Saturday, May 07, 2016

MIRLN --- 17 April – 7 May 2016 (v19.07)

MIRLN --- 17 April - 7 May 2016 (v19.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

Target's cyber insurance: a $100 million policy vs. $300 million (so far) in costs (Patterson Belknap, 7 April 2016) - When it comes to buying cyber insurance, businesses can take comfort that they have mitigated the financial risks that come with a data breach. Just not all of them. Target Corporation's high-profile hack is a case in point. In a securities filing last week, Target said costs associated with its 2013 holiday season data breach - which exposed the personal information of more than 100 million customers - are approaching $300 million. As of January 2016, Target has incurred $291 million in breach-related costs including legal fees, crisis communications and forensics costs. Of that amount, less than one-third or about $90 million is expected to be covered by cyber insurance. At the time of the breach, Target had $100 million in cyber insurance coverage from multiple underwriters, on top of a $10 million deductible. According to its public filings, Target's cyber insurance policy contained a $50 million sublimit for settlements with payment card networks. In 2015, Target entered into settlement agreements with all four of its major credit card providers, which are in various stages of court approval. Visa, for example, cut a $67 million deal with Target. MasterCard later entered into a $19 million settlement. But Target hasn't disclosed whether its settlements with the credit card companies will come from a portion of the cyber insurance, subject to the sublimit, or if those settlements will be funded by other sources (such as its corporate general liability policy or from its operations). And the financial pain isn't close to over. Although Target has resolved many of the more than 100 lawsuits filed after the breach, it still faces several shareholder class action lawsuits, a separate lawsuit filed in Canada and ongoing investigations by State Attorneys General and the U.S. Federal Trade Commission. Several industry analysts forecast that Target's breach-related losses will reach $1 billion. After disclosure of the breach in early 2014, Target's profit was cut in half - down 46 percent over the same period the year before.

- and -

Federal appeals court holds data breach class action triggers insurer's duty to defend under general liability policy (Holland & Hart, 15 April 2016) - A federal court of appeals held that general insurance policies cover a data breach class action in a case that is highly likely to impact how courts throughout the country resolve insurance claims related to cyberattacks and policy renewal negotiations. On April 11, 2016, the United States Court of Appeals for the Fourth Circuit upheld a trial court's finding that Travelers Indemnity Company of America is required to defend Portal Healthcare Solutions, LLC in a class action filed in New York. In the original case, two plaintiffs filed a class action alleging that Portal failed to safeguard their confidential medical records when they were made publicly accessible on the internet. Travelers filed a separate action seeking a declaratory judgment that it was not required to defend Portal. Travelers argued that the class representatives had not alleged that Portal had "published," given "undue publicity," or "disclosed" the plaintiffs' information to any third party, to trigger coverage under the policies. Applying Virginia law, the trial court disagreed, finding that it was required to follow the "Eight Corners Rule" by looking to the four corners of the class action complaint to determine whether it alleged grounds for liability "potentially or arguably covered" by the four corners of the insurance policies. The trial court concluded that since the policies did not define the operative terms "publication," "unreasonable publicity," or "disclose," those terms would be given their plain and ordinary meaning. Citing common dictionaries, the court found that the tort alleged in the class action - i.e., exposing the plaintiffs' medical records online - constituted publication, unreasonable publicity, and disclosure of the medical records even if the only individuals who actually saw the records were the plaintiffs. Thus, the court concluded, Travelers was required to provide a defense to Portal. The Fourth Circuit upheld the trial court's ruling, holding that the trial court correctly applied the Eight Corners Rule, particularly because "under Virginia law, an insurer's duty to defend an insured is broader than its obligation to pay or indemnify an insured" and that "the insurer must use language clear enough to avoid ambiguity if there are particular types of coverage that it does not want to provide." Although the Fourth Circuit was interpreting Virginia law, most jurisdictions throughout the United States - including Utah - apply the Eight Corners Rule and, even where the rule is articulated differently, as in Colorado, courts universally hold that insurance companies have a broad duty to defend. The ruling has significant implications for claims under existing or prior policies. First, companies that are or have been the target of cyberattacks likely have a strong claim that their existing general insurance policies cover any ensuing litigation related to the cyberattacks. Because a company may not discover that it was the target of a cyberattack until months or years afterwards, insurance companies will likely have to cover significant claims covered by current or prior policies for years to come. [ See also Do you need cyber insurance or will your CGL policy be enough? (Womble Carlyle, 25 April 2016)]

Santa Clara County: High-tech police spying rules take shape (Mercury News, 18 April 2016) - Santa Clara County officials are poised to approve sweeping rules governing police use of cell phone trackers and other spying technology that advocates say will be a model for the nation but that cops worry could hamper investigations. "Santa Clara County is asking and answering the right questions," said Nicole Ozer of the ACLU's Northern California chapter. "It's going to be a model for moving forward for other cities and counties." But the sheriff's and district attorney's offices have both said that the ordinance could prove cumbersome because of the need to report on what's being done in the field with surveillance technology. County Supervisor Joe Simitian's proposal for an electronic surveillance ordinance has been in the works since late 2014. Such privacy concerns have garnered greater scrutiny in Santa Clara County since then because of the sheriff's plan, since suspended, to quietly acquire a cellphone tracking device commonly called a Stingray. Similar conflicts over police spying and privacy have arisen numerous times locally and around the nation. Examples include the San Jose Police Department's acquisition of a drone, the use and retention of information captured on license plate readers and the creation of a "Domain Awareness Center" electronic information aggregation hub in Oakland. * * * Simitian's ordinance, which is being finalized and expected to go before the full board sometime in May, goes much further and mandates that government agencies publicly establish a policy before any new surveillance technology is acquired or used. It also requires annual reports on how the technology is used and what the results have been. What makes it different from other ordinances around the nation is that rather than target named gadgets, the language encompasses any surveillance-related technology, including what can't be foreseen. Simitian has called it "future-proof."

New data: Americans are abandoning wired home internet (WaPo, 18 April 2016) - For the most part, America's Internet-usage trends can be summed up in a few phrases. The Internet is now so common as to be a commodity; the rich have better Internet than the poor; more whites have Internet than do people of color ; and, compared with low-income minorities, affluent whites are more likely to have fixed, wired Internet connections to their homes. But it may be time to put an asterisk on that last point, according to new data on a sample of 53,000 Americans. In fact, Americans as a whole are becoming less likely to have residential broadband, the figures show: They're abandoning their wired Internet for a mobile-data-only diet - and if the trend continues, it could reflect a huge shift in the way we experience the Web. The study, which was conducted for the Commerce Department by the U.S. Census Bureau, partly reaffirms what we already knew. Low-income Americans are still one of the biggest demographics to rely solely on their phones to go online. Today, nearly one-third of households earning less than $25,000 a year exclusively use mobile Internet to browse the Web. That's up from 16 percent of households falling in that category in 2013. And they're often cited as evidence of a major digital divide; struggling families with little money to afford a home Internet subscription must resort to free public WiFi at libraries and even McDonald's to do homework, look for jobs and find information. But as the chart above shows, even people with higher incomes are ditching their wired Internet access at similar or even faster rates compared with people who don't earn as much. In 2013, 8 percent of households making $50,000 to $75,000 a year were mobile-only. Fast-forward a couple of years, and that figure now stands at 18 percent. Seventeen percent of households making $75,000 to $100,000 are mobile-only now, compared with 8 percent two years ago. And 15 percent of households earning more than $100,000 are mobile-only, vs. 6 percent in 2013.

9 years prison, $1.7 million fine for malicious law firm insider (Dark Reading, 18 April 2016) - A former IT engineer for a Dallas law firm was sentenced to 115 months in prison and ordered to pay $1.697 million in restitution for a destructive computer attack he committed against his former employer in 2011. The sentencing comes in the wake of a flurry of attacks on law firms and the highly publicized leak at Panamanian law firm Mossack Fonseca . Anastasio N. Laoutaris, 41, of Spring, Texas, was an IT engineer for Locke Lord LLP from 2006 to August 2011. On Dec.1 and Dec. 5, 2011, four months after his employment there ended, Laoutaris accessed Locke Lord's systems without authorization and according to court documents, issued commands that caused "significant damage" to the network, "including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts." Laoutaris was convicted of two counts of intentionally accessing a computer network without authorization and intentionally issuing commands and codes that caused damage to the network.

