Saturday, February 07, 2009

MIRLN --- 18 January - 7 February 2009 (v12.02)

**** NEWS ****

IT SECURITY RISKS DISMISSED BY BOARDS, CMU SURVEY FINDS (, 4 Dec 2008) - A report released this week by Carnegie Mellon University’s CyLab, illustrates the wide gap between boards of directors and those responsible for information security in the enterprise, in particular where board members who still aren’t clear on the link between IT risk and a company’s overall risk posture. CyLab’s Governance of Enterprise Security report was based on data collected by the National Association of Corporate Directors for its 2008 Public Company Governance Survey. The survey was taken by 703 sitting directors of U.S. public companies, primarily audit, compensation and governance professionals. The conclusions aren’t encouraging for CISOs who are desperate to be heard by boards and senior management. Directors and officers still aren’t devoting resources or attention to the business-critical implications of faulty information security processes. And with a recession in full swing, board members’ attention is further diverted. A little more than a third of the respondents believe overall enterprise risk is a critical governance issue, well behind other issues such as board leadership, CEO relations, evaluation and succession plans, and board culture. Thirty-six percent of those surveyed said boards have a direct involvement in the oversight of information security, and of the 47% of respondents that have formalized enterprise risk management plans, only two-thirds include IT risks in those plans. “That disconnect of risk management plans not including IT risk is eye-opening. [Boards] don’t understand that the majority of their operations rely on technology,” said report co-author Jody Westby, CEO of Global Cyber Risk LLC and an Adjunct Distinguished Fellow at CyLab. “They don’t understand that if the Internet or communications goes down, or if there’s a sustained attack, they’re out of business.” Boards still labor under the thinking that security is primarily a technology issue and leave security issues to IT, the report concludes. Noteworthy findings include:
• 38% of the respondents said boards occasionally or rarely review privacy, security or risk management budgets (40% said they never do).
• 55% said boards occasionally or rarely approve roles and responsibilities for privacy officers (28% never do).
• 56% occasionally or rarely review top-level security and privacy policies (23% never do).
• 62% occasionally or rarely receive reports from senior management on risk (15% never do).,289142,sid14_gci1341038,00.html

- and -

CYBER THIEVES HACKED HEARTLAND’S CREDIT CARD SYSTEM (Topnews, 21 Jan 2009) - It literally shocked the United States cardholders, on Tuesday, when the Credit-card processor, Heartland Payment Systems disclosed that cyber thieves broke its system in 2008 and stole credit card information. Heartland Payment Systems divulged that cyber thieves hacked into the computers that were used to process 100 million payment card transactions per month for 175,000 merchants. In an interview, Heartland’s president and CFO, Robert Baldwin said, “Intruders had access to Heartland’s system for longer than weeks in late 2008.” “The number of victims is unknown. We just don’t have the information right now,” He said. According to the company, Visa and MasterCard alerted them of the fishy activities linked with processed card transactions. They started an investigation, which revealed software that compromised data that crossed Heartland’s network. Mr. Baldwin said, “We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands.” According to the company, several steps were immediately taken to secure its systems -a website - www. 2008breach. com - was created to provide information about the incident.

- and -

HEARTLAND BREACH RAISES QUESTIONS ABOUT PCI STANDARD’S EFFECTIVENESS (NetworkWorld, 22 Jan 2009) - It’s not yet known if Heartland Payment Systems’ newly disclosed data breach will count as the largest card heist ever. But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn’t sufficient to ensure cardholder data is safeguarded. “Billions is being spent on PCI compliance, but it isn’t really working,” says Gartner analyst Avivah Litan. “PCI’s dirty little secret is that it doesn’t mandate encryption inside a private network because then all the processors would have to encrypt.” Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered, in which cyber-criminals tapped into a monthly stream of 100 million debit and credit cards for several months using malware installed on processing computers. But Litan notes the complex interconnections among payment-card processers, merchants and banks would make point-to-point encryption extremely unwieldy. End-to-end application-level encryption might be more feasible where card data is originated. The irony, Litan says, is that some retailers today do encrypt data in motion inside their private store networks (even though it’s not mandated by the PCI standard) and they have to decrypt it before they send it to their processors. Heartland was compliant with PCI, certified by PCI assessor Trustwave in April, but PCI compliance isn’t stopping the wave of attacks against payment processors, Litan notes. She points out that the PCI standard does include a requirement for file-integrity checking at least weekly, so something may have broken down in that area that allowed the malware to remain unnoticed for so long.

