• Judge Orders Defendant to Decrypt PGP-Protected Laptop
• Media Need Not Reveal Web Posters’ Identities
• Volunteers Put The Economist Into Chinese
• White House Responds to Privacy Complaints?
• Web Behavioral Advertising Goes to Court
o Google to Offer Ads Based on Interests
• Diebold Voting System Has ‘Delete’ Button for Erasing Audit Logs
o Criminals Sneak Card-Sniffing Software on Diebold ATMS
• Obama Picks Net Neutrality Backer as FCC Chief
• Docs Seek Gag Orders to Stop Patients’ Reviews
• Industry Group Drops Effort to Craft Principles for Data Privacy Legislation
• Stimulus Creates New Breach Notification Requirements for Entities that Handle Health Information
• Twitter Boosts Public Access to Federal Courtrooms
o As Jurors Turn to Web, Mistrials Are Popping Up
• Government Cyber Security Chief Resigns Amid Turf War
• Australian Police May Get Hacking Powers
• Sketch Comedy Troupe Proposes a EULA for Friendship
• Companies Get Checklist for Complying with PCI Standard
• CIA, NSA Adopting Web 2.0 Strategies
o Government 2.0 Meets Catch-22
• Court Rules that Disloyal Employees’ Access to Employer’s Information Violated CFAA
• Online Networking More Popular than Email
• Copyright Treaty is Classified for ‘National Security’
• CBS to Offer Upcoming “March Madness” Streaming to iPhone
• Creative Commons Adds a ‘No Copyright At All’ Option
• DC Bar Association Claims Lawyer Rating Site Infringes Its Copyright
• Obama’s Gift to British Prime Minister Rendered Useless by DRM
• Internet Filter List of Porn Exposed
PODCASTS | RESOURCES | LOOKING BACK | NOTES
**** NEWS ****
JUDGE ORDERS DEFENDANT TO DECRYPT PGP-PROTECTED LAPTOP (CNET, 26 Feb 2009) - A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age. In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted. “Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,” Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested. Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment. The Fifth Amendment says nobody can be “compelled in any criminal case to be a witness against himself,” which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors. Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over “passwords used or associated with” the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them. At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is “testimonial,” meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different. Barry Steinhardt, director of the ACLU’s technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher “should have been able to assert his Fifth Amendment rights. It’s not the same thing as asking him to turn over the Xeroxed copy of a document.” http://news.cnet.com/8301-13578_3-10172866-38.html?tag=pop
MEDIA NEED NOT REVEAL WEB POSTERS’ IDENTITIES (Washington Post, 28 feb 2009) - Operators of newspaper Web sites, blogs and chat rooms that allow readers to post anonymous comments using pseudonyms do not have to readily reveal the posters’ identities in defamation suits, Maryland’s highest court ruled yesterday, further shaping an emerging area of First Amendment law in the Internet age. The Maryland Court of Appeals reversed a lower court ruling and ordered that NewsZap.com, an online forum run by Independent Newspapers, does not have to disclose the identities of forum participants who engaged in an online exchange about the cleanliness of a Dunkin’ Donuts shop in 2006. More broadly, however, the court used the case to recommend a strict, five-step process for judges to follow “to balance the First Amendment right to anonymous speech on the Internet with the opportunity on the part of the object of that speech to seek judicial redress for alleged defamation.” The process, which closely matches one set out by a New Jersey court in 2002, requires a plaintiff claiming defamation from an online comment to try to notify the anonymous poster that the person is the subject of a subpoena -- including by posting a message on the relevant online message board. The plaintiff must then identify in court filings the exact statements purportedly made by each anonymous poster, as well as show how those comments have caused damage. Maryland’s court also went further than New Jersey’s, adding that the plaintiff might have to provide specific evidence supporting each element of the defamation claim. Finally, it indicated that judges also have to balance the anonymous poster’s right of free speech against the need to disclose a defendant’s identity. Sam Bayard, assistant director of the Citizen Media Law Project at Harvard Law School, said that, taken together, this and other recent state court cases show a convergence of law surrounding the right to online anonymity. http://www.washingtonpost.com/wp-dyn/content/article/2009/02/27/AR2009022702876.html?hpid=sec-metro
VOLUNTEERS PUT THE ECONOMIST INTO CHINESE (New York Times, 1 March 2009) - Every day, Chinese fans produce unauthorized translations of Western pop culture products and put them online, like subtitled episodes of “Heroes” or the final Harry Potter novel. But a group calling itself the Eco Team has picked a more cerebral target: the British newsweekly The Economist. Every two weeks, the online Eco Weekly carries two issues of The Economist translated by volunteers. With each new issue, the group’s members work together to sharpen their language skills by translating the magazine from cover to cover. The group meets on a message board at ecocn.org/bbs that is led by Shi Yi, a 39-year-old insurance broker in Beijing. “Different people come from different backgrounds with their own purpose,” Mr. Yi said. “But we all like the style of The Economist.” Thirty to 40 of the group’s members work on each issue, Mr. Yi said. On the message board, they interweave paragraphs of English and Chinese text and collaborate on the translations. The final versions are bundled into Eco Weekly, a publication in the PDF format that is released biweekly and can be freely downloaded and printed. So far, neither the Chinese authorities nor The Economist has tried to stop the noncommercial, volunteer effort. Mr. Yi said that he had met members of the magazine’s staff, including its editor, John Micklethwait, and that they had granted their approval. A spokesman for The Economist, Justin Hendrix, was unable to confirm that arrangement as of Sunday night. http://www.nytimes.com/2009/03/02/business/media/02economist.html?partner=rss&emc=rss