State data breach notification laws just got crazier (Law Technology Today, 19 April 2016) - * * * Tennessee recently added even more complexity to these complicated, confusing and outright contradictory state requirements. Effective July 1, 2016, the Tennessee definition of what constitutes a "breach of the security of the system" that triggers notice includes not only the loss of unencrypted data but encrypted data as well (if that data includes personally identifiable information of Tennesseans). Tennessee is the first state in the country to eliminate a safe harbor from data breach notice obligations where the breach involves encrypted data. All the other states with data breach notification statutes specifically provide this safe harbor from notice for encrypted data. The Tennessee action is all the more amazing given that encryption of personal data is a data security best practice, particularly for data in transit and is the current state of the art. * * * On its face, the Tennessee law still provides that a notice of a breach requires that the unauthorized access of data "materially compromise the security, confidentiality or integrity of personal information" and that notice is required where personal information is "reasonably believed to have been acquired". In doing so, Tennessee's law is consistent with that of some 41 other states all of whom provide a safe harbor for encrypted data. Under these "risk of harm analysis" statutes, its indeed possible to argue that where the data is encrypted, then there is no such material compromise and no reasonable belief that personal information has been acquired. But in Tennessee at least, the burden of showing these criteria are met is now higher since losing encrypted data is no longer per se exempt from notice requirements. * * *

Lawyers accused of Facebook spying can face ethics complaint, state high court rules (WSJ, 19 April 2016) - New Jersey's highest court ruled Tuesday that two defense lawyers accused of spying on a plaintiff's Facebook page can be prosecuted for attorney misconduct. The case dealt with what the court described as a "novel ethical issue." Two defense attorneys in New Jersey are accused of snooping on the private Facebook account of a plaintiff suing their client. The Facebook account was at first publicly viewable. But after the plaintiff tightened the settings and put his profile page behind a privacy wall, the lawyers didn't stop monitoring it. A paralegal at their firm was able to get access by sending a Facebook friend request to the plaintiffs without revealing her employer. The New Jersey Supreme Court wasn't deciding if the two lawyers violated ethics or should face sanction. The court was ruling on whether the head of the state's attorney disciplinary body could prosecute the lawyers for alleged Facebook spying after a regional disciplinary body chose to drop the case. The local body didn't think the lawyers' actions, even if proven, constituted unethical conduct. The director of the New Jersey Office of Attorney Ethics, an arm of the state judiciary, disagreed and filed a complaint against the defense attorneys. The state's high court Tuesday unanimously ruled that the misconduct case could go forward. ( You can read the opinion here .) * * * Bar association guidelines have discouraged lawyers from monitoring personal profile pages of jurors, witnesses and opposing parties if access to the content requires special permission.

Federal judge rules FBI didn't have proper warrant to hack child porn site (TechCrunch, 20 April 2016) - A federal judge ruled today that the FBI did not obtain the proper warrant before hacking a child porn website and that the evidence it collected against one of the defendants, Alex Levin, must be suppressed. The case centers on a child porn site called Playpen, which was hosted on a hidden Tor service intended to conceal users' identities. The FBI seized the site's server in February of last year, but instead of shutting it down, the agency continued to run the site on its own server for several weeks. During that period, the FBI implemented its own hacking tool, referred to as a network investigative technique (NIT), to collect the IP addresses of visitors to the site. The FBI is thought to have obtained thousands of IP addresses during the investigation. One of the IP addresses allegedly belonged to Levin, a Massachusetts man who is charged with possession of child pornography. Levin's public defender successfully argued that the warrant the FBI used to authorize the NIT was not valid because it was issued by a magistrate judge in Virginia, and Levin's computer - located at his home in Massachusetts - was outside that judge's jurisdiction. In today's ruling, Judge William G. Young said that the evidence against Levin, including "eight media files allegedly containing child pornography," must be suppressed. "The court concludes that the NIT Warrant was issued without jurisdiction and thus was void," Young wrote. "It follows that the resulting search was conducted as though there were no warrant at all." Young also expressed skepticism at the ethics of the FBI running a child porn site. "Unlike those undercover stings where the government buys contraband drugs to catch the dealers, here the government disseminated child obscenity to catch the purchasers - something akin to the government itself selling drugs to make the sting," he wrote. [ Polley : Recent USSC proposed changes to FRCrimPro Rule 41 reportedly would change this outcome. See , following two stories.]

- and -

Privacy watchdogs vow to fight 'dystopian' Rule 41 (Kaspersky's ThreatPost, 2 May 2016) - The Supreme Court is moving to expand the FBI's hacking authority with Criminal Rule 41, an amendment to federal criminal procedures that makes it easier for the FBI to access computers remotely when their locations are unknown. Privacy watchdogs are blasting the proposed change saying it would allow the government to hack into phones and seize computers remotely. The change was issued by the Supreme Court last week and now heads to Congress, which has until Dec. 1 to either block or pass the provision. The controversial Rule 41 attempts to make it easier for law enforcement to track down cyber criminals who use tools such as Tor, botnets or malware to mask their true location. Rule 41 allows law enforcement to request from judges a warrant that permits the use of remote access tools "to search electronic storage media and to seize or copy electronically stored information located within or outside that district." Typically, a judge's authority to authorize search warrants is limited by his or her jurisdiction. Rule 41 allows judges to issue a search warrant across state lines to penetrate computers outside their jurisdiction or even outside the U.S. EFF along with privacy advocates Access Now are both fighting Rule 41 and submitted joint testimony to the Advisory Committee on Criminal Rules. * * * Rule 41 goes too far, according to Senator Ron Wyden, a Democrat from Oregon. In a statement issued last week he said, "Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime." Wyden plans to introduce legislation to reverse the Rule 41 amendment.

- and -

TOR and VPN users will be target of government hacks under new spying rule (TechWorm, 2 May 2016) - * * * The new rule will affect millions of Tor and VPn users. Many Facebook users are already preferring Tor to surf FB. As of April, over one million people use Tor just to browse Facebook, the social media giant noted in a blog post. Rule 41, in its current form, stipulates that magistrate judges can only authorize searches within their own jurisdiction. The amendment would allow them to issue warrants to hack into and seize information on a computer if its location has been "concealed through technical means." Absence of opposition to the rule could mean that we have a subversive spying campaign against Tor and VPN users around the world without even the user knowing it.

How M&A activity can open the door to cyber threats (Security Week, 21 April 2016) - Mergers and acquisitions (M&A) can be exciting, offering companies a significant platform for growth. According to the Deloitte M&A Index 2016, global M&A activity reached record-breaking deal values in 2015 at over $4 trillion, with the resulting deals expected to add $1.5 to $1.9 trillion in value to these companies. But while mergers and acquisitions propel companies forward, the M&A process also fuels significant opportunities for cyber criminals. Failure to secure sensitive information during this time opens the door to threat actors looking to profit by exploiting financial markets and proprietary intellectual property (IP). Understanding the cyber risks present along the M&A process is the first step toward mitigating the risk. While each process will have its own nuances, all tend to follow five general stages. Along each stage new risks emerge and advanced attackers, well-versed in corporate espionage techniques, stand to profit. Here's a brief look at each of the stages and the types of risks and possible degradations in security posture that may occur. * * *

- and -

Cybersecurity is an enterprise risk in M&A deals (BNA, 25 April 2016) - Companies involved in a merger or acquisition must be cognizant of cybersecurity risks or face possible grave financial and reputational harm, privacy attorneys told Bloomberg BNA. To avoid potential pitfalls, companies on both sides of the deal need to pay close attention to insider threats and cybersecurity risks involved in the due diligence process. Merging companies must also prepare for the potential hazards incorporating new technology into an existing company. Ultimately the acquiring company needs to appropriate the necessary level of cybersecurity threat prevention spending. Cybersecurity issues in a deal are "calibrated to the nature of the business being acquired, such as whether the target has confidential materials and personally identifiable information," Jeffrey P. Cunard of Debevoise & Plimpton's Cybersecurity & Data Privacy practice, in Washington, said. * * * [ Polley : The ABA's Cyberspace Law Committee, at invitation from DHS, is working on a best-practices guide for cybersecurity considerations in M&A transactions. For more info, email me.]

Court: Border search warrant exception beats Riley in the 'constitution-free zone' (TechCrunch, 22 April 2016) - The Supreme Court declared in 2014 that law enforcement could no longer perform searches of cellphones incident to arrest without a warrant. The exceptions to this ruling are making themselves apparent already. The area of the United States where the Constitution does not apply -- while still being fully within the borders of the US -- apparently exempts law enforcement from following this ruling in regards to cellphone searches. The Southern District of California has come to the conclusion that border searches are not Fourth Amendment searches and that the government has no need to seek a warrant before searching a cellphone. The court notes the Riley decision says one thing but the "border exception" says another: Heading in one direction is the Supreme Court's bright line rule in Riley: law enforcement officers must obtain a warrant to search a cell phone incident to an arrest. Heading on a different course is the border search exception. The border search exception describes an exception to general Fourth Amendment principles. It is the notion that the government may search without a warrant anyone and anything coming across its border to protect its national sovereignty. Balancing the two competing interests in this case, the court ultimately finds the government's national security interest outweighs citizens' privacy interests. As it weighs this against cases dealing with more elaborate and lengthy device searches at the border, the court basically finds that if the Fourth Amendment is violated by "cursory" searches of devices, it is only violated a little.

