Tuesday, October 29, 2019

SECURITY - Ransomware Hunting League Hero




"The Ransomware Superhero of Normal, Illinois" by Renee Dudley, ProPublica 10/28/2019

Thanks to Michael Gillespie, an obscure programmer at a Nerds on Call repair store, hundreds of thousands of ransomware victims have recovered their files for free.

This story was co-published with the Chicago Sun-Times and The Pantagraph.

ProPublica is a nonprofit newsroom that investigates abuses of power.  Sign up for ProPublica’s Big Story newsletter to receive stories like this one in your inbox as soon as they are published.


About 10 years ago, Michael Gillespie and several classmates at Pekin Community High School in central Illinois were clicking on links on the school’s website when they discovered a weakness that exposed sensitive information such as students’ Social Security numbers.  They quickly alerted their computer repair and networking teacher, Eric McCann.

“It was a vulnerability that nobody even knew about,” McCann said.  “They did a quick search on passwords and student accounts, and lo and behold, that file is sitting out there.”

A shy, skinny teenager whose hand-me-down clothes didn’t fit him, and who was often ridiculed by schoolmates, Gillespie was already working after school as a computer technician.  “He was full of information all the time,” McCann said.  “We’d bounce ideas off each other.  You could tell his passion for technology, for computers, for figuring out things.  That definitely made him stand out.”

Without crediting the students, school administrators closed the breach and changed everyone’s passwords.  Gillespie’s anonymous protection of the school’s cyberdefenses was a harbinger of his future.  Like a real-life version of Clark Kent or Peter Parker, the self-effacing Gillespie morphs in his spare time into a crime-foiling superhero.  A cancer survivor who works at a Nerds on Call computer repair shop and has been overwhelmed by debt — he and his wife had a car repossessed and their home nearly foreclosed on — the 27-year-old Gillespie has become, with little fanfare or reward, one of the world’s leading conquerors of an especially common and virulent cybercrime: ransomware.  Asked what motivates him, he replied, “I guess it’s just the affinity for challenge and feeling like I am contributing to beating the bad guys.”

Each year, millions of ransomware attacks paralyze computer systems of individuals, businesses, hospitals and medical offices, government agencies, and even police departments.  Often, files cannot be decrypted without paying a ransom, and victims who haven’t saved backup copies and want to retrieve the information have little choice but to pony up.  But those who have recovered their data without enriching criminals frequently owe their escapes to Gillespie.

The FBI and local law enforcement agencies have had little success in curbing ransomware.  Local departments lack the resources to solve cybercrime, and the ransoms demanded have often been below the threshold that triggers federal investigations.  Security researchers like Gillespie have done their best to fill the gap.  There are almost 800 known types of ransomware, and Gillespie, mostly by himself but sometimes collaborating with other ransomware hunters, has cracked more than 100 of them.  Hundreds of thousands of victims have downloaded his decryption tools for free, potentially saving them from paying hundreds of millions of dollars in ransom.

“He took that deep dive into the technical stuff, and he just thrives on it,” said Lawrence Abrams, founder of a ransomware assistance website called BleepingComputer.com.  “Every time a new ransomware comes out, he checks it out.  ‘Can it be decrypted?  Yes, it can be decrypted.  OK, I’ll make the decryptor.’  And it’s just nonstop.  He just keeps pumping them out.”

Gillespie downplays his accomplishments.  “IT [Internet Technology] moves so fast, there’s always something to learn, and there’s always someone better than you,” he said.

Gillespie’s tools are available on BleepingComputer.com, and they can be accessed through a site he created and operates, called ID Ransomware.  There, victims submit about 2,000 ransomware-stricken files every day to find out which strain has hit them and to obtain an antidote, if one exists.

As hackers and their corporate enablers, including cyber insurance providers and data recovery firms whose business models are based on paying ransoms, profit directly or indirectly from cybercrime, one of ransomware’s greatest foes lives paycheck-to-paycheck.  Under his internet alias, demonslay335, Gillespie tackles ransomware either in his downtime at Nerds on Call or at night in the two-story bungalow he shares with his wife, Morgan, and their dog, rabbit and eight cats.  Surrounded by pets, he lies on his living room couch, decoding ransomware on his laptop and corresponding with victims desperate for his help.

Although the FBI honored him in 2017 with an award for his website, it doesn’t systematically recommend ID Ransomware — meaning that some victims may never learn of a resource that could help them avoid paying a ransom.  Many of his friends, relatives and colleagues don’t know the extent of his war on ransomware.  “They do not have a clue because of Michael’s modesty,” said his wife’s grandmother, Rita Blanch.  “Honestly, I don’t think anyone in the family knows what he does for free.  I barely know.”  When he got the FBI award, she added, “I sent out a family text, and they’re like: ‘What?  What?  Our Michael?’”

McCann wasn’t aware of Gillespie’s accomplishments either.  “It kind of gives me goosebumps,” the teacher said.  “He’s sitting here doing all this for free.  That’s incredible.”

On a humid morning in July, Gillespie sat on his covered front porch.  His hair was pulled back into a low ponytail, and he sported scraggly facial hair and a V-neck striped shirt.  Brown leaves left over from the previous autumn and birdseed from a feeder were scattered on the ground.  Gillespie said hello to a cardinal — the Illinois state bird, he pointed out — and a squirrel with a “wonky eye.” He said a family of groundhogs resides under the porch and eats from the front-yard mulberry tree, but they didn’t make an appearance.

He opened his Twitter account.  “Like right now, I have 58 PMs and 120 notifications,” he said.  Most were pleas for help from victims of a ransomware strain, STOP Djvu, which he can sometimes decrypt.

Gillespie’s love of computers and electronics started early.  His paternal grandmother, a video gamer, introduced him to online role-playing games such as RuneScape.  He played Donkey Kong Country on a used Super Nintendo that his uncle gave him.  As emergency services volunteers, his parents communicated with tornado spotters via ham radios.  His father, a land surveyor, taught him how to repair electronics by soldering the radios.

Gillespie gleaned from his mother’s father, a police lieutenant in Florida, the importance of protecting the public.  Reinforcing the message, his parents went out of their way on family trips to pass through Metropolis, Illinois, which proclaims itself to be Superman’s hometown, and pay their respects at the Man of Steel’s bronze statue.  Gillespie was also fascinated by cryptography.  He liked the idea of having secret codes that no one else could figure out — and cracking other people’s.

Struggling financially, his family sometimes had to move in with friends or relatives.  When he was in high school, his parents filed for bankruptcy in the Central District of Illinois, court documents show.

At Pekin High, he helped protect not only the website but also his classmates’ belongings.  One day, noticing that other students were pre-setting codes to the combination locks on their lockers for convenience, he pulled down on every lock in his aisle.  About a quarter of the lockers opened.  He left a Post-it note in each one, admonishing the user to be more careful.

By then, he and Morgan Blanch were becoming close.  They lived down the street from each other but didn’t become friends until their freshman year at Pekin.  They began hanging out at each other’s houses and messaging on Myspace.  They were both in the school show choir and eventually sang in a national competition on the Grand Ole Opry stage in Nashville, Tennessee.

Both sometimes felt like outcasts.  She was overweight.  Gillespie, she said, was “that one kid at school that everybody knows who they are because they’re weird or they’re the butt of people’s jokes.”

But they could rely on each other.  “We’d get annoyed because our other friends were more flighty,” she said.  “They weren’t dependable, whereas if Michael and I made a plan, we stuck to it.  And we liked that about each other.” They started dating during Christmas break of their junior year.

When he graduated in 2010, Gillespie was named a Prairie State Scholar and an Illinois State Scholar, based on his standardized test scores and class rank.  Instead of going to college, he began working full time at the Nerds on Call store in Normal, Illinois.  Even with financial aid, he said, college would have been too expensive, and he already had everything he wanted.  “I got a job, got a car, got a girlfriend.  Boom.  Life together,” he said.