- and -

DATA BREACH COSTS ROSE SIGNIFICANTLY IN 2008, PONEMON STUDY SAYS (DarkReading, 2 Feb 2008) - The cost of data breaches is on the rise, and businesses that experience them are losing customers as a result, according to a new study issued today. In an update to its popular annual “U.S. Cost of a Data Breach Study,” Ponemon Institute and PGP have published a new report that indicates many of the cost factors surrounding security incidents have risen in the past 12 months. “After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach,” says Larry Ponemon, chairman and founder of The Ponemon Institute. “As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy.” The average cost of a data breach in 2008 grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record), according to the study. The average total cost per reporting company was more than $6.6 million per breach -- up from $6.3 million in 2007 and $4.7 million in 2006 -- and ranged from $613,000 to almost $32 million. The cost of lost business continued to be the most costly effect of a breach, averaging $4.59 million, or $139 per record compromised, the study says. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study. In 2008, the average abnormal customer churn rate resulting from a data breach was 3.6 percent, an increase from 2.67 in 2007 and 2.01 percent in 2006. Between 2005 and 2008, this one cost component grew by more than $64 on a per victim basis -- a 38 percent increase, the study says. “The cost of customer churn is the largest cost,” Ponemon says. “Yet many organizations fail to consider or measure this important economic loss.” Healthcare and financial service companies have the highest average rate of churn -- 6.5 percent and 5.5 percent, respectively, according to the study. “High churn rates reflect the fact that these industries manage and collect consumers’ most sensitive data,” it says. The average cost of a healthcare breach ($282 per record) is more than twice that of an average retail breach ($131). More than 88 percent of all breaches in 2008 involved incidents resulting from insider negligence, according to the study. The cost of these incidents is lower than the cost of malicious attacks: Per-victim cost for data breaches involving negligence was $199 per record, compared to $225 per record for malicious acts. Breaches by third-party organizations -- such as outsourcers, contractors, consultants, and business partners -- were reported by 44 percent of respondents, up from 40 percent in 2007, 29 percent in 2006, and 21 percent in 2005. Per-victim cost for third-party incidents is $52 higher -- $231 vs. $179 -- than insider-caused breaches, the study says. Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches, according to the report. Per-victim cost for a first time data breach is $243 vs. $192 for experienced companies, Ponemon says. More than 84 percent of all cases in this year’s study involved organizations that had experienced more than one major data breach.

POPULAR CHINESE FILTERING CIRCUMVENTION TOOLS DYNAWEB FREEGATE, GPASS, AND FIREPHOENIX SELL USER DATA (Hal Roberts, Berkman Center, 9 Jan 2009) - Update: The site hosting the data for these tools has now removed the faq entry offering to sell the data. Please read my subsequent update for responses from the tool developers and further thoughts. Three of the circumvention tools — DynaWeb FreeGate, GPass, and FirePhoenix — used most widely to get around China’s Great Firewall are tracking and selling the individual web browsing histories of their users. Data about aggregate usage of users of the tools is published freely. You can see, for example, that the three sites most visited by users of these circumvention tools are,, and Aggregate data like this is a terrific resource for those of us interested in researching circumvention tool usage, and not much of a privacy risk for the circumventing users if it is only stored (as well as displayed) in the aggregate. But the ranking site also advertises a pay service through which you can get not only much more data, but data about individual users. The site’s FAQ states:
Q: I am interested in more detailed and in-depth visit data. Are they available?
A: Yes, we can generate custom reports that cover different levels of details for your purposes, based on a fee. But data that can be used to identify a specific user are considered confidential and not shared with third parties unless you pass our strict screening test. Please contact us if you have such a need.
So they are happy to provide you with specific user data, but only if you double super promise not to share it and only if they really like you. It’s hard to state how dangerous this practice is. These tools are acting as virtual ISPs for millions of users. All circumvention tools work by proxying the data of their users through some third machine, so all circumventing traffic is going through that third party machine. Selling the browsing histories of those users is like an ISP selling the browsing histories of its users, which is a big step beyond what companies like NebuAd and Phorm were / are trying to do. NebuAd and Phorm are at least adding a variety of pseudonymity and privacy layers to their tracking, whereas dynaweb et al. are evidently directly storing (and selling) the full, individually identifiable browsing histories of their users. And the data about circumventing users is much more sensitive than the data about most ISP users. These are the histories of users browsing sites that are not only blocked (and therefore mostly sensitive in one way or another) but blocked by an authoritarian country with an active policy and practice of persecuting dissidents.