Startup plans to rate lawyers based on court records and win-loss stats (Robert Ambrogi, 25 April 2016) - Two Harvard University undergraduates are preparing to launch a website that will rate lawyers based on publicly available court records. The site, called Legalist , will mine and analyze court records in order to match clients with lawyers who win similar cases based on details and location. It will also profile litigators' win-loss records. The site is currently in beta testing and its developers hope to launch it in late summer or early fall. The testing phase is using only Massachusetts cases and the initial launch will start with Massachusetts lawyers. The developers plan to then begin rolling out the service to other states, beginning with the most-populous ones. * * *

LexisNexis unveils visualization map feature for case law research (Robert Ambrogi, 27 April 2016) - A new visualization tool for case law research in Lexis Advance is being announced today by LexisNexis Legal & Professional . Called Search Term Maps, the tool color codes and maps your search terms so that you can more easily assess the significance of a case and navigate to key passages. Search Term Maps is being rolled out now in limited release and will be added as core functionality to all Lexis Advance accounts later this summer, LexisNexis said. The new tool places a Search Term Location Bar at the top of every case and also within each item in your search results. It also color-codes each of up to five search terms. The location bar shows where in the case each of the color-coded terms appears. This lets you quickly see where terms appear, how often they appear and where terms are clustered within the case.

Verizon's 2016 Data Breach Investigations Report released (Ride the Lightning, 27 April 2016) - Verizon's 2016 Data Breach Investigations Report has been released and may be downloaded here . I will take time to read the entire report, but Dark Reading reported yesterday that legitimate user credentials were used in most data breaches, with 63% of them using weak, default or stolen passwords. Marc Spitler, senior manager at Verizon Security Research, and co-author of the report, found the high percentage startling. Stolen credentials topped the list of threat action types among attacks that used legitimate credentials, followed by malware, phishing and keyloggers. The report draws from more than 100,000 security incidents worldwide in 2015, 3,141 of which were actual data breaches.

The government wants your fingerprint to unlock your phone. Should that be allowed? (LA Times, 30 April 2016) - As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone , federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it. It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The U.S. Supreme Court has held that police can search phones with a valid warrant and compel a person in custody to provide physical evidence such as fingerprints without a judge's permission. But some legal experts say there should be a higher bar for biometric data because providing a fingerprint to open a digital device gives the state access to a vast trove of personal information and could be a form of self-incrimination. "It isn't about fingerprints and the biometric readers," said Susan Brenner, a law professor at the University of Dayton who studies the nexus of digital technology and criminal law, but rather, "the contents of that phone, much of which will be about her, and a lot of that could be incriminating." But Albert Gidari, the director of privacy at Stanford Law School's Center for Internet and Society, said the action might not violate the 5th Amendment prohibition of self-incrimination. "Unlike disclosing passcodes, you are not compelled to speak or say what's 'in your mind' to law enforcement," Gidari said. "'Put your finger here' is not testimonial or self-incriminating." [ Polley : The law here has been pretty settled, but Prof. Brenner makes a good point; maybe the law here shouldn't be so settled. See also 2.5-year-old article Apple's fingerprint id may mean you can't 'take the Fifth' (Marcia Hofmann in Wired, 12 Sept 2013)]

Introducing TACC (InsideHigherEd, 2 May 2016) - It is with pleasure that I introduce a unique, new information management and cybersecurity program hosted by the University of Massachusetts Amherst: Trust, Assurance and Cybersecurity Certificate Program ! As a bona fide academic program consisting of four courses and 15 credits, it is unique because it occupies a space between matriculated degree programs in cybersecurity and non-academic "little c" certificates such as CISSP or SANS. It is also much more than cybersecurity. Trust and assurance speak to Internet governance, law, policy, regulatory compliance, information privacy and security management. Hence the name, and acronym, TACC. TACC is designed to fill gaps in the academic understanding and working practice of information risk management. Long recognized as a moving target, information management has remained for over a decade in the top tier of IT issues for higher education … and for corporate American writ large. Intervening issues such as the Apple iPhone case for electronic surveillance or GAFE for consumer and enterprise privacy, for example, intersect with the requirements for sound privacy and security practices in formation of cloud computing contracts. In a world without global Internet governance, cybersecurity remains a paramount challenge. The course work for TACC touches on all of these issues as well as in the implementation of risk assessment and operational policy, technical cybersecurity and information management programs in a corporate environment - including profit and not-for-profit institutions, education and government.

Rethinking knowledge in the internet age (David Weinberger writing on LARB, 2 May 2016) - The internet started out as the Information Highway, the Great Emancipator of knowledge, and as an assured tool for generating a well-informed citizenry. But, over the past 15 years, that optimism has given way to cynicism and fear - we have taught our children that the net is a swamp of lies spun by idiots and true believers, and, worse still, polluted by commercial entities whose sole aim is to have us click to the next ad-riddled page. Perhaps our attitude to the net has changed because we now see how bad it is for knowledge. Or perhaps the net has so utterly transformed knowledge that we don't recognize knowledge when we see it. For philosopher Michael P. Lynch, our fears are warranted - the internet is a wrong turn in the history of knowledge. "Information technology," Professor Lynch argues in his new book, The Internet of Us , "while expanding our ability to know in one way, is actually impeding our ability to know in other, more complex ways." He pursues his argument with commendable seriousness, clarity, and attunement to historical context - and yet he misses where knowledge actually lives on the net, focusing instead on just one aspect of the phenomenon of knowledge. * * * [ Polley : interesting and thoughtful.]

The Australian government decides it's really into Bitcoin (Mashable, 3 May 2016) - Is it because the creator of Bitcoin could, just maybe, be an Aussie ? The day after the mysterious Craig Wright told news outlets he was the father of Bitcoin, which many people continue to very much doubt , the Australian government included a number of crypto-currency-friendly measures in its 2016 budget. Tuesday night local time, the government repeated its proposal, first announced by Treasurer Scott Morrison in March, to end the double taxation of Bitcoin in Australia. The Australian Taxation Office currently treats Bitcoin as a commodity rather than a currency, meaning both the Bitcoin transaction and the goods purchased are liable for a 10% Goods and Services Tax (GST). In its budget, the government also flagged that Data61, the data innovation arm of Australia's peak science body, the CSIRO, would investigate the possible use of the blockchain in the public and private sector. A number of Australian banks have already indicated their interest in the technology.

Long-form reading shows signs of life in our mobile news world (Pew Research, 5 May 2016) - In recent years, the news media have followed their audience's lead and gone mobile, working to make their reporting accessible to the roughly seven-in-ten American adults who own a smartphone. With both a smaller screen size and an audience more apt to be dipping in and out of news, many question what kind of news content will prevail. One particular area of uncertainty has been the fate of long, in-depth news reports that have been a staple of the mainstream print media in its previous forms. These articles - enabled by the substantial space allotted them - allow consumers to engage with complex subjects in more detail and allow journalists to bring in more sources, consider more points of view, add historical context and cover events too complex to tell in limited words. A unique, new study of online reader behavior by Pew Research Center, conducted in association with the John S. and James L. Knight Foundation, addresses this question from the angle of time spent with long- versus short-form news. It suggests the answer is yes: When it comes to the relative time consumers spend with this content, long-form journalism does have a place in today's mobile-centric society. To understand how mobile users interact with news, the study utilized audience behavior metrics provided by the web analytics firm Parse.ly , a company that supplies real-time and historical analytics to a broad mix of digital publishers, including over 170 top media companies. The analysis finds that despite the small screen space and multitasking often associated with cellphones , consumers do spend more time on average with long-form news articles than with short-form. Indeed, the total engaged time with articles 1,000 words or longer averages about twice that of the engaged time with short-form stories: 123 seconds compared with 57. This gap between short- and long-form content in engaged time remains consistent across time of day and the pathway taken to get to the news story. However, when looking solely within either short- or long-form content, engaged time varies significantly depending on how the reader got to the article, whether it is midday or evening, and even what topic the article covers, according to the study. * * *

RESOURCES

Simonson on the right to record the police (MLPB, 15 April 2016) - Jocelyn Simonson, Brooklyn Law School, is publishing Beyond Body Cameras: Defending a Robust Right to Record the Police in volume 104 of the Georgetown Law School (2016). Here is the abstract: This symposium essay articulates and defends a robust First Amendment right to record the police, up to the point that the act of filming presents a concrete, physical impediment to a police officer or to public safety. To the extent that courts have identified the constitutional values behind the right to record, they have for the most part relied on the idea that filming the police promotes public discourse by facilitating the free discussion of governmental affairs. Like limiting the gathering of news, limiting the filming of the police constricts the information in the public sphere from which the public can draw and debate. I contend that this account of the constitutional values behind the right to record is correct but incomplete, for it sets aside the ways in which the act of recording an officer in the open is a form of expression in the moment, a gesture of resistance to the power of the police over the community. In order to flesh out this function of civilian recording as resistance, this essay contrasts civilian filming of the police with the use of police-worn body cameras: while both forms of film are useful to deter misconduct and document police activity, only civilian filming allows civilians to express ownership over their streets and neighborhoods. Ultimately, I argue that a jurisprudence of the right to record should account for both the benefits to public discourse and the in-the-moment communication to officers that can be found when civilians record the police.

CRS - Protection of Trade Secrets: Overview of Current Law and Legislation (BeSpacific, 25 April 2016) - Protection of Trade Secrets: Overview of Current Law and Legislation, Brian T. Yeh, Legislative Attorney. April 22, 2016.

Copyright Holders, Publicity Rights Holders, and the First Amendment (MLPB, 28 April 2016) - Reid K. Weisbord, Rutgers Law School (Newark), is publishing A Copyright Right of Publicity in volume 84 of the Fordham Law Review (2016). Here is the abstract: This Article identifies a striking asymmetry in the law's disparate treatment of publicity-rights holders and copyright holders. State-law publicity rights generally protect individuals from unauthorized use of their name and likeness by others. Publicity-claim liability, however, is limited by the First Amendment's protection for expressive speech embodying a "transformative use" of the publicity-rights holder's identity. This Article examines for the first time a further limitation imposed by copyright law: when a publicity-rights holder's identity is transformatively depicted in a copyrighted work without consent, the author's copyright can produce the peculiar result of enjoining the publicity-rights holder from using or engaging in speech about her own depiction. This Article offers novel contributions to the literature on copyright overreach and: (1) identifies a legal asymmetry produced in the interplay of publicity rights, copyright law, and the First Amendment; (2) examines the burdens on constitutionally protected speech, autonomy, and liberty interests of publicity-rights holders when copyright law prevents or constrains use of their own depiction; and (3) outlines a framework for recognizing a "copyright right of publicity" to exempt the publicity-rights holder's use from copyright infringement liability. Notably, this Article contributes uniquely to the literature by including a special first-person narrative from an internationally recognized celebrity whose persona was prominently depicted without prior notice or consent in a wide-release feature film.

The Fourth Amendment in the Information Age (by ODNI's GC, Bob Litt; 28 April 2016) - Office of the Director of National Intelligence General Counsel Robert Litt has published a new essay in The Yale Law Journal that will likely be of interest to Lawfare readers. Entitled "The Fourth Amendment in the Information Age" , it begins: To badly mangle Marx, a specter is haunting Fourth Amendment law-the specter of technological change. In a number of recent cases, in a number of different contexts, courts have questioned whether existing Fourth Amendment doctrine, developed in an analog age, is able to deal effectively with digital technologies. Justice Sotomayor, for example, wrote in her concurrence in United States v. Jones, a case involving a GPS tracking device placed on a car, that "the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties . . . is ill suited to the digital age." And in Riley v. California, the Chief Justice more colorfully rejected the government's argument that a search of a cell phone was equivalent to a search of a wallet. That is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together. Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. I intend to discuss the application of the Fourth Amendment in the information age, and I want to start with two important caveats. First, I am not proposing a comprehensive theory of Fourth Amendment law. Rather, I want to offer some tentative observations that might be explored in shaping a productive response to the challenges that modern technology creates for existing legal doctrine. In particular, I would like to suggest that the concept of "reasonable expectation of privacy" as a kind of gatekeeper for Fourth Amendment analysis should be revisited. Second, these thoughts are not informed by deep research into the intent of the Framers, or close analysis of case law or academic scholarship. Rather, they derive from almost forty years of experience in law enforcement and intelligence. But, despite Justice Oliver Wendell Holmes's adage about the life of the law, I hope that they have some foundation in logic as well.

The Post-Riley Search Warrant: Search Protocols and Particularity in Cell Phone Searches (Adam Gershowitz in Vanderbilt Law Review, 19 April 2016) - Abstract: Last year, in Riley v. California, the Supreme Court required police to procure a warrant before searching a cell phone. Unfortunately, the Court's assumption that requiring search warrants would be "simple" and very protective of privacy was overly optimistic. This article reviews lower court decisions in the year since Riley and finds that the search warrant requirement is far less protective than expected. Rather than restricting search warrants to the narrow evidence being sought, some magistrates have issued expansive warrants authorizing a search of the entire contents of the phone with no restrictions whatsoever. Other courts have authorized searches of applications and data for which no probable cause existed. And even when district and appellate courts have found these overbroad search warrants to be defective, they have almost always turned to the good faith exception to save the searches and allow admission of the evidence. This Article calls on courts to take the Fourth Amendment's particularity requirement seriously before issuing search warrants for cell phones. Just as magistrates cannot authorize police to search for a fifty-inch television in a microwave, nor should officers be permitted to rummage through all of the files on a cell phone when a narrower search will suffice. In order to effectuate the privacy guarantee in Riley, this Article proposes two approaches to narrow cell phone search warrants. First, I argue that judges should impose search protocols that specify in advance exactly how police should execute warrants and sift through electronic data. Second, this Article challenges the common assumption that all cell phone searches require full forensic analysis. In many cases involving street crimes, magistrates should initially restrict warrants to a manual search of the particular functions or applications for which there is probable cause. These two ex ante restrictions on cell phone searches will protect privacy and prevent overuse of the good faith exception, while still permitting police to examine all data they have probable cause to investigate.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs

United States Supreme Court approves electronic discovery amendments to FRCP (April 14, 2006) -- On Wednesday, April 12, 2006, the United States Supreme Court approved, without comment or dissent, the entire package of proposed amendments to the Federal Rules of Civil Procedure concerning the discovery of "electronically stored information." The package includes revisions and additions to Rules 16, 26, 33, 34, 37, and 45, as well as Form 35. The proposed amendments were transmitted to the Supreme Court last September, after the Judicial Conference unanimously approved them. The new rules and amendments have now been transmitted to Congress and will take effect on December 1, 2006, unless Congress enacts legislation to reject, modify, or defer the amendments. The amendments may be accessed on the U.S. Court's Federal Rulemaking website at: http://www.uscourts.gov/rules/newrules6.html#cv0804 [ Polley in 2016 : It's priceless that this USSC URL is broken]

Yellow Pages publisher feeling the heat from online alternative (ARS Technica, 7 July 2006) -- Sooner or later, all "old media" companies find themselves threatened by a site or phenomenon on the Internet. We've seen it happen with the music industry, TV, newspapers, and many others. Sometimes, it takes a while for the old guard to discover what's happening-that appears to be the case with Yell, which calls itself the world's largest yellow pages publisher. The problem-from Yell's point of view-is Yellowikis, a wiki-based business directory available in several languages and containing listings for several different countries. The directory publisher is accusing Yellowikis of "misrepresentation," maintaining that the site's name "constitutes an 'instrument of fraud.'" At first glance, it seems like a case of an elephant feeling threatened by a gnat. Yellowikis has only been operating since January 2005, has around 5,000 listings, and is run entirely by volunteers. In contrast, Yell had revenues of US$2.4 billion during 2005. However, Yellowikis offers something a telephone directory publisher cannot: dynamic, customizable content. In contrast, once a yellow pages business directory is published, that's it until the next edition. Yell wants Yellowikis to pay damages and surrender the domain name, perhaps so it can launch a wiki-like service. As "Yellow Pages" is a trademarked name in the UK and Yellowikis refers to itself as "Yellow Pages for the 21st Century," the small wiki may find itself embroiled in an expensive legal fight. Even if Yell wins or forces a settlement, it won't change the fact that the business model of selling advertising, printing it in gigantic phone books, and dropping yellow pages directories off on front porches is endangered. Many directory publishers realize this and have developed an online presence that mixes paid placements in with search results. Others, like Verizon, are getting out of the yellow pages business altogether.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Friday, April 15, 2016

MIRLN --- 27 March - 16 April 2016 (v19.06)

MIRLN --- 27 March - 16 April 2016 (v19.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | LOOKING BACK | NOTES

Pentagon cut off access to personal email to fight malicious message (NextGov, 23 March 2016) - Pentagon officials last week cut off employee access to private webmail after a malicious, pervasive email campaign was spotted. Employees could not log on to commercial webmail services from the military's network for about 48 hours beginning Thursday night, according to the Defense Department. The Defense Information Systems Agency, which operates the Department of Defense Information Network, severed connections, by direction of U.S. Cyber Command. Defense restored access over the weekend. "The decision to temporarily block commercial webmail services was a result of a recent, widespread phishing effort," agency spokesman Jeffrey Capenos told Nextgov in an email Wednesday.

top

FBI is pushing back against judge's order to reveal TOR browser exploit (Motherboard, 29 March 2016) - Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a "fair question" to ask how exactly the FBI caught the defendant. But the agency is pushing back. On Monday, lawyers for the Department of Justice filed a sealed motion asking the judge to reconsider, and also provided a public declaration from an FBI agent involved in the investigation. In short, the FBI agent says that revealing the exploit used to bypass the protections offered by the Tor Browser is not necessary for the defense and their case. The defense, in previous filings, has said they want to determine whether the network investigative technique (NIT)-the FBI's term for a hacking tool-carried out additional functions beyond those authorised in the warrant. "Tsyrklevich claims that he requires access to the government's 'exploit' to determine if the government 'executed additional functions outside the scope of the NIT warrant,'" Special Agent Daniel Alfin writes. He is referring to Vlad Tsyrklevich, a malware expert held by the defense to analyse the NIT. In January, the defense did receive some of the NIT code, but not sections that would ensure that the identifier issued to the suspect's NIT-infection was unique, and the exploit used to break into the computer.

top

Google and Oracle lawyers who research jurors online must disclose it, judge rules (ABA Journal, 29 March 2016) - A federal judge has asked lawyers for Google and Oracle to voluntarily agree to a ban on Internet research on potential jurors or to disclose the extent of their online searches during jury selection. U.S. District Judge William Alsup offered that choice to lawyers in an order (PDF) on Friday. He ruled in advance of a second trial in May on Oracle's claim that Google used Oracle's copyrighted code in the Android operating system. Alsup said he decided to give lawyers the choice after realizing the reason they wanted more time to review a two-page juror questionnaire was so they could "scrub Facebook, Twitter, LinkedIn, and other Internet sites to extract personal data on the venire." He gave the lawyers until March 31 to decide whether they will agree to a ban. If the lawyers opt to conduct the searches, their juror disclosure "shall not explain away their searches on the ground that the other side will do it, so they have to do it too," Alsup wrote. "Nor may counsel intimate to the venire that the court has allowed such searches and thereby leave the false impression that the judge approves of the intrusion." Alsup said the disclosure should include how the lawyers will research jurors' social media accounts before and during the trial. Potential jurors would be told, however, that Google won't be mining their Internet searches. The lawyers would also have to keep a record of every search and all information viewed. Alsup acknowledged the online searches could turn up information that aids the lawyers in their peremptory challenges and could even lead to a for-cause removal of a potential juror. But Alsup saw potential problems with the searches. First, he wrote, jurors who learn of lawyers' own searches could be tempted to "stray from the court's admonition to refrain from conducting Internet searches on the lawyers and the case." Second, Alsup said, lawyers could use their Internet research to make improper personal appeals to particular jurors. "For example," he wrote, "if a search found that a juror's favorite book is To Kill A Mockingbird , it wouldn't be hard for counsel to construct a copyright jury argument (or a line of expert questions) based on an analogy to that work and to play upon the recent death of Harper Lee, all in an effort to ingratiate himself or herself into the heartstrings of that juror. The same could be done with a favorite quote or with any number of other juror attitudes on free trade, innovation, politics or history."

top

Hackers breach law firms, including Cravath and Weil Gotshal (WSJ, 29 March 2016) - Hackers broke into the computer networks at some of the country's most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. Other law firms also were breached, the people said, and hackers, in postings on the Internet, are threatening to attack more. It isn't clear what information the hackers stole, if any, but the focus of the investigation is on whether confidential data were taken for the purpose of insider trading, according to a person familiar with the matter. Cravath said the incident, which occurred last summer, involved a "limited breach" of its systems and that the firm is "not aware that any of the information that may have been accessed has been used improperly." The firm said its client confidentiality is sacrosanct and that it is working with law enforcement as well as outside consultants to assess its security. A spokeswoman for Weil Gotshal declined to comment. The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading. The potential vulnerability of law firms is raising concerns among their clients, who are conducting their own assessments of the firms they hire, according to senior lawyers at a number of firms. One of the trickiest questions for law firms is when they are required to publicly disclose a data breach. Forty-seven US states have their own breach-notification laws, forcing law firms and other companies to navigate a patchwork of different rules.

top

- and -

Cybercriminals target 50 BigLaw firms for phishing attacks seeking corporate deal info (ABA Journal, 30 March 2016) - A would-be securities fraud broker has spotlighted methods used in attempts to penetrate law firm computer systems, by seeking help with his project on a cybercriminal forum, authorities say. A post earlier this year by "Oleras," who lives in the Ukraine, outlined a plan to target nearly 50 BigLaw firms, most of them based in the U.S., in an attempt to get hold of documents that reveal information about pending corporate deals, Crain's Chicago Business (sub. req.) reports. Offering to pay a hacker $100,000 plus half the profits after the first $1 million, the broker outlined a plan to do keyword searches in law firm computer networks for documents likely to contain merger information. But first the hacker would have to get access to the law firm computer networks, and to do that the broker apparently suggested spear-phishing attacks on employees whose names, email addresses and social media account information were provided. In another post, Oleras listed eight attorneys at major firms to target in a different phishing attack. It would purportedly seek to profile the lawyers in a trade magazine article on top mergers and acquisitions practitioners, the Crain's article says.

top

- and -

Cravath admits breach as law firm hacks go public (American Lawyer, 30 March 2016) - While it's no secret that law firms are often targeted by cybercriminals seeking sensitive client information, it's rare for breaches to become public. But not this week. The Wall Street Journal reported Tuesday that hackers had gained access to the computer networks of law firms working on M&A deals, including Cravath, Swaine & Moore and Weil, Gotshal & Manges. A Weil spokeswoman declined to comment, but Cravath confirmed that the firm identified a "limited breach of its IT systems" in the summer of 2015. Also this week, Crain's Chicago Business reported that dozens of law firms were targeted by a Russian hacker seeking information on M&A deals. The cybercriminal, going by the name of "Oleras," was discovered soliciting help from other hackers to try to gain access to computer systems at 48 firms, nearly all of which are among The Am Law 100. When contacted by The American Lawyer, some firms said they became aware of the incident either in late 2015 or earlier this year. Wachtell, Lipton, Rosen & Katz; Paul, Weiss, Rifkind, Wharton & Garrison; Goodwin Procter; Shearman & Sterling; Pillsbury; and Kaye Scholer, which were all named in the Russian threat report, said they had no reason to believe that any of their information had been compromised. Many other firms declined to comment. Douglas Ellenoff, a founding partner at the 69-lawyer M&A firm Ellenoff Grossman & Schole, said that he found out his firm was on the target list Wednesday after reading the Crain's article. "We were surprised our name was on that particular list," he said, adding that it would have been a nice courtesy if he found out earlier. A partner at another of the targeted firms, who did not want to be identified for fear of inviting other attacks, said his firm sees "many, many phishing attempts." Cybersecurity professionals said that what's new about these hacks and attempted attacks is that they've been disclosed, willingly or not. Law firms will go to great lengths to keep attempted and successful hacks secret, because any sign that the data they store isn't secure can result in a "huge loss of customer confidence," said Austin Berglas, former head of the FBI's cyber branch in New York. "I think that the majority of the law firms don't even know that they're compromised," said Berglas, who now leads the cyber investigations and incident response team at K2 Intelligence. He added that law firms are traditionally understaffed in cybersecurity, compared with large corporations and banks. [ Polley : emphasis supplied.]

top

- and -

Law firm data breaches besiege client confidentiality (Legal Tech News, 31 March 2016) - In the wake of recently exposed law firm data breaches among several of the Am Law 100 emerges a larger issue around managing client confidentiality-one of the bedrocks of law firms' responsibilities. In the modern digital world, it also becoming more of a complex challenge, which is the topic of a recent whitepaper released by Delta-Risk, a cybersecurity consulting company based in Washington, D.C. And nowhere is the concern over client confidentiality perhaps more pronounced than in industry's vulnerabilities to cyberthreats. Law firms are some of the most attractive targets for cyberattackers, the whitepaper notes, because they handle a variety of sensitive information, from "potential mergers and acquisitions, patent and trade secrets, litigation plans, and generally very specific and confidential information on clients and their dealings." While law firms have kept hush about it, data breaches at law firms actually date back several years: For example, in 2010, California-based law firm Gipson, Hoffman & Pancione was the target of malicious phishing emails from Chinese hackers shortly after filing a software piracy lawsuit again the government and the country's firms. The firm was quickly able to identify the malware and prevent any data infiltration. In 2012, however, Chinese hackers successfully breached Washington D.C. firm Wiley Rein, who represented Solarworld in an antidumping case against the country, as a part of a wider cyberattack effort. Gipson, Hoffman & Pancione and Wiley Rein declined to comment for this article. But that is not unusual, said Joseph Abrenio, vice president of commercial services at Delta-Risk, who is also president of the Midwest Cybersecurity Alliance. He noted that firms are usually hesitant to disclose breaches due to legal, ethical, and as important, branding issues. The amount of breaches at law firms, he believes, is higher than what is usually reported.

top

- and -

GCs are aghast over hacks at top law firms (American Lawyer, 31 March 2016) - A general counsel often has some control over cybersecurity efforts within her corporation. But several cybercrimes reported this week show that now she needs to scrutinize the company's outside law firms as well. Consider these news items, all published in the past five days: * * * Outside counsel and GCs have known since an FBI warning in 2011 that law firms were becoming a major target of hackers because the firms hold a treasure of corporate information, such as upcoming M&As along with copyright and patent data on new creations. "But now we know how severely law firms are being targeted," says attorney Sharon Nelson, who is president of Sensei Enterprises Inc., a digital forensics and information security firm in Fairfax, Virginia. Because everyone is vulnerable to an attack, "the general counsel usually wants to work hand in glove with the hacked law firm," Nelson says. * * * [ Polley : This story has a better headline than body. Still; great headline.]

top

- and -

'Panama Papers' put spotlight on law firm data security (American Lawyer, 4 April 2016) - Experts warned that law firms need to "up their game" on data security after millions of documents showing apparent tax evasion and money laundering by wealthy individuals and companies were leaked from Panama offshore firm Mossack Fonseca. The Panama Papers leak is reportedly the biggest ever data breach and calls into question the ability of law firms to protect clients' data. Benedict Hamilton, Europe, Middle East and Africa managing director of risk consultant Kroll Experts, said that although firms are already taking security measures to protect private data, much more still needs to be done. "I definitely think they need to up their game on data security... I don't think they are doing nearly enough," said Hamilton. "No company can totally protect itself against an employee abusing trust, but there are things you can do that make it harder for people to leak documents." Ropes & Gray privacy and data security partner Rohan Massey said: "The risk we have is incredibly real and we are now as a sector being targeted because of the sensitivity of the information we hold. "As a profession we do need to ensure that our houses are safe and maybe we lag behind because we focus on clients." Philip Lieberman, president of Lieberman Software, said clients should be aware of the risks of law firm data breaches and satisfy themselves that a firm has necessary security measures in place before trusting them with information. "There are some law firms with excellent automated and adaptive cyber defence capabilities, but many are stuck in the dark ages of wigs, candles to read by, and quill pens to write with," he added. [ Polley : This was reportedly due to a former employee, and not a hack: see Former-employee curse: How to prevent your company from becoming the next Mossack Fonseca (Business Insights, 11 April 2016)]

top

- and -

7 lessons from the Panama Papers leak (Dark Reading, 5 April 2016) - Although many people are rejoicing in the Panama Papers outing of illegal and unethical activity by rich and powerful individuals and companies across the globe, information security professionals can also take the opportunity to learn a few lessons. The International Consortium of Investigative Journalists (ICIJ), Monday, published a report based upon a yearlong study into an enormous store of 11.5 million documents -- 2.6 TB of data, mostly emails -- leaked from Panamanian law firm Mossack Fonseca. The leaked data reveals secret information about the offshore holdings of political leaders and crime lords alike, and has exposed illegal practices used to hide wealth, disguise sources of wealth, and evade taxes. A separate report last week revealed that hackers have also been attacking law firms and banks in the United States, and the FBI is investigating to see if the attacks have resulted in insider trading. With that in mind, here are a few things all organizations, and perhaps law firms in particular, should keep in mind. * * * [ Polley : perhaps obvious, but still useful.]

top

Appeals Court: No stingrays without a warrant, explanation to judge (ArsTechnica, 31 March 2016) - On Wednesday, the Maryland Court of Special Appeals published a legal opinion finding that state police must not only obtain a warrant before deploying a cell-site simulator, but are required to also fully explain to the court what exactly the device does and how it is used. In recent years, stingray use has come under increasing scrutiny, with several states including California , Washington , Virginia , Minnesota , and Utah now mandating a warrant be issued for their use. Last year, the Department of Homeland Security and the Department of Justice also imposed new policies that require a warrant for stingray use in most cases. In an e-mail to Ars, American Civil Liberties Union attorney Nathan Wessler called Wednesday's opinion the "first appellate opinion in the country to fully address the question of whether police must disclose their intent to use a cell site simulator to a judge and obtain a probable cause warrant."

top

Could the election be hacked? (Government Technology, 31 March 2016) - With the surge in data breaches over the past several years, the prevailing wisdom is that no online data is completely safe from hackers. Banks, governments, insurance companies and small businesses globally have lost billions of dollars to cybercrime. Which leads to the big question that's being asked with renewed fervor: Could the 2016 presidential election be disrupted, or somehow manipulated, via unauthorized computer hacking or denial of service attacks? Related situations have come up several times in the past year. Concerns were raised following the Iowa caucuses in February after a new Microsoft vote-tallying app failed in certain parts of the state. The Des Moines Register reported these troubles: "Too many accounts have arisen of inconsistent counts, untrained and overwhelmed volunteers, confused voters, cramped precinct locations, a lack of voter registration forms and other problems." Still, no hacker "foul play" was insinuated. After the hanging chads from the Florida election in November 2000 and the dozens of nationwide contested elections over the past decade, no one wants to wake up to a huge cybermess that involves the word "hacking" on Nov. 9, 2016. Therefore, this election tampering issue has been raised by commentators from both ends of the political spectrum. The Huffington Post mentioned six ways hackers could disrupt an election, including hacking a voting machine, shutting down the voting system or election agencies, and deleting or changing election records. Meanwhile, Fox News proclaimed that "ballot machines are easy targets." Pointing to a report by the Commonwealth Security and Risk Management Directorate for the Virginia Information Technologies Agency, experts recently insisted that old technology could impact election results. A 2015 report from the Brennan Center for Justice said that in this year's election, 43 states will use electronic voting machines that are at least 10 years old and reaching the end of their expected lifespan. A member of the U.S. Election Assistance Commission told the report's authors, "We're getting by with Band-Aids." So what efforts are being made to ensure a safe and reliable election count? In 2012, CountingVotes.org looked at election preparedness state-by-state. The answer is that every state has taken specific actions to ensure that public trust and integrity in the voting process is maintained. [ Polley : This is one of my greatest fears; there's a lot of money involved, and even more money potentially to be had (or lost) depending on the way governments go. It'd be naive to assume that this isn't under some kind of active consideration, somewhere.]

top

Reddit hints that US now spying on its customers (CNN, 1 April 2016) - It seems that the federal government has made a demand -- in a controversial secret court -- to spy on Reddit users. Normally, the discussion website Reddit would never be allowed to even acknowledge that it received such a request. But thanks to a legal hack, the company has tipped off its customers. Federal agencies have a tool of mass surveillance called a "National Security Letter." It's a formal request that's usually issued by the FBI to an American company seeking information about customers. The legal demand is approved by a federal judge sitting on the Foreign Intelligence Surveillance Act court -- whose proceedings are kept secret -- and the subject company must stay absolutely silent about it. Ever since ex-NSA contractor Edward Snowden in 2013 revealed the extent of U.S. government surveillance, some technology companies have adopted a legal hack to alert the public when they receive these secret demands for information. It's called a "warrant canary." Here's the logic: Although a company can't say when it has received a National Security Letter, it can say when it has not received one. So, some companies have included special language in public statements saying things like, "We haven't received an NSL yet." The idea is, when an NSL comes around, the language disappears. It's like a canary in a coal mine that dies when exposed to toxic gas. Only a few companies -- mostly high tech ones that have a strong pro-privacy stance -- have adopted this, such as websites Pinterest, Reddit, and Tumblr, software maker Adobe, phone maker Silent Circle, and mobile cybersecurity company Lookout. In Reddit's case, the company previously included this language in its 2014 "transparency report," which documented how many times governments have requested information on Reddit users. "As of January 29, 2015, reddit has never received a National Security Letter," the company wrote then. "If we ever receive such a request, we would seek to let the public know it existed." That language disappeared in its next transparency report . Reuters was the first to discover this. Reddit did not respond to requests for comment.

top

The Internet's lowercase demotion by AP Stylebook upsets the internets (Mashable, 2 April 2016) - The end of an era is coming: As of June 1, Internet will no longer be capitalized. No, there's no law mandating the change, and the Internet will still be a thing, you'll just start to notice a difference in the way the word appears on many websites. The update reflects a shift in the Associated Press Stylebook , the writing bible for many journalists in the U.S. So while a large number of websites that don't use the AP Stylebook as a guide will continue to write the word as they see fit, for many others, readers will need to get used to seeing the word as "internet." The change is being met with gratitude by some, and protest by others. In fact, if you keep scrolling through the responses to AP's tweet on Saturday, the debate about the change is incredibly civil and packed with good points. [ Polley : Wired Magazine ran a story advocating for lower-case "internet" back in 2004; wouldn't you know it but the URL for that story is dead: http://www.wired.com/culture/lifestyle/news/2004/08/64596 .]

top

Publishers dealt another loss in copyright lawsuit (InsideHigherEd, 4 April 2016) - A U.S. district court judge has once again taken a look at three publishers' case against Georgia State University's e-reserve and ruled that, in 41 of 48 cases, no copyright infringement took place. The ruling , a 220-page walk-through that applies the four-part fair-use test to each of the 48 cases, is seen by copyright experts as a complicated decision that won't be of much help to universities in determining fair use, as it relies on revenue data not normally available. Still, observers described it as a win for proponents of fair use and another loss for the publishers. "This ruling, like each ruling in the case, is clearly a disaster for the plaintiff publishers," Kevin Smith, director of the office of copyright and scholarly communication at Duke University, said in a blog post . "Once again it establishes that there is significant space for fair use in higher education, even when that use is not transformative. Nevertheless, it is a difficult victory for libraries, in the sense that the analysis it uses is not one we can replicate; we simply do not have access to the extensive data about revenue, of which [U.S. District Judge Orinda D. Evans] makes such complex use."

top

Website seeks to make government data easier to sift through (NYT, 4 April 2016) - For years, the federal government, states and some cities have enthusiastically made vast troves of data open to the public. Acres of paper records on demographics, public health, traffic patterns, energy consumption, family incomes and many other topics have been digitized and posted on the web. This abundance of data can be a gold mine for discovery and insights, but finding the nuggets can be arduous, requiring special skills. A project coming out of the M.I.T. Media Lab on Monday seeks to ease that challenge and to make the value of government data available to a wider audience. The project, called Data USA , bills itself as "the most comprehensive visualization of U.S. public data." It is free, and its software code is open source, meaning that developers can build custom applications by adding other data. Cesar A. Hidalgo, an assistant professor of media arts and sciences at the M.I.T. Media Lab who led the development of Data USA, said the website was devised to "transform data into stories." Those stories are typically presented as graphics, charts and written summaries. The media lab worked with the consulting and auditing firm Deloitte , which provided funding and expertise on how people use government data sets in business and for research.

top

Applying the Fourth Amendment to cell-site simulators (Orin Kerr on Volokh, 4 April 2016) - The widespread use of cellphones gives the government a way to locate criminal suspects using a device known as a cell-site simulator . The Maryland Court of Special Appeals recently handed down the first appellate decision on whether and when use of a cell-site simulator to identify the location of a target's phone is a Fourth Amendment "search." The opinion, in State v. Andrews , rules that government use of a cell-site simulator is always a Fourth Amendment search and that it ordinarily requires a warrant. I think that result is plausible, but I found the court's path to that result rather frustrating. This post explains why. * * *

top

Wikimedia's free photo database of artworks violates copyright, court rules (The Guardian, 4 April 2016) - Sweden's highest court on Monday found Wikimedia Sweden guilty of violating copyright laws by providing free access to its database of artwork photographs without the artists' consent. Wikimedia, part of the not-for-profit foundation which oversees Wikipedia among other online resources, has a database of royalty-free photographs that can be used by the public, for educational purposes or the tourism industry. The Visual Copyright Society in Sweden (BUS), which represents painters, photographers, illustrators and designers among others, had sued Wikimedia Sweden for making photographs of their artwork displayed in public places available in its database, without their consent. The Supreme Court found in favour of BUS, arguing that while individuals were permitted to photograph artwork on display in public spaces, it was "an entirely different matter" to make the photographs available in a database for free and unlimited use.

top

- and -

Hyperlinking to unlawfully published copyright images is still legal, says top European judge (PC World, 7 April 2016) - Publishing hyperlinks to photos from, say, Playboy magazine is legal -- even if the website linked to doesn't have permission to publish the images, a top European Union judge has said. That's because hyperlinking to a document does not constitute a fresh publication, according to Melchior Wathelet, advocate general of the Court of Justice of the EU, in a legal opinion issued Thursday . But his opinion, on a case brought by the publisher of Playboy magazine, is only advisory, and it still remains for the CJEU to make a final ruling on the matter. The question of whether hyperlinking constitutes publication is important to copyright and libel law. It was last addressed by the CJEU in 2014 , when it found that Swedish media aggregation site Retriever did not need a newspaper's permission to link to stories.

top

Bitcoin start-up gets an electronic money license in Britain (NYT, 6 April 2016) - The British government has pushed through its first licensing of a virtual currency company, underscoring its desire to make London a hub for the development of financial technology. The Financial Conduct Authority, Britain's top financial regulator, has granted an electronic money license to Circle, a company based in Boston that uses Bitcoin, the virtual currency, to enable consumers to make payments to other consumers using a mobile app, or "social payments" as the company puts it. The regulator helped Circle get the license by putting it in the government's Innovation Hub, which is one of several initiatives Britain has undertaken to encourage experimentation in the financial industry. The license makes it possible for Circle to establish a banking relationship with Barclays , the British bank. It is the first time that a large global bank has agreed to work with a Bitcoin company, though Circle has attracted investments from others .

top

Using the All Writs Act to route around the Fifth Amendment (TechDirt, 6 April 2016) - USA Today's Brad Heath has dug up another use for the FBI's now-infamous All Writs Act orders: skirting the Fifth Amendment. In a 2015 case currently headed to the Appeals Court, the government is attempting to use All Writs to force a defendant to unlock his devices. The order finding Francis Rawls guilty of contempt contains a footnote pointing to the government's use of an All Writs order to force Rawls to unlock his devices -- and, one would think -- allow the government to dodge a Fifth Amendment rights violation. On July 29, 2015, the Government obtained a search warrant for certain electronic media previously seized by Delaware County and Philadelphia County law enforcement officials. Dkt. No. 1. On August 3, 2015, the Government made an application pursuant to that All Writs Act to require Francis Rawls to assist in the execution of a previously executed search warrant. "Assist in the execution" means forcing Rawls to possibly provide evidence against himself, depending on what's contained in the devices. However, the court didn't see it this way. It considered his unlocking of the devices to be "non-testimonial." While it did grant him a chance to respond to the All Writs application, it ultimately found in favor of the government.

top

Cyber insurance rates could rise 30% in 2016 for large health care, point-of-sale retailers (Canadian Underwriters, 7 April 2016) - The withdrawal by American International Group Inc. from some monoline site pollution markets "will result in increased competition" as other carriers look to pick up the displaced business, losses arising from the explosion last August in the Chinese port of Tianjin could reach $6 billion and some retailers could expect cyber insurance rates to rise 30% this year, Willis Towers Watson plc said in a report announced Thursday. In Marketplace Realities 2016 Spring Update, Willis Towers Watson revealed its predictions on rate changes for several commercial lines this year. All dollar figures are in U.S. currency. "Cyber renewals are seeing primary premiums increases of 5% to 15% for most buyers and 15% to 30% for [point of sale] retailers and large health care companies with no losses - with additional increases on excess lawyers," stated Willis Towers Watson, formed by the recent merger of commercial brokerage Willis Group plc with Towers Watson & Co.

top

Workplace wearables open up a murky legal hinterland (ReadWrite, 10 April 2016) - As wearables become more common for personal use, they are also increasingly being used by employers in the workplace . This new technology is giving employers new tools to track safety and productivity, and allowing insurers to track employee habits and health indicators. But just as the options for wearable tech proliferates, so do the related legal and privacy issues. Companies are increasingly embracing the habit of tracking any and all data possible to create efficiencies and boost the bottom line. But a recent MarketWatch article explored many of the subsequent legal concerns that are cropping up in this emerging age of workplace wearables. For employers that mandate wearables in the workplace, it's incumbent on them to develop clear rationales and policies explaining why data is being collected and limits of its use, said Jason Geller. Geller is a partner with U.S. law firm Fisher & Phillips who specializes representing employers in labour and discrimination cases.

top

How an internet mapping glitch turned a random Kansas farm into a digital hell (Fusion, 10 April 2016) - An hour's drive from Wichita, Kansas, in a little town called Potwin, there is a 360-acre piece of land with a very big problem. The plot has been owned by the Vogelman family for more than a hundred years, though the current owner, Joyce Taylor née Vogelman, 82, now rents it out. The acreage is quiet and remote: a farm, a pasture, an old orchard, two barns, some hog shacks and a two-story house. It's the kind of place you move to if you want to get away from it all. The nearest neighbor is a mile away, and the closest big town has just 13,000 people. It is real, rural America; in fact, it's a two-hour drive from the exact geographical center of the United States. But instead of being a place of respite, the people who live on Joyce Taylor's land find themselves in a technological horror story. For the last decade, Taylor and her renters have been visited by all kinds of mysterious trouble. They've been accused of being identity thieves, spammers, scammers and fraudsters. They've gotten visited by FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children. They've found people scrounging around in their barn. The renters have been doxxed, their names and addresses posted on the internet by vigilantes. Once, someone left a broken toilet in the driveway as a strange, indefinite threat. All in all, the residents of the Taylor property have been treated like criminals for a decade. And until I called them this week, they had no idea why. * * * [ Polley : Fascinating story about "internet mapping"]

top

University says government's pretty terrible at sharing cyberthreat information (TechDirt, 11 April 2016) - Multiple government agencies have gone all-in on cybersecurity. CISA was pushed through late last year -- dumped into the back pages of a "must pass" omnibus spending bill. Just like that, the government expanded its surveillance power and cleared its cyberthreat inboxes to make way for all the information non-governmental entities might want to share with it. It promised to share right back -- making this all equitable -- but no one really believed the government would give as much as it would take. Right on cue, a university heavily involved in scientific research says the government really isn't interested in sharing information . Virginia Tech is no stranger to hackers . Randy Marchany, the school's chief information security officer, says he assumes the attackers are already inside the networks. The university's attack space includes power generation networks, campus police databases, research files, student records and retail payment systems, among other sensitive digital operations, he said. Marchany lamented what he says has been a growing trend during the last couple of years of the government restricting information about ongoing hack campaigns - information that could help his staff identify the suspicious activity they already glimpse on systems. "The federal government now has this tendency to try to put a classified label on everything, and so I have to sometimes go to a dark room and have people hand me information that I can only look at," he said.

top

NY high court says parents can legally eavesdrop on kids (Ride the Lightning, 12 April 2016) - On April 5, the New York Court of Appeals, the state's highest court, ruled that a parent who believes their minor child is in danger can legally record an overheard conversation by giving consent on behalf of their child, countering a state wiretapping law that requires the consent of at least one person on the call. The court affirmed a decision of a lower court that a recording made by a child's father, who heard his ex-wife's boyfriend, Anthony Badalamenti, threatening to punch his son in the face, was admissible evidence in the underlying criminal trial against Badalamenti, on the grounds that vicarious consent was given by the father on behalf of his son to be recorded because the father believed his son was in danger. The court applied the vicarious consent doctrine which recognizes the long-established principle that the law protects the right of a parent or guardian to take actions he or she considers to be in the child's best interests. The court noted that the parent or guardian who acted in bad faith and was merely curious about the child's conversations cannot give consent and could be held liable for eavesdropping, which could be determined by the court.

top

What happened when I eliminated political dissent from my Facebook feed (Vox, 12 April 2016) - I normally refrain from posting political content on social media, but in the aftermath of the San Bernardino shooting last December I shared a video on Facebook. It was too disturbing not to. Dana Loesch, a conservative radio host, narrates the video, which appeared on the National Rifle Association's news site . She has harsh words for liberals. "These saboteurs share the same fanatical fervor to tear apart the foundations of America as the terrorists who threaten our very survival. And together, they march hand in hand toward the possible, purposeful destruction of us all," says Loesch. The video implied that the "godless left" was responsible for the San Bernardino shooting, piling it on with other purported atrocities Loesch believes liberals are also responsible for: Benghazi, Obamacare, the overall "tearing apart of the foundations of America." She goes on to say that liberals "demonize Christians" and endanger the country with our talk of "racism and xenophobia." The inflammatory nature of her remarks alarmed me. I'm a progressive. I felt personally attacked. But I also felt terrified that this rhetoric existed at all in the light of such a tragedy. I posted the video with the following comment: "As we continue to lose our sense of safety in public places, including schools, it is interesting to note that the NRA and those who profit from the sale of weapons are sponsoring videos such as this one to further promote fear and division among Americans. What a scary, scary video." I assumed my friends would see that the video was propaganda. That they would be horrified, and agree that whatever our beliefs about gun ownership, making remarks like Loesch's about any political group is not acceptable. This is why I was incensed when an old classmate commented that she absolutely loved the video and proceeded to repost it to her page. I didn't respond. I had a sudden urge to block her from my news feed, to prevent her from commenting on my posts, or even to delete her. But I worried that these feelings made me guilty of the same intolerance I have accused others of in the past. I resolved to not take any action. * * * While we may have always created echo chambers in our social circles, the emergence of the internet has intensified this effect. In his TED talk , Eli Pariser, the author of The Filter Bubble: What the Internet Is Hiding From You and the founder of MoveOn.org, warns that the internet is "increasingly showing us things we want to see and not the things we need to see." [ Polley : This is interesting and lengthy - I've here included only part of the posting.]

top

Texas prisons' new rules aim to force social media to close inmate accounts (ArsTechnica, 14 April 2016) - This month the Texas Department of Criminal Justice (TDCJ) updated its offender handbook (PDF) to stipulate that inmates are not allowed to have social media accounts. While blog posts are still permitted, a spokesperson for the TDCJ told Ars that the rule was developed to get social media platforms to comply with the corrections department's takedown requests more readily. Since Texas inmates are not allowed Internet access, this rule applies to social media accounts managed by friends or family. As Fusion explains , "Prisoners write posts, send them to a friend or family member through snail mail, and ask the friend to post them on Facebook." If an inmate is caught having a friend or family member update an account for them, they're charged with a "level three violation," which TDCJ characterizes as the lowest level of violation in the Texas prison system. The Electronic Frontier Foundation (EFF), however, says that level three violations can result in loss of privileges, extra work duty, or confinement to an inmate's cell for up to 45 days. The EFF objects to the new rules in Texas, arguing that "a person does not lose all of their rights to participate in public discourse when they are incarcerated… This policy would not only prohibit the prisoners' exercise of their First Amendment rights, but also prevent the public from exercising their First Amendment rights to gather information about the criminal justice system from those most affected by it." The TDCJ had no response to the EFF's argument. In an e-mail to Ars, TDCJ spokesperson Jason Clark noted that the new rules did not apply to blog posts written by inmates. "The rule is specific to active social media accounts such as Facebook, Twitter, Instagram, etc," he wrote. "Those companies have mechanisms in place that allow us to request that the pages be deactivated. Private Web pages don't have a mechanism to request they be taken down and we cannot force them to comply." Clark clarified for Ars that the rule was put in place in part to appease social media companies that balked at the idea of taking down a social media account without a rule in place to force their hand in compliance. "Recently when we have asked that accounts be deactivated, increasingly we have found that the social media company would come back and indicate they would not do so because the agency did not have a rule prohibiting offenders from having social media accounts." With a rule in place, however, social media companies are more willing to meet the correctional system's demand.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Changes are expected in voting by 2008 election (New York Times, 8 Dec 2006) -- By the 2008 presidential election, voters around the country are likely to see sweeping changes in how they cast their ballots and how those ballots are counted, including an end to the use of most electronic voting machines without a paper trail, federal voting officials and legislators say. New federal guidelines, along with legislation given a strong chance to pass in Congress next year, will probably combine to make the paperless voting machines obsolete, the officials say. States and counties that bought the machines will have to modify them to hook up printers, at federal expense, while others are planning to scrap the machines and buy new ones. Motivated in part by voting problems during the midterm elections last month, the changes are a result of a growing skepticism among local and state election officials, federal legislators and the scientific community about the reliability and security of the paperless touch-screen machines used by about 30 percent of American voters. The changes also mean that the various forms of vote-counting software used around the country - most of which are protected by their manufacturers for reasons of trade secrecy - will for the first time be inspected by federal authorities, and the code could be made public. There will also be greater federal oversight on how new machines are tested before they arrive at polling stations. "In the next two years I think we'll see the kinds of sweeping changes that people expected to see right after the 2000 election," said Doug Chapin, director of electionline.org, a nonpartisan election group. "The difference now is that we have moved from politics down to policies." Many of the paperless machines were bought in a rush to overhaul the voting system after the disputed presidential election in 2000, which was marred by hanging chads. But concerns have been growing that in a close election those machines give election workers no legitimate way to conduct a recount or to check for malfunctions or fraud. Several counties around the country are already considering scrapping their voting systems after problems this year, and last week federal technology experts concluded for the first time that paperless touch-screen machines could not be secured from tampering.

top

MySpace gains top ranking of US web sites (Reuters, 11 July 2006) -- Online teen hangout MySpace.com ranked as the No. 1 U.S. Web site last week, displacing Yahoo's top-rated e-mail gateway and Google Inc.'s search site, Internet tracking firm Hitwise said on Tuesday. News Corp.'s MySpace accounted for 4.46 percent of all U.S. Internet visits for the week ending July 8, pushing it past Yahoo Mail for the first time and outpacing the home pages for Yahoo, Google and Microsoft's MSN Hotmail. Hitwise does not provide figures for the number of unique visitors to a site. MySpace, which dominates social networking on the Web, also gained share in June from other sites that aim to create virtual communities online for sharing music, photos or other interests, Hitwise said. MySpace captured nearly 80 percent of visits to online social networking sites, up from 76 percent in April. A distant second was FaceBook at 7.6 percent. Rupert Murdoch's News Corp bought MySpace for $580 million one year ago as part of a strategy to rapidly build up the media conglomerate's Internet presence.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top