Saturday, November 01, 2014

MIRLN --- 12-31 October 2014 (v17.15)

MIRLN --- 12-31 October 2014 (v17.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

PRESENTATION

Managing the Cybersecurity Threat to Your Law Practice (Polley presentation to the Law Firm Alliance, 25 Oct 2014) - Overview of the ethical and operational issues affecting US law firms' cybersecurity responsibilities. 43 annotated PowerPoint slides.

NEWS

Privacy and data security issues in M&A transactions (Paul Hastings, 3 Oct 2014) - Because the failure of a target company to meet its privacy and data security obligations can present a significant risk to the acquiring company, compliance with applicable laws should be an important consideration in merger and acquisition transactions. A potential purchaser should seek to understand the nature of the personal information the target collects and the privacy and data security issues relevant to that business. Through due diligence, the purchaser can gain an understanding of the target's rights and obligations regarding the personal information it has collected, retained, used and disclosed. To assist in that process, this alert provides a checklist of potential privacy and data security issues that may be triggered in mergers and acquisitions. * * * [Polley: the ABA's Cyberspace Law Committee is undertaking a project to develop "best-practices" for security planning during M&A events. Email me if you'd like to be connected with the project co-chairs.]

Ask the Decoder: How are algorithms telling our stories for us? (Al Jazeera, 8 Oct 2014) - Jean Yang went on a big trip through Europe this summer, from Edinburgh, Scotland, to Dubrovnik, Croatia, to Oslo, Norway, and back. Like a good tourist, she took pictures on her phone, an Android, throughout her trip. When she returned home, she found a surprise package in her Google+ notifications: a neatly collated, summarized, annotated digital scrapbook titled "Trip." Jean shared the album with me with this message: "This is equally cool and creepy: Google made this scrapbook of my June travels based on a random selection of photos I took - and also its knowledge of where I was. It's kind of nice to have this information organized automatically, but this is really trusting them with a lot of information. It would be funny if they took quotes from emails I sent during this time and put in quotes relevant to the places. 'Oslo is so expensive! My second dinner of wonton soup cost 68 kroner.' I'm curious how they decide what to include." When I spoke with Jean later, she was surprised in part because she didn't know this feature existed. She was also a little taken aback by all the location information included, given that she hadn't been using her roaming phone plan or data while abroad. So how did Google pull this together? And why did it leave Jean with mixed feelings? We looked into the program. Google introduced this scrapbooking feature in May, just before Jean's trip. The company calls it Stories: "Your best photos are automatically chosen and arranged in a fun timeline to show the highlights of your trip or event." There's an example scrapbook here. * * *

Smile! Marketing firms are mining your selfies (9 Oct 2014, WSJ) - Most users of popular photo-sharing sites like Instagram, Flickr and Pinterest know that anyone can view their vacation pictures if shared publicly. But they may be surprised to learn that a new crop of digital marketing companies are searching, scanning, storing and repurposing these images to draw insights for big-brand advertisers. Some companies, such as Ditto Labs Inc., use software to scan photos (the image of someone holding a Coca-Cola can, for example) to identify logos, whether the person in the image is smiling, and the scene's context. The data allow marketers to send targeted ads or conduct market research. Others, such as Piqora Inc., store images for months on their own servers to show marketers what is trending in popularity. Some have run afoul of the loose rules on image-storing that the services have in place. The startups' efforts are raising fresh privacy concerns about how photo-sharing sites convey the collection of personal data to users. The trove is startling: Instagram says 20 billion photos have already been shared on its service, and users are adding about 60 million a day. There are no laws forbidding publicly available photos from being analyzed in bulk, because the images were posted by the user for anyone to see and download. The U.S. Federal Trade Commission does require that websites be transparent about how they share user data with third parties, but that rule is open to interpretation, particularly as new business models arise. Authorities have charged companies that omit the scope of their data-sharing from privacy policies with misleading consumers.

- and -

Feds press to keep mug shots secret (NLJ, 30 Oct 2014) - The federal government on Thursday asked a federal appeals court to block the compelled disclosure of mug shots, citing the "substantial" privacy interests of defendants. The U.S. Department of Justice is fighting a Michigan judge's ruling in a suit brought by the Detroit Free Press over access to mugs of four police officers charged in a drug and bribery conspiracy. A provision of the Freedom of Information Act allows the government to withhold mug shots, the department argues in its brief in the U.S. Court of Appeals for the Sixth Circuit. The U.S. Marshals Service denied the Free Press' FOIA request for the officers' mug shots, saying the disclosure "could reasonably be expected to constitute an unwarranted invasion of privacy."

Right round: Comparing US and European software patent eligibility (Patently-O, 10 Oct 2014) - Guest Post by Michael Williams. Williams is a UK and European Patent Attorney and Partner at the London-based Cleveland-IP firm. In the book "Through the Looking-Glass", Alice compares her drawing room to the one reflected in the mirror. She notes that everything is the same "only the things go the other way". In the recent Alice Corp [1] decision, the US Supreme Court set out a framework for assessing whether claims are patent eligible under 35 U.S.C. § 101. In this article I shall compare this framework with that used by the European Patent Office, and consider the similarities. * * *

Codes of conduct database fills an FCPA void (Corporate Counsel, 13 Oct 2014) - On Monday, in a decision followed closely by global companies who pay for and outside advisors who make a living off of Foreign Corrupt Practice Act (FCPA) compliance, the U.S. Supreme Court declined to review the Eleventh Circuit's ruling in United States v. Esquenazi, et al., (11th Cir. 2014) on the scope of what constitutes a "foreign official" under the FCPA. * * * The Eleventh Circuit provided a list of nonexhaustive factors to determine whether an entity is an "instrumentality" of a foreign government, including, for example, the government's ability to hire and fire the entity's principals, what functions the entity performs, whether the government subsidizes the costs associated with the entity providing services, and whether the public and government of that foreign country generally perceive the entity to be performing a governmental function. The court's conclusion was consistent with long-standing U.S. Department of Justice interpretation of the FCPA. Although the Supreme Court has bigger fish to fry, the University of Houston Law Center has a free database to help answer in-house counsel's burning instrumentality-related questions by conducting benchmarking of FCPA corporate policies embedded in corporate codes of conduct. The database includes three years' worth of data from corporate codes of conduct that address 42 compliance topics in corporate codes, ranging from data privacy to anticorruption to immigration. Over 2,000 student and lawyer hours have gone into creating and maintaining the database, which can be accessed here. Companies can use this database to research how peer companies are addressing interactions with state-controlled companies, among other issues. When reviewing the dataset, we found that in the past three years, nearly all Fortune 500 companies included an antibribery-related policy, in the form of a gifts and entertainment policy, although not all were FCPA-specific. [Polley: Spotted by MIRLN reader Gordon Housworth]

VPPA claim goes the way of Saturday morning cartoons (Steptoe, 16 Oct 2014) - The U.S. District Court for the Northern District of Georgia, in Ellis v. Cartoon Network, Inc., dismissed a claim brought against the Cartoon Network under the Video Privacy Protection Act (VPPA), on the ground that a person's mobile device identifier does not constitute personally identifiable information within the meaning of the Act. Accordingly, the court reasoned, the Cartoon Network's disclosure of users' device IDs along with their video viewing history to a data analytics company did not violate the VPPA.

GM's DIY Compliance: #WhatCouldPossiblyGoWrong? (Corporate Counsel, 16 Oct 2014) - What would it look like if the human resources team woke up one day and suddenly decided it was going to take over the job of the internal audit function? Would managers somehow be asked to incorporate audit activities into their performance reviews? Would audit become 90 percent training? And more importantly, would the organization find itself less capable of identifying and fixing control risks? NO, you say! That could never happen! Because everyone knows Internal Audit has a certain highly developed subject matter expertise, and that's why this must be left to the experts. And you would be right, of course. Which is why so many compliance and ethics authorities are uncomfortable with the prospect of the legal department or the general counsel driving compliance. To paraphrase Sen. Charles Grassley, R-Iowa: You don't have to be a former chief compliance officer and recovered lawyer to see/smell the General Motors-style folly of that arrangement. So to state the blindingly obvious, to this former CCO and recovered in-house lawyer, GM looks like a textbook case of "DIY Compliance." * * * This is also why I have said that any smart or reasonably cautious GC should demand a strong, independent compliance voice in the room when important decisions on compliance are being made. But let's not pick on only poor GM. My second candidate for DIY Compliance poster child? Easy: Wal-Mart Stores Inc., pre-Jay Jorgensen overhaul (separating compliance from legal, and many other important and savvy reforms). Well-known Foreign Corrupt Practices Act expert and blogger Tom Fox has described Walmart's decision to free its compliance function from its legal master as "the end of discussion" of how these departments should be structured.

Would a new crime of "willful refusal to comply with a decryption order" be the best answer to the device decryption puzzle? (Orin Kerr, 17 Oct 2014) - FBI Director James Comey spoke Thursday at Brookings about the FBI's concerns with how encryption can frustrate search warrants in lawful investigations. The scope of Comey's remarks goes beyond Apple's new iOS8 operating system design, but much of it focused on the question of device encryption raised by Apple's new policy. I wanted to focus on one aspect of Comey's remarks, the question of whether the government can get access to the contents of encrypted devices directly from a suspect in a criminal case. Here's Comey: "Finally, a reasonable person might also ask, 'Can't you just compel the owner of the phone to produce the password?' Likely, no. And even if we could compel them as a legal matter, if we had a child predator in custody, and he could choose to sit quietly through a 30-day contempt sentence for refusing to comply with a court order to produce his password, or he could risk a 30-year sentence for production and distribution of child pornography, which do you think he would choose?" I think Comey is wrong that the Fifth Amendment is a "likely" barrier in the cell phone context, because in most of the typical cases, when the government knows who is the owner of the phone, the Fifth Amendment shouldn't be a problem. But let me put that issue aside for now and focus instead on the rest of Comey's comment, and specifically his concern that the punishment for refusing to comply with a court order to produce a password would be so low that the bad guys will just make a rational decision to take the lesser contempt punishment. * * *

If you don't agree to the new Wii U EULA, Nintendo will kill-switch it (Cory Doctorow on BoingBoing, 18 Oct 2014) - When you bought your Wii U, it came with one set of terms-of-service; now they've changed, and if you don't accept the changes, your Wii seizes up and won't work. That's not exactly what we think of when we hear the word "agreement." Yet this is how Nintendo's update to its end-user license agreement (EULA) for the Wii U works, as described by YouTube user "AMurder0fCrows" in this video. He didn't like the terms of Nintendo's updated EULA and refused to agree. He may have expected that, like users of the original Wii and other gaming consoles, he would have the option to refuse software or EULA updates and continue to use his device as he always had before. He might have to give up online access, or some new functionality, but that would be his choice. That's a natural consumer expectation in the gaming context - but it didn't apply this time. Instead, according to his video, the Wii U provides no option to decline the update, and blocks any attempt to access games or saved information by redirecting the user to the new EULA. The only way to regain the use of the device is to click "Agree."

A 'partial win' for publishers (InsideHigherEd, 20 Oct 2014) - While academic publishers on Friday notched a rare win in the ongoing legal debate about digital access to copyrighted works, proponents of fair use said the opinion in Cambridge v. Patton recognizes that colleges and universities can legally create digital reserves of books in their collections. In a unanimous decision, a three-judge panel of the U.S. Court of Appeals for the 11th Circuit, which covers Alabama, Georgia and Florida, rejected a broad ruling on how to determine fair use. The decision guarantees the case has a long and litigious road ahead of it by reversing the district court's opinion and sending the case back for further deliberations. Rather than strike a decisive blow against fair use, the legal concept that places some limits on the rights of copyright holders, the appeals court instead issued a stern warning against quick-fix, one-size-fits-all solutions to legal disputes -- specifically, the idea that copying less than a chapter or 10 percent of a book automatically protects an institution from a lawsuit. * * * [T]he court also came away "persuaded" that the Copyright Act of 1976 contains specific protections for colleges and universities, noting that Congress "devoted extensive effort to ensure that fair use would allow for educational copying under the proper circumstances." "While it can be worrisome to see a fair use win sent back, in this case, it seems to be mostly for the right reasons," Mike Masnick, founder of the technology blog Techdirt, wrote. "Given these new instructions, it seems like the lower court now has a chance to come to the right answer for the right reasons, and that's always going to be a better result." [Polley: See also On Cambridge v. Patton (Tracy Mitrano on InsideHigherEd, 19 Oct 2014)]

- and -

Harvard library lifts restrictions on digital reproductions of works in the public domain (Harvard, 20 Oct 2014) - The Harvard Library is pleased to announce a new policy on the use of digital reproductions of works in the public domain. When the Library makes such reproductions and makes them openly available online, it will treat the reproductions themselves as objects in the public domain. It will not try to restrict what users can do with them, nor will it grant or deny permission for any use. For more detail, see the policy FAQ. Said Peter Suber, director of the Harvard Library Office for Scholarly Communication and director of the Harvard Open Access Project, "We were inspired by pioneering policies to this effect at Cornell University Library and Yale University. We were also fortunate to have the prime mover of the Cornell policy, Peter Hirtle, at Harvard. I'm proud that Harvard is removing obstacles to research and education, and taking this extra step to share the wealth of its extraordinary collections with the world." The Harvard Library Board adopted the policy late last month. The Library will update its web sites to reflect the new policy during the remainder of the present academic year.

EFF launches updated Know Your Rights guide (EFF, 20 Oct 2014) - In the U.S., if the police come knocking at your door, the Constitution offers you some protection. But the Constitution is just a piece of paper if you don't know how to assert your rights. And even if you do assert your rights, what happens next? That answer may seem complicated, but protecting yourself is simple if you know your rights. That's why EFF has launched an updated Know Your Rights Guide that explains your legal rights when law enforcement try to search the data stored on your computer, cell phone, or other electronic device. The guide clarifies when the police can search devices, describes what to do if police do (or don't) have a warrant, and explains what happens if the police can't get into a device because of encryption or other security measures.

- and -

Florida Supreme Court rules warrants a must for real-time cell location tracking (SC Magazine, 20 Oct 2014) - In a ruling that Electronic Frontier Foundation (EFF) staff attorney Hanni Fakhoury believes will be "cited a lot by EFF" and other privacy advocates, the Florida Supreme Court has said that law enforcement agencies must have a warrant to obtain cell phone location information that they need to track a user's location in real time. The decision by Florida's highest court adds to the "growing chorus of courts" finding that location information is private, Fakhoury told SCMagazine.com Monday. The case, Tracey v. Florida, made its way to the Supreme Court after police obtained cell tower data from a provider without a warrant to track the movements in real time of suspected drug dealer Alvin Tracey and used that information to elicit a conviction from a criminal court. Officers "obtained an order authorizing the installation of a 'pen register' and 'trap and trace device' as to Tracey's cell phone," which records outgoing and incoming telephone numbers, respectively, the Florida Supreme Court decision noted. But later, without obtaining a warrant or providing additional "factual allegations," the officers "used information provided by the cell phone service provider" under an earlier order. The information provided "included real time cell site location information given off by cell phones when calls are placed." * * * Citing Fourth Amendment protections as well as Supreme Court precedent in several cases, including Katz v. United States, the Florida Supreme Court quashed the Fourth District Court ruling, noting that smartphones "are ubiquitous and have become virtual extensions of many of the people using them for all manner of necessary and personal matters," which makes a "phone's movements its owner's movements, often into clearly protected areas."

The number of industries getting classified cyberthreat tips from DHS has doubled since July (NextGov, 20 Oct 2014) - Firms from half of the nation's 16 key industries, including wastewater and banking, have paid for special technology to join a Department of Homeland Security program that shares classified cyberthreat intelligence, in hopes of protecting society from a catastrophic cyberattack. Participation in the Enhanced Cybersecurity Services initiative has more than doubled during the past few months. Through the voluntary program - previously exclusive to defense contractors - cleared Internet service providers feed nonpublic government information about threats into the anti-malware systems of critical sector networks. As of July, only three industries - energy, communications and defense - were using the service, according to an unfavorable DHS inspector general audit. Now, befitting National Cybersecurity Awareness Month, Homeland Security officials say the financial, water, chemical, information technology and transportation sectors also are receiving the threat indicators. Just two months ago, American Chemistry Council officials said they had never heard of the program. The service has been available since 2013.

Chinese APT groups targeting Australian lawyers (The Register, 21 Oct 2014) - Law firms are among Australian businesses being targeted by at least 13 Chinese advanced malware groups in a bid to steal intelligence from big business, says forensics bod and Mandiant man Mark Goudie. The attacks are well planned and rely on a combination of stealth and persistence in order to extract any and all valuable corporate data. The local Mandiant director presented findings at the Australian Information Security Association conference last week and said one unnamed Aussie firm had been thoroughly owned. "The property manager was used as a way to get the data about a business deal (merger and acquisition)," Goudie told Vulture South. "The law firms are data aggregators and are being targeted too - anything that goes through a lawyer is obviously of interest to a deal. Law firms tend to operate in verticals as do advanced persistent threat (APT) groups, so it makes a lot of sense when you think about it."

- and -

After JPMorgan cyberattack, a push to fortify Wall Street banks (NYT, 21 Oct 2014) - This summer's huge cyberattack on JPMorgan Chase and a dozen other financial institutions is accelerating efforts by federal and state authorities to push banks and brokerage firms to close some gaping holes in their defenses. Top officials at the Treasury Department are discussing the need to bolster fortifications around a critical area of cybersecurity: outside vendors, which include law firms, accounting and marketing firms and even janitorial companies, according to several people briefed on the matter. The push by government officials is a stark acknowledgment of the vulnerability of financial institutions - even after they have spent hundreds of millions of dollars to protect themselves - to an attack if one of their vendors is not fully prepared. The problem is causing some security consultants to privately consider whether the sprawling financial firms with operations across the globe may be "too big to secure." And smaller firms, the consultants say, may simply not have the ability to adequately defend customer information. At a dinner in New York on Tuesday evening that is expected to include the general counsels from JPMorgan, Bank of America and Deutsche Bank, New York State's top financial regulator, Benjamin M. Lawsky, is expected to emphasize the gathering danger to the financial system when vendors' security is lax, according to one of the people briefed on the matter. The remarks, at the University Club in Midtown Manhattan, come as Mr. Lawsky is considering a new rule that would require banks to "obtain representations and warranties" from vendors about the adequacy of their controls to thwart hackers, the people said. [Polley: emphasis added.]

- and -

Law firms face cybersecurity audits by banking clients; are they a 'weak link'? (ABA Journal, 27 Oct 2014) - Banks are increasingly scrutinizing their law firms' cybersecurity efforts, including the law firms' protection of confidential information released to vendors such as word-processing firms and print shops. The law firms are increasingly facing on-site technology audits by banks, even as the banks themselves face cybersecurity pressures from regulators, the Wall Street Journal (sub. req.) reports. Just last week, New York's Department of Financial Services sent letters to dozens of banks asking about protections for information sent to third-party vendors such as law firms and accounting firms, according to a separate story by the Wall Street Journal (sub. req.). "Law firms increasingly are seen as potential weak links," the Wall Street Journal says. "Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions." The story cites information from an American Bar Association technology survey that found 14 percent of the respondents had experienced some type of security breach or theft this year. But only 1 percent said the breach resulted in unauthorized access to sensitive client data. The Wall Street Journal spoke with Goodwin Procter's chief information officer, Lorey Hoffman, who works with examiners sent by clients who want to know about data protection. The firm also hires its own auditors to check its cybersecurity. "It's a lot more than just checking a box," Hoffman said of the firm's response to client security questions.

- and -

Cybersecurity: Not just for biglaw and its clients (WSJ, 27 Oct 2014) - Cybersecurity is an increasingly big priority for law firms with big financial institution clients. But it can be a matter of life and death for lawyers doing pro bono work with clients in troubled countries who are battling human trafficking, terrorism and other human rights violations. The interception of sensitive documents by criminals or unfriendly governments can compromise the safety of in-country clients, and in some cases the attorneys with whom they work. "Human rights really is cloak-and-dagger," Christina Storm, a lawyer and founder of the non-profit group Lawyers Without Borders, told Law Blog. "Lawyers put themselves at risk, and every person in-country who reaches out to us puts themselves at risk." Ms. Storm's group focuses on strengthening the rule of law around the world. The organization works with law firms big and small as well as solo practitioners on cases that range from electoral reform to strengthening protections for gay, bisexual and transgender people in African countries. Such work isn't always popular. In some places, government surveillance might involve keyloggers that track communications between dissidents and their lawyers. Confidential documents that fall into the wrong hands can expose both sides to danger, Ms. Storm said, adding, "Their safety is important to us." Lawyers Without Borders takes some of its security cues from the big law firms it works with, such as Reed Smith LLP and Linklaters, whose corporate and financial clients require myriad steps to prevent hackers from accessing confidential information. At one point the organization tried using encrypted email, but the program was so cumbersome that people abandoned it because it was hard to use. Another document management system ended up being accessed by authorities in an unfriendly country, and the whole thing had to be scrapped.

US national security prosecutors shift focus from spies to cyber (Reuters, 21 Oct 2014) - The U.S. Justice Department is restructuring its national security prosecution team to deal with cyber attacks and the threat of sensitive technology ending up in the wrong hands, as American business and government agencies face more intrusions. The revamp, led by Assistant Attorney General John Carlin, also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States. As part of the shift, the Justice Department has created a new position in the senior ranks of its national security division to focus on cyber security and recruited an experienced prosecutor, Luke Dembosky, to fill the position. The agency is also renaming its counter-espionage section to reflect its expanding work on cases involving violations of export control laws, Carlin confirmed in an interview. Such laws prohibit the export without appropriate licenses of products or machinery that could be used in weapons or other defense programs, or goods or services to countries sanctioned by the U.S. government.

New York City court buys NYPD's claims of 'national security,' grants it power to 'Glomar' FOIL requests (TechDirt, 21 Oct 2014) - A New York City court has given the NYPD one of the few things separating it from the "big boys" (CIA, FBI and NSA): the permission to issue "Glomar responses" (the infamous "we can neither confirm nor deny...") to FOIL (Freedom of Information Law) requests. Like the audacity of the department itself in pursuing this additional method of keeping the public separated from public documents, the decision is unprecedented: The decision appears to be the first time that a court anywhere in the U.S. has upheld the use of such a tactic by a state agency. The Glomar response has historically been used only with regard to requests made to federal agencies that involve sensitive matters of national security.

Antitrust experts slam Comcast merger plan, warn of threats to Netflix and Amazon Prime (GigaOM, 21 Oct 2014) - A letter signed by more than three dozen law and economics professors and submitted to the FCC on Monday makes a withering case against the proposed merger of cable giants Comcast and Time Warner Cable, claiming the deal would harm consumers and violate the antimonopoly provisions of the federal Clayton Act. According to the 16-page submission, the merger will reduce competition by providing Comcast with over 40 percent of the market for broadband internet services, and make it easier for the incumbents to hobble "over-the-top" challengers like Netflix by congesting their internet traffic. The document, signed by antitrust experts from across the country including Columbia's Tim Wu and Stanford's Mark Lemley, comes as the FCC decides whether or not to approve the $45 billion merger, which was announced in February. A decision is expected in 2015.

Pandora holds out olive branch of data to musicians (LA Times, 22 Oct 2014) - Pandora Media, the king of personalized online radio services, pays recording artists, songwriters, record labels and music publishers close to $300 million a year in royalties. That's not nearly enough to satisfy the company's critics in the music industry, who resent how little Pandora pays each time a user plays a track. On Wednesday, the company plans to start offering artists more than just royalties. It's opening a new Artists Marketing Platform that provides detailed analytics for bands and their managers about their songs and their fans. Pandora AMP will be available free to any artist whose music is available on the service. Among other things, artists will be able to see which cities are home to the greatest clusters of their fans, the number of thumbs up (the Pandora equivalent of a Facebook "like") each of their tracks have received from listeners, and some basic demographic information on the users who have created playlists based on their music. * * * Yet AMP has been in the works for some time. Company founder Tim Westergren, a former professional musician himself, revealed plans for the service in a January 2013 speech at the Consumer Electronics Show in Las Vegas. Westergren argued then that Pandora can offer struggling musicians a path into the middle class by making it easier for them to attract, find and connect with fans. He returned to that theme in a blog post Wednesday announcing the service.

Man convicted for webcam sex with virtual 'underage girl' (Mashable, 22 Oct 2014) - A 10-year-old girl from the Philippines, nicknamed Sweetie, has helped authorities convict one Australian on child pornography charges. But Sweetie isn't real - she's a virtual digital avatar created to lure predators as part of a global sting operation. Scott Robert Hansen, a 37-year-old from Australia, is the first person to be convicted as a result of his interactions with Sweetie, according to Agence France-Presse. Hansen pleaded guilty to three charges related to child sex on Tuesday, including sending obscene pictures of himself to Sweetie, having child porn on his computer, and breaking a sex offenders order, according to Australian media. Sweetie was created last year by the Dutch branch of Terre des Hommes International Federation, a charity that works to protect children. The organization said that a group of its researchers posed as Sweetie during the sting operation, visiting "dozens" of chat rooms. The researchers then passed the chat logs of their conversations with the predators to Europol. During the sting operation, Sweetie was approached by 20,000 people over a 10-week period. Some 1,000 of them have already been identified.

Museums morph digitally (NYT, 23 Oct 2014) - For the Metropolitan Museum of Art, a turning point came in 2011. Down went the signs imploring visitors to stow their cellphones. The Met revamped its website, tailoring it for viewing on smartphone screens. The museum was not only allowing visitors to use their mobile phones while browsing the artworks, but encouraging it. The digital experience was embraced and meant to enhance the physical experience of exploring the museum. The trend has only accelerated since, at the Met and across the museum world. At first glance, it might seem like a capitulation, giving in to the virtual enemy when museums are so essentially physical spaces. Yet listen to museum curators and administrators today and they often sound like executives in media, retailing, consumer goods and other industries. They talk of displaying their wares on "multiple platforms," and the importance of a social media strategy and a "digital first" mind-set. Museums are being redefined for a digital age. The transformation, museum officials say, promises to touch every aspect of what museums do, from how art and objects are presented and experienced to what is defined as art. The museum of the future will come in evolutionary steps. But some steps are already being taken. Digital technologies being deployed or developed include: augmented reality, a sort of smart assistant software that delivers supplemental information or images related to an artwork to a smartphone; high-definition projections of an artwork, a landscape or night sky that offer an immersive experience; and 3-D measurement and printing technology that lets people reproduce, hold and feel an accurate replica of an object. At the Smithsonian Institution, 3-D technology is increasingly used for conservation, research and public education programs. The fine-grained scanning allows a depth of data collection and analysis that was not possible before.
The gunboat Philadelphia, built in 1776, is the last surviving cannon-bearing American vessel from the Revolutionary War. The historic boat has been 3-D-scanned so online viewers can see it from angles not possible in person at the National Museum of American History in Washington. But it is also scanned regularly so conservators can get early warnings of deterioration of the old wooden structure. Colleen Stockmann, assistant curator for special projects at the Cantor Arts Center at Stanford University, and Jean-Baptiste Boin, a Ph.D. candidate in electrical engineering at Stanford and an expert in computer vision, are working on taking augmented reality a step further. Their research project, Art++, combines image-recognition technology and computer graphics with art history expertise. With their software, a person would walk into a museum, turn his or her smartphone or tablet toward a photograph, painting or sculpture, and the artwork would be surrounded with a digital halo of supplemental information. The Cantor center, Ms. Stockmann said, exhibited the Stanford University Libraries' collection of landscape photographs of California and the Northwest by the 19th-century photographer Carleton Watkins. Capture the image of a Watkins photo of Yosemite Valley, she said, and you can tap on an icon that shows a map of where Watkins walked in the valley to take his photographs. [ Polley : see related Tour a museum from anywhere (NYT, 23 Oct 2014); and Masterworks for one and all (MIRLN 16.08)]

Leave your passwords at the checkout desk (Secure List, 23 Oct 2014) - Hotels, restaurants and airports often offer customers free tablets to use while on their premises. Recently, while attending an event and staying in one such hotel, I had the chance to use a free iPad specially installed in my room. To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room. When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information. It was not even hard to figure out the identity of the woman who had used it, since she also left her personal contact information on the device: * * * Having full names and email addresses cached on the device, it was not hard to Google a little bit and find out that some of the users were very public people working for the government of the country where I was staying. Most of the sessions were still open, even allowing the posting / sending of messages in the name of the user.

New guidance for lawyers on the ethics of social media use (Attorney At Work, 23 Oct 2014) - Do you need advice about the ethics issues involved in social networking? Chances are your questions will be answered by the Pennsylvania Bar Association's recent Formal Opinion 2014-300. The 18-page opinion addresses issues that are important for lawyers in every state. The Pennsylvania opinion rests on the premise that Rule 1.1 of the Model Rules of Professional Conduct requires lawyers to have "a basic knowledge of how social media websites work," as well as the ability to advise clients about the legal ramifications of using the sites. The Pennsylvania Bar Committee offers conclusions about 10 ethics issues involved in the use of social media for business purposes by lawyers and clients. Also, the committee emphasizes that lawyers should always assume their use of social media may be subject to the rules of professional conduct. The topics addressed in the opinion are well supported with rules and opinions from many states. The bar committee reached the following conclusions * * *

- and -

Competence: Acquire it or hire it! (ABA Journal, Nov 2014) - Lawyer competence is spelled out in the ethics rules, in ABA Model Rule 1.1, as "the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation," and in the civil context, as a standard when evaluating legal malpractice, as "ordinary" skill and capacity, or that of the average qualified practitioner, or that which is "normally" exercised by lawyers in similar circumstances. Restatement (Third) of the Law Governing Lawyers §52 (2000). Language linking the competence standard to expertise in technology was addressed in the context of technological advances when the ABA amended the comments to two of the Model Rules following the ABA Ethics 20/20 Commission's final reports. This language can be found in the Comments to two of the ABA Model Rules, Rule 1.1 Competence and Rule 1.6 Confidentiality. * * *

Verizon Wireless injects identifiers that link its users to Web requests (ArsTechnica, 24 Oct 2014) - Cellular communications provider Verizon Wireless is adding cookie-like tokens to Web requests traveling over its network. These tokens are being used to build a detailed picture of users' interests and to help clients tailor advertisements, according to researchers and Verizon's own documentation. The profiling, part of Verizon's Precision Market Insights division, kicked off more than two years ago and expanded to cover all Verizon Wireless subscribers as part of the company's Relevant Mobile Advertising service. It appends a per-device token known as the Unique Identifier Header (UIDH) to each Web request sent through its cellular network from a particular mobile device, allowing Verizon to link a website visitor to its own internal profiles. The service aims to allow client websites to target advertising at specific segments of the consumer market. While the company started piloting the service two years ago, privacy experts only began warning of the issue this week, arguing that the service is essentially tracking users and that companies paid for a fundamental service should not be using the data for a secondary purpose. [ Polley : AT&T, also, apparently - go here to test your own carrier.]
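As an added illustration (not code from the Ars Technica article, Verizon, or the linked test page), the following Python models the mechanism described above, a carrier-side proxy appending a per-device token to every plaintext HTTP request, and the echo-and-compare check a "test your own carrier" page performs: the client records exactly which headers it sent, the server reports which headers arrived, and anything the client never sent was inserted in transit. The header name X-UIDH is the one reported for Verizon's service at the time; the token scheme, secret, subscriber ids and the Via bookkeeping are constructed for the example.

```python
"""Carrier header injection and its detection (added example, not from the article).

A carrier proxy appends a Unique Identifier Header (UIDH) to plaintext HTTP
requests. A test page detects it by comparing the headers the client sent
with the headers the server actually received. TLS defeats the injection
because the proxy cannot modify an encrypted request.
"""
import hashlib
import hmac

# Header name reported for Verizon's service; all other values are constructed.
KNOWN_TRACKING_HEADERS = {"x-uidh"}

# Headers a proxy may legitimately add; not evidence of tracking by themselves.
BENIGN_PROXY_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto", "forwarded"}

# Constructed carrier secret; a real carrier would hold this on its own side.
CARRIER_SECRET = b"constructed-carrier-secret"


def carrier_token(subscriber_id: str) -> str:
    """Derive an opaque but stable per-subscriber token (constructed scheme).

    Stability is what makes such a header a tracking identifier: the same
    device yields the same value on every request, so unrelated sites can
    correlate visits without any cookie the user could clear.
    """
    mac = hmac.new(CARRIER_SECRET, subscriber_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def carrier_proxy(request: dict, subscriber_id: str) -> dict:
    """Simulate the carrier network path for one request.

    request = {"scheme": "http" | "https", "headers": {...}}. A plaintext
    request gets the tracking header appended; an HTTPS request is opaque to
    the carrier and passes through unchanged.
    """
    forwarded = dict(request["headers"])
    if request["scheme"] == "http":
        forwarded["X-UIDH"] = carrier_token(subscriber_id)
        forwarded["Via"] = "1.1 carrier-proxy"  # ordinary proxy bookkeeping
    return {"scheme": request["scheme"], "headers": forwarded}


def find_injected_headers(sent: dict, received: dict) -> dict:
    """Return headers present at the server that the client never sent.

    Names are compared case-insensitively (HTTP header names are), and
    benign proxy headers are ignored so that only unexpected additions surface.
    """
    sent_names = {name.lower() for name in sent}
    injected = {}
    for name, value in received.items():
        lname = name.lower()
        if lname not in sent_names and lname not in BENIGN_PROXY_HEADERS:
            injected[lname] = value
    return injected


def assess(sent: dict, received: dict) -> dict:
    """Classify injected headers as known tracking headers or unrecognised ones."""
    injected = find_injected_headers(sent, received)
    return {
        "tracked": any(n in KNOWN_TRACKING_HEADERS for n in injected),
        "known": sorted(n for n in injected if n in KNOWN_TRACKING_HEADERS),
        "unknown": sorted(n for n in injected if n not in KNOWN_TRACKING_HEADERS),
    }


def run_carrier_check(scheme: str, subscriber_id: str) -> dict:
    """End to end: client sends a fixed header set, carrier forwards, server echoes."""
    sent = {"Host": "example.test", "User-Agent": "carrier-check/1.0", "Accept": "*/*"}
    received = carrier_proxy({"scheme": scheme, "headers": sent}, subscriber_id)["headers"]
    result = assess(sent, received)
    result["scheme"] = scheme
    return result


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(run_carrier_check(scheme, "constructed-subscriber-001"))
```

The same comparison flags any unexpected header, not only X-UIDH, which is why such a check still works for a carrier using a different header name.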

How Facebook is changing the way its users consume journalism (NYT, 26 Oct 2014) - Many of the people who read this article will do so because Greg Marra, 26, a Facebook engineer, calculated that it was the kind of thing they might enjoy. Mr. Marra's team designs the code that drives Facebook's News Feed - the stream of updates, photographs, videos and stories that users see. He is also fast becoming one of the most influential people in the news business. Facebook now has a fifth of the world - about 1.3 billion people - logging on at least monthly. It drives up to 20 percent of traffic to news sites, according to figures from the analytics company SimpleReach. On mobile devices, the fastest-growing source of readers, the percentage is even higher, SimpleReach says, and continues to increase. The social media company is increasingly becoming to the news business what Amazon is to book publishing - a behemoth that provides access to hundreds of millions of consumers and wields enormous power. About 30 percent of adults in the United States get their news on Facebook, according to a study from the Pew Research Center. The fortunes of a news site, in short, can rise or fall depending on how it performs in Facebook's News Feed. Though other services, like Twitter and Google News, can also exert a large influence, Facebook is at the forefront of a fundamental change in how people consume journalism. Most readers now come to it not through the print editions of newspapers and magazines or their home pages online, but through social media and search engines driven by an algorithm, a mathematical formula that predicts what users might want to read. It is a world of fragments, filtered by code and delivered on demand. For news organizations, said Cory Haik, senior editor for digital news at The Washington Post, the shift represents "the great unbundling" of journalism.
Just as the music industry has moved largely from selling albums to songs bought instantly online, publishers are increasingly reaching readers through individual pieces rather than complete editions of newspapers or magazines. A publication's home page, said Edward Kim, a co-founder of SimpleReach, will soon be important more as an advertisement of its brand than as a destination for readers. "People won't type in WashingtonPost.com anymore," Ms. Haik said. "It's search and social." [ Polley : see related Harvard podcast below. ]

FCC imposes first cybersecurity fine (Inside Counsel, 27 Oct 2014) - Private customer information has become a business asset in the connected age, and as criminals increasingly target large corporations to extract that information, regulators are being brought to task over how to implement fines for those who leave their data vulnerable. The Federal Communications Commission (FCC) has become the latest to join the ranks of regulators imposing fines for data negligence on companies, announcing on Oct 24 that it will impose its first fine related to data security on phone providers TerraCom Inc and YourTel America Inc. The FCC is asking for $10 million regarding the issue. The Commission alleges that the two companies collected personal information, including contact information and social security numbers, from customers in a manner that exposed their customer base to considerable risk of data theft. The fine was imposed based on the companies' violation of the Communications Act of 1934.

New from AVVO: on-demand, fixed-fee legal advice (Robert Ambrogi, 27 Oct 2014) - Avvo, Inc. - never a company shy about pushing the envelope - has just pushed it a bit further, with the launch of Avvo Advisor, a service that provides on-demand legal advice by phone for a fixed fee of $39 for 15 minutes. The service is available to consumers online or through a free iOS app. To use the service, the consumer first enters his or her zip code and then selects the type of legal matter in which he or she needs help. The consumer is then asked to provide credit card and contact information. The service promises that the consumer will receive a call from an attorney within 15 minutes or else the consumer's fee will be fully refunded. The service covers nine legal categories: small business, divorce, family, immigration, real estate, landlord-tenant, criminal defense, employment and bankruptcy/debt. It is so far available to consumers in 15 states, with more to be added in the coming months: Arizona, California, Colorado, Florida, Georgia, Illinois, Maryland, Massachusetts, Michigan, New Jersey, New York, Pennsylvania, Texas, Washington and Wisconsin. A separate section of the site provides information for attorneys wishing to enroll in the program. All an attorney needs to participate, it says, is a bank account and a mobile phone. "You control your availability via text, whenever and wherever you want to receive Avvo Advisor sessions." Avvo notifies the attorney via text when someone purchases a session in the attorney's state and practice area. The attorney responds to the text to claim the session, then has 15 minutes to initiate the call. Once the call is finished, the entire fee is deposited to the attorney's account (so there is no fee splitting).

Cyber attacks on US companies in 2014 (The Heritage Foundation, 27 Oct 2014) - The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector's information security. According to FBI Director James Comey, "There are two kinds of big companies in the United States. There are those who've been hacked…and those who don't know they've been hacked." This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data. This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves. The data breaches below are listed chronologically by month of public notice. * * * [ Polley : Spotted by MIRLN reader Andy Jabbour ]

NIST: Guide to cyber threat information sharing (NIST, 28 Oct 2014) - NIST announces the public comment release of Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. The publication explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.

NOTED PODCASTS

Uncovering algorithms: Looking inside the Facebook news feed (Berkman, 22 July 2014; 78 minutes) - Our online lives are organized by computer algorithms that select and recommend advertisements, search results, news, and online social interactions. These algorithms are often closely-guarded secrets kept by Internet companies, but researchers, users, and the public might legitimately need to know how these algorithms operate. In this talk we will use the Facebook news feed as an example to ask: How do we go about knowing these algorithms from the outside? This includes a discussion of potential research designs that investigate algorithms and also research on how users think about these algorithms.

RESOURCES

Homeland Security Policy Institute blog (Sept 2014) - The GWU Homeland Security Policy Institute has recently launched a new blog at http://hspi.org as a forum to provide short-form commentary and discussion on significant homeland security and counterterrorism issues, and as a place to highlight its events, reports, and other activities. Contributors to the blog include the full-time senior staff of HSPI and the Institute's senior fellows. Since our launch of the blog in mid-September, there have been more than 50 posts on the site, on topics such as the Secret Service's organizational issues, the implications of the recent JP Morgan Chase cyber incident, and ISIS's fundraising. We have also been posting summaries of our recent policy events on the site.

Just borrowing this story, OK? (MLPB, 14 Oct 2014) - Viva Moffat, University of Denver Sturm College of Law has published Borrowed Fiction and the Rightful Copyright Position at 32 Cardozo Arts & Entertainment Law Journal 389 (2014). Here is the abstract: Works of "borrowed fiction" - unauthorized sequels or retellings of literary works - have long prompted legal, cultural, and social backlash. With respect to copyright disputes, this is because borrowed fiction entails a range of legitimate but conflicting interests. Copyright law has historically elevated the interests of the "original" author over those of other writers and the reading public. Scholars have offered a range of proposals to counter this tendency, but these reforms have focused on the infringement analysis and the fair use doctrine. Each of those, however, involves a binary decision, one that is not amenable to accommodating the conflicting interests at stake. This Article proposes that a better accommodation between and among these interests can be achieved at the remedial stage. By taking seriously both the "rightful position" notion in remedies law and the Supreme Court's admonition against presumptive injunctive relief, courts can reach a more nuanced result in borrowed fiction cases. Under this approach, the full panoply of remedies would remain available, but rarely would anything more than compensatory damages be necessary to put the plaintiff in her rightful copyright position.

Book serves as guide to free and low-cost legal research (Robert Ambrogi, 20 Oct 2014) - I am a cheapskate. I am not ashamed to admit it. That is what first drove me to explore the Internet more than 20 years ago, back when many lawyers still had not even heard of it. Having just gone back into private practice at the time, I was in search of free resources for legal research, hoping to avoid the high cost of a Westlaw or LexisNexis subscription or investment in a library of hard-bound reporters. Fast forward two decades and, well, we've come a long way baby. Every federal and state appellate opinion can be found online at no cost. Federal and state statutes are online, as are growing bodies of other primary legal materials, from federal regulations to municipal ordinances. Traditional law reviews now publish online while legal blogs are creating new forms of legal commentary and analysis. Search technology has become so sophisticated that we forget how difficult search used to be. All of this is available to us wherever we are, in the office or on a mobile device sitting outside a courtroom. All these years later, I am as budget-conscious as ever. That is why I highly recommend the book, Internet Legal Research on a Budget, written by Carole Levitt and Judy Davis and published by the Law Practice Division of the American Bar Association. Together, they have written a book that is a must-have for any lawyer or legal researcher who is as budget-conscious as I - and I am willing to bet that is most of us. They have scoped out the terrain, tested and evaluated a host of free and low-cost legal research sites and identified the best. Not only do they show you the sites, they provide detailed instructions on how to use them.

EU copyright law and private copying (MLPB, 28 Oct 2014) - João Pedro Quintais, University of Amsterdam, Institute for Information Law (IViR), and University of California, Berkeley, School of Law, is publishing Private Copying and Downloading from Unlawful Sources in the International Review of Intellectual Property and Competition Law (2015). Here is the abstract: Private copying is one of the most contested areas of EU copyright law. This paper surveys that nebulous area and examines the issue of copies made from unlawful sources in light of the ECJ's ACI Adam decision. After describing the legal background of copyright levies and the facts of the litigation, the paper scrutinizes the Advocate General's Opinion and the Court's decision. The latter is analyzed against the history of copyright levies, the ECJ's extensive case-law on the private copying limitation and Member States' regulation of unlawful sources. This paper further reflects on the decision's implications for end-users, rights holders, collective management organizations and manufacturers/importers of levied goods. It concludes that, from a legal and economic standpoint, the decision not only fails to be properly justified, but its consequences will likely diverge from those anticipated by the Court. Most worrisome is the Court's stance on the three-step test, which it views as a restrictive, rather than enabling, clause. In its interpretation of the test, the decision fails to strike the necessary balance between competing rights and interests. This is due to multiple factors: overreliance on the principle of strict interpretation; failure to consider the fundamental right of privacy; lack of justification of the normative and empirical elements of the test's second condition; and a disregard for the remuneration element in connection with the test's third condition. 
To the contrary, it is argued that a flexible construction of the three-step test is more suited to the Infosoc Directive's balancing aims.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Florida town to use blanket of surveillance cameras (USA Today, 27 April 2004) -- One of the nation's wealthiest towns will soon have cameras and computers running background checks on every car and driver that passes through. Police Chief Clay Walker said cameras will take infrared photos recording a car's tag number, then software will automatically run the numbers through law enforcement databases. A 911 dispatcher is alerted if the car is stolen or is the subject of a "be on the lookout" warning. Next to the tag number, police will have a picture of the driver, taken with another set of cameras - upgraded versions of the standard surveillance cameras already in place. If there is a robbery, police will be able to comb records to determine who drove through town on a given afternoon or evening. "Courts have ruled that in a public area, you have no expectation of privacy," said Walker, one of 11 sworn officers who protect Manalapan's 321 residents. Still, Walker says Manalapan's data will be destroyed every three months.

Ashcroft says surveillance powers should stand (CNET, 29 Jan 2004) -- The Bush administration is warning Congress not to tinker with the Internet surveillance powers that the USA Patriot Act awarded to federal police. In a four-page letter to the Senate on Thursday, Attorney General John Ashcroft said that defanging the controversial law, which has been criticized by every major Democratic presidential contender, would "undermine our ongoing campaign to detect and prevent catastrophic terrorist attacks." Were Congress to vote to amend the USA Patriot Act, Ashcroft indicated, President Bush would veto the bill. Ashcroft was responding to a proposal in the Senate called the Security and Freedom Ensured Act (Safe), which would amend the USA Patriot Act by slapping limits on current police practices relating to surveillance and search warrants. It is sponsored by Republican Sen. Larry Craig of Idaho and has 12 co-sponsors, including two other Republicans. Many portions of the Safe Act affect the ability of federal police to conduct Internet surveillance against not only terrorists but also suspected perpetrators of a broad range of drug-related, computer hacking and white collar crimes. The measure would amend the USA Patriot Act to require, for instance, that electronic-surveillance orders specify either the identity or location of the suspect and that the person be there at the time--a departure from current practice. "This is an overheated attack on a very modest bill," said Tim Edgar, legislative counsel for the American Civil Liberties Union. "It shows that the attorney general is afraid of the bipartisan momentum that is going forward to fix parts of the Patriot Act." Ashcroft identifies no terrorist plots that were thwarted by the existence of the USA Patriot Act, Edgar said. "It doesn't contain a single real example of why passage of the Safe Act would impede antiterrorism efforts. It's based entirely on speculation and misleading, slanted legal analysis." 
Another section of the Safe Act that Ashcroft criticized would increase privacy protections for library patrons who use public computers for e-mail and Web browsing. "The Safe Act would make it more difficult, in some circumstances, to obtain information about e-mails sent from public computer terminals at libraries than it would be to obtain the same information about e-mails sent from home computers," Ashcroft said. "Ironically, it would extend a greater degree of privacy to activities that occur in a public place than to those taking place in a home." In Bush's State of the Union address earlier this month, the president called on Congress to renew the USA Patriot Act. Some portions--though not all--expire Dec. 31.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, October 11, 2014

MIRLN --- 21 September – 11 October 2014 (v17.14)

MIRLN --- 21 September - 11 October 2014 (v17.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

PROGRAMS | NEWS | RESOURCES | LOOKING BACK | NOTES

PROGRAMS

Practical technology tools for mediators and dispute resolution professionals (CIJT) - Practical Technology Tools is an experiential course designed to introduce affordable and accessible online dispute resolution (ODR) technology to the practice of alternative dispute resolution (ADR). Instructors Daniel Rainey and Larry Bridgesmith are world-renowned experts and have taught ADR courses for over a combined 30 years. Participants will engage in four real-time lectures and discussions over a five-week period, with forums, wikis, directional study, and instructor guidance. Real-time lectures will take place Wednesday nights at 8pm EDT on October 22 & 29 and November 12 &19, 2014. All live classes are recorded for future viewing. [ Polley : I was on the IBO's Board of Directors until earlier this year, and highly commend them (and their offerings) to you.]

NEWS

N.Y. court authorizes service of legal documents via Facebook, when the physical address of the recipient is unknown (Eugene Volokh, 19 Sept 2014) - From Noel B. v. Anna Maria A. (N.Y. Fam. Ct. Sept. 12, 2014): The instant decision is with respect to this court's determination as to substituted service, specifically service via the Facebook social networking service. The Petitioner filed the instant action seeking to modify the order of child support based on the alleged emancipation of the sole subject child. The Petitioner appeared today and stated that he was unable to effect service upon the Respondent. He presented an affidavit dated July 6, 2014, in which the affiant noted that the Respondent was unknown to the occupant of the Respondent's last known address, who is described as a tenant of one month. The Petitioner then described under oath the other efforts he made to try and locate the Respondent to effectuate service. * * * While this court is not aware of any published decision wherein a New York state court has authorized service of process by means of social media, other jurisdictions have allowed such service. See Whoshere, Inc. v. Orun, 2014 WL 670817 (E.D. Va.), Federal Trade Commission v. PCCare247 Inc., 2013 WL 841037 (S.D.N.Y.). The court notes that in both those matters service via Facebook was directed to be made in connection with other means of service. Pursuant to CPLR § 308(5) the court authorizes substituted service by the following method: the Petitioner is to send a digital copy of the summons and petition to the Respondent via the Facebook account, and follow up with a mailing of those same documents to the previously used last known address. The Respondent can receive communications via social media, whereas her actual physical whereabouts are uncertain. The method detailed here by the court provides the best chance of the Respondent getting actual notice of these proceedings.

top

N.Y. financial regulator says to focus on cyber security (Reuters, 22 Sept 2014) - New York's financial regulator said on Monday his agency will focus on cyber security over the next year, saying the possibility of a systemic attack to the financial system is one thing that keeps him awake at night. "It is impossible to take it seriously enough," said Benjamin Lawsky, superintendent of the Department of Financial Services (DFS) for the state of New York. Cyberterrorism is "the most significant issue DFS will work on in the next year," he said, speaking at a Bloomberg Markets event at the Museum of Jewish Heritage in lower Manhattan. A report earlier this year by DFS on cyber security in the banking sector found that most institutions surveyed have come under cyber attack at some point in the past three years. The attacks came irrespective of the institutions' sizes, highlighting how prevalent an issue hacking has become.

top

- and -

FBI Director: China has hacked every big US company (Business Insider, 6 Oct 2014) - In his first major television interview, the director of the FBI has warned that Chinese hackers have embarked on a widespread campaign of cyberwarfare against the US. Speaking to CBS' "60 Minutes," James Comey had the following to say on Chinese hackers: "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."

top

ISO's new cloud privacy standard (Covington, 23 Sept 2014) - This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud - ISO 27018. Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that addresses key processor (and some controller) obligations under EU data protection laws. ISO 27018 builds on existing information security standards, such as ISO 27001 and ISO 27002, which set out general information security principles (e.g., securing offices and facilities, media handling, human resources security, etc.). By contrast, ISO 27018 is tailored to cloud services specifically and is the first privacy-specific international standard for the cloud. ISO 27018 seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer's approval. ISO 27018 also responds directly to EU regulators' calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment (see the European Commission's 2012 Cloud Strategy here). More specifically, the standard requires cloud providers to, among other things: * * *

top

9th Circuit creates problematic "failure to warn" exception to Section 230 immunity (Venkat Balasubramani & Eric Goldman, 23 Sept 2014) - Doe sued Internet Brands, Inc., the owner of Model Mayhem, alleging that two unrelated individuals drugged and assaulted her (and recorded her for a pornographic video). It's unclear precisely how the assailants used Model Mayhem, but the court merely says that they "used the website to lure [Doe] to a fake audition." Doe asserted a negligence claim against Internet Brands, alleging that it knew of the specific assailants in question and had a duty to warn her. Specifically, Internet Brands had purchased Model Mayhem in 2008, and later sued the sellers for failing to disclose the potential for civil liability arising from the activities of these same two assailants. A copy of Doe's complaint, which lays out the chronology, is here: [pdf]. The two individuals were arrested in 2007, Internet Brands bought the site in 2008, and sued the sellers in 2010. By August 2010, Doe claims that Internet Brands had the requisite knowledge. The district court dismissed on the basis of Section 230. See Internet Brands' motion to dismiss. The Ninth Circuit reverses, concluding that Section 230 does not bar Doe's duty to warn claim. According to the court, this isn't a case that's based on Model Mayhem's failure to remove content. In fact, the assailants are not even alleged to have posted any content ("The Complaint alleges only that "Jane Doe" was contacted by [the assailants] through ModelMayhem.com using a fake identity."). In contrast to being a case about the removal of third party content, the court says it's about content (i.e., a warning) that Model Mayhem itself failed to provide.
The court also says that imposing failure to warn liability is consistent with the overall purposes of Section 230, which as set forth in sections (c)(1) and (b) encourages self-regulation of offensive content and seeks to protect the free flow of information via intermediaries. [I don't know what the word is for when someone cites to authority that's the exact opposite of what it is cited for, but this is what happened here.] * * * This is a bombshell ruling and is similar in some ways to Garcia v. Google. Both involve a sympathetic plaintiff and a bad (in this case, horrific) set of facts, but both rulings also totally diverge from established precedent, and both create gaping doctrinal holes. (Here, there were a bunch of cases dealing with the exact same fact pattern that go the other way, e.g., Doe v. MySpace; Beckman v. Match.com; Doe II v. MySpace.)

top

- and, Steptoe's take on the case -

Ninth Circuit finds CDA not applicable to failure-to-warn claim (Steptoe, 9 Oct 2014) - The U.S. Court of Appeals for the Ninth Circuit has held, in Doe 14 v. Internet Brands, Inc., that a modeling website may be liable for failing to warn users about a rape scheme targeting users of a website owned by Internet Brands, Inc. The plaintiff may now pursue her claim of negligent failure to warn, which the district court had originally ruled was barred by the immunity provision in Section 230 of the Communications Decency Act (CDA), which protects against claims that treat a website as the publisher or speaker of content provided by third parties. The Ninth Circuit held that the plaintiff's "failure to warn claim had nothing to do with Internet Brands' efforts, or lack thereof, to edit or remove user generated content," meaning that Internet Brands cannot claim immunity under the CDA.

top

The State of Broadband 2014: Broadband for all (Benton Foundation, parsing an ITU report, 23 Sept 2014) - Over 50% of the global population will have Internet access within three years' time, with mobile broadband over smartphones and tablets now the fastest growing technology in human history. More than 40% of the world's people are already online, with the number of Internet users rising from 2.3 billion in 2013 to 2.9 billion by the end of this year. Over 2.3 billion people will access mobile broadband by end 2014, climbing steeply to a predicted 7.6 billion within the next five years. There are now over three times as many mobile broadband connections as there are conventional fixed broadband subscriptions. The popularity of broadband-enabled social media applications continues to soar, with 1.9 billion people now active on social networks. The Republic of Korea continues to have the world's highest household broadband penetration at over 98%, up from 97% last year. Monaco now surpasses last year's champion, Switzerland, as the world leader in fixed broadband penetration, at over 44% of the population. There are now four economies (Monaco, Switzerland, Denmark, Netherlands) where penetration exceeds 40%, up from just one (Switzerland) in 2013. The US ranks 19th globally in terms of number of people online, ahead of other OECD countries like Germany (20th) and Australia (21st), but behind the United Kingdom (12th), Japan (15th) and Canada (16th). The US has slid from 20th to 24th place for fixed broadband subscriptions per capita, just behind Japan but ahead of Macao (China) and Estonia. In total, there are now 77 countries where over 50% of the population is online, up from 70 in 2013. The top ten countries for Internet use are all located in Europe, with Iceland ranked first in the world with 96.5% of people online. 
The lowest levels of Internet access are mostly found in sub-Saharan Africa, with Internet available to less than 2% of the population in Ethiopia (1.9%), Niger (1.7%), Sierra Leone (1.7%), Guinea (1.6%), Somalia (1.5%), Burundi (1.3%), Eritrea (0.9%) and South Sudan (no data available). The list of the ten least-connected nations also includes Myanmar (1.2%) and Timor Leste (1.1%). [ Polley : the underlying ITU report is here.]

top

- and -

Akamai: average US broadband speed jumps to 11.4 mbps (TeleCompetitor, 30 Sept 2014) - The average U.S. broadband speed reached 11.4 Mbps in the second quarter of 2014, according to the latest Akamai State of the Internet report released today. That's an increase of 8.9% over the first quarter of 2014, which in turn saw a 9% speed increase over the last quarter of 2013. The 11.4 Mbps average broadband speed represented a 39% increase over the same period in 2013. The jump in average connection speed was not high enough to put the U.S. back in the top 10 countries measured by that metric, however. After finding itself in the top 10 for quarter after quarter, the U.S. fell off the top 10 list in the first quarter of 2014.

top

FBI gags state and local police on capabilities of cellphone spy gear (Washington Post, 23 Sept 2014) - The FBI requires state and local police to keep quiet about the capabilities of a controversial type of surveillance gear that allows law enforcement to eavesdrop on cellphone calls and track individual people based on the signals emitted by their mobile devices, according to a bureau document released recently under a Freedom of Information Act request. The December 2012 document is a heavily redacted letter between the FBI and police in Tacoma, Wash., as the local department sought to acquire an IMSI catcher, sometimes described as a "fake cellphone tower" because it tricks individual phones into routing their calls and other data through the surveillance equipment. The Tacoma police were buying gear produced by Harris Corp., a Florida-based company that makes the StingRay and other IMSI catchers used by law enforcement agencies across the country. The FBI letter, which was not classified but was designated as "law enforcement sensitive," told the Tacoma police chief that the Federal Communications Commission authorizes the sale of such surveillance equipment to state and local police departments on the condition that they first sign an FBI "non-disclosure agreement." The FCC last month began investigating reports of illegal use of IMSI catchers by foreign intelligence services and criminals, but has said it does not oversee the use of the surveillance gear by federal government agencies. Last week, the marketers of a device that's designed to detect IMSI catchers reported finding 18 in the Washington area over two days of searching. The locations, said the marketer of the GSMK CryptoPhone, included areas around the White House, the Capitol, the Russian Embassy and the cluster of defense contractors near Dulles International Airport.
The CryptoPhone was not able to determine whether the IMSI catchers were being used by the federal government, local police or some other entity.

top

- and -

FCC and FBI disagree over NDA requirement for police StingRays (BeaconReader, 8 Oct 2014) - The Federal Communications Commission insists that it does not require police departments to sign a nondisclosure agreement with the FBI before acquiring or deploying cell phone trackers. The FCC's response contradicts wording found in one such FBI nondisclosure agreement released last month by Tacoma police. The FBI and FCC have both declined to comment on the discrepancy, and the FBI has rejected another FOIA request for a log of agencies that have signed such nondisclosure agreements. * * *

top

General Motors appoints its first cybersecurity officer (Fortune, 24 Sept 2014) - Cybersecurity has been all over the news for the past few months. Attacks at Target and Home Depot have left customers rattled and wondering if their credit cards and bank accounts are safe from hackers. Some cybersecurity experts even believe that, sooner or later, hackers will be able to harm drivers through the computers that run modern vehicles. Now comes news that General Motors has appointed its first cybersecurity chief, Jeffrey Massimilla, who will be in charge of the efforts to protect the computers that run GM cars. GM says it has established "one integrated organization, Vehicle and Vehicle Services Cybersecurity, to deal with cybersecurity for vehicles and vehicle-connected services. This team will utilize our internal experts and work with outside specialists, to develop and implement protocols and strategies to reduce the risks associated with cybersecurity threats." Protecting the computers that run inside of cars will become increasingly important as car companies start making more autonomous and semi-autonomous cars.

top

Build it yourself (InsideHigherEd, 24 Sept 2014) - When Lynn University couldn't find a suitable gradebook and attendance-tracking application to fit its tablet-first campus, the institution decided to build one itself. Lynn is now two years removed from hosting the third presidential debate between President Obama and former Massachusetts Governor Mitt Romney, an event that prompted a major renovation of the university's networking infrastructure. Since then, Lynn has gradually replaced textbooks with iPad minis, using content produced by its own faculty members hosted on Apple's course management platform, iTunes U. The move to a tablet-centric model has not been without its growing pains. This winter, Lynn announced it would drop its learning management system, Blackboard Learn, and replace it with iTunes U -- even though that platform doesn't offer a way to track attendance or grades. While faculty members and students would like to see more customization options in their learning management systems, Apple's software is defined by the company's "walled garden" approach -- Apple determines how its software should be used, and users sign on to those restrictions. Lynn therefore had to look to other providers. The university considered a number of replacements to plug the hole in its suite of administrative software. It looked at software from Jenzabar, which provides the university's student information system; Canvas, Instructure's learning management system; even apps in the K-12 space, such as Edmodo. "We really didn't find any enterprise-ready solution that would work the way we envisioned it working for us," said Chris Boniforti, Lynn's chief information officer. "We decided late in the spring that we ought to just go and try to build this ourselves."

top

- and -

USC, Condé Nast and WIRED launch master of integrated design, business and technology degree (USC, 1 Oct 2014) - The University of Southern California, Condé Nast and WIRED announced a partnership on Oct. 1, 2014, to create a new online master's degree in Integrated Design, Business and Technology. The partnership creates an unprecedented learning experience, combining the expertise of the editors, writers, and designers at WIRED with the academic rigor of USC, a leading research university known for its pioneering interdisciplinary programs. The aim of the 18-24 month degree is to educate creative thinkers and technologists to better equip them to transform the world of industry and enterprise. The first cohort is scheduled to begin in the 2015-2016 academic year.

top

- and -

Crouching tiger, mobile university (InsideHigherEd, 2 Oct 2014) - The biggest news to come out of EDUCAUSE 2014 was the announcement that the sequel to Crouching Tiger, Hidden Dragon will be simultaneously released on Netflix streaming and in IMAX theaters next summer. Apparently the bricks and mortar legacy movie theater providers have their knickers in a twist about the Netflix plan, with AMC apparently vowing to boycott showing the movie in its 147 IMAX theaters. They can boycott all they want, but the writing is on the wall. The future of entertainment belongs to subscriptions and streaming, which really means the future of entertainment belongs to mobile. On what platforms are Netflix subscribers streaming their videos? In 2013, 23% of streaming occurred on mobile phones, 15% on tablets, 44% on computers, 17% on smart TVs, and 16% on computers connected to a TV. What is remarkable is that Netflix mobile phone streaming jumped from a base of 11% in 2012. By the summer of 2015, what percentage of Crouching Tiger, Hidden Dragon: The Green Legend will be watched on mobile devices? I'm betting over 50%. It seems a safe prediction that by 2020 mobile devices will account for almost all media consumption. Anyone willing to trade a 72 ft by 53 ft IMAX screen for a 4.7 inch iPhone screen to watch Michelle Yeoh will have no problem moving from consuming information from the back of the lecture hall to consuming information on an app. If our classrooms are like movie theaters, then our classrooms are hurtling towards extinction. The future will belong to the small seminar and the competency based credential (consumed on a mobile device no doubt). The place-based but impersonal model of teaching (think big lecture classes) will go away. This form of teaching will be replaced by adaptive mobile learning. Good riddance.

top

Auto-forwarding email constitutes interception under wiretap act, court finds (Steptoe, 25 Sept 2014) - The U.S. District Court for the Southern District of New York has found that setting up auto-forwarding to receive copies of another person's incoming emails is a violation of the federal Wiretap Act. In Zaratzian v. Abadir, the court granted the plaintiff's motion for summary judgment on the issue of whether her ex-husband, Adel Ramsey Abadir, committed an illegal "interception" by auto-forwarding her emails to his account without her permission after their divorce. The court assumed (without deciding) that an interception must be contemporaneous with the transmission of a communication in order to violate the Wiretap Act. But it determined that auto-forwarding an email constituted an interception because copies of the emails were made and forwarded "'within a second of each message's arrival and assembly.'"

top

Alabama trial judge reverses course, vacates restraining order against publishing gas company information (Eugene Volokh, 25 Sept 2014) - From Alabama Gas Corp. v. Advertiser Co. (Ala. Cir. Ct. Sept. 23, 2014): Pending is a Motion to Dissolve Temporary Restraining Order, filed by defendant, The Advertiser Company. In its motion, this defendant argues that the TRO entered on September 12, 2014, constitutes an improper prior restraint contrary to the rights afforded by the First Amendment to the U.S. Constitution and Article 1, § 4 of the Constitution of the State of Alabama. * * * At this stage, the court cannot see such a clear and present danger. In its motion for a temporary restraining order, the plaintiff raised the danger of terrorism and sabotage if data within its Distribution Integrity Management Plan were publicly disclosed. While such possibilities might exist, they now appear to be only vague phantoms. On reflection, the court finds that it too readily focused on such ghosts in entering the Temporary Restraining Order sought by the plaintiff. The plaintiff cites other grounds justifying the entry of the TRO here. It argues that the DIMP is private property not properly subject to public disclosure. While this may be true, it is also uncontested that the plaintiff voluntarily produced the DIMP to the Public Service Commission, thereby ceding unfettered control over its property. [ Polley : The rest of Prof. Volokh's posting supplies context and analysis.]

top

PacerPro is a better way to use PACER (Lawyerist, 27 Sept 2014) - PacerPro's creator, Gavin McGrane, doesn't have many negative things to say about PACER. Without PACER, he points out, nearly all federal court filings would be effectively inaccessible. Fine, fine. PACER is still a horrible user experience. Today McGrane showed me around PacerPro, his free alternative to PACER's clunky user interface. PacerPro is still adding courts, and McGrane wants to do much more with search, but even as-is, using PacerPro is light years better than using PACER. You can keep track of all your cases in one place, search multiple courts' PACER databases from a single search box, get search results that actually give you the information you need, download an entire docket with one click, and much more (here's the product overview PDF). Even better, PacerPro won't let users pay for a document more than once. If multiple users are watching the same docket, it will even run a round-robin to evenly distribute the PACER fees.

top

UK IT suppliers face cyber security requirement (ContractorUK, 29 Sept 2014) - All businesses must from next month meet a cyber security standard if they want to bid for government contracts involving handling information and providing IT services. In fact, 'Cyber Essentials' (CE) will be required of suppliers from October 1st on government work that includes the handling of sensitive or personal data and the provision of "technical products or services." The Cabinet Office adds that early adopters of the IT security certification include smaller firms like Nexor, Tier 3 and Skyscape, as well as larger ones like BAE Systems, Barclays, Vodafone and Hewlett Packard. The latter is already beginning to demand CE from its own supply chain, as HP Public Sector earlier this month said that the standard would become mandatory for all its suppliers, including 600 or so SMEs. Once these firms have the accreditation, it can also be used to show "non-government customers" that they take IT security "seriously," touted Francis Maude, the Cabinet Office minister. "It's vital that we take steps to reduce the levels of cyber security risk in our supply chain," he said, unveiling the two-tier accreditation for would-be government suppliers. "Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack." A new accreditation body, QG, has been set up to help those wanting to get CE, and it joins CREST and the IASME Consortium in appointing firms who certify company applications.

top

FCC considers banning use of term 'Redskins' (The Hill, 30 Sept 2014) - The Federal Communications Commission is mulling whether TV and radio stations should be banned from repeatedly saying the name of the Washington Redskins. Earlier this month, the FCC received a petition to deny renewing the license of Washington sports radio station WWXX-FM because it "deliberately, repeatedly and unnecessarily broadcasts the word 'R*dskins' during most of its broadcasting day, and especially in prime time." The word, which many consider to be an offensive slur against Native Americans, is no different from other racist, homophobic or sexist names, legal activist John F. Banzhaf III argued in his complaint. FCC Chairman Tom Wheeler told reporters on Tuesday that the commission is examining the complaint.

top

Ponemon Institute releases second annual study on data breach preparedness (Covington, 1 Oct 2014) - The second annual study on data breach preparedness was released by the Ponemon Institute on September 24, and the study indicates that the number of companies that have had a data breach is on the rise. Ponemon Institute conducts independent research on privacy, data protection, and information security policy. For the September 2014 study, Is Your Company Ready for a Big Data Breach?, Ponemon Institute surveyed 567 U.S. executives from organizations ranging in size from less than 500 to more than 75,000 employees about how prepared they think their companies are to respond to a data breach. It appears that for an overwhelming number of the study's participants, the answer to "Is your company ready for a big data breach?" is, unfortunately, "No." Here are a few of the study's key findings: * * *

top

Can you shoot down a drone on your land? New incident raises self-defense questions (GigaOM, 1 Oct 2014) - After a New Jersey man spotted his neighbor's camera-equipped drone flying over his house this week, he fetched a shotgun and peppered the drone with holes, knocking it from the sky. Did he have a right to do so? Even though local police arrested the man on unlawful weapons charges, some people will feel he had the right to defend himself against an unlawful robot intrusion. More broadly, the episode highlights an emerging issue as more drones take to the skies: how to balance the rights of drone owners against people's rights to privacy and self-defense. Under common law traditions, the New Jersey man appeared well within his rights to shoot down the drone. As the famous 17th century jurist Edward Coke explained, "whoever owns the soil, it is theirs up to Heaven" and "the house of an Englishman is to him as his castle" - implying that property owners can use force against invaders. These days, of course, it's not so cut and dried. The arrival of airplanes meant property rights no longer extend right to the sky, while the so-called "Castle doctrine" typically requires a home owner to fear injury before she can use force. This means you better think twice before blasting away at the Phantom 2 hovering above your lawn. "Generally speaking, tort law frowns on self-help and that includes drones," says Ryan Calo, a robotics and cyber-law scholar at the University of Washington. "You would probably have to be threatened physically, or another person or maybe your property, for you to be able to destroy someone else's drone without fear of a counterclaim." The reason you can't simply shoot a person (or cow) who steps on your lawn is that the harm would likely outweigh the threat to your privacy and your property.
But when using force against a drone, the calculation is different: the drone is likely recording and it may be armed and, unlike other trespassing vehicles, you can't just tow it away. These are some of the factors that have led Michael Froomkin, a University of Miami law professor, to suggest that people have a greater right to use force against drones and other robotic intruders. "If one is entitled to assume the worst then, in the absence of persuasive notice that the robot is harmless, the victim of robotic trespass frequently will be privileged to employ violent self‐help," wrote Froomkin, a co-author of a recent paper titled "Self Defense against Robots." The paper doesn't claim people have a right to waste anything that flies on their land, of course. But it does suggest that, especially in rural areas, courts may find a privilege to shoot down trespassing drones - a conclusion that would be a logical extension of the Castle doctrine.

top

The criminal indictment that could finally hit spyware makers hard (Wired, 1 Oct 2014) - The indictment this week of the man behind an app designed for surreptitiously monitoring cellphone activity is only the second federal case filed against someone involved in the commercial sale of so-called spyware and stalkingware. But the case could have negative implications for others who make and sell similar snooping tools, experts hope. The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them, but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target's phone, all of which customers of the software could view online until the government succeeded in temporarily closing the Virginia-based site (.pdf) that hosted the stolen data. Authorities arrested CEO Hammad Akbar, a 31-year-old Pakistani resident, on Saturday in Los Angeles following his indictment in Virginia on federal wiretapping charges (.pdf), which include conspiracy to market and sell a surreptitious interception device. "StealthGenie has little use beyond invading a victim's privacy," U.S. Attorney Dana J. Boente of the Eastern District of Virginia said in a statement about the case. "Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners."

top

JPMorgan Chase hacking affects 76 million households (NYT, 2 Oct 2014) - A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever. The details of the breach - disclosed in a securities filing on Thursday - emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others was compromised at Target, while an attack at Home Depot in September affected 56 million cards. But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers' credit card details and potentially includes more sensitive data. Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks. Hackers drilled deep into the bank's vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts. By the time the bank's security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank's computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access. [ Polley : There are weird reports of strange aspects to this intrusion, and I believe there's much yet to be learned about what's happening here. E.g., Hackers' attack cracked 10 financial firms in major assault (NYT, 3 Oct 2014).]

top

Cyber coverage experiences growing pains (Claims Journal, 3 Oct 2014) - In light of businesses' increasing use of information, assets and advancing technology, insurers are pulling away from cyber coverage, according to Kevin Kalinich, global practice leader of cyber risk insurance at Aon Risk Solutions. "A big misconception is that these are creating worse exposures or more severe exposures, but they're creating different exposures," said Kalinich. He said insurers are reconsidering capacity and the scope of coverage as a result. "The smart insurers are differentiating the insureds now. The smart insurers are taking a look at IT security…who integrates their IT security into an overall risk management strategy that makes it part of the culture of the entity that they might insure," Kalinich said. "The insurers are taking a strong, second look at each of their insureds now in the cyber insurance market." While retailers and financial institutions gain significant media attention from data breaches, a recent review by Travelers of its claims data revealed that other industries also are regularly targeted for cyber-attacks, including professional services firms and educational institutions.

iPhone encryption and the return of the crypto wars (Bruce Schneier, 6 Oct 2014) - Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it. From now on, all the phone's data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user's iPhone data is now more secure. To hear U.S. law enforcement respond, you'd think Apple's move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into people's iPhones. In the words of cyberlaw professor Orin Kerr, "How is the public interest served by a policy that only thwarts lawful search warrants?" Ah, but that's the thing: You can't build a "back door" that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You're either vulnerable to eavesdropping by any of them, or you're secure from eavesdropping by all of them. Back-door access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006. In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with U.S. government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

Does using Gmail put attorney-client privilege at risk? (ABA Journal, 8 Oct 2014) - Imagine that a direct marketer has offered a lawyer free services, such as photocopying, in exchange for being allowed to scan client files for research purposes. Is client consent required? Is this project a good idea, even if clients do consent? The answers to those questions are obvious, and it is nearly as clear that lawyers may be taking a risk by using Gmail and Google Apps for Business, attorney Chris Castle writes in a recent Texas Lawyer (sub. req.) column. Lawyers are arguably required to obtain express client consent to Google's data harvesting under Texas Disciplinary Rule of Professional Conduct 1.05. It says attorneys cannot use "privileged information of a client for the advantage of the lawyer or of a third person, unless the client consents after consultation," Castle writes, and Google's free email and business apps arguably constitute such an advantage for the lawyer. Meanwhile, in order to maintain attorney-client privilege, communications need to be confidential. Does Google's scanning of email and data harvesting violate this requirement? That question has not been definitively answered, according to Castle, but risk-averse lawyers may want to reconsider if they are relying on Gmail. While other alternatives may be more costly and less convenient, "it seems that the ethical issues surrounding obtaining a client's consent to Gmail data harvesting may well be more trouble than Gmail is worth," he writes. [ Polley : this is nuts; the comments are worth reading.]

Law firm Shook Hardy achieves ISO 27001 certification (Ride the Lightning, 8 Oct 2014) - Shook Hardy & Bacon recently announced that it had obtained ISO 27001 certification of its information security management system. A globally recognized standard for information security management systems, ISO 27001 certification requires that a company show a systematic and ongoing approach to managing sensitive information. Shook began pursuing certification 18 months ago. To maintain its standing, Shook must undergo annual audits to assess its maintenance of high standards. While the pursuit of ISO 27001 is gaining momentum among law firms, certification itself is not standard across the industry. According to a presentation at the International Legal Technology Association's LegalSEC conference in June 2014, certification had been achieved by at least 12 large law firms, half of which are based in the United Kingdom. Another 16 U.S. firms were identified as "working toward or investigating certification." While law firms have not exactly been racing toward certifications, it is clear that clients are beginning to demand evidence that law firms are taking cybersecurity seriously. Watch for more firms to follow suit - it is simply the cost of doing business - as the smarter firms are learning. Clients are more likely to hire and stay with a firm that they trust to safeguard their data.

Harvard Law Review claims copyright over legal citations; now challenged by public domain effort (TechDirt, 8 Oct 2014) - If you're not a copyright geek, you might not be aware of the copyright saga revolving around the Harvard "Bluebook." The Bluebook is basically the standard for legal citations in the US. It's technically owned by an organization that is effectively made up of four top law schools. For a variety of reasons, the idea that citations can be covered by copyright is troubling to a lot of folks, but the Harvard Law Review, in particular, has stood by the copyright in The Bluebook (for which it makes a pretty penny each year). Last year, there was a fight over this, best summed up succinctly by Carl Malamud in this short BoingBoing post. * * * The story has now taken an interesting twist, as Malamud, with the help of NYU law professor Chris Sprigman, has now sent a new letter to Harvard, pointing out that the 10th edition of The Bluebook is actually in the public domain, seeing as someone forgot to renew the copyright. Now, the 10th edition is obviously way off from the current 19th edition... but since much of the 19th edition survives from the 10th edition, that would suggest that much of The Bluebook is also public domain. Malamud's Public Resource is going to create an alternative to The Bluebook, called Baby Blue, which will make use of the public domain portions of the book.

Five hot tips for researching on Google Scholar (Attorney at Work, 8 Oct 2014) - If you are seeking ways to reduce your legal research costs, here is one good option: Google Scholar. It is an online research service you can use to find cases and secondary sources for free. If you want to know how to harness the power of Google Scholar - and impress your colleagues and clients with your stellar research skills - here are five good tips to get you started. 1. Extensive database of cases. Google Scholar has an extensive database of reported cases from state and federal courts. The database covers cases from the United States Supreme Court (since 1791), the U.S. Courts of Appeals and U.S. District Courts (since 1923), and supreme courts and intermediate appellate courts from all states (since 1950). If you can't find any relevant cases within those date ranges, you probably should consider settling your lawsuit. 2. Reliable search algorithm and advanced searching. Google's effective search algorithm powers Google Scholar. When searching for federal and state cases using keywords, the relevancy of the results is comparable to the results on WestlawNext and Lexis Advance (but let that be our little secret). Like those paid services, Google Scholar will likely return relevant results even if you do not use the proper terms of art. 3. Useful proximity connector. Most free services don't allow users to run searches where various terms appear in the same sentence or paragraph. But Google Scholar has one proximity connector: AROUND. Apparently, Google wants only the "in-crowd" to know about this search functionality; in fact, it does not even mention the connector "AROUND" on the official Google Scholar Blog. After experimenting with this proximity connector, I learned a few useful things * * *

The Reader has no clothes (InsideHigherEd, 9 Oct 2014) - Chances are, you've heard the troubling news that the new version of Adobe Digital Editions is a privacy train wreck. Nate Hoffelder broke the news at The Digital Reader. The two key issues (apart from the fact that this software transmits an awful lot of data to the mothership about what exactly you are reading, including which pages you read and at what IP address) are that it hunts for all of the ebook files on your reading device and sends information about them to Adobe, and that all of that data is sent in plain text, meaning that anyone who intercepts the information can read it without any trouble, which is not just a privacy violation, it's a disturbingly amateurish way to do things on the internet. So it's both embarrassing AND a huge privacy breach. A twofer. Librarians who have ebook collections need to inform their patrons right now that if they are using the latest Adobe Digital Editions software, their reading history, including ebooks they didn't borrow from the library, belongs to Adobe and anyone else who's watching. (See how librarians at Ryerson responded within 24 hours.) Next, they have to figure out what steps to take to fix the problem. Beyond that, we all need to have a serious conversation about whether our devotion to privacy is merely lip service, an old-fashioned hang-up we have decided doesn't matter anymore and should scrub from the American Library Association website, or whether we will actually, you know, stand up for it. Because right now, that's not happening. I couldn't explain the problem better than Andromeda Yelton has, so I won't try. I'll just share a few of my thoughts. * * *

RESOURCES

Cybersecurity for government contractors (Covington, April 2014) - This Briefing Paper presents a comprehensive summary of the key legal issues and evolving compliance obligations that contractors now face in the federal cybersecurity landscape. It begins with an overview of the most prevalent types of cyber attacks and targets, as well as the federal cybersecurity budget. Next, the Paper outlines the current federal cybersecurity legal requirements applicable to Government contractors, including statutory and regulatory requirements, the President's 2013 cybersecurity Executive Order (E.O.), and the resulting "cybersecurity framework" issued by the National Institute of Standards and Technology (NIST) in February 2014, and highlights further developments expected this year. Finally, it identifies and discusses the real-world legal risks that contractors face when confronting cyber attacks and addresses the availability of possible liability backstops in the face of such attacks.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Most Third World e-Govt projects fail: World Bank (The Age, 8 Nov 2004) -- Eighty-five percent of e-government projects in developing countries fail either partially or fully, a World Bank official says. "It is estimated approximately 35 percent of e-government projects in developing countries are total failures and approximately 50 percent are partial failures," Robert Schware, World Bank lead informatics specialist, said on Friday. E-government refers to the use of information and communications technologies to improve the efficiency, effectiveness, transparency and accountability of government. The World Bank funds many e-government projects worldwide, such as developing e-trade facilitation systems, e-procurement pilots and one-stop government gateways. "Only some 15 percent can be fully seen as success. There are equal numbers of very sad statistics about the number of failed implementations in the US and Europe," Schware told delegates at a seminar on e-government. In India, half of the 200 ongoing e-governance projects were bound to fail, he said. "By failure I mean the inability to deliver government services that provide benefit to citizens or business."

Ban is eased on editing foreign work (New York Times, 5 April 2004) -- The federal government has eased a ban on editing manuscripts from nations that are under United States trade embargoes, a move that appears to leave publishers free once again to edit scholarly works from Iran and other such countries. The Treasury Department sent a letter on Friday to a lawyer for the Institute of Electrical and Electronics Engineers, an international group representing more than 360,000 engineers and scientists, saying the organization's peer review, editing and publishing was "not constrained" by regulations from the department's Office of Foreign Assets Control. The group says its members produce 30 percent of the world's literature in electrical and electronics engineering and computer science. The letter from the Treasury Department referred specifically to publishing by the institute, but Arthur Winston, the group's president, said he believed the ruling would be "a relief for nearly everyone" in the scholarly publishing community. "The ruling eliminates potentially disturbing U.S. government intrusions on our scholarly publishing process," Mr. Winston said. No one at the Treasury Department could be reached for comment Sunday night on the ruling. The department and publishers have long quarreled over the exemption of "information or informational materials" from the nation's trade embargoes. Congress has generally allowed such exemptions. Nonetheless, the Treasury Department sent out advisory letters over the past year telling publishers who were editing material from a country under a trade embargo that they were forbidden to reorder paragraphs or sentences, correct syntax or grammar, replace "inappropriate words" or add illustrations. The advisories concerned Iran, but experts said the ruling seemed to extend to Cuba, Libya, North Korea and other nations with which most trade is banned without a government license. In theory, even routine editing on manuscripts from those countries could have subjected publishers to fines of $500,000 and 10 years in jail.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.