitive positions such as information security. While this doesn’t sound profound, many companies still do a once a year, boring, after lunch PowerPoint that staff quickly forget, assuming they didn’t sleep through it.
  • Implement encryption of customer information and multi-factor authentication for anyone accessing it. If you can’t do MFA, you must implement compensating controls that are approved by the person in charge of the program.
  • Scale the required controls not by how many employees you have or how many dollars you make, but by how much customer data you have access to.

There was a comment period which ended earlier this month, but it will still take a while before anything becomes mandatory.

If you are part of the regulated industries, these are the things that you should be doing already, but if you are not, now is a good time to start doing these things.

Credit: The law firm of Ballard Spahr