Saturday, February 12, 2011

MIRLN --- 23 Jan – 12 Feb 2011 (v14.02)

(supplemented by related Tweets: #mirln)

·      Peer review: Trial by Twitter
·      E-Discovery Burden, the Judges’ Guide, and an Alternative to AFAs
·      Internet-Proofing your Cease and Desist Letter
·      Who Owns Student-Created Intellectual Property?
·      Banks May Soon Require New Online Authentication Steps
·      Foursquare’s Stalker Problem
·      Internet Service Customers’ Online Profiling Claims Proceed
·      Value Of Hacked Information Can Be Determined By Production Costs
o   CA8: Cell Phone is “Computer” For 18 U.S.C. Sec. 1030 Purposes
·      Killer Text: A Russian Suicide Bomber Blows Up By Accident
·      The Law of Decoy Cameras in Restrooms
·      Do Employers Really Tread a Minefield When Firing Employees for Facebook Gaffes?
o   Facebook Firing Case Is Settled
·      Sixth Circuit Holds Probable Cause Warrant Required for Private Email
·      Cost of Regulatory Security Compliance? On Average, $3.5m
·      EFF Releases Report Analyzing Surveillance of Americans During Intelligence Investigations Conducted Between 2001 and 2008
·      Watch Your Social Media Posts Because Lawyer Regulators, FTC May Be
·      Yellow Pages Companies Challenge Seattle Opt-out Ordinance on First Amendment Grounds
·      Top UK Court OKs Tweets and Live-Texting Under Most Circumstances
·      IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim
·      First Joint Russian-U.S. Report on Cyber Conflict
·      LexisTexas: Privatizing Access to Public Courts
·      DoD Leads In Federal Open Source Usage
·      NIST Issues Cloud Security Guidelines
·      The Rise of LinkedIn as Login of Choice
·      75% Of Small Businesses Are Increasing Social Media Spending This Year
·      Is It Copyright Infringement To Pass A DMCA Notice On To ChillingEffects
·      Second Life Forum Selection Clause Upheld
·      Court Holds that Data About Car Speed and Brake Usage Stored in Car’s Computer Protected by Fourth Amendment
·      Leaked Security Firm Documents Show Plans to Discredit WikiLeaks, Glenn Greenwald


Peer review: Trial by Twitter (Nature, 19 Jan 2011) - “Scientists discover keys to long life,” proclaimed The Wall Street Journal headline on 1 July last year. “Who will live to be 100? Genetic test might tell,” said National Public Radio a day later. These and hundreds of similarly enthusiastic headlines were touting a paper in Science in which researchers claimed to have identified a set of genes that could predict human longevity with 77% accuracy — a finding with potentially huge implications for medicine, health policy and the economy. But even as the popular media was trumpeting the finding, other researchers were taking to the web to criticize the paper’s methodology. “We expect that most of the results of this study will not have the same longevity as its participants,” sniped a blog posted by researchers at the personal genomics company 23andMe, based in Mountain View, California. This critical onslaught was striking — but not exceptional. Papers are increasingly being taken apart in blogs, on Twitter and on other social media within hours rather than years, and in public, rather than at small conferences or in private conversation. In December, for example, many scientists blogged immediate criticisms of another widely publicized paper — this one heralding bacteria that the authors claimed use arsenic rather than phosphorus in their DNA backbone.

E-Discovery Burden, the Judges’ Guide, and an Alternative to AFAs (InsideCounsel, 20 Jan 2011) - For years judges have relied heavily on the counsel appearing before them to learn how electronically stored information (ESI) had to be processed for review and production. Of course, at times the lawyers for the producing parties had more interest in arguing how burdensome and oppressive the production requests were than in enlightening the court about cost-effectiveness; at other times counsel may have had only limited experience with new technology. The eDiscovery Institute, a 501(c)(3) nonprofit research organization, has just released a publication for judges that provides a detailed, vendor-neutral look at technologies and processes that can greatly reduce the cost of handling ESI, the “Judges’ Guide to Cost-Effective E-Discovery,” by Anne Kershaw and myself, with a foreword by the Hon. James C. Francis IV, Magistrate Judge for the Southern District of New York. The Judges Guide has been distributed in hard copy form to all U.S. Magistrate Judges and is available for download free of charge at

Internet-Proofing your Cease and Desist Letter (Eric Goldman, 22 Jan 2011) - I blogged some time ago about steps you can take to “‘Internet-Proof’ Your Cease and Desist Letter.” Here’s what happens when you don’t. The law firm Lazar, Akiva & Yagoubzadeh sent a cease and desist letter to Boing Boing. When you send a letter to someone like Boing Boing, they are going to post it . . . so if you send one, you should make sure it’s clean and defensible (and relatively reasonable). Apparently, this particular one was not, and Boing Boing posted the letter. (See “Stupid legal threat of the young century.”) Boing Boing also said it was one of the worst letters they had received (and it seems like they receive a lot of cease and desist letters): “Boing Boing has been on the receiving end of one or two stupid legal threats in our day but this one from the firm of Lazar, Akiva & Yagoubzadeh takes the cake, the little cake topper, the frosting and all the candles, as well as the box and the cake-stand and the ornamental forks.” In response, the company on whose behalf the letter was sent walked back the allegations in the letter. It also publicly severed its relationship with the law firm who sent the letter. (“K-12 tutoring company fires law firm over blog spat”) (California Watch) (via Volokh). Internet justice in action! Boing Boing didn’t even have to have its lawyers write a response back. They simply posted the letter, and things took care of themselves.

Who Owns Student-Created Intellectual Property? (Legal Blog Watch, 24 Jan 2011) - When teens select a college, they have historically considered factors like the school’s cost, academic programs, location and climate. Now it seems they should consider whether a school will claim an ownership right if the students create a new invention while attending the school. That’s what happened to University of Missouri student Tony Brown, after he and three fellow students created NearBuy, an iPhone application intended to help track local apartment rentals. According to Yahoo News, the university initially demanded 25 percent ownership and two-thirds of the profits from the app, which has been downloaded more than 250,000 times. The university has since revised its policy to state that it will not claim an ownership interest in inventions created for school contests, by extracurricular clubs, or as the result of an individual’s initiative. However, if a student invention was created under a professor’s supervision or with the use of school resources or grant money, then the school can assert the same ownership right as it does for faculty inventions. Universities tend to have more established policies regarding inventions created by their professors; however, school policies related to student inventions may still be lagging behind social changes and the general pace of technology. Given that student inventions have the same potential for success as faculty inventions, it is foreseeable that other universities could also rewrite their policies to state that they own everything created by a student that involves the use of any university-provided resources (i.e., Internet access, dormitory rooms, etc.). Students in this position would be forced to surrender some or all of the control of their products and profits. 
A school with such a policy might also be able to claim ownership rights in student copyrights for any literary or artistic works that they create and even the profits from advertisements that run on students’ blogs.

Banks May Soon Require New Online Authentication Steps (Computerworld, 25 Jan 2011) - The Federal Financial Institutions Examination Council (FFIEC) could soon release new guidelines for banks to use when authenticating users to online banking transactions. The new guidelines will clarify the FFIEC’s existing guidelines on the subject and more explicitly inform banks about what they need to do to bolster online authentication, said Avivah Litan, an analyst at Gartner. Litan and others recently met with the FFIEC’s IT subcommittee to discuss the updates. “They have been talking about it and debating it for a while,” Litan said. “My understanding is that [the subcommittee meeting] was the last step in the process before they issue the new guidance.” The FFIEC is an interagency council that develops standards for the federal auditing of financial institutions by bodies such as the Federal Reserve System and the Federal Deposit Insurance Corp. (FDIC). In 2005, it issued a set of guidelines, titled “Authentication in an Internet Banking Environment.” They called on banks to upgrade their single-factor authentication processes -- typically based on user name and passwords -- with a stronger, second form of authentication by the end of 2006. The guidance left it largely up to the banks to choose whatever second form of authentication that they felt was the most appropriate for their needs. The FFIEC listed several available authentication technologies that banks could choose from, including biometrics, one-time passwords and token-based authentication. Since the guidelines were issued, many banks have added a second authentication layer for users when conducting certain kinds of online transactions. However, in many cases, the added measures have been largely cosmetic in nature and have done little to bolster authentication in the way the FFIEC had originally intended, Litan said. 
[Google is enabling multi-factor authentication, too – see!5756977/set-up-googles-two+step-verification-now-for-seriously-enhanced-security-for-your-google-account]

Foursquare’s Stalker Problem (The Daily Beast, 25 Jan 2011) - In the world of social networking, Carri Bugbee is hardly a novice. The social-media marketing strategist from Portland, Oregon, has 7,164 followers on Twitter, 1,197 friends on Facebook, and more than 500 connections on LinkedIn. But when she ventured into the world of geotagging—the technology behind many of the social networks that broadcast your location to the Internet—she received an unsettling wake-up call. One evening last February, she picked up her phone and “checked-in” to a local restaurant on foursquare, the popular location-based social network that lets others know where you are in real-time. Foursquare posted her location to her feed and Bugbee went back to chatting with her friends over the menu. That’s when the hostess came over to the table and told her she had a call on the restaurant telephone. Bugbee didn’t recognize the male voice on the other end of the line, and the voice didn’t offer to introduce itself. It told her she shouldn’t use foursquare because if she did, certain people might find out where she lived. She nervously laughed off the creepy comment, telling the caller it was pretty hard to find her house. That set him off. “You stupid bitch,” he said, an opening to a string of insults. She quickly hung up, rattled. The caller had tracked down Bugbee through PleaseRobMe, a website designed to warn people about the risks of geotagging by aggregating and publicizing updates from foursquare. In Bugbee’s case, the warning was effective. PleaseRobMe shut down last spring after a string of incidents like Bugbee’s suggested it might be a little too helpful to would-be criminals. Nevertheless, its founders said they had accomplished their goal of educating users about the risks of broadcasting their location to the world. 
And even without PleaseRobMe, it’s often easy enough to find someone’s location on foursquare itself, especially since many people cross-post their check-ins on Twitter and other websites. Ben Jackson and Larry Pesce had both safety and privacy in mind when they started ICanStalkU in May. With $1,000 and some programming language, the New England-based securities information researchers picked up where PleaseRobMe left off. ICanStalkU shows that even if you try to avoid location-based social networks like foursquare, you may still be unwittingly telling the Internet exactly where you are. ICanStalkU automatically searches thousands of photos on Twitter for geotags, tiny location markers attached to about three percent of all photos posted to the micro-blogging site. Then it turns them into a location message, showing how photos can be used to trace people in real time, using information many have no idea they put out there. [Editor: there’s more here to read; illustrates the emergence of gaps—unintended consequences?—as technology surpasses thorough understanding, not to mention the law. The idea of automated scraping of GPS data from Flickr-like photo sites, and attributing it to an individual, is a perfect example.]

