Saturday, December 11, 2010

MIRLN --- 21 November – 11 December 2010 (v13.17)

(supplemented by related Tweets: #mirln)

·      Agencies To Look For a ‘Cloud Option’
o   GSA Chooses Google For Hosted E-Mail
·      Disney’s Earnings Leak Sprung From Goofy Mistake
·      Copyright Lawyers Sue Lawyer Who Helped Copyright Defendants
·      High Court Ruling Implies Headlines Are Copyright – We’re One Step Away From Links
·      10 Steps To Kickoff A Social Media Campaign
·      Supreme Court Won’t Hear RIAA File Sharing Case
·      Placing Files in Shared Folder Online Can Constitute Child Porn Distribution
·      Talking About Your Case On Your Blog? You May Have Just Waived Privilege
·      Facebook: State Bar Opinions Address Information Gathering
·      Google Changes Its Rank Algorithm In Response To NYT DecorMyEyes Story
·      Google Signs Deal With European Patent Office to Translate Patents
·      FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers; Endorses “Do Not Track” to Facilitate Consumer Choice About Online Tracking
·      Race Is On to ‘Fingerprint’ Phones, PCs
·      Australian Government Gives Thumbs Down to PDF Format
·      New Oklahoma Law Puts Control of Deceased’s Social Media Accounts In Estate Executors
·      Companies Beware: The Next Big Leak Could Be Yours
·      FTC Offers Businesses Tips for Securing Data on Digital Copiers
·      Web Bugs the New Norm For Businesses?
·      DoD to Troops: Lawfare=Wikileaks
·      Risk of Cyber Attacks Should Be Board-Level Concern, Lloyd's Says
·      Government, Financial Industry Launch Cybersecurity Collaboration
·      Yahoo Finance Integrates Real-Time Stock Discussion From StockTwits
·      As Jurors Go Online, U.S. Trials Go Off Track
·      OFAC Expands Capacity of Designated Entities to Pay for Legal Services
·      Fail: NASA Sold Space Shuttle PCS Without Wiping Secret Data
·      UCLA Sued Over Streaming of Videos


Agencies To Look For a ‘Cloud Option’ (Computerworld, 22 Nov 2010) - The federal government is adopting a “cloud-first” policy, marking the administration’s strongest statement yet in support of Web-based computing as it looks to overhaul the way it buys information technology. Jeffrey Zients, the federal government’s first chief performance officer, announced last week that the Office of Management and Budget will now require federal agencies to default to cloud-based solutions “whenever a secure, reliable, cost-effective cloud option exists.” The shift is part of a broader set of changes aimed at improving IT procurement. In recent months, the federal government has shut down or restructured a host of technology programs after they ran over budget and behind schedule. “Fixing IT is central to everything we’re trying to do across government,” Zients said. “IT is our top priority.” Zients outlined a series of initiatives the government plans to launch in the next six months, including pilot efforts to give agencies more flexibility in how they budget for programs. In addition, the administration wants to reconstitute oversight panels known as investment review boards and establish a career path for program managers.

- and -

GSA Chooses Google For Hosted E-Mail (Computerworld, 1 Dec 2010) - The U.S. General Services Administration will become the first federal agency to use a hosted e-mail service, choosing Google, Unisys and others to offer the service. The choice is a blow to Microsoft, which has tried to position itself as offering the most secure services for the government. It said it is the first federal agency to use a cloud-based system for e-mail across the entire agency. It expects a 50 percent cost savings over the next five years compared to costs associated with its current system. See also “USDA Taps Microsoft Cloud For 120,000 Workers (Information Week, 8 Dec 2010)” here:

Disney’s Earnings Leak Sprung From Goofy Mistake (Business Week, 24 Nov 2010) - There’s an explanation now for how Disney’s earnings report this month got released early: The company made the information accessible through an easy-to-guess Web address. The Walt Disney Co. didn’t plan on posting the link on its website until after the market closed Nov. 11. But a reporter at Bloomberg News found it with simple Internet sleuthing and reported results about a half-hour before the scheduled release. That’s according to a person familiar with Bloomberg’s practices. The person isn’t authorized to speak publicly and is speaking on condition of anonymity. Security experts characterize the companies’ failure to protect such valuable information as careless lapses. The Securities and Exchange Commission isn’t saying whether it’s investigating. Disney says its own probe is ongoing.

