Saturday, September 20, 2014

MIRLN --- 1-20 September 2014 (v17.13)

MIRLN --- 1-20 September 2014 (v17.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


Court holds that online posting of patient medical information constitutes "publication" sufficient to trigger a general liability insurer's duty to defend (Hunton & Williams, August 2014) - On August 7, 2014, the United States District Court for the Eastern District of Virginia held in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917 (E.D. Va. Aug. 7, 2014), that online posting of patient medical information constituted "publication," whether or not it was viewed by a third party, and therefore triggered the insurer's duty to defend its insured against a class action seeking damages for breach of privacy claims.


Getting to EDD competency in California (LTN News, 29 August 2014) - The State Bar of California issued Formal Opinion Interim No. 110004 in April, addressing an attorney's ethical duties in handling the discovery of electronically stored information. Getting to the interim opinion has been a long and winding road, to borrow a phrase from Paul McCartney. The comment period closed on June 24. The end of the road is near. Two years ago, at its August annual meeting, the American Bar Association added a technology component to the comments in Model Rule 1.1 in the ABA Model Rules of Professional Conduct. The rule states that a "lawyer shall provide competent representation to a client." The comment added to the obligation that lawyers should keep abreast of changes in the law, "including the benefits and risks associated with relevant technology." (See "ABA Adopts Ethics Policy on Lawyers' Use of Technology.") Achieving competency in technology is fleeting, relative to the complexity of the task and the software used to accomplish it. And just when you think you know the task and the tools, the technology changes, leaving you less than competent - perhaps incapable - and perhaps putting clients at risk. State bar associations have been grappling with how Model Rule 1.1 and its comments will apply, especially in the discovery of electronically stored information in litigation. The State Bar of California recognizes that the ethical duty of competence will evolve, case by case, as new technologies are integrated with law practice. The interim opinion was published in April to gauge its membership on the proposition that competence in litigation includes a basic understanding of electronic data discovery. The interim opinion is advisory only, not binding on courts and members of the bar.
But it should serve as a call to arms for California attorneys because the final opinion will interpret Rules 3-100, 3-110 and 3-210 regarding competency in the Rules of Professional Conduct of the State Bar of California and the California Business and Professions Code Section 6068.


- and -

Texas Supreme Court limits reach of pre-suit discovery (Eric Goldman's blog, 16 Sept 2014) - The Texas Rules of Civil Procedure provide potential plaintiffs in Texas courts with the broadest power to conduct pre-suit discovery in the country. Under Rule 202, a Texas court can authorize a pre-suit deposition to investigate a potential claim before an actual lawsuit is filed. Rule 202 has been used in numerous contexts, but plaintiffs increasingly have found Rule 202 to be the preferred path for investigating claims involving on-line activities, as it allows them to notice a deposition of an on-line service provider, hosting company or web site operator in order to gather info on users who are the actual targets of the investigation. In many cases, Rule 202 has been invoked as a weapon by plaintiffs seeking to unmask the identity of anonymous users. Recently, the tide turned. In In re John Doe a/k/a "Trooper", the Texas Supreme Court limited the reach of Rule 202 pre-suit depositions by holding that the trial court in a Rule 202 proceeding must have personal jurisdiction over not only the respondent (the party whose deposition is sought), but, if applicable, also over the subject(s) of the pre-suit investigation about whom the respondent is expected to be deposed. This important ruling significantly narrows the scope of Rule 202 and substantially decreases the ability for an aggressive plaintiff to use Rule 202 to route around discovery limitations and other procedural safeguards that might protect the target of their investigation in Texas or in the target's home state.


Law firm Imhoff & Associates suffers data breach (Ride The Lightning, 2 Sept 2014) - SC Magazine reported on August 27th that Imhoff & Associates PC, a multi-jurisdictional criminal defense law firm, has sent out data breach notifications to clients after a firm backup hard disk (apparently unencrypted) was stolen from the locked trunk of an employee's vehicle. The theft took place on June 27th and the hard drive has yet to be recovered. The firm is notifying an undisclosed number of individuals that their personal information was stolen including Social Security numbers, names, addresses, phone numbers, birth dates, e-mail addresses and driver's license numbers. The firm noted in its letter that it is strengthening internal processes regarding encryption, and enhancing policies, procedures and staff education on the safeguarding of company property and information. All impacted individuals are being notified and offered a free year of identity theft protection services.


- and -

Viruses are more common at law firms than encryption, ABA survey shows (Robert Ambrogi, 12 Sept 2014) - Nearly half of law firms were infected with viruses, spyware or malware last year, according to the latest ABA Legal Technology Survey Report. At the same time, only a quarter of law firms had any kind of email encryption available for their lawyers to use, the survey found. Also, 14% of law firms experienced a security breach last year in the form of a lost or stolen computer or smartphone, a hacker, a break-in or a website exploit. Taken together, these findings paint a sorry picture about the state of law firm security: Viruses are common; encryption is not. In the survey, 45% of respondents said that their law firm technology had been infected with a virus, spyware or malware. That was more or less the same as the two prior years (43% in 2013 and 44% in 2012) and down from 55% in 2011. Firms of 2-9 attorneys were most likely to have had a virus (51%), while firms of 500 or more attorneys were least likely (31%). Another 28% of respondents could not say whether their firm had been infected. On the bright side, of those who reported an infection, 48% said it resulted in no business losses or breaches. The most common negative results from virus infections were downtime/loss of billable hours (42%), consulting fees for repair (37%), and temporary loss of network access (25%).


- and -

Unprepared law firms vulnerable to hackers (Pittsburgh Tribune, 14 Sept 2014) - Computer hackers are targeting top international law firms, including Pittsburgh-based K&L Gates, to steal intellectual property data and trade secrets, the Tribune-Review found. Cyber criminals stepped up attacks against lawyers to get around defenses set up by their corporate clients, who became more protective of their computer systems, legal and cybersecurity experts said. Too often, law firms do not employ the same high level of cybersecurity precautions that many major corporations practice, experts told the Trib. In addition, experts said these hackers increasingly work on behalf of foreign governments - or at least with their implicit protection. "Law firms are a rich target," said Patrick Fallon Jr., the FBI's assistant special agent in charge of the Pittsburgh field office. "They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting." Federal prosecutors in Pittsburgh charged Chinese military hackers this year with stealing attorney-client communications from SolarWorld, an Oregon-based solar panel manufacturer. Computer attacks on law firms happen every day, Fallon said, and the FBI warns attorneys about the threat. Many law firms don't do enough to protect their computer systems, especially against an attack sponsored by a foreign government, agreed Thomas Hibarger, managing director of Stroz Friedberg, a law firm in Washington. "Protecting against state-sponsored hackers is a big undertaking, and many firms have not devoted adequate resources to address this threat," Hibarger said. "Nation-state hackers are very, very sophisticated and targeted in their approach, and it is likely they will succeed."
For corporate clients with strong computer defenses, a poorly prepared lawyer can be like an unlocked back door into an otherwise secure operation, said Vincent Polley, a lawyer in Bloomfield Hills, Mich., who co-wrote the American Bar Association's cybersecurity handbook. Because of the high cost of cybersecurity and the hassle of protecting documents, firms often are reluctant to invest in necessary technology. "Lawyers aren't technologically adept. They're not particularly interested in technology, and they're loath to spend the resources - both time and money - to harden data" protection, Polley said.


As corporate boards get hip to security, IT execs can't hide behind 'jargon,' says Cisco CSO (WSJ, 3 Sept 2014) - Months after the Target Corp. breach, and with reports of a possible Home Depot Inc. breach now on everyone's minds, corporate boards are finally figuring out the right security questions to ask, says John Stewart, chief security officer at Cisco Systems Inc. "Over the past 18 months, I've briefed 12 different boards of directors on what security questions they're supposed to ask executives," Mr. Stewart said, Wednesday, at a conference in San Francisco. Cybersecurity breaches have happened for years, but the Target breach was the "tipping point" for corporate board involvement, said Mr. Stewart. Now, the potential breach at Home Depot underscores the point that cybersecurity is a risk that must be managed at the board level, he added. "After the Target breach happened, one of the first things I was asked by the board was, 'could it happen to us and if no, why not?'" said Rich Mason, chief security officer and vice president at Honeywell International, speaking on another panel at the conference sponsored by Box Inc. "The security questions are coming up faster and more frequently," he said. The National Association of Corporate Directors has also stepped up its education efforts after 90% of directors surveyed said they wanted to know more about cybersecurity. In June, the NACD released a Cyber-Risk Oversight Handbook, created with the Internet Security Alliance and American International Group. The handbook covers board composition, liability implications, disclosure issues, access to expertise and risk appetite calibration.


