Saturday, January 17, 2009

MIRLN --- 28 December 2008 – 17 January 2009 (v12.01)

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

**************End of Introductory Note***************

ABA CYBERSPACE COMMITTEE WINTER WORKING MEETING - The Committee on Cyberspace Law invites you to its annual Winter Working Meeting, January 30th through the 31st, 2009 on the campus of Santa Clara University in Santa Clara, California (just adjacent to San Jose). Don’t miss this great opportunity to exchange views, explore issues, identify emerging practices and interact with other Committee members. The “WWM” is meant just as much for persons new to the Committee as it is for those of long-standing membership, so please do not hesitate to join us if you are looking for a place and project to get involved with the Committee’s work! Information here:

**** NEWS ****

• Gatehouse Sues NYT Co. Over Local Websites
• Pushing The Envelope On Copyright Exemptions Court Rejects Effort To Require Website To Identify Anonymous Commenters
• ABA Launches New Social Network
• The Toughest Q’s Answered In The Briefest Tweets
• Risky For All Executives
• Do Model Web Faces Misrepresent Law Firms?
• Florida Justices Give Cold Shoulder To Proposed Web Rule
• Data Breaches Up Almost 50 Percent, Affecting Records Of 35.7 Million People
• Yelp User Faces Lawsuit Over Negative Review
• Skype Sued Under Washington’s Gift Card Rule
• New Jersey Drops Encryption Requirement From Draft Data Security Regulations
• Court Rules That Employee’s Misappropriation Of Business Information Does Not Violate CFAA
• E-Mail Snafu Exposes Names Of Confidential Witnesses In Federal Probe
• Limewire Mixing Social Networking, P2P
• E-Discovery Rulings: 2008 In Review
• Is It Copyright Infringement On Fashion Design To Post Photos From A Fashion Show Online?
• U.S. Visitors Required To Register Online
• Itunes Songs Don’t Have DRM, But They Contain Your Email Address
• NIST Proposes Risk-Based Approach To Guarding Personal Data
• Ct Rules Mere Violation Of Privacy Policy Promise Didn’t Amount To Contract Breach, Fraud
• Judge Approves Streaming Of Music-Swapping Hearing

Podcasts, Resources, Book-Review

GATEHOUSE SUES NYT CO. OVER LOCAL WEBSITES (Boston Globe, 22 Dec 2008) - GateHouse Media Inc., the owner of 125 local newspapers across Massachusetts, sued the Boston Globe’s parent today for linking to GateHouse articles on the Globe’s new local websites. In a lawsuit filed in US District Court in Massachusetts, GateHouse argued that the New York Times Co. violated copyright law by copying “verbatim” headlines and the first sentence from articles in the Newton Tab, Daily News Tribune of Waltham and other GateHouse papers on the Globe’s own websites, along with links to the full articles. The suit raises critical legal issues about what type of linking is permitted on the Internet. Many blogs and media sites routinely post links to stories by other media. Indeed, GateHouse has published links to Globe stories in the past. [Editor: a la the Google/Belgium cases from 2007, this theory would implicate MIRLN. Nuts!]

