Saturday, March 26, 2011

MIRLN --- 6-26 March 2011 (v14.04)

MIRLN --- 6-26 March 2011 (v14.04) --- by Vince Polley and KnowConnect PLLC
(supplemented by related Tweets: #mirln)

The MIRLN podcasts now are on iTunes -- or search for “MIRLN”. Or, you can find them at, and an RSS feed is available.

·      Dead.Ly URL’s and Authoritarian Social Network Tracking
·      Massive Intervention
·      Mass. AGO Web Communications Policies
·      Software Best Practices and Open Source Derivative Works
·      Michigan Town Split on Child Pornography Charges
·      New Report on Business Models for Scholarly Publishing
·      Cost of a Data Breach Climbs Higher
·      Hacking of DuPont, J&J, GE Were Undisclosed Google-Type Attacks
·      Judge: Debt Agency Can’t Contact or Search for Woman on Facebook
·      Important Ninth Circuit Ruling on Keyword Advertising
·      Researchers Show How a Car’s Electronics Can Be Taken Over Remotely
·      Google Again Sued Over Gmail Content Scanning
·      Law Enforcement Use of GPS Devices, and More from CRS
·      The “Adam Smith” Award for Innovation in Legal Service Delivery
·      Legal Industry Does Not Exist on ‘LinkedIn Today’
·      Radio Daze
·      Robots and the Law?
·      The Digital Pileup
·      As Law Student Readies Reverse Auction Site, Law Bloggers React to ‘eBay’ of Lawyering
·      What Auditors Are Saying About Compliance And Encryption
·      Web Host Liable For Contributory Infringement
·      New Site Offers Free Video ‘Nuggets’ of CLE
·      Righthaven Loses Second Fair Use Ruling Over Copyright Lawsuits
·      Crowdsourcing the Preservation of U.S. War Papers
·      Chin Decides Google Books Settlement Would ‘Go Too Far’
·      Spot Me If You Can: Uncovering Spoken Phrases In Encrypted VoIP Conversations
·      Cornell Library Rejects Non-Disclosures On Journal Pricing; Will Reveal All Prices
·      The Deplorable State of Law Firm Security


Dead.Ly URL’s and Authoritarian Social Network Tracking (ZDnet, 27 Feb 2011) - The escalating unrest in North Africa and other parts of the world continues to make us wonder about the fundamental levers of control of the entire internet, and its uses for mass interactions and broadcasts., the uniform resource locator (web site url address) shortener widely used by marketers and Twitter users relies on .ly, the Internet country code top-level domain (ccTLD) for Libya and it’s still far from clear who ultimately controls the off switch for those domains. According to they have five root nameservers for the .ly ccTLD: two in Oregon, one in the Netherlands and two in Libya. The Oregon and Netherlands servers are presumably reliant on obtaining updates from the .LY registry inside Libya. If they can’t, at some point they will consider the data they have stale/obsolete and stop providing information on the .LY domain. If the Libyan registry is cut off the internet the availability of .LY domains would be compromised somewhere between 0 and 28 days, with inconsistencies increasing as attempts to ‘phone home’ to the Libyan TLD servers got no response.

Massive Intervention (Der Spiegel, 28 Feb 2011; computer-translated version) - The businessman wanted to go home. Eight hours had taken the flight from India, but now delayed by the customs officials at the Munich Airport his return. A routine check, said. Personal, luggage, laptop. It did, but the conscience of the passengers was clear and there was nothing to declare. Only with his computer, the inspectors disappeared into the next room. Shortly after clear: everything is fine. Safe journey home. The little stopover at the airport “Franz Josef Strauss in mid-2009 has what it takes, in Berlin again ignite a debate on the powers of investigative authorities. It’s in the digital age is an issue that divides the black-yellow coalition in the federal government: when and how far the state may enter to combat crime in the computers of its citizens? For the merchant from Bavaria was under that control a little more baggage than the first. On his computer had the Bavarian State Criminal Police Office (LKA) a spyware hiding. The secret at the airport installed program secured by the police far-reaching access to the laptop. Once the device connects to the Internet, it sent every 30 seconds a photo of the screen to the investigators - some 60,000 in three months.,1518,748110,00.html&prev=_t& [Spotted by MIRLN reader Michael Fleming of Cray, Inc.]

Mass. AGO Web Communications Policies (Office of the Attorney General, March 2011) - The Attorney General’s Office uses several social media tools for outreach, education and information. These online tools help the office reach more residents with helpful consumer and safety information, and are intended to enhance, but not replace, the office’s interaction with constituents and the media. [Editor: discussion of the AGO’s blog, Twitter, Flickr, YouTube, and e-newsletter communications vehicles]

Software Best Practices and Open Source Derivative Works (Citizen Media Law Project, 2 March 2011) - We received a request not long ago from one of the lawyers in our Online Media Legal Network who is looking for legal resources on a couple different issues tied to software development, particularly open source software development. And frankly, they’re the sorts of resources that we expect more and more lawyers will have need for. Thus, we’re reposting the requests here - along with my first stab at researching them - in the hopes of drumming up a bit of crowdsourcing to find the answers. The first request was for best practices, procedures, and policies relating to management of the software development function. Of particular concern is situations where developers are writing original code, licensing commercial code, and using open source code in developing software that is redistributed to nonprofits. What recommendations are out there for such best practices in complying with the various licenses? Next, the lawyer was wondering at what point the GNU General Public License (“GPL”) kicks in and “infects” other software. As the lawyer says, “Clearly derivative works are covered, but I am trying to get a better handle on how much linking, touching, combining, etc. gives rise to the viral requirement.” [Editor: the story carries links to various relevant resources.]

