Saturday, February 28, 2009

MIRLN --- 8-28 February 2009 (v12.03)

• Ponemon Study Shows Data Breach Costs Continue to Rise
• Lords: Rise of CCTV is Threat to Freedom
• NIST Updates Recommendations for IT Security Controls
• Change You Can Download
• ABA Social Network Fails to Connect
• Web 2.0 Defamation Lawsuits Multiply
• Congressman’s Twittering Raises Security Concerns
• More than 150 Banks Affected by Heartland Data Breach Thus Far
• Video Site’s Investors Not, On Role Alone, Liable for Alleged Infringements
• YouTube Goes Offline
• In ‘Fig Leaf’ Settlement with Jones Day, Website Agrees to Adjust Use of Links
• Where You’ve Been on Net Not Private, Canadian Judge Rules
• E-Invoicing in Europe
• How Attackers Use Your Metadata Against You
• Massachusetts Extends Compliance Deadline on Data Security Rules – Again
• Ninth Circuit Makes it More Difficult for Individuals to Challenge Government Searches of the Workplace
• As Data Collecting Grows, Privacy Erodes
• Facebook’s Users Ask Who Owns Information
o Facebook Backtracks on Terms of Use After Protests
o Facebook Opens Governance of Service and Policy Process to Users
• Let My Board and Me Become As One: The Wii Balance Board/Google Earth Mashup
• Visual Computer Forensic Analysis
• CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations
• DHS Names Chief Privacy Officer
• Surprise: America is No. 1 in Broadband
• Exiting Workers Taking Confidential Data With Them
• Cybersecurity Audit Guidelines Recommended
• Listen Up and Discover Audio Recordings
• Ten Steps for Mitigating Data Risk During a Merger
• Posting YouTube Video Without Subjects’ Consent Draws Fine From Spanish DPA
• Obama Administration Supports Telco Spy Immunity
• Judge Orders Defendant to Decrypt PGP-Protected Laptop


**** NEWS ****

PONEMON STUDY SHOWS DATA BREACH COSTS CONTINUE TO RISE (PGP Corporation, February 2009) - PGP Corporation, a global leader in enterprise data protection, and the Ponemon Institute, a privacy and information management research firm, today announced results of the fourth annual U.S. Cost of a Data Breach Study. According to the study which examined 43 organizations across 17 different industry sectors, data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Within that number, the largest cost increase in 2008 concerns lost business created by abnormal churn, meaning turnover of customers. Since the study’s inception in 2005, this cost component has grown by more than $64 on a per victim basis, nearly a 40% increase. The annual U.S. Cost of Data Breach Study tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. [There are separate studies for the US, the UK, and Germany – download them here:]

LORDS: RISE OF CCTV IS THREAT TO FREEDOM (The Guardian, 6 Feb 2009) - The steady expansion of the “surveillance society” risks undermining fundamental freedoms including the right to privacy, according to a House of Lords report published today. The peers say Britain has constructed one of the most extensive and technologically advanced surveillance systems in the world in the name of combating terrorism and crime and improving administrative efficiency. The report, Surveillance: Citizens and the State, by the Lords’ constitution committee, says Britain leads the world in the use of CCTV, with an estimated 4m cameras, and in building a national DNA database, with more than 7% of the population already logged compared with 0.5% in America. The cross-party committee, which includes Lord Woolf, a former lord chief justice, and two former attorneys general, Lord Morris and Lord Lyell, warns that “pervasive and routine” electronic surveillance and the collection and processing of personal information are almost taken for granted. Although many surveillance practices and data collection processes are unknown to most people, the expansion in their use represents “one of the most significant changes in the life of the nation since the end of the second world war”, the report says. The committee warns that the national DNA database could be used for “malign purposes”, challenges whether CCTV cuts crime and questions whether local authorities should be allowed to use surveillance powers at all. The peers say privacy is an “essential prerequisite to the exercise of individual freedom” and the growing use of surveillance and data collection needs to be regulated by executive and legislative restraint at all times.

NIST UPDATES RECOMMENDATIONS FOR IT SECURITY CONTROLS (GCN, 6 Feb 2009) - The National Institute of Standards and Technology has released an initial draft for public comment of a revised version of its Recommended Security Controls for Federal Information Systems and Organizations. Although this is Revision 3 of Special Publication (SP) 800-53, NIST calls it the first major update of the guidelines since their initial publication in December 2005. NIST tries to revisit its security guidance every two years and update it as needed, said senior computer scientist Ron Ross. But revising a 200-plus-page comprehensive set of recommendations is expensive and time-consuming. SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act (FISMA). It is intended to answer these questions:
• What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
• Have the selected security controls been implemented or is there a realistic plan for their implementation?
• What is the desired or required level of assurance (i.e. grounds for confidence) that the selected security controls, as implemented, are effective in their applications?
This update also is part of an effort to harmonize security requirements across government. NIST guidance typically does not apply to government information systems identified as national-security systems. Draft here:

CHANGE YOU CAN DOWNLOAD (Wikileaks, 8 Feb 2009) - Wikileaks has released nearly a billion dollars worth of quasi-secret reports commissioned by the United States Congress. The 6,780 reports, current as of this month, comprise over 127,000 pages of material on some of the most contentious issues in the nation, from the U.S. relationship with Israel to the financial collapse. Nearly 2,300 of the reports were updated in the last 12 months, while the oldest report goes back to 1990. The release represents the total output of the Congressional Research Service (CRS) electronically available to Congressional offices. The CRS is Congress’s analytical agency and has a budget in excess of $100M per year. Open government lawmakers such as Senators John McCain (R-Arizona) and Patrick J. Leahy (D-Vermont) have fought for years to make the reports public, with bills being introduced--and rejected--almost every year since 1998. The CRS, as a branch of Congress, is exempt from the Freedom of Information Act.
Although all CRS reports are legally in the public domain, they are quasi-secret because the CRS, as a matter of policy, makes the reports available only to members of Congress, Congressional committees and select sister agencies such as the GAO. [This is said to be the entire CRS electronic body of work back to 1990 in one slug – 2.16 gigs. CRS reports are here: and here:] Some examples: “Border Searches of Laptop Computers and Other Electronic Storage Devices”; “Broadband Internet Regulation and Access: Background and Issues”; “2008-2009 Presidential Transition: National Security Considerations and Options”; “Fair Use on the Internet: Copyright’s Reproduction and Public Display Rights”; “A Sketch of Supreme Court Recognition of Fifth Amendment Protection for Acts of Production”.

ABA SOCIAL NETWORK FAILS TO CONNECT (, 9 Feb 2009) - The American Bar Association has jumped on the social networking bandwagon with a site of its own, LegallyMinded. The ABA hopes to separate its site from the professional networking pack by combining the best features of the top social networking sites with substantive legal information from the ABA’s library. Ambitious as it is, the site falls short on execution. It jettisons features that should be central and weighs itself down with others that are useless or redundant. It is as if the ABA came late to a crowded race, barefoot and with bricks in its backpack. “We set out to do something different,” said Fred Faulkner, the ABA’s manager of interactive services in Chicago, in an article in the ABA Journal. “We looked at a lot of the professional and social networks, and the gap we found was that there truly wasn’t a good site that was a cross between professional and personal networking,” he said. I interviewed Faulkner, who explained that the goal was to combine the best features of sites such as LinkedIn and Facebook with high-quality content from the ABA and other sources. Given this, it is unfathomable why the ABA chose not to include the one feature that defines social networking sites -- connections. Users have no way to link with each other. Instead, a user’s only option is to add other members to a private “contacts” list that only the user can see.

WEB 2.0 DEFAMATION LAWSUITS MULTIPLY (SF Gate, 9 Feb 2009) - The Web 2.0 movement, which ushered in an interactive Internet, sought to put power in the hands of the people by tapping the so-called wisdom of the crowds to change the world - and to keep such a digital democracy in check. A decade later, as defamation lawsuits have begun to mount, some are questioning the wisdom of the crowds, and wondering if it hasn’t turned into mob rule. “I don’t know why this has taken so long,” said Andrew Keen, author of a controversial book, “The Cult of the Amateur: How Today’s Internet is Killing Our Culture.” “The Internet is a culture of rights rather than responsibilities. We have no coherent theory of digital responsibility. The issue has broken through, broken out of Silicon Valley - now it affects real people with real reputations to defend.” Just last week, Juicy Campus - a Web site that was banned from some colleges for its postings of vicious anonymous gossip - abruptly shut down, its traffic redirected to a site called College Anonymous Confession Board, whose owner said he hosts “a higher level of discourse.” Meanwhile, the review site Yelp, based in San Francisco, has found itself in the crosshairs of the free e-speech debate. Yvonne Wong, a pediatric dentist in Foster City, recently sued Los Altos couple Tai Jing and Jia Ma after they criticized her treatment of their son in a posting on Yelp. They questioned her use of laughing gas and said they were angry she had used fillings containing mercury. Wong’s lawyer, Marc TerBeek of Oakland, said the review is false, and Yelp has since taken it down. Legal scholars have started to ask whether that law - the Communications Decency Act - should be modified, on the grounds that it allows too much irresponsible speech. “We may put our photos on Flickr and our e-mail on Google and our personal experiences on Facebook,” said Brewster Kahle, who founded the Internet Archive, a nonprofit digital library in San Francisco. “But who’s responsible for this content? If you want things to go away, does it really?” See also

CONGRESSMAN’S TWITTERING RAISES SECURITY CONCERNS (, 11 Feb 2009) - The top Republican on the House intelligence committee landed in hot water this week after using his Twitter page to update the public on his precise whereabouts while traveling through Iraq and Afghanistan. The revelation prompted the Pentagon to review its policy, which regards such information as sensitive, and lit up the liberal blogosphere with accusations of hypocrisy. Rep. Pete Hoekstra says he did nothing wrong. He pointed to announcements by other high-ranking officials, including House Speaker Nancy Pelosi, which list the countries they plan to visit. “The policy that we have and that we did on this trip is consistent and well restrained from what other folks have done in the past,” said Hoekstra, R-Mich. But Hoekstra, who has decried the unauthorized leaking of classified information, provided far more details than a general itinerary, including at least a 12-hour heads-up that he was headed to Iraq.

MORE THAN 150 BANKS AFFECTED BY HEARTLAND DATA BREACH THUS FAR (ComputerWorld, 11 Feb 2009) - The number of financial institutions that have said they were affected by the data breach disclosed last month by Heartland Payment Systems Inc. is growing longer by the day and now includes banks in 40 states as well as Canada, Bermuda and Guam, according to the news portal. The Web site today published a list containing the names of 157 institutions that it said have publicly disclosed to customers that they were victimized as a result of the breach at Heartland, a large payment processor in Princeton, N.J. The list includes two banks in Bermuda, plus one each in Canada and Guam. Meanwhile, in another indication of the fallout from the breach, 83% of the 512 banks that responded to an informal “quick poll” survey conducted in late January by the Independent Community Bankers of America (ICBA) trade group said that credit or debit cards they had issued were compromised in the incident at Heartland.

VIDEO SITE’S INVESTORS NOT, ON ROLE ALONE, LIABLE FOR ALLEGED INFRINGEMENTS (BNA’s Internet Law News, 12 Feb 2009) - BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that investors who appear to have done little more than serve on the board of directors for an online video-sharing service cannot be held liable for the service’s alleged copyright infringement. The court said that a leadership role in a video-sharing corporation was not itself enough to substantiate claims of contributory or vicarious copyright infringement. Case name is UMG Recordings Inc. v. Veoh Networks Inc.

YOUTUBE GOES OFFLINE (YouTube and Larry Lessig’s blog, 12 Feb 2009) - We are always looking for ways to make it easier for you to find, watch, and share videos. Many of you have told us that you wanted to take your favorite videos offline. So we’ve started working with a few partners who want their videos shared universally and even enjoyed away from an Internet connection. Many video creators on YouTube want their work to be seen far and wide. They don’t mind sharing their work, provided that they get the proper credit. Using Creative Commons licenses, we’re giving our partners and community more choices to make that happen. Creative Commons licenses permit people to reuse downloaded content under certain conditions. We’re also testing an option that gives video owners the ability to permit downloading of their videos from YouTube. Partners could choose to offer their video downloads for free or for a small fee paid through Google Checkout. Partners can set prices and decide which license they want to attach to the downloaded video files (for more info on the types of licenses, take a look here). For example, universities use YouTube to share lectures and research with an ever-expanding audience. In an effort to promote the sharing of information, we are testing free downloads of YouTube videos from Stanford, Duke, UC Berkeley, UCLA, and UCTV (broadcasting programs from throughout the UC system). YouTube users who are traveling or teachers who want to show these videos in classrooms with limited or no connectivity should find this particularly useful.

IN ‘FIG LEAF’ SETTLEMENT WITH JONES DAY, WEBSITE AGREES TO ADJUST USE OF LINKS (ABA Journal, 12 Feb 2009) - In a “fig leaf” settlement entered into by BlockShopper after it racked up a six-figure legal defense bill in a controversial federal trademark infringement lawsuit, the website has agreed to alter the way it describes home purchases by Jones Day attorneys. Instead of simply “deep linking” the name of a Jones Day attorney buying a home to his or her law firm biography, BlockShopper has agreed to do so in a manner specified by the law firm, reports the Cleveland Plain Dealer. A copy of the settlement agreement is provided by the Am Law Daily. Under the new format agreed to in the settlement, BlockShopper will link the Jones Day law firm biography to a spelled-out law firm Web address following the lawyer’s name, Brian Timpone, the website’s founder, tells the ABA Journal. “In other words,” the Plain Dealer explains, “instead of writing ‘Daniel P. Malone Jr. is an associate in the Chicago office of Jones Day,’”—and linking the law firm biography to Malone’s name—“BlockShopper must write ‘Malone ( is an associate ... .’” Settlement agreement here: [Editor: seems predicated on the assumption that people actually read complex URLs. Not a happy ending. Acerbic TechDirt story here:]

WHERE YOU’VE BEEN ON NET NOT PRIVATE, CANADIAN JUDGE RULES (National Post, 13 Feb 2009) - An Ontario Superior Court ruling could open the door to police routinely using Internet Protocol addresses to find out the names of people online, without any need for a search warrant. Justice Lynne Leitch found that there is “no reasonable expectation of privacy” in subscriber information kept by Internet service providers (ISPs), in a decision issued earlier this week. The decision is binding on lower courts in Ontario and it is the first time a Superior Court-level judge in Canada has ruled on whether there are privacy rights in this information that are protected by the Charter. The ruling is a significant victory for police investigating crimes such as possession of child pornography, while privacy advocates warn there are broad implications even for law-abiding users of the Internet. The ruling by Judge Leitch was made in a possession of child pornography case in southwestern Ontario. A police officer in St. Thomas faxed a letter to Bell Canada in 2007 seeking subscriber information for an IP address of an Internet user allegedly accessing child pornography. The court heard that it was a “standard letter” that had been previously drafted by Bell and the officer “filled in the blanks” with a request that stated it was part of a child sexual exploitation investigation. Bell provided the information without asking for a search warrant.

E-INVOICING IN EUROPE (McGinnis Lochridge, 13 Feb 2009) - On 28 January 2009 the Commission of the European Union proposed an overhaul of the 2006 EU Directive on Invoicing (Directive 2006/112/EC). If approved, this new Directive will fundamentally change how electronic invoicing is conducted in Europe and will affect all companies doing business in Europe. The proposed new Directive would make electronic invoices equivalent in all respects to paper ones. It would eliminate the requirement that advanced electronic signatures be used in electronic invoices and would eliminate the requirement that the recipient of the invoice consent to receive it in electronic form. Observing that the Member States’ disparate requirements for advanced electronic signatures have created significant obstacles to the adoption of electronic invoices, the Commission now wishes to harmonize member state requirements for electronic invoices by, among other things, abolishing the need for invoices to include advanced electronic signatures. In the original 2006 Directive on VAT Invoicing, Title XI, Chapter 3, Section 5 governed the use of electronic invoices. Article 232 of the original directive allowed enterprises to use electronic invoices only if the recipient consented to receive electronic invoices. Article 233 required electronic invoices to assure integrity of content and authenticity of origin by means of either an advanced electronic signature, EDI or “other electronic means allowed by the Member States”. The proposed new Directive would amend Article 232 to say that invoices can always be sent by paper or “made available” electronically, thus deleting the requirement of recipient consent. The new directive would delete Article 233 and the requirement to use advanced electronic signatures entirely. Proposed new Directive is here:

HOW ATTACKERS USE YOUR METADATA AGAINST YOU (DarkReading, 13 Feb 2009) - To steal your identity, a cybercriminal doesn’t have to have direct access to your bank account or other personal information. Often, he collects information about you from a variety of seemingly innocuous sources, then uses that data to map out a strategy to crack your online defenses and drain your accounts. Such methods are well-known to security professionals. But what those same professionals often overlook is that this approach also can be used to crack the defenses of sensitive business files. Rather than trying to gain access to your data itself, the bad guys are analyzing the so-called harmless information about your files -- collectively known as metadata -- and using it to develop attacks that can drain your business of its most sensitive information. Armed with this data, an attacker can target users, as well as the computing environment within their enterprises. Several instances of metadata mishaps have been in the news in recent years. In one case, attackers used data they collected from the “track changes” feature in Microsoft Word. In another case, they took advantage of failed attempts to black out data in PDF files. These cases make it clear: Once your documents leave the internal network -- either through email or Web publishing -- those files and the metadata they contain are fair game for attackers. Many security professionals know about metadata, but they don’t really know how it can be used against their organizations. The first stage of leveraging metadata for an attack is gathering it. Both attackers and pen testers have a bevy of tools available solely for this purpose. Two readily-available hacking tools -- MetaGooFil and CeWL -- were created to expedite the collection process by automating the search, download, and extraction of metadata from documents available on the Internet. MetaGooFil was the first tool on the scene, and it uses Google to search for files of a specific type. Once it finds and downloads files, the metadata is extracted and displayed in an HTML report that shows the information found in each file. The end of the report includes a summary of authors and file paths -- information that can be important later on, during other attack phases. CeWL takes a different approach, spidering a Website to create a word list that can be used for password brute-forcing. It can also collect email addresses, authors, and user names from metadata found in Microsoft Office documents. Included with CeWL is a “Files Already Bagged” (FAB) tool that processes files already acquired. Metadata is also helpful in social engineering attacks. Knowing the five different authors of a document, an attacker can “drop names” via the phone to make his scheme seem more credible. Similarly, location information contained in photos could be mentioned, making the calls seem more legit. Spear-phishing email could target all of the authors who worked on one particular document. Knowing which version of software was used to create the file, an attacker could also email client-side exploits to individuals who use particularly vulnerable versions of Microsoft Word or PowerPoint. Metadata can also help with physical theft. For example, users may post images to Flickr or Twitter from a phone that enables geotagging. This information can give attackers the location of a target’s home or business, and where he might be on a daily basis. Similarly, the MAC address of the system can indicate the type of hardware used, making it easier to identify mobile workers who are likely to have laptops that are kept in places where they might be easy to steal.
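The fields the article describes harvesters collecting (authors, last editor, application version, company, revision counts) live in two small XML parts of every Office Open XML package. The pre-publication audit below is an added example, not code from the DarkReading article or from MetaGooFil/CeWL: it reads those parts the way a harvester would, reports what an outsider would learn, and writes a scrubbed copy. The sample .docx, the user names and the company are constructed for the demo.

```python
"""Pre-publication metadata audit for Office Open XML (.docx/.xlsx/.pptx) packages.

Added example (editor's code, not the article's). It inspects docProps/core.xml and
docProps/app.xml, the parts metadata harvesters read, flags identity- and
software-revealing fields, and emits a scrubbed copy. Sample document is constructed
in memory so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespaces used by the two property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Core fields that name people or expose editing history.
CORE_FIELDS = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy", "revision": "cp:revision"}
# Extended fields that fingerprint the producing software and organisation.
APP_FIELDS = ["Application", "AppVersion", "Company", "Template", "TotalTime"]


def build_sample_docx() -> bytes:
    """Construct a minimal package carrying typical leaked fields (constructed sample data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        '<dc:title>Q3 Vendor Pricing</dc:title>'
        '<dc:creator>jane.doe</dc:creator>'
        '<cp:lastModifiedBy>EXAMPLE\\bsmith</cp:lastModifiedBy>'
        '<cp:revision>37</cp:revision>'
        '</cp:coreProperties>'
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s">'
        '<Application>Microsoft Office Word</Application>'
        '<AppVersion>12.0000</AppVersion>'
        '<Company>Example Corp</Company>'
        '<Template>Normal.dotm</Template>'
        '</Properties>'
    ) % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # stand-in parts; only docProps matter here
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the identity- and software-revealing fields present in the two docProps parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in CORE_FIELDS.items():
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            for key in APP_FIELDS:
                el = root.find(f"ep:{key}", NS)
                if el is not None and el.text:
                    found[key] = el.text
    return found


def audit(docx_bytes: bytes) -> list:
    """Pair each recovered field with the risk the article describes for it."""
    findings = []
    for key, value in extract_metadata(docx_bytes).items():
        if key in ("creator", "lastModifiedBy", "Company"):
            why = "names a person/organisation: spear-phishing and name-dropping material"
        elif key in ("Application", "AppVersion"):
            why = "reveals producing software version: exposure to version-specific client exploits"
        else:
            why = "editing-history detail: revision count, template or edit time"
        findings.append((key, value, why))
    return findings


def _strip(xml_bytes: bytes, paths) -> bytes:
    """Remove the listed elements from one property part and re-serialise it."""
    root = ET.fromstring(xml_bytes)
    for path in paths:
        for el in root.findall(path, NS):
            root.remove(el)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the package with the sensitive fields removed; other parts are untouched."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)   # keep the original prefixes in the rewritten XML
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = _strip(data, CORE_FIELDS.values())
            elif item.filename == "docProps/app.xml":
                data = _strip(data, [f"ep:{k}" for k in APP_FIELDS])
            dst.writestr(item, data)
    return out.getvalue()


def list_parts(docx_bytes: bytes) -> list:
    """Names of all parts in the package, to confirm scrubbing kept the document content."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_sample_docx()
    for key, value, why in audit(sample):
        print(f"{key:15} {value!r:22} {why}")
    clean = scrub_metadata(sample)
    print("after scrub:", extract_metadata(clean) or "no identifying fields left")
```

Run the same two functions over a directory of files staged for a public web server and the report is essentially what MetaGooFil would produce for an outsider, before the documents leave the network.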

MASSACHUSETTS EXTENDS COMPLIANCE DEADLINE ON DATA SECURITY RULES - AGAIN (ComputerWorld, 13 Feb 2009) - For the second time in three months, Massachusetts officials have pushed back the deadline for companies to comply with a controversial set of data security regulations that the state announced last September. In addition to the deadline extension, which was announced late yesterday, the state’s Office of Consumer Affairs and Business Regulation (OCABR) also revised a key provision in the regulations that had prompted considerable concern within the business community both inside and outside of Massachusetts. Under the new deadline, businesses now have until the start of next year to comply with the regulations, which are aimed at protecting the personal data of Massachusetts residents. Prior to the extension, the compliance deadline was May 1. That date was set in November, when the OCABR extended its original deadline of Jan. 1. In a statement yesterday, OCABR undersecretary Daniel Crane said that given the importance of the data-protection mandate, state officials decided it was necessary to give companies more time to make the necessary changes to their systems and business processes. Crane also cited the economic recession.

NINTH CIRCUIT MAKES IT MORE DIFFICULT FOR INDIVIDUALS TO CHALLENGE GOVERNMENT SEARCHES OF THE WORKPLACE (Steptoe & Johnson’s E-Commerce Law Week, 14 Feb 2009) - A ruling handed down by the Ninth Circuit early this month could make it more difficult for a business owner or employee to challenge a government search of her workplace and its computers. In United States v. SDI Future Health, Inc., the Ninth Circuit ruled that, “except in the case of a small, family-run business over which an individual exercises daily management and control, an individual challenging a search of workplace areas beyond his own internal office must generally show some personal connection to the places searched and the materials seized.” The dispute in this case centered around a warrant the government was granted to search the offices and computers of SDI Future Health for evidence that it had engaged in Medicare fraud. Based on evidence seized during its search, the government won an indictment against SDI, its president and part-owner Todd Kaplan, and SDI officer and part-owner Jack Brunk. A district court granted the defendants’ motion to suppress evidence obtained using the search warrant on the ground that the warrant was vague and overbroad. On appeal, the Ninth Circuit agreed that some portions of the warrant were overbroad, but held that the district court had not properly established that Kaplan and Brunk had standing to challenge the search. Decision here:

AS DATA COLLECTING GROWS, PRIVACY ERODES (New York Times, 16 Feb 2009) – There are plenty of people who can muster outrage at Alex Rodriguez, the Yankees third baseman who is the latest example of win-at-any-cost athletes. But I’d prefer to see him as at the cutting edge of another scourge — the growing encroachment on privacy. The way Mr. Rodriguez’s positive steroid test result became public followed a path increasingly common in the computer age: third-party data collection. We are typically told that personal information is anonymously tracked for one reason — usually something abstract like making search results more accurate, recommending book titles or speeding traffic through the toll booths on the thruways. But it is then quickly converted into something traceable to an individual, and potentially life-changing. In Mr. Rodriguez’s case, he participated in a 2003 survey of steroid use among Major League Baseball players. No names were to be revealed. Instead, the results were supposed to be used in aggregation — to determine if more than 5 percent of players were cheating — and the samples were then to be destroyed. It is odd that most of the news coverage described the tests as “anonymous.” If the tests were truly anonymous, of course, Mr. Rodriguez would still be thought of as a clean player — as he long had insisted he was. But when federal prosecutors came calling, as part of a steroid distribution case, it turned out that the “anonymous” samples suddenly had clear labels on them. As a friend put it in an e-mail message: “Privacy is serious. It is serious the moment the data gets collected, not the moment it is released.” To Jonathan Zittrain, a professor of Internet law at Harvard, there is an obvious explanation for this kind of repurposing of information — there is so much information out there. Supply creates demand, he argues. “This is a broader truth about the law,” he writes in an e-mail message. “There are often no requirements to keep records, but if they’re kept, they’re fair game for a subpoena.” And we are presented with what Professor Zittrain calls the “deadbeat dad” problem. There are government investigators, divorcing spouses, even journalists, who have found creative ways to exploit the material. “So many databases,” he writes, “as simple as highway toll collection records or postal service address changes, lend themselves to other uses, such as finding parents behind on their child support payments.” Perhaps a more direct explanation is that data collection is part of what Cindy Cohn, the legal director of the Electronic Frontier Foundation, calls “the surveillance business model.” That is, there is money to be made from knowing your customers well — with a depth unimaginable before Internet cookies allowed companies to track online behavior obsessively.

FACEBOOK’S USERS ASK WHO OWNS INFORMATION (New York Times, 16 Feb 2009) - Reacting to an online swell of suspicion about changes to Facebook’s terms of service, the company’s chief executive moved to reassure users on Monday that the users, not the Web site, “own and control their information.” The online exchanges reflected the uneasy and evolving balance between sharing information and retaining control over that information on the Internet. The subject arose when a consumer advocate’s blog shined an unflattering light onto the pages of legal language that many users accept without reading when they use a Web site. The pages, called terms of service, generally outline appropriate conduct and grant a license to companies to store users’ data. Unknown to many users, the terms frequently give broad power to Web site operators. This month, when Facebook updated its terms, it deleted a provision that said users could remove their content at any time, at which time the license would expire. Further, it added new language that said Facebook would retain users’ content and licenses after an account was terminated. Mark Zuckerberg, the chief executive of Facebook, said in a blog post on Monday that the philosophy “that people own their information and control who they share it with has remained constant.” Despite the complaints, he did not indicate the language would be revised. The changes in the terms of service had gone mostly unnoticed until Sunday, when the blog Consumerist cited them and interpreted them to mean that “anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later.” Given the widespread popularity of Facebook — by some measurements the most popular social network with 175 million active users worldwide — that claim attracted attention immediately. The blog post by Consumerist, part of the advocacy group Consumers Union, received more than 300,000 views. 
Users created Facebook groups to oppose the changes. To some of the thousands who commented online, the changes meant: “Facebook owns you.” Facebook moved swiftly to say it was not claiming to own the material that users upload. It said the terms had been updated to better reflect user behavior — for instance, to acknowledge that when a user deletes an account, any comments the user had posted on a page remain visible. Consumerist blog posting here:

- and -

FACEBOOK BACKTRACKS ON TERMS OF USE AFTER PROTESTS (, 18 Feb 2009) - In an about-face following a torrent of online protests, Facebook is backing off a change in its user policies while it figures out how best to resolve questions like who controls the information shared on the social networking site. The site, which boasts 175 million users from around the world, had quietly updated its terms of use -- its governing document -- a couple of weeks ago. The changes sparked an uproar after a popular consumer rights advocacy blog pointed them out Sunday, in a post titled “Facebook’s New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’” Facebook has since sought to reassure its users -- tens of thousands of whom had joined protest groups on the site -- that this is not the case. And on Wednesday morning, users who logged on to Facebook were greeted by a message saying that the site is reverting to its previous terms of use policies while it resolves the issues raised. Facebook spelled out, in plain English rather than the legalese that prompted the protests, that it “doesn’t claim rights to any of your photos or other content. We need a license in order to help you share information with your friends, but we don’t claim to own your information.” Jonathan Zittrain’s musings on all this: [Editor: at a Berkman lunch last week, a notable observed that nobody reads terms-of-service. In acting as our watchdog, the Consumerist, and like organizations, serve an important public service.]

- and -

FACEBOOK OPENS GOVERNANCE OF SERVICE AND POLICY PROCESS TO USERS (Facebook PR, 26 Feb 2009) - Facebook today announced a new approach to site governance that offers its users around the world an unprecedented role in determining the future policies governing the service. Facebook released the first proposals subject to these new procedures – The Facebook Principles, a set of values that will guide the development of the service, and a Statement of Rights and Responsibilities that makes clear Facebook’s and users’ commitments related to the service. Over the coming weeks, users will have the opportunity to review, comment and vote on these documents. An update to the Privacy Policy is also planned, and this change will be subject to similar input. “As people share more information on services like Facebook, a new relationship is created between Internet companies and the people they serve,” said Mark Zuckerberg, founder and CEO of Facebook. “The past week reminded us that users feel a real sense of ownership over Facebook itself, not just the information they share.” “Companies like ours need to develop new models of governance,” Zuckerberg added. “Rather than simply reissue a new Terms of Use, the changes we’re announcing today are designed to open up Facebook so that users can participate meaningfully in our policies and our future.”

LET MY BOARD AND ME BECOME AS ONE: THE WII BALANCE BOARD/GOOGLE EARTH MASHUP (, 17 Feb 2009) - With just a touch smoother scrolling (chalked up, surely, to the program itself), this could feel amazing: Germany’s Research Center for Artificial Intelligence has hacked together a Wii balance board with Google Earth to go surfing, as Kottke says, “like the Silver Surfer.”
Or, if you please, the same interaction can be used in Second Life, or -- as made the rounds earlier last year -- World of Warcraft’s Azeroth, but there’s nothing better than their tour-glide over Munich from 300 feet. [Editor: pretty cool demo video. Even cooler is Johnny Lee’s Wii-3D headtracking demo from 21 December 2007 out of CMU:]

VISUAL COMPUTER FORENSIC ANALYSIS (, 17 Feb 2009) - Computer forensics is a slow process. Examiners typically embark on a tedious file review process to determine each file’s relevance to a particular case. This can quickly add hours and extra costs to computer forensics. However, recent research presented at the Black Hat 2008 conference in Las Vegas may curb that trend. Researchers Greg Conti and Erik Dean from the United States Military Academy, West Point, adapted a new concept to computer forensics: visualization. The researchers demonstrated how visual computer forensic methods can dramatically reduce the time it takes to review files. To understand the benefits of visual forensic analysis, one must understand the state of the art in computer forensic analysis. A typical computer investigation requires an individual analysis of each file on a computer system. Some files can easily be ruled out by matching them to known files that have already been analyzed, such as system files. Unfortunately, the hundreds of thousands of files remaining must be analyzed by an examiner. A typical file examination requires that the file be examined in its native application (or a suitable viewer). Therefore, examination of one file can be different than the examination of another. For example, a JPEG file is loaded into an image viewer. A Microsoft Word document is loaded into its associated viewer instead of an image viewer. An executable (program or application) file can be examined in a debugging tool called a disassembler. And a pure binary file can be viewed with a hexadecimal viewer. The process above begins to break down when the examiner analyzes a file type that he or she cannot readily determine or identify. There are some ways an examiner can attempt to determine a file’s type with signature analysis or an educated guess based on the file extension. But neither of these approaches guarantees the correct answer the first time. 
Visual computer forensics lends a hand with this problem. By loading the unknown file into the free visual forensics tools developed by Conti and Dean, an examiner can identify an unknown file by the way its data looks. This differs from the standard matching techniques used today, which compare a few bytes at the beginning and end of a file with the known values of known file types. Structured files, such as Internet browsing history files, tend to have discrete structures within their contents, while compressed or encrypted files have high levels of entropy because of how compression and encryption algorithms work. The visualized contents of compressed or encrypted files tend to look random when compared with uncompressed or unencrypted files. The following screenshots show the difference between structured files and compressed/encrypted files when viewed with a visual computer forensics tool developed by Conti and Dean: [Editor: there’s much more.]
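As an added example (not Conti and Dean's tool, nor code from the article), the following Python shows the entropy idea behind visual triage: whole-file and per-block Shannon entropy plus a coarse byte-class plot, run over constructed samples (browser-history-like records, the same records compressed with zlib, and a deterministic SHA-256 counter chain standing in for ciphertext). The 7.0 bits/byte threshold, the block size and all sample data are assumptions.

```python
"""Entropy-based triage of unknown files (constructed, stand-alone example).

Structured files reuse a small alphabet in repeating fields, so their entropy
is well below 8 bits/byte; compressed or encrypted content is close to uniform
and "looks random".  Per-block entropy additionally locates a high-entropy
region embedded in an otherwise structured file.
"""
import hashlib
import math
import zlib
from collections import Counter

HIGH_ENTROPY = 7.0   # assumed threshold in bits/byte; plain text sits near 4-5
BLOCK_SIZE = 512     # assumed block size for the per-block view


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each fixed-size block, in file order."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def high_entropy_regions(data: bytes, block_size: int = BLOCK_SIZE,
                         threshold: float = HIGH_ENTROPY) -> list:
    """Byte ranges (start, end) covered by consecutive blocks above threshold."""
    regions, start = [], None
    for idx, ent in enumerate(block_entropies(data, block_size)):
        if ent > threshold and start is None:
            start = idx * block_size
        elif ent <= threshold and start is not None:
            regions.append((start, idx * block_size))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def classify(data: bytes) -> str:
    """Coarse label from whole-file entropy."""
    return "compressed/encrypted" if shannon_entropy(data) > HIGH_ENTROPY else "structured"


def byte_class_plot(data: bytes, width: int = 64, rows: int = 4) -> str:
    """Text stand-in for a byte plot: ' ' = 0x00, '.' = printable, '#' = other."""
    def glyph(b: int) -> str:
        if b == 0:
            return " "
        return "." if (0x20 <= b < 0x7F or b in (9, 10, 13)) else "#"
    lines = []
    for r in range(rows):
        chunk = data[r * width:(r + 1) * width]
        if not chunk:
            break
        lines.append("".join(glyph(b) for b in chunk))
    return "\n".join(lines)


def structured_sample(records: int = 1000) -> bytes:
    """Constructed browser-history-like records: repeated fields, low entropy."""
    lines = (f"URL http://example.test/page{i:04d}.html "
             f"VISIT 2009-02-{i % 28 + 1:02d}T{i % 24:02d}:{i % 60:02d} "
             f"TITLE Page {i}\n" for i in range(records))
    return "".join(lines).encode("ascii")


def compressed_sample() -> bytes:
    """The structured sample run through zlib: same content, now high entropy."""
    return zlib.compress(structured_sample())


def pseudo_ciphertext(length: int) -> bytes:
    """Deterministic stand-in for encrypted bytes (SHA-256 counter chain)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(b"mirln-example" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def mixed_sample() -> bytes:
    """Structured records with a pseudo-ciphertext blob appended at the end."""
    return structured_sample(200) + pseudo_ciphertext(4096)


if __name__ == "__main__":
    for name, data in (("history-like", structured_sample()),
                       ("zlib-compressed", compressed_sample()),
                       ("pseudo-ciphertext", pseudo_ciphertext(4096))):
        print(f"{name:18s} {shannon_entropy(data):.2f} bits/byte -> {classify(data)}")
        print(byte_class_plot(data), "\n")
    print("high-entropy regions in mixed file:", high_entropy_regions(mixed_sample()))
```

The region finder is the general form of what the article describes for whole files: a structured container with an encrypted or compressed payload inside shows up as a run of high-entropy blocks rather than as a uniformly random file.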

CVS CAREMARK SETTLES FTC CHARGES: FAILED TO PROTECT MEDICAL AND FINANCIAL PRIVACY OF CUSTOMERS AND EMPLOYEES; CVS PHARMACY ALSO PAYS $2.25 MILLION TO SETTLE ALLEGATIONS OF HIPAA VIOLATIONS (FTC, 18 Feb 2009) - CVS Caremark has agreed to settle Federal Trade Commission charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company’s pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA). The FTC’s complaint charges that CVS Caremark failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws. In particular, according to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

DHS NAMES CHIEF PRIVACY OFFICER (CNET, 19 Feb 2009) - U.S. Homeland Security Secretary Janet Napolitano announced on Thursday she is appointing attorney Mary Ellen Callahan as the department’s chief privacy officer. “Homeland security and privacy are not mutually exclusive, and having a seasoned professional like Mary Ellen on the team further ensures that privacy is built in to everything we do,” Napolitano said. “Our Privacy Office is viewed as a leader in the federal government in public outreach and as model for Privacy Impact Assessments. I look forward to the skill and experience Mary Ellen will bring to this robust and important office.” Callahan currently serves as a partner at the law firm Hogan & Hartson, where she counsels online companies, trade associations, and other corporations on antitrust, e-commerce, and privacy-related issues. She has helped companies draft their Web site privacy policies and terms of use and counsels corporations on developing legally compliant e-mail marketing campaigns.

SURPRISE: AMERICA IS NO. 1 IN BROADBAND (New York Times, 23 Feb 2009) - There is a constant refrain that the United States is falling behind in broadband, as if the speed of Internet service in Seoul represents a new Sputnik that is a challenge to national security. It’s certainly true that in some countries, like South Korea, far more homes have broadband connections than in the United States. And the speeds in some countries are far higher than is typical here. But there are many ways to measure the bandwidth wealth of nations. At the Columbia/Georgetown seminar on the broadband stimulus yesterday, I heard Leonard Waverman, the dean of the Haskayne School of Business at the University of Calgary, describe a measure he developed called the “Connectivity Scorecard.” It’s meant to compare countries on the extent that consumers, businesses and government put communication technology to economically productive use. Even after deducting the untold unproductive hours spent on Facebook and YouTube, the United States comes out on top in Mr. Waverman’s ranking of 25 developed countries. The biggest reason is that business in the United States has made extensive use of computers and the Internet and it has a technically skilled work force. Also, as dusty as your local motor vehicle office may seem, government use of communications technology is as good in the United States as anywhere in the world, according to Mr. Waverman’s rankings. After the United States, the ranking found that Sweden, Denmark, the Netherlands, and Norway rounded out the five most productive users of connectivity. Japan ranked 10, and Korea, 18. And while wired and wireless broadband networks used by consumers lagged other countries, the United States ranked No. 1 in the world for technology use and skills by consumers. 
(This was measured by comparing countries on five measures: The penetration of Internet use, penetration of Internet banking, wired and wireless voice minutes per capita, SMS messages per capita, and consumer software spending.) Report here:

EXITING WORKERS TAKING CONFIDENTIAL DATA WITH THEM (CNET, 23 Feb 2009) - As layoffs continue apace, a survey released on Monday shows what many companies fear--exiting workers are taking a lot more with them than just their personal plants and paperweights. Of about 950 people who said they had lost or left their jobs during the last 12 months, nearly 60 percent admitted to taking confidential company information with them, including customer contact lists and other data that could potentially end up in the hands of a competitor for the employee’s next job stint. “I don’t think these people see themselves as being thieves or as stealing,” said Larry Ponemon, founder of the Ponemon Institute, which conducted the online survey last month. “They feel they have a right to the information because they created it or it is useful to them and not useful to the employer.” The survey also found a correlation between people who took data they shouldn’t have taken and their attitude towards the company they are leaving. More than 60 percent of those who stole confidential data also reported having an unfavorable view of the company. And nearly 80 percent said they took it without the employer’s permission. Most of the data takers (53 percent) said they downloaded the information onto a CD or DVD, while 42 percent put it on a USB drive and 38 percent sent it as attachments via e-mail, according to the survey. The survey also found that many companies seem to be lax in protecting against data theft during layoffs. Eighty-two percent of the respondents said their employers did not perform an audit or review of documents before the employee headed out the door and 24 percent said they still had access to the corporate network after leaving the building.

CYBERSECURITY AUDIT GUIDELINES RECOMMENDED (FCW, 23 Feb 2009) - A group of cybersecurity experts today recommended twenty specific security controls that the government and industry should deploy to block or lessen the consequences of cyberattacks that come from inside and outside threats. The recommended controls are meant to provide a standard baseline for measuring computer security. The recommendations, the Consensus Audit Guidelines, were agreed to by federal and private industry cybersecurity officials and are based on specific experiences in dealing with particular attacks directed at government and the defense industrial base’s information systems. The group also detailed the types of cyberattacks that each recommended security control could thwart, how the control could be implemented, and how to evaluate its effectiveness. Alan Paller, the director of research at the SANS Institute who worked on the guidelines, said the strategy is significant because it has specific actions for agencies to take and a way to measure their effectiveness, something he said the Government Accountability Office has been requesting. He said the project, started in early 2008, was inspired by the realization that the defense industrial base’s systems had been deeply penetrated. CAG/guidelines here: [Editor: this may be a very big deal – the CAG potentially will become “best-practice” and de facto requirements.]

LISTEN UP AND DISCOVER AUDIO RECORDINGS (, 25 Feb 2009) - As most IT professionals already know, courtesy of Federal Rules of Civil Procedure Rule 34(a), audio files are now fully discoverable. This has led many IT professionals to create and implement procedures that record and store telephone conversations and other electronic interactions originating from and connected to their company’s client orders. These new protocols specifically address sound content from call desks, trading desks, phone systems and, of course, VoIP. IT professionals have enacted these procedures in an effort to keep up with one of the newest trends in mainstream e-discovery: sound recordings. The need for IT professionals to bring audio recordings into their general e-discovery process is gaining awareness because of situations that may -- at first glance -- appear harmless. Think about a scenario where a company employee is having a phone dialogue with one customer and at the same time sending e-mails to another. This may seem innocuous on the surface; the two interactions seem separate and unconnected, with no suggestion of any illegality. However, if one listens to the audio in the context of the e-mail exchange, it may paint an entirely different picture. In reality, the full picture may show that the employee was using information received from the person with whom he or she was exchanging instant messages or e-mails to his or her advantage when speaking with the other customer on the phone. Connecting these two actions is nearly impossible through discovery of written messages alone. IT professionals are now tasked with bridging this gap by creating an integrated business information system that accounts for all written and audio business content. Failure by IT professionals to enact such an integrated data management system can be fatal.
The absence of a viable, synchronized information protocol results in businesses pursuing various recording discovery procedures that are distinct from the ordinary chain of custody mandate. Consequently, sound recordings and e-mails are not tagged in a similar fashion, and there is no method to directly connect them to one another. Furthermore, the ability to fashion a timeline as to when these exchanges happened becomes more complicated for IT professionals to generate. This in turn leaves in-house counsel at a palpable loss and incapable of viewing the interconnectedness between the diverse messages.

TEN STEPS FOR MITIGATING DATA RISK DURING A MERGER (InfoWorld, 25 Feb 2009) - Merger and acquisition activity stands to increase as global markets struggle to stay afloat during the worst economic slowdown in decades. What will you do when you find out you’re about to acquire or consolidate with another firm or division? Are you aware of the risks you may be inheriting? What data is going to demand the highest availability? What IT regulations will you have to address and how do you know if existing controls already address them? Below are 10 “data health” checks a CIO can conduct to answer these questions before giving a green light to a merger, acquisition, or consolidation.
Step one: Assess your data
From a data perspective, the first step needs to be an assessment of the independent data assets of each organization participating in the merger. If you do not know what data exists before the acquisition, gaining this understanding after combining the data, if it can be combined at all, will be extremely difficult. The task at hand will be simpler if both organizations practiced strong data governance. This is rarely the case though.

Step two: Plug the governance gaps
After completing an honest assessment of where each organization stands in terms of data governance, the next step needs to be plugging the gaps. Work toward creating a definition of data that is not well understood or undocumented. Do not turn this into a long process; define what data you have and where it is stored. Consider using tools like data dictionaries and repositories and consult the subject matter experts (business users, programmers, data architects, etc.) at each organization for this information.

Step three: Leverage the M&A for governance improvements
Use the acquisition as a springboard for instituting new or stronger data governance policies and procedures. Lack of insight into important business data can be a strong motivational tool for implementing improved data management practices.

POSTING YOUTUBE VIDEO WITHOUT SUBJECTS’ CONSENT DRAWS FINE FROM SPANISH DPA (Steptoe & Johnson’s E-Commerce Law Week, 26 Feb 2009) - The Spanish Data Protection Agency (DPA) recently ruled that individuals who post pictures or videos of “identifiable persons” without the consent of those photographed or filmed face liability under Spain’s Law 15/1999, On the Protection of Personal Data (LOPD). The Spanish DPA held that, by posting a video of several youths taunting an allegedly paranoid schizophrenic individual to YouTube without the consent of those depicted, an individual identified as “Mr. R.R.R.” committed a “serious” violation of the LOPD. While such violations are punishable by more than € 60,000 in fines, the Spanish DPA chose to impose a reduced penalty of € 1,500, stressing that the poster of the video had promptly removed it of his own accord after it was reported on by the news media. But even this diminished fine could scare Spanish users away from posting images or movies to social networking and other public websites, potentially cutting off the flow of the user-generated content on which these websites depend.

OBAMA ADMINISTRATION SUPPORTS TELCO SPY IMMUNITY (Wired, 26 Feb 2009) - The Obama administration vigorously defended congressional legislation late Wednesday that immunizes U.S. telecommunication companies from lawsuits about their participation in the Bush administration’s domestic spy program. It was the first time the Obama administration weighed in on a federal court challenge questioning the legality of the legislation President Barack Obama voted for as an Illinois senator in July. “Accordingly, the court should now promptly dismiss these actions,” the Justice Department wrote U.S. District Judge Vaughn Walker of San Francisco late Wednesday. Obama opposed immunity but voted for it because it was included in a new spy bill that gave the U.S. presidency broad, warrantless-surveillance powers. Justice Department spokesman Matthew Miller said in a statement that the immunity bill “is the law of the land, and as such the Department of Justice defends it in court.” DOJ letter here:

JUDGE ORDERS DEFENDANT TO DECRYPT PGP-PROTECTED LAPTOP (CNET, 26 Feb 2009) - A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age. In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted. “Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,” Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested. Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment. At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is “testimonial,” meaning that it triggers Fifth Amendment protections.

**** LOOKING BACK ****
U.S. AGENCIES EARN D-PLUS ON COMPUTER SECURITY (, 16 Feb 2005) -- The overall security of computer systems inside the largest U.S. government agencies improved marginally since last year but still merits only a D-plus on the latest progress report from Congress. The departments of Transportation, Justice and the Interior made remarkable improvements, according to the rankings, which were compiled by the House Government Reform Committee and based on reports from each agency’s inspector general. But seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country’s computer networks. “Several agencies continue to receive failing grades, and that’s unacceptable,” said Rep. Tom Davis, R-Va., the committee’s chairman. “We’re also seeing some exceptional turnarounds.” Davis said troubling areas included lax security at federal contractor computers, which could be used to break into government systems; a lack of contingency plans for broad system failures and little training available for employees responsible for security. The Transportation Department improved from a D-plus to an A-minus; the Interior Department, which failed last year, improved to a C-plus; and the Justice Department rose from a failing grade to B-minus. The poor grades effectively dampen efforts by U.S. policy makers to impose new laws or regulations to compel private companies and organizations to enhance their own security. Industry groups have argued that the government needs to improve its own computer security before requiring businesses to make such changes.

NEW ERA OF COMPUTING: THE OPPORTUNITIES AND CHALLENGES OF CLOUD-BASED SOFTWARE AND SERVICES (Berkman Center, 17 Feb 2009; Lisa Tanzi of Microsoft) - The IT industry is at the cusp of a new era of computing - one in which cloud computing will play a central role. Lisa will highlight key innovations that are driving this new computing era, the essential roles of cloud computing and software (i.e. software + services) in it, and the benefits it will provide. She will also focus on several legal and policy issues that industry and governments will need to grapple with in this new era, including the movement of data across borders (and associated privacy and law enforcement issues), security of information, and the application of traditional telecommunications rules in a world where computing and communications technologies are converging. [Editor: illustrates that even Microsoft can’t solve the associated jurisdictional issues; does do a good job of illuminating the problems; recommended for those of you who represent multinational entities.] … See also …

REPORT CITES POTENTIAL PRIVACY GOTCHAS IN CLOUD COMPUTING (Computerworld, 25 Feb 2009) - Companies looking to reduce their IT costs and complexity by tapping into cloud computing services should first make sure that they won’t be stepping on any privacy land mines in the process, according to a report released this week by the World Privacy Forum. The report runs counter to comments made last week at an IDC cloud computing forum, where speakers described concerns about data security in cloud environments as overblown and “emotional.” But the World Privacy Forum contends that while cloud-based application services offer benefits to companies, they also raise several issues that could pose significant risks to data privacy and confidentiality.

************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

1 comment:

Claude Baudoin said...

Re: "The act of Googling oneself has become the digital age’s premiere guilty pleasure — an activity enjoyed by all and admitted by few."

I feel the author dismisses this practice a little too easily. I set up a Google Alert on my name years ago, so that I could see if anything bad or incorrect got listed somewhere. Doing so may contain some element of narcissism, but for anyone with a professional capacity, “brand control” is certainly a legitimate concern, at least if the goal is to react to misleading postings. For example, if false information appeared, or negative information about a homonym, you might actually want to mention it at the water cooler, lest your employer find the information and think it was correct information about you. In my case, I found that there is a Claude Baudoin who's in a mental institution and has claimed for years that he is unjustly imprisoned. Whether his claim is true or not, I would want to know if "Is Claude Baudoin really mad?" made it into the top-10 search results on my name!

For a corporation, it should certainly be a normal practice of the Marketing Communications department to set up an alert on their name (as well as on common misspellings) and to review the results thoroughly. Companies that don’t have such alerts set up are really playing with their reputations these days. It wouldn’t prevent the Domino/YouTube story, but it could help react to slower fires.