COURT RULES THAT ‘METADATA’ AREN’T PUBLIC RECORDS (Arizona Central, 13 Jan 2009) - A divided Arizona appellate court ruled Tuesday that hidden electronic data that indicates how and when documents are produced with word processing computer programs aren’t themselves public records. The three-judge Court of Appeals panel’s majority opinion rejected part of a Phoenix police officer’s public-records request that sought “metadata” for notes written by one of the officer’s supervisors. Metadata is data embedded in documents to track authors, when something was saved and what changes were made. It isn’t visible when a document is printed on paper nor does it appear on screen in normal settings. The officer said he wanted the metadata to see if the supervisor had backdated the notes.

LEGAL DOWNLOADS SWAMPED BY PIRACY (BBC, 16 Jan 2009) - Ninety-five per cent of music downloaded online is illegal, a report by the International Federation of the Phonographic Industry (IFPI) has said. The global music trade body said this is its biggest challenge as artists and record companies miss out on payments. There has, however, been a 25% rise since last year with downloads now accounting for a fifth of all recorded music sales. The IFPI said worldwide music market revenues shrank by 7% last year.

FAKE REVIEWS PROMPT BELKIN APOLOGY (CNET, 19 Jan 2009) - Fake positive reviews of Belkin products were actively solicited by one of its employees, the company admitted on Sunday. Belkin, a networking and peripheral manufacturer, apologized for the worker’s actions, which sought to artificially boost Belkin’s status on Amazon while denigrating existing bad reviews. On Friday, The Daily Background Web site revealed how someone, apparently Belkin business development representative Mark Bayard, had used the Mechanical Turk service to ask users to write positive reviews of a Belkin product at a rate of 65 cents per review. The requests made it clear that writers need have no experience of, nor even own, the product in question. Mechanical Turk is an online clearing-house for small jobs that cannot be done by machine, such as writing product descriptions. It is, coincidentally, run by Amazon. In a letter posted on the company’s Web site on Sunday, Belkin President Mark Reynoso said the solicitations had been “an isolated incident.” “It was with great surprise and dismay when we discovered that one of our employees may have posted a number of queries on the Amazon Mechanical Turk Web site inviting users to post positive reviews of Belkin products in exchange for payment,” Reynoso wrote. “Belkin does not participate in, nor does it endorse, unethical practices like this. We know that people look to online user reviews for unbiased opinions from fellow users and instances like this challenge the implicit trust that is placed in this interaction. We regard our responsibility to our user community as sacred, and we are extremely sorry that this happened.”

LAWSUIT AGAINST AOL CLEARS HURDLE AFTER ‘CHERNOBYL OF THE INTERNET’ (Chicago Sun Times, 20 Jan 2009) - Thousands of California residents can sue AOL in their home state for invasion of privacy despite agreements they signed requiring all legal disputes to go before “courts of Virginia” and be guided by Virginia law. A federal appellate court on Friday cleared a path for a class-action lawsuit to proceed against AOL. On July 31, 2006, AOL (formerly America Online) placed on a public Web site 20 million search inquiries by 658,000 of its members over a three-month period. A broad protest erupted in cyberspace, with one blogger describing the incident as the “Chernobyl of the Internet,” in reference to a disastrous 1986 nuclear accident in the former Soviet Union. The data included addresses, phone numbers, credit-card numbers, Social Security numbers, passwords and other personal information. The suit, which followed less than two months after the incident, was filed in Oakland federal court, alleging violations of federal electronic privacy law and, on behalf of the California subset, state law requiring businesses to protect customers’ personal information. It seeks an unspecified amount of monetary damages. AOL, a unit of media conglomerate Time Warner Inc. and one of the largest access businesses in the United States, persuaded U.S. District Judge Saundra B. Armstrong to throw the suit out because of the clause in the membership agreements mandating that legal disputes go before a Virginia court, where class actions are not allowed. (Until its recent move to New York, AOL was based in Dulles, Va.) But on Friday, a three-judge panel of the San Francisco-based 9th U.S. Circuit Court of Appeals reversed that decision for the as-yet-undetermined number of California residents who are part of the class and sent it back to Armstrong for further proceedings. Citing a 1972 U.S. Supreme Court opinion and a 2001 California court of appeal decision, the circuit panel ruled that “enforcement of the forum selection clause violates the (California) Consumer Legal Remedies Act,” and is unenforceable against California residents. The state’s public policy would be violated if its residents were forced to waive their rights to a class action and remedies available under California consumer law, the panel declared. In the public posting, AOL user names were changed to numbers, but the ability to analyze all searches by a single user often made it easy to identify the user, the panel noted.,w-aol-lawsuit-privacy012009.article

