Saturday, July 25, 2009

MIRLN --- 5-25 July 2009 (v12.10)

• Great Wall of Facebook: the Social Network’s Plan to Dominate the Internet — and Keep Google Out
• For Jurors in Michigan, No Tweeting (or Texting, or Googling) Allowed
• Spies Like Us: NSA to Build Huge Facility in Utah
• Another City Caught Lowering Yellow Light Times to Catch More Red Light Runners
• Weitzner to Head NTIA Policy Shop
o Twitter Nabs a Legal Eagle from Google
• Cybersecurity Plan to Involve NSA, Telecoms
• British Spy Chief’s Cover Blown on Facebook
• Court: IP Addresses Are Not ‘Personally Identifiable’ Information
• LinkedIn Reviews Can Come Back to Haunt Employers, Lawyers Say
• New Law Floods California with Medical Data Breach Reports
• Everything Ohio, and Then Some, is on New Web Site
• Easy Cybersecurity -- Publish SSNs
• Accessing Employees’ Private Internet Chatroom Violates Stored Communication & Wiretap Laws
• Prosecutor: Cloud Computing is Security’s Frontier
o Concerns Raised as LA Looks to Google Web Services
• AP Proposes New Article Formatting for the Web
• Employer Violates the National Labor Relations Act by Selectively Targeting Union Related E-Mails
• North Korean Cyberattacks
• 85 Percent of U.S. Businesses Breached
o Data Attacks More Frequent than CEOs Think
• Clearing Rights for Content: Ask First
o Legal Row Over National Portrait Gallery Images Placed on Wikipedia
• Republishing Third Party Ratings in Marketing Material Might be Copyright/Trademark Infringement
• Middle East Blackberry Update Spies on Users
• PCI Council Publishes Wireless Security Guidelines for Payment Cards
• Facebook Violates Canadian Privacy Law
• Amazon Erases Orwell Books From Kindle
• The Future Of Scholarship? Harvard Goes Digital With Scribd
• Social Networks Appeal, But Not to the Firm
• University of Michigan, Amazon Offer 400,000 Titles with Print-On-Demand


**** NEWS ****
GREAT WALL OF FACEBOOK: THE SOCIAL NETWORK’S PLAN TO DOMINATE THE INTERNET — AND KEEP GOOGLE OUT (Wired 17.07, 22 June 2009) - Today, the Google-Facebook rivalry isn’t just going strong, it has evolved into a full-blown battle over the future of the Internet—its structure, design, and utility. For the last decade or so, the Web has been defined by Google’s algorithms—rigorous and efficient equations that parse practically every byte of online activity to build a dispassionate atlas of the online world. Facebook CEO Mark Zuckerberg envisions a more personalized, humanized Web, where our network of friends, colleagues, peers, and family is our primary source of information, just as it is offline. In Zuckerberg’s vision, users will query this “social graph” to find a doctor, the best camera, or someone to hire—rather than tapping the cold mathematics of a Google search. It is a complete rethinking of how we navigate the online world, one that places Facebook right at the center. In other words, right where Google is now. [Editor: quite interesting explication of how Facebook could leverage social connections to more-tailored/more-effective “search” and give Google a real run-for-the-money.]

FOR JURORS IN MICHIGAN, NO TWEETING (OR TEXTING, OR GOOGLING) ALLOWED (Nat’l Law Journal, 1 July 2009) - Call it the silencing of the tweets. The Michigan Supreme Court has laid the hammer down on gadget-happy jurors in banning all electronic communications by jurors during trial, including tweets on Twitter, text messages and Google searches. The ruling, which takes effect Sept. 1, will require Michigan judges for the first time to instruct jurors not to use any handheld device, such as iPhones or Blackberrys, while in the jury box or during deliberations. The state’s high court issued the new rule on Tuesday in response to prosecutors’ complaints that jurors were getting distracted by their cell phones, smart phones and PDAs, in some cases texting during trial or digging up their own information about a case and potentially tainting the judicial process. Wouldn’t common sense suggest that’s wrong? “I don’t think jurors go out and Google stuff thinking it’s wrong. Sometimes it just doesn’t click,” said Charles Koop, immediate past president of the Prosecuting Attorneys Association of Michigan, which pushed for the new rule. “I think it brings home to the conscientious jurors -- which most jurors are -- that I’m not supposed to do this.” The new rule also helps older judges, who might not be tech-savvy, stop jurors from doing things in their courtroom that they are unaware of, said Koop, prosecuting attorney in Antrim County, Mich. “Judges of an older age may not be in tune as much as younger judges as to what’s going on out there,” Koop said, adding the constantly evolving PDAs are especially problematic for the courts. “It’s a new technology. We’re playing catch-up.”

SPIES LIKE US: NSA TO BUILD HUGE FACILITY IN UTAH (Salt Lake Tribune, 2 July 2009) - Hoping to protect its top-secret operations by decentralizing its massive computer hubs, the National Security Agency will build a 1-million-square-foot data center at Utah’s Camp Williams. The years-in-the-making project, which may cost billions over time, got a $181 million start last week when President Obama signed a war spending bill in which Congress agreed to pay for primary construction, power access and security infrastructure. The enormous building, which will have a footprint about three times the size of the Utah State Capitol building, will be constructed on a 200-acre site near the Utah National Guard facility’s runway. Congressional records show that initial construction -- which may begin this year -- will include tens of millions in electrical work and utility construction, a $9.3 million vehicle inspection facility, and $6.8 million in perimeter security fencing. The budget also allots $6.5 million for the relocation of an existing access road, communications building and training area. Officials familiar with the project say it may bring as many as 1,200 high-tech jobs to Camp Williams, which borders Salt Lake, Utah and Tooele counties. It will also require at least 65 megawatts of power -- about the same amount used by every home in Salt Lake City combined. A separate power substation will have to be built at Camp Williams to sustain that demand, said Col. Scott Olson, the Utah National Guard’s legislative liaison. He noted that there were two significant power corridors that ran through Camp Williams -- a chief factor in the NSA’s desire to build there.

ANOTHER CITY CAUGHT LOWERING YELLOW LIGHT TIMES TO CATCH MORE RED LIGHT RUNNERS (TechDirt, 2 July 2009) - It’s been shown repeatedly that red-light cameras don’t appear to make intersections any safer, but they do act as a nice revenue generator for cities. In fact, at times it’s such a tempting revenue generator that city officials cannot resist the urge to tamper with the timing of the lights to get more people running “red” lights that really should have been yellow. The latest such case, as pointed out by Jeff Nolan, happened in Arizona. According to regulations, the yellow light at a certain intersection was required to last 4.3 seconds: 4 seconds for the road being 40 mph and another 0.3 seconds due to the way the road curves. Yet, over 1,000 motorists were ticketed, in part because the traffic light had been adjusted so that the yellow light only lasted 3 seconds, 70% of the required length. Thanks to some enterprising motorists who timed the light and complained, those who were caught are getting back their money and having the citations removed from their record.

WEITZNER TO HEAD NTIA POLICY SHOP (National Journal, 2 July 2009) - Daniel Weitzner will be the next chief of the policy office at the Department of Commerce’s National Telecommunications and Information Administration, according to government sources. Weitzner served as a technology advisor to President Obama’s campaign for president. He has been involved in the Computer Science and Artificial Intelligence Laboratory at the Massachusetts Institute of Technology and co-directs MIT’s Decentralized Information Group with Internet expert Tim Berners-Lee. Weitzner was a founder and deputy director for the Center for Democracy and Technology and has also been a senior staff counsel at the Electronic Frontier Foundation. Weitzner was among the first to advocate user control technologies such as content filtering and rating to protect children and avoid government censorship of the Internet, according to his bio at the World Wide Web Consortium. His arguments played a critical role in the 1997 Supreme Court case Reno v. ACLU, awarding strong free speech protections to the Internet. Weitzner successfully advocated for adoption of amendments to the Electronic Communications Privacy Act creating new privacy protections for online transactional information such as Web site access logs.

- and -

TWITTER NABS A LEGAL EAGLE FROM GOOGLE (New York Times, 11 July 21, 2009) - Twitter, the popular micro-blogging service, has stolen a prominent Google lawyer. The start-up has hired Alexander Macgillivray, deputy general counsel for products and intellectual property at Google, to be its general counsel, according to a person with knowledge of the hiring. Mr. Macgillivray has been an important member of the Google legal team, spearheading the controversial settlement with authors and book publishers over Google’s scanning of millions of out-of-print library books. Mr. Macgillivray, 36, has also represented Google in a wide variety of other matters, including Viacom’s copyright lawsuit against YouTube and complaints from The Associated Press that Google improperly used its content. Before he joined Google, Macgillivray was with Wilson Sonsini Goodrich & Rosati, the prominent Silicon Valley law firm.

CYBERSECURITY PLAN TO INVOLVE NSA, TELECOMS (Washington Post, 3 July 2009) - The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials. President Obama said in May that government efforts to protect computer systems from attack would not involve “monitoring private-sector networks or Internet traffic,” and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems. But the program has provoked debate within DHS, the officials said, because of uncertainty about whether private data can be shielded from unauthorized scrutiny, how much of a role NSA should play and whether the agency’s involvement in warrantless wiretapping during George W. Bush’s presidency would draw controversy. Each time a private citizen visited a “dot-gov” Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network. Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks. Proponents of involving the government said such efforts should harness the NSA’s resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said. “That’s the secret sauce,” one official said. “It’s the stuff they have that the private sector doesn’t.” The pilot program has two goals. The first is to prove that the telecommunications firm can route only traffic destined for federal civilian agencies through the monitoring system. The second is to test whether the technology can work effectively on civilian government networks. The sensor box would scan e-mail messages and other content just before they enter the civilian agency networks. The classified NSA system, known as Tutelage, has the ability to decide how to handle malicious intrusions -- to block them or watch them closely to better assess the threat, sources said. It is currently used to defend military networks.

BRITISH SPY CHIEF’S COVER BLOWN ON FACEBOOK (Reuters, 4 July 2009) - The wife of the new head of Britain’s spy agency has posted pictures of her husband, family and friends on Internet networking site Facebook, details which could compromise security, a newspaper said on Sunday. Sir John Sawers is due to take over as head of the Secret Intelligence Service in November. The SIS, popularly known as MI6, is Britain’s global intelligence-gathering organization. In what the Mail on Sunday called an “extraordinary lapse,” the new spy chief’s wife, Lady Shelley Sawers, posted family pictures and exposed details of where the couple live and take their holidays and who their friends and relatives are. The details could be viewed by any of the many millions of Facebook users around the world, but were swiftly removed once authorities were alerted by the newspaper’s enquiries.

COURT: IP ADDRESSES ARE NOT ‘PERSONALLY IDENTIFIABLE’ INFORMATION (MediaPost, 6 July 2009) - In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information. “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft’s user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don’t include people’s names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals. Last month, Jones sided with Microsoft and dismissed the case before trial. But some say that Jones’s decision about IP addresses is inconsistent with other recent opinions about the issue. Eric Goldman, director of the High Tech Law Institute at Santa Clara University, points out that the European Union considers IP addresses to be personal information. Last year, the EU said that search engines should expunge users’ IP addresses as soon as possible. Additionally, a court in New Jersey ruled last year that Internet service providers can’t disclose users’ IP addresses without a subpoena, on the theory that people expect their IP addresses will be kept private. Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticizes the Microsoft ruling as “a silly decision.” “The judge didn’t understand the significance of the IP address or the reason that it was collected,” he says. Rotenberg adds that the judge prematurely dismissed the case, arguing that more facts were needed to determine whether IP addresses were personally identifiable. Ruling here:

LINKEDIN REVIEWS CAN COME BACK TO HAUNT EMPLOYERS, LAWYERS SAY (ABA Journal, 7 July 2009) - Management-side employment lawyers are advising their clients against writing recommendations for current or recent employees on LinkedIn. If an employer writes a positive review for an employee who is later fired, that review could be presented as evidence that discrimination rather than performance brought on the termination, lawyers told the National Law Journal. “Generally, my advice is that I think employers are often better served by merely stating dates of employment, positions with the company and salary, and staying away from much more because there are so many potential ramifications if they say something,” Carolyn Plump, a partner at Philadelphia’s Mitts Milavec told the National Law Journal. “If they say something negative, there could be a lawsuit. If they say something positive, there could be a lawsuit.” The story cites a recent poll from Jump Start Social Media stating that 75 percent of hiring managers use LinkedIn to research candidates. Employee-rights attorney Linda Friedman of Chicago’s Stowell & Friedman said LinkedIn recommendations can also backfire on a plaintiff. If a supervisor makes identical recommendations on LinkedIn or another website of everyone under him or her, that could disprove a discrimination claim, Friedman said.

NEW LAW FLOODS CALIFORNIA WITH MEDICAL DATA BREACH REPORTS (Wired, 9 July 2009) - California officials have received more than 800 reports of health data breaches in the first five months after a new state law went into effect January 1. The law requires health care organizations in California to report suspected incidents of intentional and unintentional unauthorized breaches of a patient’s personally identifiable health information to the California Department of Public Health. The agency, however, says it was surprised by the large number of reports it received in such a short period, according to the Journal of the American Health Information Management Association, and expects that number to increase dramatically as organizations become more familiar with the reporting procedures. Of the cases reported, which also include complaints from patients, officials have conducted full investigations on 122 cases so far and confirmed 116 as actual breaches. The types of breaches run the gamut from unintentionally faxing a patient’s chart or test reports to the wrong phone number to intentional snooping by workers. Most of the breaches reported so far have been unintentional. Officials can fine offending organizations or individuals up to $250,000 for a breach, depending on the nature of the breach and the extent of the harm it caused. Los Angeles-based Kaiser Permanente Bellflower Medical Center was the first to be fined this amount after investigators determined that 23 hospital workers inappropriately accessed the medical records of Nadya Suleman, aka “the Octomom”.

EVERYTHING OHIO, AND THEN SOME, IS ON NEW WEB SITE (Columbus Dispatch, 9 July 2009) - Ohio Secretary of State Jennifer Brunner fulfilled one of her 2006 campaign pledges yesterday by unveiling an online tool offering access to a plethora of information about Ohioans, their counties and their state. That includes detailed statistics for each county compiled from 18 different state and federal sources about the economy, public safety and other areas affecting quality of life. For example, it’s possible to review and compare poverty statistics, foreclosure rates and other economic indicators over time, plus data for 300 other indicators, even including the number of library visits in each county. The site is designed for researchers, chambers of commerce, nonprofit groups applying for grants, students, and state and local governments considering important public-policy decisions. The idea is to identify areas of strength and help understand challenges. The data will be updated as new information becomes available, and other sources may be added depending on demand, Brunner said. “Essentially, we look at this as a resource that will provide Ohioans with quick and easy access to information about the issues that impact all the communities in the state,” Brunner said of her “Better Lives, Better Ohio” initiative. Pursuing the initiative was one of four major goals Brunner set for the office, including restoring trust in Ohio elections. Her office held community forums to solicit input about what data should be made available on the site, and the computer work to generate it was done in-house, Brunner said. The total cost was about $100,000, mostly to hire Michelle Hussong, who has a doctorate in sociology and previously worked for the Ohio Department of Education, to oversee the effort, Brunner said. The online tool can be found at

EASY CYBERSECURITY -- PUBLISH SSNS (Stewart Baker’s blog, 8 July 2009) - Two Carnegie Mellon researchers published a study the other day, “Predicting Social Security Numbers from Public Data,” in which they demonstrated that it was almost trivially easy to guess the first 5 digits of a person’s social security number based on where and when they were born. Since many (most?) security functions rely on the secrecy of those 5 digits and the public confirmation of the last 4 digits by a user, it is now almost trivially easy to extrapolate a person’s full 9-digit SSN. Any company that continues to use SSNs for security features is well beyond foolish. And any user who voluntarily chooses a partner who uses SSNs as a security feature is simply courting identity theft. Why anyone would do so is beyond me ... but companies and users continue down this benighted path. Is there any way to make them stop this unwise practice? I suppose we could outlaw it and make it a crime or some such heavy-handed regulatory solution. But, in keeping with my view that more transparency generally equals greater security, here’s an easier solution -- the US government should simply publish a book (call it the Green Pages, since Yellow and White are already taken) listing everyone who has a social security number and making the SSNs public. That would instantly drain the SSN of all security value and return it to its original function as an accounting identifier. At that point, anyone who continued to use SSNs for security would be so negligent that the tort lawyers would have a field day.

ACCESSING EMPLOYEES’ PRIVATE INTERNET CHATROOM VIOLATES STORED COMMUNICATION & WIRETAP LAWS (Ogletree Deakins, 10 July 2009) - Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (D.N.J., June 16, 2009) – A federal jury in Newark recently imposed compensatory and punitive damages on an employer whose managers surreptitiously monitored employees’ postings on a private Internet chatroom. The managers obtained the chatroom password from a female employee and then terminated the employees responsible for creating the chatroom. The jury found the employer liable for violating both the federal Stored Communications Act and the New Jersey Wiretapping and Electronic Surveillance Control Act, because the managers obtained the chatroom password by duress. This decision reminds employers that they must remain ever mindful of employees’ expectation of privacy and the limitations it can impose on employer conduct.

PROSECUTOR: CLOUD COMPUTING IS SECURITY’S FRONTIER (CNET, 10 July 2009) - As data moves to the cloud, attackers and thieves will follow, a federal prosecutor said on Friday. The days of tracking down software counterfeiters in other countries who are selling pirated CDs are numbered as companies increasingly distribute software and store data online via hosted computing services, Matthew Parrella, an assistant U.S. attorney based in San Jose, Calif., said at Symantec’s Norton Cyber Crime Day. “That model of importation of software is becoming obsolete because we’re seeing on the horizon cloud computing where so many of these operations are pushed from a user’s PC or a user’s computer onto Google Docs or,” he said. Looking ahead five years, “I’m thinking the attack is going to be on cloud computing centers,” said Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney’s Office. The immediate threat will be attacks to steal data from the servers they are stored on, either remotely or by an insider or someone who gains access to the data center, he said. Later on it’s likely any stolen data could be pirated, he said. FBI agent Donna Peterson said her office had seen a “tremendous uptick in large-scale, fairly devastating data breaches,” with the biggest heist being close to $10 million stolen in 24 hours. Cyberthieves “are getting more organized and their technical sophistication is better,” she said. “They do what they need to get the job done...if they can use a 5-year-old exploit in conjunction with an exploit that they paid a programmer in another country $60,000 to (write), they will do it.” Cybercriminals can spend anywhere from two weeks to six weeks to completely own a corporate target’s computer system so completely that “you won’t even know that they’re there,” she said. Businesses have opened on a Monday morning only to discover that so much money has been stolen since employees went home on Friday that they are no longer solvent and there is no record on their systems of the activity, Peterson said.

- and -

CONCERNS RAISED AS LA LOOKS TO GOOGLE WEB SERVICES (, 17 July 2009) - Security and privacy concerns have been raised over a multimillion-dollar proposal by Los Angeles to tap Google’s Internet-based services for government e-mail, police records and other confidential data. At issue is the security of computerized records on everything from police investigations to potholes as the nation’s second-largest city considers dumping its in-house computer network for Google e-mail and office programs that are accessed over the Internet. Paul Weber, president of the Los Angeles Police Protective League, complained Thursday that the union had scant information on the plan or what it would mean for the safety of sensitive records, such as narcotics or gang investigations. The shift toward doing more over the Web could make it much easier for hackers to gain access to corporate or government files. No longer would someone need to try to break through layers of security firewalls. As various personal and work accounts become increasingly linked together, all one needs is a single password to access documents just like a regular employee. If approved, Los Angeles would be the second major city after Washington, D.C., to use Google’s Internet-based services, known as Google Apps. The company has been promoting the package to other government agencies, too, as a way to cut costs and ensure access to Google-developed technical innovations. Google said in a statement that more than 1.75 million businesses use the technology. An unknown number of them pay the Mountain View company $50 per user per year for a premium version designed for businesses, government agencies and other robust needs. In a statement, Google said its services, which can store information at a number of Google-run data centers around the world, are “extremely reliable, safe and secure.” [Editor: Reportedly, Google will not provide legally sufficient security assurances.]

AP PROPOSES NEW ARTICLE FORMATTING FOR THE WEB (Washington Post, 10 July 2009) - The Associated Press is proposing that publishers attach descriptive tags to news articles online in hopes of taming the free-for-all of news and information on the Web and generating more traffic for established media brands. Tags identifying the author, publisher and other information - as well as any usage restrictions publishers hope to place on copyright-protected materials - would be packaged with each news article in a way that search engines can more easily identify. By doing so, the AP hopes to make it easier for readers to find articles from more established news providers amid the ever-expanding pool of content online. That, in turn, could lead to more traffic and more online advertising revenue for a beleaguered news industry.

EMPLOYER VIOLATES THE NATIONAL LABOR RELATIONS ACT BY SELECTIVELY TARGETING UNION RELATED E-MAILS (Vorys, 10 July 2009) - The United States Court of Appeals in Washington, D.C., recently held that an employer committed an unfair labor practice by selectively enforcing its e-mail usage policy against an employee who sent union-related e-mails. The case, Guard Publishing Company v. National Labor Relations Board, is a reminder that e-mail policies must be carefully drafted and consistently enforced to avoid potential legal pitfalls. The employer, a daily newspaper, claimed that the union-related e-mails violated its policy prohibiting e-mails “used to solicit or proselytize for commercial ventures, religious or political causes, outside organizations, or other non-job-related solicitations.” Despite this policy, the employer routinely allowed e-mails offering tickets for sporting events and requesting services such as dogwalking. When the Union filed its initial charge with the NLRB, it argued that the National Labor Relations Act provided employees with a statutory right to use an employer’s e-mail system for certain union-related purposes. The NLRB disagreed, holding that an employer may limit non-work-related use of its e-mail system so long as it does not discriminate against protected union activity. The NLRB defined discriminatory treatment narrowly as the “unequal treatment of equals.” Applying this standard, the NLRB held that, with the exception of one e-mail that was not a solicitation, the employer did not discriminate against union-related e-mails. The NLRB based this decision on the theory that the employer made a distinction between personal solicitations (e.g., “My car is for sale”) and group/organization solicitations (e.g., “Girl Scout Cookies for sale”). The outcome would have been different had the employer previously allowed group/organization solicitations, only to take action when those group/organization solicitations were union related. On appeal, the Court of Appeals held that the employer had in fact discriminated against protected union activity. The Court noted that the personal/group distinction relied on by the NLRB was not contained in the employer’s e-mail policy. Nor was it discussed in the employee’s disciplinary notice. In fact, the notice cautioned the employee against using the e-mail system for union/personal business. See also

NORTH KOREAN CYBERATTACKS (Bruce Schneier essay, 13 July 2009) - To hear the media tell it, the United States suffered a major cyberattack last week. Stories were everywhere. “Cyber Blitz hits U.S., Korea” was the headline in Thursday’s Wall Street Journal. North Korea was blamed. Where were you when North Korea attacked America? Did you feel the fury of North Korea’s armies? Were you fearful for your country? Or did your resolve strengthen, knowing that we would defend our homeland bravely and valiantly? My guess is that you didn’t even notice, that -- if you didn’t open a newspaper or read a news website -- you had no idea anything was happening. Sure, a few government websites were knocked out, but that’s not alarming or even uncommon. Other government websites were attacked but defended themselves, the sort of thing that happens all the time. If this is what an international cyberattack looks like, it hardly seems worth worrying about at all. [Editor: thoughtful, useful essay.]

85 PERCENT OF U.S. BUSINESSES BREACHED (, 13 July 2009) - The fourth annual U.S. Encryption Trends Study was released today by The Ponemon Institute. The study says that 85 percent of surveyed businesses have experienced a data breach in the past year, up from 60 percent in the 2008 study. According to the report, organizations see a need to protect mobile devices. “More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices -- a sign that organizations recognize that valuable data is more mobile than ever,” the report said. Companies are right to be concerned about breaches, the report said, referring to an earlier study by The Ponemon Institute that found that breaches cost businesses, on average, $202 per record and, in total, an average of $6.6 million.

- and -

DATA ATTACKS MORE FREQUENT THAN CEOS THINK (SC Magazine, 15 July 2009) - CEOs often have a rosier view of data protection in their organization than other executives, according to a study released Wednesday by the Ponemon Institute and software security vendor Ounce Labs. In the study of 213 CEOs and other senior executives, 92 percent of respondents said that their company’s data has been attacked in the past six months. But, CEOs are often more confident about their organization’s ability to prevent data breaches than are other executives, the study found. And CEOs are less aware of data breaches that have occurred, the study found. Respondents were asked how often their company’s data is attacked, and 33 percent of C-level executives -- which included COOs, CIOs and division presidents -- replied “hourly or more often,” while just 17 percent of CEOs said the same. Twenty percent of C-level executives said their data is attacked daily, while 15 percent of CEOs said the same. And, 48 percent of CEOs said their data was “rarely” attacked, compared to 32 percent of other C-level executives who said so.

CLEARING RIGHTS FOR CONTENT: ASK FIRST (, 13 July 2009) - No one enjoys clearing rights. Checking that you may use content (whether on your Web site, in a publication, or for a performance) and won’t be sued over it takes time and effort. And, for e-commerce counsel clients, that means more money. Yet, applying [the] rules to using content on an e-commerce Web site is even more difficult because “commercial speech” remains an evolving area of the law. The legal rules for online content constantly evolve as copyright and other intellectual property laws struggle to adjust “rights” to the stresses caused since digital technology redefined the many ways to “copy” content. (Editor’s note: For a list of Web sites where one can request permission for a variety of content, see, “Links to Help e-Commerce Players Identify Rights Owners and Clear Rights.” The list is not comprehensive, because there are too many possible rights-owners from whom permission must be sought to cover all entities or people for every instance. A good basic resource on the mechanical process of clearing rights is “Getting Permission: How to License & Clear Copyrighted Materials Online and Off,” by Richard Stim, Esquire (Nolo Press, 2007).) [Editor: useful overview of the process.]

- and -

LEGAL ROW OVER NATIONAL PORTRAIT GALLERY IMAGES PLACED ON WIKIPEDIA (The Guardian, 14 July 2009) - The National Portrait Gallery has threatened legal proceedings for breach of copyright against a man who downloaded thousands of high-resolution images from its website, and placed them in an archive of free-to-use images on Wikipedia. There has been no formal response from the internet encyclopedia but Derrick Coetzee, who downloaded the images, promptly uploaded the letter from the London lawyers Farrar and Co, “to enable public discourse on the issue”. He said he was taking legal advice. Photographs of works of art are protected by copyright in the UK, but not in the US, where Coetzee lives. All the creators of the original images are long since dead, but the photographs were only taken for the NPG as part of a £1m digitisation project in the last couple of years. The gallery stressed today that they hoped to avoid taking any further legal action, and said they were not considering suing Wikipedia. It said it would be happy for the online site to use low-resolution images but was “very concerned” about loss of revenue from copyright fees for the high-resolution versions, which form a significant part of its income.

REPUBLISHING THIRD PARTY RATINGS IN MARKETING MATERIAL MIGHT BE COPYRIGHT/TRADEMARK INFRINGEMENT (Eric Goldman, 14 July 2009) - A Colorado judge has reached the remarkable conclusion that a hospital publicizing its star ratings and other recognition from a third party rating service in its marketing material might be committing copyright and trademark infringement. This is a little like saying that it could be copyright and trademark infringement for a law school to include its US News rankings in its marketing material or for a book publisher to issue a press release announcing its ranking on the New York Times bestseller list. [Editor: Reminds me of the row a decade ago between Amazon and the NYT over publishing the NYT books bestseller listings. See “Looking Back” below.]

MIDDLE EAST BLACKBERRY UPDATE SPIES ON USERS (Wired, 14 July 2009) - A BlackBerry update that a United Arab Emirates service provider pushed out to its customers contains U.S.-made spyware that would allow the company or others to siphon and read their e-mail and text messages, according to a researcher who examined it. The update was billed as a “performance-enhancement patch” by the UAE-based phone and internet service provider Etisalat, which issued the patch to its 100,000 subscribers. The patch only drew attention after numerous users complained that it drained their BlackBerry battery and slowed performance, according to local publication ITP. Nigel Gourlay, a Qatar-based programmer who examined the patch, told ITP that the patch contained “phone-home” code that instructed the BlackBerries to contact a server to register. But once the patch was installed, thousands of devices tried to contact the server simultaneously, crashing it and causing their batteries to drain. “When the BlackBerry cannot register itself, it tries again and this causes the battery drain,” he said, noting that the spyware wouldn’t have drawn any attention if the company had simply configured the registration server to handle the load. The spying part of the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server. The spyware appears to have been developed by a U.S. company, which markets electronic surveillance software. Gourlay obtained source code for the patch after someone posted it on a BlackBerry forum. He said the code contained the name “,” which belongs to a U.S. company that, according to its web site, provides surveillance solutions for “lawful interception” to ISPs, law enforcement and intelligence agencies around the world. RIM denies involvement, and confirms that it’s spyware:
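The symptom that exposed the Etisalat patch, thousands of handsets retrying a registration server that had fallen over, is exactly the pattern a network defender can look for without ever seeing the device code. The Python below is an added example for this newsletter item; it is not code from the article, from Gourlay's analysis, or from RIM. It runs over a constructed connection log (timestamp, device id, destination host, result), finds devices that repeatedly fail to reach the same host inside a short window, and flags any host that a group of devices is hammering that way. The hostnames, device ids, and thresholds are assumptions chosen for illustration.

```python
"""Flag a phone-home retry storm in connection logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from the article. One record per connection
# attempt: ISO timestamp, device id, destination host, result (OK or FAIL).
# The host names are placeholders; the real registration server is not named here.
SAMPLE_LOG = """\
2009-07-08T10:00:00 dev-001 reg.example.invalid FAIL
2009-07-08T10:00:30 dev-001 reg.example.invalid FAIL
2009-07-08T10:01:00 dev-001 reg.example.invalid FAIL
2009-07-08T10:01:30 dev-001 reg.example.invalid FAIL
2009-07-08T10:02:00 dev-001 reg.example.invalid FAIL
2009-07-08T10:00:01 dev-002 reg.example.invalid FAIL
2009-07-08T10:00:31 dev-002 reg.example.invalid FAIL
2009-07-08T10:01:01 dev-002 reg.example.invalid FAIL
2009-07-08T10:01:31 dev-002 reg.example.invalid FAIL
2009-07-08T10:02:01 dev-002 reg.example.invalid FAIL
2009-07-08T10:00:02 dev-003 reg.example.invalid FAIL
2009-07-08T10:00:32 dev-003 reg.example.invalid FAIL
2009-07-08T10:01:02 dev-003 reg.example.invalid FAIL
2009-07-08T10:01:32 dev-003 reg.example.invalid FAIL
2009-07-08T10:02:02 dev-003 reg.example.invalid FAIL
2009-07-08T10:00:03 dev-004 mail.example.invalid OK
2009-07-08T10:30:03 dev-004 mail.example.invalid OK
2009-07-08T11:00:03 dev-004 mail.example.invalid OK
2009-07-08T10:05:00 dev-005 reg.example.invalid FAIL
2009-07-08T12:05:00 dev-005 reg.example.invalid FAIL
"""


def parse_log(text):
    """Parse whitespace-separated records into (timestamp, device, host, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, device, host, result = line.split()
        events.append((datetime.fromisoformat(ts), device, host, result))
    return events


def max_failures_in_window(timestamps, window):
    """Largest number of failures that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best = 0
    start = 0
    for end in range(len(ts)):
        # Slide the window start forward until it spans at most `window`.
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_retry_storms(events, window=timedelta(minutes=5), min_attempts=5, min_devices=3):
    """Return {host: sorted device ids} for hosts that several devices keep failing to reach.

    A device is "noisy" toward a host when it logs at least `min_attempts` FAIL results
    within `window`; a host is reported when at least `min_devices` devices are noisy.
    Isolated failures (e.g. two attempts hours apart) do not count.
    """
    failures = defaultdict(lambda: defaultdict(list))
    for ts, device, host, result in events:
        if result == "FAIL":
            failures[host][device].append(ts)

    storms = {}
    for host, per_device in failures.items():
        noisy = sorted(
            dev for dev, stamps in per_device.items()
            if max_failures_in_window(stamps, window) >= min_attempts
        )
        if len(noisy) >= min_devices:
            storms[host] = noisy
    return storms


if __name__ == "__main__":
    for host, devices in find_retry_storms(parse_log(SAMPLE_LOG)).items():
        print(f"retry storm toward {host}: {len(devices)} devices {devices}")
```

The same sliding-window count works on proxy or firewall exports once the four fields are mapped; the thresholds are the knobs to tune, since a legitimate outage produces a similar burst and the follow-up is to ask why a "performance patch" added a new destination at all.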

PCI COUNCIL PUBLISHES WIRELESS SECURITY GUIDELINES FOR PAYMENT CARDS (NetworkWorld, 15 July 2009) - Any business accepting credit and debit cards -- and using or considering wireless LANs -- should carefully review the recommendations for use of 802.11 wireless access points that are detailed in the guidelines issued Wednesday by the Payment Card Industry Security Standards Council. In the past, the council has issued standards that have become required by Visa, MasterCard, banks and others for secure processing of payment and debit cards. Troy Leach, the council’s technical director, emphasized that the recommendations in the “PCI Data Security Standard (DSS) Wireless Guideline” are not mandatory for businesses handling payment cards and using WLANs. But he adds, “This is probably the way wireless should have been deployed all along.”

FACEBOOK VIOLATES CANADIAN PRIVACY LAW (The Canadian Press, 16 July 2009) - The writing is on the wall for Facebook, the popular social networking site: do more to protect the privacy of Canadian users or face the threat of court action. Privacy Commissioner Jennifer Stoddart posted that message for all to see Thursday in a report that warns the personal information of Facebook members may be at risk. Facebook, with nearly 12 million Canadian users and some 250 million worldwide, allows people to keep in touch with friends and family by updating their pages with a stream of fresh messages and photos. Stoddart said Facebook breaches federal privacy law by keeping users’ personal information indefinitely - even after members close their accounts. She also raised concerns about the sharing of users’ files with the almost one million third-party developers scattered across the globe who create Facebook applications such as games and quizzes. Stoddart applauded Facebook for making some changes, but urged the site to remedy outstanding privacy shortfalls, raising the possibility of legal proceedings if it doesn’t comply.

AMAZON ERASES ORWELL BOOKS FROM KINDLE (New York Times, 17 July 2009) - In George Orwell’s “1984,” government censors erase all traces of news articles embarrassing to Big Brother by sending them down an incineration chute called the “memory hole.” On Friday, it was “1984” and another Orwell book, “Animal Farm,” that were dropped down the memory hole — by In a move that angered customers and generated waves of online pique, Amazon remotely deleted some digital editions of the books from the Kindle devices of readers who had bought them. An Amazon spokesman, Drew Herdener, said in an e-mail message that the books were added to the Kindle store by a company that did not have rights to them, using a self-service function. “When we were notified of this by the rights holder, we removed the illegal copies from our systems and from customers’ devices, and refunded customers,” he said. Digital books bought for the Kindle are sent to it over a wireless network. Amazon can also use that network to synchronize electronic books between devices — and apparently to make them vanish. People who bought the rescinded editions of the books reacted with indignation, while acknowledging the literary ironies involved. “Of all the books to recall,” said Charles Slater, an executive with a sheet-music retailer in Philadelphia, who bought the digital edition of “1984” for 99 cents last month. “I never imagined that Amazon actually had the right, the authority or even the ability to delete something that I had already purchased.” Amazon appears to have deleted other purchased e-books from Kindles recently. Customers commenting on Web forums reported the disappearance of digital editions of the Harry Potter books and the novels of Ayn Rand over similar issues. Amazon’s published terms of service agreement for the Kindle does not appear to give the company the right to delete purchases after they have been made. It says Amazon grants customers the right to keep a “permanent copy of the applicable digital content.” Justin Gawronski, a 17-year-old from the Detroit area, was reading “1984” on his Kindle for a summer assignment and lost all his notes and annotations when the file vanished. “They didn’t just take a book back, they stole my work,” he said. On the Internet, of course, there is no such thing as a memory hole. While the copyright on “1984” will not expire until 2044 in the United States, it has already expired in other countries, including Canada, Australia and Russia. Web sites in those countries offer digital copies of the book free to all comers.

THE FUTURE OF SCHOLARSHIP? HARVARD GOES DIGITAL WITH SCRIBD (ArsTechnica, 17 July 2009) - Today, with the announcement that Harvard University Press will publish 1,000 digitized books on Scribd, the academic world took one more step in its glacially slow march into the digital age. Over ten years ago, when I first started my graduate work in the humanities, there was already much talk of the looming crisis in academic publishing. Print runs for academic works written by even major scholars in a given discipline are pitifully small—1,000 would be considered decent-sized. The work of junior faculty, who are trying to publish to beef up a CV, means that the runs are smaller still. It’s very hard to make money on such small print runs, which result in books with sky-high cover prices and limited availability. All of this has made it harder for scholars to publish and harder for non-specialists to justify the effort and expense of obtaining good, scholarly work. In sum, the present situation benefits nobody—scholars, the public, or the financially strapped publishing houses. But there’s a bit of a chicken-and-egg problem to moving scholarship online. Scholarly publishers, which are central to the all-important vetting and peer review process, don’t do digital, and they look down on anything published in a digital format. And that attitude pervades the academic community: scholars still pursue the peer-reviewed printed book as the ultimate CV trophy and turn their noses up at digital, giving the publishers little incentive to experiment with digital distribution. But, as HUP’s tiny little 1,000-book foray into the world of digital possibly indicates, academic publishers may be forced into the arms of digital by the same rapidly changing circumstances that are pushing regular book publishers toward outlets like Scribd.

SOCIAL NETWORKS APPEAL, BUT NOT TO THE FIRM (ABA Journal, 22 July 2009) - If the question last year was whether lawyers would ever take to the Internet’s social media, the answer this year has to be a resounding yes—on a personal level. Asked for the ABA’s 2009 Legal Technology Survey Report whether they personally maintain a presence in an online community or social network such as Facebook, LinkedIn, LegallyMinded or Legal OnRamp, 43 percent of respondents answered yes, almost triple the 15 percent positive responses in the 2008 survey. Their law firms also tripled their social network presence, but the percentages were much smaller. When asked whether their firms maintain a presence in an online community or social network, only 12 percent of respondents said yes, up from 4 percent in the 2008 survey. The ABA’s Legal Technology Resource Center has been conducting legal technology surveys since 1990. For the 2009 survey, between 778 and 928 ABA members completed questionnaires for each of the six survey volumes between January and May. Each survey volume begins with a Trend Report that summarizes the notable results and highlights changes from previous years. The Trend Report is followed by detailed charts and tables.

UNIVERSITY OF MICHIGAN, AMAZON OFFER 400,000 TITLES WITH PRINT-ON-DEMAND (, 21 July 2009) - The University of Michigan said Tuesday it is teaming up with to offer reprints of 400,000 rare, out-of-print and out-of-copyright books from its library. Seattle-based Amazon’s BookSurge unit will print the books on demand in soft cover editions at prices from $10 to $45.

8 THINGS WE HATE ABOUT IT (HBS podcast, 2 June 2008) - You may think that hate is too strong of a word for feelings toward a corporate department. I don’t. Yesterday, I was interviewing an executive on his perceptions of IT and he couldn’t spit his frustration out fast enough. He said, “In the quest of getting things organized, they are introducing a bunch of bureaucracy and, in the process, they’re abdicating their responsibility for making sure the right things get done.” This is completely typical of management’s frustration - no, management’s hatred - of IT. [15 minute audio, recommended to me by a senior manager with experience inside and outside of IT departments.]

**** RESOURCES ****
CLOUD COMPUTING (NIST, 26 June 2009) - NIST is posting its working definition of cloud computing that serves as a foundation for its upcoming publication on the topic (available below). Computer scientists at NIST developed this draft definition in collaboration with industry and government. It was developed as the foundation for a NIST special publication that will cover cloud architectures, security, and deployment strategies for the federal government. NIST’s role in cloud computing is to promote the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards. To learn more about NIST’s cloud efforts, join the NIST cloud computing announcement mailing list (very low volume) by sending an email to “” with “subscribe cloudlist” in the message body text.

YAMMER (Wikipedia article) – Yammer is a microblogging service launched in September 2008. Like Twitter, it allows users to post updates of their activities, follow others’ updates, tag content, and create memes. Unlike Twitter, Yammer focuses on businesses, and only individuals with the same email domain can join a given network. [Editor: if/when critical mass is achieved in a user organization, the company can buy a Yammer instance, and redeploy it inside the company’s security zone.]

AMAZON SUES OVER NYT BESTSELLER LIST -- In an effort to settle the question of whether a bestseller list is proprietary and copyrightable, last week sued the New York Times in Seattle federal court. Since May 17, Amazon has featured the Times bestseller list on its Web site, and offered a 50% discount on the books named. On May 28 a lawyer for the Times wrote a letter asking Amazon to stop posting the list, which the Times licenses to rival bookseller Amazon claims it’s making “fair use” of the list, similar to the way that a movie might be listed as having won an Academy Award, and added language clarifying that the Times didn’t endorse the Amazon site. The Times termed the modifications “inadequate.” Borders Group, which also uses the list, also has received a letter from the Times, and says it’s not sure how it will respond. (Wall Street Journal 7 Jun 99)

************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