Michigan Town Split on Child Pornography Charges (NYT, 7 March 2011) - People in this economically pressed town near Lake Michigan are divided into two camps: Those who think Evan Emory should pay hard for what he did, and those who think he should be let off easy. Mr. Emory, 21, an aspiring singer and songwriter, became a household name here last month when he edited a video to make it appear that elementary school children in a local classroom were listening to him sing a song with graphic sexual lyrics. He then showed the video in a nightclub and posted it on YouTube. Tony Tague, the Muskegon County prosecutor, stands firmly in the first camp: He charged Mr. Emory with manufacturing and distributing child pornography, a crime that carries a penalty of up to 20 years in prison and 25 years on the sex offender registry. Mr. Emory, who had gotten permission to sing songs like “Lunchlady Land” for the first graders, waited until the students left for the day and then recorded new, sexually explicit lyrics, miming gestures to accompany them. He then edited the video to make it seem as if the children were listening to the sexual lyrics and making faces in response. Mr. Emory’s supporters, including the almost 3,000 people who have “liked” the “Free Evan Emory” page on Facebook, say the charge is a vast overreaction to a prank gone astray, and a threat to free expression. Legal experts say the case — and the strong reactions it has drawn from places as far as Ireland and Australia— underscores the still evolving nature of the law when it comes to defining child pornography in the age of Facebook, YouTube and sexting. But with the rise of technology, said Carissa B. Hessick, an associate professor at the Sandra Day O’Connor College of Law at Arizona State and an expert on child pornography and criminal sentencing, “now we have situations where people are being arrested and charged” in connection with digitally altered images, where no child was abused.

New Report on Business Models for Scholarly Publishing (InsideHigherEd, 7 March 2011) - University presses need to consider new business models, and share information on successful new approaches, but no one model should be assumed to be correct for all, according to a report being released today by the Association of American University Presses. “[T]he simple product-sales models of the 20th century, devised when information was scarce and expensive, are clearly inappropriate for the 21st-century scholarly ecosystem. As the report details, new forms of openness, fees, subscriptions, products, and services are being combined to try to build sustainable business models to fund innovative digital scholarly publishing in diverse arenas,” the report says. The report stresses the role of university presses in vetting and improving scholarly writing, not just publishing it, and that emphasis turns up in several recommendations. “Open access is a principle to be embraced if publishing costs can be supported by the larger scholarly enterprise. University presses, and nonprofit publishers generally, should become fully engaged in these discussions,” the report says. Another recommendation: “Proposals and plans for new business models should explicitly address the potential impact of the new model on other parts of the press’s programs, as well as explicitly address the requirements, both operational and financial, for making the transition to a new model.”

Cost of a Data Breach Climbs Higher (Ponemon Institute, 8 March 2011) - Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore. But, that hasn’t happened yet. The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it. It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends.
·      Rapid response to data breach costs more. For the second year, we’ve seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent more. Fueling this rush to notify is compliance with regulations like HIPAA and the HITECH Act and the numerous state data breach notification laws. It seems that U.S. companies have this urgency to just get the notification process over with. Unfortunately, these companies are in such a hurry to do the right thing and notify victims that they end up over-notifying. This causes customers who are not actually at risk to lose trust in the company and abnormal customer churn increases. Companies that take a more surgical approach and spend the time on forensics to detect which customers are actually at risk and require notification, ultimately spend less on data breaches.
·      Malicious or criminal attacks are causing more breaches. This year malicious attacks were the root cause of 31 percent of the data breaches studied. This is up from 24 percent in 2009 and 12 percent in 2008. The significant jump in malicious attacks over the past two years is certainly indicative of the worsening threat environment. Malicious attacks come from both outside and inside the organization, ranging from data-stealing malware to social engineering. What’s more, these data breaches are the most expensive. Malicious attacks create more costs because they are harder to detect, the investigation is more involved and they are more difficult to contain and remediate. Another reason malicious attacks are so expensive is the criminal is out to monetize their work; they’re trying to profit off the breach. However, it’s not always the bad guys doing bad things that cause data breaches. It’s often your best employees making silly mistakes. Negligence is still the leading cause of data breaches at 41 percent. [Editor: This is the definitive benchmark study of breach costs, conducted with the same methodology over several years. Well worth study.]

Hacking of DuPont, J&J, GE Were Undisclosed Google-Type Attacks (Bloomberg, 8 March 2011) - The FBI broke the news to executives at DuPont Co. late last year that hackers had cracked the company’s computer networks for the second time in 12 months, according to a confidential Dec. 9, 2010, e-mail discussing the investigation. About a year earlier, DuPont had been hit by the same China- based hackers who struck Google Inc. and unlike Google, DuPont kept the intrusion secret, internal e-mails from cyber-security firm HBGary Inc. show. As DuPont probed the incidents, executives concluded they were the target of a campaign of industrial spying, the e-mails show. The attacks on DuPont and on more than a dozen other companies are discussed in about 60,000 confidential e-mails that HBGary, hired by some of targeted businesses, said were stolen from it on Feb. 6 and posted on the Internet by a group of hacker-activists known as Anonymous. The companies attacked include Walt Disney Co., Sony Corp., Johnson & Johnson, and GE, the e-mails show. The incidents described in the stolen e-mails portray industrial espionage by hackers based in China, Russia and other countries. U.S. law enforcement agencies say the attacks have intensified in number and scope over the past two years. A Baker Hughes spokesman, Gary Flaharty, confirmed in an interview last month that his company’s networks were breached. Baker Hughes decided the intrusion was not a material event and so didn’t file a disclosure with U.S. regulators, he said. [Editor: on 5 Nov 2010 I tweeted from a DC symposium on law & national security: “FBI: every CEO in America knows that their company networks have been penetrated; often results in complete access.” There’s real, unreported, huge economic activity going on behind/under these penetrations.]

