Saturday, December 11, 2010

MIRLN --- 21 November – 11 December 2010 (v13.17)

(supplemented by related Tweets: #mirln)

·      Agencies To Look For a ‘Cloud Option’
o   GSA Chooses Google For Hosted E-Mail
·      Disney’s Earnings Leak Sprung From Goofy Mistake
·      Copyright Lawyers Sue Lawyer Who Helped Copyright Defendants
·      High Court Ruling Implies Headlines Are Copyright – We’re One Step Away From Links
·      10 Steps To Kickoff A Social Media Campaign
·      Supreme Court Won’t Hear RIAA File Sharing Case
·      Placing Files in Shared Folder Online Can Constitute Child Porn Distribution
·      Talking About Your Case On Your Blog? You May Have Just Waived Privilege
·      Facebook: State Bar Opinions Address Information Gathering
·      Google Changes Its Rank Algorithm In Response To NYT DecorMyEyes Story
·      Google Signs Deal With European Patent Office to Translate Patents
·      FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers; Endorses “Do Not Track” to Facilitate Consumer Choice About Online Tracking
·      Race Is On to ‘Fingerprint’ Phones, PCs
·      Australian Government Gives Thumbs Down to PDF Format
·      New Oklahoma Law Puts Control of Deceased’s Social Media Accounts In Estate Executors
·      Companies Beware: The Next Big Leak Could Be Yours
·      FTC Offers Businesses Tips for Securing Data on Digital Copiers
·      Web Bugs the New Norm For Businesses?
·      DoD to Troops: Lawfare=Wikileaks
·      Risk of Cyber Attacks Should Be Board-Level Concern, Lloyd's Says
·      Government, Financial Industry Launch Cybersecurity Collaboration
·      Yahoo Finance Integrates Real-Time Stock Discussion From StockTwits
·      As Jurors Go Online, U.S. Trials Go Off Track
·      OFAC Expands Capacity of Designated Entities to Pay for Legal Services
·      Fail: NASA Sold Space Shuttle PCs Without Wiping Secret Data
·      UCLA Sued Over Streaming of Videos


Agencies To Look For a ‘Cloud Option’ (Computerworld, 22 Nov 2010) - The federal government is adopting a “cloud-first” policy, marking the administration’s strongest statement yet in support of Web-based computing as it looks to overhaul the way it buys information technology. Jeffrey Zients, the federal government’s first chief performance officer, announced last week that the Office of Management and Budget will now require federal agencies to default to cloud-based solutions “whenever a secure, reliable, cost-effective cloud option exists.” The shift is part of a broader set of changes aimed at improving IT procurement. In recent months, the federal government has shut down or restructured a host of technology programs after they ran over budget and behind schedule. “Fixing IT is central to everything we’re trying to do across government,” Zients said. “IT is our top priority.” Zients outlined a series of initiatives the government plans to launch in the next six months, including pilot efforts to give agencies more flexibility in how they budget for programs. In addition, the administration wants to reconstitute oversight panels known as investment review boards and establish a career path for program managers.

- and -

GSA Chooses Google For Hosted E-Mail (Computerworld, 1 Dec 2010) - The U.S. General Services Administration will become the first federal agency to use a hosted e-mail service, choosing Google, Unisys and others to offer the service. The choice is a blow to Microsoft, which has tried to position itself as offering the most secure services for the government. It said it is the first federal agency to use a cloud-based system for e-mail across the entire agency. It expects a 50 percent cost savings over the next five years compared to costs associated with its current system. See also “USDA Taps Microsoft Cloud For 120,000 Workers” (Information Week, 8 Dec 2010).

Disney’s Earnings Leak Sprung From Goofy Mistake (Business Week, 24 Nov 2010) - There’s an explanation now for how Disney’s earnings report this month got released early: The company made the information accessible through an easy-to-guess Web address. The Walt Disney Co. didn’t plan on posting the link on its website until after the market closed Nov. 11. But a reporter at Bloomberg News found it with simple Internet sleuthing and reported results about a half-hour before the scheduled release. That’s according to a person familiar with Bloomberg’s practices. The person isn’t authorized to speak publicly and is speaking on condition of anonymity. Security experts characterize the companies’ failure to protect such valuable information as careless lapses. The Securities and Exchange Commission isn’t saying whether it’s investigating. Disney says its own probe is ongoing.

Copyright Lawyers Sue Lawyer Who Helped Copyright Defendants (The Escapist, 26 Nov 2010) - Attorneys for the U.S. Copyright Group have filed a lawsuit against a lawyer who sold “self-help” documents to people who had been sued by the USCG, demanding that he pay the costs involved in dealing with the people who used the documents he sold. Try to stick with me here, because this one gets weird. Back in August, an attorney by the name of Graham Syfert began selling documents that would allow defendants in lawsuits filed by the U.S. Copyright Group to respond in court without having to fork over the huge piles of money needed to hire an attorney. The USCG sued “thousands” of BitTorrent users who had downloaded films like The Hurt Locker, Far Cry and Call of the Wild, demanding a settlement of $2500 to avoid the much more expensive proposition of going to court. “One of the major problems that people encounter when trying to hire me on these cases, is that a settlement is approximately what an attorney would need to even begin a defense,” Syfert said at the time. His package of paperwork, on the other hand, cost just ten bucks. 19 people have thus far taken advantage of Syfert’s offer and submitted responses to the court using his package, not a huge amount by any measure but 19 more than Dunlap, Grubb and Weaver, the law firm behind the USCG lawsuits, wants to put up with. The firm threatened Syfert with sanctions soon after he began selling his forms and also said it would double its settlement requests for anyone who used them; Syfert dismissed the threats with a “tongue in cheek” email and that was that, until earlier this week. On November 22, Syfert received another email from attorney Jeff Weaver informing him that he had made a formal request for sanctions against him on behalf of the production company behind The Hurt Locker, one of the driving forces behind the USCG lawsuits. Weaver is apparently claiming that the 19 cases filed using the self-help package have cost his firm $5000 and he wants Syfert to pay.

High Court Ruling Implies Headlines Are Copyright – We’re One Step Away From Links (TechCrunch, 27 Nov 2010) - The UK’s High Court has ruled that news monitoring agencies will have to pay publishing companies to use their web content, effectively re-classifying headlines as separate literary works subject to copyright. The move follows a legal battle between the Newspaper Licensing Agency, owned by eight of the UK’s largest newspaper groups, and Meltwater, a news monitoring agency. Although cutting agencies like Meltwater pay the NLA a fee for reproducing full-length articles, this case was supposed to clarify the limits of the NLA’s licensing scheme. Meltwater didn’t like its clients needing to have a licence from the NLA for the use of mere headlines and short extracts from its service. Instead the case has ruled that similar aggregation sites that charge for a service will have to pay for those headlines. Meltwater plans to appeal against the decision, but if it’s upheld, you can expect a wave of more legal actions. And thus the fabric of the UK’s online publishing industry will start to break down. Well done High Court. Technically, that won’t affect blogs or search sites since they don’t charge. But it’s not far away from some publishers claiming that because those links are monetised in some other way, that they can charge for their use since the headlines and, therefore the links to those, are copyright.

10 Steps To Kickoff A Social Media Campaign (Business Insider, 28 Nov 2010) - When it comes to using social media marketing to build your business, the worst action is no action, and your biggest problem is being invisible, not being talked about negatively. As long as you’re part of the conversation on the social Web, you can hear what’s being said about you and massage negative perceptions about your business.

Supreme Court Won’t Hear RIAA File Sharing Case (Wired, 29 Nov 2010) - The U.S. Supreme Court declined Monday to hear the first Recording Industry Association of America file sharing case to cross its desk, in a case that tested the so-called “innocent infringer” defense to copyright infringement. The case, which one justice voted to hear (.pdf), leaves undisturbed a federal appeals court’s decision in February ordering a university student to pay the Recording Industry Association of America $27,750 for file-sharing 37 songs when she was a high school cheerleader. The appeals court decision reversed a Texas federal judge who, after concluding the youngster was an innocent infringer, ordered defendant Whitney Harper to pay just $7,400, or $200 per song. That’s an amount well below the standard $750 fine required under the Copyright Act for each violation. Harper’s challenge weighed whether the innocent-infringer defense to the Copyright Act’s minimum $750-per-music-track fine may apply to online file sharing. Generally, an innocent infringer is someone who does not know she or he is committing copyright infringement. Attorneys for Harper told the justices (.pdf) that she should get the benefit of the $200 innocent-infringer fine, because the digital files in question contained no copyright notice. A Texas federal judge had granted Harper the innocent-infringer exemption to the Copyright Act’s minimum fine, because the teen claimed she did not know she was violating copyrights. She said she thought file sharing was akin to internet radio streaming. The 5th U.S. Circuit Court of Appeals, however, said she was not eligible for such a defense, even though she was between 14 and 16 years old when the infringing activity occurred on LimeWire. The reason, the appeals court concluded, is that the Copyright Act precludes such a defense if the legitimate CDs of the music in question carry copyright notices.

Placing Files in Shared Folder Online Can Constitute Child Porn Distribution (New Jersey Law Journal, 30 Nov 2010) - Internet file sharing is just that — sharing files with other users — and it can amount to illegal offering and distributing when the files are child pornography, a state appeals court ruled Tuesday. Though the defendant didn’t affirmatively offer the materials or seek out people to take them, a fact finder could see the act of placing the files in a shared folder online, where others might access them, as “offering” or “providing” under New Jersey’s child endangerment statute, the Appellate Division ruled in State v. Lyons, A-4893-09. Richard Lyons was indicted for possessing as well as offering and distributing child pornography via LimeWire, an online file-sharing network. On May 30, 2007, a state police investigator accessed LimeWire, entered search terms indicating child pornography, located a known child-pornography file on Lyons’ computer and downloaded it, along with other files he had stored that turned out to contain pornographic materials. During questioning, Lyons acknowledged that LimeWire’s default setting was to store downloaded files in a shared folder available to all network users, though the settings could be changed to store downloaded files in a private folder not accessible to other network users. Morris County Superior Court Judge Philip Maenza dismissed the offering and distributing counts, based on Lyons’ assertion that his failure to change the LimeWire settings was an omission and that he did not knowingly distribute the video files. Lyons claimed that passive conduct cannot satisfy the meaning stated in the statute. Appellate Division Judges Joseph Lisa, Susan Reisner and Jack Sabatino reversed, holding that Lyons acted affirmatively by installing the LimeWire program, downloading the pornography files and keeping the files in a shared folder knowing that others would find them and download them.

Talking About Your Case On Your Blog? You May Have Just Waived Privilege (Stikeman, 30 Nov 2010) - On October 22, 2010, an American magistrate judge ruled that a plaintiff suing Universal Music Corp. for improperly sending a takedown notice under the Digital Millennium Copyright Act (DMCA) waived a number of heads of attorney-client privilege by discussing the details of her legal case by email and on a blog. In Lenz v. Universal Music Corp., the plaintiff claimed damages and attorneys’ fees as a result of Universal Music Corp.’s filing of an allegedly fraudulent DMCA take-down notice seeking to have a home video of the plaintiff’s child dancing to a copyrighted song removed from YouTube. A magistrate judge ruled that plaintiff Stephanie Lenz waived attorney-client privilege by discussing her case in e-mail, on her blog, and in chat sessions. Through these online media, Lenz made representations about conversations she had had with her attorneys from Electronic Frontier Foundation (a non-profit digital rights advocacy and legal organization). These representations revealed information such as why she was suing Universal Music Corp. and legal strategies she was pursuing in her suit against the company. The magistrate judge ruled that these online communications amounted to a waiver of the attorney-client privilege. Accordingly, the magistrate ordered plaintiff to produce further documents and submit to further discovery regarding the plaintiff’s communications with her attorney as to (i) her motives for bringing the action; (ii) the specific legal strategies identified in her online discussions; and (iii) the specific factual allegations made in her online discussions. However, some have indicated that had this case been heard in Canada, the result may have been very different. Due to the high thresholds established by caselaw for determining when privilege has been waived, it is argued that a plaintiff’s mere musings or speculation about her lawyer’s legal strategy would likely not have led to a waiver of solicitor-client privilege.

Facebook: State Bar Opinions Address Information Gathering (ABA, 30 Nov 2010) – “You represent the mother in a child custody dispute that will most likely wind up in litigation. You recently interviewed a daycare provider who may be an adverse witness in the matter. You believe that there may be some very useful information on the daycare provider’s personal Facebook page that you may be able to use to impeach her testimony at trial, but you would need to “friend” her to gain access to them. You believe that she freely gives the friend status to almost anyone who requests it, but that she would most likely not grant it to you. Can you ask your paralegal, whose name the daycare provider would not recognize, to contact the provider in order to friend her without revealing his affiliation with you so that you can gain access to her personal Facebook page?”

Google Changes Its Rank Algorithm In Response To NYT DecorMyEyes Story (TechCrunch, 1 Dec 2010) - Over Thanksgiving weekend a New York Times story, “A Bully Finds a Pulpit on the Web” clued a lot of people in to some of the drawbacks of Google PageRank. Negative attention online and complaint links from customer service sites like Get Satisfaction can actually be a benefit to business as in the problematic case of online retailer DecorMyEyes. The Times piece followed DecorMyEyes customer Clarabelle Rodriguez as she suffered online and offline harassment from DecorMyEyes founder Vitaly Borker, all in the name of improving his Google search rankings. While I saw that DecorMyEyes had dropped in the Google rankings for eyewear related searches like “La Font” directly after the piece went out, it was only a matter of time before Google did something official. From the Google blog: “We were horrified to read about Ms. Rodriguez’s dreadful experience. Even though our initial analysis pointed to this being an edge case and not a widespread problem in our search results, we immediately convened a team that looked carefully at the issue. That team developed an initial algorithmic solution, implemented it, and the solution is already live. I am here to tell you that being bad is, and hopefully will always be, bad for business in Google’s search results.” The Google post then goes on to outline the different ways the search engine could have solved the “Bad to customers = Good for PageRank” problem, by either blocking or using sentiment analysis to pull sites with a lot of negative comments down in the rankings. Using sentiment analysis in search rank is tricky however, because it would also pull down sites about unpopular politicians and controversial issues like abortion. Instead of using either of those two solutions to account for cases like the one described in the New York Times article, Google instead wrote an algorithm that can detect which hundreds of merchants (including DecorMyEyes) have provided “bad user experience” and algorithmically force them lower.

Google Signs Deal With European Patent Office to Translate Patents (Int’l Business Times, 1 Dec 2010) - Internet search company Google Inc on Tuesday said it has signed a deal with the European Patent Office (EPO) to use the company’s technology to translate patents into 29 European languages that will pave the way for a simplified European patent system. Google’s deal, which comes after years of infighting, is expected to make it easier for inventors and scientists from across the continent to access information on patents with the EPO that has 38 member countries. The European Commission has been pushing for a unified system for long but a European Union-wide standard patent had been halted for long due to a long standing dispute about which languages should take precedence on official documents. Italy and Spain had refused to accept a unified system and the contention that it was enough to have patent documents translated into English, French and German. Google’s agreement will help do away with the huge translation fees that had prevented growth and hit small businesses as it is presently 10 times more expensive to apply for a patent in Europe than in the US, the European Commission said. The Google transaction will also calm down fears of some countries that they will be at a language disadvantage.

FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers; Endorses “Do Not Track” to Facilitate Consumer Choice About Online Tracking (FTC, 1 Dec 2010) - The Federal Trade Commission, the nation’s chief privacy policy and enforcement agency for 40 years, issued a preliminary staff report today that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report also suggests implementation of a “Do Not Track” mechanism – likely a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities. “Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well,” said FTC Chairman Jon Leibowitz. The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses. To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.”

Race Is On to ‘Fingerprint’ Phones, PCs (WSJ, 1 Dec 2010) - David Norris wants to collect the digital equivalent of fingerprints from every computer, cellphone and TV set-top box in the world. He’s off to a good start. So far, Mr. Norris’s start-up company, BlueCava Inc., has identified 200 million devices. By the end of next year, BlueCava says it expects to have cataloged one billion of the world’s estimated 10 billion devices. Advertisers no longer want to just buy ads. They want to buy access to specific people. So, Mr. Norris is building a “credit bureau for devices” in which every computer or cellphone will have a “reputation” based on its user’s online behavior, shopping habits and demographics. He plans to sell this information to advertisers willing to pay top dollar for granular data about people’s interests and activities. It’s tough even for sophisticated Web surfers to tell if their gear is being fingerprinted. Even if people modify their machines—adding or deleting fonts, or updating software—fingerprinters often can still recognize them. There’s not yet a way for people to delete fingerprints that have been collected. In short, fingerprinting is largely invisible, tough to fend off and semi-permanent.

Australian Government Gives Thumbs Down to PDF Format (IT News, 1 Dec 2010) - The central IT office of Australia’s Federal Government has requested that agencies consider the use of alternative file formats to Adobe’s PDF. The advice follows a study which found that while accessibility of the Portable Document Format (PDF) has improved over time and remains a popular format for many organisations, it was less accessible to visually-impaired users. Published by the Australian Government Information Management Office (AGIMO), “The Australian Government’s study into the Accessibility of the Portable Document Format for people with a disability,” concluded that if PDF was used, accessible alternative file formats should be made available.

New Oklahoma Law Puts Control of Deceased’s Social Media Accounts In Estate Executors (IBT, 2 Dec 2010) - Estate executors or administrators in Oklahoma have the power to access, administer or terminate the online social media accounts of the deceased, according to a new state law. According to former state Rep. Ryan Kiesel (D-Seminole), who had co-authored House Bill 2800 before he left office, the law would remind the people of Oklahoma as they go about their estate planning that, in addition to their personal and real property, they should make plans for the vast amount of intellectual property we leave behind. “The number of people who use Facebook today is almost equal to the population of the United States. When a person dies, someone needs to have legal access to their accounts to wrap up any unfinished business, close out the account if necessary or carry out specific instructions the deceased left in their will,” Kiesel said. “Digital photo albums and e-mails are increasingly replacing their physical counterparts, and I encourage Oklahomans to think carefully about what they want to happen to these items when they pass away,” he said. The bill, which became a state law on Nov. 1, assumes a Facebook page or other social network account is the property of the person who creates and uses it. However, most websites claim the information as their own in service agreements when users sign up. Kiesel has acknowledged the law may conflict with service agreements, but said the law is intended to get people thinking seriously about what they leave behind on Facebook and other websites. “We’re not just leaving a couple of shoeboxes full of mementos behind,” Kiesel said. “We’re leaving behind potentially thousands of photographs and all kinds of aspects of our lives online.” The law is the first of its kind in the U.S.

Companies Beware: The Next Big Leak Could Be Yours (AP, 2 Dec 2010) - WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next. Computer experts have warned for years about the threat posed by disgruntled insiders and by poorly crafted security policies, which give too much access to confidential data. And there is nothing about WikiLeaks’ release of U.S. diplomatic documents to suggest that the group can’t — or won’t — use the same methods to reveal the secrets of powerful corporations. And as WikiLeaks claims it has incriminating documents from a major U.S. bank, possibly Bank of America, there’s new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider. Despite the repeated warnings, many large companies lack clear policies on who should have access to certain data, said Christopher Glyer, a manager with the Mandiant Corp., an Alexandria, Va.-based security firm that investigates computer intrusions. WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy. Julian Assange, WikiLeaks’ founder, told Forbes magazine that the number of leaks his site gets has been increasing “exponentially” as the site has gotten more publicity. He said it sometimes numbers in the thousands per day.

FTC Offers Businesses Tips for Securing Data on Digital Copiers (FTC, 3 Dec 2010) - The Federal Trade Commission, the nation’s consumer protection agency, has tips for businesses on how to safeguard sensitive data stored on the hard drives of digital copiers. Here are the highlights of the FTC’s new publication, Copier Data Security: A Guide for Businesses: 
·      Before acquiring a copier, plan to have the information technology staff manage and maintain it just as they would a computer or a server.
·      When buying or leasing a copier, evaluate your options for securing the data on its hard drive – including the encryption or overwriting features that will be used. Encryption scrambles the data on the hard drive so it can only be read by particular software. This ensures that even if the hard drive is removed from the machine, the data cannot be retrieved. Overwriting – also known as file wiping or shredding – replaces the existing data with random characters, so that the file cannot be easily reconstructed.
·      Take advantage of all of the copier’s security features. Securely overwrite the entire hard drive at least once a month.
·      When returning or disposing of a copier, find out whether it is possible to have the hard drive removed and destroyed, or to overwrite the data on the hard drive. Generally, it is advisable for a skilled technician to remove the hard drive to avoid the risk of rendering the machine inoperable.
For more information about securing sensitive data, see Protecting Personal Information: A Guide for Business.

Web Bugs the New Norm For Businesses? (Slashdot, 3 Dec 2010) – An anonymous reader writes: “What ever happened to the good old days, when underhanded email practices were only used by shady email marketing companies and spammers? Today, it seems, the mainstream corporate world has begun to employ the same tactics as spammers to track their customers’ email. Jonathan Zdziarski noted in a blog entry that AT&T is using web bugs to track email sent to customers. Could this be used for nefarious purposes?”

DoD to Troops: Lawfare=Wikileaks (Lawfare, 3 Dec 2010) - Those of you concerned about the Wikileaks disclosures will be reassured to know that the military IT folks are on the case and are aggressively cracking down on–drum-roll, please–us. That’s right, folks, Wikileaks, Lawfare. It’s all the same. They’re both on the Internet, after all. I awoke this morning to an email from alert reader Jeffrey A. Sherman, a reserve JAG Army Captain in the 2nd Stryker Brigade Combat Team, 25th Infantry Division, which is currently deployed in Iraq. He notified me that the following text now appears on his computer when he tries to access Lawfare:
Due to the recent disclosure of US Classified Information to public news and media sources, the site you are attempting to access may potentially be hosting US Classified Information (CONFIDENTIAL to SECRET//NOFORN) documents. Downloading, copying, typing text into another document or email, printing, saving to a workstation, server, or any drive connected to a NIPR or Unclassified system is considered a compromise of that system. Additionally, printing, sending, transmitting or forwarding this information is also considered a SPILL and established SPILL cleanup procedures must be followed. Users will lose network access until the incident can be fully resolved IAW USF-I and CENTCOM standards, including user training.
Viewing these documents is not considered a spill in of itself; however, once a user identifies the information as classified or potentially classified, the individual should immediately cease viewing the item and close their web browser.
IAW with DOD guidance and USF-I OPSEC Hash 10-2, all personnel are to refrain from viewing any of the articles pertaining to Wikileaks releases on their DOD NIPR system.
If you have questions regarding this message contact the JNCC-I IA Office, VoSIP: 708-243-6391.
Logged Information
Proxy Server: ARIF1-N-1-PROXY
IP Address:
UTC Timestamp: 2010-12-03 12:06:25
Category: Government/Legal;Blogs/Personal Pages
I cannot tell you how much I resent this. It’s not just the stupidity of the failure to distinguish between leaks and commentary on national security law–which inevitably will occasionally touch on leaks. It’s also the ridiculous phrase “May Potentially Contain Classified Information,” which in this instance translates roughly to “Does Not Contain or Discuss Classified Information Not Already Disclosed by Entities With Orders of Magnitude More Readers.” We have not posted any State Department cables here on Lawfare. The most we have done is linked to a New York Times article that refers to some cables and re-quoted what the Times had already quoted. We have actually taken pains over the life of this blog–and before–to avoid compromising sensitive material in the course of work that necessarily brings us into contact with it. On a few occasions, we have gone so far as to decline to post on sensitive matters that have come our way as a result of accidental disclosures. We write off of the public record here at Lawfare. Some of my press friends may not admire that, but that’s what we do. Glad to know the military appreciates the effort.

Risk of Cyber Attacks Should Be Board-Level Concern, Lloyd's Says (Insurance Journal, 6 Dec 2010) - Digital risks must be a board-level concern for business as the range, frequency and scale of cyber attacks increases, according to a new report. Many companies are unwittingly vulnerable to the possibility of data leakage, phishing attacks, trojans or advanced persistent threats, according to a new report from Lloyd's, the world's leading specialist insurance market, and HP, the world's largest technology company. The report, "Managing digital risks: trends, issues and implications for business," warns that, as businesses become more reliant on technology, they will face more complex and damaging digital attacks as sophisticated attackers quickly adapt their methods to steal from, disrupt and spy on businesses.

Government, Financial Industry Launch Cybersecurity Collaboration (Information Week, 7 Dec 2010) - Federal agencies have teamed up with the financial services industry to promote a common way for the public and private sector to coordinate on cybersecurity. The effort is aimed at speeding the commercialization of technologies being developed to protect U.S. critical infrastructure so that both the federal government and private organizations can benefit from them, according to the White House. The National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC) released a memo Monday agreeing to pool their collective cybersecurity resources to facilitate innovation; identify and fight cybersecurity vulnerabilities; and develop more efficient and effective cybersecurity processes that can be used in the financial services sector as well as by other organizations.

Yahoo Finance Integrates Real-Time Stock Discussion From StockTwits (Mashable, 7 Dec 2010) - Yahoo Finance announced Tuesday that it has begun pulling data from StockTwits’s API, which curates stock-related conversation from Twitter tagged with $[stock symbol] (i.e. $AMZN) and messages sent through its own microblogging platform. StockTwits’s stream appears in a newly launched Market Pulse section, designed to help users keep track of real-time, user-generated finance news discussion on the web. We’ve pulled up the page for Google below. Unfortunately, the stream is not yet integrated into the main dashboard pages, which include quotes, charts, news and other information for each stock. Instead, users have to navigate to a separate “Market Pulse” page on the left sidebar, which severely limits the stream’s exposure.

As Jurors Go Online, U.S. Trials Go Off Track (Reuters, 8 Dec 2010) - The explosion of blogging, tweeting and other online diversions has reached into U.S. jury boxes, raising serious questions about juror impartiality and the ability of judges to control courtrooms. A Reuters Legal analysis found that jurors’ forays on the Internet have resulted in dozens of mistrials, appeals and overturned verdicts in the last two years. For decades, courts have instructed jurors not to seek information about cases outside of evidence introduced at trial, and jurors are routinely warned not to communicate about a case with anyone before a verdict is reached. But jurors these days can, with a few clicks, look up definitions of legal terms on Wikipedia, view crime scenes via Google Earth, or update their blogs and Facebook pages with snide remarks about the proceedings. The consequences can be significant. A Florida appellate court in September overturned the manslaughter conviction of a man charged with killing his neighbor, citing the jury foreman’s use of an iPhone to look up the definition of “prudent” in an online dictionary. In June, the West Virginia Supreme Court of Appeals granted a new trial to a sheriff’s deputy convicted of corruption, after finding that a juror had contacted the defendant through MySpace. Also in September, the Nevada Supreme Court granted a new trial to a defendant convicted of sexually assaulting a minor, because the jury foreman had searched online for information about the types of physical injuries suffered by young sexual assault victims. Reuters Legal, using data from the Westlaw online research service, a Thomson Reuters business, compiled a tally of reported decisions in which judges granted a new trial, denied a request for a new trial, or overturned a verdict, in whole or in part, because of juror actions related to the Internet. 
The data show that since 1999, at least 90 verdicts have been the subject of challenges because of alleged Internet-related juror misconduct. More than half of the cases occurred in the last two years. Judges granted new trials or overturned verdicts in 28 criminal and civil cases -- 21 since January 2009. In three-quarters of the cases in which judges declined to declare mistrials, they nevertheless found Internet-related misconduct on the part of jurors. These figures do not include the many incidents that escape judicial notice.

OFAC Expands Capacity of Designated Entities to Pay for Legal Services (Lawfare, 8 Dec 2010) - OFAC has issued a final rule amending the TSR and GTSR sanction regimes to expand the options for designated entities to pay for certain legal services. Presumably this is at least indirectly responsive to issues that arose over the past year when the ACLU and CCR sought to represent Anwar al-Aulaqi’s father in the targeted killing case, and when the Humanitarian Law Project litigation (which dealt with the 2339B material support regime, not an IEEPA regime) raised similar questions about the provision of legal services to designated terrorist organizations. Whatever the origin, the full details of the new rule are posted here, and the summary follows: “SUMMARY: The Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury is amending the Global Terrorism Sanctions Regulations (“GTSR”) and the Terrorism Sanctions Regulations (“TSR”) to expand the scope of authorizations in each of those programs for the provision of certain legal services. In addition, OFAC is adding new general licenses under the GTSR, the TSR, and the Foreign Terrorist Organizations Sanctions Regulations to authorize U.S. persons to receive specified types of payment for certain authorized legal services.”

Fail: NASA Sold Space Shuttle PCS Without Wiping Secret Data (Computerworld, 8 Dec 2010) - For sale, used computer packed full of secret NASA Space Shuttle data. As part of a plan to securely end the Space Shuttle program, NASA is getting rid of old computers. However, NASA officials failed to delete sensitive data on PCs and hard drives before selling the equipment. The Office of Inspector General found “serious” security breaches at NASA centers in Florida, Virginia, Texas and California. NASA is full of very bright minds, so how did it manage to make such a noob mistake of selling PCs without wiping the hard drives? An audit [PDF] found 10 of 14 computers that failed tests to ascertain they’d been wiped properly. One computer that was to be sold still contained sensitive Space Shuttle data, which was subject to export control by the International Traffic in Arms Regulations. All electronic storage media is supposed to be wiped of data “to the degree that there is reasonable assurance that the data cannot be retrieved or reconstructed,” the audit stated. NASA-approved software for sanitizing hard drives includes DBAN (Darik’s Boot and Nuke), Secure Erase, and WipeDrive/WipeDrive Pro. Contractors in charge of deleting sensitive information used DBAN and Active@KillDisk - which is not NASA approved at Johnson’s disposition center. Ames used BCwipe, which is DOD compliant, but not NASA approved. USA used Symantec DateGone which is not approved by NASA, DOD or NSA.

UCLA Sued Over Streaming of Videos (InsideHigherEd, 10 Dec 2010) - After a public copyright dispute in January, the Association for Information and Media Equipment says it has filed suit against the University of California at Los Angeles and the system’s Board of Regents. The association, a trade group that represents 16 educational media companies, objected to UCLA’s practice of allowing students to stream copyrighted videos on their course websites. Since course websites are not classrooms, the group said, the “fair use” exemptions for educational use do not apply. UCLA has said that since the course websites are password-protected, streaming videos on the site is the same as showing them in class, except far more convenient for students and professors. Allen Dohra, president of the trade group and vice president of Ambrose Video Publishing, which is named as a co-plaintiff in the suit, said in a press release that UCLA is undermining Ambrose’s own streaming service, which it offers at a price to subscribers. “UCLA’s behavior spells catastrophe for the entire educational video market, which increasingly will turn to streaming video,” the group said in the release.

Kim Dulin and David Weinberger on the Meta-Library (Berkman Center, 9 Nov 2010) - As more and more content moves into the cloud, libraries are decreasingly the single place to go to find the material you need for your research (except for rare books and special collections). But libraries know a huge amount about their contents. This metadata is becoming even more valuable as research moves online, since now it can be deployed to help scholars and researchers discover, understand, and share what they need to know. The co-directors of the Harvard Library Innovation Lab at Harvard Law School—Kim Dulin and David Weinberger—along with members of the Lab will demonstrate their lead project (ShelfLife) and talk about the Lab’s proposed multi-library metadata server (LibraryCloud).

**** RESOURCES ****
OECD Privacy Guidelines: Thirty Years in the Public Sector (The Privacy, edited by Richard Purcell) - At the 30th Anniversary of the OECD Privacy Guidelines, we present a comparative study of how those guidelines have influenced the development of laws, regulations and public policy in five representative OECD member states – Australia, Canada, Japan, Spain, and the United States.

The Cyberthreat, Government Network Operations, and the Fourth Amendment (Jack Goldsmith paper, 9 Dec 2010) - Many corporations have intrusion-prevention systems on their computers’ connections to the Internet. These systems scan the contents and metadata of incoming communications for malicious code that might facilitate a cyber attack, and take steps to thwart it. The United States government will have a similar system in place soon. But public and private intrusion-prevention systems are uncoordinated, and most firms and individual users lack such systems. This is one reason why the national communications network is swarming with known malicious cyber agents that raise the likelihood of an attack on a critical infrastructure system that could cripple our economic or military security. To meet this threat, imagine that sometime in the near future the government mandates the use of a government-coordinated intrusion-prevention system throughout the domestic network to monitor all communications, including private ones. Imagine, more concretely, that this system requires the National Security Agency to work with private firms in the domestic communication network to collect, copy, share, and analyze the content and metadata of all communications for indicators of possible computer attacks, and to take real-time steps to prevent such attacks. This scenario, I argue in this essay, is one end point of government programs that are already up and running. It is where the nation might be headed, though perhaps not before we first suffer a catastrophic cyber attack that will spur the government to take these steps. Such a program would be controversial. It would require congressional approval and in particular would require mechanisms that credibly establish that the NSA is not using extraordinary access to the private network for pernicious ends. But with plausible assumptions, even such an aggressive program could be deemed consistent with the U.S. Constitution, including the Fourth Amendment. Paper here:

**** FUN ****
Law and the Multiverse; Superheroes, supervillains, and the law (blog) – If there’s one thing comic book nerds like doing it’s overthinking the smallest details. Here we turn our attention to the hypothetical legal ramifications of comic book tropes, characters, and powers. Just a few examples: Are mutants a protected class? Who foots the bill when a hero damages property while fighting a villain? What happens legally when a character comes back from the dead? [Creative, out-of-the-box subject matter for lawyers: e.g., how does The Rule Against Perpetuities play if you’re immortal? or “Fee Simple and Alter-Egos” and “Is Batman a State Actor?”]

**** DIFFERENT ****
Lapsed Magazine Subscriptions (InsideHigherEd, 9 Dec 2010) - The most important shift brought about by the Web has been to move more of us from being consumers to producers. The fact that you are reading this blog now, and maybe will comment on the post - or tweet or blog yourself, is testament to this fact. Distressingly, the practice of higher ed has largely lagged this transition - too little of our students' time is spent producing for the world (writing, making videos, posting and sharing) - and too much time is still spent consuming words from the mouths of our professors. Today, in some of our courses and on some of our campuses, the transition to student as producer (student as researcher, student as writer, student as colleague), has already begun. In some courses, the lecture model has been inverted - so that the student time-shifts lecture material at her convenience - and precious in-person class time is spent debating, discussing, creating, and sharing. In some courses and on some campuses, the Web has transformed learning into an active experience in the same way that the Web has transformed media. Which brings me to the subject of magazines to which I no longer subscribe. I'm somewhat saddened by my abandoned identity of a magazine subscriber. In days past, most of us defined ourselves by what we consumed. Magazines were a big part of my self-identity. Now, with more time spent writing - I have less time to consume - and many more options to consume via the Web in small chunks. The reams of paper that previously moved through my home have been replaced mostly by bits - but I'm nostalgic for those days of magazines strewn around the house.

MOVING ON TO M-COMMERCE -- In the rapidly growing market for “m-commerce” (e-commerce via mobile devices), Motorola is staking out new ground with a purchasing system for mobile phones that features voice-activated authentication of credit cards. Rather than typing numbers on a phone keypad to make a purchase, customer credit card numbers are stored on the cell-phone operator’s computer server. Once the customer approves a purchase, the information is sent from the server to the online merchant. In some cases, customers can choose items to buy and approve credit card purchases simply by speaking commands into the phone. The technology is based on software from Trintech Group. (Wall Street Journal 2 Feb 2000)

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks. You can subscribe to the MIRLN distribution list by sending email to Vince Polley with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at Get supplemental information through Twitter:

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. InsideHigherEd -
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog,
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Saturday, November 20, 2010

MIRLN --- 1-20 November 2010 (v13.16)

(supplemented by related Tweets: #mirln)

·      Facebooking in Court: Coping With Socially Networked Jurors
·      USPTO Launches Second Peer To Patent Pilot in Collaboration with New York Law School
·      Report Reveals the Riskiest Web Domains to Visit
·      Ind. AG Sues Wellpoint for $300k Over Data Breach Notification Delay
·      Who Is John Doe? Who Wants To Know?
·      French Court: Deeplinking to Genuine Source of Downloadable Software Did Not Amount to an IP Rights Infringement
·      Are these Records?
o   White House Orders Standard Practices on Unclassified Information
·      White House CIO Council Releases Draft Guidance on U.S. Govt Cloud Computing
·      Proper Data Disposal Means More Than Just Taking Out the Trash
·, All Over Again
·      Spam Filter Excuse for Missing a Deadline Flies in the Northern District of Illinois
·      Protecting and Securing Confidential Client Data
·      New Business Center Can Help Boost Compliance with FTC Law
·      The New Frontier of Employee Avatar Appearance Codes
·      “Should Lawyers Twitter?”
o   New AMA Policy Helps Guide Physicians’ Use of Social Media
o   Seeking Clients Via Facebook? In Ky., Bar May Regulate Social Media Comments
·      Holding on to a Domain Name to Gain Leverage in a Business Dispute Can Constitute Cybersquatting
·      A Lack of Transparency in S.E.C. Disclosure Rule
·      Company Accused of Firing Over Facebook Post
·      Twitter Clarifies Usage Rules, but AFP Still Claims Unbridled Right to Use Content Uploaded to Twitter
·      Gartner: Social Networking Slowly Taking Over E-Mail
·      Britain to Tape Traders’ Cell Phones to Fight Fraud
·      NYPD Uses Google Street View Images as Evidence in Heroin-Dealing Case
·      Lenz Waived Attorney-Client Privilege Through Chats, Blogging
·      Cybersecurity and Rerouting of Internet Traffic to Chinese Servers
·      Request for Discovery of Facebook Profile and Photos Rejected as a Fishing Expedition


Facebooking in Court: Coping With Socially Networked Jurors (, 14 Oct 2010) - Constant thought-sharing defines our Information Age. At the office, in the car or anywhere else, we share every detail of our daily existence in real time on Facebook. Most of the time, this is acceptable and constitutionally protected behavior. But what happens in the courtroom when jurors post their opinions about a case online during trial? Last month, one Michigan juror found out. Before the case was over, this juror posted on Facebook how it was “gonna be fun to tell the defendant they’re GUILTY.” Alert defense counsel saw the posting, and the trial judge dismissed the juror, fined her $250 and ordered her to write a five-page essay about the constitutional right to a fair trial. This is the new courtroom reality, one that offers courts less control over what information flows in and out of the jury box. The problem is that, over the centuries, our legal system developed rules designed to ensure that the facts presented to a jury are scrutinized and challenged by both sides. Jurors were asked to hear all the evidence, refrain from sharing opinions and ultimately deliberate in secret. But modern, socially networked jurors accustomed to accessing and sharing information are colliding with this fishbowl experience and disrupting trials in ways few know how to address. [Editor: good overview piece, with discussion of emergence of new standards, such as by the Judicial Conference of the US]

USPTO Launches Second Peer To Patent Pilot in Collaboration with New York Law School (USPTO, 19 Oct 2010) - The United States Patent and Trademark Office (USPTO) today announced a second Peer To Patent pilot program will be initiated with New York Law School’s Center for Patent Innovations (CPI). The new, one-year pilot will begin on October 25 and will expand on the previous pilot program—which was limited to software and business methods applications—to also include applications in biotechnology, bioinformatics, telecommunications, and speech recognition. The Peer To Patent pilot program, begun in 2007, opens the patent examination process to public participation in the belief that such participation accelerates the examination process and improves the quality of patents. Under the pilot program, inventors can opt to have their patent applications posted on the website. Volunteer scientific and technical experts then discuss the applications and submit prior art they think might be relevant to determining if an invention is new and non-obvious, as the law requires. After the review period, the prior art is sent to the USPTO patent examiners for their consideration during examination. The original Peer To Patent pilot, which ran from June 2007 until June 2009, opened the patent examination process up to online public participation for the first time in history. [Editor: a former colleague writes: “Many corporate lawyers are leery of letting employees participate, fearing that a company whose patent application is denied could sue unfavorable reviewers and their employers. However, subject matter experts have generally been quite willing to participate. Many agree with the USPTO that they can contribute to a system that will favor better patents and prevent frivolous ones from being approved by examiners who lack key knowledge of the concerned technologies.”]

Report Reveals the Riskiest Web Domains to Visit (Security Week, 26 Oct 2010) - Web risk climbed to a record 6.2% of more than 27 million live domains evaluated for the 2010 Mapping the Mal Web report released today by McAfee. According to the report, the world’s most heavily trafficked web domain, .COM, is now the riskiest, with fifty-six percent of all risky sites discovered ending in .COM. While .COM is the riskiest top-level domain, the riskiest country domain is Vietnam (.VN). Japan’s .JP ranks as the safest country domain for the second year in a row and .TRAVEL as the safest overall domain. It’s interesting to note that .JP (currently $89.99 at GoDaddy) and .TRAVEL ($89.99 at Moniker) domains are also some of the most expensive domains. Are cybercriminals getting cheap with other people’s credit cards? Or does the higher price make it more risky? “Last year Vietnam’s .VN was a relatively safe domain, and this year it jumped to the third most dangerous domain. Cybercriminals target regions where registering sites is cheap and convenient and pose the least risk of being caught,” said Paula Greve, director of web security research for McAfee Labs. Report here:

Ind. AG Sues Wellpoint for $300k Over Data Breach Notification Delay (Business Week, 29 Oct 2010) - The Indiana attorney general’s office is suing health insurance giant WellPoint Inc. for $300,000 for waiting months to notify customers that their medical records, credit card numbers and other sensitive information may have been exposed online. The lawsuit filed Friday in Marion County accuses WellPoint of violating a state law that requires businesses to provide notification of data breaches in a timely manner. State officials say the personal records were exposed for at least 137 days between last October and March. The suit says WellPoint learned of the problem Feb. 22 but didn’t start notifying customers until June.

Who Is John Doe? Who Wants To Know? (Media Law Prof Blog, 1 Nov 2010) - Lior Strahilevitz, University of Chicago Law School, has published Pseudonymous Litigation at 77 University of Chicago Law Review 1239 (2010). Here is the abstract: “We presently lack a good theory for when we should permit parties to litigate using a pseudonym, and American and European legal systems differ sharply on the question. This essay attempts to leverage one of the developments associated with the information age to make progress towards a satisfying answer. The relevant development is the newfound ease with which one can air a grievance pseudonymously or anonymously via online feedback sites, rating sites, and similar forums. Given the availability of these sometimes attractive alternatives to litigation, the legal system should answer the question of whether to permit a party to litigate as a “John Doe” by determining whether a particular grievance is optimally resolved via legal dispute resolution mechanisms or the self-help alternatives that have arisen online and elsewhere. These alternative mechanisms are markedly inferior to litigation at addressing certain types of disputes and markedly superior at addressing other sorts of controversies. Many of the factors most relevant to determining whether a dispute is best addressed in a court or in a less costly forum – such as the existence of legal issues of first impression, the public relations sophistication and reputational stakes of the parties, the existence of material factual disputes, the degree to which the parties’ conduct violates existing social norms, and the magnitude of the harms suffered – are not easily discerned at the outset of litigation. It therefore may be optimal to permit a party to litigate to final judgment using a pseudonym and to consider revealing the litigant’s identity at the conclusion of proceedings. 
Such determinations could be based on either a balancing test that weighs the relevant aforementioned factors or a less precise bright-line rule, such as “prevailing party pseudonymity.” The essay examines how such approaches would have played out in Doe v. Smith, a Seventh Circuit invasion of privacy case that expressed misgivings about permitting pseudonymous litigation despite quite sympathetic facts.” Article here:

French Court: Deeplinking to Genuine Source of Downloadable Software Did Not Amount to an IP Rights Infringement (Bird & Bird, 2 Nov 2010) - A French court has held that an unauthorised direct link to downloadable software, bypassing the home page of the software publisher, does not itself amount to an infringement of intellectual property rights. Nor did sponsored links to competing software amount to unfair competition.

Are these Records? (NARA, 2 Nov 2010) - Federal agencies’ Facebook posts, YouTube videos, blog posts, and tweets… are all of these Federal records? Increasingly, Federal agencies are using web 2.0 and social media tools to quickly and effectively communicate with the public. These applications, sites, and tools encourage public participation and increase our ability to be more open and transparent. The informal tone of the content, however, should not be confused with insignificance. Agencies must comply with all records management laws, regulations, and policies when using web 2.0 and social media tools. On October 20, 2010, the National Archives and Records Administration issued “Guidance on Managing Records in Web 2.0/Social Media Platforms” also known as NARA Bulletin 2011-02. The bulletin says that the “principles for analyzing, scheduling, and managing records are based on content and are independent of the medium; where and how an agency creates, uses, or stores information does not affect how agencies identify Federal records.” The following questions are meant to help agencies determine record status:
·      Is the information unique and not available anywhere else?
·      Does it contain evidence of the agency’s policies, business, mission, etc.?
·      Is this tool being used in relation to the agency’s work?
·      Is use of the tool authorized by the agency?
·      Is there a business need for the information?
If the answers to any of the questions are yes, then the content is likely to be a Federal record. While an agency may determine that content is non-record because it is duplicative and found elsewhere in an agency’s recordkeeping system, agencies should also consider the fact that social media platforms can offer better indexing, opportunity for public comment, and other collaboration.

- and -

White House Orders Standard Practices on Unclassified Information (Wired, 4 Nov 2010) - The White House released an executive order Thursday that aims to standardize how agencies handle unclassified information that carries statutory protections against dissemination. Such information — designated “controlled unclassified information,” or CUI — is currently handled in an ad hoc manner, with each agency creating its own policies, procedures and markings for safeguarding the information. This can create confusion with those requesting documents under the Freedom of Information Act, and among agency personnel handling such requests. “This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing,” according to the order, signed by President Obama. “The fact that these agency-specific policies are often hidden from public view has only aggravated these issues” (.pdf). To standardize the management of such information, the directive orders all executive branch agencies to produce a list of all the categories and subcategories they currently use to distinguish CUI from other unclassified information and to submit the list within six months to the National Archives and Records Administration (NARA). For each category, the agencies must cite the relevant law, regulation or government policy that justifies protecting the information from dissemination. “If there is significant doubt about whether information should be designated as CUI, it shall not be so designated,” according to the order. The NARA has a year to winnow these lists down to a single list of acceptable categories and subcategories for CUI.

White House CIO Council Releases Draft Guidance on U.S. Govt Cloud Computing (Information Law Group, 3 Nov 2010) - A draft release of a 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing was distributed by the White House CIO Council yesterday, curiously numbered a 0.96 release. A product of FedRAMP (the Federal Risk and Authorization Management Program), the guidance draft is the result of an 18-month inter-agency effort by the National Institute of Standards and Technology (NIST), General Services Administration (GSA)(see GAO-10-855T), the CIO Council and others, including state and local governments, industry, academia, and additional governmental bodies, such as the Information Security and Identity Management Committee (ISIMC). Comments on the draft can be submitted online until December 2nd here. While we’ll be posting further analysis of the cloud computing guidance draft, the three chapters of the draft’s tripartite organization focus on: 
·      Cloud Computing Security Requirements Baselines;
·      Continuous Monitoring; and a
·      Potential Assessment & Authorization Approach.
An appendix contains materials on assessment procedures and security documentation templates. While the end goal of this FedRAMP initiative is to streamline federal governmental cloud computing vetting and procurement across agencies, it clearly remains to be seen how this ultimately works out in the field.

Proper Data Disposal Means More Than Just Taking Out the Trash (Steptoe & Johnson’s E-Commerce Law Week, 4 Nov 10) -- An attorney who improperly disposed of client records was publicly reprimanded by the Indiana Supreme Court, which stated that the attorney’s failure to properly destroy the documents before disposing of them left his clients vulnerable to the theft of privileged client information. While that case (In the Matter of: Steven C. Litz) involved physical documents, the same ethics requirement would also apply to disposal of electronic records. The proper disposal method of personal records is important not just for lawyers but for any entity that handles personal data, as Federal Trade Commission enforcement actions illustrate.

, All Over Again (Robert Ambrogi, 4 Nov 2010) - The legal news and information site got a major facelift this week, and the new look is more than skin deep. In addition to a cleaner and more consistent design throughout, the revamped features a broader array of news and voices, from both within and without the network of ALM,’s parent company. The site’s new look is evocative of a newspaper layout. The new home page appears cleaner but also packs in a lot more information than was there before — although there is a bit of vertical scrolling required to take it all in. The site includes more content from throughout the ALM network of newspapers, magazines, newsletters, websites and special reports. All of it can now be accessed with a single log-in. New features on the front page include a video center, a selection of special reports, and a selection of “top jobs” from openings listed on Notably, now incorporates content from outside the ALM network as well, making it more of single-stop destination for news. A front-page section titled “More Stories From the Web” links to legal news from various news organizations and wire services. A second section, “Other Voices from the Legal Web,” displays a Twitter feed of legal-industry tweets.
As it did before, the front page continues to display recent posts from blogs within the Blog Network (of which this blog is a member). Also new to the page are lists of the most-viewed and most-commented stories. There is a separate, “most mentioned” box which, frankly, I cannot understand. It doesn’t explain the source of the mentions. I presume it means “most searched,” because if you click on any of the items listed, it takes you to a search for that item. [Editor: look for a new ABA website, too – but not before February.]

Spam Filter Excuse for Missing a Deadline Flies in the Northern District of Illinois (Eric Goldman, 4 Nov 2010) - Pace et al. vs. AIG, 8 C 945 (N.D. Ill.; Nov. 1, 2010) -- As the court notes in this case, ‘I missed a deadline because I did not receive electronic notice of a filing’ is becoming the “modern [lawyer’s] version of the classic ‘my dog ate my homework’ line.” The court granted AIG’s motion for summary judgment on March 30, 2010. The notice of appeal would have been due on April 29, 2010. After the due date, on May 27, 2010, Appellants moved for an extension of the deadline to file a notice of appeal. Initially, they argued that they never received a copy of the court’s March 30, 2010 order, but they wisely changed course and blamed it on their overzealous spam filter. Ultimately, the court grants the motion and extends the deadline, even though six lawyers were listed as counsel on the case, and a local rule requires local counsel to be responsible for receiving notices and notifying “the designating attorney of their receipt and contents.” In the process of granting the extension, the court beats up on counsel for appellants, noting that “[t]here can be no doubt that Appellants are guilty of neglect in this case . . .” The court runs through the numerous other cases where courts have rejected the spam filter excuse, but finds that in many of those cases, the failure to act on an e-filed document was part of an overall pattern of lack of diligence or lack of credibility on the part of the lawyer who offered this excuse: * * *

Protecting and Securing Confidential Client Data (Law Tech News, 5 Nov 2010) - Law firms are entrusted with the most sensitive and valuable information the release of which may be devastating for affected clients, as well as for the firm. In light of state and federal legislation regulating health, financial, and technology secrets, a law firm may face criminal, regulatory, or disciplinary proceedings from an unauthorized release of information. A law firm may also face civil claims, ranging from breach of contract and fiduciary duty to malpractice, defamation, or other torts. Law firms may lose loyal clients, or jeopardize the privacy and financial interests of loyal employees. Despite these realities, law firms generally do not employ, or enforce the level of security that certain clients -- particularly those dealing with heavily regulated or confidential information -- use and take for granted in their own operations. However, the twin questions that law firms need to address today are: how important to its clients are the secrets entrusted by them to the firm, and is the firm taking adequate steps to fulfill its obligations to safeguard that information? The duty to protect information generally arises from one (or more) of six sources. These are:
• fiduciary duty;
• ethical duty under the Rules of Professional Conduct, Rule 1.6;
• court-imposed obligations, including rules protecting confidential information in family law matters, and protective orders entered in particular cases;
• contractual obligations with clients and non-clients, including law firm employees;
• state or federal statutes that apply to persons who receive or retain certain types of information, such as medical or financial-related information, and state secrets; and
• obligations imposed generally through tort law, such as the obligation to avoid publicizing another's private information.
As should be evident in reviewing the foregoing non-exhaustive list of duties and obligations, improper disclosure may violate multiple duties and/or obligations, and result in severe consequences, regardless of whether the disclosure was intentional or inadvertent. [Editor: there’s other useful material in this article; see also the piece titled “Law Firms Face Risks in Handling Personal Information” in the RESOURCES section below.]

New Business Center Can Help Boost Compliance with FTC Law (FTC, 5 Nov 2010) - The Federal Trade Commission has a new Business Center at that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces. The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics. A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information. A new video encourages businesses to use and share the free resources in the Business Center to enhance compliance and build their customers’ trust. Companies can use the compliance tips in their newsletters and blogs, share the resources with their social and professional networks, use the videos for in-house trainings or presentations, and order free materials to hand out at conferences or community events. The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad.

The New Frontier of Employee Avatar Appearance Codes (MoFo, 5 Nov 2010) - Should companies reasonably ask employees to moderate the appearance of their virtual characters—or “avatars”—to conform to the company’s dress code policies? Many companies currently maintain virtual worlds on their own computer networks (akin to the popular Second Life platform) that give employees the freedom to create their own virtual self-images that interact with the avatars of other employees. And given the almost limitless visual possibilities in creating and clothing avatars, they are frequently crafted to look far more risqué or outlandish than their real-world creators. A number of commentators in the business world have already begun to weigh in on whether companies can or should lawfully regulate the appearance of their employees’ avatars, when such appearance crosses the bounds of professional propriety and potentially offends colleagues. A well-publicized October 2009 report by IT technology consulting firm, Gartner Inc., found that “Avatars are creeping into business environments and will have far reaching implications for enterprises, from policy to dress code, behavior and computing platform requirements,” and estimated that by year-end 2013, 70% of enterprises will have behavior guidelines and dress codes established for all employees who maintain avatars inside a virtual environment associated with the enterprise. Although the first avatar appearance case remains to be seen, companies that are considering establishing employee avatar appearance codes should consider all of the following: * * *

“Should Lawyers Twitter?” (ABA Journal, 5 Nov 2010) - With a front-page feature story on Twitter in Sunday’s New York Times Business Section, it is perhaps a good time to visit the question: “Should Lawyers Twitter?” In the tradition of Donald Rumsfeld and now Randy Moss, let me proceed by asking and answering my own questions. What is the functionality of Twitter? Twitter is a wide-open Web service that lets you either (A) publish 140-character “tweets” that can be anything from a deep but brief legal thought to notes from a talk to a rant on your service frustration with American Airlines; and (B) “follow” other folks who are tweeting by reading their tweets. You can go to Twitter periodically to catch up without having the miscellaneous communication clog up your e-mail inbox. What problem does Twitter solve? Think of Twitter as a meta watercooler. It allows you to track and share thoughts across a wide range of folks. This may or may not solve a problem for you. I find the most useful aspect of Twitter to be (A) as an übereditor for news and developments across the Web; (B) a way to stay in tune with the thinking of folks who may be professionally important to me; and (C) a way to track what’s happening at conferences I can’t attend. [Editor: there’s more – interesting stuff that resonates with me.]

- and -

New AMA Policy Helps Guide Physicians’ Use of Social Media (AMA, 8 Nov 2010) - Millions of Americans use social networks and blogs to communicate, but when those users are physicians, challenges to the patient-physician relationship can arise. New policy adopted today by the American Medical Association (AMA) aims at helping physicians to maintain a positive online presence and preserve the integrity of the patient-physician relationship. “Using social media can help physicians create a professional presence online, express their personal views and foster relationships, but it can also create new challenges for the patient-physician relationship,” said AMA Board Member Mary Anne McCaffree, M.D. “The AMA’s new policy outlines a number of considerations physicians should weigh when building or maintaining a presence online.” The new policy encourages physicians to:
·      Use privacy settings to safeguard personal information and content to the fullest extent possible on social networking sites.
·      Routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and content posted about them by others, is accurate and appropriate.
·      Maintain appropriate boundaries of the patient-physician relationship when interacting with patients online and ensure patient privacy and confidentiality is maintained.
·      Consider separating personal and professional content online.
·      Recognize that actions online and content posted can negatively affect their reputations among patients and colleagues, and may even have consequences for their medical careers.
The new policy on professionalism when using social media was adopted today at the AMA’s semi-annual policy making meeting in San Diego. [Editor: I’m curious about how other, non-law professions are adapting to social media opportunities; their experiences may illuminate our options.]

- and -

Seeking Clients Via Facebook? In Ky., Bar May Regulate Social Media Comments (ABA Journal, 18 Nov 2010) - Lawyers in Kentucky who reach out to potential clients through social media such as Facebook and MySpace may see their comments regulated by the Kentucky Bar Association. The bar has proposed a regulation that would bar solicitations through social media unless lawyers pay a $75 filing fee and permit regulation by the bar’s Advertising Commission, the Louisville Courier-Journal reports. Some lawyers contacted by the newspaper criticized the proposal, saying it isn’t clear what kinds of comments would be regulated because of vague language. Critics said the proposal could be interpreted to regulate posts about lawyers’ views on legal issues, their latest court wins, or basic information such as their employment and education. But Lexington lawyer Ben Cowgill told the Courier-Journal he disagreed with those interpretations. “Does a lawyer engage in an ‘advertisement’ of legal services merely by posting on Facebook that he is happy about winning a big case, or that she is burning the midnight oil on behalf of a client? No, not in my opinion,” said Cowgill, the bar’s former chief disciplinary counsel. The blog Kentucky Law Review posted the proposed amendment to the bar’s advertising rules, which authorize an advertising commission to review lawyer ads for compliance with the ethics rules. The proposed amendment defines "advertisement" as any communication containing a lawyer’s name or other identifying information. It goes on to list some exceptions. One exception is made for lawyer blogs that communicate in real time about legal issues, as long as there is no reference to an offer of legal services. “Communications made by a lawyer using a social media website such as MySpace and Facebook that are of a nonlegal nature are not considered advertisements,” the proposal says. “However, those that are of a legal nature are governed by [the advertising rules].”

Holding on to a Domain Name to Gain Leverage in a Business Dispute Can Constitute Cybersquatting -- DSPT Int’l v. Nahum (Eric Goldman, 6 Nov 2010) - This case involves the familiar story of a company leaving the domain name registration in the hands of someone who performed web design services (in this case, the registration was left in the name of the web designer’s brother) and the registrant later refusing to turn over the domain name due to a dispute over unfulfilled obligations to the registrant. On appeal, the key question was whether Lucky’s actions fit the statutory definition of cybersquatting - i.e., whether the domain name was registered or used with a “bad faith intent to profit from the plaintiff’s mark.” Lucky argued that there was no “bad faith intent to profit” from DSPT’s trademark because he only used the domain name to try to get money which he was rightfully owed, and even if he intended to profit from something, it was not from DSPT’s goodwill in the mark. The Ninth Circuit disagreed, construing the statute broadly, to find that holding the domain name hostage “to get leverage in a business dispute can establish a violation.” The court notes that while the initial registration of the domain name was obviously not in bad faith, Lucky’s subsequent “use” of the domain name in bad faith was enough to constitute a violation. Interestingly, the court acknowledged that Lucky never actually offered to “sell” the domain name back to DSPT.

A Lack of Transparency in S.E.C. Disclosure Rule (NYT, 8 Nov 2010) - Has the Securities and Exchange Commission bungled its disclosure rules? That’s the question being whispered around Wall Street trading floors after a series of company disclosures in recent weeks from the likes of Microsoft and Google that appear to have created an awful lot of confusion, potentially giving some savvy investors an edge while potentially putting the rest of us at a disadvantage. Here’s the back story: A little over a week ago, Microsoft decided to change the way it releases market-moving news like its earnings report. Instead of issuing a press release that it distributed across hundreds of news services, terminals and Web sites instantaneously, Microsoft has chosen to take advantage of some vaguely worded guidance from the S.E.C. that now allows companies to publish market-moving news directly on their own Web sites without requiring any wider distribution. So, on Oct. 28, at 4:15 p.m. Eastern time, Microsoft published its earnings report on its Web site. At 4:28 p.m., Microsoft filed its 8-K earnings report with the S.E.C., which companies are supposed to do before, or at least simultaneously with, the publication of an earnings report. Then, at 4:44 p.m., almost a half-hour after Microsoft had published its results, it issued a media advisory in a traditional press release to remind the world that it had released its earnings, though it didn’t include any numbers, just a link to its Web site. So if you had gone to Yahoo Finance or Google Finance looking for a copy of the earnings report, it wasn’t there. Microsoft isn’t alone. Google began publishing its results on its own Web site over the summer for the first time, too. The results were equally jarring. Google issued its second quarter results at 4 p.m.; the Reuters news wire didn’t move a headline about the earnings until 4:21 p.m. 
In an age of high-frequency trading when every millisecond counts — even in after-hours trading — the move toward companies’ distributing earnings and other market-moving information via their Web sites rather than through wider distribution channels raises some serious questions about transparency. And if Microsoft and Google are doing it, the rest of the Fortune 500 can’t be far behind. The S.E.C. passed Regulation Fair Disclosure — known as Regulation F.D. — in October 2000 to combat selective disclosure of market-moving information so that certain investors wouldn’t be able to trade ahead of others. But this latest disclosure trend may undermine some of that.

Company Accused of Firing Over Facebook Post (NYT, 8 Nov 2010) - In what labor officials and lawyers view as a ground-breaking case involving workers and social media, the National Labor Relations Board has accused a company of illegally firing an employee after she criticized her supervisor on her Facebook page. This is the first case in which the labor board has stepped in to argue that workers’ criticisms of their bosses or companies on a social networking site are generally a protected activity and that employers would be violating the law by punishing workers for such statements. The labor relations board announced last week that it had filed a complaint against an ambulance service, American Medical Response of Connecticut, that fired an emergency medical technician, accusing her, among other things, of violating a policy that bars employees from depicting the company “in any way” on Facebook or other social media sites in which they post pictures of themselves. Lafe Solomon, the board’s acting general counsel, said, “This is a fairly straightforward case under the National Labor Relations Act — whether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions, in this case about their supervisor, and they have a right to do that.” That act gives workers a federally protected right to form unions, and it prohibits employers from punishing workers — whether union or nonunion — for discussing working conditions or unionization. The labor board said the company’s Facebook rule was “overly broad” and improperly limited employees’ rights to discuss working conditions among themselves. 
Moreover, the board faulted another company policy, one prohibiting employees from making “disparaging” or “discriminatory” “comments when discussing the company or the employee’s superiors” and “co-workers.” The board’s complaint prompted Morgan, Lewis & Bockius, a law firm with a large labor and employment practice representing hundreds of companies, to send a “lawflash” advisory on Monday to its clients, saying, “All private sector employers should take note,” regardless “of whether their work force is represented by a union.” The firm added, “Employers should review their Internet and social media policies to determine whether they are susceptible to an allegation that the policy would ‘reasonably tend to chill employees’” in the exercise of their rights to discuss wages, working conditions and unionization.

Twitter Clarifies Usage Rules, but AFP Still Claims Unbridled Right to Use Content Uploaded to Twitter (Eric Goldman, 9 Nov 2010) - Twitter recently issued new guidelines regarding use of the “Twitter” and “Tweet” marks, and use of the underlying tweets by users and third parties as well: “Guidelines for Use of the Twitter Trademark.” The guidelines prompted some criticism that Twitter was over-reaching and that it was putting the squeeze on the vibrant ecosystem which helped it grow in the first place. (See “Twitter Investor Defends New ‘Tweet’ Usage Rules,” for a discussion of some reactions and responses from an investor in Twitter.) Before talking about the trademark-related issues, I thought it was worth discussing a copyright/licensing issue that was lurking around. Twitter’s guidelines contain its views on whether and when you can reproduce someone else’s Tweets. This was largely thought to be an issue that would not come up in practice, but a case currently pending in the Southern District of New York (Agence France-Presse v. Morel) actually turns on the issue of whether uploading content to Twitter results in some sort of broad license to third parties. Agence France-Presse was accused by a photographer of downloading photos (of the Haiti earthquake aftermath) from a Twitter (or TwitPic) account and then licensing those photos to third parties. I thought the case would quickly settle, but it’s still ongoing. Surprisingly (almost shockingly), AFP is continuing to take the position that uploading photos to Twitter and TwitPic results in some sort of implied license for the world to use whatever content is uploaded. I think AFP is unlikely to prevail on its motion for a variety of reasons, but Twitter’s guidelines make clear that AFP’s interpretation of the Twitter terms of service is off-base, to say the least. Twitter’s terms contain language making clear that “you own your Tweets.”

Gartner: Social Networking Slowly Taking Over E-Mail (Macworld, 11 Nov 2010) - If you find yourself using Facebook to send out work-related emails to coworkers, you’re not alone. According to a new report issued by Gartner, 20 percent of business users will use social networks as their primary means of business communications by 2014. Gartner says it expects e-mail clients from Microsoft and IBM will soon start integrating with social networking sites, giving users access to their e-mails, contacts and calendars from their favorite social networking platform. What’s more, Gartner says that contact lists, calendars and messaging clients on smartphones will all be capable of connecting with social networking platforms by 2012. “The rigid distinction between e-mail and social networks will erode,” says Gartner analyst Monica Basso. “E-mail will take on many social attributes… while social networks will develop richer e-mail capabilities.” Gartner also predicts that more of these social network-enabled e-mail clients will move away from on-premises networks and into the cloud. By the end of 2010, Gartner projects that 10 percent of corporate e-mail accounts will be in the cloud, up from 7 percent in 2009.

Britain to Tape Traders’ Cell Phones to Fight Fraud (NYT, 11 Nov 2010) - Investment bankers and traders in Britain will have their mobile phone conversations recorded in the latest step by the country’s financial regulator to crack down on insider trading and market abuse. The Financial Services Authority, Britain’s financial watchdog, said Thursday that under new rules, effective next November, all financial services firms will be required to record any relevant communication by employees on their work cellphones. Companies would also be responsible for discouraging employees from taking client orders or discussing and arranging transactions on their private cellphones, where conversations cannot be recorded. The new rule makes Britain the only country in Europe to explicitly require the taping of conversations on business cellphones, according to the F.S.A. Rules in other European countries merely require companies to ensure that all relevant conversations are recorded. The F.S.A. already required the recording of conversations on office land lines and the storage of business e-mails, but exempted cellphones until now because the technology was not available, Ms. Bailey said. The rule will affect about 16,000 cellphones issued by financial services firms, which will be required to keep the recorded conversations for six months. The new rule will also require “firms to take reasonable steps to ensure that such communications do not take place on private communication equipment that firms cannot record mainly for privacy reasons,” the F.S.A. wrote in the policy statement published Thursday.

NYPD Uses Google Street View Images as Evidence in Heroin-Dealing Case (LA Times, 11 Nov 2010) - The New York Police Department is using Google Maps with Street View as a crime-fighting tool. On Wednesday, the NYPD announced the arrest and indictment of seven people accused of being in a heroin-selling ring in Brooklyn. The police used images found on Google’s Street View as evidence, according to a report from NBC New York. Investigators, who built their case against the suspects over a four-month period, said Street View captured the ring standing on a Brooklyn street corner, in front of a Bodega where open-air drug sales occurred regularly, NBC New York reported. A few of the suspects can be seen on Google Maps’ Street View images for the intersection of Jackson Street and Kingsland Avenue. Over the course of the investigation, the suspects allegedly made more than 20 sales of heroin to undercover NYPD officers, NBC New York reported.

Lenz Waived Attorney-Client Privilege Through Chats, Blogging (BNA’s E-Commerce & Tech Law, 12 Nov 2010) - In addition to copyright infringement, trademark infringement, loss of employment, loss of prospects for employment, loss of friends, loss of privacy, cyber-bullying, cyber-stalking, defamation, juror misconduct, home robbery while you’re out of town, and plain old creating evidence that can later be used against you in court, we can now add waiver of attorney-client privilege to the list of bad things that can happen through ill-advised use of social media. That is what appears to be happening in Lenz v. Universal Music Corp., No. 07-3783 (N.D. Calif.), where a magistrate judge ruled late last month that plaintiff Stephanie Lenz waived attorney-client privilege by going on and on (and on) about her case in e-mail, on her blog, and in Gmail chat sessions. Through these online media, Lenz made representations about conversations she allegedly had with her Electronic Frontier Foundation attorneys -- conversations that involved why she sued Universal and discussions of legal strategies she was pursuing in her suit against the company. The magistrate judge ruled Oct. 22 that these online communications amounted to a waiver of the attorney-client privilege and that the communications were relevant to the plaintiff’s motives for filing suit against Universal. The magistrate ordered EFF to produce all documents previously requested by Universal but withheld due to a claim of attorney-client privilege; additionally, the plaintiff must submit to an additional deposition by Universal’s counsel.

Cybersecurity and Rerouting of Internet Traffic to Chinese Servers (Bobby Chesney on LawFare, 17 Nov 2010) - Not too many folks are familiar with the U.S.-China Economic and Security Review Commission, a body Congress created in 2000 to report periodically on, well, economic and security issues associated with the U.S.-China relationship. Its most recent report to Congress may get a fair amount of extra attention, however, in light of a fascinating–and disturbing–cybersecurity incident it describes. As Ellen Nakashima pointed out at the Post’s Checkpoint Washington blog today, the Commission’s report describes (at pages 243-44) an incident in which a Chinese state-owned entity rerouted a vast amount of internet traffic through Chinese servers: “For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from U.S. government (‘.gov’) and military (‘.mil’) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM. Although the Commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications. This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. 
It could even allow a diversion of data to somewhere that the user did not intend (for example, to a ‘spoofed’ site). Arbor Networks Chief Security Officer Danny McPherson has explained that the volume of affected data here could have been intended to conceal one targeted attack. Perhaps most disconcertingly, as a result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.”

Request for Discovery of Facebook Profile and Photos Rejected as a Fishing Expedition -- McCann v. Harleysville Insurance (Eric Goldman, 17 Nov 2010) - We've blogged about several decisions involving disputes around the discovery of social network profiles. An appeals court in New York recently rejected a party's request for the contents of plaintiff's Facebook profile because the party seeking the discovery "failed to establish a factual predicate with respect to the relevancy of the evidence." The plaintiff was involved in an auto accident, and settled with the other driver, and then went after the driver's insurance company. The insurance company sought disclosure of photographs from plaintiff's Facebook profile, and sought "an authorization for plaintiff's Facebook account." The court found that the defendant failed to put forth a sufficient factual predicate that anything relevant was contained in the profile, and thus the request smacked of a "fishing expedition." However, the court also found that the plaintiff's request for a protective order should not have been granted - i.e., defendant could come back, establish the "factual predicate," and obtain the necessary information. As with the other cases involving the discovery of social networking profile information, this case illustrates the logistical challenges posed in these situations. The party seeking discovery should not be able to rummage around in the other side's Facebook account. On the other hand, if there is relevant evidence, the party seeking discovery should not be deprived of access to it just because it's contained in a social networking profile. (There's also the issue of whether private messages are protected from disclosure by virtue of federal statutes.)

Lessig & Zittrain Take On...Competition (Berkman Center, 9 Sept 2010) - Radio Berkman returns from summer vacation with a big new episode in which Professors Zittrain and Lessig think through the Microsoft antitrust case and its implications for the current technology competition landscape, with some help from an audience of Berkman summer interns. From the MediaBerkman blog: “The year was 1998. Cher’s autotune anthem Believe was one of the year’s biggest hits, Titanic had swept the Oscars, and in some sterile software campus in the Northwest, Bill Gates was rehearsing a deposition. It’s been over 12 years since Gates’ and Microsoft’s anti-trust battle with the Department of Justice and the Federal Trade Commission first hit the courts. It is still seen as a watershed for the management of technology companies in the dot com age. But in the dozen years that have passed, people are still speculating whether the anti-trust case against Microsoft made any difference, and whether the software and technology companies of today are engaging in anti-competitive practices similar to or more risky than the ones that got Microsoft in trouble. Who are the Microsofts of today? Facebook? Apple? Google? And how do we manage competition in the digital age? Today, two of the leading minds on the Internet and law, Jonathan Zittrain and Larry Lessig, take on competition.”

**** RESOURCES ****
“Law Firms Face Risks in Handling Personal Information” (Hunton & Williams, Summer 2010) -- This article seeks to provide an overview of key privacy and information security issues impacting the practice of law. Law firms may collect, use and disclose personal information in numerous circumstances, both as providers of legal services and as employers. In safeguarding personal information that pertains to their employees or clients, or other individuals, law firms must comply with applicable privacy and information security laws as well as their professional duty of confidentiality. The article provides an overview of potential legal issues that law firms may encounter in connection with (i) hiring and employee administration functions; (ii) safeguarding the security of personal information that a law firm maintains; (iii) managing service providers that access personal information for which the firm is responsible; (iv) handling information security breaches; and (v) operating the firm’s Internet assets. The article also touches on privacy and information security laws outside the United States, including the legal requirements relevant to cross-border transfers of personal information. The final topics the article addresses are examples of privacy and information security enforcement actions, including judicial enforcement of professional ethics rules, and a brief discussion of some of the key pending privacy and information security legislative initiatives. Law firms should expect that they will face increasing attempts by unauthorized persons to gain access to information that they maintain, including personal information. One of a law firm’s greatest assets – its reputation – is threatened by the possibility of a breach that ruins a deal or embarrasses a client. A simple misstep in the safeguarding of personal information can lead to far-reaching and expensive consequences, including the loss of revenue and client trust. 
Accordingly, law firms would be well-served to take a proactive approach to privacy and information management by voluntarily implementing comprehensive measures to protect the security, confidentiality and integrity of personal information. [Editor: Workmanlike survey of most of the important issues, but gives short shrift to lawyers’ heightened obligations owing to clients. See also “Cyberspace Under Siege” (ABA Journal, 1 Nov 2010).]

Updated Legal Guide Section: Securing Trademark Rights (Citizen Media Law Project, 5 Nov 2010) - We here at CMLP headquarters are always thinking about ways to improve our Legal Guide in order to make it more useful for you, our readers. As part of this ongoing effort, we recently updated the section on Securing Trademark Rights: Ownership and Federal Registration. The expanded section provides step-by-step instructions on filing for a federal trademark registration and links to important forms and manuals on the U.S. Patent and Trademark Office website, as well as information on maintaining your trademark rights through proper usage.

The Emerging Field of Internet Governance (Laura DeNardis @ Yale Law School, 17 Sept 2010) – Abstract: While much Internet research focuses on Internet content and usage, another important set of questions exists at a level of technological design and governance orthogonal to content and therefore generally outside of public view. Internet governance scholars, rather than studying Internet usage at the content level, examine what is at stake in the design, administration, and manipulation of the Internet’s actual protocological and material architecture. This architecture is not external to politics and culture but, rather, deeply embeds the values and policy decisions that ultimately structure how we access information, how innovation will proceed, and how we exercise individual freedom online. “Governance” in the Internet governance context requires qualification because relevant actors are not only governments. Governance is usually understood as the efforts of nation states and traditional political structures to govern. Sovereign governments do perform certain Internet governance functions such as regulating computer fraud and abuse, performing antitrust oversight, and responding to Internet security threats. Unfortunately, some governments also use content filtering and blocking techniques for surveillance and censorship of citizens. Many other areas of Internet governance, such as Internet protocol design and coordination of critical Internet resources, have historically not been the exclusive purview of governments but of new transnational institutional forms and of private ordering. Without this qualification, the Internet governance nomenclature might incorrectly convey that this type of scholarship somehow advocates for greater government control of the Internet (Johnson, Crawford, and Palfrey 2004). The study of Internet governance is concerned with a number of overarching questions. 
How are we to understand the role of private Internet ordering and corporate social responsibility in determining communicative contexts of political and cultural expression? How can conflicting values be balanced: for example, the desire for interoperability versus the need to limit some exchanges based on authentication and trust? How should critical Internet resources be allocated, and by whom, to maximize technical efficiency but also achieve social goals? How do repressive governments “govern” the Internet through filtering, blocking, and other restraints on freedom of expression? What is the appropriate relationship between sovereign nation-state governance and nonterritorial modes of Internet governance? What are the connections between Internet protocol design, innovation, and individual civil liberties? To what extent are the problems of Internet governance creating new global governance institutions and what are the implications? Internet governance research brings these important public interest issues to light and produces the theoretical and applied research that influences some of the most critical policy debates of our time. This paper presents a taxonomy for understanding current themes and controversies in Internet governance, presents a canon of interdisciplinary Internet governance scholarship, and identifies some emerging issues that present a moment of opportunity for new research. The following are the current themes this paper describes: critical Internet resources; Internet protocols; Internet governance-related intellectual property rights; Internet security and infrastructure management; and communication rights. Areas in need of additional research involve the increasing privatization of Internet governance, particularly at the level of infrastructure management.
Recommended areas for additional study include: 1) private sector backbone peering agreements at Internet exchange points (IXPs); 2) network management via deep packet inspection; and 3) the increasing use of trade secrecy laws in information intermediation.

**** FUN ****
The T-Mobile Welcome Back (YouTube, 29 Oct 2010) – [Editor: 3-minute, truly wonderful video clip of a terrific piece of performance art at London’s Heathrow airport.]

Texas Supreme Court Cites The Wisdom Of Spock On Star Trek (TechDirt, 31 Oct 2010) - NSILMike points us to an amusing bit of news concerning a recent ruling in the Texas Supreme Court, where the court cited Star Trek’s Spock (though, it’s mostly hidden in a footnote): Appropriately weighty principles guide our course. First, we recognize that police power draws from the credo that “the needs of the many outweigh the needs of the few.” Second, while this maxim rings utilitarian and Dickensian (not to mention Vulcan[21]), it is cabined by something contrarian and Texan: distrust of intrusive government and a belief that police power is justified only by urgency, not expediency. Then, if you jump down to Footnote 21, you get: See STAR TREK II: THE WRATH OF KHAN (Paramount Pictures 1982). The film references several works of classic literature, none more prominently than A Tale of Two Cities. Spock gives Admiral Kirk an antique copy as a birthday present, and the film itself is bookended with the book’s opening and closing passages. Most memorable, of course, is Spock’s famous line from his moment of sacrifice: “Don’t grieve, Admiral. It is logical. The needs of the many outweigh . . .” to which Kirk replies, “the needs of the few.” And so, Spock is now a legal authority on the Texas Constitution. Very logical.

TECHNICAL TINKERING SPARKS PROTESTS -- U.S. TV broadcaster CBS has come under fire for tampering with its live broadcast from Times Square on New Year’s Eve, after it used digital technology to erase the billboard logo of its rival network, NBC, and substituted its own logo instead. The network was caught by surprise by the criticism, and CBS TV’s president insisted, “Any time there’s an NBC logo up on our network, we’ll block it again.” But veteran CBS evening news anchorman Walter Cronkite called it “flat-out dishonest. CBS and the rest of the broadcasters must pledge to refrain from the use of the technique in any manner.” The technology, which could also enable newspapers to alter video clips on their Web sites, is available from Princeton Video Image. CBS has been using it for several months on its morning news program, and it was used in more than 1,200 live broadcasts around the world last year, including European football games. (The Guardian 14 Jan 2000)

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks. You can subscribe to the MIRLN distribution list by sending email to Vince Polley with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived online. Get supplemental information through Twitter.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School
2. InsideHigherEd
3. SANS Newsbites
4. NewsScan and Innovation
5. BNA’s Internet Law News
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit the Creative Commons website or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.