Internet Service Customers’ Online Profiling Claims Proceed (CCH’s Advertising Law Guide, 25 Jan 2011) - Customers of an Internet service provider could go forward with Computer Fraud and Abuse Act (CFAA) and common-law trespass to chattels claims against the ISP for unlawfully diverting their online communications to a third-party Internet advertising company, the federal district court in Billings, Montana has decided. The customers’ claims under the Electronic Communications Privacy Act (ECPA) and for common-law invasion of privacy, however, were dismissed because the customers gave consent for the interception of their communications. The ISP allegedly allowed the advertiser to install software onto its network. The advertiser then allegedly used the software to gather information to create profiles of the ISP’s customers in order to target them with preference-sensitive advertisements. Dale Mortensen and Melissa Becker, individually, and on behalf of themselves and all others similarly situated, Plaintiffs, v. Bresnan Communication, L.L.C. Defendant., U.S. District Court, D. Montana. [Editor: See Steptoe’s blurb on the case here:]

Value Of Hacked Information Can Be Determined By Production Costs (Steptoe’s E-Commerce Law Week, 27 Jan 2011) - The Sixth Circuit recently held in U.S. v. Batti that, under the Computer Fraud and Abuse Act, the value of information that is obtained from a computer without authorization can be determined based on the cost of producing that information, at least where that information has no readily ascertainable market value. This is a useful holding for the government, and by extension for companies, since it makes it easier to convict hackers or disloyal employees of felonies when they access confidential information that cost a lot to create but can’t be easily sold.

- and -

CA8: Cell Phone is “Computer” For 18 U.S.C. Sec. 1030 Purposes (, 8 Feb 2011) - The Eighth Circuit holds that a cell phone is a “computer” for U.S. Sentencing Guidelines enhancement purposes, adopting the district court’s findings and the government’s argument. United States v. Kramer, 10-1983 (8th Cir. February 8, 2011): “We acknowledge that a “basic” cellular phone might not easily fit within the colloquial definition of “computer.” We are bound, however, not by the common understanding of that word, but by the specific — if broad — definition set forth in § 1030(e)(1). Now it may be that neither the Sentencing Commission nor Congress anticipated that a cellular phone would be included in that definition. As technology continues to develop, § 1030(e)(1) may come to capture still additional devices that few industry experts, much less the Commission or Congress, could foresee. But to the extent that such a sweeping definition was unintended or is now inappropriate, it is a matter for the Commission or Congress to correct. We cannot provide relief from plain statutory text. See United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005) (“As more devices come to have built-in intelligence, the effective scope of [§ 1030(e)(1)] grows. This might prompt Congress to amend the statute but does not authorize the judiciary to give the existing version less coverage than its language portends.”).”

Killer Text: A Russian Suicide Bomber Blows Up By Accident (ZDnet, 27 Jan 2011) - On the heels of the serious explosions January 24th at Domodedovo airport in Moscow that killed 39 people and injured 178 more, Russian security services have released strange details of a failed New Years Eve plot to detonate an explosive in Red Square on New Year’s Eve. An unnamed woman, described as a ‘black widow’, was set to detonate a belt of explosives in Red Square when instead the explosive went off early inside the safe house she was in. The bomb, like a number of home made explosives used by militants or terrorists around the globe, was set to be triggered via a cell phone signal, specifically a text message. According to a report by The Daily Telegraph, a text message wishing her a “Happy New Year” was sent to this woman by her mobile phone provider, causing the connected explosive device to detonate.

The Law of Decoy Cameras in Restrooms (Legal Blog Watch, 28 Jan 2011) - Via the Legal As She Spoke blog, I see that patrons of the bathroom in the Circle K convenience store in Yuba County, Calif., are not happy about a surveillance camera aimed straight at the toilet area. Customers such as Robert Donaldson told CBS13 that they were shocked to emerge from the stall to see an electronic eye pointed right at them. Donaldson fears he will end up seeing his trip to the bathroom on YouTube someday. Circle K, however, says the camera is merely a decoy intended to curtail vandalism, and that it doesn’t record anything. Is the camera violating privacy laws? According to Legal As She Spoke, if the camera was found to be “operable” while patrons used the restroom, this would constitute a crime under California law. LASS adds that: “the requisite intrusion could be found through the mere existence of the camera in the restroom if the camera had the capability of recording customers. The camera does not necessarily have to be functional or even plugged in. All the would-be plaintiffs have to prove is that it was possible for store employees to render the camera functional, thereby invading the privacy of anyone who used the restroom.”

Do Employers Really Tread a Minefield When Firing Employees for Facebook Gaffes? (Eric Goldman’s Blog, 28 Jan 2011) - I’m not sure why, but this Wall Street Journal article (“Can Employers Fire Over Facebook Gaffes?”) screamed out for a comment. Maybe this is just a case of headline puffery, but the idea that there is some sort of legal minefield facing private employers who fire their employees over Facebook gaffes sounds silly. Most states adhere to some version of the “employment at will” rule, which means that you can fire an employee for any reason or no reason at all. Numerous exceptions have chipped away at this rule over the years, but as long as you steer clear of those exceptions, there’s nothing out there as far as I know that says you can’t fire an employee for a Facebook gaffe. In any event, there hasn’t been much activity in the courts over social media-related firings when it comes to private sector employees. You would think from reading the article that examples of employers stepping on legal landmines would be plentiful, but the examples from the article aren’t particularly relevant. Some involve public sector employees (admittedly an area of a fair amount of litigation activity). Another example includes the Cisco in-house lawyer/blogger who butted heads with someone he called a patent troll. A third case involved restaurant employees whose semi-private page their supervisor accessed. (Claims around the allegedly improper access of employee communications by employers have been an area where there actually has been a lot of activity. See, e.g., “Pure Power Boot Camp v. Warrior Fitness Boot Camp” (granting summary judgment in favor of ex-employees based on the improper access of their emails by the employer).) I think we will be hard pressed to see an example of a private company getting into hot water for disciplining or firing its employee over a Facebook gaffe (unless of course, there are other issues in the background). 
(Maybe I’m wrong, and there are a slew of cases cycling their way through the courts, but the article certainly does not cite to any.) The article does make a good point that social media allows the private and public to mix in ways that were not possible or likely before, and this could have legal consequences (e.g., an employer finds out about an employee’s health condition or membership in a protected class). The article also highlights the ongoing case involving the NLRB, which argued that Facebook posts complaining about employment conditions can be “concerted activity,” and the employer’s social media policy in that particular case chilled or restricted this activity. (As this post in the Courant notes, settlement discussions are ongoing in that case: “Settlement Talks Underway In Facebook Firing Case.” Here’s a post from Molly DiBianca that tells everyone to take a deep breath on this issue: “Employers, Don’t Despair. Social-Media Policies Are Not Prohibited by the NLRA.”)

- and -

Facebook Firing Case Is Settled (WSJ, 8 Feb 2011) - A company that fired a worker after she posted negative remarks about her boss on Facebook has settled a complaint brought by the National Labor Relations Board by agreeing to revamp its rules to ensure they don’t restrict workers’ rights, the NLRB said. A separate, private settlement was reached between the employer—ambulance service American Medical Response of Connecticut Inc.—and the employee, though terms of that agreement weren’t immediately available. The worker, Dawnmarie Souza, was a member of the Teamsters union and the Teamsters represented her before the NLRB. The case had become a test of how much latitude employees may have when posting comments about work matters from their home computers on social media sites such as Facebook. When the National Labor Relations Board issued its complaint about the firing last fall, it alleged the firing was illegal because the online posting constituted “protected concerted activity” under the National Labor Relations Act. That law allows employees to discuss the terms and conditions of their employment with co-workers and others, and the employee involved in the case had posted comments about her supervisor and responded to further comments from her co-workers, the NLRB said. The NLRB had also alleged the company maintained and enforced overly broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees. At the time the complaint was announced, American Medical Response of Connecticut denied the allegations and said the employee in question was discharged “based on multiple, serious complaints about her behavior.” The employee was also being held accountable for negative personal attacks that she posted on Facebook about a coworker, the company said at the time, and added that it believes those statements were not concerted activity protected under federal law. 
Under the terms of the settlement approved by the NLRB’s Hartford, Conn., Regional Director Jonathan Kreisberg, the company agreed to revise its rules. The company agreed not to discipline or discharge employees for engaging in discussions about wages and other work issues when not on the job, the NLRB said.

Sixth Circuit Holds Probable Cause Warrant Required for Private Email (Wiley Rein, Jan 2011) - In United States v. Warshak, 2010 WL 5071766 (Dec. 14, 2010), the U.S. Court of Appeals for the Sixth Circuit ruled that the Fourth Amendment prevents law enforcement from obtaining stored email communications without a warrant issued based on a showing of probable cause. Accordingly, the court held to be unconstitutional the provision of the Stored Communications Act (SCA), 18 U.S.C. §§ 2701 et seq., a part of the Electronic Communications Privacy Act (ECPA), that permits warrantless government access to certain stored emails. The Sixth Circuit decision has several notable elements that may affect the way in which electronic communications service providers, such as Internet Service Providers (ISPs) and social networking sites, handle their obligations to government investigators under the SCA. It serves as yet another indication of the need for clarifying amendments to the ECPA. [Editor: very, very useful analysis of the case and the possibility that too-eager cooperation with subpoena requests (from law enforcement) could imperil ISP immunities.]

Cost of Regulatory Security Compliance? On Average, $3.5m (Network World, 31 Jan 2011) - The cost of achieving regulatory security compliance is on average $3.5 million each year, according to a survey of 160 individuals leading the IT, privacy and audit efforts at 46 multinational organizations. “The True Cost of Compliance,” a research study done by Ponemon Institute and sponsored by Tripwire, makes the point that if that $3.5 million figure for the average cost sounds high, the average cost for organizations that experience non-compliance-related problems is far higher -- $9.4 million. Costs related to “business disruption, reduced productivity, fees, penalties and other legal and non-legal settlement costs” pile up when legal and regulatory compliance goals are not met, the study asserts. The array of regulatory requirements facing organizations runs the gamut from the U.S. state laws for data breach to Sarbanes-Oxley to the European Union’s Privacy Directive and more. But the Payment Card Industry Data Security Standard was deemed to be “most important” in terms of influence and “the most difficult to comply with,” according to the survey’s respondents. The Ponemon report covered industries that include consumer products, technology, retail, industrial, public sector, healthcare, communications, education and research, financial services, transportation, pharmaceutical and energy. The survey respondents hold job titles that include chief information security officer, compliance officer, IT operations leader, audit director and others. The Ponemon study is here:

EFF Releases Report Analyzing Surveillance of Americans During Intelligence Investigations Conducted Between 2001 and 2008 (BeSpacific, 1 Feb 2011) - In a review of nearly 2,500 pages of documents released by the Federal Bureau of Investigation as a result of litigation under the Freedom of Information Act, EFF uncovered alarming trends in the Bureau’s intelligence investigation practices. The documents consist of reports made by the FBI to the Intelligence Oversight Board of violations committed during intelligence investigations from 2001 to 2008. The documents suggest that FBI intelligence investigations have compromised the civil liberties of American citizens far more frequently, and to a greater extent, than was previously assumed. In particular, EFF’s analysis provides new insight into the number of Violations Committed by the FBI... Report here:

Watch Your Social Media Posts Because Lawyer Regulators, FTC May Be (ABA Journal, 1 Feb 2011) - While social media marketing is still in its Wild West stage, devil-may-care attorneys recklessly exploiting the media could soon face grief, according to a panel that helped open LegalTech New York 2011 this week. Lawyers engaging in hyperbole on blogs, artificially inflating the number of followers they have on Twitter or otherwise using social media deceptively may soon be getting a call from their disciplinary authority or even the Federal Trade Commission. “You have to be aware of the risks, and you have to make sure you have policies and procedures in place,” said panel member Michael Lackey Jr., a Washington, D.C.-based partner at Mayer Brown. The problem, Lackey indicated on Monday, is that sites like Facebook, Twitter and LinkedIn are still so new that many attorneys do not see social media as subject to the same rules that govern promotion in more traditional media. Some Twitter users, for example, try to exaggerate their status on the network by following (linking to) tens of thousands of complete strangers whose Twitter posts they never read. Generally a small but significant percentage of these newly followed users will give a link back as part of an unspoken “wink and a nod”: You pretend to follow me, I’ll pretend to follow you, and we’ll both seem more important. In everyday marketing, it’s a practice often seen as a harmless fib. But for those who practice law, the behavior could be frowned upon by a disciplinary authority, according to panelist Bradley Shear, a Bethesda, Md., attorney. Meanwhile, other attorneys eager to make reputations for themselves could fall into a similar trap by giving casual legal advice on blogs, in Twitter posts or in online discussion communities read anywhere in the world. No matter how well-meaning, such activity could be characterized by state authorities as practicing law outside a jurisdiction, according to Lackey.

Yellow Pages Companies Challenge Seattle Opt-out Ordinance on First Amendment Grounds (Eric Goldman’s blog, 3 Feb 2011) - In what many will probably characterize as a dinosaur’s last gasp litigation strike, two yellow pages companies sued to invalidate the City of Seattle’s scheme to allow its residents to opt-out from yellow pages distribution. They are likely to be successful this time around. In fact, after reviewing plaintiffs’ summary judgment motion, I’m surprised the City of Seattle just doesn’t go back to the drawing board and rewrite the statute. Conceptually, yellow pages fall within the category of materials that citizens should be able to opt-out from. Yellow pages are not political speech. They are heavy and cost money to dispose of, and they are delivered somewhat intrusively to your doorstep. Should the government be allowed to restrict delivery of this material to citizens who opt-out? The answer is likely yes, and the classic case cited in support of the constitutionality of an opt-out is Rowan v. United States Post Office, 39 U.S. 728 (1970). Rowan involved a statute which allowed people to opt-out from mailings which the recipients deemed obscene and which were sent through the postal service. Although not perfectly analogous, it certainly lends some support to the general idea that an opt-out from unwanted intrusive communications should be constitutionally acceptable.

Top UK Court OKs Tweets and Live-Texting Under Most Circumstances (ABA Journal, 3 Feb 2011) - Journalists, legal teams and the public are all permitted to use Twitter to send live tweets from the United Kingdom’s highest court, according to guidance provided today. Because its proceedings don’t involve jurors or witnesses, says the U.K. Supreme Court in a press release (PDF) concerning “live text based communications,” there is ordinarily no reason why they would pose a problem, and they will routinely be allowed. However, in some matters, such as child-welfare cases and any matter in which there is a court restriction on reporting, live-blogging will be banned and notice will be posted on the courtroom doors, reports the Daily Mail. Its article also provides a rundown on what has happened so far concerning live-texting in the lower courts. “The rapid development of communications technology brings with it both opportunities and challenges for the justice system,” says the supreme court’s president in the press release. “An undoubted benefit is that regular updates can be shared with many people outside the court, in real time, which can enhance public interest in the progress of a case and keep those who are interested better informed.”

IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim (Information Law Group, 3 Feb 2011) - In one of InfoLawGroup’s first blogposts to kick off 2011 we surveyed a handful of privacy lawsuits that are in the process of potentially altering the privacy and security legal risk landscape. ILG recently discovered another case (through an excellent service we use called Nymity), one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et. al v. Chicago Public Schools, et. al, an Illinois appellate court upheld a lower court’s dismissal of a lawsuit involving the unauthorized disclosure of sensitive personal information, including names, addresses, social security numbers, marital status, dates of birth, medical and dental insurers and health insurance plan information. While we have seen plenty of courts dismissing data breach cases on motion to dismiss, most of those have focused on the lack of alleged damages. In Cooney, however, the court actually rendered a decision on whether any common law duty exists to safeguard personal information for purposes of a negligence claim. The Cooney court’s ultimate answer was that no such duty exists. In this blogpost we take a closer look at the court’s rationale for dismissing the plaintiffs’ negligence claim, as well as the other interesting holdings of the court.

First Joint Russian-U.S. Report on Cyber Conflict (EastWest Institute, 3 Feb 2011) - The EastWest Institute released the first joint Russian-American report aimed at defining the “rules of the road” for cyber conflict. Prepared by a team of Russian and U.S. experts convened by EWI, Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace explores how to extend the humanitarian principles that govern war to cyberspace. “Today, nearly all critical civilian infrastructure is online, from the electricity grids that support hospitals to the systems that guide passenger planes through the air,” says EWI Chief Technology Officer and Distinguished Fellow Karl Rauscher, who led the U.S. experts group. “And, by and large, it is not protected by international norms.” Rauscher and Andrey Korotkov, the leader of the Russian experts group, are the principal co-authors of the report. They led the cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace, each focused on a crucial question: *** Report here:

LexisTexas: Privatizing Access to Public Courts (Justia blog, by Carl Malamud, 4 Feb 2011) - In April 2010, Karen McPeters filed a federal class action complaint against Montgomery County, Texas, and LexisNexis seeking to enjoin the county from requiring litigants to file all documents with the court through LexisNexis File & Serve. In the complaint, she alleged that the fees amounted to a poll tax and a denial of due process and equal protection. The Court dismissed her federal claims and declined to exercise supplemental jurisdiction to hear her state claims, suggesting that they are more properly heard by the state courts. We have pulled the filings for the federal case and posted them to Justia Dockets & Filings. (For free! The irony.) McPeters filed in state court on January 25, 2011, according to Courthouse News. Courthouse News and 3 Geeks and Law Blog (see also their April post) posted about this case this week, and they have done a great job covering the details and legal analysis—so I’ll leave that to them. I decided to post about this anyway because I think it’s important that this issue get as much coverage as possible. It highlights the current problems with our pay-to-play legal system in a way that everyone—lawyers and consumers—can understand. Based on the allegations in the complaint, McPeters tried to file a civil rights complaint in the County court and the Clerk refused to accept a paper filing presented to her. She also returned a mailed complaint back to the Plaintiff marked “VOID,” based on the Judge’s 2003 ruling requiring that all civil filings (with some exceptions) be filed through the LexisNexis product. The federal court found that she did have two alternatives to e-filing on her own: (1) seek leave of the Court to file a hard copy and (2) use the public access terminal at the Courthouse. However, they expressed concerns about the e-filing system, in general: “Although no federal statutory or constitutional claim is available in this case, the Court is indeed troubled by certain aspects of the e-filing system at issue. It is not clear that the e-filing system, and the accompanying fees, were properly adopted within the bounds of applicable Texas law.” (at 19).

DoD Leads In Federal Open Source Usage (Slashdot, 4 Feb 2011) - GMGruman writes

NIST Issues Cloud Security Guidelines (Information Week, 4 Feb 2011) - Organizations implementing cloud computing should think about security first before deploying a production environment, according to the National Institute of Standards and Technology (NIST). The advice is one of several guidelines NIST has issued in one of two draft documents on cloud computing, which offer the first set of guidelines for how the federal government manages security and privacy in the cloud. Government agencies look to NIST for guidance in deploying technologies, and the standards body sets security requirements for technology the government uses under the Federal Information Security Management Act (FISMA). At the behest of U.S. CIO Vivek Kundra, NIST hastened its publishing of cloud computing security guidelines to promote a “cloud-first” mandate he handed down in December. The policy asks agencies to first consider the cloud when considering new IT projects. One of the new documents, NIST Special Publication (SP) 800-145, defines cloud computing, while the other, SP 800-144, sets guidelines for security and privacy. In addition to thinking of security first, organizations also should ensure, if using a public cloud from a service provider, that it meets designated security and privacy requirements. They also should see to it that their client-side computing environment can meet the same standards as well, according to NIST.

The Rise of LinkedIn as Login of Choice (ReadWriteWeb, 7 Feb 2011) - Over the last year, Facebook has become increasingly dominant in terms of being used as the user identity and login on third-party sites. Last summer, we reported that Facebook had dominated as the third-party login of choice, surpassing sites like Twitter, Google and Yahoo in all realms but one - news. News sites saw users logging in almost twice as often using Twitter. Now, it looks like another site is gaining ground in another realm. Career-centric social network LinkedIn is growing as the login of choice for business-to-business (B2B) sites, proving once again that users prefer certain identities for certain online activities. Gigya, a provider of tools for social sharing and third-party logins, took a look at the numbers and found that, since its last round-up of social logins in July 2010, LinkedIn has skyrocketed as the login of choice for B2B sites. According to Rachel Peterson, a spokesperson for the company, LinkedIn has seen increased use as a third-party login ever since it updated its profile API. The site has seen an increase from 3% to 20% in just over six months. “LinkedIn has a strong case that a single social graph through Facebook is not sufficient,” said Peterson. “Professionals want to apply different profile data to business oriented sites and share that content with a different group of people than their FB friends.”

75% Of Small Businesses Are Increasing Social Media Spending This Year (Business Insider, 8 Feb 2011) - In December, SaleSpider conducted a survey and one-on-one interviews to find out how mid to small-sized companies use social media. Of the 384 businesses that responded, most thought social media marketing worked really well and planned to up their efforts in 2011. Here are the significant findings:
·      75% of small businesses will do even more social media marketing in 2011
·      63% thought social networking drove their sales and increased revenue
·      40% of the 63% said social networking made a “significant” impact on their sales and revenue
·      In 2011, most small businesses are going to spend between 26% and 50% of their time and budget on social networking (34%)
·      53% are currently using or will soon use social networking sites from their mobile device.

Is It Copyright Infringement To Pass A DMCA Notice On To ChillingEffects (TechDirt, 9 Feb 2011) - Tom Rubin, who happens to be Microsoft’s chief counsel for intellectual property strategy, has a blog post up at the Center for Internet and Society at Stanford, where he highlights the worrying trend of filers of DMCA takedown notices forbidding the recipient to publish or pass the notice on to third parties like ChillingEffects. From the notice: “IMPORTANT NOTICE: None of the information contained in this legal notice is to be transmitted and/or released to any third party, including but not limited to Chilling Effects, without the express written permission of the copyright owner and or his agent. As stated in Section 512 of the Digital Millennium Copyright Act, and in the normal course of processing and notifying the infringing counter party, recipient must only include information specific to that counter party’s infringement and must not include this entire notice. Any re-transmission in whole or in part of this legal notice by the intended recipient will be a direct violation of U.S. and International Copyright Law and will be prosecuted to the fullest extent of the law by the copyright owner.” Yes, that’s right. The company is claiming that the DMCA takedown notice itself is copyrighted and that passing it along will constitute infringement. Of course, this raises some questions.

Second Life Forum Selection Clause Upheld--Evans v. Linden Research (Eric Goldman, 9 Feb 2011) - Evans v. Linden Research, Inc. (E.D. Pa. Feb. 3, 2011); This lawsuit is similar to the Bragg lawsuit from a few years ago, which argued that land purchases in Second Life were equivalent to real property purchases (due to marketing representations made by Second Life), so Second Life couldn’t unilaterally reclaim land from its users. In 2007, Bragg won a favorable jurisdictional ruling, defeating Second Life’s invocation of the forum selection clause in its user agreement. See Bragg v. Linden Research, Inc., 487 F. Supp. 2d 593 (E.D. Pa. 2007). The parties subsequently settled. Now, another group of plaintiffs are taking a run at Second Life on the same basic theories. I don’t normally blog on forum selection clause cases any more, but this case is interesting because Second Life changed its fate. In contrast to the Bragg ruling, this opinion upheld Second Life’s forum selection clause, shipping the case from ED Pa. to ND Cal. The new case involves the same basic arguments as the Bragg case, filed in the same court against the same defendant, and the decisions were written by the same judge. How did Second Life work this turnaround? After the Bragg ruling, Second Life changed its user agreement’s forum selection clause to basically mimic the approach eBay uses in its user agreement: mandatory jurisdiction/venue in Second Life’s home court except for permissive virtual arbitration for low-dollar-value disputes. eBay adopted this structure in the early 2000s after it got a scary ruling in Comb v. PayPal, and since then eBay has had some litigation success with its new clause. Here, Second Life changed its contract from a mandatory arbitration clause--which failed--to eBay’s mandatory jurisdiction/venue + permissive arbitration approach--which works. Nicely done.

Court Holds that Data About Car Speed and Brake Usage Stored in Car’s Computer Protected by Fourth Amendment (Volokh Conspiracy, 9 Feb 2011) - A California appellate court has handed down a fascinating opinion today in State v. Xinos on whether and how the Fourth Amendment regulates government access to data stored in a car’s internal computer that controls the airbags and seatbelts. After a fatal car accident, the police downloaded the data from the impounded car and used it to help reconstruct the accident and convict the driver of vehicular manslaughter. The information from the computer “showed information captured during the five seconds before defendant’s vehicle experienced a change in velocity. It disclosed the vehicle’s speed during the five seconds before the incident” and showed that the brakes had been activated at that time. Held: The data was protected by the Fourth Amendment, the retrieval of the data was unconstitutional, and the conviction had to be overturned.

Leaked Security Firm Documents Show Plans to Discredit WikiLeaks, Glenn Greenwald (ReadWriteWeb, 10 Feb 2011) – “You’ve angered the hive,” said Anonymous, in response to the efforts of security firm HBGary’s attempts to infiltrate and expose its inner workings. As we reported yesterday, the loose collective of online vigilantes - Anonymous - responded to a story in The Financial Times and the actions of HBGary’s CEO Aaron Barr by hacking into the company’s systems and releasing tens of thousands of its emails and documents. Among those documents, an outline of plans to systematically discredit WikiLeaks, along with Salon journalist (and WikiLeaks supporter) Glenn Greenwald. A proposal entitled “The WikiLeaks Threat” was developed by Palantir Technologies, HBGary, Berico Technologies upon request from Hunton and Williams, a law firm whose clients include Bank of America, the bank widely rumored to be the target of WikiLeaks’ next leak. The proposal (mirrored on the WikiLeaks site) offers suggestions on how to disrupt and discredit WikiLeaks, apparently including cyberattacks on its infrastructure and leaking misinformation in the hopes that WikiLeaks could be caught in a “gotcha” moment. More surprising and arguably more troubling: the proposal suggests an attack on Glenn Greenwald, a journalist who has been an active supporter of WikiLeaks and of Bradley Manning, the U.S. soldier charged with leaking many of the classified documents that WikiLeaks distributed. “This level of support needs to be disrupted.” The proposal suggests that “without the support of people like Glenn WikiLeaks would fold.” That seems a rather silly contention, but the idea that one would target a journalist like this is chilling to say the least. It’s worth noting that nothing in the document or its accompanying email chain suggests that these plans ever became more than PowerPoint presentations. There’s no indication that the Bank of America signed off on support for a smear campaign. And HBGary has not commented on the attacks by Anonymous or on the veracity of any of these documents.

Haiti Sings: Using the Law to Empower Musicians (Boston University, 14 Jan 2011) – [Editor: Illuminating 4m30s videocast about the Haitian musicians and the Internet Bar’s project there. Note: I’m on their advisory board. For more information, visit or email Jeff Aresty:]

**** RESOURCES ****
State Cyberbullying Laws: A Brief Review of State Cyberbullying Laws and Policies (Jan 2011) – [Editor: table listing by State, of types of cyberbullying laws; supplemented by State-by-State description of laws and pending laws, most with URL references.]

**** DIFFERENT ****
Google Goes High Brow – Unveils Museum Art Project Powered By Street View ‘Indoor’ Tech (TechCrunch, 1 Feb 2011) - Google has gone all high brow on us, unveiling its Art Project, a collaboration with art museums around the world to enable people to enjoy their collections without leaving the house. It’s powered in-part by Google’s Street View ‘indoor’ technology and started off as a ‘20% project’ – the time set aside for Google engineers to work on their own ideas. Eighteen months in the making, Google says it’s worked with 17 art museums including, Altes Nationalgalerie, The Freer Gallery of Art Smithsonian, National Gallery (London), The Frick Collection, Gemäldegalerie, The Metropolitan Museum of Art, MoMA, Museo Reina Sofia, Museo Thyseen – Bornemisza, Museum Kampa, Palace of Versailles, Rijksmuseum, The State Hermitage Museum, State Tretyakov Gallery, Tate, Uffizi and Van Gogh Museum. The results consist of a slick website featuring “super high resolution images” of famous artworks, all nicely collated and supported by 360 degree ‘Street View’-style tours of individual galleries. Other Google tech tie-ins include videos from YouTube and those 360 degree tours of museums showing up on Google Maps. As for the employment of Street View, a special ‘trolley’ was used by Google to capture those 360 degree images of the interior of various galleries, which were then stitched together to enable navigation of over 385 rooms within the featured museums. And when Google says “super high resolution”, the company is referring to the use of so-called ‘gigapixel’ photo capturing technology. Each such image contains around 7 billion pixels, the search giant tells us, “enabling the viewer to study details of the brushwork and patina beyond that possible with the naked eye.” [See also NYT article on 7 Feb 2011.]

Website Challenges Visitors to Do Nothing (Mashable, 22 Jan 2011) - We’ve found it: the perfect weekend activity. Here’s a website that doesn’t want you to do anything. That’s right, nothing. This simple site, Do Nothing for Two Minutes, challenges you to do just that — nothing — and if you touch your mouse or keyboard during the countdown, you’re greeted with a “Fail” message. We would suggest Do Nothing for 2 Minutes creator Alex Tew and developer Ben Dowling add a motion-sensing webcam to the mix, so the only way to pass this challenging test would be to remain still, barely breathing. [The internet version of intro-Zazen meditation?]

E-COMMERCE PROTOCOL AIMS AT QUICK DISPUTE RESOLUTION In an effort to speed up e-commerce dispute resolution, a number of major companies, including AT&T, DaimlerChrysler and Microsoft, are signing on to an “e-commerce protocol” drafted by the American Arbitration Association. The document, being released today, lists only vague principles, such as “fairness,” “continuity of business” and “commitment to technology,” but arbitration association president William K. Slate II says his organization will be rolling out over the next several months “proprietary” technologies that will make it possible to resolve disputes quickly. (Wall Street Journal 4 Jan 2001)

EMAIL-LESS WHITEHOUSE? (NewsFactor Network, 22 Jan. 2001) Discovering what many Internet users already fear -- a loss of privacy -- President George W. Bush has sworn off using e-mail messages, at least while he is in the White House. “E-mail is very permanent,” said Andrew Shen of the Electronic Privacy Information Center, “and the executive office is not covered by the 1974 federal privacy act.” Bush told reporters over the weekend that he will talk with his father, former President George H.W. Bush, over the phone on a regular basis and “bounce things off him sometimes.”

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at Get supplemental information through Twitter: #mirln.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School
2. InsideHigherEd
3. SANS Newsbites
4. NewsScan and Innovation
5. BNA’s Internet Law News
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.