FISA APPEALS COURT UPHOLDS WARRANTLESS WIRETAPS (Steptoe & Johnson’s E-Commerce Law Week, 22 Jan 2009) - In a rare decision handed down in August but released on January 15, the Foreign Intelligence Surveillance Court of Review ruled that an order requiring a communications service provider to assist in warrantless surveillance of persons “reasonably believed” to be outside the United States did not violate the Fourth Amendment. The order was issued under a stop-gap amendment to the Foreign Intelligence Surveillance Act (FISA) know as the Protect America Act (PAA) of 2007. But the court’s broad reasoning would clearly result in upholding the warrantless wiretapping authority provided in the permanent amendments to FISA enacted last year, since those amendments provide even greater privacy protections than the temporary PAA. Decision here:

WHITE HOUSE EXEMPTS YOUTUBE FROM PRIVACY RULES (CNET, 22 Jan 2009) - The new Web site for Obama’s White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site’s policies relating to search engine robots, a far more interesting tidbit has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites. The new White House Web site privacy policy promises that the site will not use long-term tracking cookies, complying with a decade-old rule prohibiting such user tracking by federal agencies. However, the privacy policy then reveals that Obama’s legal team has exempted YouTube from this rule (YouTube videos are embedded at various places around the White House Web site). While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama’s home in cyberspace. No other company has been singled out and rewarded with such a waiver. In a blog post back in November, I criticized the Obama transition team’s Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules. Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user’s browser--even for those users who do not click the “play” button. Someone on the Obama legal team seems to have read my previous blog post, as they’ve modified the White House privacy policy to specifically exclude YouTube’s tracking cookies from federal rules that would otherwise prohibit their use: “For videos that are visible on, a ‘persistent cookie’ is set by third party providers when you click to play the video. This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.” Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user’s browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits.

NEW NATIONAL CYBER ADVISER TO REPORT TO OBAMA (CNET, 22 Jan 2009) - The administration of President Barack Obama will be hiring a new national cyber adviser, according to the agenda for homeland security released on his first full day in office. The Agenda for Homeland Security, released Wednesday, lists goals for defeating terrorism and improving intelligence gathering, as well as for protecting the nation’s information networks and critical infrastructure. The top item under protecting information networks is to strengthen leadership on cyber security by establishing a “position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.” Other items include: supporting an initiative to develop next-generation secure computers and networking for national security applications, and deploying secure hardware and software to protect critical cyber infrastructure; establishing “tough new standards for cyber security and physical resilience;” developing systems to protect trade secrets from being stolen online from U.S. businesses; shutting down “untraceable Internet payment schemes;” and securing personal data stored on government and private systems and requiring companies to disclose data breaches. The homeland security agenda also calls for ensuring that “security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle.”

OBAMA REPORTEDLY GETS A SUPER-ENCRYPTED BLACKBERRY (ABA Journal, 23 Jan 2009) - Barack Obama has apparently won his fight to retain his beloved BlackBerry. An unidentified government agency has added a “super-encryption package” to a standard BlackBerry that the president can use for routine and personal messages, according to The Atlantic’s Marc Ambinder blog. The device is designed to protect Obama from hackers who seek to read his messages or learn his location, explains the National Business Review. The Marc Ambinder article says BlackBerrys aren’t designed for encrypted messages of top-secret status, and it’s not clear if Obama is “getting something new and special.” A device that could do the job, the blog says, is the $3,350 smartphone called Sectera Edge, made by General Dynamics. Earlier this month, Obama said he was in a “scuffle” with his lawyers over keeping his BlackBerry. “I’m still clinging to my BlackBerry,” Obama said in a CNBC interview. “They’re going to pry it out of my hands.” While Obama won his BlackBerry battle, his aides aren’t so lucky. They will have to deal with a ban on instant messaging, Politico reports.

HOW QUICKLY ARE THINGS CHANGING? EBAY SENDS 70 TWEETS DURING ITS EARNINGS CALL (, 23 Jan 2009) - With the coming regulatory reform likely to be a whopper (the House passed the “TARP Reform and Accountability Act” on Wednesday; it’s not expected to go anywhere in the Senate though), I predict a huge host of changes this year beyond those required by law. For example, Corporate America will start catching up with the young folks online (my 14-year old lives for Facebook). Case in point: On Wednesday, eBay’s Richard Brewer-Hay (the guy behind eBay’s “Ink Blog”) sent a total of approximately 70 tweets during an eBay earnings call (it’s hard to pinpoint the exact number; it depends if you count “retweets”). It’s pretty amazing to witness a play-by-play of what is happening during the earnings call. Talk about real-time disclosure! [Editor: read on to catch some concerned commentary.]