Copyright Lawyers Sue Lawyer Who Helped Copyright Defendants (The escapist, 26 Nov 2010) - Attorneys for the U.S. Copyright Group have filed a lawsuit against a lawyer who sold “self-help” documents to people who had been sued by the USCG, demanding that he pay the costs involved in dealing with the people who used the documents he sold. Try to stick with me here, because this one gets weird. Back in August, an attorney by the name of Graham Syfert began selling documents that would allow defendants in lawsuits filed by the U.S. Copyright Group to respond in court without having to fork over the huge piles of money needed to hire an attorney. The USCG sued “thousands” of BitTorrent users who had downloaded films like The Hurt Locker, Far Cry and Call of the Wild, demanding a settlement of $2500 to avoid the much more expensive proposition of going to court. “One of the major problems that people encounter when trying to hire me on these cases, is that a settlement is approximately what an attorney would need to even begin a defense,” Syfert said at the time. His package of paperwork, on the other hand, cost just ten bucks. 19 people have thus far taken advantage of Syfert’s offer and submitted responses to the court using his package, not a huge amount by any measure but 19 more than Dunlap, Grubb and Weaver, the law firm behind the USCG lawsuits, wants to put up with. The firm threatened Syfert with sanctions soon after he began selling his forms and also said it would double its settlement requests for anyone who used them; Syfert dismissed the threats with a “tongue in cheek” email and that was that, until earlier this week. On November 22, Syfert received another email from attorney Jeff Weaver informing him that he had made a formal request for sanctions against him on behalf of the production company behind The Hurt Locker, one of the driving forces behind the USCG lawsuits. Weaver is apparently claiming that the 19 cases filed using the self-help package have cost his firm $5000 and he wants Syfert to pay.

High Court Ruling Implies Headlines Are Copyright – We’re One Step Away From Links (TechCrunch, 27 Nov 2010) - The UK’s High Court has ruled that news monitoring agencies will have to pay publishing companies to use their web content, effectively re-classifying headlines as separate literary works subject to copyright. The moves follows a legal battle between the Newspaper Licensing Agency, owned by eight of the UK’s largest newspaper groups, and Meltwater, a news monitoring agency. Although cutting agencies like Meltwater pay the NLA a fee for reproducing full-length articles, this case was supposed to clarify the limits of the NLA’s licensing scheme. Meltwater didn’t like its clients needing to have a licence from the NLA for the use of mere headlines and short extracts from its service. Instead the case has ruled that similar aggregation sites that charge for a service will have to pay for those headlines. Meltwater plans to appeal against the decision, but if it’s upheld, you can expect a wave of more legal actions. And thus the fabric of the UK’s online publishing industry will start to break down. Well done High Court. Technically, that won’t affect blogs or search sites since they don’t charge. But it’s not far away from some publishers claiming that because those links are monetised in some other way, that they can charge for their use since the headlines and, therefore the links to those, are copyright.

10 Steps To Kickoff A Social Media Campaign (Business Insider, 28 Nov 2010) - When it comes to using social media marketing to build your business, the worst action is no action, and your biggest problem is being invisible, not being talked about negatively. As long as you’re part of the conversation on the social Web, you can hear what’s being said about you and massage negative perceptions about your business.

Supreme Court Won’t Hear RIAA File Sharing Case (Wired, 29 Nov 2010) - The U.S. Supreme Court declined Monday to hear the first Recording Industry Association of America file sharing case to cross its desk, in a case that tested the so-called “innocent infringer” defense to copyright infringement. The case, which one justice voted to hear (.pdf), leaves undisturbed a federal appeals court’s decision in February ordering a university student to pay the Recording Industry Association of America $27,750 for file-sharing 37 songs when she was a high school cheerleader. The appeals court decision reversed a Texas federal judge who, after concluding the youngster was an innocent infringer, ordered defendant Whitney Harper to pay just $7,400, or $200 per song. That’s an amount well below the standard $750 fine required under the Copyright Act for each violation. Harper’s challenge weighed whether the innocent-infringer defense to the Copyright Act’s minimum $750-per-music-track fine may apply to online file sharing. Generally, an innocent infringer is someone who does not know she or he is committing copyright infringement. Attorneys for Harper told the justices (.pdf) that she should get the benefit of the $200 innocent-infringer fine, because the digital files in question contained no copyright notice. A Texas federal judge had granted Harper the innocent-infringer exemption to the Copyright Act’s minimum fine, because the teen claimed she did not know she was violating copyrights. She said she thought file sharing was akin to internet radio streaming. The 5th U.S. Circuit Court of Appeals, however, said she was not eligible for such a defense, even though she was between 14 and 16 years old when the infringing activity occurred on LimeWire. The reason, the appeals court concluded, is that the Copyright Act precludes such a defense if the legitimate CDs of the music in question carry copyright notices.

Placing Files in Shared Folder Online Can Constitute Child Porn Distribution (New Jersey Law Journal, 30 Nov 2010) - Internet file sharing is just that — sharing files with other users — and it can amount to illegal offering and distributing when the files are child pornography, a state appeals court ruled Tuesday. Though the defendant didn’t affirmatively offer the materials or seek out people to take them, a fact finder could see the act of placing the files in a shared folder online, where others might access them, as “offering” or “providing” under New Jersey’s child endangerment statute, the Appellate Division ruled in State v. Lyons , A-4893-09. Richard Lyons was indicted for possessing as well as offering and distributing child pornography via LimeWire, an online file-sharing network. On May 30, 2007, a state police investigator accessed LimeWire, entered search terms indicating child pornography, located a known child-pornography file on Lyons’ computer and downloaded it, along with other files he had stored that turned out to contain pornographic materials. During questioning, Lyons acknowledged that LimeWire’s default setting was to store downloaded files in a shared folder available to all network users, though the settings could be changed to store downloaded files in a private folder not accessible to other network users. Morris County Superior Court Judge Philip Maenza dismissed the offering and distributing counts, based on Lyons’ assertion that his failure to change the LimeWire settings was an omission and that he did not knowingly distribute the video files. Lyons claimed that passive conduct cannot satisfy the meaning stated in the statute. Appellate Division Judges Joseph Lisa, Susan Reisner and Jack Sabatino reversed, holding that Lyons acted affirmatively by installing the LimeWire program, downloading the pornography files and keeping the files in a shared folder knowing that others would find them and download them.

Talking About Your Case On Your Blog? You May Have Just Waived Privilege (Stikeman, 30 Nov 2010) - On October 22, 2010, an American magistrate judge ruled that a plaintiff suing Universal Music Corp. for improperly sending a takedown notice under the Digital Millennium Copyright Act (DMCA) waived a number of heads of attorney-client privilege by discussing the details of her legal case by email and on a blog. In Lenz. v. Universal Music Corp, the plaintiff claimed damages and attorneys’ fees as a result of Universal Music Corp.’s filing of an allegedly fraudulent DMCA take-down notice seeking to have a home video of the plaintiff’s child dancing to a copyrighted song removed from YouTube. A magistrate judge ruled that plaintiff Stephanie Lenz waived attorney-client privilege by discussing her case in e-mail, on her blog, and in chat sessions. Through these online media, Lenz made representations about conversations she had had with her attorneys from Electronic Frontier Foundation (a non-profit digital rights advocacy and legal organization). These representations revealed information such as why she was suing Universal Music Corp. and legal strategies she was pursuing in her suit against the company. The magistrate judge ruled that these online communications amounted to a waiver of the attorney-client privilege. Accordingly, the magistrate ordered plaintiff to produce further documents and submit to further discovery regarding the plaintiff’s communications with her attorney as to (i) her motives for bringing the action; (ii) the specific legal strategies identified in her online discussions; and (iii) the specific factual allegations made in her online discussions. However, some have indicated that had this case been heard in Canada, the result may have been very different. Due to the high thresholds established by caselaw for determining when privilege has been waived, it is argued that a plaintiff’s mere musings or speculation about her lawyer’s legal strategy would likely not have lead to a waiver of solicitor-client privilege.

Facebook: State Bar Opinions Address Information Gathering (ABA, 30 Nov 2010) – “You represent the mother in a child custody dispute that will most likely wind up in litigation. You recently interviewed a daycare provider who may be an adverse witness in the matter. You believe that there may be some very useful information on the daycare provider’s personal Facebook page that you may be able to use to impeach her testimony at trial, but you would need to “friend” her to gain access to them. You believe that she freely gives the friend status to almost anyone who requests it, but that she would most likely not grant it to you. Can you ask your paralegal, whose name the daycare provider would not recognize, to contact the provider in order to friend her without revealing his affiliation with you so that you can gain access to her personal Facebook page?”

Google Changes Its Rank Algorithm In Response To NYT DecorMyEyes Story (TechCrunch, 1 Dec 2010) - Over Thanksgiving weekend a New York Times story, “A Bully Finds a Pulpit on the Web” clued a lot of people in to some of the drawbacks of Google PageRank. Negative attention online and complaint links from customer service sites like Get Satisfaction can actually be a benefit to business as in the problematic case of online retailer DecorMyEyes. The Times piece followed DecorMyEyes customer Clarabelle Rodriguez as she suffered online and offline harassment from DecorMyEyes founder Vitaly Borker, all in the name of improving his Google search rankings. While I saw that DecorMyEyes had dropped in the Google rankings for eyewear related searches like “La Font” directly after the piece went out, it was only a matter of time before Google did something official. From the Google blog: “We were horrified to read about Ms. Rodriguez’s dreadful experience. Even though our initial analysis pointed to this being an edge case and not a widespread problem in our search results, we immediately convened a team that looked carefully at the issue. That team developed an initial algorithmic solution, implemented it, and the solution is already live. I am here to tell you that being bad is, and hopefully will always be, bad for business in Google’s search results.” The Google post then goes on to outline the different ways the search engine could have solved the “Bad to customers = Good for PageRank” problem, by either blocking or using sentiment analysis to pull sites with a lot of negative comments down in the rankings. Using sentiment analysis in search rank is tricky however, because it would also pull down sites about unpopular politicians and controversial issues like abortion. Instead of using either of those two solutions to account for cases like the one described in the New York Times article, Google instead wrote an algorithm that can detect which hundreds of merchants (including DecorMyEyes) have provided “bad user experience” and algorithmically force them lower.

Google Signs Deal With European Patent Office to Translate Patents (Int’l Business Times, 1 Dec 2010) - Internet search company Google Inc on Tuesday said it has signed a deal with the European Patent Office (EPO) to use the company’s technology to translate patents into 29 European languages that will pave the way for a simplified European patent system. Google’s deal, which comes after years of infighting, is expected to make it easier for inventors and scientists from across the continent to access information on patents with the EPO that has 38 member countries. The European Commission has been pushing for a unified system for long but a European Union-wide standard patent had been halted for long due to a long standing dispute about which languages should take precedence on official documents. Italy and Spain had refused to accept a unified system and the contention that it was enough to have patent documents translated into English, French and German. Google’s agreement will help do away with the huge translation fees that had prevented growth and hit small businesses as it is presently 10 times more expensive to apply for a patent in Europe than in the US, European Commission said. Google transaction will also calm down fears of some countries that they will be at a language disadvantage.

FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers; Endorses “Do Not Track” to Facilitate Consumer Choice About Online Tracking (FTC, 1 Dec 2010) - The Federal Trade Commission, the nation’s chief privacy policy and enforcement agency for 40 years, issued a preliminary staff report today that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report also suggests implementation of a “Do Not Track” mechanism – likely a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities. “Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well,” said FTC Chairman Jon Leibowitz. The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses. To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices. Report here:

Race Is On to ‘Fingerprint’ Phones, PCs (WSJ, 1 Dec 2010) - David Norris wants to collect the digital equivalent of fingerprints from every computer, cellphone and TV set-top box in the world. Companies are developing digital fingerprint technology to identify how we use our computers, mobile devices and TV set-top boxes. WSJ’s Simon Constable talks to Senior Technology Editor Julia Angwin about the next generation of tracking tools. He’s off to a good start. So far, Mr. Norris’s start-up company, BlueCava Inc., has identified 200 million devices. By the end of next year, BlueCava says it expects to have cataloged one billion of the world’s estimated 10 billion devices. Advertisers no longer want to just buy ads. They want to buy access to specific people. So, Mr. Norris is building a “credit bureau for devices” in which every computer or cellphone will have a “reputation” based on its user’s online behavior, shopping habits and demographics. He plans to sell this information to advertisers willing to pay top dollar for granular data about people’s interests and activities. It’s tough even for sophisticated Web surfers to tell if their gear is being fingerprinted. Even if people modify their machines—adding or deleting fonts, or updating software—fingerprinters often can still recognize them. There’s not yet a way for people to delete fingerprints that have been collected. In short, fingerprinting is largely invisible, tough to fend off and semi-permanent.

Australian Government Gives Thumbs Down to PDF Format (IT News, 1 Dec 2010) - The central IT office of Australia’s Federal Government has requested that agencies consider the use of alternative file formats to Adobe’s PDF. The advice follows a study which found that while accessibility of the Portable Document Format (PDF) has improved over time and remains a popular format for many organisations, it was less accessible to visually-impaired users. Published by the Australian Government Information Management Office (AGIMO), “The Australian Government’s study into the Accessibility of the Portable Document Format for people with a disability,” concluded that if PDF was used, accessible alternative file formats should be made available.,government-gives-thumbs-down-to-pdf-format.aspx

New Oklahoma Law Puts Control of Deceased’s Social Media Accounts In Estate Executors (IBT, 2 Dec 2010) - Estate executors or administrators in Oklahoma have the power to access, administer or terminate the online social media accounts of the deceased, according to a new state law. According to former state Rep. Ryan Kiesel (D-Seminole), who had co-authored House Bill 2800 before he left office, the law would remind the people of Oklahoma as they go about their estate planning that, in addition to their personal and real property, they should make plans for the vast amount of intellectual property we leave behind. “The number of people who use Facebook today is almost equal to the population of the United States. When a person dies, someone needs to have legal access to their accounts to wrap up any unfinished business, close out the account if necessary or carry out specific instructions the deceased left in their will,” Kiesel said. “Digital photo albums and e-mails are increasingly replacing their physical counterparts, and I encourage Oklahomans to think carefully about what they want to happen to these items when they pass away,” he said. The bill, which became a state law on Nov. 1, assumes a Facebook page or other social network account is the property of the person who creates and uses it. However, most websites claim the information as their own in service agreements when users sign up. Kiesel has acknowledged the law may conflict with service agreements, but said the law is intended to get people thinking seriously about what they leave behind on Facebook and other websites. “We’re not just leaving a couple of shoeboxes full of mementos behind,” Kiesel said. “We’re leaving behind potentially thousands of photographs and all kinds of aspects of our lives online.” The law is the first of its kind in the U.S.

Companies Beware: The Next Big Leak Could Be Yours (AP, 2 Dec 2010) - WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next. Computer experts have warned for years about the threat posed by disgruntled insiders and by poorly crafted security policies, which give too much access to confidential data. And there is nothing about WikiLeaks’ release of U.S. diplomatic documents to suggest that the group can’t — or won’t — use the same methods to reveal the secrets of powerful corporations. And as WikiLeaks claims it has incriminating documents from a major U.S. bank, possibly Bank of America, there’s new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider. Despite the repeated warnings, many large companies lack clear policies on who should have access to certain data, said Christopher Glyer, a manager with the Mandiant Corp., an Alexandria, Va.-based security firm that investigates computer intrusions. WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy. Julian Assange, WikiLeaks’ founder, told Forbes magazine that the number of leaks his site gets has been increasing “exponentially” as the site has gotten more publicity. He said it sometimes numbers in the thousands per day.

FTC Offers Businesses Tips for Securing Data on Digital Copiers (FTC, 3 Dec 2010) - The Federal Trade Commission, the nation’s consumer protection agency, has tips for businesses on how to safeguard sensitive data stored on the hard drives of digital copiers. Here are the highlights of the FTC’s new publication, Copier Data Security: A Guide for Businesses: 
Before acquiring a copier, plan to have the information technology staff manage and maintain it just as they would a computer or a server.
When buying or leasing a copier, evaluate your options for securing the data on its hard drive – including the encryption or overwriting features that will be used. Encryption scrambles the data on the hard drive so it can only be read by particular software. This ensures that even if the hard drive is removed from the machine, the data cannot be retrieved. Overwriting – also known as file wiping or shredding – replaces the existing data with random characters, so that the file cannot be easily reconstructed.
Take advantage of all of the copier’s security features. Securely overwrite the entire hard drive at least once a month.
When returning or disposing of a copier, find out whether it is possible to have the hard drive removed and destroyed, or to overwrite the data on the hard drive. Generally, it is advisable for a skilled technician to remove the hard drive to avoid the risk of rendering the machine inoperable.
For more information about securing sensitive data, see Protecting Personal Information: A Guide for Business.

Web Bugs the New Norm For Businesses? (SlashDot, 3 Dec 2010) –
An anonymous reader writes: “What ever happened to the good old days, when underhanded email practices were only used by shady email marketing companies and spammers? Today, it seems, the mainstream corporate world has begun to employ the same tactics as spammers to track their customers’ email. Jonathan Zdziarski noted in a blog entry that AT&T is using web bugs to track email sent to customers. Could this be used for nefarious purposes?”

DoD to Troops: Lawfare=Wikileaks (Lawfare, 3 Dec 2010) - Those of you concerned about the Wikileaks disclosures will be reassured to know that the military IT folks are on the case and are aggressively cracking down on–drum-roll, please–us. That’s right, folks, Wikileaks, Lawfare. It’s all the same. They’re both on the Internet, after all. I awoke this morning to an email from alert reader Jeffrey A. Sherman, a reserve JAG Army Captain in the 2nd Stryker Brigade Combat Team, 25th Infantry Division, which is currently deployed in Iraq. He notified me that the following text now appears on his computer when he tries to access Lawfare:
Due to the recent disclosure of US Classified Information to public news and media sources, the site you are attempting to access may potentially be hosting US Classified Information (CONFIDENTIAL to SECRET//NOFORN) documents. Downloading, copying, typing text into another document or email, printing, saving to a workstation, server, or any drive connected to a NIPR or Unclassified system is considered a compromise of that system. Additionally, printing, sending, transmitting or forwarding this information is also considered a SPILL and established SPILL cleanup procedures must be followed. Users will lose network access until the incident can be fully resolved IAW USF-I and CENTCOM standards, including user training.
Viewing these documents is not considered a spill in of itself; however, once a user identifies the information as classified or potentially classified, the individual should immediately cease viewing the item and close their web browser.
IAW with DOD guidance and USF-I OPSEC Hash 10-2, all personnel are to refrain from viewing any of the articles pertaining to Wikileaks releases on their DOD NIPR system.
If you have questions regarding this message contact the JNCC-I IA Office, VoSIP: 708-243-6391.
Logged Information
Proxy Server: ARIF1-N-1-PROXY
IP Address:
UTC Timestamp: 2010-12-03 12:06:25
Category: Government/Legal;Blogs/Personal Pages
I cannot tell you how much I resent this. It’s not just the stupidity of the failure to distinguish between leaks and commentary on national security law–which inevitably will occasionally touch on leaks. It’s also the ridiculous phrase “May Potentially Contain Classified Information,” which in this instance translates roughly to “Does Not Contain or Discuss Classified Information Not Already Disclosed by Entities With Orders of Magnitude More Readers.” We have not posted any State Department cables here on Lawfare. The most we have done is linked to a New York Times article that refers to some cables and re-quoted what the Times had already quoted. We have actually taken pains over the life of this blog–and before–to avoid compromising sensitive material in the course of work that necessarily brings us into contact with it. On a few occasions, we have gone so far as to decline to post on sensitive matters that have come our way as a result of accidental disclosures. We write off of the public record here at Lawfare. Some of my press friends may not admire that, but that’s what we do. Glad to know the military appreciates the effort.

Risk of Cyber Attacks Should Be Board-Level Concern, Lloyd's Says (Insurance Journal, 6 Dec 2010) - Digital risks must be a board-level concern for business as the range, frequency and scale of cyber attacks increases, according to a new report. Many companies are unwittingly vulnerable to the possibility of data leakage, phishing attacks, trojans or advance persistent threats, according to a new report from Lloyd's, the world's leading specialist insurance market, and HP, the world's largest technology company. The report, "Managing digital risks: trends, issues and implications for business," warns that, as businesses become more reliant on technology, they will face more complex and damaging digital attacks as sophisticated attackers quickly adapt their methods to steal from, disrupt and spy on businesses.  Report here: 

Government, Financial Industry Launch Cybersecurity Collaboration (Information Week, 7 Dec 2010) - Federal agencies have teamed up with the financial services industry to promote a common way for the public and private sector to coordinate on cybersecurity. The effort is aimed at speeding the commercialization of technologies being developed to protect U.S. critical infrastructure so that both the federal government and private organizations can benefit from them, according to the White House. The National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC) released a memo Monday agreeing to pool their collective cybersecurity resources to facilitate innovation; identify and fight cybersecurity vulnerabilities; and develop more efficient and effective cybersecurity processes that can be used in the financial services sector as well as by other organizations.

Yahoo Finance Integrates Real-Time Stock Discussion From StockTwits (Mashable, 7 Dec 2010) - Yahoo Finance announced Tuesday that is has begun pulling data from StockTwits’s API, which curates stock-related conversation from Twitter tagged with $[stock symbol] (i.e. $AMZN) and messages sent through its own microblogging platform. StockTwits’s stream appears in a newly launched Market Pulse section, designed to help users keep track of real-time, user-generated finance news discussion on the web. We’ve pulled up the page for Google below. Unfortunately, the stream is not yet integrated into the main dashboard pages, which includes quotes, charts, news and other information for each stock. Instead, users have to navigate to a separate “Market Pulse” page on the left sidebar, which severely limits the stream’s exposure.

As Jurors Go Online, U.S. Trials Go Off Track (Reuters, 8 Dec 2010) - The explosion of blogging, tweeting and other online diversions has reached into U.S. jury boxes, raising serious questions about juror impartiality and the ability of judges to control courtrooms. A Reuters Legal analysis found that jurors’ forays on the Internet have resulted in dozens of mistrials, appeals and overturned verdicts in the last two years. For decades, courts have instructed jurors not to seek information about cases outside of evidence introduced at trial, and jurors are routinely warned not to communicate about a case with anyone before a verdict is reached. But jurors these days can, with a few clicks, look up definitions of legal terms on Wikipedia, view crime scenes via Google Earth, or update their blogs and Facebook pages with snide remarks about the proceedings. The consequences can be significant. A Florida appellate court in September overturned the manslaughter conviction of a man charged with killing his neighbor, citing the jury foreman’s use of an iPhone to look up the definition of “prudent” in an online dictionary. In June, the West Virginia Supreme Court of Appeals granted a new trial to a sheriff’s deputy convicted of corruption, after finding that a juror had contacted the defendant through MySpace. Also in September, the Nevada Supreme Court granted a new trial to a defendant convicted of sexually assaulting a minor, because the jury foreman had searched online for information about the types of physical injuries suffered by young sexual assault victims. Reuters Legal, using data from the Westlaw online research service, a Thomson Reuters business, compiled a tally of reported decisions in which judges granted a new trial, denied a request for a new trial, or overturned a verdict, in whole or in part, because of juror actions related to the Internet. The data show that since 1999, at least 90 verdicts have been the subject of challenges because of alleged Internet-related juror misconduct. More than half of the cases occurred in the last two years. Judges granted new trials or overturned verdicts in 28 criminal and civil cases -- 21 since January 2009. In three-quarters of the cases in which judges declined to declare mistrials, they nevertheless found Internet-related misconduct on the part of jurors. These figures do not include the many incidents that escape judicial notice.

OFAC Expands Capacity of Designated Entities to Pay for Legal Services (Lawfare, 8 Dec 2010) - OFAC has issued a final rule amending the TSR and GTSR sanction regimes to expand the options for designated entities to pay for certain legal services. Presumably this is at least indirectly responsive to issues that arose over the past year when the ACLU and CCR sought to represent Anwar al-Aulaqi’s father in the targeted killing case, and when the Humanitarian Law Project litigation (which dealt with the 2339B material support regime, not an IEEPA regime) raised similar questions about the provision of legal services to designated terrorist organizations. Whatever the origin, the full details of the new rule are posted here, and the summary follows: ”SUMMARY: The Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury is amending the Global Terrorism Sanctions Regulations (“GTSR”) and the Terrorism Sanctions Regulations (“TSR”) to expand the scope of authorizations in each of those programs for the provision of certain legal services. In addition, OFAC is adding new general licenses under the GTSR, the TSR, and the Foreign Terrorist Organizations Sanctions Regulations to authorize U.S. persons to receive specified types of payment for certain authorized legal services.”

Fail: NASA Sold Space Shuttle PCS Without Wiping Secret Data (Computerworld, 8 Dec 2010) - For sale, used computer packed full of secret NASA Space Shuttle data. As part of a plan to securely end the Space Shuttle program, NASA is getting rid of old computers. However, NASA officials failed to delete sensitive data on PCs and hard drives before selling the equipment. The Office of Inspector General found “serious” security breaches at NASA centers in Florida, Virginia, Texas and California. NASA is full of very bright minds, so how did it manage to make such a noob mistake of selling PCs without wiping the hard drives? An audit [PDF] found 10 of 14 computers that failed tests to ascertain they’d been wiped properly. One computer that was to be sold still contained sensitive Space Shuttle data, which was subject to export control by the International Traffic in Arms Regulations. All electronic storage media is supposed to be wiped of data “to the degree that there is reasonable assurance that the data cannot be retrieved or reconstructed,” the audit stated. NASA approved software for sanitizing hard drives include DBAN (Darik’s Boot and Nuke), Secure Erase, and WipeDrive/WipeDrive Pro. Contractors in charge of deleting sensitive information used DBAN and Active@KillDisk - which is not NASA approved at Johnson’s disposition center. Ames used BCwipe, which is DOD compliant, but not NASA approved. USA used Symantec DateGone which is not approved by NASA, DOD or NSA.

UCLA Sued Over Streaming of Videos (InsideHigherEd, 10 Dec 2010) - After a public copyright dispute in January, the Association for Information and Media Equipment says it has filed suit against the University of California at Los Angeles and the system’s Board of Regents. The association, a trade group that represents 16 educational media companies, objected to UCLA’s practice of allowing students to stream copyrighted videos on their course websites. Since course websites are not classrooms, the group said, the “fair use” exemptions for educational use do not apply. UCLA has said that since the course websites are password-protected, streaming videos on the site is the same as showing them in class, except far more convenient for students and professors. Allen Dohra, president of the trade group and vice president of Ambrose Video Publishing, which is named as a co-plaintiff in the suit, said in a press release that UCLA is undermining Ambrose’s own streaming service, which it offers at a price to subscribers. “UCLA’s behavior spells catastrophe for the entire educational video market, which increasingly will turn to streaming video,” the group said in the release.

Kim Dulin and David Weinberger on the Meta-Library (Berkman Center, 9 Nov 2010) - s more and more content moves into the cloud libraries are decreasingly the single place to go to find the material you need for your research (except for rare books and special collections). But libraries know a huge amount about their contents. This metadata is becoming even more valuable as research moves online, since now it can be deployed to help scholars and researchers discover, understand, and share what they need to know. The co-directors of the Harvard Library Innovation Lab at Harvard Law School—Kim Dulin and David Weinberger—along with members of the Lab will demonstrate their lead project (ShelfLife) and talk about the Lab’s proposed multi-library metadata server (LibraryCloud).

**** RESOURCES ****
OECD Privacy Guidelines: Thirty Years in the Public Sector (The Privacy, edited by Richard Purcell) - At the 30th Anniversary of the OECD Privacy Guidelines, we present a comparative study of how those guidelines have influenced the development of laws, regulations and public policy in five representative OECD member states – Australia, Canada, Japan, Spain, and the United States.

The Cyberthreat, Government Network Operations, and the Fourth Amendment (Jack Goldsmith paper, 9 Dec 2010) - Many corporations have intrusion-prevention systems on their computers’ connections to the Internet. These systems scan the contents and metadata of incoming communications for malicious code that might facilitate a cyber attack, and take steps to thwart it. The United States government will have a similar system in place soon. But public and private intrusion-prevention systems are uncoordinated, and most firms and individual users lack such systems. This is one reason why the national communications network is swarming with known malicious cyber agents that raise the likelihood of an attack on a critical infrastructure system that could cripple our economic or military security. To meet this threat, imagine that sometime in the near future the government mandates the use of a government-coordinated intrusion-prevention system throughout the domestic network to monitor all communications, including private ones. Imagine, more concretely, that this system requires the National Security Agency to work with private firms in the domestic communication network to collect, copy, share, and analyze the content and metadata of all communications for indicators of possible computer attacks, and to take real-time steps to prevent such attacks. This scenario, I argue in this essay, is one end point of government programs that are already up and running. It is where the nation might be headed, though perhaps not before we first suffer a catastrophic cyber attack that will spur the government to take these steps. Such a program would be controversial. It would require congressional approval and in particular would require mechanisms that credibly establish that the NSA is not using extraordinary access to the private network for pernicious ends. But with plausible assumptions, even such an aggressive program could be deemed consistent with the U.S. Constitution, including the Fourth Amendment. Paper here:

**** FUN ****
Law and the Multiverse; Superheroes, supervillains, and the law (blog) – If there’s one thing comic book nerds like doing it’s over thinking the smallest details. Here we turn our attention to the hypothetical legal ramifications of comic book tropes, characters, and powers. Just a few examples: Are mutants a protected class? Who foots the bill when a hero damages property while fighting a villain? What happens legally when a character comes back from the dead? [Creative, out of-the-box subject matter for lawyers: e.g., how does The Rule Against Perpetuities play if you’re immortal? or “Fee Simple and Alter-Egos” and “Is Batman a State Actor?”]

**** DIFFERENT ****
Lapsed Magazine Subscriptions (InsideHigherEd, 9 Dec 2010) - The most important shift brought about by the Web has been to move more of us from being consumers to producers. The fact that you are reading this blog now, and maybe will comment on the post - or tweet or blog yourself, is testament to this fact. Distressingly, the practice of higher ed has largely lagged this transition - too little of our student's time is spent producing for the world (writing, making videos, posting and sharing) - and too much time is still spent consuming words from the mouths of our professors. Today, in some of our courses and on some of our campuses, the transition to student as producer (student as research, student as writer, student as colleague), has already begun. In some courses, the lecture model has been inverted - so that the student time shifts lecture material at her convenience - and precious in-person class time is spent debating, discussing, creating, and sharing. In some courses and on some campuses, the Web has transformed learning into an active experience in the same way that the Web has transformed media. Which brings me to the subject of magazines in which I no longer subscribe. I'm somewhat saddened by my abandoned identity of a magazine subscriber. In days past, most of us defined ourselves by what we consumed. Magazines were a big part of my self-identity. Now, with more time spent writing - I have less time to consume - and many more options to consume via the Web in small chunks. The reams of paper that previously moved through my home have been replaced mostly by bits - but I'm nostalgic for those days of magazines strewn around the house.

MOVING ON TO M-COMMERCE -- In the rapidly growing market for “m-commerce” (e-commerce via mobile devices), Motorola is staking out new ground with a purchasing system for mobile phones that features voice-activated authentication of credit cards. Rather than typing numbers on a phone keypad to make a purchase, customer credit card numbers are stored on the cell-phone operator’s computer server. Once the customer approves a purchase, the information is sent from the server to the online merchant. In some cases, customers can choose items to buy and approve credit card purchases simply by speaking commands into the phone. The technology is based on software from Trintech Group. (Wall Street Journal 2 Feb 2000)

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at Get supplemental information through Twitter:

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. InsideHigherEd -
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog,
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

No comments: