Saturday, March 13, 2010

MIRLN --- 21 February - 13 March (v13.04)

(supplemented by related Tweets:

• Many HIPAA Changes Under The HITECH Act Now Effective
• Heartland Posts 4Q Loss on Settlement Costs
• Widespread Data Breaches Uncovered by FTC Probe
• Student Files Petition To Preserve Evidence In Webcam Spying Case
o Remotely Spying on Kids with School Laptops
• Thousands of Authors Opt Out of Google Book Settlement
• Rootkits Work Nicely on Smartphones, Thank You
• Social Media Trends at Fortune 100 Companies
• Judge Dismisses Defamation Lawsuit Brought Against Boing Boing By Co. Targeting Ads Based on Phone Numbers
• ‘Pension Committee’ Clarifies E-Discovery Requirements
• Google to Appeal Italian Court Ruling
• Step 1 for Legal Holds: Trigger Events
• Avatar Rape
• New U.S. Military Policy Opens Up Social Media to the Troops
• Social Networks Play a Major Part in How We Get News
• German Court Overturns Law on Phone, E-Mail Data
• Dancing Tot Prevails Over UMG in YouTube Fair Use Case
o Viacom: "Fair Use Works For Us," Unlikely To Sue Bloggers
• Trial Judges Impose Penalties for Social Media in the Courtroom
• Why We Tweaked Our Copyright Notice
• RealNetworks Deal to Discontinue DVD-Copying Software Includes $4.5 Million for Studios’ Legal Tab
• FDIC: Hackers Took More Than $120m in Three Months
• U.S. Hopes Exports Will Help Open Closed Societies
• Law Firms Slow to Awaken to Cybersecurity Threat
• European Parliament Rips Global IP Accord
• Bad Employee! 12% Knowingly Violate Company IT Policies
• 20 Ways to Link Dispersed Legal Departments
• HHS Publishes List of Entities Reporting Health Information Breaches
• Why Social Media Policies Don’t Work
• Instant Ads Set the Pace on the Web


Many HIPAA Changes Under The HITECH Act Now Effective (McGuire Woods, 18 Feb 2010) - Having reached the one year anniversary of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, many changes to the HIPAA Privacy and Security Rules are now effective. Unfortunately, since the Department of Health and Human Services has not yet issued guidance with respect to most of these changes, Covered Entities and Business Associates must begin good faith compliance based solely on the language of the HITECH Act. Below are some highlights.

Heartland Posts 4Q Loss on Settlement Costs (Business Week, 18 Feb 2010) - Heartland Payment Systems Inc. on Thursday posted a fourth-quarter loss and missed Wall Street expectations as it booked charges to settle claims over a data breach. The company, which processes credit card payments, also declared a quarterly dividend of 1 cent per share payable March 15 to shareholders of record on March 5. For the three months ending Dec. 31, the company said it lost $9.6 million, or 26 cents per share. That compared to a profit of $8 million, or 21 cents per share, in the year-ago period. The results included charges of $23.7 million related to settlement offers over a data breach in late 2008. The money went to Visa credit and debit card issuers to cover losses incurred after hackers installed spying software on Heartland’s computer network. Excluding one-time charges, the company earned 16 cents per share for the quarter. On that basis, analysts polled by Thomson Reuters expected a profit of 20 cents per share.

Widespread Data Breaches Uncovered by FTC Probe (FTC, 22 Feb 2010) - The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new education materials that present the risks and recommend ways to manage them.

Student Files Petition To Preserve Evidence In Webcam Spying Case (, 22 Feb 2010) - A student who has accused his suburban Philadelphia school district in a lawsuit of spying on him and other students via their school-issued webcams will ask district officials not to remove any potential evidence from student computers, his lawyer said Monday. Lawyers for the Lower Merion School District are due in federal court on the issue Monday afternoon, on an emergency petition from student Blake Robbins of Penn Valley. Lower Merion officials confirmed last week they had activated the webcams to try to find 42 missing laptops, without the knowledge or permission of students and their families. Both the FBI and local authorities are investigating whether the district broke any wiretap, computer-use or other laws. The American Civil Liberties Union filed a brief in support of the student Monday, arguing that the photo amounts to an illegal search.

- and -

Remotely Spying on Kids with School Laptops (Schneier, 24 Feb 2010) - It’s a really creepy story. A school issues laptops to students, and then remotely and surreptitiously turns on the camera. (Here’s the lawsuit.) This is an excellent technical investigation of what actually happened. This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon. [Editor: Schneier’s posting is comprehensive. If the stated facts are true, this is a ground-breaking invasion, and (if understood widely enough) a reasonable ground for US Congressional action.]

