Saturday, January 01, 2011

MIRLN --- 12-31 December 2010 (v13.18)


(supplemented by related Tweets: http://twitter.com/vpolley #mirln)

·      Website Privacy Policies - An Extensive Primer
·      Judges Can Have Facebook Friends, with ‘Constant Vigil,’ Says Ohio Supreme Court Board
·      Military Bans Disks, Threatens Courts-Martial to Stop New Leaks
o   Congressional Research Service Analysts Complaining About Blocked Access To Wikileaks
·      Protect Your Pre-1997 IP Address
·      EFF Victory: Appeals Court Holds that Email Privacy Protected by Fourth Amendment
·      A Mixed Ninth Circuit Ruling in MDY v. Blizzard: WoW Buyers Are Not Owners – But Glider Users Are Not Copyright Infringers
·      9th Circuit Rules Victims Needn’t Show ‘Misuse’ of Stolen Personal Data
·      UK’s Information Commissioner’s Office Issues First Data Breach Fines
·      A Magistrate Judge Correctly Ruled That A Youtube.Com User Waived The Attorney-Client Privilege By Recounting On Her Blog And In E-Mail Her Discussions With Her Attorneys
·      AMA Challenges E-Prescription Penalties
·      Vendors form ‘Legal Cloud Computing Association’
·      Your Apps Are Watching You
·      The Report of Current Opinions
·      Updates to Twitter Allowed in British Courts
·      Social Media or Snake Oil: Does Social Media Measure Up to the Hype?
·      NIST Outlines An Organizational-Level Approach To Continuous Monitoring
·      Nebraska Rolls Out Free Docket App
·      Court Rejects Plaintiff’s Proposal of Class Notice via Twitter, SMS, and Email -- Jermyn v. Best Buy
o   Man Divorces Wife By SMS
·      VA Employees Using Unauthorized Cloud Services
·      Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses
·      Data Hacker Pageranks Members of the US Congress
·      First Amendment Rights To Blog A Case
·      E-Lawyering Expert: Stay Competitive With a Virtual Law Practice
·      NOAA Launches Website Housing Previously Released Public Information from the Deepwater Horizon Response
·      Email ‘Oops’ Ends With Gordon & Rees Being Booted From Case
·      MERS: How a Mortgage Clearinghouse Became a Villain in the Foreclosure Mess

PODCASTS | RESOURCES | LOOKING BACK | NOTES

Website Privacy Policies - An Extensive Primer..... (Foley Hoag, 1 Dec 2010) - If your start-up’s website will collect user information.... and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website privacy policy is a “one size fits all, grab an example from a well-known e-retailer or established company web-site that appears to have a similar business model, snip here, paste there and you’re all set” deal. My wide-eyed stare of horror in reaction to this is mostly dismissed as symptomatic of the overly cautious view of life that seemingly plagues my profession. I have discussed this with a colleague Patrick Connolly and he had the great idea to write a primer on the issue of Privacy Policies for websites. Now let me warn you, Patrick’s primer is not short and it isn’t meant to be because it highlights the issues that we step through and the risks and possible reprisals that we consider when we draft a privacy policy for a particular start-up. So without further ado, here’s Patrick’s well thought out “Primer on the Website Privacy Policies”, hopefully once you’re done reading you’ll agree that your privacy policy is not something to be taken lightly. http://www.securityprivacyandthelaw.com/2010/12/articles/retail-customer-information-sp/website-privacy-policies-an-extensive-primer/#page=1 [Editor: Provides a useful framework to begin to work thru the issues; this is one of my three practice areas, too.]

Judges Can Have Facebook Friends, with ‘Constant Vigil,’ Says Ohio Supreme Court Board (ABA Journal, 8 Dec 2010) - An Ohio judge is allowed to have Facebook friends, the Board of Commissioners on Grievances and Discipline of the state’s top court held today. But doing so requires “constant vigil,” the board says in its written opinion, because “a judge must maintain dignity in every comment, photograph and other information shared on the social network,” reports the Associated Press. They also have to be careful to avoid bias and can’t gather evidence for cases from social media sites. A state supreme court press release provides additional details and links to a copy of the Dec. 3 opinion. http://www.abajournal.com/news/article/ohio_judges_can_have_facebook_friends_with_constant_vigil_says_state_suprem?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly

Military Bans Disks, Threatens Courts-Martial to Stop New Leaks (Wired, 9 Dec 2010) - It’s too late to stop WikiLeaks from publishing thousands more classified documents, nabbed from the Pentagon’s secret network. But the U.S. military is telling its troops to stop using CDs, DVDs, thumb drives and every other form of removable media — or risk a court martial. Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued the Dec. 3 “Cyber Control Order” — obtained by Danger Room — which directs airmen to “immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET,” the Defense Department’s secret network. Similar directives have gone out to the military’s other branches. It’s one of a number of moves the Defense Department is making to prevent further disclosures of secret information in the wake of the WikiLeaks document dumps. Pfc. Bradley Manning says he downloaded hundreds of thousands of files from SIPRNET to a CD marked “Lady Gaga” before giving the files to WikiLeaks. To stop that from happening again, an August internal review suggested that the Pentagon disable all classified computers’ ability to write to removable media. About 60 percent of military machines are now connected to a Host Based Security System, which looks for anomalous behavior. And now there’s this disk-banning order. One military source who works on these networks says it will make the job harder; classified computers are often disconnected from the network, or are in low-bandwidth areas. A DVD or a thumb drive is often the easiest way to get information from one machine to the next. “They were asking us to build homes before,” the source says. “Now they’re taking away our hammers.” http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks/

- and -

Congressional Research Service Analysts Complaining About Blocked Access To Wikileaks (Techdirt, 15 Dec 2010) - With the Library of Congress blocking access to Wikileaks over some misguided notion of what its legal responsibilities are, Copycense points us to a report about how librarians across the nation are now arguing over whether or not this was the right move, with many feeling that it was decidedly a bad move. However, perhaps more interesting is the claim, in the middle of the article, that analysts at the Congressional Research Service are negatively impacted by this as well: “Since the Congressional Research Service is a component of the Library, this means that CRS researchers will be unable to access or to cite the leaked materials in their research reports to Congress. Several current and former CRS analysts expressed perplexity and dismay about the move, and they said it could undermine the institution’s research activities. It’s a difficult situation,” one unidentified CRS analyst told Aftergood. “The information was released illegally, and it’s not right for government agencies to be aiding and abetting this illegal dissemination. But the information is out there. Presumably, any Library of Congress researcher who wants to access the information that WikiLeaks illegally released will simply use their home computers or cell phones to do so. Will they be able to refer directly to the information in their writings for the Library? Apparently not, unless a secondary source, like a newspaper, happens to have already cited it.” http://www.techdirt.com/articles/20101213/01240212254/congressional-research-service-analysts-complaining-about-blocked-access-to-wikileaks.shtml

Protect Your Pre-1997 IP Address (Computerworld, 10 Dec 2010) - If your company obtained its IP address space before 1997, you have probably received several letters from the American Registry for Internet Numbers Ltd. (ARIN) encouraging you to enter into a contractual agreement to protect the IP address. But should you sign it? ARIN’s contract is called the Legacy Registration Services Agreement (Legacy RSA). It proposes to give companies contractual guarantees, including grandfathering of certain protected rights; continued use -- at no extra charge, at least for now -- of IP address services like “in-addr” and “whois” listings; reduced annual fees compared with those of ARIN’s regular IP address holders; and future fee waivers, in exchange for returning unused IP address space. But be careful -- there are several issues you should consider before signing up for this. Registrants that obtained IP addresses directly from ARIN after 1997 entered into service agreements that fall under ARIN’s jurisdiction, and are therefore subject to ARIN’s resource utilization policies. But it is unclear whether IP address registrations of legacy IP address holders -- those that happened before 1997 -- were ever formally transferred to ARIN. ARIN has never claimed that it has control over these legacy IP addresses, but at the same time, it has never conceded that it lacks the authority either. http://www.computerworld.com/s/article/9200359/Protect_your_pre_1997_IP_address [This is a fairly arcane area, often overlooked in M&A transactions, which involves something like chain-of-title issues: how to prove your “ownership” of an IP address block, acquired thru a M&A transaction years ago? With the looming exhaustion of IP4 address space, such issues are coming to the fore.]

EFF Victory: Appeals Court Holds that Email Privacy Protected by Fourth Amendment (EFF, 14 Dec 2010) - In a landmark decision issued today in the criminal appeal of U.S. v. Warshak, the Sixth Circuit Court of Appeals has ruled that the government must have a search warrant before it can secretly seize and search emails stored by email service providers. Closely tracking arguments made by EFF in its amicus brief, the court found that email users have the same reasonable expectation of privacy in their stored email as they do in their phone calls and postal mail. EFF filed a similar amicus brief with the 6th Circuit in 2006 in a civil suit brought by criminal defendant Warshak against the government for its warrantless seizure of his emails. There, the 6th Circuit agreed with EFF that email users have a Fourth Amendment-protected expectation of privacy in the email they store with their email providers, though that decision was later vacated on procedural grounds. Warshak’s appeal of his criminal conviction has brought the issue back to the Sixth Circuit, and once again the court has agreed with EFF and held that email users have a Fourth Amendment-protected reasonable expectation of privacy in the contents of their email accounts. http://www.eff.org/deeplinks/2010/12/breaking-news-eff-victory-appeals-court-holds Opinion here: http://www.eff.org/files/warshak_opinion_121410.pdf

A Mixed Ninth Circuit Ruling in MDY v. Blizzard: WoW Buyers Are Not Owners – But Glider Users Are Not Copyright Infringers (EFF, 14 Dec 2010) - The Ninth Circuit today issued its decision in the second of a trio of cases that raise the critical legal question of whether “magic words” in an end-user license agreement (EULA) slapped onto a consumer product can turn buyers (or gift recipients) into mere licensees, rather than owners. Following its previous ruling in the first of these cases, Vernor v. Autodesk, the court today said yes — but there’s a twist. The case (which we’ve covered previously) pits Blizzard, the maker of World of Warcraft, against MDY, the maker of a program called Glider (what Blizzard calls a “bot”) that lets you play WoW on “auto-pilot” up to a certain level. Blizzard won in the district court, successfully arguing that WoW purchasers do not “own” their software, but merely “license” it. On this dystopian view, Blizzard owns every WoW DVD ever shipped for all eternity and may be able to use copyright law to punish WoW players who use the software in any manner not authorized by the “license” (like using Glider). The district court agreed, and MDY appealed. Ownership matters, because otherwise Blizzard and other software vendors can wipe away important consumer rights with legalese contained in license agreements. In September, the Ninth Circuit held that buyers of software (and possibly DVDs, CDs and other “licensed” content) are not owners as long as the vendor saddles the transfer with enough restrictions to transform what the buyer may think is a sale into a mere license. Today, in yet another blow to user rights, the Ninth Circuit ruled that Blizzard’s license restrictions for WoW accomplish the same purpose. However, the court also held that using Glider in WoW play in violation of Blizzard’s terms did not amount to copyright infringement.
Blizzard had argued that MDY was secondarily liable for copyright infringement because it provided software that allowed users to play in unauthorized ways. Not so, said the appellate court, because there was no direct liability to begin with. The license term that forbade WoW players from using Glider was a covenant — a promise not to do something — rather than a condition — limiting the scope of the copyright license. And while violating “antibot” covenants might breach a contract, it does not violate any copyright. (By contrast, creating a derivative work might.) This point may seem a bit arcane, but it’s crucial because it helps avoid a situation in which violating contracts and EULAs could result in a copyright infringement lawsuit (with the heavy club of statutory damages, attorney’s fees and low standards for injunctions) rather than just a simple breach of contract claim. http://www.eff.org/deeplinks/2010/12/mixed-ninth-circuit-ruling-mdy-v-blizzard-wow

9th Circuit Rules Victims Needn’t Show ‘Misuse’ of Stolen Personal Data (FPN, 15 Dec 2010) - Employees didn’t need to show misuse of their personal information in order to sue their employer over alleged negligence in allowing its theft, the 9th Circuit has ruled in affirming judgment. The plaintiffs are 97,000 current and former Starbucks employees whose names, addresses, and Social Security numbers were stored on a company laptop that was stolen. The plaintiffs filed a class action against Starbucks for the loss of their personal information, asserting negligence and breach of contract. Starbucks argued that, because none of the plaintiffs could show that their personal information was actually misused, they could not establish sufficient injury for purposes of standing under Article III of the Constitution. But the court concluded that an increased risk of identity theft satisfies Article III standing requirements. “If a plaintiff faces ‘a credible threat of harm,’ and that harm is ‘both real and immediate, not conjectural or hypothetical,’ the plaintiff has met the injury-in-fact requirement for standing under Article III. Here, [plaintiffs] have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data,” the court said. U.S. Court of Appeals, 9th Circuit. Krottner v. Starbucks Corp., No. 09-35823. Dec. 14, 2010. Lawyers USA No. 993-2514. http://fpn.advisen.com/articles/article134418124682987552.html?elq_mid=12209&elq_cid=996107

UK’s Information Commissioner’s Office Issues First Data Breach Fines (Steptoe’s E-Commerce Law Week, 16 Dec 2010) - Until recently, the UK’s Information Commissioner’s Office (ICO) had more bark than bite when it came to data protection. The extent of its powers was issuing enforcement notices and bringing court cases against violators of the Data Protection Act 1998. But earlier this year, as we reported, the ICO was authorized to issue monetary penalties up to £500,000 for individual data security breaches. And now the ICO has exercised that new power, issuing two fines totaling £160,000 for data breaches. Both fines were for failures to properly safeguard private and sensitive information. The ICO noted that both violators failed to take even the most basic steps to protect the information; one of the cases turned largely on the fact that the employer had failed to put encryption on a laptop that an employee used to work from home. http://www.steptoe.com/publications-7299.html

A Magistrate Judge Correctly Ruled That A Youtube.Com User Waived The Attorney-Client Privilege By Recounting On Her Blog And In E-Mail Her Discussions With Her Attorneys (CCH’s Guide to Computer Law, 16 Dec 2010; subscription required) - The user argued that her comments regarding “her counsel’s motives for representing her pro bono” did not waive the attorney-client privilege with respect to her own motivations for filing suit. However, the two subjects were closely intertwined and could not easily be separated. The user also contended that she was mistaken when she stated that her case was “not a ‘fair use’ case at all,” based on conversations with her attorneys. A party may not attempt to explain an apparent admission as a misinterpretation of a conversation with counsel, and then deny the opposing party on the basis of privilege access to the very conversations at issue. When a client reveals to a third party that something is “what my lawyer thinks,” she cannot avoid discovery on the basis that the communication was confidential. Lenz v. Universal Music Corp., NDCal

AMA Challenges E-Prescription Penalties (Information Week, 16 Dec 2010) - The American Medical Association and 103 state and specialty medical societies have sent a letter to Kathleen Sebelius, secretary for the Department of Health and Human Services, requesting that the Centers for Medicare & Medicaid Services (CMS) change its e-prescribing penalty requirements, which will create a financial burden on physicians, the letter said. The request was prompted by a change in the e-prescribing policy that CMS published in the 2011 Final Fee Schedule Rule, which introduced a provision requiring a physician to report at least ten instances of using e-prescriptions for Medicare office visits and services between January 1, 2011 through to June 30, 2011. If physicians don’t meet these requirements, they will face penalties in 2012 and 2013. http://www.informationweek.com/news/healthcare/policy/showArticle.jhtml?articleID=228800678&cid=RSSfeed_IWK_News

Vendors form ‘Legal Cloud Computing Association’ (Robert Ambrogi, 17 Dec 2010) - Four companies that offer legal-oriented products and services through the cloud have banded together to form the Legal Cloud Computing Association. LCCA’s purpose, according to its announcement, “is to promote standards for cloud computing that are responsive to the needs of the legal profession and to enable lawyers to become aware of the benefits of computing technology through the development and distribution of education and informational resources.” The four companies that make up LCCA’s founding membership are:
·      Clio (Themis Solutions Inc.)
·      DirectLaw, Inc.
·      Rocket Matter LLC
·      Total Attorneys, LLC
As its first official act as an organization, the LCCA published its comments on the ABA Commission on Ethics 20/20 paper concerning lawyers’ use of Internet-based client-development tools (PDF). With regard to cloud computing, the LCCA proposes that the ABA endorse a minimal set of standards for cloud-computing providers along with model terms of service for cloud providers. Those minimal standards, the LCCA says, should cover data-center security, network security, software security, data-transmission security, back-ups and redundancy, confidentiality and privacy, and data portability. http://www.lawsitesblog.com/2010/12/vendors-form-legal-cloud-computing-association.html

Your Apps Are Watching You (WSJ, 18 Dec 2010) - Few devices know more personal details about people than the smartphones in their pockets: phone numbers, current location, often the owner’s real name—even a unique ID number that can never be changed or turned off. These phones don’t keep secrets. They are sharing this personal data widely and regularly, a Wall Street Journal investigation has found. An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders. The findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them. Apps sharing the most information included TextPlus 4, a popular iPhone app for text messaging. It sent the phone’s unique ID number to eight ad companies and the phone’s zip code, along with the user’s age and gender, to two of them. Both the Android and iPhone versions of Pandora, a popular music app, sent age, gender, location and phone identifiers to various ad networks. Smartphone users are all but powerless to limit the tracking. With few exceptions, app users can’t “opt out” of phone tracking, as is possible, in limited form, on regular computers. On computers it is also possible to block or delete “cookies,” which are tiny tracking files. These techniques generally don’t work on cellphone apps. http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html?mod=WSJ_Tech_RightMostPopular

The Report of Current Opinions (O’Reilly Radar, 19 Dec 2010) - Public.Resource.Org will begin providing in 2011 a weekly release of the Report of Current Opinions (RECOP). The Report will initially consist of HTML of all slip and final opinions of the appellate and supreme courts of the 50 states and the federal government. The feed will be available for reuse without restriction under the Creative Commons CC-Zero License and will include full star pagination. This data is being obtained through an agreement with Fastcase, one of the leading legal information publishers. Fastcase will be providing us all opinions in a given week by the end of the following week. We will work with our partners in Law.Gov to perform initial post-processing of the raw HTML data, including such tasks as privacy audits, conversion to XHTML, and tagging for style, content, and metadata. The RECOP feed will be treated as an open source project with revision control, multiple commiters [commentors?], open discussion lists, and perhaps even multiple branches. Law.Gov participants include both for-profit organizations such as Justia and Fastcase and academic institutions such as Princeton, Cornell, and Stanford. We welcome additional participants from both communities. More details will be made available in mid-January on the Law.Gov mailing list. In addition to weekly release of all current opinions, this feed will include periodic releases of important segments of the back file, including:
·      A release of 3 million pages of 9th Circuit briefs from 1892 to 1968 which was produced in cooperation with UC Hastings College of the Law and the Internet Archive and is scheduled for release in Q1 2011.
·      Double-keyed HTML for at least the first 10 volumes of the Federal Reporter, First Series and all 30 volumes of the Federal Cases will be completed by the end of Q2 2011. This data is being furnished as part of the YesWeScan Project. Now, you too can give the gift that you can cite forever.
·      William S. Hein & Co., which provided high-resolution scans of the Federal Cases, is providing a high-resolution scan of the Federal Reporter, First Series which will be released in Q1 2011.
We are actively pursuing several other important archives that are missing such as Supreme Court Briefs, multiple versions of the annotated statutes of the 50 states, and other key collections. We would welcome the contribution of any legal publishers wishing to furnish such data. http://radar.oreilly.com/2010/12/the-report-of-current-opinions.html

Updates to Twitter Allowed in British Courts (NYT, 20 Dec 2010) - The head of the judiciary in England and Wales ruled on Monday that reporters and other observers can send updates to Twitter and other short text messages from courtrooms while trials are in session so long as the messages do not impede the judicial process. The interim decision, meant to guide courts in his jurisdiction, came a week after an appeals court judge in London barred those present at a bail hearing for Julian Assange, the WikiLeaks founder, from posting messages to Twitter. “There is no statutory prohibition on the use of live text-based communications in open court,” the judicial head, Lord Chief Justice Igor Judge, found in the Monday ruling. (The full text of the ruling is embedded at the end of this post.) “But before such use is permitted, the court must be satisfied that its use does not pose a danger of interference to the proper administration of justice in the individual case.” While cameras and sound recording equipment remain prohibited, live text updates to social networks are “unobtrusive” and “virtually silent” and therefore “unlikely to interfere with the proper administration of justice,” he wrote. Because most courtrooms require that mobile phones and other devices be switched off during proceedings, reporters or others present for the trial must ask for an exception for the purpose of sending live messages via Twitter and other text-based services. Judges can decide, however, to limit such updates. Criminal cases may be particularly sensitive, the chief justice wrote, though reporters may also be prevented from using text devices during civil trials as well, especially in situations where the posting of information could pressure or distract a future witness. In the United States, state and federal courts have taken varied approaches to Twitter. 
In Georgia district court last year, a federal judge denied a journalist’s request to use his Blackberry mobile phone in court to post messages, citing a federal rule that prohibits the “broadcasting” of proceedings. But a court in Connecticut allowed Twitter updates during the heavily publicized murder trial of Steven J. Hayes. In that case, defense lawyers appeared to set the grounds for a possible appeal, arguing that tens of thousands of messages had been sent from the courtroom, creating a carnival atmosphere and denying Mr. Hayes a fair trial. http://thelede.blogs.nytimes.com/2010/12/20/updates-to-twitter-allowed-in-british-courts/?scp=1&sq=twitter%20judiciary%20assange%20london&st=cse Ruling here: http://www.scribd.com/doc/45696935/Ruling-on-Twitter-in-Courts

Social Media or Snake Oil: Does Social Media Measure Up to the Hype? (ABA Journal, 2010) - Is the social media phenomenon overhyped? A growing chorus of voices says yes. Critics argue there are no credible ways to measure return on investment in social media. They also contend there’s no definitive data showing that social media create business, or that the number of followers you have on Twitter or friends on Facebook translates into dollars earned. The conundrum is that both the cynics and the cheerleaders may be right. Kevin O’Keefe, CEO and publisher of Seattle-based Lexblog, which provides social media consulting to law firms, says he does think there is too much hype about social media. “There are a lot of people who don’t know what they’re talking about creating a buzz about it. It’s terribly effective, but that doesn’t mean it’s not overhyped.” Perhaps the most overhyped metric of social media is the gross number of participants. Consultants waxing on about the value of social media start with Facebook’s 500 million active users and Twitter’s 190 million monthly visitors. Yet tallies of friends on Facebook and followers on Twitter mean little. If you’re hunting for hard numbers on social media value, you may be searching for fool’s gold. Social media isn’t about statistics. It’s about good, old-fashioned relationship building. “Numbers on your return on investment are meaningless,” says Daniel Harris of Harris & Moure in Seattle and author of the China Law Blog. “It’s like saying if you speak at a seminar, what’s the return? You never know in hard numbers, but you do know when someone calls six months later and says, ‘I heard you speak. We have this matter.’” http://www.abajournal.com/mobile/article/social_media_or_snake_oil?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly [Editor: you tell me; you’re reading this, after all.]

NIST Outlines An Organizational-Level Approach To Continuous Monitoring (GCN, 21 Dec 2010) - Effective IT security requires a top-down approach, with strategic planning at the organizational level rather than on a system-by-system basis, the National Institute of Standards and Technology says in newly released draft guidelines for continuous monitoring. Many, if not all, of an agency’s IT systems are mission-critical these days, and periodic snapshots of their status do not provide adequate assurance of security, according to the initial public draft of Special Publication 800-137, “Information Security Continuous Monitoring for Federal Information Systems and Organizations.” Continuous monitoring to assess security status and enable incident response is now the standard for security assessment and maintenance. “Information security is a dynamic process that must be effectively managed to respond to new vulnerabilities, evolving threats and an organization’s constantly changing enterprise architecture and operational environment,” the publication states. The publication offers guidelines on the development of a continuous monitoring strategy and the implementation of a program based on that strategy. The program should provide visibility into assets and an awareness of threats and vulnerabilities to the system, and expose the effectiveness of security controls being used. It also should allow the organization to determine if the security controls are aligned properly with its risk tolerance and help the organization respond if it finds that security controls are not adequate. http://gcn.com/articles/2010/12/21/nist-continuous-monitoring.aspx

Nebraska Rolls Out Free Docket App (ABA Journal, 21 Dec 2010) - Attorneys and judges in Nebraska have been able to use a searchable online court calendar for several years. But since this past fall they’ve had something a lot more slick for finding court dates: an app. Last September the state of Nebraska authorized and created a free state court docket app for the iPhone and its progeny. Nebraska appears to be the only state, so far, to have created such an app. The app makes most district and all county court hearing schedules searchable by day, time and location in real time. During its first month, the app was downloaded over 150 times, says Jennifer Rasmussen, project manager at Nebraska.gov, the state portal site that handled the programming. There haven’t been any comments posted about it on iTunes, but Rasmussen figures the audience could widen considerably, with about 6,500 attorneys in the state—maybe half of them trial lawyers. http://www.abajournal.com/magazine/article/icourt_application_iphone?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly

Court Rejects Plaintiff’s Proposal of Class Notice via Twitter, SMS, and Email -- Jermyn v. Best Buy (Eric Goldman, 22 Dec 2010) - Plaintiffs brought a class action against Best Buy alleging that Best Buy failed to honor its price-match guarantee. The court certified the class with respect to New York residents who had bought certain items from Best Buy since 2002 and who were denied Best Buy’s price guarantee. The named plaintiff suggested several forms of notice to potential class members, including notification via: (1) Best Buy’s “Twelpforce” Twitter account, (2) SMS, and (3) email. Noting that overinclusive individual notice is not required, and that Best Buy is only required to undertake “reasonable steps” to identify individual affected class members, the court rejects all three suggestions. The court conducted a random sample of Best Buy’s “Twelpforce” account and concluded that it was primarily a medium for providing technical support to customers. As with respect to the suggested notice via Twitter, the court accepts Best Buy’s argument that notice via SMS was overinclusive, based on Best Buy’s argument. The proposed email notice suffered the same fate, since Best Buy was “unable to restrict notice via email to only class members . . . [it] only collected customer emails when a customer makes a purchase on bestbuy.com; when a customer obtains a protection or service plan for an item purchased at bestbuy.com or at a Best Buy store; or when a customer voluntarily shares her email address when visiting bestbuy.com.” The court’s treatment of Twitter as a form of individual notice was interesting, and not entirely accurate. Tweets are not “individualized messages” in the sense that the list of recipients is not controlled by the sender (there’s not a finite list) - the list of recipients includes people who follow the general stream of Tweets as well as those who have opted in to receive messages.
Additionally, tweets can be disseminated further by those who see initial tweets, increasing the odds that the word would get out to its intended audience. It’s also worth noting that the “Twelpforce” account is not Best Buy’s only Twitter account. For some reason, plaintiff didn’t suggest notice via Best Buy’s main account, which has approximately 123,000 followers. Given that the costs involved in disseminating notice via Twitter are de minimis, I’m surprised the court wasn’t more open to the suggestion. Also, I was surprised that neither party brought up Facebook as a possibility. Best Buy’s Facebook page is approaching 2 million followers, and offers a similarly inexpensive way to get the notice out to a broad group of interested people. I would think Best Buy’s resistance stems from not wanting to suffer any negative branding implications from including news of this class action in its overt marketing channels, but I would have thought the minimal cost would have swayed the court. http://blog.ericgoldman.org/archives/2010/12/court_rejects_p.htm

- but -

Man Divorces Wife By SMS (Emirates24, 25 Dec 2010) - A Saudi court decided to separate a national couple after the husband sent an SMS to his wife’s mobile phone telling her that she is divorced, a newspaper in the Gulf Kingdom reported on Saturday. The woman from the western town of Madina asked the court to officially endorse her divorce and supported her complaint with the SMS from her husband, the online Arabic language daily Anakum said. “The husband told the judge he sent the message after an argument with his wife but that he did not mean to divorce her,” the paper said. “But the judge considered the SMS as a real divorce under Islam and decided to support the wife’s plea for divorce.” http://www.emirates247.com/news/region/man-divorces-wife-by-sms-2010-12-25-1.333715

VA Employees Using Unauthorized Cloud Services (Information Week, 23 Dec 2010) - The Obama administration might be pushing federal agencies to adopt cloud computing, but federal workers are already ahead of the curve, as the Department of Veterans Affairs recently discovered when it found out hospital employees were using Web-based tools from companies like Google and Yahoo on the job. The discovery isn’t shocking -- consumer adoption of cloud services has in many ways outstripped corporate and government adoption -- but it does raise security concerns, as the services being used haven’t necessarily gone through the rigorous certification process required to comply with federal cybersecurity guidelines. “The government can’t keep up with Google, Apple, Yahoo, and others who are creating grey apps for healthcare usage,” VA CIO Roger Baker said Thursday on a monthly cybersecurity conference call with reporters. “This is an issue we’re going to continue to deal with going forward. These are great tools for patient care, but at the same time we can’t use them. If we don’t figure out how to embrace them, our users will figure it out without us.” Baker applauded companies like Google for moving forward with government security certifications for “moderate” risk information, but said that the VA requires even higher security standards for personally identifiable information like the type its employees are beginning to store online. For now, the agency is treating the use of services like these as a security concern, and blocking access to sites as they became known. For example, last month the agency discovered that a few orthopedics department residents at the Jesse Brown VA Medical Center have been keeping a calendar of patient data on Yahoo Calendar for more than three years. The residents had stored full names, dates, types of surgery, and the last four digits of Social Security numbers for 878 patients on the site, sharing the same user account. 
When the VA discovered this, it blocked access to the site, deleted all the entries, changed the password (which hadn’t been changed once during the three years of use), and began mailing out letters of notification to all affected patients. Such a scenario has played out numerous times in recent months, Baker said. The most popular use of cloud services was by employees using Google Docs to store shift-change information and residents using it to document what type of role they played in various procedures. “While these are password-protected accounts, the issue is that they leave the VA,” Baker said. “We need to figure out how to meet this demand and still meet our requirements from the standpoint of security controls.” http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=228900122&cid=RSSfeed_IWK_All

Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses (TechDirt, 27 Dec 2010) - The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn’t really come to the US...) has numerous vulnerabilities that have been detailed over the years. In the past year alone, there have been a number of problems and weaknesses highlighted with the system. Apparently, the financial industry isn’t happy about this, but rather than fixing the problems it’s reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association -- a trade group representing banks and credit card companies -- has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities. You can see the demand letter embedded below, but it’s fairly amusing. The letter claims that the publication (which you can read about on the author’s (Omar Choudary) website, where he describes a device for intercepting, monitoring and modifying such data) “oversteps the boundaries of what constitutes responsible disclosure.” In other words, they’re not happy about it, so Cambridge should force the student to shut up. Of course, what’s amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway: “Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry’s fraud prevention systems would be able to detect when such an attack had happened.” http://www.techdirt.com/articles/20101225/23212712406/financial-industry-favors-security-through-obscurity-demands-cambridge-censor-paper-detailing-weaknesses.shtml

Data Hacker Pageranks Members of the US Congress (ReadWriteWeb, 27 Dec 2010) - What’s the fastest way to evaluate the true behavior of a Senator or Representative in Congress? How about through a ready-made mathematical model and some charts? That’s what Josh Tauberer has created as the latest project at congress-tracking site GovTrack.us. “Bulk access to legislative information makes large-scale statistical analyses possible,” Tauberer writes. He’s performed analyses he says are like Google’s Pagerank, but for politicians: he’s tracked which politicians vote together in order to discover moderates and extremists, and he’s treated sponsorship and co-sponsorship of legislation like an endorsement of leadership, similar to the way Google treats links between web pages as an endorsement. The resulting chart, below, tracks Senate members on axes of leadership and ideology. It’s a fascinating way to see important qualitative matters quantified and to get a quick snapshot of politicians you might not follow very closely. Something like this could also be helpful in assessing claims and pushing for accountability of elected officials. http://www.readwriteweb.com/archives/data_hacker_pageranks_members_of_the_us_congress.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+readwriteweb+%28ReadWriteWeb%29&utm_content=Google+Reader

First Amendment Rights To Blog A Case (Cobalt Law Firm, 28 Dec 2010) - “Dear Mr. Olson -- We are in receipt of your letter (below) in which you demand that we cease or you will sue. We are a law firm; and we are reporting news in our blog. Clearly that is stated under the category of ‘News’ as you acknowledge in paragraph two of your letter. We acknowledge that your client has trademark rights. However, protection for trademark rights under the Lanham Act is limited to protection against another’s use of a designation to identify its business, or in marketing its goods or services in a way that causes a likelihood of confusion. Such trademark rights do not override First Amendment rights.” http://www.cobaltlaw.com/news/first-amendment-rights-to-blog-a-case Of course, this has now been picked up by TechDirt -- http://www.techdirt.com/articles/20101229/03133712447/when-sending-bogus-tm-cd-dont-send-it-to-lawyer-who-understand-tm-law.shtml

E-Lawyering Expert: Stay Competitive With a Virtual Law Practice (ABA Journal, 28 Dec 2010) - More clients than ever are seeking legal services online, and the market is growing every day with new competitors—online companies such as Legal Zoom, Inc. and “do it yourself” legal kits on the Internet, among them—that are challenging the dominance of the traditional law firm. Stephanie Kimbro, co-founder of Virtual Law Office software and a virtual law office owner, says in her book Virtual Law Practice that “mainstream legal professionals who have preferred to stick with more traditional law practice methods can no longer turn a blind eye to this change if they wish to remain competitive.” YourABA recently asked Kimbro to provide some guidance on establishing a virtual presence and best practices for effective e-lawyering. http://www.abanet.org/media/youraba/201012/article01.html

NOAA Launches Website Housing Previously Released Public Information from the Deepwater Horizon Response (NOAA, 29 Dec 2010) - NOAA today unveiled a web archive of the maps, wildlife reports, scientific reports and other previously released public information used by emergency responders, fishermen, mariners and local officials during the Deepwater Horizon oil spill. The NOAA Deepwater Horizon Library can be accessed via http://www.noaa.gov/deepwaterhorizon. “This website serves as a valuable learning tool and resource for scientists, students and historians of all backgrounds for many years to come,” said Jane Lubchenco, Ph.D., under secretary of commerce for oceans and atmosphere and NOAA administrator. “Good science underpins everything we do at NOAA, and our scientists worked tirelessly during the spill to monitor the oceans, coasts and skies. Much of that mission-critical information is now available in this library.” http://www.noaanews.noaa.gov/stories2010/20101229_dwh_library.html

Email ‘Oops’ Ends With Gordon & Rees Being Booted From Case (LegalPad, 29 Dec 2010) - It’s great the way email software autocompletes addresses for you. Except when it puts in the wrong one. That’s what happened to Braun Hagey partner J. Noah Hagey. But it wasn’t a total disaster, as it kicked off a chain of events that culminated last week with an eye-popping protective order (read it here) booting his opposing counsel and in-house lawyers off a case in federal court. Here’s what happened. Hagey represents a handful of engineers in Oakland who in September left engineering and design firm Arcadis to start their own shop. Apparently worried their former employer would try to interfere, they hired Braun Hagey and later conferred by email -- with autocomplete inserting an old Arcadis address for one of the former employees. So four message threads, including one attaching a draft declaration, were delivered to Arcadis, where an email monitoring system routed them to legal. In a declaration, Hagey said the plaintiffs didn’t realize their emails had been intercepted until lawyers at Gordon & Rees filed a counterclaim that references the day the former employees held a meeting -- a date, he said, Gordon & Rees could only have learned from the emails. Reached Wednesday, Hagey declined to comment publicly. In a declaration, Elizabeth Spangler, an in-house lawyer at Arcadis, acknowledged receiving the threads and reviewing the draft complaint -- at which point she says she realized the material was probably privileged. She says, however, that there were no great revelations in the material, and she didn’t share it with anyone. She did say, though, that she must have inadvertently given Gordon & Rees the date on which the exiting employees met. She also said she later learned her boss, Arcadis’ General Counsel Steven Niparko, had also briefly reviewed the email. On Dec. 17, U.S. District Judge Jeffrey White ordered that Arcadis replace Gordon & Rees with new, untainted counsel. He also ordered Spangler off the case, and said the GC must be “removed from all aspects of the day-to-day management.” And he ordered Arcadis to pay fees and costs of $40,000. http://legalpad.typepad.com/my_weblog/2010/12/email-oops-ends-with-gordon-rees-being-booted-from-case.html [Editor: a possibly-unexpected outcome -- a risky way to contaminate opposing counsel.]

MERS: How a Mortgage Clearinghouse Became a Villain in the Foreclosure Mess (Washington Post, 31 Dec 2010) - In the early 1990s, the biggest names in the mortgage industry hatched a plan for a new electronic clearinghouse that would transform the home loan business - and unlock billions of dollars of new investments and profits. [A] central electronic clearinghouse would allow the companies to transfer thousands of mortgages instantaneously, greasing the wheels of a system in which loans could be repeatedly and quickly bought and sold. “Assignments are creatures of 17th-century real property law; they do not coexist easily with high-volume, late 20th-century secondary mortgage market transactions,” Phyllis K. Slesinger, then senior director of investor relations for the Mortgage Bankers Association of America, wrote in a paper explaining the system. Sixteen years down the road, the mortgage business is a mess. The electronic clearinghouse has become a reality: The Virginia-based Mortgage Electronic Registrations Systems, a registry with 67 million mortgages on file, has become part of the industry’s standard operating procedure. But critics say promises of transparency and of ironing out wrinkles in record-keeping haven’t panned out. The firm, which tracks more than 60 percent of the country’s residential mortgages but whose parent company employs just 45 people in a Reston office building, is on the firing line now. * * * MERS became a stripped down version of the original idea. The first thing to go was the vault for keeping documents. MERS instead became a giant electronic card catalogue that tracked who was managing a particular loan as it was sold and resold, but it left the companies themselves responsible for guarding the mortgage (or deed of trust) and the promissory note (or IOU) - the two critical pieces of paper that prove who owns a loan. Next to go was transparency, critics say.
When a home loan is securitized, at least a half-dozen parties are typically involved. The loan might be originated by a mortgage finance firm, sold to a company that aggregates them into a pool and then sells them to an investor such as a pension fund. A different “servicer” such as Bank of America is usually responsible for collecting payments. Most loans are bought and sold several times, and the servicer can change, too. The mortgage bankers decided that to simplify record-keeping, MERS would be listed as a “nominee” for the mortgage holder in local land records offices. When the loans changed hands, the new owner or servicer would register the transaction electronically in the MERS system without having to re-record the transaction across the country. But Mark Monacelli, a county recorder in Duluth, Minn., who was the lead negotiator for the association representing recorders from most of the nation’s 3,600 counties, said that practice makes it difficult for homeowners to be able to trace the chain of ownership of their loan. http://www.washingtonpost.com/wp-dyn/content/article/2010/12/30/AR2010123003056.html?hpid=topnews&sid=ST2010123003364 [Editor: Long article, interesting subject. Illustrates the tension between law and technology, and how things can go off the tracks when the tech/business side gets too far ahead of the law. This isn’t going to end prettily.]

**** NOTED PODCASTS ****
The Innovation Secrets of Steve Jobs (Carmine Gallo, 22 Nov 2010; 53 minutes) - Apple’s Steve Jobs has a reputation for innovation, particularly with Apple’s company slogan of “Think Different”. Carmine Gallo wrote a book that reviewed Jobs’ presentation secrets and now details his innovation secrets. Gallo discusses his book, including the seven points of innovation followed by Steve Jobs. Gallo also talks about the thought process that led to this follow-up to his previous successful book. [Editor: Gallo starts off a bit slick for my tastes, but he’s actually done a very useful job distilling and presenting here. These are extremely good points he makes, especially for younger people.] http://itc.conversationsnetwork.org/shows/detail4724.html

**** RESOURCES ****
Copyright for Internet Authors and Artists (Prof. Thomas Field, 16 Oct 2010) -- This small paper attempts to answer inquiries received during the span of at least a decade. It contains little information that is unavailable at the Copyright Office website, but it focuses on the needs of a much smaller, if sizable, audience. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1693203 [Editor: 6-page almost FAQ-like – useful for quick orientation of new clients.]

WIPO Launches On-line Tool to Assist in Filing International Trademark Applications (WIPO, 20 Dec 2010) - WIPO launched on December 20, 2010 an on-line tool - the Madrid System Goods & Services Manager (G&S Manager) - that will help trademark applicants in compiling the list of goods and services that must be submitted when filing an international application under the Madrid System for the International Registration of Marks. The G&S Manager, which can be accessed through the WIPO GOLD portal, gives access to thousands of standard terms classified in accordance with the 9th edition of the International Classification of Goods and Services for the Purposes of the Registration of Marks (Nice Classification). Applicants using the G&S Manager can select the terms that best describe the goods and services relating to the mark. Users of the Madrid system must ensure that they provide the correct description and classification of the goods and services for which the mark will be used. By selecting terms from the G&S Manager, applicants can be confident that no irregularity notice will be issued with respect to the classification or indication of those goods and services. The G&S Manager is available in the three working languages of the Madrid system, namely English, French and Spanish, and gives access to some 30,000 terms in English and their equivalents in French and Spanish. http://www.wipo.int/pressroom/en/articles/2010/article_0050.html

**** LOOKING BACK ****
JUDGE MAKES A CASE FOR THE DELETE KEY (New York Times 5 Oct 2000) - District Court Judge James Rosenbaum has published an article called “In Defense of the DELETE Key,” in which he bemoans the eternal nature of computer communications and reminisces fondly about pre-computer days when people casually spoke “off the record”: “At this earlier time, two people could easily say something -- even, perhaps, something politically incorrect -- simply between themselves. They might even have exchanged nasty notes between themselves. And when they had moved past this tacky, but probably innocent moment, it was truly gone.” Today, however, “an idle thought jotted onto a calendar, a tasteless joke passed to a once-trusted friend, a suggestive invitation directed at an uninterested recipient, if done electronically, will last forever. Years later, it can subject its author to liability.” Rosenbaum proposes a “cyber statute of limitations” -- perhaps six months for an isolated e-mail message -- after which “deleted” documents would be legally consigned to the electronic rubbish heap and become inadmissible as evidence of possible wrongdoing. He makes an exception for recovered “deleted” messages from someone who has exhibited a pattern of egregious behavior or communications. The article was published in the Summer issue of The Green Bag, a literary law journal. http://.nytimes.partners.com/2000/10/05/technology/06CYBERLAW.html [link broken]

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, sans@sans.org
4. NewsScan and Innovation, http://www.newsscan.com
5. BNA’s Internet Law News, http://ecommercecenter.bna.com
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. Law.com
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
