LIVE FROM LEGALWEEK NYC!! Russian bots, blockchain …and those data privacy blues






Eric De Grasse
Chief Technology Officer

The Project Counsel Group

30 January 2017 (New York, New York) – This place is wall-to-wall lawyers so obviously one would think the debacle that is Trump and the “rule of law” would be discussed. Especially given last night’s State of the Union speech. But no, most lawyers are here to sell and talk tech so it is a bit of a bubble, as Louis Armstrong’s “It’s a Wonderful World” warbles in the background.

But Legalweek (I still want to call it Legaltech) is more interesting not for the sessions (almost all bland, with no depth) or the vendors in the exhibit hall (fewer this year, and the crowd pretty sparse) but for some of the attendees you meet.


INTERESTING NOTE: non-exhibiting vendors had to pay $2,500 for a Legaltech pass this year. But many vendors … cutting expenses … opted for the $1,200 personal badge and are not here “officially” as a vendor but as “John Smith, Cyber” or “Jane Smith, CIPP”. Still selling, meeting, but discreetly. Or not with a badge at all, but grabbing people in the Hilton foyers and/or bars. That $9 billion market has not reached everybody.



I met up with two chaps from Crowdstrike, which is one of the leaders in endpoint protection, threat intelligence and incident response. You hear their name all the time when one of those massive data breaches happens and the company calls in a “what-in-hell-happened” investigation team.


They are here to:

  1. cruise some of the legal vendors to “fact check” what these vendors are claiming they have re: cyber security solutions. Ah, tis a vicious market!
  2. attend some of the sessions on social media strategy and social media data collection

The social media angle was of more interest to me. On Monday, the Trump Administration said it would not impose the Congressionally mandated sanctions on Russia. The White House says we don’t need sanctions because Russia has already been deterred:

On the same day, Pompeo announces that Russia intends to interfere in the 2018 election:

Some deterrent.

The Crowdstrike chaps shared a bit of a study they are putting together on Russian social media influence, and they have an intriguing timeline:

1. In the United States, as we are seeing now in the United Kingdom, when the question of Russia’s deployment on social media was first raised, the initial answer was that nothing happened. There was no Russian involvement in the U.S. Presidential Election of 2016.

2. After a short while, Twitter revised this and said it had identified 201 accounts. After further scrutiny, Twitter admitted it had identified over 2,400 managed Russian accounts. That number would grow.

3. Last week, the company increased that figure by a further 1,000 managed accounts – trolls working at the St Petersburg farms under direct control of the Kremlin.

4. In addition, Twitter added that it had since come across an army of 50,000 automated Russian bots which had worked on the election in tandem with the managed trolls. Other analysts exposed this months ago (some using Crowdstrike software/methods), and the bots actually number in the hundreds of thousands.

5. These accounts produced an estimated 455 million impressions (meaning enough to be seen multiple times by every single American). Twitter even had to contact each American who interacted with these fake users by way of Retweet/Like – something which happened 677,000 times.

6. As it happens, these accounts also appear to have produced over 400,000 supportive reactions to tweets by Donald Trump, and also provided between 40 and 70% of the social media traffic around Wikileaks and their publication of DNC emails, which were hacked directly by Russia.

7. Despite some action by Twitter, huge swathes of the Russian accounts have been confirmed as still active and pushing the latest nonsense conspiracy theory, #ReleaseTheMemo, which relates to a broadly discredited document designed to discredit the FBI (there are enough mainstream media sources to read about this). Those Russian accounts are estimated to be 50,000 +/-.

8. Meanwhile, most intriguing, the UK has seen a similar pattern unfold. Initially, there was an absolute denial of any Russian involvement in Brexit. Then, when they took a closer look, it transpired a known St Petersburg troll farm had spent $1,000 on Twitter.

9. This last week, Twitter responded to the UK’s Fake News Inquiry saying they had identified 100 Russian accounts active during Brexit. In short order, they were told to do better. Analysts are saying it will be in the 1000s.

My take: things unfolded differently in the US and the UK, not least because the situation in the UK is more complex, in particular due to less stringent rules/controls around foreign funding of political parties and campaigners. And the UK numbers will increase, just as they did in the US, while Facebook and Twitter will continue to kick and scream that they are doing all they can.



“Blockchain Frenzy” !!!! Know what you’re talking about!!

In March we have a video series coming out in cooperation with the law firm of Drinker Biddle, and with MIT Media Lab. I spent my breakfast with an MIT Media Lab attendee and we discussed a new blockchain report by the National Institute of Standards and Technology that aims to go well beyond the hype.

For the uninitiated, blockchains are immutable digital ledger systems implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority. At its most basic level, they enable a community of users to record transactions in a ledger public to that community such that no transaction can be changed once published.

NIST announced the release of Draft NISTIR 8202, Blockchain Technology Overview. This publication is intended to provide a high-level technical overview of blockchain technology. It is very well done. It discusses its application for virtual currency like bitcoin, as well as broader uses, as in legal contracts. The document looks at different categories and approaches for different blockchain platforms.

I strongly recommend it because it will tell you:

  • what blockchain is
  • what blockchain can do, and most importantly
  • what blockchain cannot do

For the NIST draft click here.


One of the “oh-so-current” topics on the floor of Legaltech has been Strava. It brings up that old issue “I-checked-a-box-to-accept-the-app’s-privacy-policy-and-did-not-realise-the-default-setting-is-to-share-data-with-the-company”.

For users of the exercise app Strava, which has a global “heat map” showing where its users jogged or walked or otherwise traveled while the app was on, it has become an issue. The map includes some three trillion GPS data points, covering more than 5 percent of the earth. Over the weekend, a number of security analysts showed that because many American military service members are Strava users, the map inadvertently reveals the locations of military bases and the movements of their personnel.

More alarming for the military, as the blog DefenseOne noted this morning, similar patterns of movement appear to possibly identify stations or airstrips in locations where the United States is not known to have such operations, as well as their supply and logistics routes. Analysts noted that with Strava’s interface, it is relatively easy to identify the movements of individual soldiers not just abroad but also when they are back at home, especially if combined with other public or social media data.

As one presenter said at a session here at Legaltech, the Strava debacle “underscores a crucial misconception at the heart of the system of privacy protection in the United States. The privacy of data cannot be managed person-by-person through a system of individualized informed consent”.

BANG. SMASH. YOU GET THE TEE SHIRT. As I have noted in numerous posts, data privacy is not like a consumer good, where you click “I accept” and all is well. Or better said by Zeynep Tufekci (a Turkish writer, academic, and techno-sociologist known primarily for her research on the social implications of emerging technologies in the context of politics and corporate responsibility and whom I have met at several cyber tech events in Europe):

Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed. Part of the problem with the ideal of individualized informed consent is that it assumes companies have the ability to inform us about the risks we are consenting to. They don’t. Strava surely did not intend to reveal the GPS coordinates of a possible Central Intelligence Agency annex in Mogadishu, Somalia – but it may have done just that. Even if all technology companies meant well and acted in good faith, they would not be in a position to let you know what exactly you were signing up for.

And another part of the problem, as many vendors will tell you here at Legaltech, is the increasingly powerful computational methods called machine learning, which can take seemingly inconsequential data about you and, combining them with other data, can discover facts about you that you never intended to reveal.

What I am hoping is discussed at Legaltech by somebody is that the challenging feature of machine learning is that exactly how a given system works is opaque. As we learned at the Conference and Workshop on Neural Information Processing Systems last year, even those who have access to the code and data cannot tell what piece of data came together with what other piece of data to result in the finding the program made. This further undermines the notion of informed consent, as we do not know which data results in what privacy consequences. What we do know is that these algorithms work better the more data they have. This creates an incentive for companies to collect and store as much data as possible, and to bury the privacy ramifications, either in legalese or by playing dumb and being vague.


Here is a wonderful TEDTalk by Zeynep Tufekci: “We’re building a dystopia just to make people click on ads”:


