October 1, 2017

Legal Robot will publish this report quarterly, the next being on or around January 1st, 2018.

Algorithmic Transparency

On January 12, 2017, Legal Robot publicly committed to implementing principles for Algorithmic Transparency. This is our third report since making that commitment, and we are now publishing self-ratings on our progress toward implementation.

We will make our owners, designers, builders, users, and other stakeholders of analytic systems aware of the possible biases involved in their design, implementation, and use and the potential harm that biases can cause to individuals and society.

In an effort to improve the general awareness around Algorithmic Transparency, our CEO, Dan Rubins, traveled to Washington D.C. to speak at the Association for Computing Machinery’s (ACM) Panel on Algorithmic Transparency. The panel discussed the challenges, opportunities, business value, and societal impacts of algorithms with a diverse and lively crowd of political staffers, lobbyists, academics, and other stakeholders.

Access and Redress

We will adopt mechanisms that enable questioning and redress for individuals and groups that are adversely affected by algorithmically informed decisions.

Most predictions in our app have a button to visualize and examine the details of the result; however, we don’t provide this for basic operations like sentence segmentation, part-of-speech tagging, and other NLP operations that are fairly well understood by the NLP community. Where appropriate, we also include statistical measures like precision, recall, and F1 score, as well as the size, source, and scope of the underlying dataset, and details about the design of the algorithm used for the prediction. Of course, we don’t expect everyone to be able to interpret this technical data, so we also allow anyone to share the results with our team for more explanation.

Also, anyone can ask questions over email to [email protected], even if they are not using Legal Robot. These questions are tracked separately from our normal support requests.

We will demonstrate to our users how decisions are made by the algorithms that they use, even if it is not feasible to explain in detail how the algorithms produce their results.

Many of our processes at Legal Robot use deep neural networks to process language. Neural networks can be very complex, which can make them seem incomprehensible. However, just because an algorithm seems like a black box (and is treated that way by many people using it) does not mean it cannot be explained.

To begin with, we do not use any 3rd party machine learning APIs at Legal Robot. This is mainly so we can control where data processing occurs. Rather than passing sensitive data to a 3rd party as many “AI” companies do, we actually build our own algorithms so we can open up the internals for further analysis and explanation.

We now tag each prediction created by our software with a unique random identifier that can be used to trace back to both the algorithm and the training dataset used for each prediction in order to enable questioning and redress.

We will produce explanations regarding both the procedures followed by the algorithm and the specific decisions that are made.

Some of the techniques we use yield dense vectors (basically a long string of seemingly incomprehensible numbers, like [0.78524 , 0.42504, 0.60494, …]) that we use to teach an algorithm what a particular type of clause looks like (statistically speaking). However, we are working on methods to make these dense vectors more interpretable, much the same way that deep learning techniques can yield semi-interpretable layer visualizations in computer vision. We think these can provide some utility for users to understand what is happening inside the “black box.” We are focusing on these areas over the next few releases and intend to publish our results to the research community.

Data Provenance

We will provide a description of the way in which the training data was collected, along with an exploration of the potential biases induced by the human or algorithmic data-gathering process.

Every model created by Legal Robot is traceable to the specific dataset. Every data point also includes detail on how and why each sample was collected, and the details of any enrichment or manual tagging.

All models, algorithms, training and test data, as well as decisions, will be recorded and kept for a reasonable amount of time so they can be audited in cases where harm is suspected. However, we will not provide sensitive user information, like decisions or other algorithmic output from private legal documents, to anyone but their owner (doing so would violate our privacy policy, terms of service, and ethics).

All of our models, algorithms, and datasets are now versioned and recorded, providing a full audit trail. We have not yet set a policy or provided a mechanism to view or download the audit trail, but are planning to release this feature soon.

Validation and Testing

We will use rigorous methods to validate our models and document those methods and results. In particular, we will explore ways to conduct routine tests to assess and determine whether the model generates discriminatory harm. We will publish a description of the methods and the results of such tests in each quarter's transparency report.

We are working on a structured approach to analyzing bias to capture both known and unknown biases. In addition to this high-level approach, we are investigating lower level techniques like attribution to detect and evaluate bias. This quarter, we started to use automated bias analysis on some of our models, but there is still much work to do by the research community.


In quite possibly one of the most widely damaging security breaches ever, Equifax, a consumer credit reporting agency, seems to have left a server unpatched for months after repeated notification and public disclosure of a serious flaw. It should be no surprise to any programmer that all software has flaws, but it is basic security hygiene to both update software regularly and verify that countermeasures against attackers are effective. We, of course, update our servers regularly and pay attention to all security bulletins. However, human processes are fallible and prone to failure, and we want to learn what we can from Equifax’s failures. So, this quarter, we also added new automated version checking and vulnerability scanning steps to our continuous build process. In simpler terms, all code is now checked for vulnerabilities and outdated versions when we write any new code or refresh any existing infrastructure.

Deloitte’s email system was breached when attackers found an administrator account using only a password and no 2-Factor Authentication (2FA). Again, we should learn from this. At Legal Robot, all of our administrator accounts across all core services (domain, email, databases, registrar, content delivery, etc.) have always required 2FA and often use additional protections as well. However, in our own service, we do not yet provide users or Team administrators with a mechanism to enforce 2FA as a policy for their team members or collaborators. Given the sensitivity of legal documents, we feel that it is important to add this feature to our own product soon.

Security Incidents

  • None

Bug Reports

Starting with the last transparency report, we began publishing statistics on our bug bounty program, links to disclosed bug reports, and detailed incident reports for serious security issues. This quarter saw a huge spike in reports for two reasons:

  1. We deployed new features for hardware-based 2-Factor Authentication and Account Recovery, then asked the hacker community to attack these features. In return, we offered a triple bug bounty for reports involving these features before we deployed them to production. The community responded by submitting dozens of reports on these new features (mostly best practices).
  2. We changed our policy on disclosing bug reports. Instead of requesting public disclosure on just Resolved reports, we began requesting public disclosure on all closed reports, including Informative, Not Applicable, and even Spam reports. In keeping with this new policy, we went back through previously closed reports and requested public disclosure. The increased activity on our bounty program’s disclosure timeline attracted significant attention and resulted in a 69x increase in new reports compared to the previous quarter.

The last report contained a summary of every month of our bug bounty program since inception. However, since this information is available in our archive, we will only publish the most recent two quarters of results going forward.

[Chart: bug reports for the most recent two quarters by state: New, Triaged, Needs More Info, Resolved, Informative, Duplicate, Not Applicable, Spam. Counts not recoverable from the page.]
Public Disclosures

We intend to disclose all reports, once closed. However, we also respect the wishes of security researchers that are working with other organizations to resolve related issues. This quarter, we publicly disclosed the following Resolved reports:

Report | Type | Severity
#249346 - Missing link to 2FA recovery code | Functional issue | None
#230525 - Domain takeover (legalrobot.co.za) | Domain takeover | None
#250457 - User enumeration | Enumeration | Low
#249798 - Intercom chat session information persists after logout | Improper access | Low
#250243 - Users with 2FA can have multiple sessions | Functional issue | None
#249337 - Non-functional 2FA recovery codes | Functional issue | None
#213936 - Token leakage by referrer | Token leakage | Low
#250088 - Account profile shows encryption recovery box for all users | Functional issue | None
#250741 - [New Feature] Password history check | Functional issue | None
#252544 - Token leakage by referrer header & analytics | Token leakage | Low
#251468 - Pages don’t render in old browsers like IE11 | Functional issue | None
#251469 - Meta characters are not filtered into full name on profile page | Functional issue | None
#253448 - [Cross-domain Referer leakage] Password reset token leakage via referer | Token leakage | Low
#251526 - No notification on change password feature | Functional issue | None
#249695 - 2FA Error Handling on Google Authenticator | Error | None
#255021 - Profile shows incorrect account creation date | Functional issue | None
#250082 - Enhancement: email confirmation for 2FA recovery | Enhancement | None
#249339 - Missing link to TOTP manual enroll option | Enhancement | None
#249467 - 2FA user enumeration via login | Enumeration | None
#257207 - Code injection | Code injection | Low
#249431 - 2FA user enumeration via password reset | Enumeration | Low
#259416 - Incorrect email content when disabling 2FA | Functional issue | None
#259415 - Lengthy manual entry of 2FA secret | Functional issue | None
#256649 - Mixed Content over HTTPS | Functional issue | None
#259742 - Incorrect error message | Functional issue | None
#260604 - Update any profile | Improper access | Medium
#260278 - TabNabbing issue (due to target=_blank) | Enhancement | Low
#260632 - Improper validation of parameters while creating issues | Missing validation | Low
#180895 - Password reset access control | Logic issue | None
#213180 - Password reset form ignores email field | Functional issue | None
#255679 - Change password logic inversion | Improper access | Low
#251200 - Missing Issuer parameter on TOTP 2FA | Functional issue | None
#262109 - UX: JS error on Password Safety link | Functional issue | None
#249398 - Password complexity not evenly enforced | Functional issue | None
#250253 - Password complexity ignores empty spaces | Functional issue | None
#260648 - CSP script-src includes “unsafe-inline” | Missing best practice | Low
#260662 - No length limit in invite_code can cause server degradation | Missing best practice | Low
#255474 - Profile fields validation bypass | Functional issue | None
#265775 - Password reset token issue | Functional issue | None
#260468 - First name and last name restrictions bypass | Functional issue | None
#257035 - User enumeration from failed login error message | Enumeration | Low
#266017 - Logic issue in email change process | Improper access | Low
#164648 - Missing access control at password change | Functional issue | None
#267356 - Autocomplete feature | Functional issue | None
#260299 - observer.com URL should be HTTPS | Functional issue | None
#260491 - 2FA manual entry uses wrong encoding | Functional issue | None
#260591 - Futureoflife organization URL should be HTTPS | Functional issue | None
#260316 - Profile fields validation mismatch | Functional issue | None
#260938 - Homograph IDNs displayed in Description | Functional issue | None
#260941 - UX: JS error on Password Safety link | Functional issue | None
#268629 - Failed OutLink on Terms of Service | Functional issue | None
#269288 - External links to be in HTTP | Functional issue | None
#268981 - Missing homograph filter character | Functional issue | None
#260390 - 2FA manual entry uses wrong encoding | Functional issue | None
#255481 - app.legalrobot.com opens FireFox but not in FireFox ESR | Functional issue | None
#255100 - No error or notification on Reset password page | Functional issue | None
#259400 - Issues with Forgot password Error Handling | Functional issue | None
#261285 - Privilege Escalation to Admin-level Account | Privilege Escalation | High

We also publicly disclosed the following reports which were not evaluated to have any security impact.

Report | Disposition
#254895 - SSL BREACH attack (CVE-2013-3587) | Informative
#255041 - LUCKY13 (CVE-2013-0169) affects legalrobot.com | Informative
#216330 - Big XSS vulnerability! | Spam
#250766 - Subdomain misconfiguration [mail.legalrobot.com] | Informative
#254927 - Lack of input validation in e-mail & user name, job title, company name field | Informative
#255020 - Password Reset page Session Fixation | Not Applicable
#260239 - Tampering the mail id on chatbox | Informative
#260689 - Weak Cryptography for Passwords | Informative
#260751 - Change password session fixed | Spam
#263196 - Name can’t be numbers or email | Informative
#262140 - Password Restriction On Change | Informative
#263589 - Email Length Verification | Spam
#255025 - Create Api Key is not working | Informative
#260838 - Special characters are not filtered out on profile fields | Informative
#261817 - Information disclosure | Informative
#178990 - The websocket traffic is not secure enough | Informative
#166231 - CSRF Issue | Informative
#163730 - News Feed Detected | Spam
#263846 - Registration Allows Disposable Email Addresses | Informative
#213767 - Password Policy Bypass | Informative
#264023 - Coding error ! | Duplicate
#263743 - I can’t login to my account | Informative
#264101 - design issue exists on login page | Spam
#260492 - Invalid Email Verification | Informative
#189023 - S3 ACL misconfiguration | Informative
#165542 - clickjacking at http://mailboxes.legalrobot-uat.com/ | Not Applicable
#263681 - Improper error message | Informative
#265619 - No alert in verify email address with wrong input | Informative
#265441 - Error the message with already e-mail | Informative
#265749 - Bypass email verification when register new account | Not Applicable
#263728 - Password Complexity | Not Applicable

Code of Conduct

We require all members of the Legal Robot community to abide by our Code of Conduct. As of the date of this report, we have not received any reports alleging violations of our code of conduct.

Requests for User Information

As of the date of this report, Legal Robot has not received any governmental or civil requests for user information. When we receive a request, we will ensure it is legitimate and not overbroad, and provide advance notice to affected users unless prohibited by a court order, or where we decide delayed notice is appropriate based on our privacy policy. Further information about our legal policies, including helpful information for law enforcement, is available on our legal policies page.

National Security Requests

For more information about what inspired this statement, go to https://www.canarywatch.org.

As of October 1st, 2017:

  • Legal Robot has not received any National Security Letters or any orders under the Foreign Intelligence Surveillance Act.
  • Legal Robot does not have any knowledge of any search orders that have been issued or carried out.
  • We have never placed any backdoors in our software and have not received any requests to do so.

Special note should be taken if this transparency report is not updated by the expected date at the top of the page, or if this section is modified or removed from the page.

The canary scheme is not infallible. Although signing the declaration makes it difficult for a third party to produce this declaration, it does not prevent them from using force or other means, like blackmail or compromising the signers’ laptops, to coerce us to produce false declarations.
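The two checks the paragraphs above ask of readers (has the canary been refreshed on schedule, and are its statements still present, unchanged and signed?) can be automated on a saved copy of the page. The following is an added example, not Legal Robot's code: it looks for the three statements verbatim, compares the "As of" date with the quarterly cadence stated at the top of this report plus an assumed 14-day grace period, and confirms a PGP signature block is present; the sample canary text is constructed here and its signature block is a placeholder, so the cryptographic check still has to be done with gpg --verify against the fingerprint at the foot of the report.

```python
import re
from datetime import date, timedelta

# Constructed sample of the canary section, modelled on the statements in this report.
# The signature block is a placeholder; a real copy carries the PGP signature.
SAMPLE_CANARY = """\
As of October 1st, 2017:

  • Legal Robot has not received any National Security Letters or any orders under the Foreign Intelligence Surveillance Act.
  • Legal Robot does not have any knowledge of any search orders that have been issued or carried out.
  • We have never placed any backdoors in our software and have not received any requests to do so.

-----BEGIN PGP SIGNATURE-----
(placeholder: signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

# Phrases that must appear verbatim; rewording or removal of any of them is a red flag.
REQUIRED_STATEMENTS = (
    "has not received any National Security Letters",
    "does not have any knowledge of any search orders",
    "have never placed any backdoors in our software",
)

MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

def parse_as_of(text):
    """Return the 'As of <Month> <day>(st|nd|rd|th), <year>' date, or None if absent."""
    m = re.search(r"As of (\w+) (\d{1,2})(?:st|nd|rd|th)?,? (\d{4})", text)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))

def check_canary(text, today, max_age_days=92, grace_days=14):
    """Return findings; 'ok' is True only when nothing about the canary is suspicious.
    max_age_days approximates the quarterly cadence; grace_days is an assumed allowance."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {"missing": [s for s in REQUIRED_STATEMENTS if s not in text],
                "as_of": parse_as_of(text),
                "signed": ("-----BEGIN PGP SIGNATURE-----" in text
                           and "-----END PGP SIGNATURE-----" in text)}
    if findings["as_of"] is None:
        findings["stale"] = True  # no parseable date: treat as not refreshed
    else:
        deadline = findings["as_of"] + timedelta(days=max_age_days + grace_days)
        findings["stale"] = today > deadline
    findings["ok"] = (not findings["missing"] and findings["signed"]
                      and not findings["stale"])
    return findings
```

Run this against each fetched copy of the page; a result with "stale" set, a non-empty "missing" list, or "signed" False is the signal the report asks readers to watch for.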

Requests for Removal

Legal Robot has not received any “take down” notices or other removal requests under the Digital Millennium Copyright Act (“DMCA”) or any other regulation like Article 12 of Directive 95/46/EC, or the newer Article 17 of the General Data Protection Regulation (“GDPR”), commonly known as the “right to be forgotten”.

Proof of Freshness

The news quotes below show this report could not have been created prior to October 1st, 2017.

  • BBC: Catalan referendum: Catalonia has ‘won right to statehood’
  • NY Times: White House Memo: Trump Rates His Hurricane Relief: ‘Great.’ ‘Amazing.’ ‘Tremendous.’
  • Reuters: U.S. lawmakers urge Trump to ‘get to work’ on Puerto Rico
  • Washington Post: Defending Trump, Geraldo Rivera debates the meaning of ‘dying’ with San Juan’s mayor


Signed by Dan Rubins / Fingerprint 98D0 F6F0 305E F378 / Text format for verification