WEB BEHAVIORAL ADVERTISING GOES TO COURT (Law.com, 2 March 2009) - Big Brother may be at it again. Behavioral advertising -- the tracking of consumer’s Internet surfing activity to create tailored ads -- has triggered an intense legal controversy that has law firms scrambling to stay on top of a burgeoning practice. Attorneys say that behavioral advertising is raising privacy, litigation and regulation fears among consumer advocates, the electronic commerce and advertising industries and legislators. Law firms are busy helping companies come up with a transparent way of letting consumers know that their online activities are being tracked and possibly shared. “Lawmakers and companies are having a tough time keeping up with this new frontier of Internet privacy issues, and there is growing consumer unrest about behavioral advertising, leading in some cases to consumer rebellion,” said Lisa Sotto, a partner and head of the privacy and security data group in the New York office of Richmond, Va.-based Hunton & Williams. “Consumers find this type of tracking intrusive, and businesses are starting to take the consumer reaction seriously,” she said. The buzz over behavioral advertising has been building since congressional hearings that were held last year, during which Congress called on Internet service providers (ISPs) to testify about a highly controversial advertising practice known as “deep-packet inspection.” Meanwhile, the Federal Trade Commission this month released a report in which it announced that it would adhere to its self-regulation policy when it comes to behavior advertising -- at least for now. Within the report, the FTC also released revised behavioral-advertising guidelines calling for more rigorous self-policing, and it strongly advised the industry to follow the guidelines or brace for more regulation and legislation. Those guidelines call for more disclosure and transparency with consumers about tracking and data-collection practices, the ability of consumers to choose whether to allow data collection, and keeping promises regarding the use of consumer data. They also suggest that companies store data “only as long as is necessary to fulfill a legitimate business or law enforcement need.” And when obtaining sensitive data, consent must be obtained. Attorneys note that it’s the collection of sensitive data -- such as financial, health and other personal information -- that has fueled privacy fears with regard to behavioral advertising. “The bigger concern is what happens with this data ... . Not only do you not know what information is being collected, you don’t know who is collecting it,” said Jacqueline Klosek, counsel to the privacy and data security practice in the New York office of Boston’s Goodwin Procter, who advises business clients about complying with FTC guidelines. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202428691751&rss=newswire
- and -
GOOGLE TO OFFER ADS BASED ON INTERESTS (New York Times, 11 March 2009) - Google will begin showing ads on Wednesday to people based on their previous online activities in a form of advertising known as behavioral targeting, which has been embraced by most of its competitors but has drawn criticism from privacy advocates and some members of Congress. Perhaps to forestall objections to its approach, Google said it planned to offer new ways for users to protect their privacy. Most notably, Google will be the first major company to give users the ability to see and edit the information that it has compiled about their interests for the purposes of behavioral targeting. Like rivals such as Yahoo, it also will give users the choice to opt out from what it calls “interest-based advertising.” Google will use a cookie, a small piece of text that resides inside a Web browser, to track users as they visit one of the hundreds of thousands of sites that show ads through its AdSense program. Google will assign those users to categories based on the content of the pages they visit. For example, a user may be pegged as a potential car buyer, sports enthusiast or expectant mother. Google will then use that information to show people ads that are relevant to their interests, regardless of what sites they are visiting. An expectant mother may see an ad about baby products not only on a parenting site but also, for example, on a sports or fashion site that uses AdSense or on YouTube, which is owned by Google. Google said that it planned to segment users along 20 categories and nearly 600 subcategories, and would not create categories for certain “sensitive” interests, including race, religion, sexual orientation or certain types of financial or health concerns. It does not plan to associate the cookie of users with search data or with information from other Google services, like Gmail. Google won’t notify users that it has begun to show them ads based on their behavior, but users who click on the “Ads By Google” link, which appears on thousands of Web pages, will be taken to a site where the technique is explained. There, they will also be able to tap into what Google calls the Ads Preferences Manager, to see and edit the ad categories that have been associated with their browser. http://www.nytimes.com/2009/03/11/technology/internet/11google.html?_r=1&ref=technology [The Google explanation appears to be here: http://www.google.com/ads/preferences]
DIEBOLD VOTING SYSTEM HAS ‘DELETE’ BUTTON FOR ERASING AUDIT LOGS (Wired, 3 March 2009) - After three months of investigation, California’s secretary of state has released a report examining why a voting system made by Premier Election Solutions (formerly known as Diebold) lost about 200 ballots in Humboldt County during November’s presidential election. But the most startling information in the state’s 13-page report (.pdf) is not why the system lost votes, which Wired.com previously covered in detail, but that some versions of Diebold’s vote tabulation system, known as the Global Election Management System (Gems), include a button that allows someone to delete audit logs from the system. Auditing logs are required under the federal voting-system guidelines, which are used to test and qualify voting systems for use in elections. The logs record changes and other events that occur on voting systems to ensure the integrity of elections and help determine what occurred in a system when something goes wrong. “Deleting a log is something that you would only do in de-commissioning a system you’re no longer using or perhaps in a testing scenario,” said Princeton University computer scientist Ed Felten, who has studied voting systems extensively. “But in normal operation, the log should always be kept.” Yet the Diebold system in Humboldt County, which uses version 1.18.19 of Gems, has a button labeled Clear, that “permits deletion of certain audit logs that contain — or should contain — records that would be essential to reconstruct operator actions during the vote-tallying process,” according to the California report. The button is positioned next to the Print and Save As buttons (see image above), making it easy for an election official to click on it by mistake and erase crucial logs. In fact, the report says, this occurred recently in a California county when an official, while attempting to print out a copy of a so-called “poster log,” inadvertently deleted it instead. http://blog.wired.com/27bstroke6/2009/03/ca-report-finds.html
- and -
CRIMINALS SNEAK CARD-SNIFFING SOFTWARE ON DIEBOLD ATMS (ComputerWorld, 17 March 2009) - Diebold Inc. has released a security fix for its Opteva automated teller machines after cybercriminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. After studying samples submitted to the VirusTotal Web site, security vendor Sophos reported Tuesday that the code has been in circulation since at least November 2008. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129819&source=NLT_AM
OBAMA PICKS NET NEUTRALITY BACKER AS FCC CHIEF (CNET, 3 March 2009) - President Obama on Tuesday nominated Julius Genachowski as the nation’s top telecommunications regulator, picking a campaign advisor who has divided his career between Washington, D.C., political jobs and working as an Internet executive. Genachowski had been mentioned as a likely candidate for the Federal Communications Commission post, in part because he participated in the Obama campaign’s Internet efforts and previously worked as chief counsel to Democratic FCC Chairman Reed Hundt. http://news.cnet.com/8301-13578_3-10187067-38.html
DOCS SEEK GAG ORDERS TO STOP PATIENTS’ REVIEWS (AP, 4 March 2009) - The anonymous comment on the Web site RateMDs.com was unsparing: “Very unhelpful, arrogant,” it said of a doctor. “Did not listen and cut me off, seemed much too happy to have power (and abuse it!) over suffering people.” Such reviews are becoming more common as consumer ratings services like Zagat’s and Angie’s List expand beyond restaurants and plumbers to medical care, and some doctors are fighting back. They’re asking patients to agree to what amounts to a gag order that bars them from posting negative comments online. “Consumers and patients are hungry for good information” about doctors, but Internet reviews provide just the opposite, contends Dr. Jeffrey Segal, a North Carolina neurosurgeon who has made a business of helping doctors monitor and prevent online criticism. Some sites “are little more than tabloid journalism without much interest in constructively improving practices,” and their sniping comments can unfairly ruin a doctor’s reputation, Segal said. Segal said such postings say nothing about what should really matter to patients — a doctor’s medical skills — and privacy laws and medical ethics prevent leave doctors powerless to do anything it. His company, Medical Justice, is based in Greensboro, N.C. For a fee, it provides doctors with a standardized waiver agreement. Patients who sign agree not to post online comments about the doctor, “his expertise and/or treatment.” “Published comments on Web pages, blogs and/or mass correspondence, however well intended, could severely damage physician’s practice,” according to suggested wording the company provides. Segal’s company advises doctors to have all patients sign the agreements. If a new patient refuses, the doctor might suggest finding another doctor. Segal said he knows of no cases where longtime patients have been turned away for not signing the waivers. Doctors are notified when a negative rating appears on a Web site, and, if the author’s name is known, physicians can use the signed waivers to get the sites to remove offending opinion. http://news.yahoo.com/s/ap/20090304/ap_on_he_me/med_gagging_patients;_ylt=AggTrqnvCNj.mAbu6TaBAYADW7oF
INDUSTRY GROUP DROPS EFFORT TO CRAFT PRINCIPLES FOR DATA PRIVACY LEGISLATION (BNA’s Internet Law News, 5 March 2009) - BNA’s Electronic Commerce & Law Report reports that an industry coalition that includes leading technology companies, such as Microsoft Corp., has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation. Instead, the coalition is now focused on crafting an industry-wide self-regulatory framework that can be tested over time with a broad range of organizations that collect and use consumers’ personal data, according to Microsoft Chief Privacy Strategist Peter Cullen.
