12.10.2018

Book Excerpts are Food for Thought on Cyber


In October, former Assistant Attorney General John P. Carlin's Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat, was released. It is available via Amazon (https://www.amazon.com/gp/product/B079L5N2TC?tag=hacboogrosit-20).

Recently I was delighted to review some multi-media clips which feature excerpts from the work. Here are three such excerpts, via one such snippet (https://www.politico.com/magazine/story/2018/11/21/junaid-hussain-most-dangerous-terrorist-cyber-hacking-222643), followed by comments that I have added.


“We were, as a country and a society, providing technology to our adversaries—technology developed with our creativity and through our national investments in education; technology that allowed them to communicate  securely and instantly among themselves and potential recruits; technology that was specially designed to allow them to keep their conversations private and prohibit law enforcement from listening even with a valid court order; technology that allowed them to reach into our schools, our shopping malls and our basements to spread poison to our children, tutor them and provide them operational directions and supervision to kill fellow Americans. And we’d given it all to them for free—available for an easy download in the app store, just a few clicks away.”

My comment: Putting a net around these risks is a global scale issue. Could/should/do licensing paradigms & OFAC/ITAR address this sufficiently? What’s the best path forward that acknowledges the spirit of the creative & free societies that created these technologies? 

“After the retailer reported the email exchange, the FBI was able to trace the internet address of the sent email to Malaysia,” 

My comment: I am curious what the author thinks of new legislation that makes collecting IP addresses and related info a regulatory violation (https://eugdprcompliant.com/personal-data/). Will it have any chilling effect on law enforcement?


“Too often, it seemed like luck kept us safe”   

My comment: I second this sentiment; it’s troubling.



Congratulations to the author & please share this post if you think an autographed copy would make a great holiday gift :) 


-MCC,ESQ. 

11.08.2018

Daikon Breakfast Treat Recipe: Serves 2


What is the difference between a latke and a hash brown? Will have to leave it to the food scholars to answer that question. This recipe uses shredded daikon, a winter radish, in the place of potatoes to create a dish that is reminiscent of a hash brown or a latke, for a leisurely and tasty fall breakfast. 

You will need: 

Salt to taste
1/3 large peeled grated daikon
1 slice bacon
1/3 white onion sliced
1/4 cup vegetable oil 
1 tablespoon butter 
1 egg
1/4 teaspoon chili powder 
1 tablespoon dried sage 

Cream cheese for garnish


Directions:

Peel and grate 1/3 of a large daikon, add salt, place in a bowl and refrigerate. You will come back to this in about 30 minutes to drain it.

Wait around 20 minutes :-)   (Maybe check your email or tackle a small task on your to-do list) 

Coat a large frying pan with vegetable oil and heat at medium. Once the oil is warm, place a piece of bacon in the pan and fry. Remove the bacon slice from pan and reserve.

Add to the frying pan 1/3 of a sliced white onion. 
Add to the pan a tablespoon of butter. Stir.

Remove the grated daikon from the fridge, drain and season with chili powder. 
Add 1 egg to the grated daikon and mix until egg is somewhat beaten.

Divide grated daikon into four equal portions.

If your frying pan is getting too hot and/or your onion is starting to burn, feel free to add a teaspoon of water to the pan.

Add sage to the frying pan and stir into the onion.

Spoon the apportioned grated daikon into the frying pan, incorporating some of the onion as you form the mixture into a thin cake. 

Keep the flame on medium and flip the cake every few minutes, until crispy on outside and cooked on inside.

Plate, adding a bit of reserved bacon on top and garnish with cream cheese.

Enjoy :) 

10.16.2018

“We thought that we had the answers, it was the questions we had wrong.” U2, lyrics to “11 O’Clock Tick Tock”, Under A Blood Red Sky, 1983.

My highlighted PDF copy of Dodd Frank (1) notes that Section 619 (“Volcker Rule”) runs from pages 246-257. Thus, it’s 11 pages long.


It truly captures the imagination and attention then, when:

“On July 17, 2018, the Agencies published in the Federal Register
a notice of proposed rulemaking (proposal) that would amend
the regulations implementing section 13 of the Bank Holding
Company Act. Section 13 contains certain restrictions on the ability
of a banking entity and nonbank financial company supervised by
the Board to engage in proprietary trading and have certain
interests in, or relationships with, a hedge fund or private equity
fund. The proposed amendments are intended to provide banking
entities with clarity about what activities are prohibited and to
improve supervision and implementation of section 13.
In response to requests from commenters regarding issues addressed
in the proposal, the public comment period has been extended for
30 days until October 17, 2018.”  (2)
To summarize, by extending the time to comment on the proposed
amendments, interested parties would have more time to review and
analyze the somewhat lengthy proposal on proposed changes to the
“Volcker Rule”.


However, rather than analyzing the proposal, I found myself
considering whether an argument can be made to strike section 13
of the Bank Holding Company Act (entirely or otherwise) on the
basis of the constitutional doctrine of “Unconstitutional
Vagueness” (3).

To construct a framework for such an inquiry, one must parse the
task into two sequential legal analyses; let’s call them 1.) a
threshold question and 2.) a substantive question.


The threshold question is:
Is section 13 of the Bank Holding Company Act (i.e. Section 619 Dodd Frank, i.e. “The Volcker Rule”) subject to constitutional review (4)?


The substantive question is:
Is section 13 of the Bank Holding Company Act (i.e. Section 619 Dodd Frank, i.e. “The Volcker Rule”) vague, and if so, does it rise to the level of “Unconstitutional Vagueness”?


The 1st question is important because if the answer to it is not “yes” there is no point in going to the 2nd question. (I.e., “even if it is unconstitutionally vague, the doctrine is not applicable because…” is a contingency we have considered from the outset.)

In order to reflect on the threshold question, we should consider
relevant Supreme Court caselaw that addresses when and
whether legislation is subject to constitutional review.


The seminal caselaw on judicial review is Marbury v. Madison, 5 U.S. 137 (1803), which established judicial review. Incidentally, it’s around five pages long.

The readers of this blog post are encouraged to more profoundly consider what arguments
may exist for and against our threshold question of whether Dodd Frank generally or the
Volcker Rule specifically is subject to judicial review.


Okay, 2nd question :)
Is Volcker vague?
If it is vague, does such vagueness rise to the level of
unconstitutional vagueness, such that it should be struck down, ala
Marbury v Madison?

With regard to our 2nd question, it’s important to understand why
the doctrine of unconstitutional vagueness exists in the 1st place.
It’s about due process, which is super important in our judicial system.


Here is an excerpt from an early 20th century tobacco case, Collins v. Kentucky, 234 U.S. 634, 637 (1914):

“no standard of conduct that it was possible to know; that it
violated the fundamental principles of justice embraced in the
conception of due process of law in compelling men on peril
of indictment to guess”


In other words, when a law (which when broken leads to enforcement)
has a standard that is unknowable, it is a violation of due process.
Another way to say this is: if it’s impossible to tell whether or not
one has broken the law, that’s just not fair, and thus repugnant to our
system of law.


After running some searches, around twenty SCOTUS cases emerged (5) as those that are oft cited when the courts seek insight on what the SCOTUS thinks about “unconstitutional vagueness”. One thing that this short list tells us is that “unconstitutional vagueness” is a doctrine that the court has not considered with frequency.


Some things to consider when perusing the cases are whether or not the parties in those cases are anything like the potential parties in our scenario and also how analogous (or not) our theoretical argument is to the facts and circumstances in the various cases. Another thing to generally consider is whether, in the absence of controlling law, a successful case can be brought at all.


