Saturday, June 13, 2009

MIRLN --- 24 May – 13 June 2009 (v12.08)

• Insurance Coverage for Data Security Breaches: First Bank v. Federal Insurance Co.
• Bloomberg Forbids Mentioning Competitors, or Linking to Them
• Risk Calculators: Finance Geeks Use Open API to Crunch Market Numbers
• eBay Wins Europe Court Fight Against L’Oreal Over Fake Products
• Web Site has a Read On Digital Book Sales
• ITU Calls for Global Cybersecurity Measures
• Appeals Court Upholds No Exclusive Cable Rights in Apartments
• Judge Sotomayor is First Nominee with Cyberlaw Record
• Savvis Faces Bank Lawsuit over Cardsystems Data Breach
• Violating Facebook ToS to Access User Data Actionable as Copyright Infringement
• EFF Gives Copyright Education a Crack with New Curriculum
• TRO in Web Advertising Case Could Augur Major Problem for Search Engines and ISPS
• Id-Theft Ruling: Set Your Own Fraud Alerts
• Obama’s Public-Private Cybersecurity Challenge
• US Grapples With How to Retaliate in Cyber Attacks
• Another Court Ruling in Spain Finds Personal File Sharing to be Legal
• Report: Social Networking Up 83 Percent for U.S.
• New Programs Put Crime Stats on the Map
o Map of Disputes Between WTO Members
• Web Series Tied to ‘Blade Runner’ is in the Works
• Federal IT Security Recommendations Released in Final NIST Draft
• Web Privacy Study Finds Widespread Data Sharing, ‘Web Bugs’
• Web Site Tracks Policy Changes at Popular Sites
o iAwful, the Internet Advocates Watchlist for Ugly Laws
• The New Student Excuse?
• Judge Reprimanded for Friending Lawyer and Googling Litigant
• San Francisco Twitters with Citizens to Fix City
• Swedish Pirate Party Enters EU Parliament: Partial Results
• Army Orders Bases to Stop Blocking Twitter, Facebook, Flickr
• Magazine Cover Ads, Subtle and Less So
• Agencies Issue Frequently Asked Questions on Identity Theft Rules


**** NEWS ****

INSURANCE COVERAGE FOR DATA SECURITY BREACHES: FIRST BANK V. FEDERAL INSURANCE CO. (Perkins Coie, 16 April 2009) - On March 23, 2009, First Bank filed a breach of contract claim against its insurer, Federal Insurance Company (Chubb). First Bank v. Federal Insurance Company, No. 4:09-cv-00532 (Mo. Cir. Ct.). The case, although a classic insurance coverage dispute, deals with a relatively new policy form and relatively new type of insurance. The policy at issue is CyberSecurity by Chubb, and is meant to cover, among other things, losses stemming from data security breaches. In late 2007, First Bank had such a loss. The First Bank complaint highlights not only the importance of having specialized insurance coverage for data security breaches, but it also previews some of the defenses an insurer might use in resisting payment when there is a loss stemming from a data security breach.

BLOOMBERG FORBIDS MENTIONING COMPETITORS, OR LINKING TO THEM (ValleyWag, 22 May 2009) - Bloomberg has distributed a policy to newsroom staff on blogging, Twittering and Facebook updating. And in keeping with the company’s tyrannical management culture, the rules are far more authoritarian than similar admonitions recently dispensed at the Wall Street Journal, New York Times and elsewhere. A mole forwarded us the excerpt below. It all but bans personal Web posts and status updates of all sorts. First it outlaws discussion of any topic covered by Bloomberg News. The financial wire covers a huge swath of events — “companies, markets, industries, economies and governments,” per its own marketing materials, plus “Arts and culture” and food — leaving little else to talk about. And even if a Bloomberg journalist does find an allowed topic, he would be hard-pressed to link to or even describe any relevant content, since company policy says staff may not “direct Internet traffic to media competitors or discuss them” (emphasis added).

RISK CALCULATORS: FINANCE GEEKS USE OPEN API TO CRUNCH MARKET NUMBERS (Wired, 22 May 2009) - When AAA-rated companies began crumbling like sand castles in an earthquake last year, Jesper Andersen and Toby Segaran had the same thought: There has to be a better way of measuring corporate credit risk. Bond rating is plagued by insularity, they argue. Agencies like Moody’s and Standard & Poor’s lack transparency, use narrow data sets, and rely on too few models (one of which was the notorious Gaussian copula formula featured on Wired’s March cover). Worst of all, they’re paid by the firms they evaluate—an obvious incentive for grade inflation. “No one can pay for this and keep it fair,” Segaran says. The partners’ solution: a volunteer army of finance geeks. Their project,, provides a platform for investors, academics, and armchair analysts to rate companies by crowdsourcing. The site amasses data from SEC filings (in XBRL format) to which anyone may add unstructured info (like footnotes) often buried in financial documents. Users can then run those numbers through standard algorithms, such as the Altman Z-Score analysis and the Piotroski method, and publish the results on the site. But here’s the really geeky part: The project’s open API lets users design their own risk-crunching models. The founders hope that these new tools will not only assess the health of a company but also identify the market conditions that could mean trouble for it (like the housing crisis that doomed AIG).

EBAY WINS EUROPE COURT FIGHT AGAINST L’OREAL OVER FAKE PRODUCTS (, 22 May 2009) - A British court today ruled that Internet marketplace eBay is not liable for bogus beauty products sold on its Web site, dealing a blow to cosmetics company L’Oreal’s campaign against the online auction giant. L’Oreal SA has taken San Jose-based eBay to court across Europe, suing in Britain, Germany, France, Belgium and Spain over the sale of fake fragrances and cosmetics on the site. L’Oreal claims there is an increasing volume of counterfeit goods being sold on eBay. The online auctioneer said negotiations between the companies on the issue broke down because L’Oreal was being unreasonable. Justice Richard David Arnold ruled in London’s High Court that eBay Europe was not liable for trademark infringements committed by its users. EBay said in a statement that the British ruling was “a victory for consumers and the thousands of entrepreneurs who sell legitimate goods on eBay every day.” A call placed with L’Oreal’s London office seeking comment was not immediately returned. Earlier this month, a French court ordered L’Oreal and eBay to settle their differences, giving them until May 25 to come up with a mediated settlement. Other cases elsewhere in Europe are still pending.

WEB SITE HAS A READ ON DIGITAL BOOK SALES (, 24 May 2009) - Scribd is proposing to do for books what iTunes did for music — let readers buy only what they want to read. Eight years ago, Apple turned the music industry upside-down when it launched iTunes, an online music store that let listeners cherry-pick one or two songs instead of having to buy an entire album. Now Scribd is giving readers the option of buying content, including paying a few dollars for a chapter or two from a travel guide or a how-to book. That’s just one example of the flexibility that digital book purveyors are experimenting with as printed content migrates to the digital format. Another is the pricing model. Paperbacks largely have been priced about $10 to $15, while hardcovers are $25 to $30. With digital books, that price could be any amount. Scribd takes 20 percent of whatever price publishers and authors set for their works; the rest goes to the writer or publisher. Some authors, for example, are releasing their books on Scribd for $2.

ITU CALLS FOR GLOBAL CYBERSECURITY MEASURES (H Security, 24 May 2009) - The International Telecommunication Union (ITU) has published its proposals for harmonising global cybersecurity legislation on the periphery of a conference on the information society in Geneva. At a discussion session, ITU General Secretary Hamadoun Touré stated that the document, advertised as a “Cybersecurity Toolkit”, is “no Bible and no Koran”, instead offering a list of best practices from existing legislation. Drafting of the document was entrusted to an expert group commissioned by the ITU and led by the American Bar Association’s Privacy and Computer Crime Committee (PACC). In Geneva, PACC boss Jody Westby emphasised that legislation from many different countries was considered in producing the document, which is intended as a model for national legislation. In addition to the Council of Europe’s ‘Convention on Cybercrime’, their search for model regulations also took in legislation from Australia, Canada, China and many other countries. Information about the “Toolkit” is here:

APPEALS COURT UPHOLDS NO EXCLUSIVE CABLE RIGHTS IN APARTMENTS (, 26 May 2009) - A federal appeals court says cable companies cannot have exclusive rights to provide service in apartment buildings that they wire. The decision today from the Court of Appeals in Washington upholds a Federal Communications Commission ruling that banned the exclusive agreements as anticompetitive. The deals involved a company exchanging a valuable service like wiring a multiunit building for cable in exchange for the exclusive right to provide service to all the residents. The commission said cable operators could no longer enter into such deals and existing ones could not be enforced. Associations representing cable companies and apartment building owners sued. But the appeals court sided with the FCC.

JUDGE SOTOMAYOR IS FIRST NOMINEE WITH CYBERLAW RECORD (BNA’s Thomas O’Toole blog, 26 May 2009) - President Obama’s choice today for Associate Supreme Court Justice, Sonia Sotomayor, authored a handful of cyberlaw opinions while on the Second Circuit. All business disputes and a privacy case, but nothing (I hope) that could provide ammunition for the World’s Greatest Deliberative Body. About Judge Sotomayor I will venture this: If confirmed, she will be the first justice who has written cyberlaw-related opinions before joining the court. I looked just now and couldn’t find where Chief Justice Roberts or Associate Justice Alito had written a cyberlaw opinion while serving as appellate judges. (Then-Judge Alito missed both ACLU v. Reno and Playboy Entertainment Group, Inc. v. United States, a pair of new media cases that were decided initially by special three-judge panels in the Third Circuit.) I don’t think any of the following means much as far as what Judge Sotomayor will do as an Associate Supreme Court Justice. I’m passing it along for conversational purposes only. Judge Sotomayor wrote the court’s 2002 opinion in Specht v. Netscape Communications Corp., an important online contracting case. In Specht, the Second Circuit declined to enforce contract terms that were available behind a hyperlink that could only be seen by scrolling down on a Web page. A “reasonably prudent” user would not have learned of the existence of the terms before responding to an invitation to download free software, Judge Sotomayor wrote.

SAVVIS FACES BANK LAWSUIT OVER CARDSYSTEMS DATA BREACH (FinExtra, 26 May 2009) - Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor’s systems were hacked, compromising up to 40 million credit card accounts. Atlanta-based CardSystems - now owned by Pay By Touch - identified a security incident in May 2005 that exposed more than 40 million credit cards to hackers. The following year the company agreed to settle federal charges that it failed to protect the financial data of millions of consumers. The US Federal Trade Commission (FTC) said the breach “led to millions of dollars in fraudulent purchases”. The FTC concluded CardSystems created unnecessary risks to the information by storing it and failed to ensure that its network was secure from attacks. Merrick, which is an acquiring bank for around 125,000 merchants, has now filed a federal complaint claiming the breach cost it around $16 million in payments to Visa and MasterCard for using a processor that did not meet their standards as well as payouts to affected banks and legal fees. Before the breach Merrick agreed to use CardSystems for processor and independent sales services if it proved compliance with Visa and MasterCard security requirements. The processor asked Savvis to assess and certify its compliance and got the all clear, and consequently the Merrick contract.

VIOLATING FACEBOOK TOS TO ACCESS USER DATA ACTIONABLE AS COPYRIGHT INFRINGEMENT (BNA’s Internet Law News, 28 May 2009) - BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that accessing the Facebook social network through automated means to scrape personal data in violation of the Facebook terms of service is actionable as copyright infringement. The court allowed a copyright infringement claim against a social networking conglomeration service to survive a motion to dismiss. Case name is Facebook Inc. v. Power Ventures Inc.

EFF GIVES COPYRIGHT EDUCATION A CRACK WITH NEW CURRICULUM (ArsTechnica, 28 May 2009) - Teaching copyright to schoolkids is a recent innovation, one spurred in large part by the fantastical growth and amazing ease of digital copying—both legal and illegal. Most such programs have been drawn up by rightsholders in a not-so-subtle attempt to bolster their business models. For instance, “Think First, Copy Later: Respecting Creative Ownership” may have some educational value, but the title makes clear that this is not the kind of dispassionate material that belongs in our nation’s classrooms. Now, the Electronic Frontier Foundation has launched a curriculum of its own in an effort to “give students the real story about their digital rights and responsibilities on the Internet and beyond.” But if the rightsholder-produced material stresses the “responsibilities” side of the equation a bit too heavily, the EFF leans predictably the other way. The Web-based EFF curriculum is called, simply, “Teaching Copyright.” It makes clear that students should not infringe copyright, but this is secondary to extended discussions about the VCR, the photocopier, audio cassettes, and blank CDs—technologies that each posed challenges to copyright holders. In a classroom exercise on P2P music sharing, the class is asked to consider the case of a “12-year-old girl in Toledo” who is sued for file-sharing. “The 12-year-old girl downloaded the songs, but she didn’t know she was doing anything illegal,” we are told. “She found the files on a site that was free to access, but there were no warning signs that the bands didn’t authorize the site. 
She’s a huge fan of these bands—she owns all of their CDs and just wanted to hear the new songs.” As for the bands she downloaded, we learn that one wants her to pay for the music but the other “has a different perspective and supports music file-sharing technology, even encouraging fans to download its latest album of MP3s for free or for whatever they want to pay. Band B believes P2P file-sharing helps promote its music and encourages an even wider spectrum of music to be heard.” Needless to say, these are not the sort of perspectives stressed in “Think First, Copy Later.” The material is all accurate, as is the curricula of most rightsholders. But it’s striking just how different the emphases are in these materials. The EFF’s curriculum rightly says that P2P isn’t just for copyright infringement because “NASA is using BitTorrent to distribute massive photographs; BitTorrent is used to cheaply distribute the Linux operating systems that are free to users.” This is absolutely true, and absolutely important. But the material glosses quickly over the absolutely epic levels of infringement taking place on P2P networks. Perhaps those are just “fair use,” perhaps they should be monetized through a blanket license, but they are the major concern of rightsholders and seem at least worth discussing in more depth.

TRO IN WEB ADVERTISING CASE COULD AUGUR MAJOR PROBLEM FOR SEARCH ENGINES AND ISPS (Steptoe & Johnson’s E-Commerce Law Week, 28 May 2009) - The Federal Trade Commission has won a temporary restraining order barring Yahoo!, Microsoft Network’s Live Search, AltaVista, and AllTheWeb from running certain deceptive advertisements -- even though the FTC did not name these search engines as defendants. The FTC’s complaint alleges that one or more unknown defendants violated the “deceptive acts or practices” prong of the FTC Act by purchasing search engine advertising that falsely suggested that the defendants were affiliated with the federal government’s “Making Home Affordable” program; however, clicking on the displayed links directed consumers to commercial websites that collected personal information and offered “paid home loan modification or foreclosure relief services.” In addition to directly enjoining the defendants from placing their deceptive ads, the TRO also requires the four search engines to: (1) “identify all persons” who paid them to place the ads; (2) “refuse to place paid advertisements that contain active hyperlinks that are labeled, or any other domain name containing the top level domain name ‘gov,’ for any such person”; and (3) send the FTC copies of all ads placed by such persons, along with the conditions for triggering the ads, the number of times the hyperlinks in the ads were clicked, and the amount paid for each ad. The court explained that it was imposing these requirements on the search engines pursuant to Rule 65(d)(2)(C) of the Federal Rules of Civil Procedure, which states that a preliminary injunction may bind persons who receive notice of the injunction and “are in active concert or participation with” the parties to a case. FTC order here:

ID-THEFT RULING: SET YOUR OWN FRAUD ALERTS (, 29 May 2009) - Companies that sell “identity-theft protection” present an alluring but questionable proposition. For as much as about $100 per year, the main thing they do is set fraud alerts that force banks to call people before new lines of credit are opened in their names. The alerts can be useful, but people can set them themselves, for free. Now even that function could be taken away from the ID theft-prevention services. A federal court in California has blocked Tempe, Ariz.-based LifeLock, one of the industry’s biggest players, from setting fraud alerts with Experian, one of the three main credit-reporting agencies that manage the fraud alerts. Experian is suing LifeLock, claiming that LifeLock’s automatic renewal of customers’ fraud alerts — which happens every 90 days, when they expire — costs Experian millions of dollars in processing expenses. In a ruling last week, a judge agreed with one of Experian’s central arguments, which is that LifeLock isn’t authorized to set alerts for consumers, and that federal law requires consumers to set alerts themselves by contacting credit bureaus directly. The ruling has caused at least one ID-theft prevention service, Debix, to announce it plans to drop fraud alerts and offer credit monitoring instead. The trend is likely to play out across the industry.

OBAMA’S PUBLIC-PRIVATE CYBERSECURITY CHALLENGE (Business Week, 30 May 2009) - As part of its effort to address national cybersecurity concerns, the Obama Administration is urging closer cooperation between the government and private industry. In a 38-page report released May 29 on the government’s 60-day review of cyberspace policy, the Administration said the nation is at a “crossroads,” where digital information permeates national life, but that it’s also using infrastructure which is inherently insecure and vulnerable to attacks that can cause devastating disruptions. To overcome these weaknesses, the report calls for closer cooperation and more robust information-sharing between itself and private industry. While the government has the responsibility to protect and defend the country against attacks, it’s the private sector that builds and operates most of the systems, from computers and the software running on them to the telecommunications networks that connect them. “Private-sector engagement is required to help address the limitations of law enforcement and national security,” the report says. It goes on to say that leaders of various industries need to share more information about attacks and their financial impact. Security experts say the report struck a familiar tone. “It’s a fresh coat of paint on the same old stuff,” says John Pescatore, vice-president for information security research at Gartner (IT). Eleven years ago, President Bill Clinton signed Presidential Decision Directive 63, which among other things called for public-private partnerships to protect critical infrastructure. The main result was the creation of several Information Sharing & Analysis Centers, or ISACs, meant to bring together executives from private industry and government to share information about attacks and vulnerabilities. Several ISACs were created in industries such as electricity, water, and public transportation. 
All of them, except for the one created for the financial industry, effectively failed, Pescatore says. “In the ISACs, the government basically wanted companies to give it lots of information without getting anything back in return,” he says. And companies that have participated are loath to disclose sensitive information about attacks because doing so might also lead to the disclosure of trade secrets and other proprietary information. Companies reporting data theft often don’t trust the government to keep their sensitive information out of the hands of the public and competitors; many computer crimes go unreported as a result. Some companies have also worried that sharing too much information with participating competitors might be interpreted as collusion under antitrust laws. Cybersecurity report here:

US GRAPPLES WITH HOW TO RETALIATE IN CYBER ATTACKS (Washington Post, 2 June 2009) - In the murky world of computer espionage, the U.S. faces hard choices on how to retaliate when government or privately owned networks come under cyber attack, senior military and intelligence officials said Tuesday. As the administration grapples with how best to defend its computer networks, debate is raging over how far the U.S. can go in pursuit of cyber criminals, and even what constitutes a digital act of war. The most immediate challenge is identifying the hacker, terrorist or enemy nation that launched the attack in vast and anonymous cyberspace, officials said. That hurdle is complicated by privacy debates over how deeply the government can wade into privately owned systems to investigate threats, and how it should handle attacks against a company, as opposed to a federal agency. U.S. law allows “hot pursuit” of criminals, said former Air Force Secretary Michael Wynne, so computer users “may have to tolerate some hot pursuit” through their digital world so authorities can track and ultimately respond to cyber crimes.

ANOTHER COURT RULING IN SPAIN FINDS PERSONAL FILE SHARING TO BE LEGAL (TechDirt, 2 June 2009) - While the entertainment industry has been working overtime to try to stop file sharing in Spain, court ruling after court ruling has found that personal file sharing is perfectly reasonable and legal -- and that sites that merely link to content rather than host it (i.e., search engines and trackers) aren’t breaking copyright law either. In the latest such case, a judge found that a guy who downloaded and shared over 3,000 movies wasn’t violating copyright law, because it was all for personal use with no intent to profit.

REPORT: SOCIAL NETWORKING UP 83 PERCENT FOR U.S. (CNET, 3 June 2009) - The explosion in social networking may be even greater than imagined. The time that people in the U.S. spend on social network sites is up 83 percent from a year ago, according to a report from market researcher Nielsen Online. Facebook enjoys the top spot among social networks, with people having spent a total of 13.9 billion minutes on the service in April of this year, 700 percent more than in April 2008, Nielsen said. Minutes spent on Twitter soared a whopping 3,712 percent to almost 300 million, versus around 7.8 million from the same month a year ago. Former top dog MySpace watched its usage drop nearly one-third to around 4.9 billion minutes, from 7.2 billion in April 2008. MySpace still scored the number one spot for online video among the top 10, thanks to its users streaming more than 120 million videos from the site for April of this year. But the report also offered a cautionary note: the social networking user can be fickle, quickly bouncing from one service to another. “Remember Friendster? Remember when MySpace was an unbeatable force? Neither Facebook nor Twitter are immune,” said Gibs. “Consumers have shown that they are willing to pick up their networks and move them to another platform, seemingly at a moment’s notice.” Despite its growth and popularity, Twitter may be especially vulnerable to users who don’t stick around. Another Nielsen report from April found that 60 percent of Twitter users--dubbed Twitter Quitters by the media--abandon their tweets after only one month of use. Only about 30 percent of users on MySpace and Facebook jump ship.

NEW PROGRAMS PUT CRIME STATS ON THE MAP (Wall Street Journal, 3 June 2009) - When a burglar broke into a home on the outskirts of Riverdale Park, Md., last month, some locals quickly received an email alert about the incident. Once police confirmed the crime on the scene, they followed up with a more thorough email disclosing the time, location and type of crime. The alert is part of a crime-information service that the Riverdale Park police department provides its residents about illegal activity in their neighborhoods. “It helps us keep the public informed,” says Teresa Chambers, police chief of Riverdale Park, a suburb of Washington, D.C. “It’s also a way for us to solicit help [from residents] in solving some of these crimes.” Across the country, Americans can increasingly track crime trends block by block as more police departments contract with Internet-based crime-mapping services. Since 2007, more than 800 police departments have begun working with Web sites like, and The services take live feeds from police record-keeping systems and automatically post the data on their sites. While the Web sites are free for consumers, they charge police departments about $200 a month to participate and they also sell advertising. Police say they use the sites to help change citizens’ behavior toward crime and encourage dialogue with communities so that more people might offer tips or leads. Some of the sites have crime-report blogs that examine activity in different locales. They also allow residents to offer tips and report crimes under way.

- and -

MAP OF DISPUTES BETWEEN WTO MEMBERS (WTO website, June 2009) - The World Trade Organization has recently posted on its website an interactive map that depicts disputes between its member states. The top of the webpage shows a list of highlight-able choices among types of member-state involvement in disputes: as complainant, respondent, or either. The accompanying map shows member-state areas of the world in a color range of whitish pink to red, to indicate the range in the number of disputes (0-100), and non-member-state areas in gray; the United States is bright red.

WEB SERIES TIED TO ‘BLADE RUNNER’ IS IN THE WORKS (New York Times, 4 June 2009) - Here is some news that will make fans of the 1982 science-fiction cult film “Blade Runner” shudder with either anticipation or trepidation. On Thursday the film’s director, Ridley Scott, announced that a new division of his commercials company, RSA Films, was working on a video series called “Purefold.” The series of linked 5- to 10-minute shorts, aimed first at the Web and then perhaps television, will be set at a point in time before 2019, when the Harrison Ford movie takes place in a dystopian Los Angeles. Mr. Scott, his brother Tony and his son Luke are developing the project in conjunction with the independent studio Ag8, which is run by one of the creators of “Where are the Joneses?” a British Web sitcom that solicited storyline suggestions from the audience. Similarly, “Purefold” will harvest story input from its viewers, in conjunction with the social media site FriendFeed. But the series won’t be hewing too closely to the specific characters or situations in “Blade Runner.” Some of that material stemmed from the Philip K. Dick novel “Do Androids Dream of Electric Sheep?” which the “Purefold” creators do not have rights to. “We don’t take any of the canon or copyrighted assets from the movie,” said David Bausola, founding partner of Ag8, who said he hoped the series would debut later this summer and that the first episodes would depict events about two years into the future. “It’s actually based on the same themes as ‘Blade Runner.’ It’s the search for what it means to be human and understanding the notion of empathy. We are inspired by ‘Blade Runner.’” Other partners in the project include the ad and marketing agencies WPP, Publicis, Aegis Media and Naked Communications. They will bring in advertisers whose products and brands — or hypothetical future versions of them — could be featured in the series. 
In an indication that the filmmakers are interested in exploring a new kind of collective, social creativity, the episodes in the series will be released under a Creative Commons license, marking the first time a major Hollywood director has embraced that alternative licensing scheme. The license means fans of the series can take the episodes and remix or otherwise repurpose them, and even make their versions available commercially under the same license.

FEDERAL IT SECURITY RECOMMENDATIONS RELEASED IN FINAL NIST DRAFT (GCN, 4 June 2009) - The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final draft version of Special Publication 800-53, Revision 3, titled “Recommended Security Controls for Federal Information Systems and Organizations,” released yesterday. NIST called the document, which is expected to be finalized July 1, historic. “For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national-security systems,” NIST said. “The updated security control catalog incorporates best practices in information security from the United States Department of Defense, intelligence community and civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.” SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act. This revision is the first major update of these guidelines since its initial publication in December 2005. This document specifies the baseline security controls needed to meet the mandatory requirements of Federal Information Processing Standard (FIPS) 199, titled “Standards for Security Categorization of Federal Information and Information Systems,” and FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.” SP 800-53/3 here:

WEB PRIVACY STUDY FINDS WIDESPREAD DATA SHARING, ‘WEB BUGS’ (RedOrbit, 4 June 2009) - Researchers at the University of California, Berkeley’s School of Information released a report late Monday (June 1) showing that the most popular Web sites in the United States all share data with their corporate affiliates and allow third parties to collect information directly by using tracking beacons known as “Web bugs” - despite the sites’ claims that they don’t share user data with third parties. A key focus of the School of Information report is the use of Web bugs. Web analytics companies and advertising servers use Web bugs to track users for improved marketing or behavioral profiling. A Web bug is typically a small graphic embedded in a Web page, usually in the form of a 1-by-1 pixel image that is invisible to the naked eye. It turns out that a handful of tracking companies operating Web bugs have an incredible breadth of coverage, the researchers said. For example, five tracking companies were represented on more than half of the top 100 Web sites examined in the study, while Web bugs from Google and its subsidiaries were found on 92 of the top 100 Web sites and 88 percent of the approximately 400,000 unique domains examined in the study. “Web bugs are ubiquitous,” said Soltani. During the month of March 2009, the researchers found at least one Web bug on each of the top 50 Web sites, while most sites had several Web bugs and some had as many as 100.

WEB SITE TRACKS POLICY CHANGES AT POPULAR SITES (AP, 4 June 2009) - A new Web site unveiled Thursday will track policies imposed by popular Internet sites such as Facebook and Google, hoping to help users spot potentially harmful changes., the brainchild of privacy advocacy group Electronic Frontier Foundation, will track terms of service modifications within hours of an update. The site will compare old and new policies side by side and highlight changes. With about two dozen sites covered already, plans to add more agreements, from credit card, bank, cable TV and other companies. Tim Jones, the EFF’s activism and technology manager, hopes the site will help avoid debacles such as the one faced by Facebook in February. Changes to Facebook’s terms of use over control of content went unnoticed at first. But amid protests that Facebook might hold sway over content indefinitely, the company agreed to solicit user feedback. The site reverted to the previous terms of use policies as it tried to resolve the issues raised. Ultimately, Facebook let users vote on revised terms, which clarify that users own their information, not Facebook. But Jones said many Web sites change their terms of service all the time and often don’t notify their users. “Terms of service policies are obviously really important. They form the foundation of your relationship with almost every site you visit on the Internet,” he said. “But almost no one really has time to read them or the legal background to read them.” aims to make the general public more aware of user agreements and how it affects them, Jones said. For TOSBack:

- and -

iAWFUL, THE INTERNET ADVOCATES WATCHLIST FOR UGLY LAWS (NetChoice initiative) - Reckless and misguided laws, often originating at the state level, threaten to undermine the foundation of the free and open Internet. Some of the most serious threats to the Internet come in the form of lawmakers trying to ‘fix’ it. Knee-jerk, overly prescriptive laws can destroy whole business models or stifle innovative new forms of communication before they have a chance to emerge. Too many laws are proposed without considering unintended harm they may cause to thousands of Internet companies and millions of Internet users. NetChoice is dedicated to fighting these attacks on core Internet principles. Through this site, the Internet Advocates’ Watchlist For Ugly Laws (iAWFUL) will track dangerous legislation and mobilize citizens to defeat bills and proposals that threaten the future of ecommerce and online communication. The list will be continually updated to reflect the most immediate dangers, based on regulatory severity and likelihood of passage. Launch coverage by

THE NEW STUDENT EXCUSE? (InsideHigherEd, 5 June 2009) - Most of us have had the experience of receiving e-mail with an attachment, trying to open the attachment, and finding a corrupted file that won’t open. That concept is at the root of a new Web site advertising itself (perhaps serious only in part) as the new way for students to get extra time to finish their assignments. offers a service -- recently noted by several academic bloggers who have expressed concern -- that sells students (for only $3.95, soon to go up to $5.95) intentionally corrupted files. Why buy a corrupted file? Here’s what the site says: “Step 1: After purchasing a file, rename the file e.g. Mike_Final-Paper. Step 2: E-mail the file to your professor along with your ‘here’s my assignment’ e-mail. Step 3: It will take your professor several hours if not days to notice your file is ‘unfortunately’ corrupted. Use the time this website just bought you wisely and finish that paper!!!”

JUDGE REPRIMANDED FOR FRIENDING LAWYER AND GOOGLING LITIGANT (ABA Journal, 5 June 2009) - A North Carolina judge has been reprimanded for “friending” a lawyer in a pending case, posting and reading messages about the litigation, and accessing the website of the opposing party. Judge B. Carlton Terry Jr. and lawyer Charles Shieck both posted messages about the child custody and support case heard last September, the Lexington Dispatch reports. Terry also accessed the website of the opposing litigant and cited a poem she had posted there, according to the April 1 public reprimand by the North Carolina Judicial Standards Commission. The opinion says Terry and Shieck first discussed Facebook in chambers in the presence of the opposing lawyer in the case, Jessie Conley, who said she didn’t know what Facebook was and didn’t have time for it. After the discussion, Terry and Shieck friended each other. Shieck later posted a Facebook reference to the issue of whether his client had had an affair, saying “How do I prove a negative?” according to the opinion. Shieck also wrote, “I have a wise judge.” Terry told Conley about Shieck’s posts the day after he read them. The same day during court proceedings he referenced the poem he found and posted a Facebook message that the case was in its last day of trial. After the hearing concluded, Terry disclosed to both parties that he had visited the website of Conley’s client, where he found the poem, and then disqualified himself at the request of Conley. Terry told investigators the poem had suggested that Conley’s client was not as bitter as he first thought and had given him hope for the litigants’ children. He also cooperated in the investigation, the opinion says. The opinion says the ex parte communications and the independent gathering of information indicated a disregard of the principles of judicial conduct. Reprimand here:

SAN FRANCISCO TWITTERS WITH CITIZENS TO FIX CITY (InformationWeek, 8 June 2009) - In San Francisco, if you see a pothole that needs fixing or garbage on the sidewalk, don’t just complain about it -- tweet it. The city launched a program to allow people to send Twitter messages to city government for any nonemergency communications -- requesting garbage pickup, road repair, inquiring about where to get a copy of your marriage certificate, and more. The service connects the city’s 311 call center through Twitter. To sign up, users must go to and click on “Follow Me,” and then send a direct message to “d SF311” to talk to the city. Some examples: * * *

SWEDISH PIRATE PARTY ENTERS EU PARLIAMENT: PARTIAL RESULTS (AFP, 8 June 2009) - A Swedish party that wants to legalise Internet filesharing and beef up web privacy scored a big victory Sunday by winning a European parliament seat, results showed. The Pirate Party won 7.1 percent of votes, taking one of Sweden’s 18 seats in the European parliament, with ballots in 5,659 constituencies out of 5,664 counted. The party was founded in January 2006 and quickly attracted members angered by controversial laws adopted in Sweden that criminalised filesharing and authorised monitoring of emails. Its membership shot up after a Stockholm court on April 17 sentenced four Swedes to a year in jail for running one of the world’s biggest filesharing sites, The Pirate Bay. Prime Minister Fredrik Reinfeldt’s conservative Moderates won 18.8 percent of votes and four seats, close to its score in the European election in 2004 but down sharply from the 26.1 percent it won in Sweden’s 2006 general election.

ARMY ORDERS BASES TO STOP BLOCKING TWITTER, FACEBOOK, FLICKR (Wired, 10 June 2009) - The Army has ordered its network managers to give soldiers access to social media sites like Facebook, Flickr, and Twitter, Danger Room has learned. That move reverses a years-long trend of blocking the web 2.0 locales on military networks. Army public affairs managers have worked hard to share the service’s stories through social sites like Flickr, Delicious and Vimeo. Links to those sites featured prominently on the homepage. The Army carefully nurtured a Facebook group tens of thousands strong, and posted more than 4,100 photos to a Flickr account. Yet the people presumably most interested in these sites — the troops — were prevented from seeing the material. Many Army bases banned access to the social networks. An operations order from the Army’s 93rd Signal Brigade to all domestic Directors of Information Management, or DOIMs, aims to correct that. Issued on May 18th “for official use only,” the document has not been made public until now. It is “the intent of senior Army leaders to leverage social media as a medium to allow soldiers to ‘tell the Army story’ and to facilitate the dissemination of strategic, unclassified information,” says the order, obtained by Danger Room. Therefore, “the social media sites available from the Army homepage will be made accessible from all campus area networks. Additionally, all web-based email will be made accessible.”

MAGAZINE COVER ADS, SUBTLE AND LESS SO (New York Times, 11 June 2009) - ADS have been creeping onto magazine covers lately. Sometimes it’s blatant, as at Scholastic Parent & Child, which has been running actual ads on covers. Sometimes it’s subtle, as at Entertainment Weekly, which recently made its cover into a pocket, where it inserted a pull-out ad. In its July issue, Popular Science is taking a different approach. It has created a cover sponsored by General Electric. But the G.E. affiliation becomes obvious only when the cover is held up to a Web camera. Although other magazine publishers have used cover ads to generate cash, Popular Science did not charge G.E. for the cover. Ads on covers violate rules set by the American Society of Magazine Editors, which requires a clear separation between editorial space and advertising space. Though the repercussions for putting ads on the cover are not severe — the society sends a letter of reprimand, and occasionally bars the publication from competing in the National Magazine Awards — magazines have gone to great lengths to avoid clear-cut cover advertisements. The Popular Science cover depicts windmills that look like something out of “Star Wars,” and promotes articles about energy. A box announces that the cover is three-dimensional. When a reader holds it up to a computer Webcam, it signals the computer to display Flash-based imagery. The computer shows a 3-D scene of windmills over the cover, and the reader can blow on the computer microphone to move the windmills’ blades. The technology is called augmented reality. It combines a real image with a virtual one, and viewers can adjust the real image to change the virtual one. To kick-start the technology, the providers ask viewers to hold up a trigger image — the cover, in this case — to a Webcam. (People without the Popular Science cover can go to beginning Tuesday to print out a copy of the cover and use the program.)

AGENCIES ISSUE FREQUENTLY ASKED QUESTIONS ON IDENTITY THEFT RULES (FTC, 11 June 2009) - Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC). The rules require financial institutions and creditors to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy. The agencies developed answers to these FAQs to provide guidance on numerous aspects of the rules, including which types of entities and accounts are covered, establishment and administration of an Identity Theft Prevention Program, address validation requirements applicable to card issuers, and the obligations of users of consumer reports upon receiving a notice of address discrepancy. The FTC also has developed a Web site with additional resources and guidance for creditors and financial institutions that are within its jurisdiction.

ARE WE IN CONTROL OF OUR OWN DECISIONS? (TED Talk by Dan Ariely, 19 May 2009) - Behavioral economist Dan Ariely, the author of Predictably Irrational, uses classic visual illusions and his own counterintuitive (and sometimes shocking) research findings to show how we’re not as rational as we think when we make decisions. [Editor: pretty interesting 10-minute presentation, with implications for election ballot design.]

**** RESOURCES ****
E-POLICY PROGRAMS: ESSENTIAL FOR IP PROTECTION (ABA’s Landslide Magazine, March/April 2009; article by V. Polley) - Fourteen years ago the Internet was a novelty. Back then, communications were largely face-to-face, they used the U.S. mails or telephone, and they had some parties making limited use of early email systems. Intellectual property was little threatened by mass communication or espionage. Fourteen years later Internet-enabled workplace tools are everywhere, and they are continuing to evolve in unanticipated ways. Like an unpredictable teenager disrupting your home, they require rules and discipline. But it’s also important to listen to your teenager—simply telling her to behave is unlikely to succeed. Moreover, she probably has a better understanding than her parents of these kinds of new tools: by listening to her you can get early warning of problems. IP protection is similarly complicated in 2009, and the appropriate response comes from a measured combination of rules, discussion, and tolerance.; follow-on 15 minute audio interview of Polley by LawCast (April 2009) available here:

INFORMAL CORPORATE DISCLOSURE IN THE AGE OF TWITTER (McDermott Will & Emery, 20 May 2009) - For public companies listed on the New York Stock Exchange (NYSE), the long-standing mandatory use of press releases as a means of disseminating material company information has finally given way to the immediacy and near-ubiquity of the internet. Effective May 7, 2009, NYSE-listed companies are no longer required to use press releases to distribute material information, but only encouraged to do so. Instead, the amended NYSE Immediate Release Policy provides that, subject to certain conditions, material information required to be released promptly can be disclosed by means of any Regulation FD compliant method. Considered long overdue by many—the Nasdaq Stock Market made a similar change several years ago—the change is most notable for removing a relatively minor but symbolically significant obstacle to broader use of advanced technologies by public companies in their communications with investors and the public at large. The change to the NYSE’s Immediate Release Policy is consistent with guidance (the Website Guidance) issued in 2008 by the U.S. Securities and Exchange Commission (SEC) on how company websites can be primary vehicles for communicating with investors without violating the SEC’s general antifraud rule, Rule 10b-5, or Regulation FD, which proscribes the selective disclosure of material nonpublic information. The Website Guidance, in which the SEC encouraged the use of company websites for disclosure, is not considered a change in SEC regulation, but rather a principles-based interpretation of existing relevant law and regulation applied to the challenges and opportunities faced by emerging technologies. 
Whether the legal framework articulated in the Website Guidance is sufficient to address the accelerating adoption by millions of corporate and individual users of communications tools and social networking sites, such as Twitter, blogs, LinkedIn and Facebook, remains to be seen, but it is essential that public companies appreciate and appropriately manage the legal risks associated with the use of these activities, and those still to emerge, in the distribution of material information to investors. [Editor: useful white paper.]

**** BOOK REVIEW ****
DISCOVERING THE DIGITAL RECORD—THE QUESTIONS FOR EXAMINATION (by Jeffrey Ritter and David Gaston) -- Nearly 200 pages, the book presents a comprehensive, integrated asset that pulls together the legal and technology knowledge required for lawyers to develop and execute competent and effective electronic discovery. “Discovering the Digital Record is designed for lawyers and IT professionals with limited e‐discovery experience,” Ritter observed. “Through training over 750 professionals in the last year, we have learned that there is a critical need to transfer to lawyers the knowledge and tools they need to effectively investigate the authenticity of digital records offered for the truth. Our new book delivers the same knowledge and tools that have been described by our students and readers as ‘remarkable, awesome, and invaluable!’”, Ritter said. “With this book, we can enable lawyers to construct efficient, powerful discovery requests that ask for the right information for proving the truth of any business record.”

**** FUN ****
WI-FI SIGNAL STATUS FOR YOU AND THE WORLD! (ThinkGeek product ad) - Here at ThinkGeek we’re pretty lazy when it comes to technology. We expect our gadgets to do all the busywork while we focus on the high level important tasks like reading blogs. That’s why we hate to have to crack open our laptops just to see if there is any wi-fi internet access about... and keychain wi-fi detectors, we would have to actually remove them from our pockets to look at them. But now thanks to the ingenious ThinkGeek robot monkeys you can display the current wi-fi signal strength to yourself and everyone around you with this stylish Wi-Fi Detector Shirt. The glowing bars on the front of the shirt dynamically change as the surrounding wi-fi signal strength fluctuates. Finally you can get the attention you deserve as others bow to you as their reverential wi-fi god, while geeky chicks swoon at your presence. You can thank us later.
Product Features:
• Glowing animated shirt dynamically displays the current wi-fi signal strength.
• Shows signal strength for 802.11b or 802.11g
• Black 100% Cotton T-Shirt

SOME THOUGHTS ON THE PLEASURES OF BEING A RE-READER (NYT Editorial Observer, 30 May 2009) - I’ve always admired my friends who are wide readers. A few even pride themselves on never reading a book a second time. I’ve been a wide reader at times. When I was much younger, I spent nearly a year in the old Reading Room of the British Museum, discovering in the book I was currently reading the title of the next I would read. But at heart, I’m a re-reader. The point of reading outward, widely, has always been to find the books I want to re-read and then to re-read them. In part, that’s an admission of defeat, an acknowledgement that no matter how long and how widely I read, I will only ever make my way through a tiny portion of the world’s literature. (The British Museum was a great place to learn that lesson.) And in part, it’s a concession to the limits of my memory. I forget a lot, which makes the pleasure of re-reading all the greater. The love of repetition seems to be ingrained in children. And it is certainly ingrained in the way children learn to read — witness the joyous and maddening love of hearing that same bedtime book read aloud all over again, word for word, inflection for inflection. Childhood is an oasis of repetitive acts, so much so that there is something shocking about the first time a young reader reads a book only once and moves on to the next. There’s a hunger in that act but also a kind of forsaking, a glimpse of adulthood to come. The work I chose in adulthood — to study literature — required the childish pleasure of re-reading. When I was in graduate school, once through Pope’s “Dunciad” or Berryman’s “The Dream Songs” was not going to cut it. A grasp of the poem was presumed to lie on the far side of many re-readings, none of which were really repetitions. The same is true of being a writer, which requires obsessive re-reading. 
But the real re-reading I mean is the savory re-reading, the books I have to be careful not to re-read too often so I can read them again with pleasure. It’s a miscellaneous library, always shifting. It has included a book of the north woods: John J. Rowlands’s “Cache Lake Country,” which I have re-read annually for many years. It may still include Raymond Chandler, though I won’t know for sure till the next time I re-read him. It includes Michael Herr’s “Dispatches” and lots of A.J. Liebling and a surprising amount of George Eliot. It once included nearly all of Dickens, but that has been boiled down to “The Pickwick Papers” and “Great Expectations.” There are many more titles, of course. This is not a canon. This is a refuge. Part of the fun of re-reading is that you are no longer bothered by the business of finding out what happens. Re-reading “Middlemarch,” for instance, or even “The Great Gatsby,” I’m able to pay attention to what’s really happening in the language itself — a pleasure surely as great as discovering who marries whom, and who dies and who does not. The real secret of re-reading is simply this: It is impossible. The characters remain the same, and the words never change, but the reader always does. Pip is always there to be revisited, but you, the reader, are a little like the convict who surprises him in the graveyard — always a stranger. I look at the books on my library shelves. They certainly seem dormant. But what if the characters are quietly rearranging themselves? What if Emma Woodhouse doesn’t learn from her mistakes? What if Tom Jones descends into a sodden life of poaching and outlawry? What if Eve resists Satan, remembering God’s injunction and Adam’s loving advice? I imagine all the characters bustling to get back into their places as they feel me taking the book down from the shelf. “Hurry,” they say, “he’ll expect to find us exactly where he left us, never mind how much his life has changed in the meantime.”

GROUP APPROVES CONTROVERSIAL SOFTWARE LAW -- The National Conference of Commissioners on Uniform State Laws (NCCUSL) voted Thursday in favor of the controversial UCITA proposal that would create common licensing rules for software and other IT transactions. The vote does not make UCITA law, but experts say that most state legislatures adopt laws recommended by the organization. Critics say UCITA would rob IT companies and other software customers of their rights and leave them at the whim of software vendors. The law deregulates product licensing and addresses software, multimedia interactive products, data and databases, and the Internet and online information. It also contains provisions to allow vendors to shut down software remotely if they suspect a violation of the licensing terms, make shrink-wrapped licensing terms enforceable even though the buyer will not see the license until after the software is purchased, ban reverse engineering, and allow vendors to disclaim warranties. (InfoWorld Electric 07/29/99) -- see also

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School
2. Edupage
3. SANS Newsbites
4. NewsScan and Innovation
5. BNA’s Internet Law News
6. Crypto-Gram
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