Thousands of Authors Opt Out of Google Book Settlement (The Guardian, 23 Feb 2010) - Former children’s laureates Quentin Blake, Anne Fine and Jacqueline Wilson, bestselling authors Jeffrey Archer and Louis de Bernières and critical favourites Thomas Pynchon, Zadie Smith and Jeanette Winterson have all opted out of the controversial Google book settlement, court documents have revealed. Authors who did not wish their books to be part of Google’s revised settlement needed to opt out before 28 January, in advance of last week’s ruling from Judge Denny Chin over whether to allow Google to go ahead with its divisive plans to digitise millions of books. The judge ended up delaying his ruling, after receiving more than 500 written submissions, but court documents related to the case show that more than 6,500 authors, publishers and literary agents have opted out of the settlement. As well as the authors named above, these include the estates of Rudyard Kipling, TH White, James Herriot, Nevil Shute and Roald Dahl, Man Booker prizewinners Graham Swift and Keri Hulme, poets Pam Ayres, Christopher Middleton, Gillian Spraggs and Nick Laird, novelists Bret Easton Ellis, James Frey, Monica Ali, Michael Chabon, Philip Hensher and Patrick Gale, historian Simon Sebag Montefiore, biographer Victoria Glendinning and bestselling author of the Northern Lights trilogy Philip Pullman. Ursula K Le Guin, who gained significant author support for her petition calling for “the principle of copyright, which is directly threatened by the settlement, [to] be honoured and upheld in the United States”, also opted out.

Rootkits Work Nicely on Smartphones, Thank You (Dark Reading, 23 Feb 2010) - Computer scientists at Rutgers University this week are demonstrating ways that rootkits can attack new generations of smart mobile phones. The researchers, who are presenting their findings at a mobile computing workshop in Maryland, are showing how a rootkit could cause a smartphone to eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless -- all without the user’s knowledge. Rootkit attacks on smartphones -- or upcoming tablet computers -- could be more devastating because smartphone owners tend to carry their phones with them all of the time, the researchers say. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directories, or just pinpoint a user’s whereabouts by querying the phone’s GPS receiver. Smartphones also have new ways for malware to enter the system, such as through a Bluetooth radio channel or via text message.

Social Media Trends at Fortune 100 Companies (Mashable, 23 Feb 2010) - PR firm Burson-Marsteller studied the 100 largest companies in the Fortune 500 list and found that 79% of them use Twitter, Facebook, YouTube or corporate blogs to communicate with customers and other stakeholders. The firm broke its findings down by region (North America, Europe, Asia-Pacific and Latin America) and network. Twitter is the most popular platform that the companies use; two-thirds of the Fortune 100 have at least one Twitter account. Actually, they have an average of 4.2 Twitter accounts. Fifty-four percent have at least one Facebook fan page, 50% have at least one YouTube channel, and 33% have at least one corporate blog. Twenty percent of the companies use all four social media platforms. Social networks like Twitter and Facebook are mostly West-oriented; Asia-Pacific companies don’t use them as much, instead preferring corporate blogs. When they do use Twitter or Facebook, it’s usually to engage consumers in Europe and North America. There are a bunch of other interesting stats in the study — including proof that consumers actually do like to engage with companies via social media, making all those channels worthwhile. We’ve embedded Burson-Marsteller’s presentation below.

Judge Dismisses Defamation Lawsuit Brought Against Boing Boing By Co. Targeting Ads Based on Phone Numbers (Online Media Daily, 23 Feb 2010) - In a victory for Web publisher Boing Boing, a judge in California has dismissed a defamation lawsuit brought by Magic Jack, a company that offers a USB dongle for Voice over Internet Protocol service. Marin County Superior Court Judge Verna Adams ruled that Magic Jack’s complaint -- about a Boing Boing item that accused Magic Jack of being a “snoop” because it planned to serve ads based on phone numbers users called -- was barred by California’s broad anti-SLAPP (strategic lawsuits against public participation) statute. That law provides for a quick dismissal of lawsuits that are aimed at squelching debate about matters of public interest.

‘Pension Committee’ Clarifies E-Discovery Requirements (, 23 Feb 2010) - In a bombshell opinion and order issued just weeks ago by U.S. Southern District of New York Judge Shira A. Scheindlin, litigants and lawyers have been admonished (again) about their discovery obligations, particularly, to preserve, collect and produce electronic documents, records and data in their possession, custody, or control. Scheindlin, one of the foremost experts on the law of electronic discovery, was the author of the Zubulake line of decisions that many say ushered in a new era of robust electronic discovery. Now, her new blockbuster is the Pension Committee decision, which carries the picturesque title, “‘Zubulake’ Revisited: Six Years Later.” Pension Committee promises to be a guide and oft-cited framework for complying with electronic discovery requirements. Since the new decision copiously analyzes a series of discovery failures that led to sanctions against numerous plaintiff-companies, it is a practical roadmap on how real people and real attorneys may be confronted by real challenges regarding compliance only to wind up making judgments that come back to haunt them. Pension Committee also is a kind of “how-to” manual setting forth key principles relating to issuing, monitoring, and enforcing litigation holds, discharging preservation and search techniques, and documenting appropriate behind-the-scenes conduct so that the responding party can withstand accusations of insufficient disclosure by the adversary. Then, too, there is advice regarding sanctions, what needs to be proved and by whom, the criteria of “relevance” and “prejudice,” the legal behavior standards of negligence, gross negligence and willfulness, available remedies and, even, the text of an actual spoliation instruction.