NYPD EYES WEB PAGES OF POLICE RECRUITS (NY Post, 23 Jan 2009) - The NYPD is requiring police recruits who have MySpace or Facebook pages to watch as an investigator sifts through their most private postings, The Post has learned. The measure is designed to weed out would-be cops who litter their Web sites with violent or explicit imagery, racist rants and any other material deemed objectionable, a law-enforcement source said. Applicants Processing Division officers are demanding any recruit with an account log on to their pages, even if those pages are private and not accessible to the public, the source said. Without the applicant logging on, only a subpoena could get the NYPD that much access to the private Web pages. The online snooping goes well beyond the previously announced policy of Googling would-be cops and visiting them online in the publicly accessible pages of social-networking sites. It makes investigators privy even to some of the most private postings of anyone who wants to be a cop, sources said.

VATICAN 2.0: POPE GETS HIS OWN YOUTUBE CHANNEL (AP, 23 Jan 2009) - Puffs of smoke, speeches in Latin and multipage encyclicals have all been used by the Vatican to communicate with the faithful. Now the pope is trying to broaden his audience by joining the wannabe musicians, college pranksters and water-skiing squirrels on YouTube. In his inaugural YouTube foray Friday, Benedict welcomed viewers to this “great family that knows no borders” and said he hoped they would “feel involved in this great dialogue of truth.” “Today is a day that writes a new page in history for the Holy See,” Vatican Radio said in describing the launch of the site, The Vatican said that with the YouTube channel, it hoped to broaden and unite the pontiff’s audience — an estimated 1.4 billion people are online worldwide — while giving the Holy See better control over the pope’s Internet image. The pontiff joins President Barack Obama, who launched an official White House channel on his inauguration day, as well as Queen Elizabeth, who went online with her royal YouTube channel in December 2007. For the Vatican, it was the latest effort to keep up to speed with the rapidly changing field of communications and new media. For a 2,000-year-old institution known for being very set in its ways, it was something of a revolution. At the same time, though, the pope warned he wasn’t embracing virtual communication without some reservation. In his annual message for the World Day of Communication, Benedict praised as a “gift to humanity” the benefits of social networking sites such as Facebook and MySpace in forging friendships and understanding. But he also warned that virtual socializing had its risks, saying “obsessive” online networking could isolate people from real social interaction and broaden the digital divide by further marginalizing people.

ON THE INTERNET, A UNIVERSITY WITHOUT A CAMPUS (IHT, 25 Jan 2009) - An Israeli entrepreneur with decades of experience in international education plans to start the first global, tuition-free Internet university, a nonprofit venture he has named the University of the People. “The idea is to take social networking and apply it to academia,” said Shai Reshef, an entrepreneur and founder of several previous Internet-based educational businesses. “The open source courseware is there, from universities that have put their courses online, available to the public, free. We know that online peer-to-peer teaching works. Putting it all together, we can make a free university for students all over the world, anyone who speaks English and has an Internet connection.” Online learning is growing in many different contexts. Through the Open Courseware Consortium, started by the Massachusetts Institute of Technology in 2001, universities around the world have posted materials for thousands of courses - as widely varied as Utah State University’s “Lambing and Sheep Management” and MIT’s “Relativistic Quantum Field Theory” - all free to the public. Many universities now post their lectures on the iTunes music store. For-profit universities like the University of Phoenix and Kaplan University have extensive online offerings. And increasingly, both public universities, like the University of Illinois, and private ones, like Stanford, offer at least some classes online. Outside the United States, too, online learning is booming: Open University in Britain, for example, enrolls about 160,000 undergraduates in distance-learning courses. The University of the People, like other Internet-based universities, would have online study communities, weekly discussion topics, homework assignments and exams. But in lieu of tuition, students would pay only nominal fees for enrollment ($15 to $50) and for exams ($10 to $100), with students from poorer countries paying the lower fees. Experts in online education say it is an interesting idea, but one that raises many questions.

GOOGLE LETS USERS SEARCH FOR INTERNET BLOCKERS (Reuters, 28 Jan 2009) - Google Inc on Wednesday unveiled a plan aimed at eventually letting computer users determine whether providers like Comcast Corp are inappropriately blocking or slowing their work online. The scheme is the latest bid in the debate over network neutrality, which pits content companies like Google against some Internet service providers. Google will provide academic researchers with 36 servers in 12 locations in the United States and Europe to analyze data, said its chief Internet guru, Vint Cerf, known as the “father of the Internet.” “When an Internet application doesn’t work as expected or your connection seems flaky, how can you tell whether there is a problem caused by your broadband ISP (Internet service provider), the application, your PC (personal computer), or something else?” Cerf wrote in a blog post. The effort aims to uncover the problem for users, Cerf said.

