Saturday, February 28, 2009

MIRLN --- 8-28 February 2009 (v12.03)

• Ponemon Study Shows Data Breach Costs Continue to Rise
• Lords: Rise of CCTV is Threat to Freedom
• NIST Updates Recommendations for IT Security Controls
• Change You Can Download
• ABA Social Network Fails to Connect
• Web 2.0 Defamation Lawsuits Multiply
• Congressman’s Twittering Raises Security Concerns
• More than 150 Banks Affected by Heartland Data Breach Thus Far
• Video Site’s Investors Not, On Role Alone, Liable for Alleged Infringements
• YouTube Goes Offline
• In ‘Fig Leaf’ Settlement with Jones Day, Website Agrees to Adjust Use of Links
• Where You’ve Been on Net Not Private, Canadian Judge Rules
• E-Invoicing in Europe
• How Attackers Use Your Metadata Against You
• Massachusetts Extends Compliance Deadline on Data Security Rules – Again
• Ninth Circuit Makes it More Difficult for Individuals to Challenge Government Searches of the Workplace
• As Data Collecting Grows, Privacy Erodes
• Facebook’s Users Ask Who Owns Information
o Facebook Backtracks on Terms of Use After Protests
o Facebook Opens Governance of Service and Policy Process to Users
• Let My Board and Me Become As One: The Wii Balance Board/Google Earth Mashup
• Visual Computer Forensic Analysis
• CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations
• DHS Names Chief Privacy Officer
• Surprise: America is No. 1 in Broadband
• Exiting Workers Taking Confidential Data With Them
• Cybersecurity Audit Guidelines Recommended
• Listen Up and Discover Audio Recordings
• Ten Steps for Mitigating Data Risk During a Merger
• Posting YouTube Video Without Subjects’ Consent Draws Fine From Spanish DPA
• Obama Administration Supports Telco Spy Immunity
• Judge Orders Defendant to Decrypt PGP-Protected Laptop


**** NEWS ****

PONEMON STUDY SHOWS DATA BREACH COSTS CONTINUE TO RISE (PGP Corporation, February 2009) - PGP Corporation, a global leader in enterprise data protection, and the Ponemon Institute, a privacy and information management research firm, today announced results of the fourth annual U.S. Cost of a Data Breach Study. According to the study which examined 43 organizations across 17 different industry sectors, data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Within that number, the largest cost increase in 2008 concerns lost business created by abnormal churn, meaning turnover of customers. Since the study’s inception in 2005, this cost component has grown by more than $64 on a per victim basis, nearly a 40% increase. The annual U.S. Cost of Data Breach Study tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. [There are separate studies for the US, the UK, and Germany – download them here:]

LORDS: RISE OF CCTV IS THREAT TO FREEDOM (The Guardian, 6 Feb 2009) - The steady expansion of the “surveillance society” risks undermining fundamental freedoms including the right to privacy, according to a House of Lords report published today. The peers say Britain has constructed one of the most extensive and technologically advanced surveillance systems in the world in the name of combating terrorism and crime and improving administrative efficiency. The report, Surveillance: Citizens and the State, by the Lords’ constitution committee, says Britain leads the world in the use of CCTV, with an estimated 4m cameras, and in building a national DNA database, with more than 7% of the population already logged compared with 0.5% in America. The cross-party committee, which includes Lord Woolf, a former lord chief justice, and two former attorneys general, Lord Morris and Lord Lyell, warns that “pervasive and routine” electronic surveillance and the collection and processing of personal information are almost taken for granted. Although many surveillance practices and data collection processes are unknown to most people, the expansion in their use represents “one of the most significant changes in the life of the nation since the end of the second world war”, the report says. The committee warns that the national DNA database could be used for “malign purposes”, challenges whether CCTV cuts crime and questions whether local authorities should be allowed to use surveillance powers at all. The peers say privacy is an “essential prerequisite to the exercise of individual freedom” and the growing use of surveillance and data collection needs to be regulated by executive and legislative restraint at all times.

NIST UPDATES RECOMMENDATIONS FOR IT SECURITY CONTROLS (GCN, 6 Feb 2009) - The National Institute of Standards and Technology has released an initial draft for public comment of a revised version of its Recommended Security Controls for Federal Information Systems and Organizations. Although this is Revision 3 of Special Publication (SP) 800-53, NIST calls it the first major update of the guidelines since their initial publication in December 2005. NIST tries to revisit its security guidance every two years and update it as needed, said senior computer scientist Ron Ross. But revising a 200-plus-page comprehensive set of recommendations is expensive and time-consuming. SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act (FISMA). It is intended to answer these questions:
• What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
• Have the selected security controls been implemented or is there a realistic plan for their implementation?
• What is the desired or required level of assurance (i.e. grounds for confidence) that the selected security controls, as implemented, are effective in their applications?
This update also is part of an effort to harmonize security requirements across government. NIST guidance typically does not apply to government information systems identified as national-security systems. Draft here:

CHANGE YOU CAN DOWNLOAD (Wikileaks, 8 Feb 2009) - Wikileaks has released nearly a billion dollars worth of quasi-secret reports commissioned by the United States Congress. The 6,780 reports, current as of this month, comprise over 127,000 pages of material on some of the most contentious issues in the nation, from the U.S. relationship with Israel to the financial collapse. Nearly 2,300 of the reports were updated in the last 12 months, while the oldest report goes back to 1990. The release represents the total output of the Congressional Research Service (CRS) electronically available to Congressional offices. The CRS is Congress’s analytical agency and has a budget in excess of $100M per year. Open government lawmakers such as Senators John McCain (R-Arizona) and Patrick J. Leahy (D-Vermont) have fought for years to make the reports public, with bills being introduced--and rejected--almost every year since 1998. The CRS, as a branch of Congress, is exempt from the Freedom of Information Act.
Although all CRS reports are legally in the public domain, they are quasi-secret because the CRS, as a matter of policy, makes the reports available only to members of Congress, Congressional committees and select sister agencies such as the GAO. [This is said to be the entire CRS electronic body of work back to 1990 in one slug – 2.16 gigs. CRS reports are here: and here:] Some examples: “Border Searches of Laptop Computers and Other Electronic Storage Devices”; “Broadband Internet Regulation and Access: Background and Issues”; “2008-2009 Presidential Transition: National Security Considerations and Options”; “Fair Use on the Internet: Copyright’s Reproduction and Public Display Rights”; “A Sketch of Supreme Court Recognition of Fifth Amendment Protection for Acts of Production”.

ABA SOCIAL NETWORK FAILS TO CONNECT (, 9 Feb 2009) - The American Bar Association has jumped on the social networking bandwagon with a site of its own, LegallyMinded. The ABA hopes to separate its site from the professional networking pack by combining the best features of the top social networking sites with substantive legal information from the ABA’s library. Ambitious as it is, the site falls short on execution. It jettisons features that should be central and weighs itself down with others that are useless or redundant. It is as if the ABA came late to a crowded race, barefoot and with bricks in its backpack. “We set out to do something different,” said Fred Faulkner, the ABA’s manager of interactive services in Chicago, in an article in the ABA Journal. “We looked at a lot of the professional and social networks, and the gap we found was that there truly wasn’t a good site that was a cross between professional and personal networking,” he said. I interviewed Faulkner, who explained that the goal was to combine the best features of sites such as LinkedIn and Facebook with high-quality content from the ABA and other sources. Given this, it is unfathomable why the ABA chose not to include the one feature that defines social networking sites -- connections. Users have no way to link with each other. Instead, a user’s only option is to add other members to a private “contacts” list that only the user can see.

WEB 2.0 DEFAMATION LAWSUITS MULTIPLY (SF Gate, 9 Feb 2009) - The Web 2.0 movement, which ushered in an interactive Internet, sought to put power in the hands of the people by tapping the so-called wisdom of the crowds to change the world - and to keep such a digital democracy in check. A decade later, as defamation lawsuits have begun to mount, some are questioning the wisdom of the crowds, and wondering if it hasn’t turned into mob rule. “I don’t know why this has taken so long,” said Andrew Keen, author of a controversial book, “The Cult of the Amateur: How Today’s Internet is Killing Our Culture.” “The Internet is a culture of rights rather than responsibilities. We have no coherent theory of digital responsibility. The issue has broken through, broken out of Silicon Valley - now it affects real people with real reputations to defend.” Just last week, Juicy Campus - a Web site that was banned from some colleges for its postings of vicious anonymous gossip - abruptly shut down, its traffic redirected to a site called College Anonymous Confession Board, whose owner said he hosts “a higher level of discourse.” Meanwhile, the review site Yelp, based in San Francisco, has found itself in the crosshairs of the free e-speech debate. Yvonne Wong, a pediatric dentist in Foster City, recently sued Los Altos couple Tai Jing and Jia Ma after they criticized her treatment of their son in a posting on Yelp. They questioned her use of laughing gas and said they were angry she had used fillings containing mercury. Wong’s lawyer, Marc TerBeek of Oakland, said the review is false, and Yelp has since taken it down. Legal scholars have started to ask whether that law - the Communications Decency Act - should be modified, on the grounds that it allows too much irresponsible speech. “We may put our photos on Flickr and our e-mail on Google and our personal experiences on Facebook,” said Brewster Kahle, who founded the Internet Archive, a nonprofit digital library in San Francisco. “But who’s responsible for this content? If you want things to go away, does it really?” See also

CONGRESSMAN’S TWITTERING RAISES SECURITY CONCERNS (, 11 Feb 2009) - The top Republican on the House intelligence committee landed in hot water this week after using his Twitter page to update the public on his precise whereabouts while traveling through Iraq and Afghanistan. The revelation prompted the Pentagon to review its policy, which regards such information as sensitive, and lit up the liberal blogosphere with accusations of hypocrisy. Rep. Pete Hoekstra says he did nothing wrong. He pointed to announcements by other high-ranking officials, including House Speaker Nancy Pelosi, which list the countries they plan to visit. “The policy that we have and that we did on this trip is consistent and well restrained from what other folks have done in the past,” said Hoekstra, R-Mich. But Hoekstra, who has decried the unauthorized leaking of classified information, provided far more details than a general itinerary, including at least a 12-hour heads-up that he was headed to Iraq.

MORE THAN 150 BANKS AFFECTED BY HEARTLAND DATA BREACH THUS FAR (ComputerWorld, 11 Feb 2009) - The list of financial institutions that have said they were affected by the data breach disclosed last month by Heartland Payment Systems Inc. is growing longer by the day and now includes banks in 40 states as well as Canada, Bermuda and Guam, according to the news portal. The Web site today published a list containing the names of 157 institutions that it said have publicly disclosed to customers that they were victimized as a result of the breach at Heartland, a large payment processor in Princeton, N.J. The list includes two banks in Bermuda, plus one each in Canada and Guam. Meanwhile, in another indication of the fallout from the breach, 83% of the 512 banks that responded to an informal “quick poll” survey conducted in late January by the Independent Community Bankers of America (ICBA) trade group said that credit or debit cards they had issued were compromised in the incident at Heartland.

VIDEO SITE’S INVESTORS NOT, ON ROLE ALONE, LIABLE FOR ALLEGED INFRINGEMENTS (BNA’s Internet Law News, 12 Feb 2009) - BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that investors who appear to have done little more than serve on the board of directors for an online video-sharing service cannot be held liable for the service’s alleged copyright infringement. The court said that a leadership role in a video-sharing corporation was not itself enough to substantiate claims of contributory or vicarious copyright infringement. Case name is UMG Recordings Inc. v. Veoh Networks Inc.

YOUTUBE GOES OFFLINE (YouTube and Larry Lessig’s blog, 12 Feb 2009) - We are always looking for ways to make it easier for you to find, watch, and share videos. Many of you have told us that you wanted to take your favorite videos offline. So we’ve started working with a few partners who want their videos shared universally and even enjoyed away from an Internet connection. Many video creators on YouTube want their work to be seen far and wide. They don’t mind sharing their work, provided that they get the proper credit. Using Creative Commons licenses, we’re giving our partners and community more choices to make that happen. Creative Commons licenses permit people to reuse downloaded content under certain conditions. We’re also testing an option that gives video owners the ability to permit downloading of their videos from YouTube. Partners could choose to offer their video downloads for free or for a small fee paid through Google Checkout. Partners can set prices and decide which license they want to attach to the downloaded video files (for more info on the types of licenses, take a look here). For example, universities use YouTube to share lectures and research with an ever-expanding audience. In an effort to promote the sharing of information, we are testing free downloads of YouTube videos from Stanford, Duke, UC Berkeley, UCLA, and UCTV (broadcasting programs from throughout the UC system). YouTube users who are traveling or teachers who want to show these videos in classrooms with limited or no connectivity should find this particularly useful.

IN ‘FIG LEAF’ SETTLEMENT WITH JONES DAY, WEBSITE AGREES TO ADJUST USE OF LINKS (ABA Journal, 12 Feb 2009) - In a “fig leaf” settlement entered into by BlockShopper after it racked up a six-figure legal defense bill in a controversial federal trademark infringement lawsuit, the website has agreed to alter the way it describes home purchases by Jones Day attorneys. Instead of simply “deep linking” the name of a Jones Day attorney buying a home to his or her law firm biography, BlockShopper has agreed to do so in a manner specified by the law firm, reports the Cleveland Plain Dealer. A copy of the settlement agreement is provided by the Am Law Daily. Under the new format agreed to in the settlement, BlockShopper will link the Jones Day law firm biography to a spelled-out law firm Web address following the lawyer’s name, Brian Timpone, the website’s founder, tells the ABA Journal. “In other words,” the Plain Dealer explains, “instead of writing ‘Daniel P. Malone Jr. is an associate in the Chicago office of Jones Day,’ “—and linking the law firm biography to Malone’s name—”BlockShopper must write ‘Malone ( is an associate ... .’ “ Settlement agreement here: [Editor: seems predicated on the assumption that people actually read complex URLs. Not a happy ending. Acerbic TechDirt story here:]

WHERE YOU’VE BEEN ON NET NOT PRIVATE, CANADIAN JUDGE RULES (National Post, 13 Feb 2009) - An Ontario Superior Court ruling could open the door to police routinely using Internet Protocol addresses to find out the names of people online, without any need for a search warrant. Justice Lynne Leitch found that there is “no reasonable expectation of privacy” in subscriber information kept by Internet service providers (ISPs), in a decision issued earlier this week. The decision is binding on lower courts in Ontario and it is the first time a Superior Court-level judge in Canada has ruled on whether there are privacy rights in this information that are protected by the Charter. The ruling is a significant victory for police investigating crimes such as possession of child pornography, while privacy advocates warn there are broad implications even for law-abiding users of the Internet. The ruling by Judge Leitch was made in a possession of child pornography case in southwestern Ontario. A police officer in St. Thomas faxed a letter to Bell Canada in 2007 seeking subscriber information for an IP address of an Internet user allegedly accessing child pornography. The court heard that it was a “standard letter” that had been previously drafted by Bell and the officer “filled in the blanks” with a request that stated it was part of a child sexual exploitation investigation. Bell provided the information without asking for a search warrant.

E-INVOICING IN EUROPE (McGinnis Lochridge, 13 Feb 2009) - On 28 January 2009 the Commission of the European Union proposed an overhaul of the 2006 EU Directive on Invoicing (Directive 2006/112/EC). If approved, this new Directive will fundamentally change how electronic invoicing is conducted in Europe and will affect all companies doing business in Europe. The proposed new Directive would make electronic invoices equivalent in all respects to paper ones. It would eliminate the requirement that advanced electronic signatures be used in electronic invoices and would eliminate the requirement that the recipient of the invoice consent to receive it in electronic form. Observing that the Member States’ disparate requirements for advanced electronic signatures have created significant obstacles to the adoption of electronic invoices, the Commission now wishes to harmonize member state requirements for electronic invoices by, among other things, abolishing the need for invoices to include advanced electronic signatures. In the original 2006 Directive on VAT Invoicing, Title XI, Chapter 3, Section 5 governed the use of electronic invoices. Article 232 of the original directive allowed enterprises to use electronic invoices only if the recipient consented to receive electronic invoices. Article 233 required electronic invoices to assure integrity of content and authenticity of origin by means of either an advanced electronic signature, EDI or “other electronic means allowed by the Member States”. The proposed new Directive would amend Article 232 to say that invoices can always be sent by paper or “made available” electronically, thus deleting the requirement of recipient consent. The new directive would delete Article 233 and the requirement to use advanced electronic signatures entirely. Proposed new Directive is here:

HOW ATTACKERS USE YOUR METADATA AGAINST YOU (DarkReading, 13 Feb 2009) - To steal your identity, a cybercriminal doesn’t have to have direct access to your bank account or other personal information. Often, he collects information about you from a variety of seemingly innocuous sources, then uses that data to map out a strategy to crack your online defenses and drain your accounts. Such methods are well-known to security professionals. But what those same professionals often overlook is that this approach can be used to crack the defenses of sensitive business files as well. Rather than trying to gain access to your data itself, the bad guys are analyzing the so-called harmless information about your files -- collectively known as metadata -- and using it to develop attacks that can drain your business of its most sensitive information. Armed with this data, an attacker can target users, as well as the computing environment within their enterprises. Several instances of metadata mishaps have been in the news in recent years. In one case, attackers used data they collected from the “track changes” feature in Microsoft Word. In another case, they took advantage of failed attempts to black out data in PDF files. These cases make it clear: Once your documents leave the internal network -- either through email or Web publishing -- those files and the metadata they contain are fair game for attackers. Many security professionals know about metadata, but they don’t really know how it can be used against their organizations. The first stage of leveraging metadata for an attack is gathering it. Both attackers and pen testers have a bevy of tools available solely for this purpose. Two readily-available hacking tools -- MetaGooFil and CeWL -- were created to expedite the collection process by automating the search, download, and extraction of metadata from documents available on the Internet. MetaGooFil was the first tool on the scene, and it uses Google to search for files of a specific type. Once it finds and downloads files, the metadata is extracted and displayed in an HTML report that shows the information found in each file. The end of the report includes a summary of authors and file paths -- information that can be important later on, during other attack phases. CeWL takes a different approach, spidering a Website to create a word list that can be used for password brute-forcing. It can also collect email addresses, authors, and user names from metadata found in Microsoft Office documents. Included with CeWL is a “Files Already Bagged” (FAB) tool that processes files already acquired. Metadata is also helpful in social engineering attacks. Knowing the five different authors of a document, an attacker can “drop names” via the phone to make his scheme seem more credible. Similarly, location information contained in photos could be mentioned, making the calls seem more legit. Spear-phishing email could target all of the authors who worked on one particular document. Knowing which version of software was used to create the file, an attacker could also email client-side exploits to individuals who use particularly vulnerable versions of Microsoft Word or PowerPoint. Metadata can also help with physical theft. For example, users may post images to Flickr or Twitter from a phone that enables geotagging. This information can give attackers the location of a target’s home or business, and where he might be on a daily basis. Similarly, the MAC address of the system can indicate the type of hardware used, making it easier to identify mobile workers who are likely to have laptops that are kept in places where they might be easy to steal.

MASSACHUSETTS EXTENDS COMPLIANCE DEADLINE ON DATA SECURITY RULES - AGAIN (ComputerWorld, 13 Feb 2009) - For the second time in three months, Massachusetts officials have pushed back the deadline for companies to comply with a controversial set of data security regulations that the state announced last September. In addition to the deadline extension, which was announced late yesterday, the state’s Office of Consumer Affairs and Business Regulation (OCABR) also revised a key provision in the regulations that had prompted considerable concern within the business community both inside and outside of Massachusetts. Under the new deadline, businesses now have until the start of next year to comply with the regulations, which are aimed at protecting the personal data of Massachusetts residents. Prior to the extension, the compliance deadline was May 1. That date was set in November, when the OCABR extended its original deadline of Jan. 1. In a statement yesterday, OCABR undersecretary Daniel Crane said that given the importance of the data-protection mandate, state officials decided it was necessary to give companies more time to make the necessary changes to their systems and business processes. Crane also cited the economic recession.

NINTH CIRCUIT MAKES IT MORE DIFFICULT FOR INDIVIDUALS TO CHALLENGE GOVERNMENT SEARCHES OF THE WORKPLACE (Steptoe & Johnson’s E-Commerce Law Week, 14 Feb 2009) - A ruling handed down by the Ninth Circuit early this month could make it more difficult for a business owner or employee to challenge a government search of her workplace and its computers. In United States v. SDI Future Health, Inc., the Ninth Circuit ruled that, “except in the case of a small, family-run business over which an individual exercises daily management and control, an individual challenging a search of workplace areas beyond his own internal office must generally show some personal connection to the places searched and the materials seized.” The dispute in this case centered around a warrant the government was granted to search the offices and computers of SDI Future Health for evidence that it had engaged in Medicare fraud. Based on evidence seized during its search, the government won an indictment against SDI, its president and part-owner Todd Kaplan, and SDI officer and part-owner Jack Brunk. A district court granted the defendants’ motion to suppress evidence obtained using the search warrant on the ground that the warrant was vague and overbroad. On appeal, the Ninth Circuit agreed that some portions of the warrant were overbroad, but held that the district court had not properly established that Kaplan and Brunk had standing to challenge the search. Decision here:

AS DATA COLLECTING GROWS, PRIVACY ERODES (New York Times, 16 Feb 2009) – There are plenty of people who can muster outrage at Alex Rodriguez, the Yankees third baseman who is the latest example of win-at-any-cost athletes. But I’d prefer to see him as at the cutting edge of another scourge — the growing encroachment on privacy. The way Mr. Rodriguez’s positive steroid test result became public followed a path increasingly common in the computer age: third-party data collection. We are typically told that personal information is anonymously tracked for one reason — usually something abstract like making search results more accurate, recommending book titles or speeding traffic through the toll booths on the thruways. But it is then quickly converted into something traceable to an individual, and potentially life-changing. In Mr. Rodriguez’s case, he participated in a 2003 survey of steroid use among Major League Baseball players. No names were to be revealed. Instead, the results were supposed to be used in aggregation — to determine if more than 5 percent of players were cheating — and the samples were then to be destroyed. It is odd that most of the news coverage described the tests as “anonymous.” If the tests were truly anonymous, of course, Mr. Rodriguez would still be thought of as a clean player — as he long had insisted he was. But when federal prosecutors came calling, as part of a steroid distribution case, it turned out that the “anonymous” samples suddenly had clear labels on them. As a friend put it in an e-mail message: “Privacy is serious. It is serious the moment the data gets collected, not the moment it is released.” To Jonathan Zittrain, a professor of Internet law at Harvard, there is an obvious explanation for this kind of repurposing of information — there is so much information out there. Supply creates demand, he argues. “This is a broader truth about the law,” he writes in an e-mail message. “There are often no requirements to keep records, but if they’re kept, they’re fair game for a subpoena.” And we are presented with what Professor Zittrain calls the “deadbeat dad” problem. There are government investigators, divorcing spouses, even journalists, who have found creative ways to exploit the material. “So many databases,” he writes, “as simple as highway toll collection records or postal service address changes, lend themselves to other uses, such as finding parents behind on their child support payments.” Perhaps a more direct explanation is that data collection is part of what Cindy Cohn, the legal director of the Electronic Frontier Foundation, calls “the surveillance business model.” That is, there is money to be made from knowing your customers well — with a depth unimaginable before Internet cookies allowed companies to track obsessively online behavior.

FACEBOOK’S USERS ASK WHO OWNS INFORMATION (New York Times, 16 Feb 2009) - Reacting to an online swell of suspicion about changes to Facebook’s terms of service, the company’s chief executive moved to reassure users on Monday that the users, not the Web site, “own and control their information.” The online exchanges reflected the uneasy and evolving balance between sharing information and retaining control over that information on the Internet. The subject arose when a consumer advocate’s blog shined an unflattering light onto the pages of legal language that many users accept without reading when they use a Web site. The pages, called terms of service, generally outline appropriate conduct and grant a license to companies to store users’ data. Unknown to many users, the terms frequently give broad power to Web site operators. This month, when Facebook updated its terms, it deleted a provision that said users could remove their content at any time, at which time the license would expire. Further, it added new language that said Facebook would retain users’ content and licenses after an account was terminated. Mark Zuckerberg, the chief executive of Facebook, said in a blog post on Monday that the philosophy “that people own their information and control who they share it with has remained constant.” Despite the complaints, he did not indicate the language would be revised. The changes in the terms of service had gone mostly unnoticed until Sunday, when the blog Consumerist cited them and interpreted them to mean that “anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later.” Given the widespread popularity of Facebook — by some measurements the most popular social network with 175 million active users worldwide — that claim attracted attention immediately. The blog post by Consumerist, part of the advocacy group Consumers Union, received more than 300,000 views. Users created Facebook groups to oppose the changes. To some of the thousands who commented online, the changes meant: “Facebook owns you.” Facebook moved swiftly to say it was not claiming to own the material that users upload. It said the terms had been updated to better reflect user behavior — for instance, to acknowledge that when a user deletes an account, any comments the user had posted on a page remain visible. Consumerist blog posting here:

- and -

FACEBOOK BACKTRACKS ON TERMS OF USE AFTER PROTESTS (, 18 Feb 2009) - In an about-face following a torrent of online protests, Facebook is backing off a change in its user policies while it figures out how best to resolve questions like who controls the information shared on the social networking site. The site, which boasts 175 million users from around the world, had quietly updated its terms of use -- its governing document -- a couple of weeks ago. The changes sparked an uproar after a popular consumer rights advocacy blog pointed them out on Sunday, in a post titled “Facebook’s New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’” Facebook has since sought to reassure its users -- tens of thousands of whom had joined protest groups on the site -- that this is not the case. And on Wednesday morning, users who logged on to Facebook were greeted by a message saying that the site is reverting to its previous terms of use while it resolves the issues raised. Facebook spelled out, in plain English rather than the legalese that prompted the protests, that it “doesn’t claim rights to any of your photos or other content. We need a license in order to help you share information with your friends, but we don’t claim to own your information.” Jonathan Zittrain’s musings on all this: [Editor: at a Berkman lunch last week, a notable observed that nobody reads terms-of-service. In acting as our watchdog, the Consumerist, and like organizations, serve an important public service.]

- and -

FACEBOOK OPENS GOVERNANCE OF SERVICE AND POLICY PROCESS TO USERS (Facebook PR, 26 Feb 2009) - Facebook today announced a new approach to site governance that offers its users around the world an unprecedented role in determining the future policies governing the service. Facebook released the first proposals subject to these new procedures – The Facebook Principles, a set of values that will guide the development of the service, and Statement of Rights and Responsibilities that make clear Facebook’s and users’ commitments related to the service. Over the coming weeks, users will have the opportunity to review, comment and vote on these documents. An update to the Privacy Policy is also planned and this change will be subject to similar input. “As people share more information on services like Facebook, a new relationship is created between Internet companies and the people they serve,” said Mark Zuckerberg, founder and CEO of Facebook. “The past week reminded us that users feel a real sense of ownership over Facebook itself, not just the information they share.” “Companies like ours need to develop new models of governance,” Zuckerberg added. “Rather than simply reissue a new Terms of Use, the changes we’re announcing today are designed to open up Facebook so that users can participate meaningfully in our policies and our future.”

LET MY BOARD AND ME BECOME AS ONE: THE WII BALANCE BOARD/GOOGLE EARTH MASHUP (, 17 Feb 2009) - With just a touch smoother scrolling (chalked up, surely, to the program itself), this could feel amazing: Germany’s Research Center for Artificial Intelligence has hacked together a Wii balance board with Google Earth to go surfing, as Kottke says, “like the Silver Surfer.”
Or, if you please, the same interaction can be used in Second Life, or -- as made the rounds earlier last year -- World of Warcraft’s Azeroth, but there’s nothing better than their tour-glide over Munich from 300 feet. [Editor: pretty cool demo video. Even cooler is Johnny Lee’s Wii-3D headtracking demo from 21 December 2007 out of CMU:]

VISUAL COMPUTER FORENSIC ANALYSIS (, 17 Feb 2009) - Computer forensics is a slow process. Examiners typically embark on a tedious file review process to determine each file’s relevance to a particular case. This can quickly add hours and extra costs to computer forensics. However, recent research presented at the Black Hat 2008 conference in Las Vegas may curb that trend. Researchers Greg Conti and Erik Dean from the United States Military Academy, West Point, adapted a new concept to computer forensics: visualization. The researchers demonstrated how visual computer forensic methods can dramatically reduce the time it takes to review files. To understand the benefits of visual forensic analysis, one must understand the state of the art in computer forensic analysis. A typical computer investigation requires an individual analysis of each file on a computer system. Some files can easily be ruled out by matching them to known files that have already been analyzed, such as system files. Unfortunately, the hundreds of thousands of files remaining must be analyzed by an examiner. A typical file examination requires that the file be examined in its native application (or a suitable viewer). Therefore, examination of one file can be different from the examination of another. For example, a JPEG file is loaded into an image viewer. A Microsoft Word document is loaded into its associated viewer instead of an image viewer. An executable (program or application) file can be examined with a disassembler or debugger. And a pure binary file can be viewed with a hexadecimal viewer. The process above begins to break down when the examiner analyzes a file type that he or she cannot readily determine or identify. There are some ways an examiner can attempt to determine a file’s type, such as signature analysis or an educated guess based on the file extension. But neither of these approaches guarantees the correct answer the first time.
Visual computer forensics lends a hand with this problem. By loading the unknown file into the free visual forensics tools developed by Conti and Dean, an unknown file can be identified by the way its data looks. This differs from the standard matching techniques in use today, which compare a few bytes at the beginning and end of a file with the known values for known file types. Structured files, such as Internet browsing history files, tend to have discrete structures within their contents, while compressed or encrypted files have high levels of entropy because of how compression and encryption algorithms work. The visualized contents of compressed or encrypted files tend to look random when compared with uncompressed or unencrypted files. The article’s screenshots show the difference between structured files and compressed/encrypted files when viewed with a visual computer forensics tool developed by Conti and Dean. [Editor: there’s much more.]

CVS CAREMARK SETTLES FTC CHARGES: FAILED TO PROTECT MEDICAL AND FINANCIAL PRIVACY OF CUSTOMERS AND EMPLOYEES; CVS PHARMACY ALSO PAYS $2.25 MILLION TO SETTLE ALLEGATIONS OF HIPAA VIOLATIONS (FTC, 18 Feb 2009) - CVS Caremark has agreed to settle Federal Trade Commission charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company’s pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA). The FTC’s complaint charges that CVS Caremark failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws. In particular, according to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

DHS NAMES CHIEF PRIVACY OFFICER (CNET, 19 Feb 2009) - U.S. Homeland Security Secretary Janet Napolitano announced on Thursday she is appointing attorney Mary Ellen Callahan as the department’s chief privacy officer. “Homeland security and privacy are not mutually exclusive, and having a seasoned professional like Mary Ellen on the team further ensures that privacy is built in to everything we do,” Napolitano said. “Our Privacy Office is viewed as a leader in the federal government in public outreach and as model for Privacy Impact Assessments. I look forward to the skill and experience Mary Ellen will bring to this robust and important office.” Callahan currently serves as a partner at the law firm Hogan & Hartson, where she counsels online companies, trade associations, and other corporations on antitrust, e-commerce, and privacy-related issues. She has helped companies draft their Web site privacy policies and terms of use and counsels corporations on developing legally compliant e-mail marketing campaigns.

SURPRISE: AMERICA IS NO. 1 IN BROADBAND (New York Times, 23 Feb 2009) - There is a constant refrain that the United States is falling behind in broadband, as if the speed of Internet service in Seoul represents a new Sputnik that is a challenge to national security. It’s certainly true that in some countries, like South Korea, far more homes have broadband connections than in the United States. And the speeds in some countries are far higher than is typical here. But there are many ways to measure the bandwidth wealth of nations. At the Columbia/Georgetown seminar on the broadband stimulus yesterday, I heard Leonard Waverman, the dean of the Haskayne School of Business at the University of Calgary, describe a measure he developed called the “Connectivity Scorecard.” It’s meant to compare countries on the extent that consumers, businesses and government put communication technology to economically productive use. Even after deducting the untold unproductive hours spent on Facebook and YouTube, the United States comes out on top in Mr. Waverman’s ranking of 25 developed countries. The biggest reason is that business in the United States has made extensive use of computers and the Internet and it has a technically skilled work force. Also, as dusty as your local motor vehicle office may seem, government use of communications technology is as good in the United States as anywhere in the world, according to Mr. Waverman’s rankings. After the United States, the ranking found that Sweden, Denmark, the Netherlands, and Norway rounded out the five most productive users of connectivity. Japan ranked 10, and Korea, 18. And while wired and wireless broadband networks used by consumers lagged other countries, the United States ranked No. 1 in the world for technology use and skills by consumers. 
(This was measured by comparing countries on five measures: The penetration of Internet use, penetration of Internet banking, wired and wireless voice minutes per capita, SMS messages per capita, and consumer software spending.) Report here:

EXITING WORKERS TAKING CONFIDENTIAL DATA WITH THEM (CNET, 23 Feb 2009) - As layoffs continue apace, a survey released on Monday shows what many companies fear--exiting workers are taking a lot more with them than just their personal plants and paperweights. Of about 950 people who said they had lost or left their jobs during the last 12 months, nearly 60 percent admitted to taking confidential company information with them, including customer contact lists and other data that could potentially end up in the hands of a competitor for the employee’s next job stint. “I don’t think these people see themselves as being thieves or as stealing,” said Larry Ponemon, founder of the Ponemon Institute, which conducted the online survey last month. “They feel they have a right to the information because they created it or it is useful to them and not useful to the employer.” The survey also found a correlation between people who took data they shouldn’t have taken and their attitude towards the company they are leaving. More than 60 percent of those who stole confidential data also reported having an unfavorable view of the company. And nearly 80 percent said they took it without the employer’s permission. Most of the data takers (53 percent) said they downloaded the information onto a CD or DVD, while 42 percent put it on a USB drive and 38 percent sent it as attachments via e-mail, according to the survey. The survey also found that many companies seem to be lax in protecting against data theft during layoffs. Eighty-two percent of the respondents said their employers did not perform an audit or review of documents before the employee headed out the door and 24 percent said they still had access to the corporate network after leaving the building.

CYBERSECURITY AUDIT GUIDELINES RECOMMENDED (FCW, 23 Feb 2009) - A group of cybersecurity experts today recommended twenty specific security controls that the government and industry should deploy to block or lessen the consequences of cyberattacks that come from inside and outside threats. The recommended controls are meant to provide a standard baseline for measuring computer security. The recommendations, the Consensus Audit Guidelines, were agreed to by federal and private industry cybersecurity officials and are based on specific experiences in dealing with particular attacks directed at government and the defense industrial base’s information systems. The group also detailed the types of cyberattacks that each recommended security control could thwart, how each control could be implemented, and how to evaluate its effectiveness. Alan Paller, the director of research at the SANS Institute who worked on the guidelines, said the strategy is significant because it has specific actions for agencies to take and a way to measure their effectiveness, something he said the Government Accountability Office has been requesting. He said the project, started in early 2008, was inspired by the realization that the defense industrial base’s systems had been deeply penetrated. CAG/guidelines here: [Editor: this may be a very big deal – the CAG potentially will become “best-practice” and de facto requirements.]

LISTEN UP AND DISCOVER AUDIO RECORDINGS (, 25 Feb 2009) - As most IT professionals already know, courtesy of the Federal Rules of Civil Procedure Rule 34(a), audio files are now fully discoverable. This has led many IT professionals to create and implement procedures that will record and store telephonic conversations and other electronic interactions originating from and connected to their company client orders. These new protocols specifically address sound content from call desks, trading desks, phone systems and, of course, VoIP. IT professionals have enacted these procedures in an effort to keep up with one of the newest trends in mainstream e-discovery: sound recordings. The necessity for IT professionals to haul audio recordings into their general e-discovery process is gaining awareness because of situations that may -- at first glance -- appear harmless. Think about scenarios where a company employee is having a phone dialogue with a customer and at the same time sending e-mails to another. This may seem innocuous on the surface; the two interactions seem separate and unconnected with no suggestion of any illegality. However, if one pays attention to the audio in the milieu of the e-mail exchange, it may paint an absolutely different picture. In reality, the entire picture may demonstrate that the company employee was using the data received from the person with whom he or she was exchanging instant messages or e-mails to his or her advantage when speaking with the other customer on the phone. Nevertheless, connecting these two actions together is nearly impossible via conducting a discovery of solely written messages. IT professionals are now tasked with bridging this gap by creating an integrated business information system that will account for all business written and audio content. Failure by IT professionals to enact such an integrated data management system can be fatal. 
The absence of a viable, synchronized information protocol results in businesses pursuing various recording discovery procedures that are distinct from the ordinary chain of custody mandate. Consequently, sound recordings and e-mails are not tagged in a similar fashion, and there is no method to directly connect them to one another. Furthermore, the ability to fashion a timeline as to when these exchanges happened becomes more complicated for IT professionals to generate. This in turn leaves in-house counsel at a palpable loss and incapable of viewing the interconnectedness between the diverse messages.

TEN STEPS FOR MITIGATING DATA RISK DURING A MERGER (InfoWorld, 25 Feb 2009) - Merger and acquisition activity stands to increase as global markets struggle to stay afloat during the worst economic slowdown in decades. What will you do when you find out you’re about to acquire or consolidate with another firm or division? Are you aware of the risks you may be inheriting? What data is going to demand the highest availability? What IT regulations will you have to address and how do you know if existing controls already address them? Below are 10 “data health” checks a CIO can conduct to answer these questions before giving a green light to a merger, acquisition, or consolidation.
Step one: Assess your data. From a data perspective, the first step needs to be an assessment of the independent data assets of each organization participating in the merger. If you do not know what data exists before the acquisition, gaining this understanding after combining the data, if it can be combined at all, will be extremely difficult. The task at hand will be simpler if both organizations practiced strong data governance. This is rarely the case, though.
Step two: Plug the governance gaps. After completing an honest assessment of where each organization stands in terms of data governance, the next step needs to be plugging the gaps. Work toward creating a definition of data that is not well understood or undocumented. Do not turn this into a long process; define what data you have and where it is stored. Consider using tools like data dictionaries and repositories and consult the subject matter experts (business users, programmers, data architects, etc.) at each organization for this information.
Step three: Leverage the M&A for governance improvements. Use the acquisition as a springboard for instituting new or stronger data governance policies and procedures. Lack of insight into important business data can be a strong motivational tool for implementing improved data management practices.

POSTING YOUTUBE VIDEO WITHOUT SUBJECTS’ CONSENT DRAWS FINE FROM SPANISH DPA (Steptoe & Johnson’s E-Commerce Law Week, 26 Feb 2009) - The Spanish Data Protection Agency (DPA) recently ruled that individuals who post pictures or videos of “identifiable persons” without the consent of those photographed or filmed face liability under Spain’s Law 15/1999, On the Protection of Personal Data (LOPD). The Spanish DPA held that, by posting a video of several youths taunting an allegedly paranoid schizophrenic individual to YouTube without the consent of those depicted, an individual identified as “Mr. R.R.R.” committed a “serious” violation of the LOPD. While such violations are punishable by more than € 60,000 in fines, the Spanish DPA chose to impose a reduced penalty of € 1,500, stressing that the poster of the video had promptly removed it of his own accord after it was reported on by the news media. But even this diminished fine could scare Spanish users away from posting images or movies to social networking and other public websites, potentially cutting off the flow of the user-generated content on which these websites depend.

OBAMA ADMINISTRATION SUPPORTS TELCO SPY IMMUNITY (Wired, 26 Feb 2009) - The Obama administration vigorously defended congressional legislation late Wednesday that immunizes U.S. telecommunication companies from lawsuits about their participation in the Bush administration’s domestic spy program. It was the first time the Obama administration weighed in on a federal court challenge questioning the legality of the legislation President Barack Obama voted for as an Illinois senator in July. “Accordingly, the court should now promptly dismiss these actions,” the Justice Department wrote U.S. District Judge Vaughn Walker of San Francisco late Wednesday. Obama opposed immunity but voted for it because it was included in a new spy bill that gave the U.S. presidency broad, warrantless-surveillance powers. Justice Department spokesman Matthew Miller said in a statement that the immunity bill “is the law of the land, and as such the Department of Justice defends it in court.” DOJ letter here:

JUDGE ORDERS DEFENDANT TO DECRYPT PGP-PROTECTED LAPTOP (CNET, 26 Feb 2009) - A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age. In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted. “Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,” Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested. Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment. At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is “testimonial,” meaning that it triggers Fifth Amendment protections.

**** LOOKING BACK ****
U.S. AGENCIES EARN D-PLUS ON COMPUTER SECURITY (, 16 Feb 2005) -- The overall security of computer systems inside the largest U.S. government agencies improved marginally since last year but still merits only a D-plus on the latest progress report from Congress. The departments of Transportation, Justice and the Interior made remarkable improvements, according to the rankings, which were compiled by the House Government Reform Committee and based on reports from each agency’s inspector general. But seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country’s computer networks. ``Several agencies continue to receive failing grades, and that’s unacceptable,” said Rep. Tom Davis, R-Va., the committee’s chairman. ``We’re also seeing some exceptional turnarounds.” Davis said troubling areas included lax security at federal contractor computers, which could be used to break into government systems; a lack of contingency plans for broad system failures and little training available for employees responsible for security. The Transportation Department improved from a D-plus to an A-minus; the Interior Department, which failed last year, improved to a C-plus; and the Justice Department rose from a failing grade to B-minus. The poor grades effectively dampen efforts by U.S. policy makers to impose new laws or regulations to compel private companies and organizations to enhance their own security. Industry groups have argued that the government needs to improve its own computer security before requiring businesses to make such changes.

NEW ERA OF COMPUTING: THE OPPORTUNITIES AND CHALLENGES OF CLOUD-BASED SOFTWARE AND SERVICES (Berkman Center, 17 Feb 2009; Lisa Tanzi of Microsoft) - The IT industry is at the cusp of a new era of computing - one in which cloud computing will play a central role. Lisa will highlight key innovations that are driving this new computing era, the essential roles of cloud computing and software (i.e. software + services) in it, and the benefits it will provide. She will also focus on several legal and policy issues that industry and governments will need to grapple with in this new era, including the movement of data across borders (and associated privacy and law enforcement issues), security of information, and the application of traditional telecommunications rules in a world where computing and communications technologies are converging. [Editor: illustrates that even Microsoft can’t solve the associated jurisdictional issues; does do a good job of illuminating the problems; recommended for those of you who represent multinational entities.] … See also …

REPORT CITES POTENTIAL PRIVACY GOTCHAS IN CLOUD COMPUTING (Computerworld, 25 Feb 2009) - Companies looking to reduce their IT costs and complexity by tapping into cloud computing services should first make sure that they won’t be stepping on any privacy land mines in the process, according to a report released this week by the World Privacy Forum. The report runs counter to comments made last week at an IDC cloud computing forum, where speakers described concerns about data security in cloud environments as overblown and “emotional.” But the World Privacy Forum contends that while cloud-based application services offer benefits to companies, they also raise several issues that could pose significant risks to data privacy and confidentiality.

************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, February 07, 2009

MIRLN --- 18 January - 7 February 2009 (v12.02)

**** NEWS ****

IT SECURITY RISKS DISMISSED BY BOARDS, CMU SURVEY FINDS (, 4 Dec 2008) - A report released this week by Carnegie Mellon University’s CyLab, illustrates the wide gap between boards of directors and those responsible for information security in the enterprise, in particular where board members who still aren’t clear on the link between IT risk and a company’s overall risk posture. CyLab’s Governance of Enterprise Security report was based on data collected by the National Association of Corporate Directors for its 2008 Public Company Governance Survey. The survey was taken by 703 sitting directors of U.S. public companies, primarily audit, compensation and governance professionals. The conclusions aren’t encouraging for CISOs who are desperate to be heard by boards and senior management. Directors and officers still aren’t devoting resources or attention to the business-critical implications of faulty information security processes. And with a recession in full swing, board members’ attention is further diverted. A little more than a third of the respondents believe overall enterprise risk is a critical governance issue, well behind other issues such as board leadership, CEO relations, evaluation and succession plans, and board culture. Thirty-six percent of those surveyed said boards have a direct involvement in the oversight of information security, and of the 47% of respondents that have formalized enterprise risk management plans, only two-thirds include IT risks in those plans. “That disconnect of risk management plans not including IT risk is eye-opening. [Boards] don’t understand that the majority of their operations rely on technology,” said report co-author Jody Westby, CEO of Global Cyber Risk LLC and an Adjunct Distinguished Fellow at CyLab. 
“They don’t understand that if the Internet or communications goes down, or if there’s a sustained attack, they’re out of business.” Boards still labor under the thinking that security is primarily a technology issue and leave security issues to IT, the report concludes. Noteworthy findings include:
• 38% of the respondents said boards occasionally or rarely review privacy, security or risk management budgets (40% said they never do).
• 55% said boards occasionally or rarely approve roles and responsibilities for privacy officers (28% never do).
• 56% occasionally or rarely review top-level security and privacy policies (23% never do).
• 62% occasionally or rarely receive reports from senior management on risk (15% never do).

- and -

CYBER THIEVES HACKED HEARTLAND’S CREDIT CARD SYSTEM (Topnews, 21 Jan 2009) - United States cardholders were shocked on Tuesday when credit-card processor Heartland Payment Systems disclosed that cyber thieves broke into its systems in 2008 and stole credit card information. Heartland Payment Systems divulged that cyber thieves hacked into the computers that were used to process 100 million payment card transactions per month for 175,000 merchants. In an interview, Heartland’s president and CFO, Robert Baldwin, said, “Intruders had access to Heartland’s system for longer than weeks in late 2008.” “The number of victims is unknown. We just don’t have the information right now,” he said. According to the company, Visa and MasterCard alerted it to suspicious activity linked with processed card transactions. It started an investigation, which revealed software that compromised data crossing Heartland’s network. Mr. Baldwin said, “We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands.” According to the company, several steps were immediately taken to secure its systems, and a website - www.2008breach.com - was created to provide information about the incident.

- and -

HEARTLAND BREACH RAISES QUESTIONS ABOUT PCI STANDARD’S EFFECTIVENESS (NetworkWorld, 22 Jan 2009) - It’s not yet known if Heartland Payment Systems’ newly disclosed data breach will count as the largest card heist ever. But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn’t sufficient to ensure cardholder data is safeguarded. “Billions is being spent on PCI compliance, but it isn’t really working,” says Gartner analyst Avivah Litan. “PCI’s dirty little secret is that it doesn’t mandate encryption inside a private network because then all the processors would have to encrypt.” Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered, in which cyber-criminals tapped into a monthly stream of 100 million debit and credit cards for several months using malware installed on processing computers. But Litan notes the complex interconnections among payment-card processors, merchants and banks would make point-to-point encryption extremely unwieldy. End-to-end application-level encryption might be more feasible where card data is originated. The irony, Litan says, is that some retailers today do encrypt data in motion inside their private store networks (even though it’s not mandated by the PCI standard) and they have to decrypt it before they send it to their processors. Heartland was compliant with PCI, certified by PCI assessor Trustwave in April, but PCI compliance isn’t stopping the wave of attacks against payment processors, Litan notes. She points out that the PCI standard does include a requirement for file-integrity checking at least weekly, so something may have broken down in that area that allowed the malware to remain unnoticed for so long.

- and -

DATA BREACH COSTS ROSE SIGNIFICANTLY IN 2008, PONEMON STUDY SAYS (DarkReading, 2 Feb 2008) - The cost of data breaches is on the rise, and businesses that experience them are losing customers as a result, according to a new study issued today. In an update to its popular annual “U.S. Cost of a Data Breach Study,” Ponemon Institute and PGP have published a new report that indicates many of the cost factors surrounding security incidents have risen in the past 12 months. “After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach,” says Larry Ponemon, chairman and founder of The Ponemon Institute. “As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy.” The average cost of a data breach in 2008 grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record), according to the study. The average total cost per reporting company was more than $6.6 million per breach -- up from $6.3 million in 2007 and $4.7 million in 2006 -- and ranged from $613,000 to almost $32 million. The cost of lost business continued to be the most costly effect of a breach, averaging $4.59 million, or $139 per record compromised, the study says. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study. In 2008, the average abnormal customer churn rate resulting from a data breach was 3.6 percent, an increase from 2.67 percent in 2007 and 2.01 percent in 2006. Between 2005 and 2008, this one cost component grew by more than $64 on a per victim basis -- a 38 percent increase, the study says. “The cost of customer churn is the largest cost,” Ponemon says. “Yet many organizations fail to consider or measure this important economic loss.” Healthcare and financial service companies have the highest average rate of churn -- 6.5 percent and 5.5 percent, respectively, according to the study. “High churn rates reflect the fact that these industries manage and collect consumers’ most sensitive data,” it says. The average cost of a healthcare breach ($282 per record) is more than twice that of an average retail breach ($131). More than 88 percent of all breaches in 2008 involved incidents resulting from insider negligence, according to the study. The cost of these incidents is lower than the cost of malicious attacks: Per-victim cost for data breaches involving negligence was $199 per record, compared to $225 per record for malicious acts. Breaches by third-party organizations -- such as outsourcers, contractors, consultants, and business partners -- were reported by 44 percent of respondents, up from 40 percent in 2007, 29 percent in 2006, and 21 percent in 2005. Per-victim cost for third-party incidents is $52 higher -- $231 vs. $179 -- than insider-caused breaches, the study says. Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches, according to the report. Per-victim cost for a first time data breach is $243 vs. $192 for experienced companies, Ponemon says. More than 84 percent of all cases in this year’s study involved organizations that had experienced more than one major data breach.

POPULAR CHINESE FILTERING CIRCUMVENTION TOOLS DYNAWEB FREEGATE, GPASS, AND FIREPHOENIX SELL USER DATA (Hal Roberts, Berkman Center, 9 Jan 2009) - Update: The site hosting the data for these tools has now removed the FAQ entry offering to sell the data. Please read my subsequent update for responses from the tool developers and further thoughts. Three of the circumvention tools — DynaWeb FreeGate, GPass, and FirePhoenix — used most widely to get around China’s Great Firewall are tracking and selling the individual web browsing histories of their users. Data about aggregate usage of users of the tools is published freely. You can see, for example, that the three sites most visited by users of these circumvention tools are,, and Aggregate data like this is a terrific resource for those of us interested in researching circumvention tool usage, and not much of a privacy risk for the circumventing users if it is only stored (as well as displayed) in the aggregate. But the ranking site also advertises a pay service through which you can get not only much more data, but data about individual users. The site’s FAQ states:
Q: I am interested in more detailed and in-depth visit data. Are they available?
A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.
So they are happy to provide you with specific user data, but only if you double super promise not to share it and only if they really like you. It’s hard to state how dangerous this practice is. These tools are acting as virtual ISPs for millions of users. All circumvention tools work by proxying the data of their users through some third machine, so all circumventing traffic is going through that third party machine. Selling the browsing histories of those users is like an ISP selling the browsing histories of its users, which is a big step beyond what companies like NebuAd and Phorm were / are trying to do. NebuAd and Phorm are at least adding a variety of pseudonymity and privacy layers to their tracking, whereas dynaweb et al. are evidently directly storing (and selling) the full, individually identifiable browsing histories of their users. And the data about circumventing users is much more sensitive than the data about most ISP users. These are the histories of users browsing sites that are not only blocked (and therefore mostly sensitive in one way or another) but blocked by an authoritarian country with an active policy and practice of persecuting dissidents.

COURT RULES THAT ‘METADATA’ AREN’T PUBLIC RECORDS (Arizona Central, 13 Jan 2009) - A divided Arizona appellate court ruled Tuesday that hidden electronic data that indicates how and when documents are produced with word processing computer programs aren’t themselves public records. The three-judge Court of Appeals panel’s majority opinion rejected part of a Phoenix police officer’s public-records request that sought “metadata” for notes written by one of the officer’s supervisors. Metadata is data embedded in documents to track authors, when something was saved and what changes were made. It isn’t visible when a document is printed on paper nor does it appear on screen in normal settings. The officer said he wanted the metadata to see if the supervisor had backdated the notes.

LEGAL DOWNLOADS SWAMPED BY PIRACY (BBC, 16 Jan 2009) - Ninety-five per cent of music downloaded online is illegal, a report by the International Federation of the Phonographic Industry (IFPI) has said. The global music trade body said this is its biggest challenge as artists and record companies miss out on payments. There has, however, been a 25% rise since last year with downloads now accounting for a fifth of all recorded music sales. The IFPI said worldwide music market revenues shrank by 7% last year.

FAKE REVIEWS PROMPT BELKIN APOLOGY (CNET, 19 Jan 2009) - Fake positive reviews of Belkin products were actively solicited by one of its employees, the company admitted on Sunday. Belkin, a networking and peripheral manufacturer, apologized for the worker’s actions, which sought to artificially boost Belkin’s status on Amazon while denigrating existing bad reviews. On Friday, The Daily Background Web site revealed how someone, apparently Belkin business development representative Mark Bayard, had used the Mechanical Turk service to ask users to write positive reviews of a Belkin product at a rate of 65 cents per review. The requests made it clear that writers need have no experience of, nor even own, the product in question. Mechanical Turk is an online clearing-house for small jobs that cannot be done by machine, such as writing product descriptions. It is, coincidentally, run by Amazon. In a letter posted on the company’s Web site on Sunday, Belkin President Mark Reynoso said the solicitations had been “an isolated incident.” “It was with great surprise and dismay when we discovered that one of our employees may have posted a number of queries on the Amazon Mechanical Turk Web site inviting users to post positive reviews of Belkin products in exchange for payment,” Reynoso wrote. “Belkin does not participate in, nor does it endorse, unethical practices like this. We know that people look to online user reviews for unbiased opinions from fellow users and instances like this challenge the implicit trust that is placed in this interaction. We regard our responsibility to our user community as sacred, and we are extremely sorry that this happened.”

LAWSUIT AGAINST AOL CLEARS HURDLE AFTER ‘CHERNOBYL OF THE INTERNET’ (Chicago Sun Times, 20 Jan 2009) - Thousands of California residents can sue AOL in their home state for invasion of privacy despite agreements they signed requiring all legal disputes to go before “courts of Virginia” and be guided by Virginia law. A federal appellate court on Friday cleared a path for a class-action lawsuit to proceed against AOL. On July 31, 2006, AOL (formerly America Online) placed on a public Web site 20 million search inquiries by 658,000 of its members over a three-month period. A broad protest erupted in cyberspace, with one blogger describing the incident as the “Chernobyl of the Internet,” in reference to a disastrous 1986 nuclear accident in the former Soviet Union. The data included addresses, phone numbers, credit-card numbers, Social Security numbers, passwords and other personal information. The suit, which followed less than two months after the incident, was filed in Oakland federal court, alleging violations of federal electronic privacy law and, on behalf of the California subset, state law requiring businesses to protect customers’ personal information. It seeks an unspecified amount of monetary damages. AOL, a unit of media conglomerate Time Warner Inc. and one of the largest access businesses in the United States, persuaded U.S. District Judge Saundra B. Armstrong to throw the suit out because of the clause in the membership agreements mandating that legal disputes go before a Virginia court, where class actions are not allowed. (Until its recent move to New York, AOL was based in Dulles, Va.) But on Friday, a three-judge panel of the San Francisco-based 9th U.S. Circuit Court of Appeals reversed that decision for the as-yet-undetermined number of California residents who are part of the class and sent it back to Armstrong for further proceedings. Citing a 1972 U.S. Supreme Court opinion and a 2001 California court of appeal decision, the circuit panel ruled that “enforcement of the forum selection clause violates the (California) Consumer Legal Remedies Act,” and is unenforceable against California residents. The state’s public policy would be violated if its residents were forced to waive their rights to a class action and remedies available under California consumer law, the panel declared. In the public posting, AOL user names were changed to numbers, but the ability to analyze all searches by a single user often made it easy to identify the user, the panel noted.,w-aol-lawsuit-privacy012009.article

FISA APPEALS COURT UPHOLDS WARRANTLESS WIRETAPS (Steptoe & Johnson’s E-Commerce Law Week, 22 Jan 2009) - In a rare decision handed down in August but released on January 15, the Foreign Intelligence Surveillance Court of Review ruled that an order requiring a communications service provider to assist in warrantless surveillance of persons “reasonably believed” to be outside the United States did not violate the Fourth Amendment. The order was issued under a stop-gap amendment to the Foreign Intelligence Surveillance Act (FISA) known as the Protect America Act (PAA) of 2007. But the court’s broad reasoning would clearly result in upholding the warrantless wiretapping authority provided in the permanent amendments to FISA enacted last year, since those amendments provide even greater privacy protections than the temporary PAA. Decision here:

WHITE HOUSE EXEMPTS YOUTUBE FROM PRIVACY RULES (CNET, 22 Jan 2009) - The new Web site for Obama’s White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site’s policies relating to search engine robots, a far more interesting tidbit has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites. The new White House Web site privacy policy promises that the site will not use long-term tracking cookies, complying with a decade-old rule prohibiting such user tracking by federal agencies. However, the privacy policy then reveals that Obama’s legal team has exempted YouTube from this rule (YouTube videos are embedded at various places around the White House Web site). While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama’s home in cyberspace. No other company has been singled out and rewarded with such a waiver. In a blog post back in November, I criticized the Obama transition team’s Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules. Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user’s browser--even for those users who do not click the “play” button. Someone on the Obama legal team seems to have read my previous blog post, as they’ve modified the White House privacy policy to specifically exclude YouTube’s tracking cookies from federal rules that would otherwise prohibit their use: “For videos that are visible on, a ‘persistent cookie’ is set by third party providers when you click to play the video. This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.” Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user’s browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits.
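The distinction the story turns on, a session cookie versus a persistent one set by a third-party embed, can be checked mechanically from the Set-Cookie headers a page load returns. The following is an added example (not White House or YouTube code) that parses those headers, decides persistence from Max-Age or Expires (Max-Age wins, per RFC 6265) and flags cookies whose domain is not the page’s own. The page host “www.example.gov” and all header values are constructed; the domain match uses the RFC 6265 rule without a public-suffix list.

```python
"""Flag persistent third-party cookies set during a page load.

Added example. Input is the host the visitor loaded plus the (resource host,
Set-Cookie header) pairs returned by the page and everything it embedded.
All hosts and header values are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple


@dataclass
class CookieFinding:
    name: str
    domain: str               # effective cookie domain, leading dot removed
    persistent: bool          # outlives the browser session
    third_party: bool         # domain does not match the page the user loaded
    lifetime_seconds: Optional[int]


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-match: identical, or host is a subdomain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, resource_host: str, page_host: str,
                     now: datetime) -> CookieFinding:
    """Classify one Set-Cookie header as seen at time `now`."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # No Domain attribute means a host-only cookie for the setting host.
    domain = attrs.get("domain") or resource_host

    lifetime: Optional[int] = None
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        lifetime = int(attrs["max-age"])          # Max-Age takes precedence
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            lifetime = None                       # unparseable: treat as session

    # A non-positive lifetime deletes the cookie; only a future expiry persists.
    persistent = lifetime is not None and lifetime > 0
    third_party = not domain_match(page_host, domain)
    return CookieFinding(name, domain.lstrip("."), persistent, third_party, lifetime)


def audit(page_host: str, responses: List[Tuple[str, str]],
          now: datetime) -> List[CookieFinding]:
    """Return only the cookies a no-persistent-tracking policy would forbid:
    persistent and set for a domain other than the page's own."""
    findings = [parse_set_cookie(h, host, page_host, now) for host, h in responses]
    return [f for f in findings if f.persistent and f.third_party]


# Constructed stand-ins: the agency host is hypothetical, the headers are not
# captured traffic, and the clock is fixed so results are reproducible.
PAGE_HOST = "www.example.gov"
NOW = datetime(2009, 1, 22, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_RESPONSES = [
    ("www.example.gov", "session=abc123; Path=/; HttpOnly"),
    ("www.youtube.com",
     "VISITOR=xyz; Domain=.youtube.com; Path=/; Expires=Thu, 20 Jan 2011 12:00:00 GMT"),
    ("static.example.gov", "pref=1; Domain=.example.gov; Max-Age=86400"),
    ("www.youtube.com", "tmp=1; Path=/; Max-Age=0"),
]

if __name__ == "__main__":
    for f in audit(PAGE_HOST, CONSTRUCTED_RESPONSES, NOW):
        print(f"{f.name} on {f.domain}: persistent for {f.lifetime_seconds}s, third party")
```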

NEW NATIONAL CYBER ADVISER TO REPORT TO OBAMA (CNET, 22 Jan 2009) - The administration of President Barack Obama will be hiring a new national cyber adviser, according to the agenda for homeland security released on his first full day in office. The Agenda for Homeland Security, released Wednesday, lists goals for defeating terrorism and improving intelligence gathering, as well as for protecting the nation’s information networks and critical infrastructure. The top item under protecting information networks is to strengthen leadership on cyber security by establishing a “position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.” Other items include: supporting an initiative to develop next-generation secure computers and networking for national security applications, and deploying secure hardware and software to protect critical cyber infrastructure; establishing “tough new standards for cyber security and physical resilience;” developing systems to protect trade secrets from being stolen online from U.S. businesses; shutting down “untraceable Internet payment schemes;” and securing personal data stored on government and private systems and requiring companies to disclose data breaches. The homeland security agenda also calls for ensuring that “security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle.”

OBAMA REPORTEDLY GETS A SUPER-ENCRYPTED BLACKBERRY (ABA Journal, 23 Jan 2009) - Barack Obama has apparently won his fight to retain his beloved BlackBerry. An unidentified government agency has added a “super-encryption package” to a standard BlackBerry that the president can use for routine and personal messages, according to The Atlantic’s Marc Ambinder blog. The device is designed to protect Obama from hackers who seek to read his messages or learn his location, explains the National Business Review. The Marc Ambinder article says BlackBerrys aren’t designed for encrypted messages of top-secret status, and it’s not clear if Obama is “getting something new and special.” A device that could do the job, the blog says, is the $3,350 smartphone called Sectera Edge, made by General Dynamics. Earlier this month, Obama said he was in a “scuffle” with his lawyers over keeping his BlackBerry. “I’m still clinging to my BlackBerry,” Obama said in a CNBC interview. “They’re going to pry it out of my hands.” While Obama won his BlackBerry battle, his aides aren’t so lucky. They will have to deal with a ban on instant messaging, Politico reports.

HOW QUICKLY ARE THINGS CHANGING? EBAY SENDS 70 TWEETS DURING ITS EARNINGS CALL (, 23 Jan 2009) - With the coming regulatory reform likely to be a whopper (the House passed the “TARP Reform and Accountability Act” on Wednesday; it’s not expected to go anywhere in the Senate though), I predict a huge host of changes this year beyond those required by law. For example, Corporate America will start catching up with the young folks online (my 14-year old lives for Facebook). Case in point: On Wednesday, eBay’s Richard Brewer-Hay (the guy behind eBay’s “Ink Blog”) sent a total of approximately 70 tweets during an eBay earnings call (it’s hard to pinpoint the exact number; it depends if you count “retweets”). It’s pretty amazing to witness a play-by-play of what is happening during the earnings call. Talk about real-time disclosure! [Editor: read on to catch some concerned commentary.]

NYPD EYES WEB PAGES OF POLICE RECRUITS (NY Post, 23 Jan 2009) - The NYPD is requiring police recruits who have MySpace or Facebook pages to watch as an investigator sifts through their most private postings, The Post has learned. The measure is designed to weed out would-be cops who litter their Web sites with violent or explicit imagery, racist rants and any other material deemed objectionable, a law-enforcement source said. Applicants Processing Division officers are demanding any recruit with an account log on to their pages, even if those pages are private and not accessible to the public, the source said. Without the applicant logging on, only a subpoena could get the NYPD that much access to the private Web pages. The online snooping goes well beyond the previously announced policy of Googling would-be cops and visiting them online in the publicly accessible pages of social-networking sites. It makes investigators privy even to some of the most private postings of anyone who wants to be a cop, sources said.

VATICAN 2.0: POPE GETS HIS OWN YOUTUBE CHANNEL (AP, 23 Jan 2009) - Puffs of smoke, speeches in Latin and multipage encyclicals have all been used by the Vatican to communicate with the faithful. Now the pope is trying to broaden his audience by joining the wannabe musicians, college pranksters and water-skiing squirrels on YouTube. In his inaugural YouTube foray Friday, Benedict welcomed viewers to this “great family that knows no borders” and said he hoped they would “feel involved in this great dialogue of truth.” “Today is a day that writes a new page in history for the Holy See,” Vatican Radio said in describing the launch of the site, The Vatican said that with the YouTube channel, it hoped to broaden and unite the pontiff’s audience — an estimated 1.4 billion people are online worldwide — while giving the Holy See better control over the pope’s Internet image. The pontiff joins President Barack Obama, who launched an official White House channel on his inauguration day, as well as Queen Elizabeth, who went online with her royal YouTube channel in December 2007. For the Vatican, it was the latest effort to keep up to speed with the rapidly changing field of communications and new media. For a 2,000-year-old institution known for being very set in its ways, it was something of a revolution. At the same time, though, the pope warned he wasn’t embracing virtual communication without some reservation. In his annual message for the World Day of Communication, Benedict praised as a “gift to humanity” the benefits of social networking sites such as Facebook and MySpace in forging friendships and understanding. But he also warned that virtual socializing had its risks, saying “obsessive” online networking could isolate people from real social interaction and broaden the digital divide by further marginalizing people.

ON THE INTERNET, A UNIVERSITY WITHOUT A CAMPUS (IHT, 25 Jan 2009) - An Israeli entrepreneur with decades of experience in international education plans to start the first global, tuition-free Internet university, a nonprofit venture he has named the University of the People. “The idea is to take social networking and apply it to academia,” said Shai Reshef, an entrepreneur and founder of several previous Internet-based educational businesses. “The open source courseware is there, from universities that have put their courses online, available to the public, free. We know that online peer-to-peer teaching works. Putting it all together, we can make a free university for students all over the world, anyone who speaks English and has an Internet connection.” Online learning is growing in many different contexts. Through the Open Courseware Consortium, started by the Massachusetts Institute of Technology in 2001, universities around the world have posted materials for thousands of courses - as widely varied as Utah State University’s “Lambing and Sheep Management” and MIT’s “Relativistic Quantum Field Theory” - all free to the public. Many universities now post their lectures on the iTunes music store. For-profit universities like the University of Phoenix and Kaplan University have extensive online offerings. And increasingly, both public universities, like the University of Illinois, and private ones, like Stanford, offer at least some classes online. Outside the United States, too, online learning is booming: Open University in Britain, for example, enrolls about 160,000 undergraduates in distance-learning courses. The University of the People, like other Internet-based universities, would have online study communities, weekly discussion topics, homework assignments and exams. But in lieu of tuition, students would pay only nominal fees for enrollment ($15 to $50) and for exams ($10 to $100), with students from poorer countries paying the lower fees. Experts in online education say it is an interesting idea, but one that raises many questions.

GOOGLE LETS USERS SEARCH FOR INTERNET BLOCKERS (Reuters, 28 Jan 2009) - Google Inc on Wednesday unveiled a plan aimed at eventually letting computer users determine whether providers like Comcast Corp are inappropriately blocking or slowing their work online. The scheme is the latest bid in the debate over network neutrality, which pits content companies like Google against some Internet service providers. Google will provide academic researchers with 36 servers in 12 locations in the United States and Europe to analyze data, said its chief Internet guru, Vint Cerf, known as the “father of the Internet.” “When an Internet application doesn’t work as expected or your connection seems flaky, how can you tell whether there is a problem caused by your broadband ISP (Internet service provider), the application, your PC (personal computer), or something else?” Cerf wrote in a blog post. The effort aims to uncover the problem for users, Cerf said.

CAN BLOGS SURVIVE TWITTER? (Legal Blog Watch, 29 Jan 2009) - Blogging is a conversation, Kevin O’Keefe of LexBlog is fond of saying. But how can you have a conversation if others can’t join in through comments? Recently, the editors of popular legal blogs The Volokh Conspiracy and Above the Law have updated their respective comment policies, reserving the right to moderate comments as they deem fit. Above the Law took a further step, changing the site design to hide comments by default -- requiring readers to opt-in to view them. The sites have taken this approach to crack down on crude or offensive comments that may drive other readers away, or intimidate them from commenting. In that regard, the restrictions that ATL, Volokh and others place on commenters help to encourage the conversation rather than kill it. But even without restrictive policies, blog comments in general are dwindling, writes Scott Greenfield. On his Simple Justice blog, Greenfield says many regular readers and commenters (largely from the criminal defense community) have taken the conversation over to Twitter.

JUSTICE DEPARTMENT SENDS HOAX E-MAIL TO TEST WORKERS (CNET, 30 Jan 2009) - A U.S. Department of Justice e-mail that phished for sensitive information from federal workers was a hoax that the agency sent out to test its own security awareness, according to a report. The e-mail, sent two weeks ago to Justice Department employees, directed recipients to a Web site that prompted them to supply account information related to the federal retirement savings program, the Associated Press reported. “We have learned that the messages are part of a hoax invented and distributed by DOJ to test employee security awareness,” Ted Shelkey, assistant director for information systems security, wrote in an e-mail to the AP on Wednesday. Justice Department spokeswoman Gina Talamona confirmed that the e-mail was a security test. “Scenarios are intended to represent an example of persistent cyberthreats facing today’s Internet users,” she told the news service. Talamona did not immediately return a call seeking comment on Friday and Shelkey could not be reached.

CAN YOUR IT DEPARTMENT READ YOUR OFFLINE GMAIL? (PC Magazine, 30 Jan 2009) - We’ve been waiting for some sort of offline functionality to come to Gmail ever since Google Gears was released—it seems like the feature for which Gears was invented in the first place. And now that offline Gmail is here (and seems to work well, according to Lance Ulanoff), I have but one concern about it: Is it safe to use on a work PC? Offline Gmail works by archiving and storing your Gmail messages locally on your machine. I’m guessing you use your freemail account the same way everyone does—for the e-mail that you don’t really want stored on your corporate servers or sitting in your corporate inbox. If that’s the case, storing an archive of those messages on your work PC might not seem like such a great idea. The archive is buried fairly deep in your C:\Documents and Settings file tree. If you’re using Firefox, the archive is stored here: C:\Documents and Settings\ \Local Settings\Application Data\Mozilla\Firefox\Profiles\74d61f9f.Default User\Google Gears for Firefox\ For Chrome, your messages are kept here: C:\Documents and Settings\ \Local Settings\Application Data\Google\Chrome\User Data\Default\Plugin Data\Google Gears\ That’s right, there’s a different archive for each browser you use Offline Gmail with (I couldn’t get Offline Gmail to archive my messages with IE8). Naturally, every company has different I.T. policies in place, and varying levels of employee privacy. In the case of Offline Gmail, it would be extremely difficult for your I.T. department to read your archived e-mail as of right now. The archived messages are stored in a proprietary database file type called “COM-GOOGLEMAIL#DATABASE” or “GOOGLEMAIL#DATABASE”. I’m guessing your I.T. department doesn’t have a tool to access the data inside the file, or the free time to build one (though such a tool may someday exist). So your private e-mail is almost certainly private on your work PC, at least for the time being. Still, our Security Watch Contributing Editor Larry Seltzer advises taking the safe route, telling me that you have to “assume you have no privacy from your company.” “If you put it on your work machine you should assume they can and will [be able to access it],” he said. “And they should be able to. It’s their computer.”

CARDINAL EXEC NOMINATED FOR HOMELAND SECURITY POST (Columbus Dispatch, 30 Jan 2009) - Dublin-based Cardinal Health apparently will be looking for some new legal help. That’s because the company’s current chief legal officer, Ivan K. Fong, is being nominated by President Obama to be general counsel for the U.S. Department of Homeland Security. Fong has previous government experience, as a deputy associate attorney general for the Department of Justice, the homeland security department said this week in a release.

DOCUMENTING THE DECLINE OF (PRINT) LAW REVIEWS (InsideHigherEd, 2 Feb 2009) - You don’t have to look far for evidence of the decline of the print medium, as daily newspapers contract by the day, amid other signs. But not surprisingly, perhaps, publishers are not exactly advertising their woes, and as a result, Ross E. Davies, editor in chief of The Green Bag law journal and a professor of law at George Mason University, had some difficulty when he sought to catalog the print readership of the country’s leading law reviews. In a paper prepared for The Green Bag’s annual almanac and available now on the Social Science Research Network, Davies found that many law reviews were inconsistent, to be kind, in keeping up with a U.S. Postal Service requirement to publish their circulation numbers. Seven of the 15 leading journals he examined had not published their statistics for 2007-8, and several of them seemed to flout the rule consistently. While Davies speculates about whether ignorance or something else explains the failure, he suggests that it may be better explained by what is revealed by the data he was able to collect, which show that all of the law reviews have seen significant drops — most in the range of half to two-thirds — in their print circulations. Harvard’s law review fell to 2,610 paid subscriptions in 2007-8, down from a peak of 8,760 in 1979-80, and the University of Virginia’s had dipped to 530 from 2,396 in 1980-81, as seen in the table below. SSRN paper here:

COMCAST PORN GOOF GIVES SUPER BOWL VIEWERS AN EYEFUL (Valleywag, 2 Feb 2009) - Everyone’s pretending to be shocked about the 10-second clip of porn spliced into Comcast’s Tucson-area broadcast of the Super Bowl. Why? That’s how Comcast butters its bread. The clip (do we even need to mention that it’s NSFW?) from ClubJenna, apparently meant to broadcast on the Shorteez channel but instead spliced into KVOA’s feed of the football game, is but one of the many porn channels from which Comcast makes a healthy profit. Across the industry, porn accounts for more than a quarter of pay-per-view revenues. Cue a round of handwringing among the media. Comcast customers have better purposes for their hands. [Editor: a whole new kind of “wardrobe malfunction”.]

GOOGLE OFFERS TOOL TO LET YOU TRACK YOUR FRIENDS’ MOVEMENTS (Computerworld, 4 Feb 2009) - Not content with indexing the world’s information, Google Inc. is now tracking where users of its maps service are, and making that location data searchable by others. The tracking feature, called Latitude, will appear on compatible mobile devices in a new version of Google Maps, Version 3.0.0. It can also be added as a gadget on iGoogle, the company’s personalizable home page service. Tracking people’s movements is sure to raise concerns about privacy, but “everything about Latitude is opt-in,” according to Vic Gundotra, vice president of engineering with Google’s mobile team, writing on the company’s official blog. The service will indicate users’ locations with a small photo icon superimposed on a map. It is initially available for the BlackBerry and devices running Nokia’s S60 or Microsoft’s Windows Mobile software. An Android version will follow in a few days, said Gundotra, and he expects an iPhone version will follow “very soon.” To begin sharing your location, you must either sign up for the Latitude service or accept an invitation to view the location of someone already using it. Latitude’s help pages describe the fine-grained control the service allows over who sees what and when. For each friend with whom you choose to share information, you can give your precise location, the name of the city only or no information at all. Latitude can automatically detect your location if you’re using it on a compatible smartphone, but it’s also possible to lie about where you are, by manually setting your location on a map.

- and -

I AM HERE: ONE MAN’S EXPERIMENT WITH THE LOCATION-AWARE LIFESTYLE (Wired Magazine, February 2009) - I’m baffled by WhosHere. And I’m no newbie. I built my first Web page in 1994, wrote my first blog entry in 1999, and sent my first tweet in October 2006. My user number on Yahoo’s event site, 14. I love tinkering with new gadgets and diving into new applications. But WhosHere had me stumped. It’s an iPhone app that knows where you are, shows you other users nearby, and lets you chat with them. Once it was installed and running, I drew a blank. What was I going to do with this thing? So I asked for some help. I started messaging random people within a mile of my location (37.781641 °N, 122.393835 °W), asking what they used WhosHere for. [Editor: Interesting read about location-aware cellphone services; benefits and pitfalls and risks. I’ve been playing with some of these apps, too – e.g., Twinkle and Loopt]

HOTELS.COM, EXPEDIA.COM AGREE TO ENHANCE WEB SITE ACCESSIBILITY FOR DISABLED TRAVELERS (BNA’s Internet Law News, 5 Feb 2009) - BNA’s Electronic Commerce & Law Report reports that Hotels.com and Expedia.com have agreed, under a settlement approved Jan. 15, to improve their online travel sites to settle a lawsuit alleging the sites refused to guarantee disabled travelers accessible rooms. Civil rights attorneys alleged the sites did not allow mobility-impaired individuals to search for accessible features, such as doorways wide enough for a wheelchair, or make reservations guaranteeing that an accessible room would be available to them at the discounted rates offered to other customers. Case name is Smith v.

COURT’S CFAA RULING GIVES PLAINTIFFS BAR A GIFT-WRAPPED “TIME BOMB” (Steptoe & Johnson’s E-Commerce Law Week, 5 Feb 2009) - Producers of defective software could soon take a place next to disloyal employees and meddling moms on the ever-expanding list of entities subject to civil suit or prosecution under the Computer Fraud and Abuse Act (CFAA). In Kalow & Springnut, LLP, v. Commence Corporation, a federal court in New Jersey recently ruled that a company that allegedly suffered damages because software it purchased was “intentionally designed to stop working” can state a claim against the producer of this software under the CFAA. While legitimate software vendors would never sell code with the intention of causing damage, this decision -- if left standing -- could still greatly increase the legal risk for such vendors. Under the court’s reasoning, as long as a plaintiff simply alleges the requisite intent to cause harm (along with knowing transmission of a program, damage, etc.) and states that it had not altered its computer system, it may survive a motion to dismiss -- thus subjecting the software maker to expensive discovery and litigation costs. Make it a class action and the case becomes, at the least, a serious settlement driver. This ruling itself could thus become a real “time bomb” for software makers if it is not reversed or narrowed.

**** LOOKING BACK ****
MOODY’S ERROR GAVE TOP RATINGS TO DEBT PRODUCTS (MIRLN 11.07, 31 MAY 2008) - Moody’s awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, a Financial Times investigation has discovered. Internal Moody’s documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple-A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower. [Editor: Ah, weren’t those the days!]

MAPPING GLOBALIZATION (Ethan Zuckerman, Berkman Center, 27 Jan 2009) - We’re all surrounded by infrastructure that we rarely pay attention to... except on those rare occasions when it fails. When the gas gets shut off in Bulgaria or the internet in Egypt, we reach for maps of infrastructure to understand what’s going on. These may not be the right maps - maps of infrastructure show what’s possible in a connected world, but not necessarily what happens. Understanding globalization requires new kinds of maps - maps of flow of bits, atoms and ideas. [Editor: Fascinating talk about various kinds of geographical mapping and “flow maps”. TWO STARS.] Slides are here: The airflow map is quite beautiful:

ENTERPRISE 2.0: HOW ORGANIZATIONS ARE EXPLOITING WEB 2.0 TECHNOLOGIES AND PHILOSOPHIES (Andrew McAfee, Berkman Center, 13 Jan 2009) - Over the past few years a wide array of “Web 2.0” technologies and communities have appeared on the Internet; these include Facebook, Twitter, Wikipedia, YouTube, and others. Organizations are in the early stages of incorporating these tools into their work, a phenomenon I call “Enterprise 2.0.” In this talk I’ll give examples of Enterprise 2.0, folding them into a simple model intended to communicate the different categories of benefits conferred. [Editor: It turns out that “Enterprise 2.0” means knowledge management; pretty interesting discussion about weak ties, knowledge workers, intranet blogging—”narrating your work”—and corporate prediction markets. Caveat: he’s got it wrong when he says that prediction markets don’t need credentialed participants—read Cass Sunstein’s “Infotopia” and see Wikipedia’s discussion of Condorcet’s Jury Theorem. ONE STAR.]

**** RESOURCES ****
10 PRIVACY SETTINGS EVERY FACEBOOK USER SHOULD KNOW (Facebooko, 2 Feb 2009) - Every day I receive an email from somebody about how their account was hacked, how a friend tagged them in a photo and they want a way to avoid it, as well as a number of other complications related to their privacy on Facebook. Over the weekend one individual contacted me to let me know that he would be removing me as a friend from Facebook because he was “going to make a shift with my Facebook use - going to just mostly family stuff.” Perhaps he was tired of receiving my status updates or perhaps he didn’t want me to view photos from his personal life. Whatever the reason for ending our Facebook friendship, I figured that many people would benefit from a thorough overview on how to protect your privacy on Facebook. Below is a step-by-step process for protecting your privacy. [Editor: this posting was recommended by a knowledgeable MIRLN reader.]

SEC POSTS XBRL RULES: WHAT TO DO NOW (2 Feb 2009) - Last Friday, the SEC posted the adopting release for its new interactive data rules. This project has been an enormous effort on the part of the Corp Fin Staff under an extraordinarily tight timeframe. Under the new rules, filers will be required to provide a new exhibit containing the financial statements and any applicable financial statement schedules in interactive data format with certain Securities Act registration statements, quarterly reports, annual reports, transition reports, and current reports on Form 8-K or Form 6-K that contain revised or updated financial statements. The new requirements will be phased in as follows: [Read more, if this applies to you.] SEC release here:

************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.