Google to Appeal Italian Court Ruling (The Telegraph, 24 Feb 2010) - The trial centred on footage posted on Google Video that showed a Down’s syndrome teenager being bullied by four other boys at a school in Turin. The footage was uploaded to the site in September 2006, and remained online for two months before being removed following complaints from web users. Prosecutors in Milan brought the case after being contacted by a charity, Viva Down. The court argued that the boy’s privacy had been violated and that Google should have removed the footage quicker than it did. Three Google employees – David Drummond, Peter Fleischer and George Reyes, who has since left the company – were found guilty of failing to comply with the Italian privacy code, and were given six-month suspended sentences. But Google said the ruling was “ludicrous”, and pledged to appeal against a “chilling decision” that had potentially far-reaching implications for scores of websites.

Step 1 for Legal Holds: Trigger Events (, 24 Feb 2010) - This series of articles provides an overview of the steps necessary to implement a legally defensible, written litigation hold and is based on the “Seven Steps for Legal Holds of ESI and Other Documents” (ARMA International 2009). The seven steps for legal holds are designed to help organizations tackle the seemingly daunting task of implementing written litigation holds. Although this series was conceived months ago, written litigation holds are now more important than ever in light of U.S. District Court Judge Shira Scheindlin’s Opinion and Order in The Pension Committee v. Banc of America, Case No. 05-cv-9016 (SDNY Jan. 11, 2010, as amended Jan. 15, 2010). Her introduction is a fitting opening to the series: In an era where vast amounts of electronic information is available for review, discovery in certain cases has become increasingly complex and expensive. Courts cannot and do not expect that any party can meet a standard of perfection. Nonetheless, the courts have a right to expect that litigants and counsel will take the necessary steps to ensure that relevant records are preserved when litigation is reasonably anticipated, and that such records are collected, reviewed, and produced to the opposing party. As discussed six years ago in the Zubulake opinions, when this does not happen, the integrity of the judicial process is harmed and the courts are required to fashion a remedy.
[Step 2 “Analyze the Trigger Event”; Step 3 “Define the Scope”; Step 4 “Implementation”; Step 5 “Enforcement”; Step 6 “Modification”; Step 7 “Monitor and Remove”]

Avatar Rape (InsideHigherEd, 25 Feb 2010) - Avatar harassment and sexual assault remain controversial issues because institutions hosting virtual worlds are not accustomed to dealing with — or even discussing — digital forms of these distressing behaviors. Harassment and assault are frequent infractions in virtual environs, including those frequented by students and professors. London journalist Tim Guest, author of Second Lives: a Journey Through Virtual Worlds, estimated that “about 6.5 percent of logged-in residents” have filed one or more abuse reports in Second Life. By the end of 2006, he writes, Linden Lab, creator of Second Life, “was receiving close to 2,000 abuse reports a day.” Current statistics are unavailable. But you can monitor the types of offenses and where they occurred in Second Life by accessing its community incident report chronicling the 25 most recent infractions and resulting penalties. On Dec. 28, 2009, five of the 25 infractions concerned “indecency: broadly offensive content or conduct”; three, sexual harassment; and two, intolerance. Most penalties included warnings with four one-day suspensions and one three-day suspension. (In fairness, Linden Lab has tried to crack down on these community infractions, hosting guides such as this to inform users about abuse and how to file reports about repeat offenders.) Educational institutions with a presence in or that introduced students to virtual worlds might want to analyze the phenomenon of avatar rape, which presents a unique challenge to traditional jurisprudence. Rape is assumed to be both physical and geographical, as in a crime scene. Both dimensions are missing on the Web. Nevertheless, avatars are symbols of the self. As such, it behooves us to investigate:
• How avatar rape happens in virtual worlds.
• What concepts and theories apply when the act is neither physical nor geographical.
• Why the discussion is even necessary.

New U.S. Military Policy Opens Up Social Media to the Troops (Mashable, 26 Feb 2010) - A new policy released today by the Pentagon has reversed multiple bans on social media websites and tools, effective immediately. This policy includes YouTube, Facebook, MySpace, Twitter, Google Apps, and other social tools.
Certain branches of the military, such as the U.S. Marines, ban the use of social media because they are a “proven haven for malicious actors and content and are particularly high risk due to information exposure.” Today’s decision, handed down by the Office of Deputy Secretary of Defense William Lynn, will reverse that ban and others, such as the one the U.S. Army has had on YouTube since 2007.
The new policy is far reaching, but as NYT’s At War Blog points out, it isn’t without caveats. The change only affects the military’s non-classified Internet network, known as NIPRNET. It also gives commanders at all levels leeway in temporarily banning specific social tools. In other words, you can expect some commanders to reinstate some of these bans for security reasons.

Social Networks Play a Major Part in How We Get News (Mashable, 1 March 2010) - The latest study from Pew Internet analyzes the news consumers in America and various different ways of finding news. Based on a sample of 2,259 adults, the study reveals that three fourths of the people (75%) who find news online get it either forwarded through email or posts on social networking sites, and half of them (52%) forward the news through those means. However, the study also shows that very few people nowadays (7%) are getting information from a single media platform. In fact, nearly half of Americans (46%) claim they get news from four to six media platforms on a typical day. And while TV is still the biggest source of news (78% of Americans say they get news from a local TV station), Internet sits in second place (61% of users get news online), ahead of radio and newspapers. Interestingly enough, relatively few people – only 17 percent – claim they read news in a national newspaper such as the New York Times or USA Today.

German Court Overturns Law on Phone, E-Mail Data (AP, 2 March 2010) - Germany’s highest court on Tuesday overturned a law that let anti-terror authorities retain data on telephone calls and e-mails, saying it posed a “grave intrusion” to personal privacy rights and must be revised. The court ruling was the latest to sharply criticize a major initiative by Chancellor Angela Merkel’s government and one of the strongest steps yet defending citizen rights from post-Sept. 11 terror-fighting measures. The ruling comes amid a European-wide attempt to set limits on the digital sphere, that includes disputes with Google Inc. over photographing citizens for its Street View maps. The Karlsruhe-based Federal Constitutional Court ruled that the law violated Germans’ constitutional right to private correspondence and failed to balance privacy rights against the need to provide security. It did not, however, rule out data retention in principle. The law had ordered that all data — except content — from phone calls and e-mail exchanges be retained for six months for possible use by criminal authorities, who could probe who contacted whom, from where and for how long.

Dancing Tot Prevails Over UMG in YouTube Fair Use Case (ArsTechnica, 2 March 2010) - The mother of a dancing toddler is dancing after winning a closely watched copyright case. US District Judge Jeremy Fogel granted partial summary judgment to Stephanie Lenz last week in her battle against Universal Music Group, putting a halt to Universal’s attempts to paint Lenz as having “bad faith” and “unclean hands” in her lawsuit. As a result, the doors have been opened for Lenz to collect attorneys’ fees in her case, though other damages aren’t likely to come Lenz’s way. Universal, the world’s largest music label, had sent a takedown notice to YouTube in 2007 over a video clip of Lenz’s child bouncing to Prince’s “Let’s Go Crazy.” Watching the (now re-uploaded) clip, it’s clear that the music is merely blasting in the background while the video was being recorded and, in some places, the song is barely even recognizable. The initial takedown appears to have been the typical DMCA notice that the labels fire off when they detect a video they believe is infringing, but Lenz pushed back with the help of the Electronic Frontier Foundation. The EFF and Lenz filed a lawsuit against Universal, arguing that the video was “self-evident noninfringing fair use” and the DMCA takedown was bogus. Universal shot back by saying that even if the clip constituted fair use, it was still infringing and therefore the takedown notice was made in good faith. That’s right: Universal said that it was possible for a clip of the music to be used legally (according to US Copyright Law) while also being infringing at the same time, simply because the song itself was copyrighted and owned by Universal. Universal lobbed numerous arguments at Lenz and the EFF over the next two-and-a-half years. 
Some of these included a strange argument that the DMCA notice in question was not technically a DMCA notice and therefore could not be litigated as one (Judge Fogel flatly rejected this claim), that it was unreasonable to expect Universal to consider fair use before sending takedown notices (also rejected), and that the EFF itself was more interested in “attention-grabbing press releases” that further its own “philosophical objections” than it was in filing legitimate lawsuits. On top of that, Universal made numerous affirmative defenses for its actions by telling the court that Lenz acted in bad faith when uploading the video to YouTube because usage of the site does not constitute “private viewing,” and that her First Amendment rights were not harmed enough to warrant monetary damages. The label also said Lenz had “unclean hands” for making supposedly false allegations in her lawsuit (though Lenz shot back that Universal should seek sanctions against her if it believes she engaged in misconduct). In his ruling last week, Judge Fogel analyzed the arguments over damages, but eventually granted Lenz’ motions for partial summary judgment. The decision will allow Lenz to recover attorneys’ fees from her initial case against the bogus takedown, but not necessarily other damages that may have been incurred while fighting Universal. (In order to win further damages, Lenz would have had to prove that Universal knowingly sent the notice in bad faith.)

- and -

Viacom: "Fair Use Works For Us," Unlikely To Sue Bloggers (ArsTechnica, 11 March 2010) - Viacom is unlikely to sue bloggers for posting their own clips of The Daily Show or The Colbert Report, contrary to reports floating around on the Internet. The company clarified its position to Ars on Thursday, noting that it tries to be as permissive as possible when it comes to fair use and that individual bloggers have never been on the studio's radar. The confusion began when the Hollywood Reporter ran a story on Wednesday titled "Viacom will sue bloggers who post unauthorized 'Daily Show' clips," quoting Viacom spokesperson Tony Fox. "Yes, we intend to do so," Fox was quoted saying. "My feeling is if (websites) are making money on our copyrighted content, then that is a problem."

Trial Judges Impose Penalties for Social Media in the Courtroom (Citizen Media Law, 3 March 2010) - As state and federal courts continue to struggle with the use of social media in courtrooms and courthouses, recently state judges in Colorado and Ohio took action against courtroom observers who used social media technology in court. An Ohio judge imposed the more serious penalty against two trial attendees who separately pointed a Flip camera and a cell phone towards the jury during trial testimony in a murder case. On February 16, Dwayne Davenport went on trial for the fatal shooting of Michael Grissett in East Cleveland on January 16, 2009. (Two other defendants in the case pleaded guilty, and are awaiting sentencing.) As reported by the Cleveland Plain Dealer, on the second day of trial jurors noticed that Andre Block (the defendant’s friend) and Dwight Davenport (the defendant’s cousin), who were seated in the back row of the courtroom observing the trial, were pointing the above-mentioned devices at the jury. After jurors complained to Common Pleas Judge Nancy Margaret Russo, she ordered Block and Dwight Davenport arrested for contempt of court and declared a mistrial in the case. At a hearing on the contempt citation held on February 25, Judge Russo told Block and Dwight Davenport that they were guilty of “intimidating and frightening my jury,” and that their actions had made the jurors fearful of jury service, forcing the mistrial. Block, who used a Flip phone to record about eight minutes of the proceedings, claimed that he was taking video of the defendant, his friend Dwayne Davenport, to remember him in case Davenport was sent to prison. Judge Russo sentenced Block to 60 days in prison. Another recent incident arose during the Colorado murder case against Willie Clark, accused of killing Denver Broncos cornerback Darrent Williams.
Judge Christina Habas has imposed strict restrictions (pdf) on trial observers, including a prohibition on all communications from the courtroom, whether by blogging, text messaging, or other means, and a ban on cameras and cell phones from an entire section of the courthouse. Despite these restrictions, numerous signs in the courthouse summarizing the rules, security checkpoints at both the courthouse and courtroom doors, and an announcement of the cell phone ban at the start of proceedings, Robert Forto—who was covering the case for his blog—had his iPhone with him in the courtroom. His daughter called him, then his wife sent him a text message, and then his daughter left a voicemail. Forto texted his daughter, saying “I can’t talk right now.” A sheriff’s deputy saw Forto send the text message and removed Forto from the courtroom and took his cell phone.

Why We Tweaked Our Copyright Notice (ArsTechnica, 3 March 2010) - A couple of weeks ago, we ran an article on the various overbroad copyright notices one finds in books and on TV sports. You know the sort of thing—“any other use of this telecast or any pictures, descriptions, or accounts of the game without the NFL’s consent is prohibited.” The piece focused on a pair of lawyers who had complained about such notices back in 2007, and we wanted to know what had happened with those complaints. The short answer: not much. Readers pointed out that our own footer contains a pretty strong copyright statement of its own: “The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast Digital.” But of course, you can reproduce and distribute and cache much of this information for a variety of reasons under US copyright law. We told readers that we would look into the issue, and Editor-in-Chief Ken Fisher agreed to ask our corporate lawyers about making a small change to the notice. The lawyers had no problem with the proposed change, and we pushed out the updated page code this weekend. The notice now says, “Except where permitted by law, the material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast Digital.” It’s not a major change, and the notice doesn’t alter anyone’s rights under US law one way or the other. We do think it was important to make clear in such notices that there are limits to copyright law, however, and that the company’s claims to its material are not so absolute as such notices can make them sound.

RealNetworks Deal to Discontinue DVD-Copying Software Includes $4.5 Million for Studios’ Legal Tab (, 4 March 2010) - Good luck trying to burn a copy of your favorite DVD now. RealNetworks agreed to kill DVD-copying software that raised the hackles of movie studios in Hollywood. The company will also pay $4.5 million to cover the studios’ legal fees and costs for the copyright fight that ensued in the Northern District of California. The concessions came in a Monday settlement agreement and a consent judgment, approved by Judge Marilyn Hall Patel on Wednesday. RealNetworks threw in the towel after Patel repeatedly sided with the major movie studios and the DVD Copy Control Association. The judge granted a preliminary injunction against RealNetworks’ software, RealDVD, in August. Patel concluded that it violated the Digital Millennium Copyright Act by circumventing copy control locks on DVDs. She gave little credence to Real’s defense that DVD owners have a fair use right to copy their own movies. The studios were represented by Munger, Tolles & Olson, while Akin Gump Strauss Hauer & Feld represented the DVD CCA. Wilson Sonsini Goodrich & Rosati represented RealNetworks.

FDIC: Hackers Took More Than $120m in Three Months (Computerworld, 8 March 2010) - Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation. Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said. Almost all of the incidents reported to the FDIC “related to malware on online banking customers’ PCs,” he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions.

U.S. Hopes Exports Will Help Open Closed Societies (NYT, 8 March 2010) - Seeking to exploit the Internet’s potential for prying open closed societies, the Obama administration will permit technology companies to export online services like instant messaging, chat and photo sharing to Iran, Cuba and Sudan, a senior administration official said Sunday. On Monday, he said, the Treasury Department will issue a general license for the export of free personal Internet services and software geared toward the populations in all three countries, allowing Microsoft, Yahoo and other providers to get around strict export restrictions. The companies had resisted offering such services for fear of violating existing sanctions. But there have been growing calls in Congress and elsewhere to lift the restrictions, particularly after the postelection protests in Iran illustrated the power of Internet-based services like Facebook and Twitter. The Treasury Department’s action follows a recommendation by the State Department in mid-December that the Office of Foreign Assets Control, which is run by the Treasury, authorize the downloading of “free mass-market software” in Iran by Microsoft, Google and other companies. The administration’s blanket waiver does not apply to encryption and other software that makes it harder for the authorities to track people’s Internet activity. That category of technology does not fall within the mass-market services that can be downloaded free from the Internet, he said. But the official said the Treasury would grant licenses to such providers on a case-by-case basis, and would generally look favorably on them. One such service, known as Haystack, is awaiting a waiver from the State Department, and is subsequently likely to obtain a Treasury license.

Law Firms Slow to Awaken to Cybersecurity Threat (, 9 March 2010) - An oddly worded e-mail was the first sign of something amiss at Los Angeles firm Gipson Hoffman & Pancione. It didn’t read like the messages the firm’s attorneys usually sent each other -- didn’t pass the “smell test.” His suspicions raised, the recipient, associate Gregory Fayer, picked up the phone and discovered that the colleague who supposedly sent the e-mail knew nothing of it. Other attorneys at the firm also received the bogus e-mail, which was eventually traced to China -- where Gipson Hoffman is litigating a $2.2 billion copyright infringement suit against the government. Fayer was well aware that cyberattackers often use fake e-mail messages to break into computer networks. The firm couldn’t directly link the bogus messages to its lawsuit -- the FBI is still investigating the matter -- but found it hard to dismiss as mere coincidence. Notably, the episode followed closely on the heels of Google’s announcement that hackers had broken into the Gmail accounts of several Chinese human rights activists. Although the public acknowledgement of the attack was unusual, it was hardly the first time that a law firm has been targeted by a sophisticated network of overseas hackers looking to infiltrate computer systems in order to gather data or monitor attorney activity, according to attorneys and technology experts. Law firms have dealt quietly with cyberattacks for years, but lately those strikes appear to be on the rise, said Marc Zwillinger, a former partner at Sonnenschein Nath & Rosenthal who this month opened Zwillinger Genetski, a Washington law boutique specializing in internet security and data privacy. “The activity focusing on law firms has definitely picked up in the past year or two, compared to what it was,” said Zwillinger, who has advised law firms dealing with cybersecurity breaches. 
“We’ve been seeing a fair bit of activity where the attacker is looking to acquire information that has strategic value.” Law firms are attractive targets for cyberattackers because they maintain sensitive client information on their systems, according to attorneys and technology consultants. Firms don’t often realize that their computer systems have been infiltrated and rarely go public if they do face a security breach, Zwillinger and other internet security experts said.

European Parliament Rips Global IP Accord (Wired, 10 March 2010) - The European Parliament delivered a political blow to Hollywood and the Obama administration, voting Wednesday 663 to 13 in opposition to a proposed and secret intellectual property agreement being negotiated by the European Union, United States and a handful of others. Wednesday’s developments concerning the Anti-Counterfeiting and Trade Agreement are substantial because the European Union’s 27 countries vastly outnumber the remaining countries negotiating the deal. They are Australia, Canada, Japan, South Korea, Mexico, Morocco, New Zealand, Singapore, Switzerland and the United States. Ambassador Ron Kirk, the top U.S. trade official, is spearheading the deal that began being crafted under the George W. Bush administration. Kirk’s office declined comment. To be sure, there is a dispute and heavy confusion concerning whether internet service providers under ACTA would be forced to punish customers deemed copyright scofflaws by reducing or eliminating service, according to a string of leaked documents. So parliament members also agreed Wednesday to oppose the measure if it contains so-called “three strikes” or “graduated response” policies — regardless of whether that’s now in the text. And because of the text’s secrecy, parliament on Wednesday also demanded (.pdf) that the private agreement still under negotiation be publicly released. Whether parliament’s action scuttles ACTA is another matter. Michael Geist, a law professor at the University of Ottawa, said in a telephone interview that Wednesday’s resolution also OKs more ACTA global negotiations on behalf of the European Union. Geist said he expects Europe to participate in the next round of ACTA negotiations to get underway April 12 in New Zealand.

Bad Employee! 12% Knowingly Violate Company IT Policies (ArsTechnica, 10 March 2010) - By now, it’s practically a mantra that the biggest problem with corporate IT security is the employees themselves. However, we usually assume that’s due to ignorant users or poorly enforced policies. Not so for a chunk of the US working population—according to a survey conducted by Harris Interactive, 12 percent admitted to knowingly violating IT policy in order to get work done.

20 Ways to Link Dispersed Legal Departments (, 10 March 2010; by Rees Morrison) - A legal department that speaks with a single voice, thinks with a single mind, and acts like a partnership will outperform one that is fragmented with uneven or inconsistent practices and policies. General counsel of dispersed legal departments, those with lawyers based in several locations around the world, have a particular problem of striving to nurture a sense that members work in a single, unified department. It is true that the larger the department, the more techniques of solidarity help, but even a small department, if its members are not in the same location, can benefit. In this article I discuss 20 techniques, by increasing order of difficulty or cost to bring about, that increase coherence and effectiveness in a spread-out legal department.

HHS Publishes List of Entities Reporting Health Information Breaches (Steptoe & Johnson’s E-Commerce Law Week, 11 March 2010) - The Department of Health and Human Services has published on its website a list of the breaches of unsecured health information affecting 500 or more individuals that have been reported since the Health Information Technology for Economic and Clinical Health (HITECH) Act took effect in September 2009. The Federal Trade Commission previously issued its own final rule regarding breaches of unsecured health information by entities not subject to the Health Insurance Portability and Accountability Act. Breaches affecting more than 500 individuals also must be reported to the FTC, which will maintain a publicly available database of all reported breaches in order to "provide businesses with information about potential sources of data breaches," keep the public informed, and aid policymakers in developing data breach regulations.

Why Social Media Policies Don’t Work (GigaOM, 12 March 2010) - Maybe Thomson Reuters was feeling nostalgic about the flurry of negative attention that both the New York Times and the Washington Post got last year when they came out with policies on the use of social media tools such as Twitter and Facebook. For whatever reason, the wire service recently issued new guidelines for its staff, and they suffer from many of the same problems that both the NYT and WaPo policies did. All of these flaws boil down to one thing: A desire to control something that fundamentally can’t be controlled, and a fear of what happens when that control is lost. Without even bothering to enumerate the positive aspects of social-media use, the policy starts in with the warnings right away: “We want to encourage you to use social media approaches in your journalism but we also need to make sure that you are fully aware of the risks — especially those that threaten our hard-earned reputation for independence and freedom from bias or our brand.” The risks, of course, are everywhere — someone might say something embarrassing, or post a tweet that others could twist to disparage Reuters: “The advent of social media does not change your relationship with the company that employs you — do not use social media to embarrass or disparage Thomson Reuters. Our company’s brands are important; so, too, is your personal brand. Think carefully about how what you do reflects upon you as a professional and upon us as an employer of professionals.”

Instant Ads Set the Pace on the Web (NYT, 12 March 2010) - Advertisers have been able to direct online messages based on demographics, income and even location, but one element has been largely missing until recently: immediacy. Advertisers booked slots in advance, and could not make on-the-fly decisions about what ads to show based on what people were doing on the Web. Now, companies like Google, Yahoo and Microsoft let advertisers buy ads in the milliseconds between the time someone enters a site’s Web address and the moment the page appears. The technology, called real-time bidding, allows advertisers to examine site visitors one by one and bid to serve them ads almost instantly. For example, say a man just searched for golf clubs on eBay (which has been testing a system from a company called AppNexus for more than a year). EBay can essentially follow that person’s activities in real time, deciding when and where to show him near-personalized ads for golf clubs throughout the Web. If eBay finds out that he bought a driver at another site, it can update the ad immediately to start showing him tees, golf balls or a package vacation to St. Andrew’s, Scotland, often called the home of golf. If a woman was shopping, eBay could change the ad’s color or presentation. While companies have been plugging real-time bidding for a couple of years, industry heavyweights are now behind it. Google introduced its revised DoubleClick Ad Exchange, offering real-time bidding, in September. Yahoo is testing the process on its Right Media Exchange, and Microsoft on its AdECN exchange. A consumer would barely notice the shift, except that ads might seem more relevant to exactly what they are shopping for. It is another way in which marketers are massaging information — and something that has raised ire in Washington, where the Federal Trade Commission has been holding discussions on tailored advertising. 
“The fact that you can be auctioned off in 12 milliseconds or less just illustrates how privacy in this country has rapidly eroded,” said Jeffrey Chester, executive director of the consumer group Center for Digital Democracy.

This Law is My Law (Berkman Center, 25 Feb 2010) - This week we sit down with Carl Malamud, who with the group is pushing to put law in the public domain. We covered the issue of copyright on law a few months ago in Radio Berkman 129, where Steve Schultze introduced us to RECAP – a software that helps legal researchers bypass hefty fees for access to legal documents. There is now a movement afoot, not just to bypass the system that puts law behind a paywall, but to remove it altogether. If you think this is a small issue – note that Americans spend some $10 billion a year just to access legal documents, everything from local building codes to Supreme Court records. The Executive Branch alone pays $50 million to access district court records. Some cash-strapped law schools ration students’ access to per-page charging services for legal records. And journalists, non-profits, and average citizens interested in legal research are feeling just as nickeled-and-dimed by fees. [Editor: good 25-minute podcast about PACER/RECAP, Oregon’s copyright claims in its Code, and open access to the law. ONE STAR]

**** RESOURCES ****
Social Networking and Constituent Communications: Member Use of Twitter During a Two-Month Period in the 111th Congress (Congressional Research Service, February 2010) - Beginning with the widespread use of e-mail by Congress in the mid-1990’s, the development of new electronic technologies has altered the traditional patterns of communication between Members of Congress and constituents. Many Members now use e-mail, official websites, blogs, YouTube channels, and Facebook pages to communicate with their constituents--technologies that were either non-existent or not widely available 15 years ago. These technologies have arguably served to enhance the ability of Members of Congress to fulfill their representational duties by providing greater opportunities for communication between the Member and individual constituents, supporting the fundamental democratic role of spreading information about public policy and government operations. In addition, electronic technology has reduced the marginal cost of constituent communications; unlike postal letters, Members can reach large numbers of constituents for a relatively small fixed cost. Despite these advantages, electronic communications have raised some concerns. Existing law and chamber regulations on the use of communication media such as the franking privilege have proven difficult to adapt to the new electronic technologies. This report examines Member use of one specific new electronic communication medium: Twitter. After providing an overview and background of Twitter, the report analyzes patterns of Member use of Twitter during August and September 2009.

Data Security, Third-Party Privacy Claims, and Insurance Coverage Under CGL “Personal and Advertising Injury” Coverage (Jones Day, Feb 2010) - For a company faced with a data breach resulting in the possible disclosure of private information, an important question is how, if at all, commercial general liability insurance will respond to third-party claims alleging damages. If your company has specialty coverage for data security loss, cybertheft, or similar liabilities, then your right to coverage might be clear. If you do not have such special coverage available, however, then you might nevertheless have a prospect of recovering defense costs and indemnity under your CGL policy. [Editor: useful re-survey of the issues and arguments.]

FCC Releases Internet Speed Test Tool (Reuters, 11 March 2010) - The U.S. Federal Communications Commission on Thursday launched a broadband test service to help consumers clock the speed of their Internet. Located at the site, the test is aimed at allowing consumers to compare their actual speeds with the speeds advertised by their providers. The FCC release follows an FCC meeting in September where officials said that actual speeds were estimated to lag by as much as 50 percent during busy hours. "The FCC's new digital tools will arm users with real-time information about their broadband connection and the agency with useful data about service across the country," FCC Chairman Julius Genachowski said in a statement. The FCC is also collecting information about where broadband is not available. Consumers can email the FCC at or call the FCC.

First of a Kind Court Ruling Allows Online News Service to “Deep Link” (Financial Times 22 Aug 2000) - A Rotterdam court has ruled against PCM, publisher of most of the Netherlands’ national dailies, which had sought an injunction against Internet upstart, whose Web site consisted largely of news headlines with hyperlinks to the online newspaper sources. PCM had objected to the links going directly to the story pages, rather than to the newspaper’s home page, where advertising revenues are more lucrative. PCM, pointing to the ads that support the Kranten site, had argued that the hyperlink system was analogous to “knocking a hole in a side wall of a café” owned by someone else, and demanding that those who entered through the hole “buy a drink from a stall set up outside.” The court found that PCM could just as easily place ads next to the individual news items, however, and that external links only resulted in increased traffic. PCM is now considering setting up a similar service to retain more control over revenue and content. [link broken]

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC. Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at Get supplemental information through Twitter:

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. InsideHigherEd -
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Woods’ Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog,
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.