PUSHING THE ENVELOPE ON COPYRIGHT EXEMPTIONS (InsideHigherEd, 30 Dec 2008) - Professors, librarians and others have proposed that the U.S. Copyright Office significantly expand its list of when, and by whom, DVDs and other audiovisual materials should be exempted from technological measures that control access to copyrighted works. The list came in a Federal Register notice of proposed rule making that is one early step in a yearlong process that is likely to culminate next fall. As a general rule, entertainment companies and publishers tend to oppose significant exceptions (or any, in some cases), and the Copyright Office solicits recommendations and comments and conducts a series of hearings before making its decisions. The exemptions last for three years, and do not automatically renew. As part of the last triennial review, in 2006, the Copyright Office altered its method for judging those exceptions. Under the change, the office shifted its focus from deciding simply which “classes of works” (“literary works,” “sound recordings”) warranted exemptions, to a more specific analysis that also took into account who should be able to circumvent access-control technologies and under what circumstances — a change that allowed for narrower pools of copyrighted material to be exempted. In October, the Library of Congress announced the start of the latest triennial review process, and in the weeks since then, about 20 institutions, organizations, and people have suggested possible exemptions from the copyright law’s prohibition on circumvention. They range from the American Federal for the Blind arguing for an exemption for electronic books that prevent the use of read-aloud functions or specialized formats that enable the visually impaired to use them to several related to the interoperability of cellular telephones. Of most direct interest to people in higher education, though, are a set of proposals that seek to expand on the exemption won by the University of Pennsylvania’s Peter Decherney and other film studies scholars in 2006. Decherney himself, an assistant professor of cinema studies and English, submitted a request that the exemption that allows film studies professors to reproduce clips from DVDs be altered in two ways: to allow the use of any audiovisual material in any university library (the current exemption applies only to material in a film studies department’s own library) and to allow film studies students, not just professors, to use such material.

COURT REJECTS EFFORT TO REQUIRE WEBSITE TO IDENTIFY ANONYMOUS COMMENTERS (Steptoe & Johnson’s E-Commerce Law Week, 31 Dec 2008) - A recent ruling could help clarify when an Internet service provider may resist complying with a subpoena for the identity of anonymous individuals who have posted content to the provider’s servers. In Enterline v. Pocono Medical Center, a federal court in Pennsylvania ruled that a newspaper had standing to challenge a subpoena for the identities of anonymous individuals who posted comments to the newspaper’s website. It also ruled that the First Amendment rights of the commentators barred the court from compelling the newspaper to comply with the subpoena.

ABA LAUNCHES NEW SOCIAL NETWORK (ABA Journal, 31 Dec 2008) - Social networks are booming. With Facebook hosting more than 100 million user profiles and LinkedIn attracting more than 30 million profiles of business professionals, social networking has moved far beyond its genesis as a way for teens to communicate with one another. Today lawyers are using social networking as a way to connect with colleagues as well as clients—both old and new. To meet the needs of a growing number of lawyers who seek a way to enter the world of Web 2.0, the ABA recently launched a new social networking platform, LegallyMinded is the latest online forum for the legal community. While other social networking sites catering to legal audiences do exist, many of these sites limit their membership to licensed lawyers, requiring potential members to provide verification. However, the goal of LegallyMinded is to engage all constituencies in the legal community from law students to paralegals and firm administrators. “The legal community consists of a diverse set of professionals, not just lawyers,” said Fred Faulkner, manager of ABA interactive services. “Our goal is to engage legal professionals up and down the vertical ladder, from academics and judges to legal support staff.” LegallyMinded hosts much of the ABA’s rich content, including news from the ABA Journal. Additionally, the site includes user profiles, wikis, a job board and career center. Users can also create a blog, participate in discussion groups and share files with other users. Whether users talk about trends in litigation or what software is best to manage case loads, LegallyMinded provides users with the framework to connect with their peers, share their knowledge and speak their minds. The network is free and open to the public.

THE TOUGHEST Q’S ANSWERED IN THE BRIEFEST TWEETS (New York Times, 3 Jan 2009) - The Israel Defense Forces, recognizing that success in neutralizing the Hamas movement in Gaza is as much a public relations challenge as a military one, has enlisted an arsenal of Internet tools to take their message directly to a global audience. There is a military channel on the video-sharing site YouTube where you can watch suspected Hamas sites being obliterated by ordnance; blogs that spread the message of the foreign affairs ministry; and in the newest wrinkle, a news conference conducted through the microblogging service Twitter. “Since the definition of war has changed, the definition of public diplomacy has to change as well,” said David Saranga, the head of media relations for the Israeli consulate in New York, which conducted the Twitter news conference on Tuesday. Some, including the MSNBC anchor Rachel Maddow, mocked the idea of a government spokesman addressing the Israeli-Palestinian conflict in tweets barely a sentence long. “The Israeli government is trying to explain a conflict that people write books about, a conflict that newspaper writers struggle to explain in 2,000 words, in 140 characters at a time,” she marveled. Mr. Saranga said Tuesday’s online dialogue, which was open for questions from anyone with a Twitter account, was “the first governmental press conference ever held on Twitter.” And he made no apologies for using common text-messaging abbreviations — 2 for to, 4 for for, and r for are, and other shorthand like civ for civilian — in his answers. “I speak to every demographic in a language he understands,” he said. “If someone only speaks Spanish, I speak in Spanish; if someone is using a platform like Twitter, I want to tweet.”