“He just felt that he could learn better on his own than in a classroom setting,” Morgan Gillespie said.  “He doesn’t really like to be restrained by protocol or by doing the ‘typical’ route of things.  He likes to get in there and figure it out and do whatever it is he feels like he wants to do.”

She enrolled at Millikin University in Decatur, Illinois, but missed Gillespie and dropped out after two months.  They moved into a new apartment close to his job and were married in October 2012, with Rita Blanch officiating.  For the bachelor party, Gillespie and his Nerds on Call friends went to a nearby farm and shot up old computers with his father’s firearms.  “Nobody who was too tipsy got to hold the rifles, but we put a few rounds through some old monitors,” said his best man, former co-worker David Jacobs, who organized the party.

The couple honeymooned in Peoria, Illinois.  The next year, with a Federal Housing Administration loan for lower-income borrowers, they purchased their $116,000 bungalow in a working-class neighborhood in Bloomington, Illinois.  There they could hear Amtrak’s Lincoln Service roar by on its way to Chicago.

At Nerds on Call, Gillespie was known as the Swiss Army Knife for his versatility.  So when a client was hit by TeslaCrypt ransomware in 2015, Gillespie was assigned to recover the files.

He embraced the task.  Not only was it an opportunity to expand his skills, but he also objected to the very idea of paying a ransom.  “I say hell no,” he said.  “There’s all the stuff about how it’s funding terrorism, funding bad stuff.  But more so, it’s just encouraging [criminals] to keep going.”

Gillespie “lives so heavily in the tech world, I think having bad actors involved just bothers him,” Jacobs said.  “Sometimes it’s also a little bit of competition.  ‘It’s me versus the bad guys and I want to win.  I want to be able to outdo their schemes.’”

Gillespie immediately consulted BleepingComputer.com.  Established in 2004 by Abrams to provide free advice for any computer problem through tutorials and forums, it had become the go-to site for ransomware assistance.

Sure enough, a BleepingComputer member known as BloodDolly had figured out how to crack TeslaCrypt.  But Gillespie still had to create a key for the client, which required running complex software for hours or days at a time.  “I wanted to post a success story for one of my customer’s systems that was hit this week,” he proudly announced on the forum in August 2015.  “I’ve just successfully decoded a few sample files at home.  … My customer is going to be thrilled we can get her photos back.”

Gillespie realized that Abrams, BloodDolly and other ransomware researchers were overwhelmed with requests for help.  He soaked up everything they could teach him.  Soon he was running software from both his home computer and computers under his desk at work, generating customized keys for scores of TeslaCrypt victims who had posted on BleepingComputer or on social media.

“It was huge, it was insane,” Abrams recalled.  “We were cracking keys left and right.  And Michael got the bug from that.  He came to the site, started cracking keys, starting helping.”

Gillespie also began exchanging private messages on BleepingComputer with U.K.-based ransomware expert Fabian Wosar.  Wosar, now the chief technology officer of antivirus provider Emsisoft, was working to break other strains of ransomware, and he referred TeslaCrypt victims to Gillespie.  Wosar, too, shared his knowledge with Gillespie.

“Sometimes, when people seem genuinely interested, I just ask them if they want to come along,” Wosar said.  “I just open a screen share, and they can watch what I’m doing.  And I explain to them what I am doing and why, and what all this different stuff means.”

Wosar, Gillespie, Abrams and a handful of other volunteers worldwide began communicating over the messaging platform Slack, forming a group they dubbed the Ransomware Hunting Team.  Abrams would hear about a new type of ransomware through users’ posts on his website and send a sample to his teammates.  If they could solve it, they would.

Gillespie creates 90% of the decryptors available on BleepingComputer, Abrams said.  Since May, when Abrams began tracking statistics, decryptors on the site have been downloaded more than 320,000 times.

While BleepingComputer makes money from advertisers, members of the hunting team from time to time have discussed charging for their services.  Each time, “it left a sour taste,” Abrams said.  He recalled a mother who contacted him to say she’d lost photos of her son, a fallen Army veteran, to ransomware.  Abrams helped to decrypt her files.  “I couldn’t charge for that,” he said.

Wosar and Gillespie have each created more free, public decryptors than anybody else in the world.  The two have much in common: neither went to college and both consider themselves autodidacts, learning mostly from internet research.  Both found a home and friendships on BleepingComputer.  And both, Wosar said, suffer from imposter syndrome — feelings of inadequacy that persist despite their success.

“I think we’re all kind of misfits,” Wosar said, referring to members of the team.  “We all have weird quirks that isolate us from the normal world but come in handy when it comes to tracking ransomware and helping people.  That’s why and how we work so well together.  You don’t need credentials, as long as you have the passion and the drive to teach yourself the skills required.  And Michael clearly has it, right?”

As ransomware became increasingly prevalent, the Ransomware Hunting Team had trouble staying abreast of new variants.  “It just got to the point where we just couldn’t keep track any more,” Abrams said.

Gillespie quietly began working on a solution.  “I’m a programmer,” he said.  “What do I do?  I automate.”

At night, on his couch, Gillespie developed a site where victims could upload a ransomware-encrypted file and automatically learn what type it was, whether a decryptor existed and, if so, how to get it.  In March 2016, he launched ID Ransomware with an announcement on Twitter and on BleepingComputer.  “All too often after a ransomware attack, the first question is, ‘what encrypted my files?’, followed by ‘can I decrypt my data?’” he wrote.  “This web service aims to help answer those questions, and guide a victim to the correct information relating to their infection.”

The site took off immediately.  Victims, ransomware recovery firms and other researchers sent encrypted files for analysis.  When they submitted files infected by an unidentified type of ransomware, Gillespie added it to his database.  As before, he and other members of the team worked to create decryptors for newly discovered strains.  ID Ransomware currently can detect more than 780 strains, of which almost 40% have free decryptors, most of them developed by Gillespie or Wosar, and others by cybersecurity firms such as Kaspersky, Avast and Bitdefender.

He’s developed other free applications for victims, which are available on BleepingComputer.  RansomNoteCleaner removes ransom notes left behind after an infection — eliminating the time-consuming task of removing them manually — and CryptoSearch locates encrypted files and makes it easier to back them up, in the hope that a solution may someday be discovered.  ID Ransomware also cross-references the submitter’s IP address with Shodan, a site that can show a computer’s vulnerabilities.  If it detects an open port, which could have allowed the hackers in, ID Ransomware flags the vulnerability — and, like the notes Gillespie stuck in the high school lockers, suggests fixing it.

Gillespie worked nonstop.  “I felt like I never saw him,” his wife said.  “We would be hanging out in the evening, and he would be like, ‘Oh my gosh, I have to go do this.’ And he would just disappear for hours.”

Volunteers around the world have translated ID Ransomware into two dozen languages, from Swedish to Nepali.  Only 26% of submissions to the site have come from the U.S.  “He collects amazing data because so many people use it,” Abrams said.  “He has tons of information.  You can see statistics, trends, what kinds of attacks are happening and when.  Everyone uses it.”

Those users include law enforcement, on both sides of the Atlantic.  Europol and Netherlands police flattered ID Ransomware by imitation, launching a similar but less comprehensive site.  An FBI agent from the Springfield, Illinois, field office asked to meet Gillespie, and they got together with another agent at a local Panera restaurant.

“The first meeting was nerve-wracking for me because, you know, why does the FBI want to talk to me?” Gillespie recalled.  “I was so awkward at that meeting.  I wasn’t thinking, ‘Am I gonna get arrested.’  But I did have in the back of my mind, ‘Am I gonna say something stupid?’”

The FBI needed help.  Victims often don’t report attacks to the bureau because they don’t want investors or the public to learn of their security lapses.  In 2018, the FBI received only 1,493 reports of ransomware — compared with the 2,000 queries daily to Gillespie’s site from about 750 different IP addresses worldwide.

At first, the agents sought information about the origins of a specific ransomware attack, something Gillespie does not investigate.  Then they began requesting lists of IP addresses that had uploaded files to ID Ransomware, which could help identify victims, as well as ransom notes and other material.  Gillespie, who discloses on the ID Ransomware homepage that email or bitcoin addresses uploaded to the site may be shared with “trusted third parties or law enforcement,” complied.

His assistance appears to have paid off.  Gillespie said agents indicated to him that his information may have been instrumental in last year’s indictment of two Iranian hackers wanted in connection with SamSam ransomware, which paralyzed computer networks across North America and the U.K. between 2015 and 2018.  Although the suspects have not been arrested, it was the U.S. government’s first indictment of cyberattackers for deploying a ransomware scheme.

Gillespie continues to meet regularly with FBI agents.  He tips them off, for instance, when a ransom note or extension on a file uploaded to the site identifies the targeted business.  Cooperation from such victims could help law enforcement learn more about the source of the ransomware, he said.

Some other ransomware hunters are warier of the FBI.  Abrams expressed concern that, despite the ID Ransomware acknowledgment, there could be “repercussions” from victims who might be upset that Gillespie identified them to the bureau.  Gillespie “is a little too trusting” of law enforcement, Abrams said.  “I do think that he’s not very worldly and that he sees things a little more black and white than with a lot of shades of gray.  And I think in that case he could be easily manipulated and taken advantage of.”

In 2017, the FBI awarded Gillespie a Community Leadership Award for his “public service, devotion and assistance to victims of ransomware in the United States and Internationally.”  Gillespie prominently displays the award in his home.  In April 2018, he and his wife flew to Washington for the award ceremony, accompanied by his boss at Nerds on Call.  The joke around the office was that the boss “went with him to try to nerf anybody trying to recruit him,” said Gillespie’s former co-worker, Jacobs.  “He would be very difficult to replace.”

Philosophically opposed to charging victims, Gillespie keeps ID Ransomware free.  He put up a link for donations to help cover the costs of running the site, but he didn’t bother to register it as a nonprofit, which would have enabled donors to deduct gifts from their taxes.  Contributions were scarce.  One $3,000 donation through PayPal proved to be a scam — Gillespie speculated that it may have been revenge by hackers whose ransomware he disabled — and PayPal demanded the money back.  He couldn’t repay it and switched to another service.

Gillespie “doesn’t chase money,” Jacobs said.  “If he were chasing money, he would have been living on the East or West Coast by now and doing something for some company that we’d all heard of instead of a little service provider in the Midwest.  But he’s one of those guys, he operates very heavily on principle.”

To make ends meet, Gillespie supplemented his Nerds on Call salary with a 2 a.m. paper route, delivering the local newspaper on his bike.  While he had enjoyed having a paper route in junior high, the job now depressed him.  But the family bills were mounting, especially for health care.  Morgan Gillespie struggled with diabetes and other medical issues.  Over the years, Michael Gillespie noticed blood in his urine, and in the fall of 2017, his wife finally made him see a doctor.  The physician removed a tumor and diagnosed bladder cancer, which rarely affects young adults.  Gillespie took one day off for surgery and one to recover before returning to work.  He underwent immunotherapy treatment weekly for two months, and the cancer has been in remission since.  Although he was insured through Nerds on Call, the costs for his care still added up.

The couple reached a financial breaking point.  They racked up credit card debt and fell behind on payments on Morgan Gillespie’s Nissan.  They rotated which utility bills they would pay; one month their electricity would be turned off, and the next month it would be gas.  They surrendered the car to the bank, which sold it at a loss at auction and forced them to make up the difference.  Last year, around the time his wife lost her job as a nanny, they missed four mortgage payments on their house and began to receive foreclosure notices, Michael Gillespie said.

Gillespie said he’s considering charging other security researchers for the statistics he gathers on the site, but he will always keep the tools free for victims.  Friends and family members nagged Gillespie to collect fees from ID Ransomware users.  Even his wife’s grandmother, whom Gillespie calls “grammy,” brought it up.  “I try to not interfere in that area,” Rita Blanch said.  “Unless, being silly at times, when I would say to him, ‘Babe, you need to charge, you could, like, be rich.’”

Other relatives “have been like: ‘Why isn’t he charging?  Why isn’t he making money off of this?’” said his wife, who recently found a part-time job as a babysitter.  “They think it’s almost dumb, the fact that he does what he does.  But that was just never what the deal was for us.  He just doesn’t want to take advantage of people who are already being taken advantage of.”

Instead, his fellow ransomware hunters stepped in.  Abrams covered the $400 cost of obtaining a certificate that lets users know they’re downloading from a trustworthy site.  Wosar began donating to ID Ransomware, and his employer, Emsisoft, hired Gillespie part-time this year to create Emsisoft-branded decryptors.  The money enabled the Gillespies to catch up on mortgage payments.

“He’s doing so much, how do you not support him if you can?” Abrams said.

After dinner one summer evening, Gillespie took a visitor to the Normal office of Nerds on Call, one of the company’s three locations in central Illinois, nestled in a strip mall between a check-cashing store and a Great Clips hair salon.  Gillespie, who has worked for Nerds on Call for 11 years, has keys, so he was able to open the office and disable the alarm system.  In the back, behind the retail area, is his desk, adorned with framed photos of his cats.

As his wife’s relatives often remind him, he could earn three times as much somewhere else.  But he’s happy at Nerds on Call, which gives him the freedom to work on ransomware in his downtime.  This year, he figured out fixes for the STOP Djvu ransomware, which was infecting files through pirated software.  Victims — who were unlikely to seek law enforcement assistance since they were committing a crime themselves — continue to press Michael for help unceasingly.  “It’s borderline harassment,” he said.

His frustration with the deluge of entreaties occasionally boiled over in his tweets.  “Everything you could possibly need to know is IN THE FUCKING FAQ, and its in BIG BOLD RED LETTERS,” he once responded.  “I’m losing sleep, losing time at my job, losing fucking sanity at this point.”

Some STOP Djvu victims thanked Gillespie.  Adam Hegedus of Szolnok, Hungary, was surfing the internet on his girlfriend's laptop in August when he disabled the anti-virus and firewall protections.  Ransomware crippled the computer, and a text file demanded $1,000 to restore access.  Hegedus' girlfriend is a teacher, and her lesson plans, thesis and other important documents were encrypted.  Hegedus felt so guilty that he couldn't sleep, and he sought assistance from several forums, including BleepingComputer.com.  This month, Gillespie replied with some good news; he had a decryption key.  Hegedus called his girlfriend, who rushed home and was delighted to be able to use her files again.

"You cannot imagine how grateful I am," Hegedus wrote to Gillespie.  "Everything has been decrypted and this is only because of your hard work." Hegedus offered a donation, but Gillespie declined.

Gillespie hopes that someday his services will no longer be needed, because businesses and people will have learned proper cybersecurity.  “If the world had backups, then we wouldn’t have ransomware,” he said.

In the meantime, he said, he plans to keep plugging away, even as hackers and their enablers pile up profits.  “There’s a time in every IT person’s career where they think, ‘I’m on the wrong side,’” he said.  “You start seeing the dollar amounts that are involved.  But nah, I can’t say that I ever have.  I just don’t care to go that way.”

ProPublica research reporter Doris Burke contributed to this article.

Tuesday, May 21, 2019

WARNING - Automatic Agreement to Web Site Terms

"Soon You May Not Even Have to Click on a Website Contract to Be Bound by Its Terms" by Ian MacDougall, ProPublica 5/20/2019

A private and influential legal group you’ve never heard of is about to vote on what critics call a fundamental rollback of consumer rights.

If you’re like most people, you’ve probably clicked “I agree” on many online contracts without ever reading them.  Soon you may be deemed to have agreed to a company’s terms without even knowing it.  A vote is occurring Tuesday that would make it easier for online businesses to dispense with that click and allow websites that you merely browse — anything from Amazon and AT&T to Yahoo and Zillow — to bind you to contract terms without your agreement or awareness.

As public outcry mounts over companies like Facebook collecting and selling user information, the new proposal would prime courts and legislatures to give businesses even more power to extract data from unwitting consumers.  If the proposal is approved, merely posting a link to a company’s terms of service on a homepage could be enough for the company to conclude that a user has agreed to its policies.  That includes everything from provisions that allow the sale of customer data or grant the right to track visitors to policies that limit consumers’ legal rights by barring them from suing in court or in class actions.  Some courts have already given their blessing to this practice.  But the proposal up for a vote Tuesday is set to make those kinds of business-friendly rulings all the more common.

The proposal has outraged consumer advocates, state attorneys general and other constituencies.  They see it as improperly tilting the scales in favor of business interests.  They argue that the solution is creating clearer, simpler contracts rather than lengthy, confusing ones that are harder to find.  The proposal’s authors counter that they have simply summarized trends in American law.

There’s been little discussion of the impending change in the general public.  That’s because the vote isn’t before Congress, the Supreme Court or a regulatory agency.  It’s before a private association virtually unknown outside legal circles: the more than 4,700 judges, legal scholars and practicing attorneys that constitute the American Law Institute [ALI].  The new proposal was drafted by three law professors affiliated with the organization.

Almost a century old, ALI is about as elite an institution as the United States has to offer.  It counts among its founders two chief justices of the U.S. Supreme Court — one of whom, William Howard Taft, was also the 27th president — and its membership is a who’s who of the American bar.  Speakers at ALI’s annual conclave in Washington this week include Chief Justice John Roberts and former Justice Anthony Kennedy.

For decades, ALI has exerted profound influence over American law and life through the publication of what it calls the “Restatements of the Law.”  The Restatements are, in essence, guidebooks to the common law.  That body of law — created by judicial opinions rather than statutes — plays a central role in governing everything from property rights to contract disputes to who’s liable when accidents happen.  But it’s a messy realm; courts in each state are free to create or put their own spin on common-law rules.  The point of the Restatements is to clarify the common law and impose order on it.

The reputation of the Restatements is such that for decades courts have treated them as something close to an authoritative explanation of what the law is and where it’s heading.  “The ALI is the unofficial College of Cardinals of the U.S. legal profession,” said Adam Levitin, a Georgetown University law professor and ALI member who has helped spearhead opposition to the new Restatement.  “Even though its members are not representatives of the public, once the ALI approves these Restatements, lawyers, arbitrators, judges and justices use them as a handy reference guide to what the law is and should be.”

At the heart of consumer advocates’ objections to the Restatement is a section that substantially weakens in the consumer context a core concept of contract law — that a contract requires a “meeting of the minds,” with each party assenting to its terms.  Instead, the Restatement requires businesses only to give customers notice of the contract terms and an opportunity to review them.

The Restatement provides examples of how little businesses need to do to bind consumers to their terms and conditions.  In one hypothetical, a user simply browsing a website becomes bound by its terms of use because the homepage contains a notice that links to the language and reads, “By continuing past this page, you agree to abide by the Terms of Use for this site.”  In another, a user becomes bound by the website’s terms merely by clicking a “Read More” button to access the full text of a webpage.  (Companies can continue using “I Agree” buttons if they prefer.)

The authors of the Restatement — three professors from Harvard Law School, NYU School of Law and the University of Chicago Law School — contend that courts have reasoned there’s no need for businesses to do more, because nobody reads these contract terms anyway.

Consumer advocates and other critics acknowledge that nobody reads online contracts.  But they argue the proposed cure is worse than the disease.  They say it provides businesses an incentive to bury objectionable terms inside ever-longer and more impenetrable contracts — think Apple’s user agreements — instead of identifying better ways to alert consumers to significant or intrusive contract terms.

“Weakening the requirement of mutual assent is not only contrary to fundamental principles of contract law,” New York State Attorney General Letitia James wrote in a May 14 letter to ALI, “but will encourage a veritable race to the bottom, as market forces will drive businesses — which will know they can bind consumers to all but the most odious terms — to draft standard form contracts with egregiously self-serving terms.”  The letter was signed by 23 other state attorneys general and top consumer protection officials.  All but one are Democrats.

Worse still, critics claim, the proposed Restatement departs from the traditional role of Restatements — to synthesize the law as it is — and doesn’t accurately reflect the state of the law.  Opponents assert that the Restatement’s authors have relied on faulty empirical methods and cherry-picking from case law to reach their preferred rules.  “They’re being a little disingenuous,” Levitin said.  “They claim they’re following what courts are doing, and this is out of their hands.  Except that it all depends on some rather constrained readings of the cases.”

One lawyer who represents financial institutions offers a similar view.  “It’s not a good portrayal of the common law of contracts as it applies to consumers,” said Alan Kaplinsky, an ALI member and partner at the law firm Ballard Spahr.  (The firm has represented ProPublica in the past.“This is more of a document expressing the aspirations of the three reporters — what they would like the law to be rather than what the law actually is.”

ALI and the Restatement’s authors dispute these claims.  They have defended their methodology and say they have followed the traditional approach.  The Restatement doesn’t reflect personal opinion, noted one of the three authors.  “We are not partisans,” said University of Chicago law professor Omri Ben-Shahar.  “We are not anti-consumer or anti-business.  ALI entrusted us to identify patterns in the law as developed in the courts.  We did our best to identify what are the relevant precedents and rules.”  As Ben-Shahar put it, “The grounds for the opposition is that people don’t like the law and hope that either the ALI will try to change the law or not engrave into stone existing law, in the hope that maybe it would change in courts over time, since we’re talking about common law that’s developed by courts.”

Proponents of the Restatement argue that it hews to how courts have responded to the rise of e-commerce.  “The courts (and everyone else) recognize that most don’t read the contracts,” Steven Weise wrote in an email to ProPublica.  Weise is a partner at the law firm Proskauer Rose and a member of the ALI’s governing council.  “But that doesn’t mean that the law should give up — the courts have taken classic rules on contract law and applied them in the changing, online environment.”

The authors also contend that there’s a benefit for consumers: tools that make it easier to sue in court.

But consumer advocates see that as meaningless.  Most consumers don’t litigate contract issues because they can’t afford to, they say.  Consumer goods usually aren’t worth the legal fees, and contracts often include mandatory arbitration clauses or class-action waivers that further deter litigation.

The consumer advocates have found an unexpected ally among some in the business community, who oppose the proposed changes to the rules that apply to consumer lawsuits.  Some companies fear that the stronger legal tools will result in a flood of lawsuits and leave businesses unsure of how to conduct themselves to avoid liability.

The combination of consumer and business opposition has led to a groundswell of critical op-eds, law review articles, posts on legal blogs and letters.  Their goal is to stop the Restatement altogether and leave consumer contracts guidelines as they currently are.

The extent of the opposition makes Tuesday’s vote hard to predict, according to ALI members.

Proponents are confident.  Historically, the broader membership has followed the organization’s governing council, which in this case voted in favor of the Restatement.

Opponents seem pessimistic.  “My hope is they drop it altogether,” said Kaplinsky, who served on ALI’s board of advisers for the consumer contracts Restatement.  “The best the opponents can hope for is that it gets sent back” for revision to the authors and the governing council “and dies a slow death.”

Monday, February 4, 2019

PERSONAL PRIVACY - Microchipping Humans?!

WTF - We already have problem with our personal data and the internet, and now we are looking into a technology that may be abused by government and outlaws?

"Microchipping humans wields great promise, but does it pose greater risk?" PBS NewsHour 1/30/2019

Excerpt

SUMMARY:  An intense debate is underway over the benefits and drawbacks of using microchips, typically relied upon to identify ranch animals and pets, on humans.  Advantages include fast communication of critical patient data to medical teams, seamless payment, and automatically opened doors.  But skeptics warn of dire implications for privacy and ethics.  Special correspondent Malcolm Brabant reports.