- and -

Addressing security with the board: tips for both sides of the table (CIO, 11 Sept 2014) - In the boardroom, when it comes to addressing the topic of security, there's tension on both sides of the table. It doesn't happen all the time, but when it does, the cause of the friction is usually security executives and board members - each with vastly different areas of expertise and interest - pushing to get what they want out of the discussion while keeping business goals intact. Stephen Boyer, the co-founder and CTO of BitSight Technologies, a company that uses public data to rate the security performance of an organization, shared some thoughts with CSO recently, geared towards moving the discussions forward past the deadlock. Since there are two sides to the issue, Boyer shared two sets of tips; one set for the board and the other set for the executives speaking to them. * * *


A platform for all purposes (InsideHigherEd, 4 Sept 2014) - The online education platform provider EdCast, Silicon Valley's latest contribution to the ed-tech space, wants to be simultaneously massive and intimate, private and public -- and preferably to stay out of the spotlight. In simple terms, EdCast is a service provider built on top of Open edX, the Cambridge, Mass.-based MOOC provider's open-source initiative. The company will help institutions -- and particularly groups of institutions working together -- build their own online education platforms where they can run multiple instances of the same courses, removing the need for institutions to do the coding themselves. On Wednesday, the United Nations-backed Sustainable Development Solutions Network unveiled one example of what an EdCast-powered platform may look like. The network, which has more than 200 university and organizational members, now has its own online education portal: SDSN.edu. Jeffrey D. Sachs, the Columbia University professor of health policy and management who directs the network, will teach the first of three planned courses, titled "The Age of Sustainable Development." The course launched on Coursera this January, and will be offered again on that platform this fall.


Conversations, clicks, community, and content (InsideHigherEd, 4 Sept 2014) - How a school handles its social media endeavors says a lot about the culture on its campus. Some institutions treat their social media channels like virtual billboards. Content is pushed out, conversations rarely take place, and posts get little to no engagement. It's essentially a hallmark of the old ways of doing communications. Think of it as PR 1.0...it's not engaging and it's certainly not adding very much value for the various audiences who like to engage with a school. Contrast that type of social media use with what most agree as being part of the best practices communications mix: conversations, reciprocity, customer service, community-driven content, and a commitment to engagement-oriented missives. Additionally, social media policies at a school can give you insight about the climate of a campus. Some institutional policies are quite restrictive when it comes to how they frame social media use by campus communicators. A quick read of social media guidelines/policies for a school can be quite telling. Oftentimes, if a school's policies read as being fairly restrictive when it comes to social media use, it's due to a lack of understanding of the medium by those in leadership positions. Consistently, those in senior leadership positions at institutions will ask me about the value of social media. The value of something is almost always a bit tricky to measure. Thankfully, there are a number of sites that provide social media metrics. In fact, Twitter has recently opened up access to a fair amount of tweet data. Drilling down into specific data for individual tweets is helpful for figuring out what types of content are working for your account. For example, when I retweeted this tweet from an ed tech event, I had no idea that it would garner so many retweets and favorites. Twitter's analytics provide all sorts of metrics for strategic communicators.
You can see how many people have clicked on a hashtag in one of your tweets as well as the number of times viewers have emailed, retweeted, favorited, and clicked on links in your tweet. * * *


Google settles with photographers over book scanning lawsuit (TNW, 5 Sept 2014) - Google has announced a settlement with a coalition of photographers over use of their work in its Google Books scanning project. The photographers first filed suit against Google in 2010. Terms of the deal have not been disclosed, but all parties are said to be "pleased" with the agreement, which includes funding for the PLUS Coalition for better image licensing. Google Books has caused a world of legal trouble for the company. In 2012, Google settled an extended disagreement with book publishers over the project. Last year, it emerged victorious over the Authors Guild, which filed an appeal earlier this year.


Should lawyers look to online dispute resolution to resolve disputes with clients? (Carolyn Elefant, 5 Sept 2014) - Online dispute resolution is rapidly gaining traction. Modria, a leading online dispute resolution (ODR) platform, boasts that its service is used to settle more than 60 million cases annually. Yet even though ABA task forces have studied, and appear to endorse ODR, I've not found much mention of the potential uses of ODR to resolve disputes between lawyers and clients. Currently, in most state ethics codes, lawyers may include binding arbitration clauses in representation agreements for resolution of legal malpractice disputes. But should lawyers consider including ODR clauses instead - not necessarily as binding requirements but perhaps as prerequisites to litigation? Consumers are already familiar with the ODR process as it's used widely in e-commerce, so they would understand the need to adequately document their claims. And while granted, the relative ease of ODR could invite groundless fee disputes from clients, that's probably preferable to posting negative reviews or filing a grievance. Attorneys could benefit from ODR also, using it to attempt to collect debts owed from clients. I realize that going after fees always raises the prospect of malpractice or a grievance, but because ODR is less intimidating than a court process, perhaps clients would be less likely to retaliate. Or not - this may be purely wishful thinking. And even if attorneys don't make the option of ODR available through participation in a third party service, bar associations could offer online fee dispute resolution. Many bars offer this service already but ODR would make it faster and more efficient as well.


The Potemkinism of privacy pragmatism (Chris Hoofnagle, 5 Sept 2014) - A revolution is afoot in privacy regulation. In an assortment of white papers and articles, business leaders - including Microsoft - and scholars argue that instead of regulating privacy through limiting the collection of data, we should focus on how the information is used. It's called "use regulation," and this seemingly obscure issue has tremendous implications for civil liberties and our society. Ultimately, it can help determine how much power companies and governments have. You are probably familiar with privacy laws that regulate the collection of data - for example, the military's famous "don't ask, don't tell, don't pursue." When you interview for a job, the employer should not ask you about your religion, your plans to have children, or whether you are married. There's also the national movement to "ban the box" to stop collection of arrest and old conviction data on job applications. In a use-regulation world, companies may collect any data they wish but would be banned from certain uses of the data. In U.S. law, a good example of use regulation comes from credit reporting. Your credit report can be used only for credit decisions, employment screening, and renting an apartment. Or consider your physician: Her professional norms encourage expansive data collection, but she can use medical records only to advance patient care. Bans on data collection are powerful tools to prevent institutions from using certain knowledge in their decision-making. But advocates of use regulations have some compelling points: Collection rules are too narrow by themselves. They ignore the real-life problem that we just click away our rights for the newest free service. And, increasingly, technologies gather data with no realistic opportunity to give notice to the individual at all. Some of these technologies can be used to infer knowledge about the very issues collection limitations attempt to protect.
For instance, consider the Target Corporation's ability to infer that a shopper was pregnant when she went from buying scented to unscented lotion. Use regulations shift the pressure away from notice and choice, making a more universal set of rules for data. * * *


China launches man in the middle attack against Google (InfoSecurity, 5 Sept 2014) - The Chinese authorities have launched a man-in-the-middle attack campaign against users of the country's research and education network CERNET who try to search via Google, in a bid to monitor and censor the HTTPS site. Non-profit anti-censorship body Greatfire.org claimed that the attacks are similar to those believed to have been sanctioned by Beijing in January 2013 against developer site Github. They first came to light when users of CERNET, who unlike regular Chinese netizens are allowed access to usually blocked foreign sites, complained on social media that they'd begun receiving warning messages about invalid SSL certificates. "By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results." Greatfire said it's basing its conclusions on expert advice from network security monitoring firm Netresec, which analyzed the original MITM attacks on Github last year. [Polley: I know of US companies that are running MITM attacks against their own employee/users, enabling review of traffic to secure against improper disclosures.]


New NIST forensic subcommittee on digital evidence (NIST, 8 Sept 2014) - Digital evidence, one of the fastest growing areas of forensic science, will now have its own subcommittee in the National Institute of Standards and Technology (NIST)-administered Organization of Scientific Area Committees (OSAC). NIST is establishing the OSAC to identify and develop national standards and guidelines for forensic science practitioners to strengthen forensic science in the United States. Forensic science practitioners, academic researchers and others with expertise in digital evidence are encouraged to apply for one of up to 20 voting positions on the new Digital Evidence Subcommittee by Sept. 30, 2014. Those who previously applied for membership on other subcommittees should reapply if they wish to be considered for the Digital Evidence Subcommittee. The OSAC's Forensic Science Standards Board agreed to add digital evidence as a subcommittee under the IT/Multimedia Scientific Area Committee in a teleconference with NIST staff on Sept. 3. NIST recently finalized membership of all five scientific area committees - IT/Multimedia, Biology/DNA, Chemistry/Instrumental Analysis, Crime Scene/Death Investigation and Physics/Pattern.


Is Bitcoin money? (Anita Ramasastry, 9 Sept 2014) - Bitcoin confounds lawmakers as they try to figure out what it is and how it should be regulated. The Bitcoin Foundation notes that Bitcoin is an innovative payment network and a new kind of money. But is it money? Some call it a new form of virtual currency. Others have lauded it as a new type of payment system. So what is it? And why does it matter? What we call it may not matter much in casual conversation, but how it is categorized does have significant implications when it comes to regulation. If it is "money" or "currency," then existing laws and regulations may apply to businesses and consumers who issue, sell, or transact with Bitcoin. From banking laws to anti-money-laundering laws and tax regulations - whether these laws apply to the use of Bitcoin depends on how Bitcoin is classified. At present there is no consensus as to what we should call Bitcoin or how it should be defined for purposes of applying legal rules. As I will discuss in this column, courts and regulators are coming up with different theories and classifications as a way of figuring out whether this new product/payment vehicle is or is not covered by different laws. As I will also discuss, it appears that lawmakers, at times, restrict the term "money" or "currency" to refer only to government-issued money or legal tender. This conflicts with basic definitions of money, found in both economics texts and in dictionaries. If certain laws are meant only to deal with government-issued currencies, then perhaps we should revise statutory definitions to make such distinctions clearer. In the meantime, we will need to sit back and watch regulators around the globe grapple with whether or not Bitcoin is "money."


- earlier this year -

Is UCC Article 9 the Achilles heel of Bitcoin? (Credit Slips, 10 March 2014) - Last week, Professor Lynn LoPucki called me up and asked a good question. Why hasn't Bitcoin fallen apart because of the operation of Article 9 of the Uniform Commercial Code (UCC)? It is a really good question. With Lynn's permission, I am writing up a blog post about our conversation, but it was Lynn who first identified the issue. As many readers will know, all 50 states have enacted the UCC with only minor variations. Article 9 governs security interests in personal property - that is, movable and intangible property as opposed to land and buildings. The bank that gave you a car loan has an Article 9 security interest in the automobile serving as collateral for the loan, and the bank providing operating capital for your corner bakery similarly may have an Article 9 security interest in the inventory, equipment, and accounts at the store. Article 9 is one of those laws that only specialists tend to know, but it plays an important role in the flow of commerce. The bakery example was deliberate given this news about a Durham, NC, bakery accepting bitcoins. I have no idea about the financial circumstances of this particular bakery, but to understand the point assume it has a loan from a bank secured by the bakery's "inventory, goods, equipment, accounts, and general intangibles." Such an arrangement would not be uncommon and would effectively give the bank an Article 9 security interest in all of the bakery's property that is not real estate, sometimes referred to as a "blanket lien."


Every part of the US government has probably already been hacked (Defense One, 10 Sept 2014) - Cybersecurity has been touted by the Obama administration as one of its top technology priorities over the past several years, but heightened visibility alone has done little to deter adversaries that include state-sponsored hackers, hackers for hire, cyber syndicates and terrorists. Consider the testimony today from some of the nation's top cybersecurity experts before the Senate Committee on Homeland Security and Governmental Affairs. Suzanne Spaulding, undersecretary of the Department of Homeland Security's National Protection and Programs Directorate, told lawmakers DHS' National Cybersecurity and Communications Integration Center - or NCCIC - has already responded to more than 600,000 cyber incidents this fiscal year. High-profile cyber breaches - such as those affecting Target, Home Depot and even celebrities' private photos - trickle out on a near daily basis. But it's clear the vulnerabilities aren't relegated to the commercial sector. When committee members asked Robert Anderson, the executive assistant director for the Federal Bureau of Investigation's Criminal, Cyber, Response and Services branch, how much of government hasn't been hacked yet, he offered a stark reply. Despite demurring that he probably couldn't answer the question exactly "off the top of his head," Anderson said any part of government that hasn't been hacked yet probably has been hacked - and hasn't realized it yet.


California law says companies can't punish customers who post negative reviews (GigaOM, 10 Sept 2014) - A swanky hotel in New York caught flak this summer for threatening to fine brides $500 if any of their wedding guests posted a negative review on social media. In that case, the hotel backed down, but that doesn't mean other businesses aren't trying the same trick: stuffing so-called "non-disparagement clauses" into customer contracts in order to muzzle online criticism. This explains why Governor Jerry Brown of California signed a law this week that will turn the tables on such businesses, by fining them up to $10,000 if they use contracts that prevent customers from expressing their opinion about a good or service online. The law is a victory for consumers' free speech rights, and comes after repeated instances of merchants trying to collect penalties of thousands of dollars from customers who criticized them. In one notorious case, a Utah couple received an email from an online retailer saying they would have to pay $3,500 unless they removed a comment they had posted to the review site, RipoffReport.com. The text of the law is straightforward, and says businesses may not impose contract terms "waiving the consumer's right to make any statement regarding the seller or lessor or its employees or agents, or concerning the goods or services." The law, which is the first of its kind in the U.S. and was reported by the LA Times, goes into force in California in 2015. Businesses meanwhile continue to struggle with how to manage review forums and social media tools that empower customers, and that can make or break their reputation. Earlier this month, a federal appeals court threw out a class action that accused review site Yelp of "extorting" small businesses.


Government push for Yahoo's user data set stage for broad surveillance (NYT, 12 Sept 2014) - It's hard to fathom after a year of revelations about widespread government surveillance of Internet users, but in 2007, the government's authority to demand such data from technology companies without a search warrant was very much in doubt. That changed a year later, when crucial precedents establishing the government's right to request emails, phone records and other user data were set in a secret court case in which Yahoo unsuccessfully challenged the constitutionality of the government's demands for information about its foreign users. Documents from that case, which were released by the Foreign Intelligence Surveillance Court this week after much of the file was declassified, paint a vivid portrait of a battle that pitted a leading Internet company against some of the top officials in the Bush administration over what was legitimate gathering of foreign intelligence and what was illegal snooping. At one point, when Yahoo refused to turn over the requested data while it appealed its loss at the first stage of the case, the director of national intelligence, Michael McConnell, submitted an impassioned 16-page affidavit to Reggie B. Walton of Federal District Court, the surveillance court judge who had decided the case, outlining the various threats posed by Al Qaeda and other terrorist groups and the need for Yahoo's cooperation. International terrorists "use Yahoo to communicate over the Internet," Mr. McConnell wrote. "Any further delay in Yahoo's compliance could cause great harm to the United States, as vital foreign intelligence information contained in communications to which only Yahoo has access, will go uncollected." Underscoring that urgency, the government's lawyers asked Judge Walton to declare Yahoo in contempt and impose a fine of $250,000 a day, with the daily fine to double each week that the company continued to drag its feet.
The judge took just a few hours to order Yahoo to comply "forthwith" or face "coercive" fines, prompting it to cooperate as it pursued its appeal. The legal decisions in the case, and the reasoning used by both sides, helped set the stage for an updated Foreign Intelligence Surveillance Act that set clearer rules about what types of information the government could seek from technology companies like Yahoo, Google and Facebook, which hold vast quantities of private user information. The lower court and appellate rulings supporting the government also gave encouragement to national security officials as they pushed forward with broad surveillance programs like Prism, XKeyscore and others described in documents leaked last year by Edward J. Snowden, a former National Security Agency contractor. "The specific kind of surveillance the government was seeking was untested," said Stephen I. Vladeck, a professor who studies national security law at the American University Washington College of Law. "This litigation led to the judicial validation of practices that the government was already undertaking." The Protect America Act, a temporary law passed in August 2007 by Congress after the 9/11 attacks, was the first to explicitly authorize bulk surveillance of foreigners suspected of being terrorists or posing other national security threats. Yahoo chose to mount an aggressive challenge to such surveillance, setting itself as a defender of its users' rights. "The broad surveillance authorized by the P.A.A. and the directives is unreasonable because the P.A.A. allows the government to initiate surveillance on an unlimited number of targets, with no prior judicial review, no requirements of particularity and no findings of necessity," the company wrote in its brief urging the appellate panel to allow oral arguments in the case. 
"The issues at stake in this litigation are the most serious issues this nation faces today - to what extent must the privacy rights guaranteed by the United States Constitution yield to protect our national security." Perhaps coincidentally, as the company waged its secret court fight, its co-founder and chief at the time, Jerry Yang, was being raked over the coals by Congress and human rights advocates for the company's 2007 decision to turn over information on Chinese users that had been demanded by the Chinese government, resulting in the arrest of at least two dissidents. Judge Walton, who heard the initial round of the case, and the three-judge panel of the Foreign Intelligence Surveillance Court of Review that heard the appeal were both acutely aware of the precedents they were setting. In his 98-page ruling, Judge Walton bemoaned the lack of clear guidance to decide the matter, even as he carefully addressed each party's principal arguments. Ultimately, he concluded, deference must be given to the government's claims that it would protect American users' legal rights as it pursued foreign intelligence needed for national security.

Why FRAND commitments are not (usually) contracts (Patently-O, 14 Sept 2014) - There has been a fair amount of controversy recently over commitments that patent holders make to license patents on terms that are "fair, reasonable and non-discriminatory" (FRAND). As I have previously written, FRAND commitments generally arise when a patent holder wishes to assure the marketplace that it will not seek to block implementation of a common technology platform or product interoperability standard. Making such a public commitment encourages widespread adoption of these technologies, which is often beneficial for both the patent holder and the market. As such, it is important that these commitments be enforced. The dominant theory that several U.S. courts and commentators have adopted to justify the enforcement of FRAND commitments is common law contract. The argument goes like this: the patent holder makes a promise to a standards-development organization (SDO) that it will license its essential patents to others on FRAND terms. The SDO accepts this promise as consideration for permitting the patent holder to participate in the relevant standardization effort. Hence, the common law elements of offer, acceptance and consideration are all present. Then, after the relevant standard is adopted and a vendor incorporates it into a product, the vendor can insist that the patent holder grant it a patent license on FRAND terms. Even if the vendor was not a member of the SDO, it can seek to enforce the patent holder's promise as a third party beneficiary. This line of reasoning was accepted by the federal district courts in Microsoft v. Motorola (W.D. Wash. 2012) and Apple v. Motorola (D. Wis. 2012), by the Federal Trade Commission in its settlement with Google/Motorola, and by several commentators.
Nevertheless, as I discuss in a forthcoming article, common law contract is a poor fit for the enforcement of most FRAND commitments, and relying too heavily on it is likely to have unwelcome results. Contract law fails as a general-purpose FRAND enforcement theory on several grounds. * * *

NSA/GCHQ/CSEC infecting innocent computers worldwide (Bruce Schneier, 15 Sept 2014) - There's a new story on the C't Magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties. The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they've completed port scans of 27 different countries and are prepared to do more. The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: "2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible." They've automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify "a list of 3000+ potential ORBs" in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected. The slides never say how many of the "potential ORBs" CSEC discovers or the computers that register positive in GCHQ's "Orb identification" are actually infected, but they're all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA. Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks. 
The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that.

Court blasts US Navy for scanning civilians' computers for child porn (ArsTechnica, 15 Sept 2014) - A federal appeals court said the US Navy's scanning of the public's computers for images of child pornography constituted "a profound lack of regard for the important limitations on the role of the military in our civilian society." The Naval Criminal Investigative Service (NCIS) practice led the 9th US Circuit Court of Appeals to suppress evidence in the form of images of child pornography that an NCIS agent in Georgia found on a Washington state civilian's computer. The agent was using a law-enforcement computer program called RoundUp to search for hashed images of child pornography on computers running the file-sharing network Gnutella. "...RoundUp surveillance of all computers in Washington amounted to impermissible direct active involvement in civilian enforcement of the child pornography laws, not permissible indirect assistance," Judge Marsha Berzon wrote for the San Francisco-based appeals court. The court ruled 3-0 Friday that the Obama administration's position on the case would render "meaningless" the Posse Comitatus Act (PCA), which largely prohibits the military from enforcing civilian law. [Polley: See stories from 2004 below, in "Looking Back".]

Survey of online stalking, harassment and violations of privacy (Without My Consent, 17 Sept 2014) - We have data to share. Today we are proud to release our Preliminary Report: Without My Consent's Survey of Online Stalking, Harassment and Violations of Privacy. Two years ago, after attending SXSW, we were struck by how little data we could find that would help explain what is going on with online harassment. So we decided to conduct an online survey to see what we could learn ourselves. The output of that effort is now ready to share. Our survey was conducted between July 2013 and February 2014. While the press attention to the "revenge porn" phenomenon has grown dramatically during this time, our survey was broader. It sought to understand the experiences of online harassment victims and survivors of all kinds. We hope the results summarized in this preliminary report are a useful step in understanding the nature of online harassment, the challenges encountered by those who experience it, and the strategies for how to address it. We also hope these results will spur future, larger and more in depth studies (with qualitative interviews, ethnographic studies, funded surveys with random selections of larger numbers of participants, and the like) to provide data to regulators, industry, and the public on the prevalence and impact of online harassment, and to work towards solutions to end it. [Report here]

Apple says iOS 8 update keeps data private, even from the police (NYT, 17 Sept 2014) - Apple wants to make clear that it wants nobody snooping around in your device, not even the police. The company said Wednesday night that its latest software system, iOS 8, included deep protection of the information stored on Apple mobile devices. So deep, in fact, that Apple says it has become technically impossible for it to comply with government warrants asking for customer information like photos, email, messages, contacts, call history and notes, to be extracted from devices. The company said all this information was under the protection of a customer's passcode, the four-digit number used to log in to the device. In the past, Apple was able to extract certain types of information from devices, even when they were locked with a passcode, in response to a valid search warrant. The new security in iOS 8 protects information stored on the device itself, but not data stored on Apple's cloud service. So Apple will still be able to hand over some customer information stored on iCloud in response to government requests. Christopher Soghoian, a principal technologist for the American Civil Liberties Union, said Apple's new privacy policy reflected the revelations of the government surveillance programs revealed in documents leaked by Edward J. Snowden. "The public has said they want companies to put their privacy first, and Apple has listened," Mr. Soghoian said. [Polley: but then a flurry of "warrant canary" stories, about whether or not Apple has been using a canary -- Apple's "warrant canary" disappears, suggesting new Patriot Act demands (GigaOM, 18 Sept 2014); and No, Apple probably didn't get new secret gov't orders to hand over data (ArsTechnica, 18 Sept 2014). Finally, a paper recommended by Chris Soghoian: Warrant Canaries as Tools For Transparency in the Wake of the Snowden Disclosures (SSRN by Naomi Gilens, April 2014)]

Texas' highest criminal court strikes down 'improper photography' statute (Volokh Conspiracy, 18 Sept 2014) - I'm delighted to report that yesterday the Texas Court of Criminal Appeals handed down Ex parte Thompson (Tex. Ct. Crim. App. Sept. 17, 2014) (8-to-1, with Judge Meyers dissenting without opinion). This was a UCLA First Amendment Amicus Brief Clinic case, in which my student Samantha Booth and I wrote an amicus brief on behalf of the Reporters Committee for Freedom of the Press. The court's opinion is a victory for the right to take photographs in public - even when a statute barring such photograph is limited to photography of people without their consent and "with intent to arouse or gratify … sexual desire," but of course equally when the photographs lack such an intention. * * * [Polley: Pretty interesting case and reasoning.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Pentagon seeks US Spy powers (Wired, 19 June 2004) -- A Pentagon effort to persuade Congress to allow military intelligence agents to work undercover in the United States met with resistance in the House Wednesday when the provision was left out of the highly secretive intelligence funding bill. However, the Senate's version of the Intelligence Authorization Act of 2005 still includes the provision, which exempts Department of Defense intelligence agents from a portion of the Privacy Act, a 30-year-old law that outlaws secret databases on American citizens and green-card holders. The bill would allow Pentagon intelligence agents to work undercover and question American citizens and legal residents without having to reveal that they are government agents. That exemption currently applies only to law enforcement officials working on criminal cases and to the CIA, which is prohibited from operating in the United States. Pentagon officials say the exemption would not affect civil liberties and is needed so that its agents can obtain information from sources who may be afraid of government agents, such as a green-card-holding professor of nanotechnology who formerly lived under a repressive government. The military has increased its focus on antiterrorism programs within the United States, most notably by reorganizing its command structure in 2002 by creating the Northern Command in Colorado Springs, Colorado. The command is tasked with preventing and defeating threats and aggression aimed at the United States and helping civil authorities in the event of an emergency. Such investigations should be conducted by the FBI, and the Department of Defense should not be engaged in widespread intelligence gathering in the United States, say civil liberties advocates, such as the American Civil Liberties Union's legislative counsel Timothy Edgar.

Spy imagery agency watching inside US (AP, 27 Sept 2004) -- In the name of homeland security, America's spy imagery agency is keeping a close eye, close to home. It's watching America. Since the Sept. 11 attacks, about 100 employees of a little-known branch of the Defense Department called the National Geospatial-Intelligence Agency - and some of the country's most sophisticated aerial imaging equipment - have focused on observing what's going on in the United States. Their work brushes up against the fine line between protecting the public and performing illegal government spying on Americans. Roughly twice a month, the agency is called upon to help with the security of events inside the United States. Even more routinely, it is asked to help prepare imagery and related information to protect against possible attacks on critical sites. For instance, the agency has modified basic maps of the nation's capital to highlight the location of hospitals, linking them to data on the number of beds or the burn unit in each. To secure the Ronald Reagan funeral procession, the agency merged aerial photographs and 3D images, allowing security planners to virtually walk, drive or fly through the Simi Valley, Calif., route. The agency is especially watchful of big events or targets that might attract terrorists - political conventions, for example, or nuclear power plants. Everyone agrees that the domestic mission of the NGA has increased dramatically in the wake of Sept. 11, even though laws and carefully crafted regulations are in place to prevent government surveillance aimed at Americans.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, August 30, 2014

MIRLN --- 10-30 August 2014 (v17.12)

MIRLN --- 10-30 August 2014 (v17.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


L.A. county fire department links dispatch system to PulsePoint CPR app (LA Times, 6 August 2014) - Hoping to turn regular cellphone-toting Angelenos into rapid responders, the Los Angeles County Fire Department has linked its dispatch system to a cellphone app that will notify CPR-trained good Samaritans when someone in a public place nearby is having a cardiac arrest. The app, called PulsePoint, sends Fire Department alerts to mobile phone users at the same time that dispatchers send the official messages to emergency crews - increasing the possibility that a cardiac arrest victim could get lifesaving cardiopulmonary resuscitation from a bystander while medical responders are still on the way, department officials said Wednesday. The program also provides CPR instruction and the location of defibrillators nearby.

Cybersecurity: What Directors need to know in an era of increased scrutiny (Alston & Bird, 6 August 2014) - "[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril." SEC Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Speech at the New York Stock Exchange (June 10, 2014). Since the financial crisis, corporate governance has increased the focus on risk management. And, in recent years, cybersecurity has increasingly become a key issue in risk management due in large part to the growing realization that most companies' assets are digital, and that most systems are networked and connected to the Internet, leaving such assets subject to any number of targeted cyberattacks from increasingly sophisticated threat actors, including state actors with unlimited resources to conduct such attacks. In this era of increased cybersecurity scrutiny and litigation, it is imperative that directors educate themselves on the risks the company may face related to cybersecurity, as well as those risks that any director may face individually. Board members must also involve themselves in the company's cybersecurity strategy before and after a data breach. This advisory will discuss the developing cyber risk landscape, the increased regulator interest in cybersecurity, particularly from the SEC, and the impact on potential director liability for cybersecurity deficiencies (or perceived deficiencies). This advisory will conclude with practical guidance to help board members navigate the all-too-unfamiliar cyber risk and cybersecurity landscape. * * * [Polley: Useful and actionable.]

- and -

Cybersecurity in M&A (Freshfields, July 2014) - A survey of global deal-makers by Freshfields Bruckhaus Deringer reveals a growing awareness of the cyber threat. But it also shows respondents are yet to evaluate it in the same way as other risks that can undermine corporate value. Freshfields surveyed 214 global deal-makers from corporates, financial institutions, investors and legal services providers (63 per cent from North America, 34 per cent from Europe and 3 per cent from the rest of the world) on their awareness of cyber risk and how it affects their working practices. The results show that 78 per cent of respondents believe cyber security is not analysed in great depth or specifically quantified as part of the M&A due diligence process, despite 83 per cent saying they believe a deal could be abandoned if previous cyber security breaches were identified and 90 per cent saying such breaches could reduce the value of a deal. Cyber security in the M&A process is about more than just keeping sensitive data safe. Acquirers must assess whether their target carries an acceptable level of cyber risk in the same way they would analyse its financial position. A thorough knowledge of a business's cyber security is equally important during the integration phase; as a former deputy assistant attorney general at the US Department of Justice who supervised cyber crime investigations has said: 'when you buy a company, you're buying its data - and you could be buying its data security problems'.

Study: government blocks specific journalists from accessing information (International Business Times, 7 August 2014) - As states move to hide details of government deals with Wall Street and as politicians come up with new arguments to defend secrecy, it was revealed this week that many government information officers block specific journalists they don't like from accessing information. The news comes as 47 federal inspectors general sent a letter to lawmakers criticizing "serious limitations on access to records" that they say have "impeded" their oversight work. The data about public information officers was compiled over the past few years by Kennesaw State University professor Carolyn Carlson. Her surveys found that 4 in 10 public information officers say "there are specific reporters they will not allow their staff to talk to due to problems with their stories in the past." Carlson has conducted surveys of journalists and public information officers since 2012. In her most recent survey of 445 working journalists, four out of five reported that "their interviews must be approved" by government information officers, and "more than half of the reporters said they had actually been prohibited from interviewing [government] employees at least some of the time by public information officers." Those revelations foreshadowed this week's letter from more than half of the federal government's inspectors general saying that government agencies' move to hide information from them represents a "potentially serious challenge to the authority of every Inspector General and our ability to conduct our work thoroughly, independently, and in a timely manner."

UK's Information Commissioner Voices Concerns About Data Security in Legal Profession (August 5, 2014) - The UK Information Commissioner's Office (ICO) has received reports of 15 incidents in the past three months involving mishandling of client data by those in the legal profession. The ICO is warning that barristers and solicitors who do not take adequate precautions to protect their clients' data would face fines of up to GBP 500,000 (US $840,000). - http://www.v3.co.uk/v3-uk/news/2358882/ico-sounds-the-alarm-over-legal-professions-shoddy-data-handling [SANS Editor's Note (Paller): I have first hand evidence that US law firms have lost huge troves of their clients' data; the FBI disclosed that US law firms were targets of nation-state attacks in 2009; and the head of MI5 made it clear that the same was happening in the UK in a disclosure the year before. Nation states (as well as economic competitors) have figured out that organizations run by lawyers (as well as the consulting companies run by ex Federal officials) are the most cost-effective way to steal intellectual property from companies seeking to do business in their countries because those companies share the crown jewels with their lawyers and consultants and think they will protect the information.]

- and -

ABA House urges all organizations to develop cybersecurity programs (ABA Journal, 12 August 2014) - The ABA House of Delegates has adopted a policy encouraging private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program. Such programs would need to comply with applicable ethical and legal obligations. They would also need to be tailored to the nature and scope of the organization, and to the data systems which need protecting. The threat of cyberattacks on law firms is fast growing, and Resolution 109 was drafted to allow flexibility for small businesses, small law firms and solo practitioners. Last year the association published the ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals. It presents practical guidance and strategies and addresses the relationship and legal obligations between lawyers and clients when cyberattacks occur.

- and -

ABA: Throwing stones in glass houses? (CorporateCounsel.net, 26 August 2014) - At the ABA's 2014 annual meeting earlier this month, delegates approved a resolution that "encourages all private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program." When you consider that some pundits characterize lawyers as technology Luddites and law firms as "the soft underbelly" of data security in corporate America, it may seem odd for the legal industry to be lecturing other organizations about getting their cyber houses in order. The ABA Cybersecurity Legal Task Force report accompanying the draft resolution warns that "the threat of cyber attacks against law firms is growing." It notes that law firms collect and store large amounts of critical, highly valuable corporate records. The report points out that "lawyers and law offices have a responsibility to protect confidential records from unauthorized access and disclosure, whether malicious or unintentional, by both insiders and hackers." Unfortunately, many lawyers don't fully appreciate the scope of that responsibility, particularly as it applies to data transmitted via the internet or stored in the Cloud. A survey conducted in March 2014 by LexisNexis found that 89% of law firms use email daily for business purposes, but only 22% of law firms are encrypting email. A recent post in Law Technology News urges that It's Time to Secure Privileged Communications. The post notes that "attorneys should be concerned about the general uncertainty of privacy expectations for email." Those risks to email confidentiality are not merely a theoretical concern. For example, in February the New York Times reported that a foreign spy agency intercepted email messages between a large U.S. law firm and its foreign government client and then shared the information with the U.S. National Security Agency.
In a carefully worded statement, the law firm said: "There is no indication, either in the media reports or from our internal systems and controls, that the alleged surveillance occurred at the firm." The statement misses the point, because unencrypted email is intercepted, undetectably, while it is being transmitted or stored outside the firm's internal network. That news report prompted the ABA to ask the NSA to explain how the agency deals with attorney-client privileged communications. As discussed in the post, Law Firm Email Security Questions The ABA Should Be Asking, the ABA was conflating legal privilege with client confidentiality and asking the wrong questions of the wrong organization. The fundamental question is whether the firm's lawyers were taking reasonable steps in the circumstances in order to secure sensitive email communications. The ABA report acknowledges that "law firms are businesses and should take special care to ensure that they have a strong security posture and a well-implemented security program." Many lawyers say the NIST Cybersecurity Framework can serve as a general guide for information security oversight and risk assessments, in order to establish that reasonable care was taken. The NIST Cybersecurity Framework includes an assessment of whether "data-in-transit is protected." Email fundamentally is a convenient but unsecure method of transmitting and storing data in the Cloud. There are many simple steps that lawyers can take to protect sensitive data that they exchange with clients and third parties, including email encryption. State bar associations, however, continue to draw an unfounded distinction between the data security measures required when transmitting and storing data "in the Cloud" versus those required for email.

Google opens Classroom to all apps for education users (InsideHigherEd, 13 August 2014) - Google Classroom, the search giant's lightweight learning management system, is now available to any institution that uses the company's Apps for Education. Classroom launched as a limited preview in May and adds a layer of course management on top of Google's productivity suite, which includes apps such as Gmail and Docs.

Judge bans live tweets by opposing counsel during deposition (ABA Journal, 13 August 2013) - Convicted for his role in a money-laundering conspiracy involving election contributions from a drug trafficker, a former South Texas sheriff got five years in federal prison. After his sentencing last month, KGBT reported on tweets of what disgraced ex-Hidalgo County Sheriff Lupe Treviño was saying during the federal court hearing. But an attempt to share with the public what Treviño said during a recent deposition in one of the civil suits the former sheriff is now facing was soon shut down. In a Wednesday hearing in Edinburg, a state-court judge banned further tweets by attorney Javier Peña, reports another KGBT article. Peña represents a former candidate for the sheriff's job in a lawsuit against Treviño. Judge Rudy Delgado rejected an attempt by Treviño's lawyer, Preston Henrichson, to limit the scope of Peña's questioning in the ongoing 93rd State District Court deposition but nixed live updates from Peña's Twitter account, the station reports. "Our technology is far outpacing ability to formulate rules," the judge commented.

Get the GC plugged in to cybersecurity (Corporate Counsel, 13 August 2014) - As more countries try to create rules to deal with cybersecurity and data privacy, general counsel need to become more engaged participants in the conversation, said Kaye Scholer partner Adam Golodner, because those rules will affect future business. Recent incidents, including the massive hacking of data by a Russian gang revealed last week and the theft of customer financial data from Target Corp. in December, only accelerate the process. So GCs should "engage in those discussions now," Golodner told CorpCounsel.com this week. Cybersecurity is a fundamental issue for general counsel and corporate counsel, Golodner said, and it now has escalated to a board of directors' issue. "We've seen significant change over the past three years where it has matured to a top-level risk management issue," he explained. Proposed legislation in the EU, he noted, will set cybersecurity standards for all enterprises. The proposal affects network and information security separate from the EU's data privacy directive. Before these standards become final, Golodner said, there's still a chance for multinational companies to participate in what the rules will look like.

Military companies brace for rules on monitoring hackers (Bloomberg, 13 August 2014) - Companies that do business with the Defense Department are bracing for new U.S. rules requiring them to report computer breaches to the Pentagon and give the government access to their networks to analyze the attacks. Groups representing the contractors are raising concern about the Pentagon rooting around their data, and say smaller companies may not even have the cybersecurity protections needed to comply. A report that was to be released today on the rules has been pushed back until Sept. 24, according to a person familiar with the matter who isn't authorized to speak publicly. The pending rule change marks an escalation of efforts to understand the scale of hacking as the Defense Department plans to spend $23 billion through fiscal year 2018 on cybersecurity. The crux of the rule is designed to ensure companies handling classified data quickly inform the Pentagon of hacking attacks. The effort "has the potential to become too onerous" if it requires contractors to report minor breaches and allows the Pentagon access to trade secrets or personal information on their networks, said Mike Hettinger, senior vice president for the public sector at TechAmerica, a trade association based in Arlington, Virginia, that represents Lockheed Martin Corp. (LMT), Northrop Grumman Corp. (NOC) and other defense contractors.

Cyber risk and the captive market (AON, August 2014) - The associated costs of cyber threats are increasing for entities in every industry sector. The legal exposure, reputational harm and business interruptions that may result can wreak havoc on a company's bottom line. This was made clear in Aon's 2014 Underrated Threats Report, where 83% of respondents (Captive Directors) felt that the ranking of #18 in Aon's Global Risk Management Survey 2013 for cyber risks (computer crimes/hacking/viruses/malicious codes) was severely underrated, a finding that was consistent along regional and revenue categories. In Aon's Global Risk Management Survey 2013, 7% of respondents (Captive Owners) indicated interest in underwriting cyber risk in a captive over the subsequent five years. Most cited the lack of appropriate cover in the commercial market place as the reason. However, in Aon's 2014 Captive Benchmarking Tool, which captured data from over 1,000 Aon managed captive clients, the number of captives writing cyber currently, is reported at 1%, a number which has remained static since 2012. The reluctance for many organisations appears to derive from the challenge of gaining an estimation of the cyber risk exposure and quantification of consequences of cyber events, a challenge equally reflected in the reluctance of organisations to purchase cyber insurance from the insurance market.

Court says search results and suggested search terms protected by CDA immunity (Steptoe, 14 August 2014) - The U.S. District Court for the District of New Jersey has found that search engines are immune from liability for publishing search results and suggesting search terms that contain allegedly defamatory information. In Obado v. Magedson, the court held that Google, Yahoo!, and other sites were protected by Section 230 of the Communications Decency Act for publishing content provided by third parties. Even though the search engines themselves determine what is displayed on their pages, and in that sense "create" the content, the court appeared to reason that the search engines did not create the content because the results and search terms were determined by an algorithm based on the content contained on third-party sites, and not by some purposeful act of the search engines to create the content. While other U.S. courts have reached similar conclusions, the decision is in stark contrast to foreign court rulings holding Google liable for search results or "autocomplete" search suggestions. For example, a Hong Kong court recently ruled that a corporate executive could sue Google for defamation because its suggested search terms linked his name to organized crime. And last year, Germany's highest civil court ruled that once Google becomes aware that its suggested search terms are defamatory, it is obligated to remove them.

Box announces new alliances in legal (Bob Ambrogi, 14 August 2014) - In two posts last year, I wrote about Box , the file sharing and collaboration platform, making a push into the legal industry through integrations with several mobile and web legal platforms ( here and here ). Today, two weeks before its major BoxWorks2014 user conference in San Francisco and just a few days before the International Legal Technology Association conference in Nashville, the company announced major new clients in the legal field and new law-related partnerships and integrations. In today's announcement, Box said that the law firms DLA Piper, Hinshaw & Culbertson, Perkins Coie and Stoel Rives have chosen Box to manage, access and share information for various purposes. Box also announced a new relationship with HBR Consulting , a firm that provides strategic, technology and information management consulting services to the legal sector. Through the relationship, Box and HBR Consulting will work together to offer custom-built cloud-based storage and collaboration tools for law firms.

Cell phone guide for US protesters, updated 2014 edition (EFF, 15 August 2014) - With major protests in the news again, we decided it's time to update our cell phone guide for protestors. A lot has changed since we last published this report in 2011, for better and for worse. On the one hand, we've learned more about the massive volume of law enforcement requests for cell phone - ranging from location information to actual content - and widespread use of dedicated cell phone surveillance technologies. On the other hand, strong Supreme Court opinions have eliminated any ambiguity about the unconstitutionality of warrantless searches of phones incident to arrest, and a growing national consensus says location data, too, is private. Protesters want to be able to communicate, to document the protests, and to share photos and video with the world. So they'll be carrying phones, and they'll face a complex set of considerations about the privacy of the data those phones hold. We hope this guide can help answer some questions about how to best protect that data, and what rights protesters have in the face of police demands. See also, the ACLU's Know Your Rights: Photographers (updated July 2014).

Lower your car insurance bill, at the price of some privacy (NYT, 15 August 2014) - An increasing number of the nation's auto insurance companies have a new proposition: Let them track every second of your driving in exchange for an annual discount that can reach into the hundreds of dollars if you behave yourself on the road. In theory, everyone wins here. Progressive, Allstate and State Farm - among the most aggressive of the larger companies that are pursuing this strategy - attract better drivers who crash less often. Customers who sign up for the optional programs can pay premiums based more on how they drive and less on their age, gender or credit history. But usage-based insurance , as the program is known, generates vast amounts of data. While insurance companies are pledging to keep it to themselves for now, some experts believe that we're only a few years away from companies' contributing complete driver histories into a central industry database. Then, we'd all have driver scores like the numbers that FICO helps creditors calculate, which would follow us around whenever we shopped for a new auto insurance policy.

Can pseudonyms make better online citizens? (Harvard Magazine, Sept 2014) - People socialize online more than ever: posting photos on Instagram, job-hunting on LinkedIn, joking about politics on Twitter, and sharing reviews of everything from hotels to running shoes. Judith Donath, a fellow at Harvard's Berkman Center for Internet and Society , argues against using real names for most of these Internet interactions and relying instead on pseudonyms. A made-up handle is essential to maintain privacy and manage one's online identity, she says. Her new book, The Social Machine: Designs for Living Online (MIT Press, 2014), also contends that well-managed pseudonyms can strengthen online communities, an idea that contradicts the conventional wisdom that fake names bring out the worst in people, allowing "trolls" to bully others or post hateful, destructive comments without consequences. Real names, such thinking goes, keep online conversations civil. But Donath often uses a pseudonym online, not because she wants to "anonymously harass people or post incendiary comments unscathed," as she explained in a commentary published on Wired.com this spring, but because she prefers to separate certain aspects of her life. In the age of Google, a quick search of a person's name gathers everything he or she has posted under that name, from résumés to college party photos. As a public figure who studies how people communicate online, Donath's academic writing can be found online under her real name. But when she writes product reviews on shopping sites such as Drugstore.com, or restaurant reviews on Yelp, she might use a pseudonym. [ Polley : Interesting ideas - this related to the podcast recommended below .]

Cybersecurity is hard to ensure or insure (Houston Chronicle, 17 August 2014) - A massive data breach into Target's computer systems last year claimed millions of customer credit card numbers, a CEO's job and $148 million so far to clean up the mess. If hackers ever manage to hit an oil and gas company with a major cyberattack -- compromising key systems at a deep-water platform or an oil refinery -- losses could dwarf the retailer's tab. Yet most U.S. energy companies have to scrape together a collection of insurance policies to protect themselves against property, environmental and other damages from cyber-attacks that could run into the billions of dollars. "Imagine what could happen if a large refinery or petrochemical facility's safety monitoring systems were hijacked near an urban area, or a subsea control module was no longer able to be controlled by the people who should be controlling it," Legge said. "As we've all seen from Deepwater Horizon, those risks and damages can be astronomical. It requires an immediate response." That deadly 2010 blowout and oil spill in the Gulf of Mexico was an accident, but London-based insurer Aon says energy companies are at particular risk for cyberattacks because hackers only began targeting them in recent years, so many are just beginning to develop effective security. ABI Research forecasts that the oil industry will pay $1.9 billion on cybersecurity defense systems by 2018. But less than a fifth of U.S. companies over all are covered for cyberdamages.

Law firm leaders - value of outside perspective (Layse LLC, 19 August 2014) - Quality decision-making has a great deal to do with shaping the fate of all law firms. Today's post focuses on the value of today's law firm leader engaging the insight and decision-making acumen of seasoned outside business professionals. * * * Edward Drummond is a UK based executive search firm that recently released the results of a study of the top 100 UK law firms over the last four years. It is telling that this study reports that about a quarter of the UK top 100 use a non-firm member to assist with decision making; and that the firms that utilized this approach realized a growth rate of about a third more than other firms. The author of the study suggests "To get someone in just for a few days a year often works well for both parties. Having someone with strong commercial experience - sometimes within the FTSE 100 - can really drive growth through commercial experience."

2014 ABA Tech Survey shows more attorneys using iPhones, but iPad use holds steady (iPhone JD, 20 August 2014) - Every year, the ABA Legal Technology Resource Center conducts a survey to gauge the use of legal technology by attorneys in the United States. My thoughts on the prior reports are located here: 2013 , 2012 , 2011 , 2010 . No survey is perfect, but the ABA tries hard to ensure that its survey has statistical significance, and every year this is one of the best sources of information on how attorneys use technology. Yesterday, the ABA released Volume VI of the report titled Mobile Lawyers. This year's report once again shows that a large number of attorneys are using iPhones and iPads. For those nine out of every ten attorneys who are using smartphones, 74% reported in 2014 that they were using a personally owned smartphone, and 28% used a smartphone permanently assigned by their law firm. Those numbers were closer to 66% and 36% in the prior three years, so it seems that in 2014, fewer law firms are buying smartphones for their attorneys and more attorneys are buying their own smartphones. Whether they buy it themselves or it is purchased by their law firm, what smartphones are those nine out of ten attorneys using in 2014? Last year, the big news was that over half of all attorneys were using an iPhone. This year, that number increases even more: 60.8% of all attorneys are using an iPhone (66.8% of the 91% of attorneys who use a smartphone). So if you can imagine a row of ten attorneys, this year one of them doesn't use a smartphone at all, and six of them use an iPhone. What about the other three? Two of them are likely using an Android phone (24.5% of the 91% of attorneys who use a smartphone report using an Android phone in 2014, a small increase from 22% in 2013.) and that last attorney is probably using a Windows phone. 
Last year, based on the 2013 survey, I concluded that over 400,000 attorneys were using an iPad based on the survey numbers and the assumption that there are about one million attorneys in the U.S. This year, I still believe that there are over 400,000 attorneys using an iPad, but the 2014 survey results on lawyer tablet use were surprising to me in two respects. First, lawyer tablet use is not growing nearly as much as I had expected. In 2011, 15% of attorneys reported that they used a tablet device. In 2012, that more than doubled to 33%. In 2013, it increased to 48%. Thus, I would have guessed that more than half of attorneys would be using tablets in 2014. But that didn't happen. The number instead increased only from 48% to 49%. Have we reached the point where most attorneys who want to use a tablet already have one? After all, as useful as an iPad is, I often hear attorneys tell me that laptops such as the MacBook Air are so thin and light that they carry theirs almost everywhere, and when you always have a laptop with you there is less of a need for an iPad. Is it possible that even though almost half of all attorneys now use a tablet, the other half will never see the need to do so?

Big win for Amazon: First provider authorized to handle sensitive DoD workloads in Cloud (NextGov, 21 August 2014) - Amazon Web Services has become the first commercial cloud provider authorized to handle the Defense Department's most sensitive unclassified data. Today's announcement that AWS has achieved a provisional authority to operate under DOD's cloud security model at impact levels 3-5 is a major win for the company, as it allows DOD customers to provision commercial cloud services for the largest chunks of their data. In technical speak, the provisional ATO granted by the Defense Information Systems Agency means DOD customers can use AWS' GovCloud - an isolated region entirely for U.S. government customers - through a private connection routed to DOD's network. DOD customers can now secure AWS cloud services through a variety of contract vehicles. In layman's terms, AWS is the first company with the ability to take any and all of DOD's unclassified data to the cloud. AWS recently launched a private cloud for the Central Intelligence Agency to service the intelligence community , and other cloud providers have been busy picking up new business in the civilian government where billions of dollars are up for grabs. AWS was one of the first cloud providers to meet the Federal Risk and Authorization Management Program, the government's baseline security standards for cloud computing. The company was also one of three firms to meet DISA's cloud security requirements at impact levels 1-2, which govern the agency's least sensitive data. DISA's cloud security model includes many additional requirements on top of what is required by FedRAMP.

Taking a selfie inside the National Gallery: a copyright infringement? (IPKat, 21 August 2014) - A few days ago a number of UK newspapers reported that, following similar moves by a number of other UK institutions, also the National Gallery in London has changed its strict no-photos-(please) policy " after staff realised they were fighting a losing battle against mobile phones ", The Telegraph explains . In particular, this decision has been motivated by the difficulties that have arisen to distinguish between visitors using the free wi-fi provided by the Gallery " to research paintings " [of course, what else?] " and those trying to take pictures with mobile phones ." Since late July the new photography policy of this glorious cultural institution has quietly replaced the old one: visitors may now take photos of the Gallery's permanent collection on their own devices for personal, non-commercial purposes. Tripods remain off limits, and visitors will also be "discouraged" from blocking other people's views while taking pictures. In any case, similarly to the National Portrait Gallery and the Tate , the National Gallery "will maintain restrictions on members of the public photographing their temporary exhibitions, for reasons of copyright " [as well as, presumably, in some other cases for reasons of security or conservation]. So, would the taking of a picture of temporary exhibitions or displays with loans be really a potential copyright infringement? It might well be, provided of course that the particular work photographed is still protected by copyright [which might be the case also for works in the permanent collection, although for those paintings it is likely that the Gallery also owns the copyright]. The conclusion above is because the so called freedom of panorama under UK copyright does not apply to paintings. Section 62 ( Representation of certain artistic works on public display ) of the Copyright, Designs and Patents Act 1988 ('CDPA') states * * *

US universities at greater risk for security breaches than retail and healthcare (ZDnet, 21 August 2014) - The back-to-school season is a busy time for many, even hackers. According to a new report by the security rankings provider BitSight Technologies, higher education institutions experience an influx in malicious cyberattacks during the school year. But what's worse is that most of those universities are ill-equipped to prevent and handle such attacks, which, according to the report, results in cybersecurity rankings below that of retail and healthcare - two sectors plagued by near-constant security attacks that often result in successful breaches. The majority of attacks experienced by higher education institutions come from malware infections, with the most prevalent being Flashback, which targets Apple computers. Other prominent malware include Ad-ware and Conficker. BitSight said universities are the targets of so many attacks because they harbor a trove of sensitive and personal data, ranging from addresses and social security numbers to credit card numbers and intellectual property - and hackers are quick to notice the weak IT infrastructure in place to keep that data protected.

Giving email a holiday (NYT Editorial, 23 August 2014) - Daimler, the German automaker, has given new meaning to the escape command on workers' computers this summer by instituting an automatic program to delete incoming emails to employees on vacation, so they are not tempted to peek at business traffic at the seashore and can start with a clean slate when they return to work. The idea is to encourage a healthier balance in life and to cut down on workers' burnout - a condition that Daimler has concluded can't be good for business in the long run. The program, called Mail on Holiday, politely informs senders that their messages were instantly deleted, but they can contact a designated alternate worker if necessary. The email blackout is optional for the company's 100,000 workers, but "the response is basically 99 percent positive," a Daimler spokesman, Oliver Wihofszki, told BBC Radio. "Everybody says, 'That's a real nice thing.' " Well, of course it is. The new freedom - or is it basically a stroke of virtual mercy? - grows out of research by Daimler with psychologists at the University of Heidelberg. It is part of a "data detox" trend in European corporate life. Volkswagen and Deutsche Telekom have programs to cut back on evening and weekend emails to workers. Even Germany's Labor Ministry is pushing the go-easy button, encouraging managers to stop emailing workers outside of work hours. In France, employers and unions are pursuing an agreement so contract workers on long days might disconnect at given times from their babbling brooks of email. At Daimler, officials say they intend nothing more than emotional relief - a virtual sabbatical for their workers in what is proving to be a relentless digital age. And they issued assurances that no one was keeping lists of which vacationers did or did not resist the temptation of the inbox. 
[ Polley : Reminds me of the seminal email article by Amitai Etzioni in the NYT on 23 Nov 1997, " Some Privacy, Please, for E-Mail "]

'Hackcess to Justice' winners look to increase the reach of their apps (ABA Journal, 25 August 2014) - Award winners from the recent Hackcess to Justice legal hackathon are working hard to fulfill the main goal of the event: Improving access for all Americans to effective legal assistance. In the two weeks since the inaugural hackathon - in conjunction with the ABA Annual Meeting - took place at Suffolk University Law School in Boston, the programmers and lawyers behind the three winning entries have hardly sat back and rested on their laurels. Instead, they have all taken steps to try and increase the reach of their apps. For instance, all three apps are now available for the general public to use, and in some cases, the prize winners are speaking to nonprofit and state agencies to figure out ways their apps can be used to provide legal assistance to many more individuals. William Palin, a Somerville, Massachusetts, attorney who won first place with his health care proxy and living will generator PaperHealth, tells the ABA Journal that the app has already been approved by Apple and is now available in the App Store. He says that he is currently talking to a nonprofit legal network in Vermont in the hopes of increasing awareness of his app. "What I'm proposing is that, if the state will provide an attorney to review the legality of the app, then I'll adjust and customize it for the state, and then provide it for free, as long as they promote it," says Palin, who hopes to do this with every state in the country. The second-place winning app, disastr, which was created by Matthew Burnett, director of the Immigration Advocates Network, and Adam Friedl, program and special initiatives manager at Pro Bono Net, has been officially released for Android.
The app provides information, resources, real-time news and alerts and legal representation forms for people affected by natural disasters. Meanwhile, David Colarusso, staff attorney for the Massachusetts Committee for Public Counsel Services, has been busy talking to state officials about potential uses for his team's app, Due Processr. The app, which took third place and was developed by Colarusso and his teammates, David Zvenyach, a general counsel in Washington, D.C. and William Li, a computer science PhD student at the Massachusetts Institute of Technology, is an interactive tool that allows users to determine their eligibility for indigent legal services in Massachusetts, and for criminal defendants to calculate their state prison sentences.

Surveillance Law (Stanford MOOC, Fall 2014) - This website hosts content for Surveillance Law, a free online course offered by Stanford Law School. We encourage you to join the interactive course on Coursera. If you would like heightened privacy protection, you can view noninteractive material on this website. The server is configured to not log requests, and can be accessed using HTTPS (details) or as a Tor hidden service (7vrl523532rjjznj.onion). It's easy to be cynical about government surveillance. In recent years, a parade of Orwellian disclosures have been making headlines. The FBI, for example, is hacking into computers that run anonymizing software. The NSA is vacuuming up domestic phone records. Even local police departments are getting in on the act, tracking cellphone location history and intercepting signals in realtime. Perhaps 2014 is not quite 1984, though. This course explores how American law facilitates electronic surveillance - but also substantially constrains it. You will learn the legal procedures that police and intelligence agencies have at their disposal, as well as the security and privacy safeguards built into those procedures. The material also provides brief, not-too-geeky technical explanations of some common surveillance methods. [ Polley : I love how they're using TOR, and giving out .onion addresses.]

NIH tells genomic researchers: 'You must share data' (Chronicle of Higher Ed, 28 August 2014) - Scientists who use government money to conduct genomic research will now be required to quickly share the data they gather under a policy announced on Wednesday by the National Institutes of Health. The data-sharing policy, which will take effect with grants awarded in January, will give agency-financed researchers six months to load any genomic data they collect - from human or nonhuman subjects - into a government-established database or a recognized alternative. NIH officials described the move as the latest in a series of efforts by the federal government to improve the efficiency of taxpayer-financed research by ensuring that scientific findings are shared as widely as possible. "We've gone from a circumstance of saying, 'Everybody should share data,' to now saying, in the case of genomic data, 'You must share data,'" said Eric D. Green, director of the National Human Genome Research Institute at the NIH. The NIH's plan to require data-sharing hasn't been entirely popular with the researchers themselves, at least not in the early stages. When it appeared last year, the initial version of the NIH's policy proposal drew criticism from the Federation of American Societies for Experimental Biology, the nation's largest coalition of biomedical researchers, and the Association of American Medical Colleges, whose members include all 141 accredited U.S. medical schools.

NOTED PODCASTS

Judith Donath on The Social Machine (Berkman, 26 May 2014; 71 minutes) - Online, interface designs fashion people's appearance, shape their communication and influence their behavior. Can we see another's face or do we know each other only by name? Do our words disappear forever once they leave the screen or are they permanently archived, amassing a history of our views and reactions? Are we aware of how public or private our surroundings are? In this talk Judith Donath - Berkman Faculty Fellow and former director of the MIT Media Lab's Sociable Media Group - discusses some of these questions and more from her new book "The Social Machine." [ Polley : I'm particularly interested in online meetings vs. IRL meetings; Ms. Donath has some interesting observations about how online meetings should be different , and can be richer.]

RESOURCES

Open Intellectual Property Casebook (Duke, August 2014) - Duke's Center for the Study of the Public Domain is announcing the publication of Intellectual Property: Law & the Information Society - Cases and Materials by James Boyle and Jennifer Jenkins. This book, the first in a series of Duke Open Coursebooks, is available for free download under a Creative Commons license. It can also be purchased in a glossy paperback print edition for $29.99, $130 cheaper than other intellectual property casebooks. * * * The book is intended to be a textbook for the basic Intellectual Property class, but because it is an open coursebook, which can be freely edited and customized, it is also suitable for an undergraduate class, or for a business, library studies, communications or other graduate school class. Each chapter contains cases and secondary readings and a set of problems or role-playing exercises involving the material. The problems range from a video of the Napster oral argument to counseling clients about search engines and trademarks, applying the First Amendment to digital rights management and copyright or commenting on the Supreme Court's new rulings on gene patents.

The 9 most useful Bitcoin data resources (Coindesk, 10 August 2014) - The days of pencil-pushing to gather and analyse data are numbered, and new tools have made gathering, sorting, analysing and visualising enormous amounts of data easier than ever. Bitcoin, of course, lends itself perfectly to these quantitatively-focused metric tools. Few things about the digital currency are subjective, and even though nobody knows for certain what drives bitcoin's price changes , plenty of people have tried their hand at using technical analysis to predict price trends. Luckily for us, there's no shortage of companies working with data to paint a picture of the ever-changing bitcoin ecosystem. These websites provide information on pricing, trading, market capitalisations, blockchain statistics and more. Here are nine of the most helpful bitcoin data resources * * * [ Polley : I'm still experimenting with my BTC wallets.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Controversial government data-mining research lives on (Information Week, 23 Feb 2004) -- The government is still financing research to create powerful tools that could mine millions of public and private records for information about terrorists despite an uproar last year over fears it might ensnare innocent Americans. Congress eliminated a Pentagon office developing the terrorist tracking technology because of the outcry over privacy implications. But some of those projects from retired Adm. John Poindexter's Total Information Awareness effort were transferred to U.S. intelligence offices, congressional, federal and research officials told The Associated Press. In addition, Congress left undisturbed a separate but similar $64 million research program run by a little-known office called the Advanced Research and Development Activity (ARDA) that has used some of the same researchers as Poindexter's program. "The whole congressional action looks like a shell game," said Steve Aftergood of the Federation of American Scientists, which tracks work by U.S. intelligence agencies. "There may be enough of a difference for them to claim TIA was terminated while for all practical purposes the identical work is continuing."

NSA plots software center (FCW, 15 Oct 2004) -- The National Security Agency's top information security official disclosed plans this week for a government-funded research center devoted to improving the security of commercial software, calling the initiative a modern-day Manhattan Project. Comparing the proposed high-assurance software initiative to the famous atomic bomb research project of the 1940s, NSA's director for information assurance, Daniel Wolf, said the research would focus on tools and techniques for writing secure software and detecting malicious code hidden in software. Before NSA officials can create the center, the Defense secretary must approve the concept and find money for the project, Wolf said. He gave the keynote address at the Microsoft Corp. Security Summit East in Washington, D.C., earlier this week. The quality and trustworthiness of commercial software has become a matter of increasing concern to NSA officials, who are responsible for the security of Defense Department and intelligence software. NSA officials anticipate that many companies on whose software DOD and intelligence users rely will be moving significant portions of their commercial software development overseas within a few years. NSA officials cannot force companies to develop software a certain way, Wolf said, "but we would like to get them to a point where they are producing commercial products that meet the needs of our users." About 95 percent of the agency's desktop PCs run Microsoft's Windows operating system, Wolf said.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.