CAN BLOGS SURVIVE TWITTER? (Legal Blog Watch, 29 Jan 2009) - Blogging is a conversation, Kevin O’Keefe of LexBlog is fond of saying. But how can you have a conversation if others can’t join in through comments? Recently, the editors of popular legal blogs The Volokh Conspiracy and Above the Law have updated their respective comment policies, reserving the right to moderate comments as they deem fit. Above the Law took a further step, changing the site design to hide comments by default -- requiring readers to opt-in to view them. The sites have taken this approach to crack down on crude or offensive comments that may drive other readers away, or intimidate them from commenting. In that regard, the restrictions that ATL, Volokh and others place on commenters help to encourage the conversation rather than kill it. But even without restrictive policies, blog comments in general are dwindling, writes Scott Greenfield. On his Simple Justice blog, Greenfield says many regular readers and commenters (largely from the criminal defense community) have taken the conversation over to Twitter.

JUSTICE DEPARTMENT SENDS HOAX E-MAIL TO TEST WORKERS (CNET, 30 Jan 2009) - A U.S. Department of Justice e-mail that phished for sensitive information from federal workers was a hoax that the agency sent out to test its own security awareness, according to a report. The e-mail, sent two weeks ago to Justice Department employees, directed recipients to a Web site that prompted them to supply account information related to the federal retirement savings program, the Associated Press reported. “We have learned that the messages are part of a hoax invented and distributed by DOJ to test employee security awareness,” Ted Shelkey, assistant director for information systems security, wrote in an e-mail to the AP on Wednesday. Justice Department spokeswoman Gina Talamona confirmed that the e-mail was a security test. “Scenarios are intended to represent an example of persistent cyberthreats facing today’s Internet users,” she told the news service. Talamona did not immediately return a call seeking comment on Friday and Shelkey could not be reached.

CAN YOUR IT DEPARTMENT READ YOUR OFFLINE GMAIL? (PC Magazine, 30 Jan 2009) - We’ve been waiting for some sort of offline functionality to come to Gmail ever since Google Gears was released—it seems like the feature for which Gears was invented in the first place. And now that offline Gmail is here (and seems to work well, according to Lance Ulanoff), I have but one concern about it: Is it safe to use on a work PC? Offline Gmail works by archiving and storing your Gmail messages locally on your machine. I’m guessing you use your freemail account the same way everyone does—for the e-mail that you don’t really want stored on your corporate servers or sitting in your corporate inbox. If that’s the case, storing an archive of those message on your work PC might not seem like such a great idea. The archive is buried fairly deep in your C:\ Documents and Settings file tree. If you’re using Firefox, the archive is stored here: C:\Documents and Settings\ \Local Settings\Application Data\Mozilla\Firefox\Profiles\74d61f9f.Default User\Google Gears for Firefox\ For Chrome, your messages are kept here: C:\Documents and Settings\ \Local Settings\Application Data\Google\Chrome\User Data\Default\Plugin Data\Google Gears\ That’s right, there’s a different archive for each browser you use Offline Gmail with (I couldn’t get Offline Gmail to archive my messages with IE8). Naturally, every company has different I.T. policies in place, and varying levels of employee privacy. In the case of Offline Gmail, it would be extremely difficult for your I.T. department to read your archived e-mail as of right now. The archived messages are stored in a proprietary database file type called “COM-GOOGLEMAIL#DATABASE” or “GOOGLEMAIL#DATABASE”. I’m guessing your I.T. department doesn’t have a tool to access the data inside the file, or the free time to build one (though such a tool may someday exist). So your private e-mail is almost certainly private on your work PC, at least for the time being. Still, our Security Watch Contributing Editor Larry Seltzer advises taking the safe route, telling me that you have to “assume you have no privacy from your company.” “If you put it on your work machine you should assume they can and will [be able to access it],” he said. “And they should be able to. It’s their computer.”

CARDINAL EXEC NOMINATED FOR HOMELAND SECURITY POST (Columbus Dispatch, 30 Jan 2009) - Dublin-based Cardinal Health apparently will be looking for some new legal help. That’s because the company’s current chief legal officer, Ivan K. Fong, is being nominated by President Obama to be general counsel for the U.S. Department of Homeland Security. Fong has previous government experience, as a deputy associate attorney general for the Department of Justice, the homeland security department said this week in a release.

DOCUMENTING THE DECLINE OF (PRINT) LAW REVIEWS (InsideHigherEd, 2 Feb 2009) - You don’t have to look far for evidence of the decline of the print medium, as daily newspapers contract by the day, amid other signs. But not surprisingly, perhaps, publishers are not exactly advertising their woes, and as a result, Ross E. Davies, editor in chief of The Green Bag law journal and a professor of law at George Mason University, had some difficulty when he sought to catalog the print readership of the country’s leading law reviews. In a paper prepared for The Green Bag’s annual almanac and available now on the Social Science Research Network, Davies found that many law reviews were inconsistent, to be kind, in keeping up with a U.S. Postal Service requirement to publish their circulation numbers. Seven of the 15 leading journals he examined had not published their statistics for 2007-8, and several of them seemed to flout the rule consistently. While Davies speculates about whether ignorance or something else explains the failure, he suggests that it may be better explained by what is revealed by the data he was able to collect, which show that all of the law reviews have seen significant drops — most in the range of half to two-thirds — in their print circulations. Harvard’s law review fell to 2,610 paid subscriptions in 2007-8, down from a peak of 8,760 in 1979-80, and the University of Virginia’s had dipped to 530 from 2,396 in 1980-81, as seen in the table below. SSNR paper here:

COMCAST PORN GOOF GIVES SUPER BOWL VIEWERS AN EYEFUL (Valleywag, 2 Feb 2009) - Everyone’s pretending to be shocked about the 10-second clip of porn spliced into Comcast’s Tucson-area broadcast of the Super Bowl. Why? That’s how Comcast butters its bread. The clip (do we even need to mention that it’s NSFW?) from ClubJenna, apparently meant to broadcast on the Shorteez channel but instead spliced into KVOA’s feed of the football game, is but one of the many porn channels from which Comcast makes a healthy profit. Across the industry, porn accounts for more than a quarter of pay-per-view revenues. Cue a round of handwringing among the media. Comcast customers have better purposes for their hands. [Editor: a whole new kind of “wardrobe malfunction”.]

GOOGLE OFFERS TOOL TO LET YOU TRACK YOUR FRIENDS’ MOVEMENTS (Computerworld, 4 Feb 2009) - Not content with indexing the world’s information, Google Inc. is now tracking where users of its maps service are, and making that location data searchable by others. The tracking feature, called Latitude, will appear on compatible mobile devices in a new version of Google Maps, Version 3.0.0. It can also be added as a gadget on iGoogle, the company’s personalizable home page service. Tracking people’s movements is sure to raise concerns about privacy, but “everything about Latitude is opt-in,” according to Vic Gundotra, vice president of engineering with Google’s mobile team, writing on the company’s official blog. The service will indicate users’ locations with a small photo icon superimposed on a map. It is initially available for the BlackBerry and devices running Nokia’s S60 or Microsoft’s Windows Mobile software. An Android version will follow in a few days, said Gundotra, and he expects an iPhone version will follow “very soon.” To begin sharing your location, you must either sign up for the Latitude service or accept an invitation to view the location of someone already using it. Latitude’s help pages describe the fine-grained control the service allows over who sees what and when. For each friend with whom you choose to share information, you can give your precise location, the name of the city only or no information at all. Latitude can automatically detect your location if you’re using it on a compatible smartphone, but it’s also possible to lie about where you are, by manually setting your location on a map.

- and -

I AM HERE: ONE MAN’S EXPERIMENT WITH THE LOCATION-AWARE LIFESTYLE (Wired Magazine, February 2009) - I’m baffled by WhosHere. And I’m no newbie. I built my first Web page in 1994, wrote my first blog entry in 1999, and sent my first tweet in October 2006. My user number on Yahoo’s event site, 14. I love tinkering with new gadgets and diving into new applications. But WhosHere had me stumped. It’s an iPhone app that knows where you are, shows you other users nearby, and lets you chat with them. Once it was installed and running, I drew a blank. What was I going to do with this thing? So I asked for some help. I started messaging random people within a mile of my location (37.781641 °N, 122.393835 °W), asking what they used WhosHere for. [Editor: Interesting read about location-aware cellphone services; benefits and pitfalls and risks. I’ve been playing with some of these apps, too – e.g., Twinkle and Loopt]

HOTELS.COM, EXPEDIA.COM AGREE TO ENHANCE WEB SITE ACCESSIBILITY FOR DISABLED TRAVELERS (BNA’s Internet Law News, 5 Feb 2009) - BNA’s Electronic Commerce & Law Report reports that and have agreed to improve their online travel sites to settle a lawsuit alleging the sites refused to guarantee disabled travelers accessible rooms under a settlement approved Jan. 15. Civil rights attorneys alleged did not allow mobility-impaired individuals to search for accessible features, such as doorways wide enough for a wheelchair, or make reservations guaranteeing that an accessible room would be available to them at the discounted rates offered to other customers. Case name is Smith v.

COURT’S CFAA RULING GIVES PLAINTIFFS BAR A GIFT-WRAPPED “TIME BOMB” (Steptoe & Johnson’s E-Commerce Law Week, 5 Feb 2009) - Producers of defective software could soon take a place next to disloyal employees and meddling moms on the ever expanding list of entities subject to civil suit or prosecution under the Computer Fraud and Abuse Act (CFAA). In Kalow & Springnut, LLP, v. Commence Corporation, a federal court in New Jersey recently ruled that a company that allegedly suffered damages because software it purchased was “intentionally designed to stop working” can state a claim against the producer of this software under the CFAA. While legitimate software vendors would never sell code with the intention of causing damage, this decision -- if left standing -- could still greatly increase the legal risk for such vendors. Under the court’s reasoning, as long a plaintiff simply alleges the requisite intent to cause harm (along with knowing transmission of a program, damage, etc.) and states that it had not altered its computer system, it may survive a motion to dismiss -- thus subjecting the software maker to expensive discovery and litigation costs. Make it a class action and the case becomes, at the least, a serious settlement driver. This ruling itself could thus become a real “time bomb” for software makers if it is not reversed or narrowed.

**** LOOKING BACK ****
MOODY’S ERROR GAVE TOP RATINGS TO DEBT PRODUCTS (MIRLN 11.07, 31 MAY 2008) - Moody’s awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, an Financial Times investigation has discovered. Internal Moody’s documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower [Editor: Ah, weren’t those the days!]

MAPPING GLOBALIZATION (Ethan Zuckerman, Berkman Center, 27 Jan 2009) - We’re all surrounded by infrastructure that we rarely pay attention to... except on those rare occasions when it fails. When the gas gets shut off in Bulgaria or the internet in Egypt, we reach for maps of infrastructure to understand what’s going on. These may not be the right maps - maps of infrastructure show what’s possible in a connected world, but not necessarily what happens. Understanding globalization requires new kinds of maps - maps of flow of bits, atoms and ideas. [Editor: Fascinating talk about various kinds of geographical mapping and “flow maps”. TWO STARS.] Slides are here: The airflow map is quite beautiful:

ENTERPRISE 2.0: HOW ORGANIZATIONS ARE EXPLOITING WEB 2.0 TECHNOLOGIES AND PHILOSOPHIES (Andrew McAfee, Berkman Center, 13 Jan 2009) - Over the past few years a wide array of “Web 2.0” technologies and communities have appeared on the Internet; these include Facebook, Twitter, Wikipedia, YouTube, and Organizations are in the early stages of incorporating these tools into their work, a phenomenon I call “Enterprise 2.0.” In this talk I’ll give examples of Enterprise 2.0, folding them into a simple model intended to communicate the different categories of benefits conferred. [Editor: It turns out that “Enterprise 2.0” means knowledge management; pretty interesting discussion about weak-ties, knowledge workers, intranet blogging—”narrating your work”—and corporate prediction markets. Caveat: he’s got it wrong when he says that prediction markets don’t need credentialed participants—read Cass Sunstein’s “Infotopia” and see Wikipedia’s discussion of Condorcet’s Jury Theorem. ONE STAR.]

**** RESOURCES ****
10 PRIVACY SETTINGS EVERY FACEBOOK USER SHOULD KNOW (Facebooko, 2 Feb 2009) - Everyday I receive an email from somebody about how their account was hacked, how a friend tagged them in the photo and they want a way to avoid it, as well as a number of other complications related to their privacy on Facebook. Over the weekend one individual contacted me to let me know that he would be removing me as a friend from Facebook because he was “going to make a shift with my Facebook use - going to just mostly family stuff.” Perhaps he was tired of receiving my status updates or perhaps he didn’t want me to view photos from his personal life. Whatever the reason for ending our Facebook friendship, I figured that many people would benefit from a thorough overview on how to protect your privacy on Facebook. Below is a step by step process for protecting your privacy. [Editor: this posting was recommended by a knowledgeable MIRLN reader.]

SEC POSTS XBRL RULES: WHAT TO DO NOW (, 2 Feb 2009) - Last Friday, the SEC posted the adopting release for its new interactive data rules. This project has been an enormous effort on the part of the Corp Fin Staff under an extraordinarily tight timeframe. Under the new rules, filers will be required to provide a new exhibit containing the financial statements and any applicable financial statement schedules in interactive data format with certain Securities Act registration statements, quarterly reports, annual reports, transition reports, and current reports on Form 8-K or Form 6-K that contain revised or updated financial statements. The new requirements will be phased in as follows: [Read more, if this applies to you.] SEC release here:

************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

No comments: