Saturday, July 04, 2009

MIRLN --- 14 June – 4 July 2009 (v12.09)

• Trade Sanctions and Web 2.0: Are US Regulations Hurting Free Speech in Iran?
o Twitter Plays Key Role in DOS Attacks in Iran
• Heartland CEO Says Data Breach was ‘Devastating’
• Privacy Experts Concerned Over Google Cloud Services
• Microsoft Veteran Launches Twitter Search Engine
• Breach Notification Laws to Take Effect in Alaska and South Carolina on July 1
• FTC Action Requires Prominent Notice and Express Consent Before Use of Tracking Software
o Industry Tightens its Standards for Tracking Web Surfers
• Bozeman to Job Seekers: We Won’t Seek Passwords
• FTC Plans to Monitor Blogs for Claims, Payments
• Dunkin’ Donuts iPhone App Makes Coffee More Social
• Court Says Anti-Telemarketing Law Covers Unsolicited Text Messaging
• Email Patterns Can Predict Impending Doom
o The Online Ad that Knows Where Your Friends Shop
• TJX Reaches Settlement with States on Data Theft
• Apple’s Obsession with Secrecy Grows Stronger
• EU Wants Tighter Privacy on Social Networks
• FBI Compounds Mystery with Secret Justification of Gag Order
• ICANN Names New CEO
• Obama Seeks Input on Classification of Records
o Online Tool Will Track U.S. Tech Spending
• High Court Won’t Block Remote Storage DVR System
• Study: Older C-Level Execs Avoid Twitter, Blogs
• Judge Throws Out Conviction in Cyberbullying Case


**** NEWS ****
TRADE SANCTIONS AND WEB 2.0: ARE US REGULATIONS HURTING FREE SPEECH IN IRAN? (EFF, 15 June 2009) - For the past few days, Iranians have been taking advantage of US-hosted communication services like Twitter and Facebook to communicate with each other about their contested election, uncover and compare facts, and convey their experiences to the rest of the world. They’ve done that despite apparent attempts to block these sites by the Iranian authorities. For those watching and listening, it’s been a bracing demonstration of the power of the Internet — and the latest Web 2.0 services — to enhance free speech, wherever you live. But EFF has also been watching with concern the blocking of Web 2.0 sites in countries like Iran. This new threat doesn’t come from foreign governments: it appears to be coming from the ambiguity of the United States’ own export regulations, and how they should be applied to new web sites and services. The problem, as is so often the case in the clash between new technology and the law, lies in the mismatch between the language of the old regulations and the new world of the Internet. The United States’ export law bans much US trade with countries like Cuba, Iran, the Sudan and Syria. [W]e’ve seen evidence that corporate lawyers advising Web 2.0 companies may be acting defensively to protect their Internet clients from prosecution under the export laws. Earlier this year, LinkedIn appeared to deliberately block its Sudanese and Syrian users from its website, presumably out of fear that their site be classed outside of the law’s free speech exceptions. And ComputerWorld last week quoted two export lawyers who thought that websites like Twitter and Facebook would be affected by sanction regulations because they provide “services” rather than simply information materials. “If you ask any lawyer who regularly practices in this area, they would say don’t offer the service [to sanctioned countries],” one lawyer is reported to have said. Iran is, of course, one of those countries currently under stiff sanctions from the U.S.

- and -

TWITTER PLAYS KEY ROLE IN DOS ATTACKS IN IRAN (ComputerWorld, 18 June 2009) - The unrest in Iran is serving as a warning on how easy it is for individuals and groups to use a social networking tool like Twitter to mobilize a cyber-army against a political or commercial target anywhere in the world. Over the past few days, news media reports have described how Twitter is being used by ordinary Iranians to receive and broadcast real-time information on the political unrest in the country after recent elections. But a still developing and less benign use of Twitter in Iran has been its application in denial-of-service attacks against key government officials, including those affiliated with President Mahmoud Ahmadinejad. Initially, the tweets directed users to online locations with links that users could click on to participate in a DoS attack against a particular Iranian Web site, said Richard Stiennon, founder of IT-Harvest, a Birmingham, Mich.-based consultancy. A Google Doc circulating on the Web, for instance, lists several URLs pointing to Iranian Web sites listed by categories such as “Governmental and HARDLINE NEWS,” “Police, Ministry of Interior,” “Central Bank,” “Commerce Banks” and “Office of Ahmadijenad and Khameneie.” When a user clicks on any of the links, it initiates a continuous stream of page refresh requests to the targeted Web site that will eventually overcome the site if enough people click on the link. More recently, tweets have begun circulating that allow users to achieve the same result by simply clicking on the embedded URL in the message. As soon as a user hits the page, as many as 24 frames open up simultaneously and refresh continuously, causing a DoS attack against the 24 separate Web sites, Stiennon said.

HEARTLAND CEO SAYS DATA BREACH WAS ‘DEVASTATING’ (ComputerWorld, 17 June 2009) - Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year. “I wanted to throw up. It was devastating,” says Carr, recalling how he felt upon realizing that one of his worst fears had come true. “People had asked me for years ‘what keeps you awake at night’ and I would keep telling them it was the fear of a data breach,” he told Computerworld. Five months after Heartland announced what some think may be the biggest data breach ever, Carr is working over-time to limit the fallout from the incident, and the damage to the company’s reputation.

PRIVACY EXPERTS CONCERNED OVER GOOGLE CLOUD SERVICES (, 17 June 2009) - A number of high-profile privacy and information security experts have written to Google chief executive Eric Schmidt demanding the search firm change its privacy settings to improve users’ security. They are concerned that Google’s default privacy settings for some of its cloud-based services are not adequate. Unless a user enables specific security options any email, document, spreadsheet, presentation and calendar plan is transferred to Google’s servers without encryption. The letter adds: “We ask you to increase users’ security and privacy protection by enabling by default transport-level encryption (HTTPS) for Google Mail, Docs and Calendar, a technology already enabled by default for Google Voice, Health, AdWords and AdSense.” Good related Berkman podcast by Chris Soghoian here: EFF commentary here:

MICROSOFT VETERAN LAUNCHES TWITTER SEARCH ENGINE (CNET, 17 June 2009) - The former head of Microsoft’s search unit may have left Redmond, but he is still very much in the search game. Ken Moss, who led the search engineering team at Microsoft for five years, has spent the last months building CrowdEye, a real-time search engine that aims to allow users to better mine Twitter to get a pulse on hot topics. The service, which is going into public beta on Thursday, offers up not only the latest tweets on a topic, but also a list of the most popular links on a topic and a tag cloud of associated terms. “I think that real-time search is the next big thing in search,” Moss said in a telephone interview. “It’s an area that has been underexploited to date.” Searching Twitter is good for news, he said, but also for things such as finding the latest viral video or a solution to a new software bug. Of course, Moss is not alone in this thinking. Twitter has its own search engine, while others such as Topsy and OneRiot, are also mining the twitterverse. Among its features, CrowdEye has a historical view that allows one to see how the discussion on a topic has evolved. Although, for now, that historical period is only three days.

BREACH NOTIFICATION LAWS TO TAKE EFFECT IN ALASKA AND SOUTH CAROLINA ON JULY 1 (Steptoe & Johnson’s E-Commerce Law Week, 18 June 2009) - Two more states will soon begin enforcing data breach notification requirements. As we previously reported, Alaska governor Sarah Palin signed a bill in June 2008 that will require any person or business that owns or licenses the personal information of a state resident to notify the resident if this information is breached, subject to a risk of harm threshold. And South Carolina governor Mark Sanford signed a bill in April 2008 that will require any person that does business in the state, “own[s] or licens[es]” data that includes “personal identifying information,” and discovers a breach of this information to notify any affected state residents “whose personal identifying information ... was not rendered unusable through encryption, redaction, or other methods.” The South Carolina law requires notification only if the personal information “was, or is reasonably believed to have been, acquired by an unauthorized person,” and “illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.” Both states’ laws take effect on July 1, 2009.

FTC ACTION REQUIRES PROMINENT NOTICE AND EXPRESS CONSENT BEFORE USE OF TRACKING SOFTWARE (Steptoe & Johnson’s E-Commerce Law Week, 18 June 2009) - Sears Holdings Management Corporation (SHMC) has agreed to settle Federal Trade Commission charges stemming from its alleged failure to “disclose adequately” that software it offered to visitors to and would monitor their Internet use and send this information to SHMC’s servers. As part of the settlement, SHMC agreed to: obtain customers’ express consent to the download or installation of any tracking software; make a prominent post to the SHMC website to inform existing users of the software that it was tracking their Internet use; assist consumers in uninstalling the tracking software; cease collecting data transmitted by any software installed before the agreement; and destroy any information collected by the software. SHMC also agreed to “[c]learly and prominently” notify consumers of the tracking functions in any future SHMC software prior to its installation and outside of any license agreement -- including by disclosing the types of data collected, “how the data may be used,” and “whether the data may be used by a third party.” Settlement agreement here:

- and -

INDUSTRY TIGHTENS ITS STANDARDS FOR TRACKING WEB SURFERS (New York Times, 1 July 2009) - In an effort to fend off federal regulation, major trade groups in the advertising industry have announced stricter guidelines on how their members use and collect online data. In a report to be released Thursday, a consortium of the trade groups intends to address a growing concern in Washington and among consumer advocates that people are being tracked too much online, with information about their Web surfing, shopping habits and overall interests being collected for advertising purposes. Congress held hearings on the subject in June, asking executives from Facebook, Google and Yahoo to testify, and the Federal Trade Commission issued a report in February that urged updated principles for self-regulation. All along, most advertisers, agencies and publishers have been arguing that they can keep an eye on their own practices, and don’t need government intervention. The jump in interest from Washington hastened the report’s release, said Stuart P. Ingis, a partner at the Venable law firm and a lawyer for the trade groups. The report, “Self-Regulatory Principles for Online Behavioral Advertising,” reflects several of the commission’s suggestions from February. The principles are meant to go into effect in 2010, affecting the more than 5,000 companies that belong to the sponsoring organizations, including Google, Microsoft, Yahoo, Disney and Verizon. In one big change, the report instructs members to provide notice, either in an ad or on a Web site (rather than hidden in the privacy policy), that behavioral information is being collected. Mr. Ingis said the exact form of the notice had not been decided on — it could be a link that says “Why did I get this?” or “interest-based advertising,” meaning information on advertising based on Web visits and behaviors, he said.
The report also suggests an enforcement process, so that competitors or consumers can bring complaints if a company violates the principles. “Programs will also, at a minimum, publicly report instances of noncompliance and refer entities that do not correct violations to the appropriate government agencies,” the report says. It also says consumers must approve the collection of “sensitive data” — mostly on finances or health. Another issue privacy watchdogs have raised is that consumers have no access to the data being collected about them — it is all done behind the scenes. Giving consumers access to the data is “an interesting concept,” Mr. Ingis said, noting that what the companies collect shows up as “a bunch of ones and zeros.” “The data is in computer wording, programming speak, and to the consumer would mean nothing,” he said. (A handful of online companies, including Google, have translated the data, however, and have said they will give consumers access.)

BOZEMAN TO JOB SEEKERS: WE WON’T SEEK PASSWORDS (CNET, 20 June 2009) - The city of Bozeman, Mont., has rescinded its long-standing policy that job applicants provide user names and passwords to social-networking sites such as Facebook and MySpace. According to a press release issued Friday: “The extent of our request for a candidate’s password, user name, or other internet information appears to have exceeded that which is acceptable to our community. We appreciate the concern many citizens have expressed regarding this practice and apologize for the negative impact this issue is having on the City of Bozeman.” The city stopped the practice as of midday Friday, until it “conducts a more comprehensive evaluation of the practice,” the release said. Bozeman, which is about 100 miles north of Yellowstone National Park, found itself in the international spotlight this week when the local media reported that the city government’s background check included evaluating job candidates’ suitability based on their social-networking site postings. The city had been doing so for a few years. The background check form stated: “Please list any and all current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo,, MySpace, etc.” Groups, including the Electronic Frontier Foundation, a digital rights organization, derided the practice. “I think it’s indefensibly invasive and likely illegal as a violation of the First Amendment rights of job applicants,” EFF attorney Kevin Bankston told CNET News earlier this week. “Essentially, they’re conditioning your application for employment on your waiving your First Amendment rights...and risking the security of your information by requiring you to share your password with them...Where does it stop? How about a photocopy of your diary?” City Manager Chris Kukulski noted to KBZK TV that information wasn’t sought until “you were conditionally offered the job.” The passwords already received will remain the city’s confidential property, CBS affiliate reported.

FTC PLANS TO MONITOR BLOGS FOR CLAIMS, PAYMENTS (Washington Post, 21 June 2009) - Savvy consumers often go online for independent consumer reviews of products and services, scouring through comments from everyday Joes and Janes to help them find a gem or shun a lemon. What some fail to realize, though, is that such reviews can be tainted: Many bloggers have accepted perks such as free laptops, trips to Europe, $500 gift cards or even thousands of dollars for a 200-word post. Bloggers vary in how they disclose such freebies, if they do so at all. The practice has grown to the degree that the Federal Trade Commission is paying attention. New guidelines, expected to be approved late this summer with possible modifications, would clarify that the agency can go after bloggers - as well as the companies that compensate them - for any false claims or failure to disclose conflicts of interest. It would be the first time the FTC tries to patrol systematically what bloggers say and do online. The common practice of posting a graphical ad or a link to an online retailer - and getting commissions for any sales from it - would be enough to trigger oversight.

DUNKIN’ DONUTS IPHONE APP MAKES COFFEE MORE SOCIAL (CNET, 22 June 2009) - Dunkin Run is basically a social game, with a payoff of coffee and baked goods. Users can start a “Dunkin’ Run” from their computer, mobile device, or iPhone, and let everyone know they are hitting the road. This type of application that comes with a tangible payoff would drive membership in a variety of social networks, and would certainly keep me logged into my otherwise useless Facebook profile. Dunkin’ Run brings customers a completely new and unique social online group ordering experience and tools. To begin, “Runners” can initiate a group order on through their computer or mobile device, or via an iPhone application available for free download at the iTunes online store. Immediately, interactive alerts are sent to the Runner’s list of friends or co-workers, telling them when a trip to Dunkin’ Donuts is planned along with a personal message inviting them to place an order online. Invitees can view the Dunkin’ Donuts menu to place their order, and registered users can select from their own personal list of favorites and/or previous orders. All Dunkin’ Donuts core foods and beverages are presented using interactive product images to make personalizing an order both simple and fun. All of the orders are integrated onto a single page/screen which the Runner either prints or uses their iPhone or mobile device to bring to any Dunkin’ Donuts store. Dunkin’ Donuts crew members will use this checklist to fulfill orders quickly and ensure order accuracy. The Runner can also use this page as a checklist to ensure that everyone in the group gets what he or she ordered.

COURT SAYS ANTI-TELEMARKETING LAW COVERS UNSOLICITED TEXT MESSAGING (TechDirt, 22 June 2009) - Via Michael Scott we learn that the 9th Circuit Court of Appeals has found that the Telephone Consumer Protection Act (TCPA) also applies to unsolicited text messages. The TCPA covers certain kinds of commercial marketing over telephones, and has a rule against the use of “automatic telephone dialing systems,” but it wasn’t clear if text messaging was an automatic telephone dialing system. The court has now said yes. Separately, the case looked at whether or not agreeing to a basic terms of service also represented “express consent” which is needed under the TCPA. In this case, the woman had purchased a ringtone, but did not believe she had consented to commercial text messages. In buying the ringtone, the woman agreed to an extremely broadly worded terms of service that was probably purposely designed by lawyers to cover a wide swath of potential other things -- such as allowing the company to let others market things to the user. The question was whether or not other companies, who purchased the phone number from the ringtone company, could then market to the woman. The court here finds that dubious as well, noting that “express consent” is “[c]onsent that is clearly and unmistakably stated,” which the court feels was not the case here, since the consent was only for the ringtone company to market messages, not anyone else (even though the marketing company -- in this case Simon & Schuster -- noted that the text message was “powered by” the ringtone company): “Thus, Satterfield’s consent to receive promotional material by Nextones and its affiliates and brands cannot be read as consenting to the receipt of Simon & Schuster’s promotional material.” More on the case—Satterfield v. Simon & Schuster—here:

EMAIL PATTERNS CAN PREDICT IMPENDING DOOM (NewScientist, 22 June 2009) - Email logs can provide advance warning of an organisation reaching crisis point. That’s the tantalising suggestion to emerge from the pattern of messages exchanged by Enron employees. After US energy giant Enron collapsed in December 2001, federal investigators obtained records of emails sent by around 150 senior staff during the company’s final 18 months. The logs, which record 517,000 emails sent to around 15,000 employees, provide a rare insight into how communication within an organisation changes during stressful times. Ben Collingsworth and Ronaldo Menezes at the Florida Institute of Technology in Melbourne identified key events in Enron’s demise, such as the August 2001 resignation of CEO Jeffrey Skilling. They then examined the number of emails sent, and the groups that exchanged the messages, in the period around these events. They did not look at the emails’ content. Menezes says he expected communication networks to change during moments of crisis. Yet the researchers found that the biggest changes actually happened around a month before. For example, the number of active email cliques, defined as groups in which every member has had direct email contact with every other member, jumped from 100 to almost 800 around a month before the December 2001 collapse. Messages were also increasingly exchanged within these groups and not shared with other employees. Menezes thinks he and Collingsworth may have identified a characteristic change that occurs as stress builds within a company: employees start talking directly to people they feel comfortable with, and stop sharing information more widely. They presented their findings at the International Workshop on Complex Networks, held last month in Catania, Italy.

- and -

THE ONLINE AD THAT KNOWS WHERE YOUR FRIENDS SHOP (New York Times, 25 June 2009) - If a marketer asked people to hand over a list of all their friends so it could show them ads, few would comply. On social-networking sites like Facebook and MySpace, though, friendships are obvious, and advertisers are beginning to examine those connections. Two companies in particular, 33Across and Media6Degrees, are analyzing such connections, and they are not interested in basic friend lists, but in interactions on the sites, taking note when a user visits a friend’s page, sends a video or exchanges an instant message. In turn, they can identify people who are friends with a company’s existing customers, and then advertise to them. “The implications for this are pretty amazing,” said K-Yun Steele, vice president of Zenith Interactive, part of the Zenith Media unit of the Publicis Groupe, which works with clients including JPMorgan Chase, Puma and General Mills. He has tested both 33Across and Media6Degrees. Instead of using research to identify which Web sites are popular with certain demographic targets, these companies let “the consumer do the heavy lifting for you purely because of the proximity of that customer to other customers,” Mr. Steele said. “There’s a certain traction that you get when you target consumers that you know talk to each other, that you don’t get when you advertise like you would in print.” Advertisers, eager for any information that allows them to waste fewer ads and spend less money, are trying Media6Degrees and 33Across to see whether friendships are a better indicator of who might like their products than other indicators like age, gender, geography or interests. “Instead of understanding all these things about people, you could understand who was connected to who,” said Eric Wheeler, the chief executive of 33Across. 
“The reality is, those people are very similar not only in socioeconomic terms, but in terms of what they click and buy, so it’s very valuable.” Both companies try to link a Web site visitor to his friends (anonymously, they say). Media6Degrees and 33Across begin at an advertiser’s Web site. When someone visits a certain page — something that indicates interest, like a shopping-cart page or a product information page — the companies place a cookie (a tiny bit of text, like an identification number) on her computer. When she visits another site that has been programmed to look for that cookie, the new site can identify her as someone who has already put something in her shopping cart at a certain beauty site. Meanwhile, Media6Degrees and 33Across use data from social-networking sites to map users’ interactions. To see the connections, 33Across receives data on the type of interaction, like an instant message or a shared video link. The companies then extend those connections to build a big audience. If a certain customer most frequently communicates with 30 people, the companies look at who those 30 people interact with the most, and so on. By doing this for all the customers for a certain brand, they can build up a large network for ads.

TJX REACHES SETTLEMENT WITH STATES ON DATA THEFT (AP, 23 June 2009) - The parent company of retailers T.J. Maxx and Marshall’s will pay $9.75 million in a settlement with multiple states related to a massive data theft that exposed tens of millions of payment card numbers. Framingham, Mass.-based TJX Cos. said Tuesday it will pay $2.5 million to create a data security fund for states as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states’ investigations. But TJX stressed that it “firmly believes” that it did not violate any consumer protection or data security laws. TJX said the settlement’s costs are already accounted for in a 2007 reserve it created. According to a filing with the Securities and Exchange Commission earlier this month, as of May 2 — before the settlement was announced — the reserve was $39.5 million, the company’s estimate of the total potential costs related to pending litigation, investigations and other costs. The breach — disclosed in January 2007 — exposed at least 45.7 million credit and debit cards to possible fraud in the computer systems breach that began in July 2005. The breach wasn’t detected until December 2006. Under the settlement with a multistate group of 41 Attorneys General, TJX must also certify that its computer system meets detailed data security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system. In April 2008, TJX Cos. offered to set aside $24 million to reimburse customers who through their MasterCard credit cards were defrauded because of a data breach last year. A similar agreement was made with Visa-card issuing banks the prior November for up to $40.9 million to help banks cover costs including replacing customers’ payment cards and covering fraudulent charges. In January, TJX Cos. offered a 15 percent discount to its customers during a “Customer Appreciation” day to reward customers’ loyalty as the company dealt with the breach.

APPLE’S OBSESSION WITH SECRECY GROWS STRONGER (New York Times, 23 June 2009) – Apple is one of the world’s coolest companies. But there is one cool-company trend it has rejected: chatting with the world through blogs and dropping tidbits of information about its inner workings. Few companies, indeed, are more secretive than Apple, or as punitive to those who dare violate the company’s rules on keeping tight control over information. Employees have been fired for leaking news tidbits to outsiders, and the company has been known to spread disinformation about product plans to its own workers. “They make everyone super, super paranoid about security,” said Mark Hamblin, who worked on the touch-screen technology for the iPhone and left Apple last year. “I have never seen anything else like it at another company.” Secrecy at Apple is not just the prevailing communications strategy; it is baked into the corporate culture. Employees working on top-secret projects must pass through a maze of security doors, swiping their badges again and again and finally entering a numeric code to reach their offices, according to one former employee who worked in such areas. Work spaces are typically monitored by security cameras, this employee said. Some Apple workers in the most critical product-testing rooms must cover up devices with black cloaks when they are working on them, and turn on a red warning light when devices are unmasked so that everyone knows to be extra-careful, he said. Apple’s decision to severely limit communication with the news media, shareholders and the public is at odds with the approach taken by many other companies, which are embracing online outlets like blogs and Twitter and generally trying to be more open with shareholders and more responsive to customers. “They don’t communicate. It’s a total black box,” said Gene Munster, an analyst at Piper Jaffray who has covered Apple for the last five years. 
For corporate governance experts, and perhaps federal regulators, the biggest question is whether Mr. Jobs’s approach has led to violating laws that cover what companies must disclose to the public about the well-being of their chief executive. On that key issue, the experts are divided. Most governance experts do seem to agree on one point: that the secrecy that adds surprise and excitement to Apple product announcements is not serving the company well in other areas.

EU WANTS TIGHTER PRIVACY ON SOCIAL NETWORKS (Mashable, 24 June 2009) - Are social networks such as Facebook and MySpace doing enough to protect their users’ privacy? In the European Union, they might need to do more. A panel of European regulators has laid out operating guidelines for social networks, which will ensure their compliance with strict – albeit sometimes vague – online privacy laws in the European Union. These laws mostly stem from the European Union Directive on Data Protection of 1995, which, among other regulations, prohibits collection of personal information without consumers’ permission, forbids employers to read workers’ private e-mail, and doesn’t allow companies to share personal information on users without their permission. However, according to data-privacy lawyer Jan Dhont at Lorenz in Brussels, these regulations aren’t always very clear. For example, the companies that collect personal information must use it for “legitimate purposes,” which can be interpreted in many different ways. Nevertheless, the guidelines that were laid out will require quite a bit of effort from sites such as Facebook and MySpace, who cannot neglect their European user base and will therefore surely at least try to comply to avoid clashing with the EU regulators. According to the guidelines, social networks must set security settings to high by default; they must allow users to limit data disclosed to third parties, and they must limit the use of sensitive information (race, religion, political views) in behavioral advertising. Furthermore, social networks must delete accounts that have been inactive for long periods, as well as discard users’ personal information after they delete their accounts; an interesting regulation in view of the recent Facebook scandal, in which Facebook claimed ownership of all the content you’ve ever uploaded even if you quit the service. 
Facebook later apologized and restored their previous Terms of Service, even letting users be part of the decision process in creating the new ToS. However, it must be noted that even if this sounds like democracy, it’s a frail one, as Facebook still sets up the stage and has the last word on every decision. Article 29 Working Group paper on the subject is here: (registration required)

FBI COMPOUNDS MYSTERY WITH SECRET JUSTIFICATION OF GAG ORDER (ArsTechnica, 25 June 2009) - When the FBI uses a national security letter (NSL) to force the cooperation of an ISP or phone company in the surveillance of a suspect, the agency typically slaps a gag order on the service provider to prevent it from revealing the existence of the NSL. Civil liberties groups have successfully challenged the DOJ on these gag orders in the ongoing Doe v. Holder, and last month the Obama administration decided not to appeal a federal court ruling that the FBI must justify these gag orders by meeting a relatively high First Amendment standard. The implication of the court’s ruling was that the FBI would finally have to justify the gag order that it had placed on the John Doe in the Doe v. Holder case, so that the plaintiff could talk about the NSL. The FBI has now cooperated, and has given the court a justification of the gag order, in secret. The classified declaration that justifies the gag order can’t even be seen by Doe’s attorneys at the ACLU. In a statement, the ACLU elaborated on the move: “The government did not even file a redacted version of its secret affidavit or even an unclassified summary of what the secret affidavit says. Basically, the government is asking us just to trust that the gag is justified.” The group further explained that its attorneys “obviously can’t respond meaningfully to arguments that we’re not even allowed to see,” so they’re trying to get some form of access to the document. This would come in the form of either limited attorney access, or a summary of the filing’s contents. To add insult to injury, it’s not even clear that the investigation that sparked the five-year legal battle is still going on. The FBI quit asking Doe for records over two years ago, but it still maintains that revealing the identity of the ISP would result in various harms.

ICANN NAMES NEW CEO (CNET, 26 June 2009) - Former U.S. cybersecurity official Rod Beckstrom has been named the new CEO and president of ICANN. His appointment was announced at the annual meeting Friday in Australia of ICANN, which stands for the Internet Corporation for Assigned Names and Numbers. A global nonprofit, ICANN is responsible for assigning and managing Internet domain names and IP addresses, among other tasks. Beckstrom, who received his MBA from Stanford University, has served on the boards of several nonprofit groups and written four books. But it was his role as director of the U.S. National Cybersecurity Center (NCSC) where he made an impression. As head of the federal center, he oversaw a large, disparate agency spanning civilian, military and intelligence communities. However, Beckstrom resigned his government role in March after complaining of interference from the National Security Agency. In a letter to Department of Homeland Security Secretary Janet Napolitano, he said the NSA dominated most of his agency’s efforts and that he was “unwilling to subjugate the NCSC underneath the NSA.” Beckstrom defended the achievements of the NCSC and said he favored a decentralized approach so that security is not handled by any single organization. Beckstrom’s ICANN appointment triggered favorable statements from many sides. “Rod Beckstrom is strikingly well-prepared to undertake a new role as CEO of ICANN,” Vint Cerf, who is considered to be the “father” of the Internet, said in a statement. “His experience in industry and government equip him for this global and very challenging job.” Beckstrom is an “outstanding choice to head ICANN. He understands people, institutions, and technology,” Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), said in a statement. “He recognizes both the potential and the challenges for ICANN. And has stood up for the civil liberties of Internet users with courage and foresight.”

OBAMA SEEKS INPUT ON CLASSIFICATION OF RECORDS (Washington Post, 27 June 2009) - President Obama wants your advice on how the government should keep its secrets. A month ago, he issued a memorandum directing national security advisers to recommend ways to improve the rules by which records are classified and later opened to the public. Starting Monday, tech-savvy citizens as well as federal officials will be able to weigh in on the complicated debate. Beth Noveck, head of the White House’s open government project, said yesterday that a blog dedicated to suggestions about the classification process will be set up on, where the open government project has been accepting ideas over the past month for how agencies can be more transparent. Suggestions from the blog will be considered for the final recommendations sent to the president. The Declassification Policy Forum is the latest effort by the White House to include citizens in the policymaking process. Noveck, deputy chief technology officer in the Office of Science and Technology Policy, said “creating an open conversation about secrecy represents an important step in the administration’s commitment to an open dialogue, even in the most difficult areas.” Noveck said she expects to hear from librarians, archivists and other record management experts that government officials would not otherwise consult. The questions posed on the forum will include: How should the government determine what records should be classified? How can the government improve access to digital records once they are declassified? How can technology be used to improve the declassification process?

- and -

ONLINE TOOL WILL TRACK U.S. TECH SPENDING (New York Times, 30 June 2009) - The Obama administration introduced online tools on Tuesday that will track and analyze the more than $70 billion a year that the federal government spends on information technology. The new Web tools, called IT Dashboard, are part of a Web site set up to monitor government spending, Administration officials said the technology-tracking dashboard was a step toward greater openness and accountability in government, and a model for the kinds of tools it would increasingly make available to the public for other kinds of spending, like following the flow of dollars in the economic recovery package. The dashboard was developed quickly, in about six weeks. Mr. Kundra said that the data was not yet complete, and that further features were planned, including a blog so people could contribute ideas and comments. But the goal, he said, was to “democratize the data” as quickly as possible to get the expected benefits of openness — pressure for greater efficiency and innovations contributed by outside experts and the public. The site has graphics showing total spending on computer hardware, software and services by agency. A user can then click to see the particulars on hundreds of technology projects — a description of each, the amount being spent, the government manager responsible and the names of the private sector suppliers (though many of the contractor lists are not yet filled in). Projects are rated for on-schedule performance and color-coded accordingly — green, yellow or red. Users, Mr. Kundra said, will be able to pluck the source data from the Web site and do their own analyses. Much of the raw data on the site has been public information for years. But analysts said it was typically in government forms and available from different agencies, so it was mainly industry experts and consultants who had the knowledge and incentive to collect and cull it. 
The dashboard will make it easier for companies to track contracts on which rivals are struggling — and compete for the business.

HIGH COURT WON’T BLOCK REMOTE STORAGE DVR SYSTEM (Washington Post, 29 June 2009) - Cable TV operators won a key legal battle against Hollywood studios and television networks on Monday as the Supreme Court declined to block a new digital video recording system that could make it even easier for viewers to bypass commercials. The justices declined to hear arguments on whether Cablevision Systems Corp.’s remote-storage DVR system would violate copyright laws. That allows the Bethpage, N.Y.-based company to proceed with plans to start deploying the technology this summer. With remote storage, TV shows are kept on the cable operator’s servers instead of the DVR inside the customer’s home, as systems offered by TiVo Inc. and cable operators currently do. The distinction is important because a remote system essentially transforms every digital set-top box in the home into a DVR, allowing customers to sign up instantly, without the need to pick up a DVR from the nearest cable office or wait for a technician to visit. Movie studios, TV networks and cable TV channels had argued that the service is more akin to video-on-demand, for which they negotiate licensing fees with cable providers. They claimed a remote-storage DVR service amounts to an unauthorized rebroadcast of their programs. In a statement, the Copyright Alliance, whose members include Hollywood studios and television broadcasters, called the Supreme Court action “unfortunate and potentially harmful to creators and creative enterprises across the spectrum of copyright industries.” Cablevision argued its service was permissible because the control of the recording and playback was in the hands of the consumer.

STUDY: OLDER C-LEVEL EXECS AVOID TWITTER, BLOGS (ClickZ, 30 June 2009) - Are corporate executives embracing Twitter and blogs? Not if they’ve received an invitation to join the AARP. A survey of top executives at U.S. companies reveals that only 1 percent of those over the age of 50 provide daily contributions to a work-related blog. Forbes Insights performed the study sponsored by Google. Another 4 percent in this age group say they contribute several times a week. In contrast, 35 percent of executives ages 40 to 49 say they maintain a work-related blog daily. That figure increases to 56 percent of the executives under the age of 40. The study featured an interview with Zappos CEO Tony Hsieh, 35, who pointed out that the online retailer has over 400 employees on Twitter. “The world is becoming more and more transparent whether companies choose to accept it or not,” Hsieh told Forbes Insights. Meanwhile, a chief legal officer over the age of 50 said he didn’t see the business value of the interactive tools. Here are [some of] the study’s other findings.
Who’s on Twitter?
The study found a generation gap for those using Twitter and other micro-blogging platforms. Respondents were asked whether they either tweet or generate microfeeds. Here’s the breakdown:
• 3 percent of the executives over 50 participate in Twitter or another microblog.
• 34 percent of the executives ages 40 to 49 participate.
• 56 percent of the executives under 40 participate.
What Information Do Executives Seek?
The top three research topics that C-level executives seek are competitor analysis (53 percent), customer trends (41 percent), and corporate developments (39 percent). However, information priorities vary by job function:
• Of those executives in sales and marketing, 76 percent say they seek customer trends.
• Of those executives in finance, 63 percent said they seek competitor analysis.
• Of those executives in IT, 59 percent seek technology trends. Related ComputerWorld story here:

JUDGE THROWS OUT CONVICTION IN CYBERBULLYING CASE (New York Times, 2 July 2009) - A federal judge on Thursday threw out the conviction of a Missouri woman on charges of computer fraud for her role in creating a false MySpace account to dupe a teenager, who later committed suicide. The judge, George H. Wu, said that he was tentatively acquitting the woman, Lori Drew, of misdemeanor counts of gaining access to computers without authorization and that the ruling would be final when he issued his written decision. In November, a federal jury here convicted Ms. Drew of three misdemeanor charges under the Computer Fraud and Abuse Act, a federal law intended to combat computer crimes. Legal experts followed the case closely, saying it was the first time the statute had been used to prosecute a patron of a social networking site for abuses of the site. But on Thursday, Judge Wu said the federal statute was too “vague” when applied in this case and that were he to allow Ms. Drew’s conviction to stand, “one could literally prosecute anyone who violates a terms of service agreement” in any way. Some experts in cyberbullying and computer fraud criticized prosecutors for using the computer fraud law against Ms. Drew. “This law was designed to criminalize computer hacking, not people going to a Web site and violating terms of service that can be obscure and frankly arbitrary,” said Matthew L. Levine, a former federal prosecutor and defense lawyer in New York. “This sets a very bad precedent of using this law for that purpose.”

**** RESOURCES ****
OBAMA’S TEAM: THE FACE OF DIVERSITY (National Journal, 22 June 2009) – [profile of several dozen “key players” in the Obama Administration]

RETURN OF THE MARK OF ZOTERO (InsideHigherEd, 1 July 2009) - Man is, of course, the tool-making animal -- but can’t we maybe give it a rest for a while? Evidently not. At this point we need digital tools to manage all the digital tools we have on hand. One day all of our devices will be able to communicate among themselves (“friending” each other while we aren’t looking) which I’m pretty sure leads to an apocalyptic scenario in which human beings end up living in caves. And yet, damn it, some of the tools are useful. A couple of years ago, this column pointed out an application that seemed a genuinely useful and non-time-wasting addition to the intellectual workbench. This was Zotero, a plug-in for the Firefox browser. Zotero allows you to gather, organize, and annotate material while doing research online. With Zotero, you can build up a collection of digital documents, cataloging and sorting it as you go. You can gloss the material so harvested, attaching your notes as you go. Zotero is particularly useful for gathering bibliographical data, and allows you to export it in a wide range of standard scholarly citation formats. Produced by the Center for New Media History at George Mason University, Zotero was (and remains) free. When I wrote about it in ‘07, enthusiasts were looking forward to Zotero 2.0 -- and not patiently. Various upgrades became available, but the substantially reworked Zotero was only released six weeks ago, in mid-May. At the time, as luck would have it, I was in a clinic being treated for exposure to more than 400 blog feeds per day. The twitchiness having now abated, I’ve been briefed on the latest model of Zotero by an “information-research specialist,” which is what librarians call themselves these days. The distinctive thing about Zotero 2.0, now in its beta version, is that it will allow you to store your collection (i.e., digital document archive, plus notes, plus bibliographical data) on a server, rather than on your hard drive.
This has at least two important consequences. The first is that you can add to your Zotero files – or retrieve them – from any computer with web access. The old version stored the data on whatever machine you happened to be using at the time. I have a laptop somewhere in my study, for example, that contains records gathered last year, but not available to me at the moment because I am not exactly sure where that laptop is. Once I find it, however, it will be possible to ship this data off into “the cloud.” That means I can synchronize my old laptop, our household desktop computer, and the netbook I do most of my writing on now, so that the same Zotero files are always available on all of them. This was possible with the earlier version, but you had to make a point of transferring the files, which evidently I never got around to doing. The other major development is that Zotero 2.0 allows users to create groups that can share data. Members of a class or a research group are able to transfer files into a common pool. (So far, it is possible to do this with bibliographical references but not with documents, though the Zotero people are working on finding a way to store the latter.) You also have the option of creating a sort of haute Facebook presence. Dan Cohen, the director of the Center, explains: “Zotero users get a personal page with a short biography and the ability to list their discipline and interests, create an online CV (simple to export to other sites), and grant access to their libraries.” Thanks to such profiles, it should be easier to find other researchers who share your particular interests, and so engage in the cooperative exchange of references and ideas -- at least, assuming your notion of the life of the mind is not that of a zero sum game, or indeed of bellum omnia contra omnes. It will be interesting to see how that shakes out, discipline by discipline, sub-field by sub-field. [Editor: Sounds like an interesting tool. I’d appreciate feedback from any lawyer/users.]

Y2K SCARE LEADS TO LARGER ADVANCES -- Experts say the Y2K bug may actually benefit companies and the economy in general, as it forced many firms to completely overhaul their computer systems and re-engineer their business processes to become more efficient. Federal Reserve Governor Alan Greenspan noted in his June 1 congressional testimony that the American economy “is displaying a remarkable run of economic growth that appears to have its roots in ongoing advances in technology,” and many experts say the Y2K bug is to blame. The millennium bug gave senior management an urgent deadline for assessing their computer systems as well as their entire business processes, resulting in “a dramatic surge in buying” of ERP systems, which reorganize and integrate a firm’s accounting and other business practices. Thus many companies’ antiquated business operations have been modernized, merged, and streamlined to prepare for Y2K, producing benefits such as increased productivity, improved customer responsiveness, reduced inventory, and increased efficiency. (Philadelphia Inquirer 07/01/99)

************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School
2. Edupage
3. SANS Newsbites
4. NewsScan and Innovation
5. BNA’s Internet Law News
6. Crypto-Gram
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