STIMULUS CREATES NEW BREACH NOTIFICATION REQUIREMENTS FOR ENTITIES THAT HANDLE HEALTH INFORMATION (Steptoe & Johnson’s E-Commerce Law Week, 5 March 2009) - There’s something for everyone in President Obama’s stimulus package -- including advocates of improved data security for health records. Subtitle D of Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA) requires entities that are covered by the Health Insurance Portability and Accountability Act (HIPAA) and suffer a breach of “unsecured protected health information” to notify all affected individuals “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.” The ARRA also requires covered entities to “immediately” notify the Secretary of the Department of Health and Human Services if the breach involves “500 or more individuals”; smaller breaches must be recorded in a log and submitted to the Secretary annually. The ARRA’s breach notification requirements also apply to several entities that are not covered by HIPAA, including “vendors of personal health records,” “entities that offer products or services through the website” of such a vendor, and “entities that access information in a personal health record or send information to a personal health record.” However, instead of notifying the HHS Secretary, these entities are required to notify the Federal Trade Commission if they suffer a breach of any size; the FTC will then relay this notification to the HHS Secretary. These breach notification requirements are effective 30 days after the HHS Secretary (for HIPAA entities) or FTC (for non-HIPAA entities) publish implementing regulations. http://www.steptoe.com/publications-5965.html
TWITTER BOOSTS PUBLIC ACCESS TO FEDERAL COURTROOMS (AP, 6 March 2009) - In a victory for news technology in federal courts, a judge is allowing a reporter to use the microblogging service Twitter to provide constant updates from a racketeering gang trial this week. It’s not the first time online streaming has been allowed in courtrooms, but the practice is still rare in the federal system, especially in criminal cases. A couple of lawyers voiced concern about the possibility that a juror might visit the online site to read the posts from Ron Sylvester, a reporter for the Wichita Eagle, but U.S. District Judge J. Thomas Marten said jurors are always told to avoid newspaper, broadcast and online reports. Sylvester has been using Twitter for a year to cover hearings and trials in state courts, but the racketeering trial of six Crips gang defendants that he’s covering online this week is his first in federal court. Among those who have signed up to follow Sylvester’s Twitter posts is the father of one of the defendants. He lives in Houston, Sylvester said, and can’t attend the trial. Across the country, tech-savvy federal judges are becoming increasingly receptive to live courtroom media coverage using emerging technologies. Such coverage from journalists reporting from trials in state courts is already common. Federal judges have wide discretion on how to run trials when it comes to emerging online technologies. http://news.yahoo.com/s/ap/20090306/ap_on_re_us/courtroom_tweets_4
- but -
AS JURORS TURN TO WEB, MISTRIALS ARE POPPING UP (New York Times, 17 March 2009) - Last week, a juror in a big federal drug trial in Florida admitted to the judge that he had been doing research on the case on the Internet, directly violating the judge’s instructions and centuries of legal rules. But when the judge questioned the rest of the jury, he got an even bigger shock. Eight other jurors had been doing the same thing. The federal judge, William J. Zloch, had no choice but to declare a mistrial, a waste of eight weeks of work by federal prosecutors and defense lawyers. It might be called a Google mistrial. The use of BlackBerrys and iPhones by jurors gathering and sending out information about cases is wreaking havoc on trials around the country, upending deliberations and infuriating judges. Last week, a building products company asked an Arkansas court to overturn a $12.6 million judgment, claiming that a juror used Twitter to send updates during the civil trial. And on Monday, defense lawyers in the federal corruption trial of a former Pennsylvania state senator, Vincent J. Fumo, demanded before the verdict that the judge declare a mistrial because a juror posted updates on the case on Twitter and Facebook. The juror had even told his readers that a “big announcement” was coming on Monday. But the judge decided to let the deliberations continue, and the jury found Mr. Fumo guilty. His lawyers plan to use the Internet postings as grounds for appeal. Jurors are not supposed to seek information outside of the courtroom. They are required to reach a verdict based on only the facts the judge has decided are admissible, and they are not supposed to see evidence that has been excluded as prejudicial. But now, using their cellphones, they can look up the name of a defendant on the Web or examine an intersection using Google Maps, violating the legal system’s complex rules of evidence. They can also tell their friends what is happening in the jury room, though they are supposed to keep their opinions and deliberations secret. “It’s really impossible to control it,” said Douglas L. Keene, president of the American Society of Trial Consultants. Judges have long amended their habitual warning about seeking outside information during trials to include Internet searches. But with the Internet now as close as a juror’s pocket, the risk has grown more immediate — and instinctual. Attorneys have begun to check the blogs and Web sites of prospective jurors. http://www.nytimes.com/2009/03/18/us/18juries.html?_r=1&ref=us
GOVERNMENT CYBER SECURITY CHIEF RESIGNS AMID TURF WAR (Washington Post, 9 March 2009) - The federal government’s director for cyber security has resigned after less than a year on the job, citing a lack of support and funding, and an over-reliance on the National Security Agency for combating threats to the nation’s computer systems. Former Silicon Valley entrepreneur Rod A. Beckstrom said in his resignation letter to Department of Homeland Security Secretary Janet Napolitano, a copy of which was published by The Wall Street Journal on Friday, that it was a “bad strategy” to give the NSA such a dominant role. Beckstrom was appointed last March to head the National Cyber Security Center, a new inter-agency group charged with coordinating the federal government’s efforts to protect its computer networks from organized cyber attacks. But recently, Beckstrom said, efforts have been underway to fold his group into a facility at the NSA. Reached by phone Sunday evening, Beckstrom confirmed that his last day would be March 13. He declined to veer far from the points he laid out in his letter, but said the purpose of his group was to coordinate -- not be subsumed by -- cyber efforts of various federal agencies. “This is a coordination body and it resides alongside or above the other centers, but certainly not below them,” Beckstrom said. “In my view, it is very important that there be independence for the NCSC, and that it be able to carry out its role.” http://www.washingtonpost.com/wp-dyn/content/article/2009/03/09/AR2009030901213.html?wprss=rss_technology
AUSTRALIAN POLICE MAY GET HACKING POWERS (CNET, 9 March 2009) - The government of the Australian state of New South Wales has unveiled plans to give state police the power to hack into computers remotely, with owners potentially remaining in the dark about the searches for up to three years. The new powers are part of a package introduced into parliament last week by Premier Nathan Rees. Broadly, they aim to give police the right to apply for covert search warrants from the Supreme Court to gather evidence in cases that could involve serious indictable offenses punishable by at least seven years’ imprisonment. Judges issuing the new warrants could authorize owners not being told about the searches for up to three years (under exceptional circumstances), NSW Police Minister Tony Kelly said in a statement, with police having to apply for several extensions to get the full period. Rees said the laws would enable computers to be searched, including access to “computers networked to a computer at the premises being searched.” “Police will also be able to gain remote access to computers for seven days at a time, up to a total of 28 days or longer in exceptional circumstances, to allow them, to undertake forensic off-site examiniation,” Rees said. Offenses covered by the new laws include the supply, manufacture, or cultivation of drugs; possession, manufacture or sale of firearms; money laundering; car or boat re-birthing; and unauthorized access to or modification of computer data or electronic communications. Also included are theft (if carried out on an organized basis); violence causing grievous bodily harm or wounding; possession, manufacture or supply of false instruments; corruption; destruction of property; homicide; and kidnapping. The news comes after similar moves in Europe have recently been gathering pace. For example, in January the U.K. government said it had agreed to work with the European Union parliament on plans to extend police powers to conduct remote searches of computers. http://news.cnet.com/8301-1009_3-10191514-83.html
SKETCH COMEDY TROUPE PROPOSES A EULA FOR FRIENDSHIP (Boing Boing, 9 March 2009) - AlexanderDitto sez, “This week’s LoadingReadyRun video addresses combining restrictive End-User License Agreements with Friendships. Results: pain. Also laughs!” http://blip.tv/file/1857716 and http://loadingreadyrun.com/videos/view/420/-Terms-of-Friendship [Editor: very funny.]
COMPANIES GET CHECKLIST FOR COMPLYING WITH PCI STANDARD (Network World, 10 March 2009) - The organization responsible for administering the Payment Card Industry Data Security Standard is offering new guidance to companies on how to focus their PCI DSS compliance efforts so as to more quickly them in position to meet the rules on protecting credit and debit card data. PCI Security Standards Council LLC, which was set up by Visa, MasterCard, American Express and other credit-card companies in 2006, last week released a document detailing a Prioritized Approach framework that lists the most efficient order for companies to implement the 12 security controls mandated under PCI DSS. The framework groups the controls under six specific milestones that companies can use as a road map towards compliance, according to council officials. http://www.networkworld.com/news/2009/031009-companies-get-checklist-for-complying.html?nlhtsec=rn_031109&nladname=031109securityal Framework document here: https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_PCI_DSS_1_2.pdf
CIA, NSA ADOPTING WEB 2.0 STRATEGIES (Information Week, 10 March 2009) - While the United States intelligence community may have gotten a lot of publicity for its Wikipedia-like Intellipedia Web site, agencies like the Central Intelligence Agency and National Security Agency are ramping up their use of other social and Web-inspired software as well. Intellipedia has been a success -- with 830,000 pages, it’s the crown jewel of the intelligence community’s proof that information sharing is better in the wake of the 9/11 attacks -- but Michael Kennedy, director of enterprise solutions for the intelligence community, said the government can’t rest on its laurels. He admits criticism that Intellipedia has matured, and while it remains a centerpiece, he said the government also needs to keep moving onto the next big thing. We talked with Tim Breidigan, Eventful VP business development, about the service and how it helps connect users and events. “We don’t know what the next great tool is going to be for the users,” he said during a panel discussion Tuesday at the FOSE conference in Washington, D.C. “We just know there will be one very soon, and we want to be there, whatever it is.” For example, intelligence agency employees now exchange about 5 million daily instant messages via Jabber and IBM Sametime. A search engine based on Google technologies has indexed 92 million documents and handles 2 million queries every month. A new site allows employees to share and analyze photos and videos of events like a test last year that destroyed a failing satellite with a missile. This year, the community is working on a number of new initiatives, such as ramping up search capabilities. For example, the agencies are now working with a vendor -- Kennedy wouldn’t say who -- that provides it with the ability to draw a picture and then search for similar images. Semantic search capabilities to analyze sentiment and summarize documents are coming soon, too, but for now Kennedy and his colleagues aren’t yet confident in the ability of commercial tools on which it will rely. Another key focus for the intelligence community’s social and information-sharing initiatives this year is a common one: SharePoint. “It’s one of those products we can’t get by without anymore,” Kennedy said, adding that SharePoint is used for everything from unclassified to highly classified intelligence. Kennedy and his colleagues hope the new tools will accelerate problem solving, since intelligence agency employees can now immediately post and share information they are receiving about events, and since the tools can bring subject matter experts like a CIA agent and an NSA signal intelligence analyst together to work on documents and analysis more deeply than they may have been able to do in the past. http://www.informationweek.com/news/internet/web2.0/showArticle.jhtml?articleID=215801627&cid=RSSfeed_IWK_News
- and -
GOVERNMENT 2.0 MEETS CATCH 22 (New York Times, 17 March 2009) - “Do I need to P.I.A. Facebook?” said the perplexed bureaucrat squished into a narrow basement hotel conference room in Washington DC. P.I.A. stands for Privacy Impact Assessment, a procedure that federal agencies must go through every time they create a new computer system. It was one of many questions about how the government can use the tools of Web 2.0 raised in a session of a privacy conference last week. Organizations of all sorts have been trying to figure out how they can adapt social networks, blogs, wiki’s and other Web tools to their traditional operating methods in order to connect to customers and partners. But it is tough. “We have a Facebook page,” said one official of the Department of Homeland Security. “But we don’t allow people to look at Facebook in the office. So we have to go home to use it. I find this bizarre.” There are many other procedures at government agencies that aren’t just tradition, they are the law. For example, the mostly harmless feature of Facebook that allows users to specify their religious and political views, may run afoul of the Privacy Act. That law prevents the government from using the site because a provision in the Privacy Act bans it from keeping records related to how people exercise their first amendment rights. “We are stodgier” than the private sector, said Alex Joel, the civil liberties protection officer for the Office of the Director of National Intelligence, who moderated the session at the annual meeting of the International Association of Privacy Professionals, the trade group for corporate and government privacy officers. “We have our own way of doing things.” Speaking of the First Amendment, one person asked, does the government have the right to remove offensive comments on a blog or social network page? And if it does, must it keep copies of the deleted material under the Federal Records Act and provide them to people making Freedom of Information Act Requests? Yes, it can remove comments that violate posted policies about decency and so on, and yes, it must keep them for a specified time, other participants said. http://bits.blogs.nytimes.com/2009/03/17/government-20-meets-catch-22/
COURT RULES THAT DISLOYAL EMPLOYEES’ ACCESS TO EMPLOYER’S INFORMATION VIOLATED CFAA (Steptoe & Johnson’s E-Commerce Law Week, 12 March 2009) - Another court has weighed in on whether a disloyal employee’s use of his employer’s computer system is “without authorization” or “exceed[s] authorized access,” in violation of the Computer Fraud and Abuse Act (CFAA), and whether “lost business” constitutes a cognizable loss under the statute. Courts have reached conflicting decisions on both questions. In Ervin & Smith Advertising and Public Relations, Inc. v. Ervin, a federal court in Nebraska ruled in favor of the plaintiff employer on both issues, finding that employees who access company computers for personal gain and against the employer’s interests exceed their authorized access, and that any resulting loss of business is a cognizable loss under the CFAA. Resolution of the split in the courts on these issues seems unlikely anytime soon, underscoring the importance to employers of a friendly venue and careful pleading. http://www.steptoe.com/publications-5982.html Ruling here: http://www.steptoe.com/assets/attachments/3745.pdf
ONLINE NETWORKING MORE POPULAR THAN EMAIL (Washington Post, 12 March 2009) - Are you spending hours and hours on Facebook? If so, you are not alone. Networking and blogging sites account for almost ten percent of time spent on the internet -- more than on email. Time on the sites ranked fourth, after online searching, general interest sites, and software sites, according to a study released by Nielsen Online. One in every 11 minutes spent online globally is on networking sites. Between December 2007 and December 2008, the time spent on the sites climbed 63 percent to 45 billion minutes. The figure was even higher for the world’s most popular networking site, Facebook, where members spent 20.5 billion minutes, up 566 percent from 3.1 percent the previous year, according to the study. http://www.washingtonpost.com/wp-dyn/content/article/2009/03/12/AR2009031200223.html
COPYRIGHT TREATY IS CLASSIFIED FOR ‘NATIONAL SECURITY’ (CNET, 12 March 2009) - Last September, the Bush administration defended the unusual secrecy over an anti-counterfeiting treaty being negotiated by the U.S. government, which some liberal groups worry could criminalize some peer-to-peer file sharing that infringes copyrights. Now President Obama’s White House has tightened the cloak of government secrecy still further, saying in a letter this week that a discussion draft of the Anti-Counterfeiting Trade Agreement and related materials are “classified in the interest of national security pursuant to Executive Order 12958.” The 1995 Executive Order 12958 allows material to be classified only if disclosure would do “damage to the national security and the original classification authority is able to identify or describe the damage.” Jamie Love, director of the nonprofit group Knowledge Ecology International, filed the Freedom of Information Act request that resulted in this week’s denial from the White House. The denial letter was sent to Love on Tuesday by Carmen Suro-Bredie, chief FOIA officer in the White House’s Office of the U.S. Trade Representative. Love had written in his original request on January 31--submitted soon after Obama’s inauguration--that the documents “are being widely circulated to corporate lobbyists in Europe, Japan, and the U.S. There is no reason for them to be secret from the American public.” The White House appears to be continuing the secretive policy of the Bush administration, which wrote to the Electronic Frontier Foundation (PDF) on January 16 that out of 806 pages related to the treaty, all but 10 were “classified in the interest of national security pursuant to Executive Order 12958.” http://news.cnet.com/8301-13578_3-10195547-38.html
CBS TO OFFER UPCOMING “MARCH MADNESS” STREAMING TO IPHONE (ArsTechnica, 13 March 2009) - As Divison I men’s college basketball teams are fighting for the right to play in the tournament that will eventually crown the national champion, CBS has released an iPhone application that will stream audio and or video of every game, depending on the available connection. Beginning on March 19, customers who purchase the application for $4.99 will be able to stream live audio of all games over 3G or EDGE, or audio and video over WiFi. CBS March Madness On Demand will give fans up-to-the-moment scores, bracket results, and highlights. The release comes on the heels of announcements that Silverlight will be powering the streaming of the tournament on the Web, and that EA would have a special XBox Live version of NCAA Basketball especially for the tournament. http://arstechnica.com/apple/news/2009/03/cbs-to-offer-upcoming-march-madness-streaming-to-iphone-1.ars
CREATIVE COMMONS ADDS A ‘NO COPYRIGHT AT ALL’ OPTION (TechDirt, 13 March 2009) - Just two months ago, we were pointing out how difficult it was to opt-out of copyright and put content into the public domain. We noted that it wasn’t solved by Creative Commons -- who had a series of licenses that all relied on copyright, and none that removed all restrictions. Looks like the CC folks were listening (not to me, necessarily, but to others who raised similar issues). They have now released a new offering to help content creators declare their work to be in the public domain. They’re calling it CC0. While it looks just like other CC licenses, it’s not actually a “license,” but a waiver/declaration that the content is in the public domain. http://techdirt.com/articles/20090312/1534364096.shtml
DC BAR ASSOCIATION CLAIMS LAWYER RATING SITE INFRINGES ITS COPYRIGHT (TechDirt blog, 17 March 2009) - There’s been no shortage of stories about misplaced anger (and sometimes lawsuits) filed against all kinds of rating sites lately, and the latest situation is equally questionable. Against Monopoly points us to the news that the Washington DC Bar Association has sent a cease-and-desist letter to lawyer-rating site, Avvo, claiming that Avvo’s use of information on the DC Bar’s website violates copyright and privacy rights. It would be great if some lawyers chimed in, but I have a hard time seeing either claim making any sense. On the copyright side, the information appears to mostly be factual information, which isn’t covered by copyright. On the privacy side (and local privacy laws do differ), if the information is public information, it’s difficult again to explain how anyone’s privacy is being violated. http://techdirt.com/articles/20090312/1718164101.shtml
OBAMA’S GIFT TO BRITISH PRIME MINISTER RENDERED USELESS BY DRM (TechDirt, 19 March 2009) - A few years back, it emerged that US Senator Ted Stevens had been given an iPod by his daughter, and it had changed the way he saw the RIAA and the measures for which it lobbied. It’s always seemed to me that once politicians -- at least those not beholden to the entertainment industry -- experienced the stupidity and frustration of the locks and controls that groups like the RIAA and MPAA put on content and want backed up by law, they’d realize they were little more than attempts to frustrate consumers and prop up outmoded business models. Maybe the UK is prepared for a similar political inflection point: its Prime Minister, Gordon Brown, was recently given a gift of 25 DVDs of classic American movies by US President Barack Obama. When Brown sat down to watch one of them, he found he couldn’t -- because Obama had given him Region 1 DVDs, unplayable in Brown’s Region 2 DVD player. http://techdirt.com/articles/20090319/1337464182.shtml
INTERNET FILTER LIST OF PORN EXPOSED (Australian IT, 20 March 2009) - THE Rudd Government’s plans for a nationwide internet filter are in jeopardy after its top-secret blacklist of banned web pages was leaked. The list, published on the internet, reads like a White Pages of porn and its release has provided a handy guide for young people to access the very material the Government wishes to banish from their eyes. The secret blacklist, which was leaked to the whistle-blower website Wikileaks, is purportedly the same list the Australian Communications and Media Authority distributes to vendors of approved internet filters to ban offensive material -- such as child pornography, bestiality and violence. ACMA and Communications Minister Stephen Conroy yesterday attempted to hose down concerns about the published blacklist, saying it was not the official list used by the communications regulator. Of the 2395 web pages on the leaked list, approximately half relate to child porn -- one of the key targets of the federal Government’s planned mandatory internet filter. Many more web pages relate to online poker sites, YouTube links, pornography sites, Wikipedia entries and even links to a Queensland boarding kennel and a Queensland dentist. “While Wikileaks is used to exposing secret government censorship in developing countries, we now find Australia acting like a democratic backwater,” the website notes. http://www.australianit.news.com.au/story/0,24897,25214571-15306,00.html
**** NOTED PODCASTS ****
PATTIE MAES & PRANAV MISTRY: UNVEILING THE “SIXTH SENSE,” GAME-CHANGING WEARABLE TECH (TED Talks, Feb 2009) - This 9-minute demo -- from Pattie Maes’ lab at MIT, spearheaded by Pranav Mistry -- was the buzz of TED. It’s a wearable device with a projector that paves the way for profound interaction with our environment. Imagine “Minority Report” and then some. http://www.ted.com/index.php/talks/pattie_maes_demos_the_sixth_sense.html [Editor: wow!]
SECURING PERSONAL DATA IN THE GLOBAL ECONOMY (FTC, 16-17 March 2009) - The United States Federal Trade Commission (FTC), along with co-organizers APEC and OECD, held an international conference on March 16-17, 2009 on the trans-border aspects of data security. This conference, first discussed at an OECD brainstorming session to identify current global privacy challenges, brought together regulators and civil enforcers, consumer advocates, industry representatives, technology experts, and academics from around the world to address these issues. The conference focused in particular on business organization’s data security practices in a global economy, rather than on the law enforcement and criminal law dimensions of the issue. [Windows Media Player streams of the panel programs is available here (for free): http://htc-01.media.globix.net/COMP008760MOD1/ftc_web/FTCindex.html#Mar16_09; see, e.g., the segment on “Data Security Practices in Industry”]
**** RESOURCES ****
SURVEILLANCE SELF DEFENSE (EFF, March 2009) - The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it. Surveillance Self-Defense (SSD) exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying? After an introductory discussion of how you should think about making security decisions — it’s all about risk management — we’ll be answering those two questions for three types of data: First, we’re going to talk about the threat to the data stored on your computer posed by searches and seizures by law enforcement, as well as subpoenas demanding your records. Second, we’re going to talk about the threat to your data on the wire — that is, your data as it’s being transmitted — posed by wiretapping and other real-time surveillance of your telephone and Internet communications by law enforcement. Third, we’re going to describe the information about you that is stored by third parties like your phone company and your Internet service provider, and how law enforcement officials can get it. In each of these three sections, we’re going to give you practical advice about how to protect your private data against law enforcement agents. https://ssd.eff.org/
LEGAL GUIDE FOR BLOGGERS (EFF, February 2009) - Whether you’re a newly minted blogger or a relative old-timer, you’ve been seeing more and more stories pop up every day about bloggers getting in trouble for what they post. Like all journalists and publishers, bloggers sometimes publish information that other people don’t want published. You might, for example, publish something that someone considers defamatory, republish an AP news story that’s under copyright, or write a lengthy piece detailing the alleged crimes of a candidate for public office. The difference between you and the reporter at your local newspaper is that in many cases, you may not have the benefit of training or resources to help you determine whether what you’re doing is legal. And on top of that, sometimes knowing the law doesn’t help - in many cases it was written for traditional journalists, and the courts haven’t yet decided how it applies to bloggers. But here’s the important part: None of this should stop you from blogging. Freedom of speech is the foundation of a functioning democracy, and Internet bullies shouldn’t use the law to stifle legitimate free expression. That’s why EFF created this guide, compiling a number of FAQs designed to help you understand your rights and, if necessary, defend your freedom. http://www.eff.org/issues/bloggers/legal
**** LOOKING BACK - MIRLN TEN YEARS AGO ****
ECHELON, THE UK-USA COMMUNICATIONS MONITORING PROGRAM INVESTIGATED BY CONGRESSIONAL PANEL -- Echelon is one name of the analysis programs developed by the US and British intelligence organizations to monitor voice and data messages throughout the world. Two weeks ago, the House Committee on Intelligence requested that the NSA and CIA provide a detailed report outlining the legal standards used to monitor communication of American citizens. http://www.nytimes.com/library/tech/99/05/cyber/articles/27network.html
************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:firstname.lastname@example.org?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, email@example.com.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.