Again, I will leave it to the reader of this blog post to consider whether a legal challenge of the type described above would be met with success and what costs and risks (6) would otherwise attend such an endeavor.
Happy autumn all! 🌇



1. Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203 et seq, (2010) link to act: https://www.law.cornell.edu/topn/dodd-frank_wall_street_reform_and_consumer_protection_act
9.30.2018

Brexit Countdown Clock


[Countdown clock widget: countdown to Mar 29, 2019 11:00 pm, showing days, hours, minutes and seconds ticking down to 0]

9.16.2018

Fifteen Ways to Use Your Law License to Help Others


This free CLE may help:



"You might be poor, your shoes might be broken, but your mind is a palace" -Frank McCourt, Angela's Ashes

7.20.2018

All the Bogus Emails

Here are screenshots of some of the bogus emails I have rec'd lately.

Some of these made it through my email program's spam filters; many did not.


This one (above) is allegedly from a local admirer. Maybe I need a bodyguard.



This one is inviting me to a leadership conference, and the State Department will pick up the tab. No such person, apparently.




In this one I am supposed to open an attachment from a person who purports to be with the IRS. Nice try, possibly once and future felon. 



This one (above) purports to be from Chase. So, aside from a phishing attempt, this is also trademark & copyright infringement IMO.



In this one (above) I am supposed to think ADP is invoicing me. No such account.



This one begins "Dear Sir" and apparently includes a purchase order, attached. No thanks.



This is the second one I have rec'd recently from a party purporting to be BOA. #illegal


Oh, yes, my contract payment of 27 million dollars, how could I have overlooked that? #fraud



Have a great weekend all, please carefully consider opening attachments associated with unsolicited emails, and do not click on any links they may include.  xo, Martha 






6.01.2018

Never Pay the Ran$om

The first draft of this blog post began (last month) with the assertion that one should never pay the ransom in a ransomware attack. This inevitably led to the question "Are any or all ransomware attacks acts of terrorism?" This question turned out to be a much more nuanced and complicated one than the first draft of this blog post anticipated.

There are many definitions of terrorism. The one that I found most consistent with my own line of thinking is by Dr. Bernhard Blumenau, who defines terrorism in FN1 of an article in the May issue of Studies in Conflict and Terrorism as "The politically motivated use or threat of violence that is directed not just against the immediate targets but is meant to communicate with an audience beyond the primary victims of these acts. It is a tactic used to gain or solidify power."

Another definition in line with my own manner of thinking is often attributed to the CIA, which in relevant part represents that terrorism is "designed to change the existing political order." Paul R. Pillar, in the first chapter of Terrorism and Foreign Policy, while considering the form and function of a definition of terrorism observes "terrorists attack people who cannot defend themselves in return" (page 14) and later states that counterterrorism: "is an effort to civilize the manner in which any political contest is waged" (page 18). His discussion makes clear that violence or the threat of violence is part of his accepted definition.

The UN maintains that terrorism includes "Criminal acts, including against civilians, committed with the intent to cause death or serious bodily injury, or taking hostages, with the purpose to provoke a state of terror in the general public or in a group of persons or particular persons, intimidate a population or compel a government or an international organization to do or to abstain from doing an act."

These definitions are illuminating but not determinative in answering the question "Are any or all ransomware attacks acts of terrorism?"

To further our inquiry let's consider what characteristics these several definitions share:

Clearly global actors who concern themselves with addressing terrorism mitigation agree that terrorism includes 1. an aspect of violence, or the threat of violence, 2. engineered to reach an audience beyond its primary targets, 3. for political reasons, and 4. said targets are civilians (who cannot defend themselves in return).

The next part of our inquiry is much easier :)

We must consider the definition of a ransomware attack:

"Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them."

"Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry Worm," traveled automatically between computers without user interaction."

Let's turn to how the above definition of a ransomware attack, as applied to the four characteristics of terrorism that the various terrorism definitions share, informs our question.

The first characteristic of terrorism, applied to a ransomware attack, concerns an aspect of violence, or the threat of violence. This seems to be the most provocative part of our inquiry. Perhaps the threat of violence could be more readily found in many ransomware scenarios. As someone who has been present at various meetings and panel discussions where attorneys with all different kinds of experience in cyber considered whether and when a cyber attack becomes a kinetic attack, perhaps the best thing that can be said about this question is that it may be a fact-based inquiry.

Our second factor was whether the act was engineered to reach an audience beyond its primary target. The threat of disseminating information to a wider audience (or blocking access to it), is an act that, at the very least, suggests the malfeasor is considering how the act will be perceived by third parties, and perhaps even relying on these third parties, as a force multiplier of sorts, to make the threat hold more power over the victim. This observation is much more valid when the threat is to disseminate the data, rather than to hold it hostage, because, theoretically, the victim could keep it a secret that their data is being held hostage, but even that would be a decision based upon the consideration of parties beyond the malfeasor and the victim.

Okay, third question: whether or not a particular ransomware attack is carried out for political reasons is probably also a fact-based inquiry. For the purposes of this blog post let's observe that it is most certainly possible to carry out a ransomware attack for political purposes.

Now to the last question in the analysis: whether the target of the attack is a civilian. Okay, this at first seems like another simple, fact-specific inquiry. But what about the part where we considered civilians *or* "parties who cannot defend themselves in return"? Hmm. It kind of goes without saying that if a bad actor is able to encrypt all of your data for ransom, from a distance, somewhere along the line there was an inability to defend oneself in return.

Now let's get back to the main question:

"Are any or all ransomware attacks acts of terrorism?"

If one believes that threatening to publish the victim's data or perpetually lock access to it
is violence or the threat of violence,  
then at the very least, some ransomware attacks are acts of terrorism
if
the ransomware attack was engineered to reach an audience beyond its primary targets,
and
the ransomware attack was carried out for political reasons
and
the victims of the ransomware attacks were civilians, or otherwise parties who cannot defend themselves in return. 

Whether a ransomware attack is an act of terrorism could be relevant for a number of reasons. Of course, our inquiry is valuable because it forces us to think critically about a particular type of cybersecurity related incident, and that has its own value. Additionally, answering this question could have legal consequences, for example your insurance policy might not cover acts of terrorism, or as another example, being a victim of an act of terrorism might allow a party to qualify for certain types of social services. Without wading too deeply into this ancillary issue, for the purposes of this blog post, we can observe that our inquiry may have legal relevance in contemplated, and perhaps uncontemplated domains.

While a coherent theory of cyber security continues to emerge and coalesce, now is a good time to remind the reader that the first draft of this blog post began (last month :)) with the assertion that one should never pay the ransom in a ransomware attack.

Let's agree that reasonable minds may differ on the issue of whether to pay the ransom or not. My position is based on my legal training and experience, as well as education in counterterrorism, and can be summed up by opining that an unseen party who would intrude onto your computer or network, and threaten you is not going to do the right thing because you send them some coin. But of course you should make the decision that best suits your particular set of circumstances.

An organization with potential exposure to a ransomware attack (and/or other cyber related incidents) may want to address this risk by having a team designated in advance, ideally composed to cover five functions: a party whose function is that of a chief information officer, a party who makes business or management-related decisions for the organization, an in-house counsel who should be notified of such an incident immediately, an outside counsel, and an outside data-related party, the nature and scale of which may depend on the incident.

By prioritizing the value of an organization's data and backing it up regularly, in a manner that reflects respect for the necessity of said data in the continuing operation of the organization, organizations and individuals can act decisively to neutralize the threat of a ransomware attack, whether it is an act of terrorism or not.


Have a great June all. It's a pretty good month.



3.27.2018

Googacle Continues

We are just getting word that the U.S. Court of Appeals for the Federal Circuit has sided with Oracle in the latest round of this litigation. Please see here for a slideshare on Open Source Adoption Rates, with attention to slide 12, reproduced below:

[Slide 12 image]
Also, please see here for a table of cases cited in this most recent round of the litigation. Please note the intersection of cases cited by both sides, and also, the small number of Supreme Court cases that were cited overall. 

3.13.2018

Fitness For a Particular Purpose

While serving a non-profit pro bono I spent some time researching antitrust issues in the standard setting process. Approaching anti-competition risk management from this perspective is quite different than approaching antitrust regulations from the perspective of defense counsel in the corporate space, and I am grateful for the opportunity to have considered this area of law from these divergent vantage points.

One may tend to orient oneself to a number of different facts and circumstances from within the context of the Clayton Act when approaching antitrust as a defense counsel in the corporate space. One is often dealing with more antitrust counsel and with opposing counsel, perhaps at the DOJ or the European Commission, or Ministry of Commerce, and these are parties who are necessarily well versed in antitrust law; they might even be the parties who wrote the laws or who spent five or seven or thirteen years on a particular matter, absorbing all of the relevant legal details as they followed a particular controversy from the complaint stage to the appellate stage.

In the non-profit space one might find oneself evaluating or making recommendations on specific scenarios or policies with attorneys and advisors who have high technical proficiency in their practice area, but not necessarily a background in business law.

Thus I would like to share a link to the helpful guide, ISO's "Competition Law Guidelines for Participants in the ISO Standards Development Process", which includes helpful tips such as:

"Do ensure that you and other participants that attend meetings have the necessary technical expertise."

"Do feel free to use and share information from the public domain, including historical and aggregated industry information (which doesn’t allow an individual business’s pricing or commercial strategy to be identified), but do be careful that it doesn’t lead to discussions on future strategy."

"Don’t fix any prices or price-related conditions with competitors."

Since it is Women's History Month, I am also going to share this chart from the US Department of Labor that conveys some statistics on women in the workplace. According to the chart, female chief executives comprise 28% of all chief executives in the labor force. Preschool and kindergarten teachers are 97.7% female. Lawyers are 37.4% female. Judges, magistrates, and other judicial workers are 28.1% female. Electricians are 2.5% female. Physicians and surgeons are 40% female.

From the chart, I was not able to deduce how many women are represented in standard setting organizations. It's an important question to consider; most of the above cited examples require a license, and are thus regulated by some set of standards somewhere.

It seems logical that the older a standard is, the more likely it is that it was devised exclusively by men. This would be true if gender balance statistics in standard making bodies are consistent with historic gender imbalances in the broader workplace. While some would want to spend time considering whether this is good, or unfortunately bad, I would merely posit that this is so.  Further, I would seize the opportunity to make a brief reference to Rawls' "Veil of Ignorance", while contemplating this assertion.

So, some questions to ask this Women's History Month when thinking about standards:
Who developed the standard? When was the last time the standard was evaluated? Have female experts ever commented on how they approached the standard? Is it the best available standard for evaluating fitness for a particular purpose? How would we begin to undertake a task such as reconsidering all of our existing standards, in all contexts, in a big data world?

Happy March, all.
🐱

1.22.2018

#governmentshutdown2018

This weekend I caught up with some guests from out of town and was somewhat chagrined to have to contemplate telling them that they might not be able to visit some of the country’s best sights due to the government shutdown of 2018. The botched plans of tourists were only one facet of ruminating upon what, exactly, would take place during such an event.

Amidst the anxiety generated by such governmental and political dysfunction, please be reminded that some professionals show leadership by conveying clear instructions in the event of such a contingency. Here’s a link to the SEC’s Operations Plan in the event of a government shutdown, which is posted on the agency’s website, and thus accessible to the general public: https://www.sec.gov/files/sec-operations-plan-gov%20shutdown-to-omb-12042017.pdf. There is a similarly accessible plan posted on the DOJ website: https://www.justice.gov/jmd/page/file/1015676/download. The Department of Commerce’s contingency plan is 137 pages long (https://www.commerce.gov/sites/commerce.gov/files/plan_for_orderly_shutdown_due_to_lapse_of_congressional_appropriations_-_20171207.pdf), in contrast to the previous two, which were less than twenty pages in length. A link to the VA’s contingency plan may be found on this page: https://www.blogs.va.gov/VAntage/43654/va-contingency-plan-2017/. It seems to be formatted in MS, unlike the others just cited, which were PDFs.

Why isn’t there one of these contingency plans on the homepage of all of our government agencies, or at least for each Cabinet office? Now is probably a good time to observe that respect is earned, most often during moments when some are grandstanding while others quietly make sure people are supplied with a plan of action, and a government.