RISKY FOR ALL EXECUTIVES (National Law Journal, 5 Jan 2009) - Like many executives, Barack Obama is an admitted BlackBerry addict. But advisers insist that on Inauguration Day he should give up the device, which, in the words of one senior aide, “never stopped crackling with e-mails” during the campaign. As president, Obama will be subject to a strict records-retention law called the Presidential Records Act, and wireless devices also pose security risks deemed too high for the commander in chief. The question for in-house counsel: If a BlackBerry poses dangers for the nation’s chief executive, should your chief executive officer be using one? It may be difficult to imagine life without a BlackBerry. In many organizations, such devices have become vital to the smooth functioning of corporate teams at the highest levels of management, where decisions affecting hundreds of people and involving millions of dollars are made every day. Yet the same concerns worrying Obama’s advisers also apply to corporate BlackBerry users. Computer usage, records retention and security have been and continue to be corporate duties. Obama’s team is smart to be addressing the issue now, and in-house counsel and information technology departments should follow suit with respect to the use of portable communication devices. Executives of both private and public companies have a responsibility to protect and preserve business records as set forth in several state and federal laws. The Sarbanes-Oxley Act, for instance, requires that companies preserve a variety of business records for specified periods of time. The law’s definition of business record is broad enough to include many messages sent from mobile devices. Moreover, when the prospect of litigation arises, communications related to the dispute sent from portable devices may become discoverable under the Federal Rules of Civil Procedure. If there is no system established to preserve wireless communications, litigants may be incapable of complying with discovery requests and suffer court sanctions. More worrisome is a situation in which an exculpatory document is lost in the wireless ether. Such risks require sophisticated, nuanced and routinely updated computer usage and document-retention policies that take wireless devices into account. Companies should first decide whether such devices should be used and, if so, what, if any, types of business records can be sent using such devices. Then the task is to develop a workable means of capturing messages to facilitate compliance with federal and state statutes, as well as discovery rules and organizational needs.

DO MODEL WEB FACES MISREPRESENT LAW FIRMS? (Nat’l Law Journal, 5 Jan 2009) - The images of several well-groomed, professional-looking people permeate the pages on the Web site of the Holland & Knight law firm. But would-be clients should not seek to speak with any of those people about their legal needs when contemplating whether to hire the Tampa, Fla.-based firm. All of those good-looking folks shown on virtually all of the Web site’s main pages -- blacks and whites, males and females, younger people and gray-haired ones -- are paid models. Not one is a lawyer with the firm. The same goes for the home page of the Web site of Ruden McCloskey, a Fort Lauderdale-based firm with offices around the state. The trio of smiling, professional-looking people -- a black male, a white male and a white female -- also are paid models, not lawyers, a firm spokesman acknowledged. Before a state-appointed receiver took down the Web site of the controversial debt settlement law firm of Hess Kennedy of Coral Springs, models appeared on its home page. While not ambivalent about the topic, The Florida Bar has not raised any enforcement issues over the use of models on law firm Web sites. Over the years, The Bar has maintained a reputation of being one of the nation’s toughest regulatory bodies on lawyer advertising. But complaints about models on Web sites have been non-existent, said Kathy Bible, The Bar’s advertising counsel in Tallahassee. “I’ve never had a complaint on this,” she said. “I don’t recall this ever coming up.” Speaking generally about the use of models instead of actual lawyers, Bible said, “I don’t really see this as truly misleading or deceptive.” Joy Bruner, the assistant ethics counsel in Tallahassee, said the organization’s advertising committee has not previously ruled on the question. “The issue is whether they are misleading in the context in which it’s being used,” Bruner said when asked generally about the use of models. She would not comment about the use of models by any specific firm. The Bar’s rules of professional conduct dealing with communications about lawyer services contain a section dealing with advertising prohibitions. Rule 4-7.2 (c) says that lawyers “shall not make or permit to be made a false misleading or deceptive communication about the lawyer or the lawyer’s services” and that a communication violates the rule if it is deceptive or “contains a material misrepresentation of fact or law.” The rules, under “prohibited visual and verbal portrayals and illustrations,” say that lawyers shall not include in their ads “any visual or verbal descriptions, depictions, illustrations or portrayals of persons, things or events that are deceptive, misleading, manipulative or likely to confuse the viewer.” Not all law firms that use group pictures on their Web sites hire models. In fact, most do not, based on a check of about 20 large firms that maintain offices in South Florida. Some firms use no group pictures at all or only use individual photos of their partners and associates, which can be easily changed as people leave the firm or as new attorneys arrive.

- and -

FLORIDA JUSTICES GIVE COLD SHOULDER TO PROPOSED WEB RULE (Nat’l Law Journal, 9 Jan 2009) - Law firm Web sites should not be subjected to the stringent rules governing other legal advertising, the Florida Bar argued Tuesday to the state Supreme Court. Presenting proposed rules, the Bar’s attorney contended lawyers should be allowed to publish client testimonials and claims about past successes on the Internet. The Bar prohibits lawyers from presenting this information in printed promotional material. But the justices did not seem too keen on the idea of having expanded information on the Internet. Several justices expressed concern about allowing testimonials and failing to require Bar review. “I don’t know for the life of me why you would allow testimonials on the Web site, and it’s being completely unregulated,” Justice Barbara Pariente said. Chief Justice Peggy Quince questioned why the Bar proposed testimonials without review, which is required for other kinds of lawyer advertising. Arguing for the Bar, Daytona Beach attorney Chobee Ebbets said the Bar never requested Web submissions and it would be “physically impossible” for the Bar to monitor all Web sites.

DATA BREACHES UP ALMOST 50 PERCENT, AFFECTING RECORDS OF 35.7 MILLION PEOPLE (Washington Post, 6 Jan 2009) - Businesses, governments and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans, according to a nonprofit group that works to prevent identity fraud. Identity Theft Resource Center of San Diego is set to announce today that some 656 breaches were reported in 2008, up from 446 in the previous year. Nearly 37 percent of the breaches occurred at businesses, while schools accounted for roughly 20 percent of the reported incidents. The center also found that the percentage of breaches attributed to data theft from current and former employees more than doubled from 7 percent in 2007 to nearly 16 percent in 2008. “This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders,” said Linda Foley, the center’s co-founder. “As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent.” The largest single cause of data breaches came from human error, the center found. Lost or stolen laptops and other removable electronic devices, along with the accidental exposure of consumer data -- such as the inadvertent posting of personal data online -- were named as the cause for more than 35 percent of reported incidents. Computer hacking and software that steals data were blamed for nearly 14 percent of breaches.

YELP USER FACES LAWSUIT OVER NEGATIVE REVIEW (CNET, 6 Jan 2009) - San Franciscan Christopher Norberg went to a chiropractor after being injured in a car accident in 2006. After a disagreement with the chiropractor over billing, he posted a negative review of the business on Yelp suggesting that the doctor was dishonest. Now he is facing a defamation lawsuit that could chill self-expression on the popular gripe Web site. “If Christopher loses then anyone on Yelp who writes a negative review better be careful,” said Michael Blacksburg, an attorney representing Norberg. “This strikes at the heart of Yelp’s business model and other Web sites that provide a bulletin board for people to state what they think of businesses in their community.” “This is clearly Christopher Norberg’s version of conversations with the doctor relating to a billing dispute and his opinion of how the doctor was behaving,” Blacksburg said on Tuesday. “This is clear opinion that falls squarely within constitutionally protected speech.” Eric Nordskog, the attorney for chiropractor Steven Biegel, said the case comes down to whether Norberg’s comments are considered statements of fact or opinions. [Editor: no new “law” here probably; but another illustration of the “different-packages” effect.] Case settles January 9:; similar, new suits filed against Yelp January 13:

