Hello and welcome to another edition of What's Next—hopefully you all had a pleasant holiday weekend. I'm Law.com reporter Ben Hancock in San Francisco, and I'm working to ensure that even after net neutrality goes out the window, at least delivery of this news briefing won't lag!

Feedback? Tips? Ping me at [email protected]. Want to subscribe? This briefing—and others by my Law.com colleagues—are now available. You can check out the offerings and sign up for a free trial subscription here.

|

Watch This Space: Signal and Noise at the FCC

If you're like me, mulling over the Federal Communications Commission's impending repeal of net neutrality didn't exactly alleviate post-turkey indigestion. But putting aside for the moment whether we're witnessing the rise of a new internet hierarchy, the tech-enabled hijacking of the FCC's public comment process has been a disturbing spectacle all its own.

A brief summary: Millions of public comments—both in favor of and against repeal of net neutrality — appear to have been submitted by bots. That wouldn't be all that alarming, perhaps, if these were just anonymous, form comments. But that doesn't seem to be the case. According to New York State Attorney General Eric Schneiderman, at least tens of thousands of people's real names and addresses were taken and used in order to make it look like real people signed off on the submissions.

“That's akin to identity theft,” Schneiderman said in a bluntly worded open letter to FCC Chairman Ajit Pai just before the holiday, “and it happened on a massive scale.” Noting that such behavior violates New York law, the AG said his office has attempted to launch an investigation to try and identify the culprit—only to be stonewalled by the FCC. “[W]e have received no substantive response to our investigative requests. None.”

It gets even more eerie, though. While most people were sitting down to their second helping of stuffing, San Francisco-based data scientist Jeff Kao posted on the website Hacker Noon an analysis of what at first blush look like unique comments in favor of net neutrality — 1.3 million of them, in fact. The result? A whole lot of them appeared to use automated tweaks in natural language to make them look like they were original, grass-roots submissions. “It was like mad-libs, except for astroturf,” Kao wrote.

So what does the FCC have to say about this? The Washington Post quotes an FCC spokesman as dismissing Schneiderman's comments as political posturing and pointing to numbers showing large-scale fakery on the other side of the ledger: 7.5 million form messages from a fake email generator, and 400,000 comments from one address in Russia, all in favor of keeping net neutrality rules in place. Meanwhile, according to The Verge, a senior FCC official says the commission wasn't looking all that closely at regular folks' opinions anyway.

>> Think Ahead: The FCC surely took note of submissions from many well-represented companies. But all the noise casts an air of illegitimacy on the whole thing. Will more of these kind of digital shenanigans make the statutorily required public comment process look like a charade?

On the Radar: 3 Things to Know

1. Larry Klayman's lawsuit against the NSA's bulk collection program is officially over.

● Klayman, a right-wing Washington attorney and former DOJ prosecutor, sued in 2013 to block the NSA's bulk collection of phone records exposed by Edward Snowden – and initially won. After being reversed in 2015, a district judge last week finally ended his pair of lawsuits, Ars Technica reports.

● The suit ultimately fizzled in large part because relevant provisions of the USA Patriot Act expired in 2015. Klayman also couldn't identify a way to get around sovereign immunity to seek monetary damages for individuals affected by the bulk collection.

>> Think Ahead: U.S. District Judge Richard Leon of the District of Columbia wrote he would not be the last judge “who will be required to determine the appropriate balance between our national security and privacy interests during this never-ending war on terror.”

2. A hacker who played a role in the 2014 Yahoo hack is now expected to plead guilty.

● A federal indictment unsealed earlier this year alleged that Karim Baratov, a 22-year-old dual Canadian-Kazakh national, conspired with two Russian operatives and a third Russian hacker who accessed a trove of Yahoo data, The Wall Street Journal reports.

● Baratov is now expected to plead guilty on Tuesday in a hearing before U.S. District Judge Vince Chhabria of the Northern District of California. The plea comes after “extensive negotiations between his lawyers and federal prosecutors,” the WSJ said.

>> Think Ahead: It's not clear whether there is any connection between this Yahoo breach and the hack of Democratic National Committee email accounts last year, which officials believe was coordinated by Russia. But one could imagine prosecutors might get useful intel from Baratov.

3. Europe's data privacy regulators are putting the microscope on Uber this week.

● The chair of a group of European data protection authorities — known as the Article 29 Working Party — said on Thursday that Uber's concealed data breach would be discussed at its meeting on Nov. 28 and 29, Reutersreports.

● The company belatedly disclosed that 57 million drivers and riders globally had their personal information accessed, and reportedly paid hackers off to keep the breach quiet.

>> Data Point: DPAs cannot impose joint sanctions, though they can set up task forces to coordinate national investigations, Reuters notes. When the GDPR comes into effect, they will be able to coordinate more closely and impose steeper fines.

ALSO: On the Calendar – If you live in the Bay Area, Berkeley Law and Blockchain at Berkeley are hosting “How to raise money the right way,” a conference on initial coin offerings featuring speakers from the SEC. Thursday, Nov. 30. Details here.

“[T]he government thinks it should be able to turn each of us into a tracking device ourselves, without any protection of the Fourth Amendment whatsoever.”

— Nathan Wessler, staff attorney at the ACLU Speech, Privacy, and Technology Project, speaking with me on my latest podcast. Wessler will argue before the U.S. Supreme Court on Wednesday in the cell-site location data case Carpenter v. United States.

In Futuro: AI and the eDiscovery Cash Cow

Like other aspects of the tech industry, the eDiscovery business has been changing – moving from on-site servers to the cloud, and trying to adapt to machine learning. That poses challenges to major vendors, and the law firms that have made eDiscovery big business.

My colleague Gina Passarella reports for The American Lawyer on how a small number of firms grew eDiscovery practices in house and raked in business as a result. Firms like Nelson Mullins, Morgan Lewis & Bockius, and Winston & Strawn and have hired dozens of lawyers and built data centers — pitching critical document analysis and security as selling points.

But for those that made the investment, will tech also bring the end of the gravy train? “The next thing that is about to happen is that machine learning is going to become … another disruptor in how e-discovery is handled,” Morgan Lewis e-data practice leader Tess Blair says. Much more of the process will be automated, perhaps requiring smaller groups to handle the work, she adds.

>> In Context: Terms like AI, analytics and machine learning get tossed around a lot. Casetext founder Jake Heller writes a helpful explainer on the differences here.

Dose of Dystopia

As we prepare to watch arguments in Carpenter v. U.S., here's a news item about location data that ought to alarm you: Google has been tracking Android device users' location information, even when they have location services turned off – and even when the device doesn't have a SIM card loaded, Quartz uncovered:

“Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals' locations and their movements that go far beyond a reasonable consumer expectation of privacy.”

Google reportedly confirmed the practice, and said that it was taking steps to end it after being contacted by Quartz. To me, this raises a lot of legal questions. Even assuming the third-party doctrine applies in the Carpenter context, what about location data that was gathered when phone users' took steps to disable location-based features? I could imagine civil suits emerging out of this, although the injury hurdle seems like it would be hard to clear.

It's hardly the only example of a large company surveilling users' habits without them really understanding what's going on — and it seems unlikely to be the last.

That's all for now — Stay tuned for What's Next!

Hello and welcome to another edition of What's Next—hopefully you all had a pleasant holiday weekend. I'm Law.com reporter Ben Hancock in San Francisco, and I'm working to ensure that even after net neutrality goes out the window, at least delivery of this news briefing won't lag!

Feedback? Tips? Ping me at [email protected]. Want to subscribe? This briefing—and others by my Law.com colleagues—are now available. You can check out the offerings and sign up for a free trial subscription here.

|

Watch This Space: Signal and Noise at the FCC

If you're like me, mulling over the Federal Communications Commission's impending repeal of net neutrality didn't exactly alleviate post-turkey indigestion. But putting aside for the moment whether we're witnessing the rise of a new internet hierarchy, the tech-enabled hijacking of the FCC's public comment process has been a disturbing spectacle all its own.

A brief summary: Millions of public comments—both in favor of and against repeal of net neutrality — appear to have been submitted by bots. That wouldn't be all that alarming, perhaps, if these were just anonymous, form comments. But that doesn't seem to be the case. According to New York State Attorney General Eric Schneiderman, at least tens of thousands of people's real names and addresses were taken and used in order to make it look like real people signed off on the submissions.

“That's akin to identity theft,” Schneiderman said in a bluntly worded open letter to FCC Chairman Ajit Pai just before the holiday, “and it happened on a massive scale.” Noting that such behavior violates New York law, the AG said his office has attempted to launch an investigation to try and identify the culprit—only to be stonewalled by the FCC. “[W]e have received no substantive response to our investigative requests. None.”

It gets even more eerie, though. While most people were sitting down to their second helping of stuffing, San Francisco-based data scientist Jeff Kao posted on the website Hacker Noon an analysis of what at first blush look like unique comments in favor of net neutrality — 1.3 million of them, in fact. The result? A whole lot of them appeared to use automated tweaks in natural language to make them look like they were original, grass-roots submissions. “It was like mad-libs, except for astroturf,” Kao wrote.

So what does the FCC have to say about this? The Washington Post quotes an FCC spokesman as dismissing Schneiderman's comments as political posturing and pointing to numbers showing large-scale fakery on the other side of the ledger: 7.5 million form messages from a fake email generator, and 400,000 comments from one address in Russia, all in favor of keeping net neutrality rules in place. Meanwhile, according to The Verge, a senior FCC official says the commission wasn't looking all that closely at regular folks' opinions anyway.

>> Think Ahead: The FCC surely took note of submissions from many well-represented companies. But all the noise casts an air of illegitimacy on the whole thing. Will more of these kind of digital shenanigans make the statutorily required public comment process look like a charade?

On the Radar: 3 Things to Know

1. Larry Klayman's lawsuit against the NSA's bulk collection program is officially over.

● Klayman, a right-wing Washington attorney and former DOJ prosecutor, sued in 2013 to block the NSA's bulk collection of phone records exposed by Edward Snowden – and initially won. After being reversed in 2015, a district judge last week finally ended his pair of lawsuits, Ars Technica reports.

● The suit ultimately fizzled in large part because relevant provisions of the USA Patriot Act expired in 2015. Klayman also couldn't identify a way to get around sovereign immunity to seek monetary damages for individuals affected by the bulk collection.

>> Think Ahead: U.S. District Judge Richard Leon of the District of Columbia wrote he would not be the last judge “who will be required to determine the appropriate balance between our national security and privacy interests during this never-ending war on terror.”

2. A hacker who played a role in the 2014 Yahoo hack is now expected to plead guilty.

● A federal indictment unsealed earlier this year alleged that Karim Baratov, a 22-year-old dual Canadian-Kazakh national, conspired with two Russian operatives and a third Russian hacker who accessed a trove of Yahoo data, The Wall Street Journal reports.

● Baratov is now expected to plead guilty on Tuesday in a hearing before U.S. District Judge Vince Chhabria of the Northern District of California. The plea comes after “extensive negotiations between his lawyers and federal prosecutors,” the WSJ said.

>> Think Ahead: It's not clear whether there is any connection between this Yahoo breach and the hack of Democratic National Committee email accounts last year, which officials believe was coordinated by Russia. But one could imagine prosecutors might get useful intel from Baratov.

3. Europe's data privacy regulators are putting the microscope on Uber this week.

● The chair of a group of European data protection authorities — known as the Article 29 Working Party — said on Thursday that Uber's concealed data breach would be discussed at its meeting on Nov. 28 and 29, Reutersreports.

● The company belatedly disclosed that 57 million drivers and riders globally had their personal information accessed, and reportedly paid hackers off to keep the breach quiet.

>> Data Point: DPAs cannot impose joint sanctions, though they can set up task forces to coordinate national investigations, Reuters notes. When the GDPR comes into effect, they will be able to coordinate more closely and impose steeper fines.

ALSO: On the Calendar – If you live in the Bay Area, Berkeley Law and Blockchain at Berkeley are hosting “How to raise money the right way,” a conference on initial coin offerings featuring speakers from the SEC. Thursday, Nov. 30. Details here.

“[T]he government thinks it should be able to turn each of us into a tracking device ourselves, without any protection of the Fourth Amendment whatsoever.”

— Nathan Wessler, staff attorney at the ACLU Speech, Privacy, and Technology Project, speaking with me on my latest podcast. Wessler will argue before the U.S. Supreme Court on Wednesday in the cell-site location data case Carpenter v. United States.

In Futuro: AI and the eDiscovery Cash Cow

Like other aspects of the tech industry, the eDiscovery business has been changing – moving from on-site servers to the cloud, and trying to adapt to machine learning. That poses challenges to major vendors, and the law firms that have made eDiscovery big business.

My colleague Gina Passarella reports for The American Lawyer on how a small number of firms grew eDiscovery practices in house and raked in business as a result. Firms like Nelson Mullins, Morgan Lewis & Bockius, and Winston & Strawn and have hired dozens of lawyers and built data centers — pitching critical document analysis and security as selling points.

But for those that made the investment, will tech also bring the end of the gravy train? “The next thing that is about to happen is that machine learning is going to become … another disruptor in how e-discovery is handled,” Morgan Lewis e-data practice leader Tess Blair says. Much more of the process will be automated, perhaps requiring smaller groups to handle the work, she adds.

>> In Context: Terms like AI, analytics and machine learning get tossed around a lot. Casetext founder Jake Heller writes a helpful explainer on the differences here.

Dose of Dystopia

As we prepare to watch arguments in Carpenter v. U.S., here's a news item about location data that ought to alarm you: Google has been tracking Android device users' location information, even when they have location services turned off – and even when the device doesn't have a SIM card loaded, Quartz uncovered:

“Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals' locations and their movements that go far beyond a reasonable consumer expectation of privacy.”

Google reportedly confirmed the practice, and said that it was taking steps to end it after being contacted by Quartz. To me, this raises a lot of legal questions. Even assuming the third-party doctrine applies in the Carpenter context, what about location data that was gathered when phone users' took steps to disable location-based features? I could imagine civil suits emerging out of this, although the injury hurdle seems like it would be hard to clear.

It's hardly the only example of a large company surveilling users' habits without them really understanding what's going on — and it seems unlikely to be the last.

That's all for now — Stay tuned for What's Next!