Judge: Debt Agency Can’t Contact or Search for Woman on Facebook [or other SM services] (AP, 9 March 2011) - A Florida judge has ordered a debt collection agency to not use Facebook or any other social media site in an attempt to locate a woman over a $362 unpaid car loan. Judge W. Douglas Baird also ordered Mark One Financial LLC of Jacksonville, Fla. to refrain from contacting the woman’s family or friends on Facebook.

Important Ninth Circuit Ruling on Keyword Advertising (Eric Goldman, 9 March 2011) - We’ve had surprisingly few appellate decisions involving keyword advertising generally, and almost none involving trademark owners’ lawsuits against keyword advertisers (as opposed to suing keyword sellers like search engines). On that basis alone, this ruling is important. The case is also remarkable because the opinion, written by highly regarded Judge Wardlaw, gets so many things right. Perhaps that sounds like damning with faint praise, but the reality is that the Ninth Circuit’s Internet trademark law has become horribly tortured due to deeply flawed opinions like the 1999 Brookfield case. This opinion deftly cuts through the accumulated doctrinal cruft and lays a nice foundation for future Internet trademark jurisprudence. The only sour note is that the opinion makes some unnecessary and empirically shaky “presumptions”--exactly the kind of unfortunate appellate court fact-finding that got the Ninth Circuit into trouble into the first place. Still, given how this opinion could have turned out, I still give this opinion very high marks. * * * I am often asked by other Internet Law professors for a single keyword advertising case they should consider teaching. Until now, I haven’t had a good answer. I’ve taught several keyword ad cases over the years. The last two years I’ve taught the Hearts on Fire case, which has been pretty good. Other folks have taught the Second Circuit’s Rescuecom case, a theoretically interesting case but a lousy teaching case. In my opinion, this ruling is clearly the best keyword advertising teaching case now available. Unless something better comes along, I’ll be substituting this case for the Hearts on Fire case in my Internet Law reader. Assuming many of my colleagues make the same choice, I expect this opinion will be an instant classic.

Researchers Show How a Car’s Electronics Can Be Taken Over Remotely (NYT, 10 March 2011) - With a modest amount of expertise, computer hackers could gain remote access to someone’s car — just as they do to people’s personal computers — and take over the vehicle’s basic functions, including control of its engine, according to a report by computer scientists from the University of California, San Diego and the University of Washington. Although no such takeovers have been reported in the real world, the scientists were able to do exactly this in an experiment conducted on a car they bought for the purpose of trying to hack it. Their report, delivered last Friday to the National Academy of Sciences’ Transportation Research Board, described how such unauthorized intrusions could theoretically take place. Because many of today’s cars contain cellular connections and Bluetooth wireless technology, it is possible for a hacker, working from a remote location, to take control of various features — like the car locks and brakes — as well as to track the vehicle’s location, eavesdrop on its cabin and steal vehicle data, the researchers said. They described a range of potential compromises of car security and safety. The new report is a follow-on to similar research these experts conducted last year, which showed that cars were increasingly indistinguishable from Internet-connected computers in terms of vulnerability to outside intrusion and control. That project tried to show that the internal networks used to control systems in today’s cars are not secure in the face of a potential attacker who has physical access to the vehicle.

Google Again Sued Over Gmail Content Scanning (Information Week, 10 March 2011) - Attorneys representing former Gmail user Kelly Michaels of Smith County, Texas, have sued Google, claiming that its Gmail service violates users’ privacy by scanning e-mail messages to serve relevant ads. This is not the first time Google has faced such a suit. Another Texas resident, Keith Dunbar, made similar claims in November, 2010. It’s an issue Google has been dealing with since Gmail was introduced in 2004. At Google’s request, the Dunbar suit has been sealed. However, in a reply filed prior to the sealing of the case, Google’s attorneys provide highlighted terms of service and the company’s privacy policy as exhibits to show that users are informed about how Gmail operates. Michaels’s complaint takes the novel approach of arguing that while Google asks users to accept its terms of service, the company doesn’t require that users actually understand what they’re agreeing to. Such comprehension is all but impossible, the complaint suggests, because terms of service documents are difficult to read, if they’re read at all. The complaint bemoans how users who wish to read Google’s Terms of Service have to scroll through a small text box with something like 92 paragraphs or visit a 15-page print-friendly version. Then there’s a separate Program Policy and Privacy Policy, each on different Web pages, and the Privacy Policy includes some 55 external links. It’s widely known that people don’t read lengthy documents online, particularly dry legalese. There’s even Internet shorthand for the phenomenon: “TL; DR,” which stands for “too long; didn’t read.” Sadly for the plaintiff, there’s no legal recognition of “TL; DR,” even if companies like Google and Facebook recognize the problem. Both companies have acknowledged how difficult it is to read and understand lengthy privacy and terms of service documents, and have tried to make them less impenetrable. [TMI?]

Law Enforcement Use of GPS Devices, and More from CRS (FAS, 10 March 2011) - When law enforcement agencies use a Global Positioning System device to track the motor vehicle of a potential suspect, is that a “search” that is subject to constitutional protections under the Fourth Amendment? Or is it comparable to visual inspection of public information that enjoys no such protection? The Supreme Court has not ruled on the subject, and lower courts have issued a range of opinions in different cases, according to a new report (pdf) from the Congressional Research Service that carefully delineated the issues. “Depending on how one reads the courts’ decisions, one could conclude that there is a split in the courts regarding whether law enforcement must first obtain a warrant before using a GPS device. Conversely, one could also conclude that the courts’ decisions are reconcilable and that the outcomes of the cases are fact-sensitive.”