SKYPE SUED UNDER WASHINGTON’S GIFT CARD RULE (BNA’s Internet Law News, 8 Jan 2009) - BNA’s Electronic Commerce & Law Report reports that a complaint filed in Washington Superior Court for King County claims that Skype’s seizure of unused funds its VoIP customers deposit in stored value accounts violates Washington’s gift card rule, which prohibits most gift card expiration dates. Washington’s gift card statute prohibits expiration dates on gift cards, with certain exceptions. It does permit account dormancy charges, but only if a gift card goes unused for at least 24 months.

NEW JERSEY DROPS ENCRYPTION REQUIREMENT FROM DRAFT DATA SECURITY REGULATIONS (Steptoe & Johnson’s E-Commerce Law Week, 8 Jan 2009) - Last month, the New Jersey Division of Consumer Affairs released a new draft of its proposed data security regulations. As we previously reported, backlash from business blocked adoption of the original proposed regulations, which were drafted in 2007 pursuant to New Jersey’s Identity Theft Prevention Act. While the original proposal would have required companies doing business in the Garden State to use encryption -- and a plethora of other technologies -- to protect the personal data of New Jersey residents, the new draft does not require encryption or any other specific technologies. Instead, the new draft would impose a more general requirement on affected companies to “implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of personal information.”

COURT RULES THAT EMPLOYEE’S MISAPPROPRIATION OF BUSINESS INFORMATION DOES NOT VIOLATE CFAA (Steptoe & Johnson’s E-Commerce Law Week, 8 Jan 2009) - A December 15 ruling adds to the division among the courts about when an employee’s breach of loyalty to his company violates the Computer Fraud and Abuse Act (CFAA). In Condux Int’l, Inc., v. Haugum, a federal court in Minnesota ruled that a former employee’s “wrongful intended use” of information that he had accessed on workplace computers while he still worked for the company did not make this access “unauthorized” for the purposes of the CFAA. The court noted the split in legal authority on the question of whether violating a duty of loyalty to an employer can cause one’s access to workplace computers to become “unauthorized” or in excess of authorized access for purposes of the CFAA. But it ultimately sided with those courts that have interpreted the CFAA as creating a cause of action for the “unauthorized procurement or alteration of information, not its misuse or misappropriation.” It held that, under the plain language of the statute, “exceeds authorized access” “contemplates persons who ‘go beyond the permitted access granted to them,’” while “without authorization” refers to persons with “no permission to access whatsoever.”

E-MAIL SNAFU EXPOSES NAMES OF CONFIDENTIAL WITNESSES IN FEDERAL PROBE (Computerworld, 8 Jan 2009) - From the how-not-to-keep-a-secret department comes the tale of an official at U.S Attorney Patrick Fitzgerald’s office in Chicago who inadvertently e-mailed a document containing the names of more than 20 confidential witnesses in a federal probe to the media. According to reports published by the Chicago Tribune and The Smoking Gun Web site, the snafu happened yesterday, when a spokesman for Fitzgerald attached the document to an e-mail message announcing felony charges against individuals named John Walsh and Charles Martin. The two men were partners in a foreign-exchange futures dealer called One World Capital Group, located in the Chicago area but now defunct, that is accused of defrauding customers of $15 million. Included along with the 62-page complaint filed against Walsh and Martin was a one-page chart that identified 24 sources who were mentioned only in an anonymous fashion in the complaint itself. The sources included former One World employees, customers and “other” individuals, according to a copy of the document that was posted by The Smoking Gun with the names blurred out. The document also apparently identified two investment groups that hadn’t been publicly named. Once the error was discovered, Fitzgerald spokesman Randall Sanborn quickly sent out another e-mail asking all of the media members who received the original document to quickly destroy it, according to the two reports.

LIMEWIRE MIXING SOCIAL NETWORKING, P2P (CNET, 8 Jan 2009) - Get ready for the collision of social networking and peer-to-peer file sharing. With the beta release of LimeWire 5.0 (download for Windows| Mac), which was announced at the Consumer Electronics Show here, the popular P2P service is incorporating a social element that will enable people using Jabber-compatible services like Gmail to share files with friends on their buddy lists. Lime Wire calls this a “personal sharing network.” The idea, said Lime Wire CEO George Searle, is to add trusted context to user searches for content, given that people are more likely to want--and feel comfortable with--content from people they know. Additionally, Searle explained that the new social features of LimeWire--which has 70 million monthly unique users and more than 5 billion queries a month--will enable people to choose whether to make files available to the public at large, or just to their friends and family.

E-DISCOVERY RULINGS: 2008 IN REVIEW (Nat’l Law Journal, 9 Jan 2009) - In 2006, courts and litigants braced for the electronic data discovery amendments to the Federal Rules of Civil Procedure. Conventional wisdom suggested pandemonium would ensue as parties wrangled over the meaning and relative impact of the amended rules on their respective cases. Instead, in 2007, courts quickly responded with several rulings that clarified the amended rules. Then in 2008, the EDD community saw its most active year to date, with opinions delving into the technology for search and retrieval, the meet-and-confer process and the enactment of Federal Rule of Evidence 502 to combat waiver of attorney-client privilege resulting from the inadvertent production of electronically stored information. While the usual suspects -- a small group of active judges -- continue to write opinions that further guide and shape the preservation and production of ESI, several opinions in 2008 were drafted by relatively new players taking a more active role. Many of 2008’s “must read” opinions came from District of D.C. Magistrate Judge John Facciola and District of Maryland Judge Paul Grimm. Some have suggested the two have a friendly rivalry aptly called “the Battle of the Beltway,” however, the cases are more likely testament to both judges’ passion and expertise in the area. The biggest event of 2008 was the Sept. 19 passage of FRE 502 that made uniform and codified the “middle of the road” approach to determining waiver of the attorney-client privilege and work-product doctrine in the event of an inadvertent production. [Editor: there’s more, and it’s a workmanlike summary.]

IS IT COPYRIGHT INFRINGEMENT ON FASHION DESIGN TO POST PHOTOS FROM A FASHION SHOW ONLINE? (TechDirt, 12 Jan 2009) - For many years, we’ve discussed how the fashion industry is a great example of an industry that is more innovative, more prolific and more dynamic due to the lack of intellectual property protection. In fact studies have repeatedly shown that it’s the very lack of copyright over clothing designs that has made the overall industry so successful. It encourages continued innovation and adaptation, while the fact that there are knockoffs actually helps to increase the value of original authentic designs, while permeating design concepts throughout the fashion world. However, that hasn’t stopped designers from trying to gain copyright advantages over clothing designs, and one ongoing case suggests how ridiculous this concept could be. An online publication is being sued by two French fashion designers, not for creating knockoff clothing, but for daring to post photos online of the fashion designers clothing lines, which they demonstrated at a fashion show. The website sent its own photographers to the show (so it’s not a case of them reposting someone else’s photos). A French court sided with the designers (French design protectionism shows up again...), and now the case has moved to the US to see if the designers can collect.

U.S. VISITORS REQUIRED TO REGISTER ONLINE (CNET, 12 Jan 2009) - Starting Monday, travelers from the United Kingdom, Germany, Japan, Australia, and a host of other countries will have to register online with the U.S. Department of Homeland Security before they can travel into the United States. As part of its efforts to use technology to improve border security, the DHS is mandating that travelers from any of the 35 countries in the U.S. Visa Waiver Program apply online for an Electronic System of Travel Authorization before boarding a plane to the U.S. Previously, visitors from those countries were only required to fill out the I-94W form on flights to the U.S. for trips shorter than 90 days. The ESTA applications collect the same information as the I-94W form and check it against DHS databases to determine whether a traveler poses a law enforcement or security risk. That information includes biographical data like birth date and passport information, as well as information regarding communicable diseases, arrests, convictions for certain crimes, and mental disorders that spur behavior that may pose a threat to others. ESTA is a “key security element” of the Visa Waiver Program, DHS Secretary Michael Chertoff wrote on the DHS Leadership Journal blog.

ITUNES SONGS DON’T HAVE DRM, BUT THEY CONTAIN YOUR EMAIL ADDRESS (TechDirt, 14 Jan 2009) - Apple got a lot of press last week when it announced that it was going to remove the DRM from songs it sold through the iTunes Music Store. That’s a great thing in itself, since it removes the barriers legitimate customers faced in playing back music they purchased on the device of their choice. But details are coming out, and it’s not all good news: the songs are watermarked (via Slashdot) with the email address of the iTunes account used to purchase them. This is certainly better than DRM, but it’s still not great. The biggest issue is that it links files to a particular consumer -- which will likely lead to the RIAA using the watermarks to attempt to “prove” that people actively shared songs and sue them.

NIST PROPOSES RISK-BASED APPROACH TO GUARDING PERSONAL DATA (GCN, 14 Jan 2009) - Federal agencies are required under various laws, regulations and mandates to protect the privacy of citizens and secure the personally identifiable information (PII) that they hold, but this has not stopped breaches in IT systems that have potentially exposed millions of personal records. The National Institute of Standards and Technology has outlined for agencies a risk-based approach to securing PII in the recently released draft of Special Publication 800-122, titled “Guide to Protecting the Confidentiality of Personally Identifiable Information.” The guidelines lay out appropriate security controls that can be used depending on the nature of the information being protected and the likelihood of its being exposed. NIST explains the risk-based approach to security with a quote former national security adviser McGeorge Bundy, who once told Congress, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” Personally identifiable information generally is information that can be used to specifically identify an individual. Some types of information can pose a risk to the individual if it falls into the wrong hands by enabling identity theft or financial fraud. Its loss also can cause substantial embarrassment or worse to the organization that loses it. To effectively protect this type of information, NIST recommends that organizations: * * *

CT RULES MERE VIOLATION OF PRIVACY POLICY PROMISE DIDN’T AMOUNT TO CONTRACT BREACH, FRAUD (BNA’s Internet Law News, 15 Jan 2009) - BNA’s Electronic Commerce & Law Report reports that a federal court in Louisiana has ruled that violations of a privacy policy, which allegedly arose when a tax firm carelessly disposed of sensitive client files in a dumpster, did not yield a cause of action for breach of the policy’s terms without a showing of actual damages. The court also held that the plaintiff was not entitled to recover under Louisiana’s database security breach notification law because the alleged data breach involved data represented on paper documents not in computerized storage. Case name is Pinero v. Jackson Hewitt Tax Service Inc. (Subscription required, free trial available)

JUDGE APPROVES STREAMING OF MUSIC-SWAPPING HEARING (Boston Herald, 15 Jan 2009) - A federal judge on Wednesday authorized the first online streaming of oral arguments in a U.S. District Court in Massachusetts in a copyright infringement lawsuit that pits a Boston University graduate student against the music recording industry. U.S. District Court Judge Nancy Gertner restricted the live streaming to a Jan. 22 hearing, saying she will decide later whether to make other proceedings in the case, set for March 30 trial, available online. The lawsuit is one of a series filed by the Recording Industry Association of America since 2003 against about 35,000 people who allegedly swapped songs online. Most of those sued are college students, and many have defaulted or settled for amounts between $3,000 and $10,000, often without legal counsel. Charles Nesson, a Harvard University professor representing BU student Joel Tenenbaum, of Providence, R.I., is challenging the constitutionality of the lawsuits, which, based on the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999, can impose damages of $150,000 per willful act of infringement. Nesson had asked Gertner to authorize video cameras already installed in courtrooms to be used to capture the proceedings and transmit the material to Harvard’s Berkman Center for Internet, which will then stream it on its Web site for free. Gertner approved the request and authorized New York-based Courtroom View Network, which has webcast state court trials, to “narrowcast” proceedings to the Berkman Center. Gertner said local district judges have the discretion under the guidelines of the policy-setting federal Judicial Conference to allow recording and broadcast when it serves the public interest, particularly of legal arguments without the presence of witnesses and jurors in a case. “The public benefit of offering a more complete view of these proceedings is plain, especially via a medium so carefully attuned to the Internet Generation captivated by these filesharing lawsuits,” Gertner said.

DEVELOPING A SELF-LEARNING DISTANCE PROGRAM ON COPYRIGHT FOR LIBRARIANS (Berkman Center podcast, 9 Dec 2008) - Copyright for Librarians is a project developed at the Berkman Center in partnership with (Electronic Information for Libraries), aiming at developing a distance learning program on copyright targeted to librarians. Berkman Fellow Melanie Dulong de Rosnay presents the objectives and main steps of the project. As new technologies impact on the work of libraries and copyright law increasingly challenges library practices and access to knowledge, the aim of the course is to provide a sound understanding of the fundamentals of copyright and to raise awareness amongst librarians for balanced copyright laws and practices. [One Star]

**** RESOURCES ****
Cyber Liability & Higher Education (Aon Professional Risk Solutions White Paper, Dec 2008) - Due to the nature and complexity of operations and the academic culture of open face unique exposures related to the internet and information security and privacy. An overriding challenge that educational institutions face when dealing with privacy and security risks continues to be the fundamental conflict between a culture that values an unfettered exchange of ideas, and the security and privacy of sensitive or private information.

**** BOOK REVIEW ****
GOOGLING SECURITY: BOOK THAT OPENS YOUR EYES TO HOW MUCH YOU DISCLOSE TO GOOGLE (BoingBoing, 5 Dec 2008 review by Cory Doctorow) - Greg Conti -- a West Point instructor in computer science and information war -- has taken a long, hard look at the amount of information Internet users explicitly and implicitly disclose to Google and the results, collected in his book Googling Security: How Much Does Google Know About You? are sobering. Conti enumerates all of Google’s (often fantastic) services, describes how compelling they are, and then notes what information you disclose when you use them -- even when you only use them inadvertently (say, when you send email to someone with a Gmail account, or when you load a bookmarked Gmap that’s been sent to a group of logged-in Google users, thus tying yourself to those users as part of the same group). In slow, methodical steps, Conti builds his case: our complacency, Google’s capacity for building compelling services, and the inadequacy of our browsers and other tools in alerting us to potential information disclosure have created a situation where Google ends up in possession of an alarming amount of information about us, our beliefs, our movements, our finances, our health, our employment and our social circles. Conti’s explanations are extremely accessible, even when discussing difficult and counter-intuitive subjects like cross-site scripting and cookies. Likewise accessible are his concrete recommendations for staunching the flow of personal information from your computer into Google’s records. Finally, Conti does a great job of explaining why people who “have nothing to hide” might still want to keep their information to themselves (the approximate dimensions and characteristics of the body under your clothes aren’t a secret -- but you still don’t walk around naked in public and you’d resent it if someone forced you to. Private and secret aren’t the same thing). I’ve given the subject of privacy and Internet use a lot of thought, but even so, Conti’s book opened my eyes to potential risks I’d never considered. I’d recommend this to anyone who’s worried about what’s happening to our ability to control the aggregation of our personal data.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

No comments: