Hey there What’s Next readers! Ian Lopez here getting back from a good two weeks of disconnecting (really, it helps). That said, we’ve got a great roundup of the news you (and I) may have missed, including a look at the impact of a novel ruling in an SEC action against crypto outfit Blockvest. Also on deck: the government is both for and against facial recognition tech, plus a look at the legal framework around gene edited babies and more.

As always, I love hearing from you. Please drop me a line at ilopez@alm.com or @IanMichaelLopez.


Security Setback? What An SEC Loss Portends for Crypto Actions


You’ll remember last week we discussed that early ruling in California involving a fight over whether an ICO is a security. That decision involved a judge turning back a request by the SEC for a preliminary injunction to halt the launch of an ICO by Blockvest, a company no stranger to controversy, after the commission failed to demonstrate investors purchased Blockvest’s offering expecting to turn a profit, rendering it short of “Howey” test requirements used to define a security.

To get a read on any potential impact of such a decision, I dialed Morrison & Foerster’s Michael Birnbaum, who notes that “the implications of this case shouldn’t be too broad,” but rather the SEC “didn’t meet its burden for preliminary injunction” on the facts of the case.

The claim “tokens are not securities” “ vastly overstates it,” Birnbaum says. “The judge found on the facts before him that these particular tokens didn’t satisfy the Howey test but did not rule finding they are securities at a later stage, perhaps after the SEC offers additional factual support.”

“I would be surprised if this [means] a change in the SEC’s approach to regulating tokens in general,” he adds. “I would be surprised if the SEC significantly changed its approach. I think the SEC will continue to treat most tokens and coins as securities.”

Joining Birnbaum in this view is Alto Litigation’s Jared Kopel, though he notes the case “may be useful in pointing out the SEC still has to go through the process of demonstrating that a particular event was an unregistered offering.” In his telling, the agency had previously “seemed to be taking the view that anything that involved some kind of distribution of digital assets was by definition an unregistered offering.”

“One would hope the SEC would be more selective in what kinds of case sit brings and what allegation it makes and not just use a kind of blanket allegation that everything that involves digital assets is an unregistered offering therefore violating securities laws,” he adds.

Takeaway: The implications of the Blockvest case seem unlikely to spill into the broader crypto market, though it’s novel nonetheless in how a court tackles an SEC action.

New Government Face-Off over Facial Recognition Tech?


Congress and Amazon’s Rekognition haven’t always seen eye-to-eye, if you will (see here, for example). And it’s that time of of year again for Congress to demand answers from Jeff Bezos.

The second time this year, to be exact. Eight Democratic Congressmen Thursday fired off a letter to Bezos, expressing “serious concerns” RE Amazon’s move to fork over Rekognition to law enforcement agencies, particularly given “accuracy issues” and the “disproportionate burdens” it places on people of color, including other problems.

Among the disconcerting info cited by the legislators are reports of law enforcement sending “raw video footage of bystanders” to “Amazon servers for facial recognition analysis,” spurring the question of whether Rekognition has built-in protections for “the privacy rights of innocent Americans” whose info is in the databases.

Local law enforcement aren’t the only government entities eyeing facial recognition tech. It turns out the Secret Service is doing an about-face on Congress Democrats and launching its own “Facial Recognition Pilot,” using none other than 1600 Pennsylvania Avenue as a testing ground.

Now, DHS says the Secret Service will try to see whether the tech can identify staff members in video feeds from “separate locations” in the White House, and “include images of individuals passing by on public streets and parks adjacent to the White House Complex.” But in the ACLU’s telling, that “crosses an important line by opening the door to the mass, suspicionless scrutiny of Americans on public sidewalks,” representing “DHS’s determination to deploy facial recognition” on the public without congressional consent.

“Face recognition is one of the most dangerous biometrics from a privacy standpoint because it can so easily be expanded and abused—including by being deployed on a mass scale without people’s knowledge or permission,” writes the ACLU’s Jay Stanley. “Unfortunately, there are good reasons to think that could happen. The Secret Service envisions using the technology to provide early warning about “subjects of interest” who are approaching the White House “prior to direct engagement with law enforcement.”

Takeaway: While some in Congress are trying to clamp down on facial recognition technology’s use on the public, other government agencies are making moves some think could pose a significant threat to individual privacy. And the road to facial recognition’s use becoming ubiquitous or (at least partially) unlawful looks to be a long and bumpy one.


Did Marriott Foul Out of its Own Breach Notification Effort?


Marriott may have dropped the ball in its attempt at breach response efforts, and third parties appear to be picking up the slack.

That’s according to a report from TechCrunch, whose Zack Whittaker calls the hotel chain out for using third-party apps to send email notifications to those affected by the breach that not only had the appearance of a sketchy email, but were also “easily spoofable.”

Scammers taking advantage of a breach isn’t unusual—think Equifax—but what is interesting is that reps from two separate security firms, Rendition Infosec and FireEye Inc, tried to beat them at their own game, purchasing domains (email-marriot.com and email-mariott.com) similar to one sending the legit warning emails (email-marriott.com) to stop nefarious actors from using them.

Criticism of the company’s efforts extending far beyond the media. As Law.com’s Amanda Bronstad reports, about a dozen class actions flooded the courts in the days following the breach, some of which question why Marriott waited over two months after receiving a security alert to announce it (a decision that also resulted in a probe by New York Attorney General Barbara Underwood).

And in addition to the breach’s magnitude—500 million impacted, second only to Yahoo—the type of the data compromised—addresses, passport numbers, names, credit and debit numbers, as well as customer travel information and reward points—and how it was obtained are raising eyebrows.

Privacy Counsel LLC’s Paige Boshell told Legaltech News it was odd the breach’s perps didn’t just “take the credit card information and get out” as is typical with financially-motivated hacks, instead taking the time to copy and encrypt data rather than using ransomware or other expedient measures.

Takeaway: It appears Marriott may not have learned a lesson from Equifax or other major breach response efforts, though that’s not unusual in corporate cybersecurity.

On the Radar: 3 Things to Know


Crowdsourcing Legal Code? That’s the D.C. Council’s approach to updating its legal code. As Legaltech News’ Victoria Hudgins writes, laws passed by the council are first updated via Github, with former D.C. Council GC Dave Zveynach describing the process of web publishing updates—which used to take months—as meaning “a lot less busy work” for lawyers. The Council’s move appears novel in the world of legal web publishing, with Joshua Tauberer, a member of the D.C. Mayor’s Open Government Group, describing it on Ars Technica as something he believes “no other jurisdiction in the world does.” What’s more, Tauberer emphasizes that the Github content “isn’t a copy of the D.C. law,” but “an authoritative source,” i.e. “where the D.C. Council stores the digital versions of enacted laws, and this source feeds directly into the Council’s DC Code website.”

Deputy AG Goes OG on Big Tech. You read that right. Rod Rosenstein had harsh words for big tech last week at a Georgetown Law cybercrime symposium, with the Washington Post summing his message up as “Do better to police your platforms or face government regulation.” Rosenstein fired off his comments about a week before the White House is scheduled to hold a panel discussion with big tech bigwigs from the likes of Microsoft and Google, among others. Yahoo Finance’s Rob Pegoraro sums up Rosenstein’s remedy for the turmoil surrounding tech as a “two-part obligation” of designing with safety in mind and ensuring measures don’t preclude law enforcement from snooping around when a warrant is issued.

“Murky at best” is how The Verge’s Angela Chen describes the legal framework around producing ‘gene edited babies,’ with the U.S. barring bucks from going to research without prohibiting the practice outright. The legality also appears to be a mixed bag in China, where the topic of DNA dabbling in children made a splash after a Chinese scientist claimed to have made the world’s first gene edited babies. That drew the ire of the Chinese government, with its vice minister for science and technology describing it as a “blatant violation” of Chinese law and regulations. But that could be debatable. As The Guardian reports, the only relevant regulations on China’s books “come from an ‘ethics guidance’ document released in 2003 that bars the use of any research embryos for reproduction,” but don’t specify any punishment for violation.

Thanks for reading! See you next week!