The “Adam Smith” Award for Innovation in Legal Service Delivery (AdamSmithEsq, 10 March 2011) - A couple of weeks ago I learned that the legal department of Kraft Foods issued its “Adam Smith” award, for innovation in the delivery of legal services, to Clifford Chance, and Kraft intends it to be an annual award. I was curious to learn more. The first thing I learned was that the award was not named for the publication you’re reading, but for the original Adam Smith himself. Officially, the award is the “Kraft Foods Free Market Award,” but internally it’s known as the Adam Smith Award, and that is the name by which it will henceforth be known here, and in all right-thinking circles. The award goes to “the firm that best demonstrates the principles of free market competition.” Marc Firestone, Kraft Foods Executive Vice President, Corporate & Legal Affairs and General Counsel, said the genesis of the award was finding a way to lower costs for legal work and in the process they discovered that returning to basic economic principles was the key. Kraft has about 120 lawyers around the globe but they lack robust electronic connections other than email. Clifford Chance, by contrast, has a robust internal communications system. “After three years of spinning our wheels,” [DGC] Gerd reported, Clifford Chance was able to help Kraft’s legal department get truly connected globally in very short order. This makes great sense to me: Integrated global legal services are the core competence of Clifford Chance, but nowhere on the top 100 list for Kraft, nor should they be. The innovation was establishing internal blogs and discussion boards at Kraft addressing specific subject matter areas. The basic insight came from Clifford Chance but was adapted by Kraft for its own corporate culture, as I read it, and this could be an example of the most robust kind of innovation-sharing between firms and clients that we could imagine. The thinking must go as follows:
·      Law firm has practice X (Knowledge Management as an expertise, in this case)
·      Which client could use if it worked in their corporate environment (turning law firm KM theories into blogs and discussion boards)
·      So that both client and law firm “win,” in the sense that the both learn something from each other.
What Kraft did, then, plain and simple, was to set up those blogs and discussion boards, even though they were something Clifford Chance had never looked at internally in terms of its own KM efforts. [Editor: fascinating role-reversal – here it’s the law firm leading and the client following, in a classic implementation of knowledge management. I’m especially surprised that it’s Kraft – back in the mid-1990s they had a forward-thinking “knowledge management” culture. For more on KM implementation, and discussion of its implications for “Enterprise 2.0” see materials at KnowConnect:]

Legal Industry Does Not Exist on ‘LinkedIn Today’ (, 11 March 2011) - LinkedIn announced Thursday that it has launched “LinkedIn Today,” which some have described as an effort to become the “The Wall Street Journal of social news.” LinkedIn describes LinkedIn Today as a site that “delivers the day’s top news, tailored to you based on what your connections and industry peers are reading and sharing.” Unless, of course, you are a lawyer or in the legal profession, in which case you get absolutely nothing. Yes, despite lawyers’ pretty heavy use of LinkedIn as a social media tool, LinkedIn Today seems to forget that we even exist. As Bob Ambrogi similarly observed Thursday on his LawSites blog, LinkedIn Today offers a lengthy list of industries you can choose to tailor your reading, but law isn’t one of them. In addition, he notes, the site does not draw on any legal-news sources. “Given the apparent widespread use of LinkedIn among legal professionals of all kinds, it is surprising that this new service would skip right over the entire industry,” Ambrogi adds.

Radio Daze (Tablet, 11 Feb 2011) - Last year, a young man called in to a radio station with a problem. He’d recently attended a bachelor party, he said, and a friend of the groom-to-be, clueless of the unwritten etiquette of maledom, brought his girlfriend along, derailing what was supposed to be a weekend of gambling, girls, and general debauchery. The caller told his story with passion and verve, and then asked the station’s listeners for their advice on how to treat his clueless pal. Or at least he would have, had this been a real conversation. The young man—who asked to remain nameless in order to protect his chances for future employment—was an actor, and the staged call an audition. A short while later, he received the following email: “Thank you for auditioning for Premiere On Call,” it said. “Your audition was great! We’d like to invite you to join our official roster of ‘ready-to-work’ actors.” The job, the email indicated, paid $40 an hour, with one hour guaranteed per day. But what exactly was the work? The question popped up during the audition and was explained, the actor said, clearly and simply: If he passed the audition, he would be invited periodically to call in to various talk shows and recite various scenarios that made for interesting radio. He would never be identified as an actor, and his scenarios would never be identified as fabricated—which they always were. Curious, the actor did some snooping and learned that Premiere On Call was a service offered by Premiere Radio Networks, the largest syndication company in the United States and a subsidiary of Clear Channel Communications, the entertainment and advertising giant. Premiere syndicates some of the more sterling names in radio, including Rush Limbaugh, Glenn Beck, and Sean Hannity. But a great radio show depends as much on great callers as it does on great hosts: Enter Premiere On Call. “Premiere On Call is our new custom caller service,” read the service’s website, which disappeared as this story was being reported (for a cached version of the site click here). “We supply voice talent to take/make your on-air calls, improvise your scenes or deliver your scripts. Using our simple online booking tool, specify the kind of voice you need, and we’ll get your the right person fast. Unless you request it, you won’t hear that same voice again for at least two months, ensuring the authenticity of your programming for avid listeners.” The actors hired by Premiere to provide the aforementioned voice talents sign confidentiality agreements and so would not go on the record. But their accounts leave little room for doubt. All of the actors I questioned reported receiving scripts, calling in to real shows, pretending to be real people. Frequently, one actor said, the calls were live, sometimes recorded in advance, but never presented on-air as anything but real. Follow-up stories began to emerge in early March:

