The first exclusively online law review.

Month: October 2022

A Comment on the Potential Utilization of Blockchain Technology for Criminal Record Databases

By Peter Leasure, J.D., Ph.D.*

 

 

Several authors, including the National Center for State Courts, have proposed blockchain-based criminal record databases or discussed their potential benefits.[1][2] These authors generally point to several benefits of blockchain-based criminal record databases, including decentralization and immutability.[3] Generally speaking, decentralization means that data is stored on multiple interconnected nodes and that a failure or breach of a single node (or even perhaps multiple nodes) will not compromise the data. Immutability (often referred to as the append-only feature) means that once data is on a specific block of a blockchain, it cannot be reversed, changed, or deleted. The focus of this piece is on immutability.

While true immutability may seem like an attractive feature of a blockchain-based criminal record database, many jurisdictions within the U.S. have laws that allow for the sealing or expungement of one’s criminal history.[4] Sealing generally means that the record is ordered to be hidden from public view and expungement generally means that the record is ordered to be destroyed. With true immutability, records on a blockchain could not be removed from public view or destroyed. A new block could certainly be added to the blockchain noting that the previous record is no longer valid; however, this approach defeats the overall purpose of record sealing and expungement. Therefore, because of sealing and expungement laws, a truly immutable blockchain-based criminal record database may not be the best approach.

Relatedly, while some have stated that issues of manual data entry and quality control could be alleviated using blockchain technology (largely because there would be a single immutable database for all criminal justice partners to amend),[5] it is difficult to imagine how blockchain technology could meaningfully reduce data entry errors or reduce the need for quality control in practice. Each occurrence of arrest, court processing, and potential post-sentence processing would still need to be manually entered by criminal justice personnel (it is difficult to imagine an error-proof artificial intelligence mechanism), and manual entry is always subject to error and in need of quality control and additional alterations. Here again, the need for a mutable blockchain-based criminal record database is reinforced.

Interestingly, some have recognized the issues of immutability noted above and have presented or discussed methods to erase or delete information contained in blockchains.[6] Nonetheless, any alterations to previous blocks would still need consensus from participants in the network,[7] and consensus could be more difficult on a public blockchain.[8] Given these points, a hybrid, private, or consortium blockchain may be best suited for a blockchain-based criminal record database. In summary, while blockchain technology does present some interesting features, jurisdictions should thoroughly examine the potential costs, benefits, and practical impacts of implementing a blockchain-based criminal record database and weigh those factors against the features of other types of databases.

 

 

 

 

* Peter Leasure is a Senior Research Associate at the Drug Enforcement and Policy Center, Moritz College of Law, The Ohio State University.

[1] Maisha Afrida Tasnim et al., CRAB: Blockchain Based Criminal Record Management System, in Security, Privacy, and Anonymity in Computation, Communication, and Storage 294, 294-303 (Guojun Wang, Jinjun Chen, & Laurence T. Yang eds., 2018); Aditya Vijaykumar Singh et al., A Criminal Record Keeper System using Blockchain, in 2022 6th International Conference on Trends in Electronics and Informatics (ICOEI) 840 (2022); Aastha Jain et al., Blockchain-Based Criminal Record Database Management, 2021 Asian Conference on Innovation in Technology, 1-5 (ASIANCON) (2021); Alejandro Tomás Dini et al., Analysis of implementing blockchain technology to the argentinian criminal records information system, in 2018 Congreso Argentino de Ciencias de la Informática y Desarrollos de Investigación, 1-3 (CACIDI) (2018); Merritt Francis, Blockchain as Best Practice: The Benefits of the Criminal Justice System Implementing Blockchain Technology, Richmond Journal of Law and Technology (2022), https://jolt.richmond.edu/2022/01/06/blockchain-as-best-practice-the-benefits-of-the-criminal-justice-system-implementing-blockchain-technology (last visited Oct 13, 2022); Paul Embley, When Might Blockchain Appear in Your Court?, Trends in State Court, 28-34, (2018).

[2] It is important to point out that some mistakenly identify Satoshi Nakamoto (the name used by the person or group of people that published the Bitcoin whitepaper) and Bitcoin as the origin of blockchain technology (see Francis, 2022 noted above). However, papers discussing what would later be termed blockchain technology were published much earlier; See Stuart Haber & W. Scott Stornetta, How to Time-Stamp a Digital Document, in Advances in Cryptology, 437-455 (Alfred J. Menezes & Scott A. Vanstone eds., 1991); Dave Bayer, Stuart Haber & W. Scott Stornetta, Improving the Efficiency and Reliability of Digital Time-Stamping, in Sequences II 329 (Renato Capocelli, Alfredo De Santis, & Ugo Vaccaro eds., 1993), http://link.springer.com/10.1007/978-1-4613-9323-8_24 (last visited Oct 13, 2022).

[3] Praveen Jayachandran, The difference between public and private blockchain, IBM Supply Chain and Blockchain Blog (2017), https://www.ibm.com/blogs/blockchain/2017/05/the-difference-between-public-and-private-blockchain/ (last visited Oct 13, 2022) (It is important to note that immutability is a feature of both public and private blockchains. With a public blockchain, anyone is allowed to participate in the network. With a private blockchain, only invited entities are allowed to participate in the network. Participation can mean many things, but generally means validating the authenticity of blocks to be added to the blockchain. There can also be hybrid blockchains (a mix of public and private) and consortium blockchains (private but multiple organizations participate)); See Omar Dib et al., Consortium Blockchains: Overview, Applications and Challenges, International Journal On Advances in Telecommunications, 51-64, (2018); Henry M. Kim et al., Permissionless and Permissioned, Technology-Focused and Business Needs-Driven: Understanding the Hybrid Opportunity in Blockchain Through a Case Study of Insolar, 69 IEEE Transactions on Engineering Management 776 (2022).

[4] Eviction Record Expungement Can Remove Barriers to Stable Housing, Center for American Progress, https://www.americanprogress.org/article/eviction-record-expungement-can-remove-barriers-stable-housing (last visited Oct 13, 2022) (Noting that some jurisdictions allow or may allow for sealing or expungements of civil actions such as evictions).

[5] Merritt Francis, Blockchain as Best Practice: The Benefits of the Criminal Justice System Implementing Blockchain Technology, Richmond Journal of Law and Technology (2022), https://jolt.richmond.edu/2022/01/06/blockchain-as-best-practice-the-benefits-of-the-criminal-justice-system-implementing-blockchain-technology (last visited Oct 13, 2022).

[6] Martin Florian et al., Erasing Data from Blockchain Nodes, in 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) 367 (2019); Peter Hillmann et al., Selective Deletion in a Blockchain, arXiv e-prints (2021), https://ui.adsabs.harvard.edu/abs/2021arXiv210105495H (last visited Oct 13, 2022); Eugenia Politou et al., Blockchain Mutability: Challenges and Proposed Solutions, 9 IEEE Transactions on Emerging Topics in Computing 1972 (2021); Arthur Carvalho et al., When good blocks go bad: Managing unwanted blockchain data, 57 International Journal of Information Management 102263 (2021); See Jing Chen & Silvio Micali, Algorand: A secure and efficient distributed ledger, 777 Theoretical Computer Science 155 (2019) (noting that blockchains with a lower probability of forking may have advantages over those with higher probabilities of forking).

[7] Bahareh Lashkari & Petr Musilek, A Comprehensive Review of Blockchain Consensus Mechanisms, 9 IEEE Access 43620 (2021) (discussing various consensus mechanisms).

[8] Martin Florian et al., Erasing Data from Blockchain Nodes 367 (2019), https://www.computer.org/csdl/proceedings-article/euros&pw/2019/302600a367/1cJ7azLFB0A (last visited Oct 13, 2022).

 


Smart Contracts: Smarter than the Law?

By: Haley Magel

 

 

We have smartphones, smart TVs, smartwatches, and now even smart contracts. For those who don’t already know, a smart contract is a self-executing contract with the terms of the contract between buyer and seller being directly written into lines of code.[1]  The code and the contract contained in the code exist across a distributed, decentralized blockchain network.[2]  Blockchain is the technology underlying the cryptocurrency Bitcoin.[3]  Blockchain is open and transparent for all to see, and the record is intended to be permanent and immutable.[4]  Smart contracts permit transactions to be carried out without the need for a central authority, legal system, or external enforcement mechanism.[5]  Because smart contracts are envisioned as potentially limiting the need for external enforcement of legal agreements, they are seen as making business transactions cheaper, quicker, and more efficient.[6]

This all sounds abstract, so let’s turn to an example to help structure the sequence of events.  An insurance company promises farmer Bob, in return for a monthly payment, a lump sum in the event the temperature exceeds 100 degrees for more than five days straight during the term of the agreement.[7]  The insurance company and Bob translate the provisions into software code, making sufficient funds available to fulfill their side of the agreement and digitally sign it.[8]  Bob’s payments would automatically be deducted each month and credited to the insurance company’s account, while the smart contract would also be checking the high temperature on Weather.com each day.[9]  If the temperature exceeded 100 degrees for six days, the lump sum payment from the insurance company would be transferred to Bob’s account, and the smart contract would terminate.[10]

Smart contracts sound like they could be extremely useful in that they are self-enforcing and circumvent the need for judicial enforcement, but there are of course shortfalls to be analyzed.[11]  When there is contractual litigation, courts give great deference to longstanding principles such as good faith efforts, estoppel, or partial performance.[12]  However, those principles will be impossible to apply to an executed smart contract since the content is irreversible.[13]  The content is considered irreversible because the central idea of the smart contract is for parties to receive the predetermined outcome without altering the terms.[14]  Further, business people will rarely want performance and enforcement of contracts to be automatic because circumstances change in unpredictable ways.[15]  In practice, counterparties tend to only resort to the literal language in their contracts after the relationship between the parties has broken down.[16]

While the efficiency possible with smart contracts is attractive, there is still much to be fleshed out with how contract law would apply to smart contracts and whether the two can be reconciled as is or whether new law would be needed to regulate smart contracts.

 

 

 

 

 

[1] Jake Frankenfield, What are Smart Contracts on the Blockchain and How They Work, Investopedia (Mar. 24, 2022), https://www.investopedia.com/terms/s/smart-contracts.asp.

[2] Id.

[3] Id.

[4] Reggie O’Shields, Smart Contracts: Legal Agreements for the Blockchain, 21 N.C. Banking Inst. 177, 180 (2017).

[5] Frankenfield, supra note 1.

[6] O’Shields, supra note 4, at 178.

[7] Kevin Werbach & Nicolas Cornell, Contracts Ex Machina, 67 Duke L.J. 313, 331 (2017).

[8] Id.

[9] Id.

[10] Id.

[11] See generally O’Shields, supra note 4, at 185-93.

[12] Rakhil Kalantarova, The Ongoing Speculation About Smart Contracts: Smart Enough to Replace Third Party Arbitrators, or Is “Smart” Just A Misnomer?, 21 Cardozo J. Conflict Resol. 551, 567 (2020).

[13] Id.

[14] Id.

[15] Francesco Mazzotta, Sense, Sensibility and Smart Contracts: A View from a Contract Lawyer, 49 UCC L.J. 2 (2020).

[16] Id.

 


How Your Data Can Get You Convicted

By Paige Hastings

 

 

With the rise of awareness in data privacy there has been increased trepidation surrounding what personal information companies access and how they use it.[1] While it may seem as though the public disfavors cell phone apps and technology companies tracking locations and capitalizing off user data, the issue may not be so clear cut.[2]

Sensors in phones correlate with data from GPS satellites to create detailed user location information.[3] This information enables the use of maps and other features, but companies can also access the data.[4] Companies engage with consumers based on information received from this data, such as by streamlining relevant advertisements.[5] The government can also request the user data for geofence warrants.[6]

A geofence is a virtual perimeter around a specific physical location.[7] Created with the mapping software in phones, a geofence can detect movement inside its boundary.[8] When the government serves a geofence warrant on a company like Google, it requests information on “all users who were within” the specified area at the specified time.[9] This allows the government, if granted the warrant, to focus on a given location and find an unknown suspect, so long as that person had a phone.[10] Initially, the data received is anonymous, but after narrowing down which users the government believes are relevant to the investigation, it can compel identifying information, including the name and email address associated with the accounts.[11]

An example of a geofence used in practice occurred right here in Richmond, Virginia. In United States v. Chatrie, data received from a geofence warrant allowed the Government to find the defendant and ultimately hold him accountable.[12] Call Federal Credit Union was the site of a bank robbery in May of 2019, and law enforcement was having trouble locating the suspect.[13] Since security footage showed the suspect on his cell phone when he first entered the bank, law enforcement requested a geofence warrant.[14] The warrant granted by the Chesterfield Magistrate drew a geofence with a 150-meter radius surrounding the bank at the time of the robbery.[15] The data received included the information of nineteen users: the suspect and eighteen bystanders.[16] Law enforcement then de-anonymized the device identifications of three users believed to be relevant to the investigation by requesting the information from Google.[17] The specific information allowed the Government to track the locations of the three individuals and ultimately implicated Chatrie.[18] Chatrie was later indicted and found guilty.[19]

Geofence warrants and similar uses of consumer data raise serious concerns for privacy rights. As the Court in Chatrie noted, geofence data endangers the rights granted by the Fourth Amendment’s protection against unreasonable searches and seizures.[20] In Chatrie, the Court determined that the geofence warrant was invalid because it was overly broad and lacked probable cause to search all nineteen individuals found within the geofence.[21] However, the evidence the warrant discovered was allowed because of a good faith exception that protects warrants reasonably believed lawful by law enforcement.[22] This demonstrates that even wrongly employed account and location data can be accessed and utilized.

Notably, the Court did not rule out geofence warrants entirely; it just required them to be more particularized with respect to the users they “search.”[23] Although this could make it more difficult for geofence warrants to be used in the future, they remain a legal tool. Even though the Court found the geofence warrant to be a violation of the defendant’s Fourth Amendment rights, it permitted the evidence and law enforcement’s overall intrusive activity.[24] Future implications of how the government may take advantage of user data remain unclear, but cases such as Chatrie should put consumers on notice that location and account information is available and can be accessed by the government.[25]

 

 

 

[1] See Nina Burleigh, Americans Demanded Freedom From Tracking during Covid, and Then Grabbed Their Phones, nbc news (July 2, 2021, 11:35am), https://www.nbcnews.com/think/opinion/americans-demanded-freedom-tracking-during-covid-then-grabbed-their-phones-ncna1273007.

[2] See also Nathan Wessler, The U.S. Government is Secretly Using Cell Phone Location Data to Track Us. We’re Suing., aclu: news & commentary (Dec. 2, 2020), https://www.aclu.org/news/immigrants-rights/the-u-s-government-is-secretly-using-cell-phone-location-data-to-track-us-were-suing.

[3] David Nield, All the Sensors in Your Smartphone, and How They Work, gizmodo (June 29, 2020, 10:38 AM), https://gizmodo.com/all-the-sensors-in-your-smartphone-and-how-they-work-1797121002.

[4] Privacy & Terms: How Google Uses Location Information, https://policies.google.com/technologies/location-data?hl=en-US (last visited Oct. 3, 2022).

[5] Id.

[6] A. Reed McLeod, Geofence Warrants: Geolocating the Fourth Amendment, 30 William & Mary Bill of Rights J. 531, 532 (2021).

[7] Verizon connect: what is a geofence?, https://www.verizonconnect.com/glossary/what-is-a-geofence/ (last visited Oct. 3, 2022).

[8] Id.

[9] United States v. Chatrie, No. 3:18cr130, 2022 U.S. Dist. LEXIS 38227, at *22 (E.D. Va. Mar. 3, 2022).

[10] Id. at *60.

[11] Id. at *25-30.

[12] Id. at *22, *82-84.

[13] Id. at *31.

[14] Chatrie, 2022 U.S. Dist. LEXIS 38227, at *30.

[15] Id. at *33.

[16] Id. at *37-41.

[17] Id.

[18] Id.

[19] Chatrie, 2022 U.S. Dist. LEXIS 38227, at *82-84.

[20] U.S. Const. amend. IV.

[21] Chatrie, 2022 U.S. Dist. LEXIS 38227, at *54.

[22] Id. at *72-83.

[23] Id. at *83.

[24] Id.

[25] See A. Reed McLeod, supra note 6, at 564-65.


Are Sex Toys Getting Too Intimate? A Look Into Teledildonic Security

By Madison Edenfield

 

 

Since the beginning of Covid in 2020, sex toy sales have skyrocketed.[1] Teledildonics, a category of sex toys that can be used remotely, became particularly popular during lockdown.[2] These remote sex toys are controlled by an app and transmit data through Bluetooth.[3] This digital upgrade has brought sex toys into the 21st century, and with it a host of new problems. Because of their digital design and weak security, teledildonics are susceptible to hacking, which could lead to malicious attacks on users’ intimate data and consent violations.[4]

This article will focus on two issues presented in teledildonics security: protecting data privacy and preventing consent violations. Data privacy will be examined through the Wiretap Act, a federal law that prohibits intercepting electronic communications. [5]  The Wiretap Act was amended in 1986 to “extend data and electronic transmissions the same protection already afforded to oral and wire communications.” [6]  This expansion of the law will be applied to user data collected by remote sex toys.

Consent violations via hacked devices will be examined through the Computer Fraud and Abuse Act (CFAA). The CFAA prohibits knowingly accessing a computer without authorization or consent and appropriating its contents.[7] There are currently no laws that directly deal with teledildonics; however, the CFAA provides a viable framework to examine security and electronic consent violations.

  1. Protecting Data Privacy

The data collected by sex toys is similar to information collected from any other electronic device. This information can include account names, emails, and location.[8] However, teledildonic devices can collect intimate data like chat logs, who is controlling the device, vibration patterns, and the duration of use.[9] While this might not seem like highly volatile information, when this data is combined, it could easily build a profile on that user and put their privacy at risk.[10] Additionally, teledildonics seem to be riddled with security issues.[11] Security issues raise concerns about a user’s identity being leaked, which could ultimately lead to harassment, loss of professional opportunities, and negative emotional impact.[12] Teledildonics is an exciting advancement in sex technology, but how does it change the meaning of consent, privacy, and security?

In 2019, a class action lawsuit was brought against Hytto Ltd., or Lovense, a company that sells Bluetooth-enabled vibrators that are controlled through an app.[13] The plaintiff, S.D., alleged that Lovense illegally harvested data from its users, thus violating the Wiretap Act. [14] The Wiretap Act prohibits “interceptions of electronic communications.” [15] In this case, S.D.’s data, which included their vibration settings, date and time of use, duration of use, and email address, was stored in the Lovense app and reported back to the company. [16]  The Court ruled that intercepting and storing vibration intensity data falls under the Wiretap Act because vibrations are an extended form of communication between the people operating the app. [17] In sum, electronic communication is broadly defined, and just because vibrations are used to communicate does not change the fact that it is still a communication. [18]

Additionally, in 2018, SEC Consult found that Vibratissimo sex toys could also be hacked through a Bluetooth connection.[19] In this instance, however, Vibratissimo had a social network system where users could communicate and stream their videos.[20] This allowed hackers to not only connect to devices, but also access around 50,000 users’ data, which included images, chat logs, sexual orientation, passwords, and more.[21] Additionally, the Vibratissimo devices had weak Bluetooth security, making it easy for an attacker to take control of a device as long as they were in range.[22] This leads to a disturbing question about consent violations and sexual assault regarding remote sex toys.

  2. Preventing Consent Violations

Tech expert Alex Lomas tested whether it was possible to hack and control a Bluetooth-enabled sex toy. [23] In a few minutes, Lomas had located a remote sex toy, hacked into the user’s account, and accessed control over their device.[24] While Lomas didn’t do anything with this access, it is alarming to think that with a few simple clicks, anyone within range could take control of someone’s device without their consent. [25]

According to Shanlon Wu, a former federal sex crimes prosecutor, hacking and controlling someone’s sex toy without their consent signals sexual assault.[26] This aligns with the Department of Justice’s description of sexual assault, which requires sexual contact or behavior that occurs without the explicit consent of the recipient.[27] Some lawyers, like Stewart Baker, reject the idea that hacking into someone’s sex toy is a sex crime because of the virtual component.[28] Instead, Baker contends that a hacker could potentially be held responsible for a cybercrime under the 1986 Computer Fraud and Abuse Act.[29] The CFAA prohibits all purposeful, unauthorized access of a computer and appropriating its contents.[30] As mentioned earlier, the data collected by teledildonic devices is similar to information collected from any other electronic device, like a computer.[31] Remote sex toys could likely be viewed as computers, so taking unauthorized control of a device might fall under the CFAA.[32] So, even though the CFAA does not directly address teledildonics, it could potentially establish a framework for prosecuting consent violations via a remote device.[33]

While there is a lack of precedent for teledildonics, the Wiretap Act and the CFAA provide frameworks that could help protect users’ privacy and prevent consent violations. [34] Luckily, as technology evolves and expands, so will our laws. As Congress stated, “the law must advance with the technology to ensure the continued vitality of the Fourth Amendment. If we do not, we will promote the gradual erosion of this precious right.” [35] It is time to contemplate and question what the future of privacy will look like in the age of teledildonics.

 

 

 

[1] Brit Dawson, Guybrators, Joysticks, and Teledildonics: Inside the Sex Tech Revolution, Dazed (Aug. 16, 2022) https://www.dazeddigital.com/life-culture/article/56765/1/guybrators-joysticks-and-teledildonics-inside-the-sex-tech-revolution-toys

[2] Bobby Box, Breaking Into Your Personal Buzzer Isn’t That Hard to Do, Playboy (Nov. 9, 2017) https://www.playboy.com/read/sex-toys-hacked

[3] Id.

[4] Id.

[5] See 18 U.S.C.S. § 2511(1).

[6] Smart v. Home Depot, Inc., No. 21-CV-00153-JSM-PRL, 2021 U.S. Dist. Ct. LEXIS 15653, at *5 (M.D. Fla. May 20, 2021).

[7] See 18 U.S.C.S. § 1030.

[8] Matt Burgess, Smart Dildos and Vibrators Keep Getting Hacked – But Tor Could Be the Answer to Safer Connected Sex, Wired (Mar. 3, 2018, 8:00 AM) https://www.wired.co.uk/article/sex-toy-bluetooth-hacks-security-fix.

[9] Id.

[10] Id.

[11] Shayna Posses, Lovers May Not Be Alone In Using Sex Toy’s Camera, FTC Told, Law360 (Apr. 26, 2017, 6:14 PM) https://www.law360.com/privacy/articles/917596/lovers-may-not-be-alone-in-using-sex-toy-s-camera-ftc-told.

[12] Id.

[13] S.D. v. Hytto Ltd., No. 18-cv-00688-JSW, 2019 U.S. Dist. LEXIS 229909, at *3 (N.D. Cal. May 14, 2019).

[14] Id. at *4.

[15] Id. at *14.

[16] Id. at *4.

[17] Id. at *18-19.

[18] Id. at *18.

[19] Thomas Brewster, ‘Panty Buster’ Toy Left Private Sex Lives of 50,000 Exposed, Forbes (Feb. 1, 2018, 5:50 AM) https://www.forbes.com/sites/thomasbrewster/2018/02/01/vibratissimo-panty-buster-sex-toy-multiple-vulnerabilities/?sh=7baf97aa5a94.

[20] Id.

[21] Id.

[22] Id.

[23] Alex Lomas, Screwdriving: Locating and Exploiting Smart Adult Toys, Pen Test Partners (Sep. 29, 2017) https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/.

[24] Id.

[25] Id.

[26] See Claire Lampen, If Your Vibrator is Hacked, Is It a Sex Crime?, Gizmodo (Oct. 31, 2017, 2:22 PM) https://gizmodo.com/if-your-vibrator-is-hacked-is-it-a-sex-crime-1820007951.

[27] See Office on Violence Against Women, Sexual Assault, Department of Justice (last visited Sep. 30, 2022) https://www.justice.gov/ovw/sexual-assault.

[28] Lampen, supra note 26.

[29] Id.

[30] 18 U.S.C.S. § 1030.

[31] Burgess, supra note 8.

[32] See Lampen, supra note 26.

[33] Id.

[34] Id.

[35] Smart v. Home Depot, Inc., No. 21-CV-00153-JSM-PRL, 2021 U.S. Dist. Ct. LEXIS 15653, at *6 (M.D. Fla. May 20, 2021).

 


The State of Unmanned Warfare

By Karl Canby

 

On the second day of August 2022, President Joseph R. Biden ordered the killing of Ayman al-Zawahiri in the Afghan capital city of Kabul.[1] Zawahiri, an Egyptian national, had sat atop the Federal Bureau of Investigation’s list of most wanted terrorists for his role in the murder of almost 3,000 people in New York City on September 11, 2001.[2] He had been Osama bin Laden’s deputy and eventual successor as the leader of the al-Qaida terrorist organization.[3] However, unlike his predecessor, Zawahiri’s death was not the result of a night insertion by United States Special Forces personnel.[4] Instead, Zawahiri was eliminated with surgical precision by two AGM-114 Hellfire missiles fired from a General Atomics MQ-9 Reaper drone.[5] His death not only culminated 20 years of US military operations against global terror but also signified the result of two decades of policy change intended to revolutionize the future of warfare carried out by Unmanned Aerial Vehicles (“UAV”).

Increased military drone strikes have fundamentally challenged the international rule of law.[6] Their ambiguous legal nature has increasingly damaged the lines of what violence is acceptable from a state-to-state legal perspective.[7] Nations keen on riding this new wave of global confusion have subtly shifted their domestic policy to reflect their desire to utilize this gap in the commonly understood rules of war.[8] Where a Head of State may have had no choice but to react to violence in the past, they now have the option to qualify or challenge the legality of a drone strike on the global stage.

Look no further than the assassination of Iranian Major General Qassem Soleimani in Baghdad, Iraq, on January 2, 2020.[9] In a move heavily questioned by the international community, US President Donald J. Trump ordered Soleimani’s death through the use of a drone strike.[10] What makes this act so complex from an international legal perspective is the number of entities that it affected. Soleimani was an Iranian General visiting the sovereign nation of Iraq and was killed by a drone strike from a country that was not at war with either. Before the advent of the UAV, the physical nature required to commit such an assassination would have clearly violated the international rule of law. Both Iran and Iraq would have had a strong legal foundation to retaliate against the United States.[11] Instead, the legal ambiguity of the drone strike gave the United States a way to circumvent accountability while simultaneously preventing Iran and Iraq from seeking legal recourse.[12]

Most recently, the Russian invasion of Ukraine has once again called into question the legal trajectory of the use of drones in combat.[13] Heavy usage by both sides has highlighted the effects that unmanned vehicles have on the battlefield.[14] A particularly alarming issue is the modification and deployment of commercial drones in Ukraine.[15] These products are easily purchased through traditional vendors, which calls into question how insurgents and terrorist groups could use them in the future. As this conflict continues, nations across the globe must ask themselves the difficult question of how they will prepare for the inevitable increase in UAV use in conflicts moving forward. The complicated and intricate international legal system will need to prepare for this increasingly dangerous threat to world peace.

 

 

 

[1] Jim Garamone, U.S. Drone Strike Kills al-Qaida Leader in Kabul, U.S. Department of Defense (Aug. 2, 2022), https://www.defense.gov/News/News-Stories/Article/Article/3114362/us-drone-strike-kills-al-qaida-leader-in-kabul/

[2] Id.

[3] Id.

[4] See generally Kris Osborn & Ho Lin, The Operation that Took Out Osama Bin Laden, Military.com (2022), https://www.military.com/history/osama-bin-laden-operation-neptune-spear (an in-depth explanation of the military operation that resulted in the death of Osama Bin Laden).

[5] Garamone, supra note 1.

[6] Rosa Brooks, Drones and the International Rule of Law, 28 Ethics & Int’l Aff. 83 (2014).

[7] Id.

[8] See generally American Security Drone Act of 2021, S.73, 117th Cong. (1st Sess. 2021) (An example of United States legislation moving in favor of UAVs).

[9] Michael Crowley et al., U.S. Strike in Iraq Kills Qassim Suleimani, Commander of Iranian Forces, The New York Times (Jan. 2, 2020), https://www.nytimes.com/2020/01/02/world/middleeast/qassem-soleimani-iraq-iran-attack.html.

[10] Id.

[11] See generally Michael N. Schmitt, Assassination in the Law of War, Lieber Institute (Oct. 15, 2021), https://lieber.westpoint.edu/assassination-law-of-war/ (an overview of the legality of assassinations carried out by the military).

[12] Id.

[13] Elias Yousif, Drone Warfare in Ukraine: Understanding the Landscape, Stimson (June 30, 2022) https://www.stimson.org/2022/drone-warfare-in-ukraine-understanding-the-landscape/.

[14] Id.

[15] Ukraine Conflict: How are drones being used? BBC (Aug. 2022) https://www.bbc.com/news/world-62225830.

 

 

Image Source: https://www.goodfreephotos.com/weapons/aircraft/heron-1-drone-UAV.jpg.php

Online Gambling: Interstate or Intrastate Commerce

By Michael Alley

 

On May 14, 2018, the gambling world changed forever. On this date, the United States Supreme Court decided the landmark case Murphy v. National Collegiate Athletic Association.[1] This decision limited the federal government’s ability to regulate gambling that occurs in the states.[2]  In this case, New Jersey, along with Governor Phil Murphy, successfully challenged the constitutionality of the Professional and Amateur Sports Protection Act (PASPA), which prohibited states from allowing sports gambling.[3] The court found that PASPA violated the anti-commandeering doctrine because the federal government is explicitly directing states on the laws they may or may not pass.[4] Furthermore, it violates state sovereignty, and Congress must allow the states to regulate gambling as an intrastate activity.[5]

The impact of this decision has been felt immediately. Currently, roughly 30 states have some online gambling, with nearly 20 states allowing an online option.[6] Some states restrict it to tribal grounds while others allow it statewide.  In some states, such as Florida, battles rage between lawmakers and Native American tribal leaders on the effect of online gambling, where the Tribe will undoubtedly lose tourism and gambling dollars if more competition is introduced.[7]

The competition is fierce, with New York set to bring in the most revenue.[8] New York has a tax rate of 51% and is set to collect just shy of $250 million in revenue for 2022.[9] However, online gambling is a unique issue. Due to evolving technological advances, people have attempted to gamble through Virtual Private Networks (VPNs).[10] VPNs will hide a user’s IP address and location, tricking a gambling platform into thinking the person is in a permitted geographical area to gamble when they are not.[11] It can allow a person in a state where sports gambling is illegal to place a bet as if they are in another state where sports gambling is permitted.[12] Although gambling platforms have done a good job of blocking the popular VPN networks,[13] as the technology advances, there is no guarantee that the success will continue.

Furthermore, people are more interconnected with people in other areas of the country. Although the Fifth Circuit Court of Appeals held that the WIRE Act applied to sports gambling,[14] people in states where sports gambling is outlawed can gamble through proxies in states where sports gambling is legal.[15] This blurs the line of whether online gambling can be limited to just intrastate commerce. It raises the question of whether Congress could try to act again in the future to curb sports gambling. States where gambling is illegal still have a populace that engages in the practice yet are not gaining any benefits such as an increase in tax revenue or jobs.

Gambling companies such as DraftKings and FanDuel have achieved massive success and must focus on this issue. If they don’t limit gambling across state lines, it opens these companies to the mercy of federal government regulation. Congress may renew an argument that online gambling in its current form must be interstate commerce and can be regulated federally, either by the WIRE Act or other means.

 

 

[1] Murphy v. National Collegiate Athletic Ass’n., 138 S.Ct. 1461 (Westlaw 2018).

[2] Id. at 1485.

[3] Id.

[4] Id. at 1481.

[5] Murphy v. National Collegiate Athletic Ass’n., 138 S.Ct. 1461, 1478.

[6] Sam McQuillan, Where is Sports Betting Legal? Projections for all 50 states, Action Network (Sept. 14, 2022, 9:08 AM), https://www.actionnetwork.com/news/legal-sports-betting-united-states-projections.

[7] See Daniel Wallach, Feds, Seminole Tribe Invoke IGRA ‘Jurisdiction—Shifting’ In Bid To Revive Online Sports Betting in Florida, Forbes (Sept. 29, 2022, 4:16 PM), https://www.forbes.com/sites/danielwallach/2022/09/29/feds-seminole-tribe-invoke-igra-jurisdiction-shifting-in-bid-to-revive-online-sports-betting-in-florida/?sh=4090c002c2a6

[8] Justin Byers, New York’s Sports Betting Tax Revenue Hits Record High, Front Office Sports, (July 11, 2022, 5:14 AM), https://frontofficesports.com/new-yorks-sports-betting-tax-revenue-hits-record-high/.

[9] Id.

[10] See Robert A. Cronkleton, How many Missourians tried to gamble in Kansas on first day of legal sports betting?, The Kansas City Star, (Sept. 2, 2022, 12:49 PM), https://www.kansascity.com/news/local/article265242136.html (explaining how Kansas blocked 16,000 attempts by gamblers who were illegally trying to gamble from Missouri).

[11] Dalvin Brown, When to Use a VPN–and When It Won’t Protect Your Data, The Wall Street Journal, (Sept. 6, 2022, 10:00 AM), https://www.wsj.com/articles/vpn-data-protection-privacy-tips-11662155750 (explaining how VPNs can mask location).

[12] See id.

[13] See Cronkleton, supra note 10.

[14] Aalok Sharma, The First Circuit Rules that the Wire Act Applies to Sports Betting Only, JDSUPRA (May 6, 2021), https://www.jdsupra.com/legalnews/the-first-circuit-rules-that-the-wire-9621258/ (explaining how the First Circuit Court of Appeals found that the WIRE Act prohibited interstate sports gambling).

[15] See id.

Image Source: https://depositphotos.com/stock-photos/online-sports-betting.html

How Exterritorial Application of U.S. Securities Law Should Take Foreign Personal Privacy Information into Account

By Yanrong Zeng

 

In 2020, Congress passed the Holding Foreign Companies Accountable Act (“HFCAA”) and required foreign governments to provide U.S. regulators with full access to the audit working papers to examine the financial integrity of foreign companies listed in the U.S. stock exchanges.[1] Otherwise, the HFCAA will delist these companies after three years. Audit working papers are broadly defined as first-hand information that provides all the factual basis for a company’s financial statements.[2] When the U.S. regulator expanded its extraterritorial oversight over foreign audit firms and companies,[3] the ambiguous definition of audit working papers opened the door to foreign governments’ concerns about information confidentiality, such as the position taken by Japan in 2003.[4]

The international framework requires overseas regulators to comply with the domestic laws before directly investigating or requesting auditing material.[5] The European Union chooses the principle of “full trust” to identify the audit supervision system of 10 countries (including China) as equivalent to the E.U.’s audit supervision system and fully trusts the audit supervision results of foreign regulators.[6] In contrast, the United States is the first one to break through the traditional regulatory jurisdiction based on national borders and expand its regulatory capabilities in accordance with the principle of “long-arm jurisdiction.”[7]

China allows accounting firms to provide audit working papers to foreign regulators after redacting sensitive information during the cybersecurity screening and using appropriate regulatory cooperation channels.[8] Both methods are in line with common international practices.[9] On the other hand, U.S. regulators protect the interests of U.S. investors by requiring direct inspection and full disclosure of audit working papers. The U.S. regulator is concerned that Chinese auditing firms would remove harmful information in the original audit working papers.[10] Against the backdrop of the U.S.-China trade war and economic decoupling, some market watchers[11] and academics[12] in both the U.S. and China view the HFCAA as an ultimatum to the decade-long bilateral negotiation. An American scholar pointed out that the HFCAA “weaponized access to the U.S. capital market to punish the Chinese firms.”[13]

However, the fundamental disagreement over redaction is caused by the two countries’ different definitions of “national security information.” The Director of International Affairs at the U.S. Securities and Exchange Commission (“SEC”) recently stated, “Sensitive information pertaining to national security—and by that, I mean the ability for the state to cater to the protection and defense of its citizenry—should not be in the auditor’s files.”[14] In comparison, the Chinese definition includes a wide range of sensitive information relating to cybersecurity, data security, and protection of personal information.[15] Chinese regulators attach great importance to commercially sensitive information because most Chinese companies listed in the United States are pan-Internet companies focusing on online games and searches, education and chain operations, new energy, medicine, and high-end manufacturing.[16]

These pan-Internet companies have been adversely affected by Chinese law requiring cybersecurity review. “Security-related information” includes personal privacy information from (1) online platforms with more than 1 million users,[17] and (2) “critical information infrastructure” in the areas of public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and defense technology.[18]

The new cybersecurity law was enacted in response to the July 2021 information breach caused by Chinese ride-hailing company Didi Global. Didi surged into the U.S. stock market with a nearly $70 billion pre-IPO valuation but chose not to hold any bell-ringing ceremony or official press release.[19] With 15 million active drivers and 156 million monthly active users globally, Didi is naturally closely regulated because of its scale.[20] Didi has demonstrated predictive capabilities based on big data and artificial intelligence. In 2015, the Chinese government and Didi jointly released a statistical report that counted the workload of each governmental agency over a certain period and the addresses of everyone working in that department.[21]

[1]  See Holding Foreign Companies Accountable Act, Pub. L. No. 116-222, 134 Stat. 1063.

[2]  AU Section 339: a Working Papers, Pub. Co. Acct. Oversight Bd., https://pcaobus.org/oversight/standards/archived-standards/details/AU339A.

[3]  International, Pub. Co. Acct. Oversight Bd., https://pcaobus.org/oversight/international.

[4]  The Japanese Inst. of Certified Pub. Acct., Re: Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules Relating to Registration System (File No. PCAOB-2003-03) (June 27, 2003), https://www.sec.gov/rules/pcaob/pcaob200303/jicpa062703.htm (“It is commonly understood that the Japanese law does not directly extend to include the laws and judicial proceedings of foreign countries, and accordingly, compliance of a foreign country’s law such as the Sarbanes-Oxley Act or the PCAOB requirements, would not constitute a ‘justifiable reason’”).

[5]  Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information, IOSCO (May 2012), § 7(c) (“Assistance will not be denied based on the fact that the type of conduct under investigation would not be a violation of the Laws and Regulations of the Requested Authority”).

[6]  Commission Decision of 19 January 2011 on the Equivalence of Certain Third Country Public Oversight, Quality Assurance, Investigation and Penalty Systems for Auditors and Audit Entities and a Transitional Period for Audit Activities of Certain Third Country Auditors and Audit Entities in the European Union. Official Journal of the European Union.

[7] Since the PCAOB was established in the same year as Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information.

[8] See Zhonghua Renmin Gongheguo Zhengquan Fa [Securities Law of the People’s Republic of China] § 177 (rev’d Dec. 28, 2019, effective Mar. 1, 2020), http://www.gov.cn/xinwen/2019-12/29/content_5464866.htm, (“Without the consent of the securities regulatory authority of the State Council and the relevant competent departments of the State Council, no entity or individual may provide documents and materials related to securities business activities to overseas countries without authorization”).

[9] Id.

[10] See id.

[11]  See Gangku Kejigu Baodie Beihou Fasheng le Shenme? Honghao: Qingxuehua Paoshou, Meigu Shenzhi Keneng Yaozhan [What Happened Behind the Plunge in Hong Kong Technology Stocks? Hong Hao: U.S. Stocks May Even Halve after Emotional Selling], Phoenix News, Mar. 14, 2022, https://finance.ifeng.com/c/8ENa6F54mTo. Hereinafter Honghao.

[12]  See Connie Friesen, Re-Thinking US Policy on Engagement with Chinese Financial Institutions (May 2022) (M.A. dissertation, Harvard University), https://nrs.harvard.edu/URN-3:HUL.INSTREPOS:37371771.

[13] Venkat Gundumella et al., Great Power Competition and Chinese Assertiveness in the Covid World Order, SSRN, Apr. 9, 2021, at 10, https://ssrn.com/abstract=3822102 or http://dx.doi.org/10.2139/ssrn.3822102.

[14] YJ Fischer, Director, Office of Int’l Affs., Sec. and Exch. Comm’n, Resolving the Lack of Audit Transparency in China and Hong Kong: Remarks at the International Council of Securities Associations (ICSA) Annual General Meeting (May 24, 2022), https://www.sec.gov/news/speech/fischer-remarks-international-council-securities-associations-052422.

[15] Wangluo Anquan Shencha Banfa [Network Security Review Measures] § 7 (promulgated by Cyberspace Administration of China et al., Dec. 28, 2021, effective Feb. 15, 2022), http://www.gov.cn/zhengce/zhengceku/2022-01/04/content_5666430.htm.

[16] Id.

[17] Wangluo Anquan Shencha Banfa [Network Security Review Measures], supra note 50.

[18] Guanjian Xinxi Jichu Sheshi Anquan Baohu Tiaoli [Critical Information Infrastructure Security Protection Regulations] § 2 (promulgated by St. Council, July 30, 2021, effective Sept. 1, 2021), http://www.gov.cn/zhengce/content/2021-08/17/content_5631671.htm.

[19] Xiao Wenjie & Wang Shanshan, Gongsi Yanbao: Didi de Zhen Wenti [Company Research Report: The Real Problem of Didi], YiMagazine, Oct. 13, 2021. https://www.yicai.com/news/101196927.html.

[20] Id.

[21] Dashuju Jiemi: Gaowentian Buwei Jiaban Dabiping [Big Data Revealed: Ministries and Commissions Work Overtime in High Temperature Days], Xinhua Net, July 18, 2015, http://www.xinhuanet.com/politics/2015-07/18/c_1115967447.htm.

Image Source: https://www.bloomberg.com/news/articles/2022-05-06/markets-are-weaker-than-u-s-economy-bridgewater-s-prince-says

Electronic Health Records: Federal Guidelines for Managing Cybersecurity Risks

By Jessica Otiono

 

Electronic Health Records (EHR) utilize modern technology that allows for electronic entry, storage, and maintenance of digital patient data.[1] This data includes patient records from doctors such as demographics, test results, medical history, history of present illness, and past and current medications.[2] In the past two decades, the utilization of information technology in the delivery and management of healthcare, which resulted in the adoption of EHRs, has provided an efficient way of sharing healthcare records between healthcare professionals and patients who enjoy easy access to their records.[3]

However, this ease of access is met with cybersecurity threats and data privacy challenges.[4] The sensitive, patient-care-centered nature of EHRs makes them susceptible to cyber-attacks.[5] This is because they contain Personal Health Information (PHI), which cyber attackers sell for profit on the dark web.[6] Cyberattacks on EHRs occur in diverse ways. Some of these cyberattacks include:

1. Phishing – Phishing attacks are the most rampant cybersecurity threats in healthcare. It is the practice of infecting a seemingly harmless email with malicious links.[7] The usual form of phishing attack is email phishing.[8]
2. Malware/Ransomware – This type of malware disables access to computer systems and files until a ransom has been paid.[9] Ransomware may infect a computer system through a phishing email containing a malicious link.[10]
3. Distributed Denial of Service (DDOS) – DDOS floods a website or computer network with internet traffic to overwhelm it and impair its performance and availability.[11] Cybercriminals employ bots to submit an excessive number of requests.[12] DDOS used together with ransomware is one of the most destructive cybersecurity attack combinations.[13]

In dealing with cybersecurity threats to EHRs, federal compliance laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act were enacted to protect the privacy and data security of Personal Health Information (PHI) that is stored electronically.[14] In addition, the HIPAA Privacy Rule establishes “national standards to protect individuals’ medical records and other individually identifiable health information….”[15]

The HIPAA Security Rule also establishes appropriate safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.[16] The Security Rule provides administrative, physical, and technical safeguards for managing healthcare data privacy.[17]  Some of these safeguards include: i.) establishing a security management process in which the covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations;[18] ii.) appointing a designated security official who is responsible for the development and implementation of policies and procedures mandated by the Security Rule;[19] iii.) implementing policies and procedures to address security incidents when they occur;[20] iv.) creating policies and procedures for responding to an emergency that damages computer systems containing EHRs;[21] v.) establishing safeguards for workstation security;[22] vi.) implementing audit controls for information systems;[23] and vii.) implementing measures to protect against unauthorized access to electronic personal health information transmitted over an electronic communications network.[24]

In addition, the HITECH Act establishes the Breach Notification Rule. This rule requires health care providers as well as other covered entities under HIPAA to promptly notify (within 60 calendar days from the day the breach is discovered) individuals of a data breach, as well as the Secretary of the U.S. Department of Health and Human Services (HHS) and the media in cases where the breach affects more than 500 individuals.[25] Breaches of fewer than 500 individuals must be reported to the Secretary of the HHS on an annual basis, no later than 60 calendar days from the end of the year.[26] As healthcare delivery technology continues to evolve, cyber-attacks on EHRs continue to happen. It is therefore imperative that healthcare providers and other key players implement policies that align cybersecurity and patient safety initiatives. These measures will protect patient safety and privacy while ensuring continuity in the delivery of high-quality healthcare by mitigating disruptions.

[1] Electronic Medical Record in Healthcare, U.S. Dept. Health Hum. Serv. 1, 3 (2022), https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf.

[2] Id.

[3] Liu Hua Yeo & James Banfield, Human Factors in Electronic Health Records Cybersecurity Breach: An Explanatory Analysis, Perspectives In Health Info. Mgmt. (Mar. 15, 2022), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9123525/.

[4] Id.

[5] Greg Kill, Top 5 Cybersecurity Threats to Electronic Health Records and Electronic Medical Records, Integracon (Apr. 28, 2018), https://integracon.com/top-5-cybersecurity-threats-to-electronic-health-records-and-electronic-medical-records/.

[6] U.S. Dept. Health Hum. Serv., supra note 1, at 6.

[7] Edward Kost, Biggest Cyber Threats in Healthcare, Upguard (Aug. 8, 2022), https://www.upguard.com/blog/biggest-cyber-threats-in-healthcare.

[8] Id.

[9] Cyber Attacks: In the Healthcare Sector, Ctr. Internet Sec., https://www.cisecurity.org/insights/blog/cyber-attacks-in-the-healthcare-sector (last visited Sept. 14, 2022).

[10] Id.

[11] Hardik Shah, Top 10 Cybersecurity Challenges in the Healthcare Industry, Global Sign (May 5, 2022), https://www.globalsign.com/en/blog/10-cybersecurity-challenges-healthcare.

[12] Id.

[13] Id.

[14]   Liu Hua Yeo & Banfield, supra note 3.

[15] See The HIPAA Privacy Rule, HHS.gov., https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (last visited Sept. 14, 2022).

[16] The Security Rule, HHS.gov.,  https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (last visited Sept. 14, 2022).

[17] Ryan L. Garner, Evaluating Solutions to Cyber Attack Breaches of Health Data: How Enacting A Private Right of Action For Breach Victims Would Lower Costs, 14 Ind. Health L. Rev. 127, 139  (2017).

[18] Id.; 45 C.F.R. § 164.308 (a)(3)(i) (2017).

[19] Id. § 164.308(a)(2).

[20] Id. § 164.308(a)(6)(i).

[21] Id. § 164.308(a)(6)(i).

[22] 45 C.F.R. § 164.308(a)(6)(i) (2017).

[23] Id. § 164.312(b).

[24] Id. § 164.312(e)(1).

[25] 45 C.F.R. §§ 164.400-414 (2009).

[26] Id.

Image Source: https://www.aranca.com/knowledge-library/special-reports/valuation/healthtech-decoded