Robots and the Law? (Volokh Conspiracy, 12 March 2011) - I want to ask a follow-up to Orin’s post below on Judge Friendly and Air Law. I’ve taken an increasing interest in robotics — partly just robotics for its own interest, but also as a law professor from the standpoint of robots and the law. It started, in my case, from spending time on battlefield robotics, but it has morphed into a larger interest in robotics and the law, and perhaps future law. So I read Orin’s post, and the comments, and wonder whether there is a “there” to robotics and the law. I don’t mean from the standpoint of teaching a course; I tend to resist that kind of course on pedagogical grounds. I mean from the standpoint of a lawyer looking down the road and trying to anticipate what might be future areas of practice. I agree with Jay’s comment to Orin’s post that we academics often tend to underestimate just how much particular specialization occurs in law practice on account of the particulars of statutes and regulation and the complicated factual circumstances of usage — we academics tend to dismiss the crucial details by saying, well, it’s all just tort or products liability, whereas from the practicing lawyer’s standpoint, the devil, and the practice, are in the details. E.g., I mentioned robots and the law to a sophisticated law and economics professor, and he said, tell me if I’m wrong, but is there anything to this other than regular old tort and products liability law? What’s different about robots? I don’t know that there is — but I do wonder if that answer isn’t doing precisely what Jay warns against, correctly in my view — professorial reductionism. Sure, it’s all just tort, but will that be true from the practice perspective? My question is this: if you assume, as I do, that robots will increasingly enter ordinary life, in ways that involve important things such as nursing care, and at least partly autonomous activities as well as gross locomotion and other physical activities, in ordinary and routine life ... what, if any, practice specialities in law are likely to emerge from that? Speculate on ways in which this area might or might not become a genuinely distinct branch of law — but without simply engaging in pro forma reductivism of the “it’s all just products liability!” kind. Of course this involves some speculation on the direction of technology and the social uses of robots, too. (ps. Let me head off now any comments related to the 3 Laws and all that. Love Asimov too, but let’s not go there here. I want to know what, if anything, might emerge as a practical law speciality in this area.)

The Digital Pileup (NYT Op-Ed, 13 March 2011) – Some facts of life are just plain counterintuitive. It can be too cold to snow. Heavy things float. Martinis have calories. Here’s another one with significantly greater import: Electronic information is tangible. The apps we use, the games on our phones, the messages we incessantly tap — all of it may seem to fly through the air and live in some cloud, but in truth, most of it lands with a thump in the earthly domain. Because electronic information seems invisible, we underestimate the resources it takes to keep it all alive. The data centers dotting the globe, colloquially known as “server farms,” are major power users with considerable carbon footprints. Such huge clusters of servers not only require power to run but must also be cooled. In the United States, it’s estimated that server farms, which house Internet, business and telecommunications systems and store the bulk of our data, consume close to 3 percent of our national power supply. Seventy percent of the digital universe is generated by individuals as we browse, share, and entertain ourselves. And the growth rate of this digital universe is stunning to contemplate. The current volume estimate of all electronic information is roughly 1.2 zettabytes, the amount of data that would be generated by everyone in the world posting messages on Twitter continuously for a century. That includes everything from e-mail to YouTube. More stunning: 75 percent of the information is duplicative. By 2020, experts estimate that the volume will be 44 times greater than it was in 2009. There finally may be, in fact, T.M.I. Proliferating information takes a human toll, too, as it becomes more difficult to wade through the digital detritus. We’re all breeding (and probably hoarding) electronic information. Insensitive to our data-propagating power, we forward a joke on a Monday that may produce 10 million copies by Friday — probably all being stored somewhere. Despite the conveniences our online lives provide, we end up being buried by data at home and at work. An overabundance of data makes important things harder to find and impedes good decision-making. Efficiency withers as we struggle to find and manage the information we need to do our jobs. Estimates abound on how much productivity is lost because of information overload, but all of them are in the hundreds of millions of dollars yearly. In the corporate realm, companies stockpile data because keeping it seems easier than figuring out what they can delete. This behavior has hidden costs and creates risks of security and privacy breaches as data goes rogue. In addition, large corporations face eye-popping litigation costs when they search for information that may be evidence in a lawsuit — so-called e-discovery — that can add up to millions of dollars a year. Cases are often settled because it’s cheaper to just pay up. With so many resource challenges facing them, most companies postpone the effort and cost of managing their data. [Editor: Every page on carries varying superscript tag-lines, like “Can we find what we need, just when we need it?” or “Could we save less information, and find more?”. Knowledge management addresses some of these challenges; click on one of these superscripts for more detail.]

As Law Student Readies Reverse Auction Site, Law Bloggers React to ‘eBay’ of Lawyering (ABA Journal, 14 March 2011) - Niznik’s graduation musings led him to contemplate the plight of indebted law students struggling to find jobs in a bleak economic climate as well as the expensive and largely inaccessible nature of the legal profession. His answer to both issues is at once goofy and serious. The New York Law School student founded Shpoonkle, a playfully named website that allows attorneys and law firms to bid on legal requests submitted by clients. The service is free for now, but Niznik said attorneys may be charged membership fees in the future. Though it has yet to officially launch, lawyers and clients have already started joining the site. According to Niznik, more than 20 attorneys joined Shpoonkle since the site opened Tuesday, and membership numbers are increasing daily. The idea behind Shpoonkle is relatively simple: Clients can sift through offers made by attorneys and pick the one that suits their budget. “Privacy shouldn’t be a concern” because only lawyers can view cases posted on the site, Niznik said. Shpoonkle’s motto is “Justice You Can Afford!” but it may not be the kind of justice some attorneys are willing to embrace. Last week, as news of the legal service hit the blogosphere, some law blogs disparaged the website, mocking everything from its name to its purpose. On his New York criminal defense blog Simple Justice, Scott Greenfield said, “Any lawyer who signs up for this service should be immediately disbarred, then tarred and feathered, then publicly humiliated.” Calling the site the “eBay of lawyering,” Greenfield argues the service will lower the integrity of the legal profession. [Editor: reminds me of (Austin, Texas), and their early work in 2002.]

What Auditors Are Saying About Compliance And Encryption (Dark Reading, 15 March 2011) - In more than half of the audits they have conducted, both internal IT security and external auditors say the companies either failed or had serious deficiencies in their security compliance. And more than half say organizations are employing encryption purely for compliance reasons, according to a new report. The Ponemon Institute’s “What Auditors Think About Crypto” report, commissioned by Thales, is based on a survey of more than 500 auditors. Nearly half of them believe that audits and assessments should be mainly for rooting out risks and vulnerabilities, 42 percent say it should be for determining compliance for internal policies, and 34 percent say it should be for checking compliance with regulatory and legal mandates. Report here: (requires registration) -- from the report itself:
“Following are some of the most salient findings of this research.
·      A large number of respondents say their organizations are not taking data security seriously, and may not be allocating enough resources to achieve a reasonable state of compliance with laws and regulations, as well as a high security posture.
·      In the world of compliance, business units rather than legal, IT or compliance, own the budget and thus determine whether or not to invest in audits.”

Web Host Liable For Contributory Infringement (, 15 March 2011) - A South Carolina jury’s recent $770,750 verdict against Bright Builders Inc. marks the first time a Web-hosting company has been found liable for contributory infringement without actual notice that a customer’s Web site lists fake products for sale. South Carolina District Judge Margaret Seymour’s March 14 judgment in Roger Cleveland Golf Company Inc. v. Prince followed the jury’s March 10 verdict. The jury returned a $28,250 statutory damages verdict against Web site owners Christopher Prince and Prince Distribution LLC for trademark counterfeiting and infringement. The verdict included damages against both sets of defendants for violating the South Carolina Unfair Trade Practices Act. The jury found that Bright Builders and Prince were both liable for Prince’s Web site, which sold counterfeit Cleveland Golf clubs. The total judgment was based on the Prince defendants’ infringement of 11 Cleveland Golf registered trademarks, plus post-judgment interest. According to court papers, Prince’s Web site claimed to be “your one stop shop for the best copied golf clubs on the Internet.” Cleveland Golf originally filed suit against the Prince defendants because the Web site name and its claims were so brazen, said Christopher Finnerty, a Boston partner at Columbia, S.C.-based Nelson Mullins Riley & Scarborough and lead counsel on the case. “Usually, there’s a little cloak and dagger when counterfeit goods are sold online,” Finnerty said. “Their Web sites don’t usually advertise that they’re selling counterfeit goods.” The plaintiffs discovered Bright Builders’ role during its deposition of Prince and filed an amended complaint naming the company as a defendant, Finnerty said. For other Internet intermediaries, the ruling means that once they know or should have known that their customers are selling infringing goods, “they can’t remain willfully blind and wait for the brand owner to provide notice,” Finnerty said.

New Site Offers Free Video ‘Nuggets’ of CLE (Robert Ambrogi, 16 March 2011) - At the ACLEA annual meeting last summer, I gave a plenary talk, “10 Ways Technology is Rewiring Lawyers’ Brains … and What it Means for CLE.” Several times during that talk, when I wanted examples of online CLE sites that were engaged in social media, that were transparent about their products and pricing, that understood the concept of delivering value, and that highlighted consumer feedback and ratings, I kept coming back to one provider, Again last month, I wrote about this company when it became the first CLE provider to offer video courses via a mobile phone. Now it has unveiled another feature that shows it to be a step ahead of the social media curve. This time, it has launched a completely free e-learning website for lawyers, Borrowing from the hundreds of hours of video content Lawline has created, the site breaks up these videos into mini lessons that answer specific questions. Rather than sit through an entire CLE course, you can spend just a few minutes watching the segment that speaks to the particular issue you’re interested in. Perhaps you want a quick refresher on what constitutes an employee at will. Or you want to hear about the jurisdictional issues in setting up an online business. Or maybe you want to review the qualifications for an H1-B visa. There are hundreds of these to choose from. Of course, Lawline is a commercial enterprise, so it is not giving away all of every course. Rather, it has extracted from each course what it describes as the “golden nuggets” of information. Depending on the course, this can range from five short clips to more than 30. If at any point you decide that you want to purchase the full course, you can, of course, do that. Each “nugget” includes social media tools that allow you to share or e-mail the clip or embed it in a web page or blog post. Also, each short video is shown on a page that includes the relevant slides from the course presentation. [Editor: I’d appreciate hearing from users of this site.]

Righthaven Loses Second Fair Use Ruling Over Copyright Lawsuits (Las Vegas Sun, 18 March 2011) - An Oregon nonprofit did not infringe on copyrights when it posted without authorization an entire Las Vegas Review-Journal story on its website, a judge ruled Friday. U.S. District Judge James Mahan said during a hearing he planned to dismiss, on fair use grounds, a copyright infringement lawsuit filed against the Center for Intercultural Organizing (CIO), in Portland, Ore. The lawsuit was filed last year by Righthaven LLC of Las Vegas, the Review-Journal’s copyright enforcement partner that also enforces copyrights for the Denver Post. Mahan, who last year raised the fair use issue in the CIO case without being prodded to do so by CIO attorneys, said the copyright lawsuit would be dismissed because the nonprofit used it in an educational way, the CIO didn’t try to use the story to raise money and because the story in question was primarily factual as opposed to being creative. The judge also found there was no harm to the market for the story. Separately, Righthaven on Thursday filed at least its 250th lawsuit since March 2010. The latest suit, filed in U.S. District Court for Colorado, is over the Denver Post TSA pat-down photo. This brings to at least 46 the number of lawsuits over that photo.

Crowdsourcing the Preservation of U.S. War Papers (ReadWriteWeb, 18 March 2011) - The Center for History and New Media at George Mason University has joined forces with crowdsourcing document outfit Scripto, open source document transcription tool, to transcribe and share a piece of U.S. history thought to be lost. The project “Papers of the War Department, 1784-1800“ seeks to transcribe and digitize copies of papers from a formative part of American history, previously thought to be lost to fire. Projects like these rarely suffer from a surfeit of funding, so using Scripto to coordinate a crowdsourced transcription has made the project possible. The collection consists of 45,000 documents consisting of hundreds of thousands of individual pages from the records of what later came to be known as the Department of Defense. Volunteers register to become a Transcription Associate and then can browse to select whichever document they wish to transcribe or search the collection if they have particular interests. In addition to making it financially feasible, letting the public take a hand in such a project has the benefit of bringing history close to the volunteer and turning that volunteer into an evangelist for the importance of history to contemporary life. Also, it gives the historians involved a sense, as the documents are transcribed, for what the public finds the most compelling. The project is funded by the National Historical Publications & Records Commission of the National Archives and the National Endowment for the Humanities’ Office of Digital Humanities.

Chin Decides Google Books Settlement Would ‘Go Too Far’ (NLJ, 23 March 2011) - Google’s attempt to build the world’s biggest digital library was sidetracked yesterday as a federal judge rejected a settlement between the Internet giant and authors and publishers who sued for copyright infringement. Judge Denny Chin said the settlement, which was reached in 2008 to resolve two lawsuits challenging the mass scanning of books and the display of “snippets” for online searching “would simply go too far.” The deal “would grant Google significant rights to exploit entire books, without the permission of the copyright owners,” said Judge Chin, a former Southern District judge who kept the case when he was elevated to the Second Circuit. “Indeed, the Amended Settlement Agreement would give Google a significant advantage over competitors, rewarding it for engaging in wholesale copyrighted works without permission, while releasing claims well beyond those presented in the case.” However, the judge said that many of his concerns could be addressed if the amended agreement was “converted from an ‘opt-out’ settlement to an ‘opt-in’ settlement” and he urged the parties to consider that as they return to negotiations. A central problem, Judge Chin said, was that the settlement “would transfer to Google certain rights in exchange for future and ongoing arrangements including the sharing of future proceeds, and it would release Google (and others) from liability for certain future acts.” The Justice Department submitted a statement of interest calling it an “attempt to use the class action mechanism to implement forward-looking business arrangements that go far beyond the dispute before the Court in this litigation.” Judge Chin said he was bothered because figuring “a mechanism for exploiting unclaimed books is a matter more suited for Congress than this court.” As for the concern that the settlement would release claims that go far beyond the pleadings, the judge made clear the case was brought to challenge “snippets” for online searching, with Google arguing it was fair use to make small portions of the works available through search requests. “The case was about the use of an indexing and searching tool, not the sale of complete copyrighted works,” he said.

Spot Me If You Can: Uncovering Spoken Phrases In Encrypted VoIP Conversations (Paper by Johns Hopkins’ Charles Wright et al., March 2011) – Abstract: Despite the rapid adoption of Voice over IP (VoIP), its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that when the audio is encoded using variable bit rate codecs, the lengths of encrypted VoIP packets can be used to identify the phrases spoken within a call. Our results indicate that a passive observer can identify phrases from a standard speech corpus within encrypted calls with an average accuracy of 50%, and with accuracy greater than 90% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards. In addition, we examine the impact of various features of the underlying audio on our performance and discuss methods for mitigation.

Cornell Library Rejects Non-Disclosures On Journal Pricing; Will Reveal All Prices (TechDirt, 25 March 2011) - One of the more pernicious areas of locking up knowledge that we’ve seen and discussed involves academic journals. These tend to involve private publishers who get a tremendous amount of completely free labor in terms of content submissions and even reviewers/editors... and then demand the copyrights of the research, while charging universities ridiculously high fees. Those publishers have also gone to great lengths to try to block the US government from trying to make federally funded research available to the public at no cost after a limited amount of time. And, of course, the journals often rely on secrecy to get the most money -- including requiring universities to sign non-disclosure agreements (NDAs) that forbid them from revealing how much they’re paying for a journal. 

It’s nice to see some universities really starting to push back, and it’s even nicer when it’s a university that I attended and from which I received two degrees. My sister informs me that Cornell University has decided to take a stand and is refusing to sign any NDAs from various journals, and will make the prices they’re being charged for such journals public. As the University made clear in a statement about this policy, it feels these agreements go against the basic nature of openness and fairness * * *

The Deplorable State of Law Firm Security (Sharon Nelson, 25 March 2011) - In our most recent Digital Detectives podcast for Legal Talk Network, John and I were happy to welcome Rob Lee, a Director with the information security firm Mandiant and the curriculum lead for digital forensic training at the SANS Institute, to discuss the deplorable state of law firm security. It resonated with us that Rob believes that law firm security is about five years behind the rest of the business world. That may be kind. Certainly we’ve never done a law firm security assessment without finding significant vulnerabilities and Rob’s experience has been the same. He talks extensively about Advanced Persistent Threats, the concept of defense in depth and the importance of security assessments. As he notes, hacking into law firms is so easy that the Chinese don’t even waste their “A” teams on it – the junior rookie squads can handle it. The attitude of many law firms is that “it can’t happen here.” What’s amazing is how many times it already has. If you’re interested in law firm security, Rob offers a wealth of information in this podcast - our thanks for his willingness to share his knowledge!

The MIRLN podcasts now are on iTunes -- or search for “MIRLN”. You can also find them at, and an RSS feed is available. MIRLN 14.04 podcast: “Cybersecurity” (17 March 2011; 10 minutes) - Discussion of recently reported attacks on high-profile companies like GE, Sony, Johnson & Johnson, and the implications for cyber-integrity and data governance.

Susan Landau on Surveillance or Security? The Risks Posed by New Wiretapping Technologies (Berkman Center, 8 March 2011; 64 minutes) - The reliance of business and commerce on IP-based networks leaves the U.S. highly exposed and vulnerable to cyberattack, yet U.S. law enforcement remains focused on building wiretapping systems within communications infrastructure. By embedding eavesdropping mechanisms into communications technology itself, we build tools that could easily be turned against us. In this talk based on her new book, Susan Landau — currently a fellow at the Radcliffe Institute for Advanced Study at Harvard — asks: In a world that has Al-Qaeda, nation-state economic espionage, and Hurricane Katrina, how do we get communications security right? [Editor: Superb, comprehensive discussion of IP infrastructure implications for communications security, ranging from EPCA to CALEA to FISA, from the FBI to the NSA to Northrop Grumman to Ericson, from the US to Greece to France to China – really terrific.] See also Susan Landau’s testimony before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security on government eavesdropping.

Data Privacy - EPCA Revisited (Stanford CIS, 24 Jan 2011) - Does the Fourth Amendment protect the privacy of your webmail? Does the government have to get a search warrant before tracking the location of your phone? What are the latest electronic privacy developments in courts and in Congress? In connection with Data Privacy Day 2011, two experts will discussed the state of electronic communications law. Kevin Bankston, senior staff attorney at the Electronic Frontier Foundation, discussed recent cases he has litigated involving the Electronic Communications Privacy Act—the decades—old law that regulates electronic communications privacy—and EFF’s efforts as part of the “Digital Due Process” Coalition to update that law for the 21st century. Susan Freiwald, Professor of Law at University of San Francisco School of Law, focused on the constitutional tensions underlying these current debates over online and wireless communications privacy, with a special focus on her work defending the locational privacy of cell phone users and privacy in stored email. [Editor: very useful discussion–aside from Prof. Freiwald’s annoying habit of constant, albeit useful, interruptions–of the history behind EPCA/SCA and geo-tracking; I’d love to hear the other side of the issue presented as thoroughly as in this presentation. The discussion of the Warshak case illuminates the MIRLN podcast 14.02 -]

**** RESOURCES ****
WIPO Launches New On-line Tool to Facilitate Brand Searche (WIPO, 8 March 2011) - A new on-line tool launched by WIPO on March 8, 2011, will make it easier to search over 640,000 records relating to internationally protected trademarks, appellations of origin and armorial bearings, flags and other state emblems as well as the names, abbreviations and emblems of intergovernmental organizations. The Global Brand Database allows free of charge, simultaneous brand-related searches across multiple collections. At present, the Global Brand Database search interface allows users to access three WIPO databases – international trademarks registered under the Madrid system for the international registration of marks; appellations of origin registered under the Lisbon system for the international registration of appellations of origin; and armorial bearings, flags and other state emblems as well as the names, abbreviations and emblems of intergovernmental organizations protected under Article 6ter of the Paris Convention for the Protection of Industrial Property – by means of one simple, user-friendly screen.,0

**** FUN ****
Cleveland Browns Lawyer Letter Is Apparently Real (Lowering the Bar, 18 March 2011) - Occasionally you do come across things that seem just too good to be true, and like others I was suspicious of this correspondence that circulated recently. As you may recall, this purports to be (1) a 1974 letter from a lawyer and Cleveland Browns season-ticket holder threatening to sue the team if any person in his party sustained an injury from “the sailing of paper airplanes” by unruly fans, and (2) a rudely hilarious (or hilariously rude) response to this ridiculous threat, sent by the team’s general counsel. Turns out that the Cleveland Plain Dealer followed up on this, and managed to reach both of the people involved, who said that both the letters were real. This was good enough for the professional urban-legend checkers at, so it’s good enough for me. The general counsel, James Bailey, now lives in San Diego. Bailey also confirmed he had copied Art Modell, the team’s owner, on the letter, which might not have been the best idea. “I should have been more cautious,” Bailey said. “After I wrote it, I heard about it right away from Art. He said something like, ‘What the hell are you doing?’ He was not a guy lacking passion.” The complainer, Dale Cox, has since moved to Idaho but is still practicing law (and, he says, is still a Browns season-ticket holder, which might show his judgment has not improved). He told the Plain Dealer he wasn’t mad about the response and that in fact he “thought it was pretty cool.” Whether he’s remembering that correctly or just doesn’t want to seem like a sore loser now, that’s the right response. He also claimed to have “used that letter a couple times myself since,” but if he did, he did not provide details. I came across a couple of posts suggesting that Mark Twain originally came up with this idea, but if he did, I couldn’t find it; and it would probably be public domain and/or fair use anyway, if like Mr. Cox you wanted to use this yourself.

FBI Surveillance near ABA? -- see for a screen shot of nearby WiFi networks I took while at the ABA on 22 March 2011.

FBI’S CYBERCRIME INFO-SHARING (Wired News, 5 Jan. 2001) The FBI announced Friday the completion of a program that seeks to combat cybercrime by encouraging companies to share information about Internet attacks they have experienced. Participating companies and the FBI would use encrypted e-mail and a secure website to warn each other about new hacking attempts, computer viruses and other Internet-based criminal activity. By encouraging communication among tech companies, the FBI hopes to reduce the impact of Internet crime, which according to one estimate takes a $1.6 trillion bite annually out of the global economy.,1283,41030,00.html

PENTAGON BAFFLED BY HACKER FILE THEFTS (Commerce Times, 7 May 2001) -- A hacking group, most likely Russian-based, has stolen thousands of files in consistent attacks over the past three years from the Pentagon and other government agencies, according to an article written by a National Security Agency (NSA) consultant. The sophisticated attempts amount to “the most persistent and serious computer attack against the United States to date,” wrote James Adams. The attacks were first detected in March 1998, Adams reports, and have been investigated extensively since then in a project code-named Moonlight Maze. After researchers traced the attacks to seven Russian Internet addresses, a complaint was filed with

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at Get supplemental information through Twitter: #mirln.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. InsideHigherEd -
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog,
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

No comments: