Saturday, July 30, 2011

MIRLN --- 10-30 July (v14.10)

MIRLN --- 10-30 July (v14.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

COMING PROGRAM (ABA Annual meeting): "eAttorney, MiAttorney: How Technology Has Changed Communication and Collaboration With Clients." August 5 from 8:30 a.m. to 10:00 a.m. at the Metro Toronto Convention Center, Room 716B, 700 Level, South Building. Panel: Daniel Schwartz, Michael Downey, Jordan Furlong, Dennis Kennedy.

READER COMMENTS

RE "Catch Me If You Can (Law Tech News, 1 June 2011)" from MIRLN 14.09: "Very interesting to see this in real life. It struck me back when I first started thinking about security and search that it is a security breach accelerator. It is possible to identify the presence of restricted documents with specific information by using carefully crafted full text search queries. This sounds like a very similar exploit. Search engine results need to enforce the same access/inclusion and reporting policies as access to the documents themselves. Proactive auditing of search queries is also a good idea. Not exposing document titles or content summaries is not enough - any indication of a search match is enough." [Rob Pettengill]
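The oracle the reader describes is easy to reproduce. The following is an added example written for this page (not code from the reader's comment or from any search product): a tiny in-memory index with per-document ACLs, a search that trims results only at display time and therefore leaks the match count, the corrected search that restricts the candidate set before matching, the probing loop an attacker would run against each, and a proactive audit over the query log. The corpus, users, ACLs, crafted queries and the audit threshold are all constructed for illustration.

```python
"""Search as a security-breach accelerator: why result counts must respect
document ACLs.

Added example; it is not code from the reader's comment or from any search
product. The corpus, users, ACLs, queries and the audit threshold are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    readers: frozenset  # principals allowed to open the document


# Constructed corpus: d2 is restricted to alice; bob may not open it.
CORPUS = [
    Document("d1", "quarterly sales summary for the north region", frozenset({"alice", "bob"})),
    Document("d2", "board memo: acquisition of Acme Corp pending", frozenset({"alice"})),
    Document("d3", "cafeteria menu for the week", frozenset({"alice", "bob"})),
]

# Crafted probes: an attacker who cannot open d2 tries to learn what it says.
GUESSES = ["acquisition acme", "acquisition globex", "acquisition initech"]

AUDIT_LOG = []  # (user, query, visible_hits), kept for proactive review


def matches(doc, query):
    """Every query term appears in the document text (case-insensitive)."""
    text = doc.text.lower()
    return all(term in text for term in query.lower().split())


def leaky_search(user, query, corpus=CORPUS):
    """Late trimming: match over everything, then hide what the user may not
    open. Titles and snippets are withheld, yet total_matches still counts d2."""
    hits = [d for d in corpus if matches(d, query)]
    visible = [d.doc_id for d in hits if user in d.readers]
    AUDIT_LOG.append((user, query, len(visible)))
    return {"total_matches": len(hits), "results": visible}


def trimmed_search(user, query, corpus=CORPUS):
    """Early trimming: restrict the candidate set to documents the user may read
    before matching, so no count, facet or suggestion can reveal the rest."""
    candidates = [d for d in corpus if user in d.readers]
    hits = [d.doc_id for d in candidates if matches(d, query)]
    AUDIT_LOG.append((user, query, len(hits)))
    return {"total_matches": len(hits), "results": hits}


def probe_oracle(search, user, guesses):
    """The attack: treat the engine as a yes/no oracle and keep every guess it
    confirms, reading nothing but the match count."""
    return [g for g in guesses if search(user, g)["total_matches"] > 0]


def suspicious_users(log, threshold):
    """Proactive query auditing: users issuing many zero-hit probes in a row
    are a sign of someone walking the oracle."""
    zero_hits = {}
    for user, _query, hits in log:
        if hits == 0:
            zero_hits[user] = zero_hits.get(user, 0) + 1
    return sorted(u for u, n in zero_hits.items() if n >= threshold)


if __name__ == "__main__":
    print("leaky  :", probe_oracle(leaky_search, "bob", GUESSES))
    print("trimmed:", probe_oracle(trimmed_search, "bob", GUESSES))
    print("flagged:", suspicious_users(AUDIT_LOG, threshold=3))
```

Against the leaky search, bob confirms the restricted Acme memo without ever being shown it; against the trimmed search the same probes return nothing, and the audit log still records the burst of zero-hit queries that gives the probing away.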

NEWS | LOOKING BACK | NOTES

Alabama Lawyer Group Sues Legalzoom, Wants Ban In State (Birmingham News, 10 June 2011) - The DeKalb County Bar Association said today it has filed a lawsuit that asks a judge to bar the online forms company LegalZoom.com from doing business in Alabama, saying the Los Angeles-based firm is engaging in the unauthorized practice of law. The suit filed in DeKalb County Circuit Court requests that LegalZoom be permanently prohibited from creating legal documents and related services for Alabama residents. Fort Payne attorney Daniel Campbell, president of the county's bar association, said in a statement that LegalZoom's offering of standard legal forms such as wills and incorporation papers that are then customized to the buyer's preference has been prohibited by Alabama law for many years. "Alabama's unauthorized practice of law statutes prohibit anyone who is not a lawyer from advising or counseling another person on legal matters, and from preparing or assisting another person in preparing any document or instrument such as a will or deed in Alabama," the bar association said in a statement.

DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools (FastCompany, 8 July 2011) - A top Department of Homeland Security (DHS) official has admitted on the record that electronics sold in the U.S. are being preloaded with spyware, malware, and security-compromising components by unknown foreign parties. In testimony before the House Oversight and Government Reform Committee, acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R-UT) that both Homeland Security and the White House have been aware of the threat for quite some time. When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated, after some hesitation, that "I am aware of instances where that has happened." This supply chain security issue essentially means that, somewhere along the line, technology being marketed in the United States was either compromised or purposely designed to enable cyberattacks. Schaffer, who has an extensive background in cybersecurity and communications infrastructure management, did not elaborate on the compromised tech that DHS has encountered. However, he did emphasize that foreign components are found in many American-manufactured devices. As a matter of sheer speculation, it is not hard to imagine computers, portable devices, and components marketed in the United States being purposely infected with malware, spyware, or other forms of security-compromising software at the request of either foreign companies or foreign governments. More worryingly, the hearing specifically mentioned hardware components as possibly being compromised - which raises the question of whether something as innocuous as flash memory or an embedded RFID chip could be used by interested foreign parties.

Nothing Personal: How Database Licenses Make Pirates of Us All (InsideHigherEd, 11 July 2011) - The other day, as I was tracking down the text of a classic article in JSTOR to refer to in a blog post, I was struck by the pop-up box that required me to agree to terms of service before it would let me see the article. I actually read it this time instead of clicking through. It reads: "Your use of the JSTOR archive indicates your acceptance of JSTOR's Terms and Conditions. JSTOR's Terms and Conditions provides, in part, that unless you have obtained prior permission, you may not download an entire issue of a journal or multiple copies of articles, and you may use content in the JSTOR archive only for your personal, non-commercial use." This is standard database license language, though most databases don't thrust it in your face every time you search. I understand discouraging people from downloading massive amounts of articles and doing evil things with them, like posting them online for anyone to read or putting them up on torrent sites. I get it. I wouldn't do that. But even though I had clicked through that annoying pop up box any number of times, it suddenly struck me as a bit bizarre that in order to see a scholarly article in this paragon of scholarly databases, I have to swear I will do nothing with the material that might be for other than personal, non-commercial use. Does that mean I can't write about that article I looked up in places like this blog? This is, after all, public, and I just swore I would use the article only for personal use. Whoops! My bad. Would it mean I couldn't use JSTOR in research for a book? D'oh! I'm certain I consulted databases when writing a book that earns me a hundred dollars every ten years or so. I should be ashamed of myself.
In the past, libraries didn't stop you at the door and demand that you agree to a pledge that you won't in any way profit from your visit or use what you learned when visiting the library for some public purpose. We actually thought - silly us! - that libraries were meant to help you build new things and go public with ideas. (And crazy founders! They actually thought copyright would promote science and the useful arts! But that's another story. We're talking licenses, here.) Libraries don't set policy for the use of materials now; publishers and vendors do. JSTOR isn't quite as strict as some databases. SciFinder Scholar instructs users to contact the company, er, society and pony up for a different service if they are doing research for a consulting job, and users agree that "I will delete stored records when I no longer need them for the relevant research project, or after the completion of my degree program, whichever occurs first." (Have you purged those citations from EndNote yet? You haven't? Dude.) And then there are those curious restrictions within restrictions; you are not allowed to place a link to a Harvard Business Review article that your library licenses for campus use in a syllabus, for example. The library pays for campus use - but not that kind of campus use. For that, you pay extra. Clicking through that little notice is as routine as being instructed every time we fly how to fasten a seat belt. (Seriously: how likely will we pay attention to safety features of an airplane when the instructions start out with "insert the metal tab into the buckle"?) It's no more likely to lead to reflection than that FBI warning on every video that details the years in jail and fines you might incur. (Five years, to be precise, and $250,000. You should know that by now. You've seen it a million times.) We agree to absurd terms of service all the time and swear we read through agreements that we haven't. It's part of modern life. But still: personal use? What does that even mean in a scholarly context?

How Digital Detectives Deciphered Stuxnet (Wired, 11 July 2011) - It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the "clean" cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings. Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month. [W]hen the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran's enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate - later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months. The question was, why? [Editor: Bruce Schneier liked this story, too. It reads like a Neal Stephenson novel.]

DOJ: We Can Force You to Decrypt that Laptop (CNET, 11 July 2011) - The Colorado prosecution of a woman accused of a mortgage scam will test whether the government can punish you for refusing to disclose your encryption passphrase. The Obama administration has asked a federal judge to order the defendant, Ramona Fricosu, to decrypt an encrypted laptop that police found in her bedroom during a raid of her home. Because Fricosu has opposed the proposal, this could turn into a precedent-setting case. No U.S. appeals court appears to have ruled on whether such an order would be legal or not under the U.S. Constitution's Fifth Amendment, which broadly protects Americans' right to remain silent. In a brief filed last Friday, Fricosu's Colorado Springs-based attorney, Philip Dubois, said defendants can't be constitutionally obligated to help the government interpret their files. "If agents execute a search warrant and find, say, a diary handwritten in code, could the target be compelled to decode, i.e., decrypt, the diary?" To the U.S. Justice Department, though, the requested court order represents a simple extension of prosecutors' long-standing ability to assemble information that could become evidence during a trial. The department claims: "Public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these. Failing to compel Ms. Fricosu amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible." Prosecutors stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form." In an amicus brief (PDF) filed on Friday, the San Francisco-based Electronic Frontier Foundation argues that the Justice Department's request be rejected because of Fricosu's Fifth Amendment rights. The Fifth Amendment says that "no person...shall be compelled in any criminal case to be a witness against himself." [Editor: I seem to recall reading one of these law review articles, which essentially concluded that if you'd never written down your passphrase (but it existed only in your memory), then you couldn't be compelled to decrypt the files. For key files, I've followed that practice.]

A New U.S. Law-Enforcement Tool: Facebook Searches (Reuters, 12 July 2011) - U.S. law-enforcement agencies are increasingly obtaining warrants to search Facebook, often gaining detailed access to users' accounts without their knowledge. A Reuters review of the Westlaw legal database shows that since 2008, federal judges have authorized at least two dozen warrants to search individuals' Facebook accounts. Many of the warrants requested a laundry list of personal data such as messages, status updates, links to videos and photographs, calendars of future and past events, "Wall postings" and "rejected Friend requests." Federal agencies seeking the warrants include the FBI, DEA and ICE, and the investigations range from arson to rape to terrorism. The Facebook search warrants typically demand a user's "Neoprint" and "Photoprint" -- terms that Facebook has used to describe a detailed package of profile and photo information that is not even available to users themselves. These terms appear in manuals for law enforcement agencies on how to request data from Facebook. The manuals, posted on various public-advocacy websites, appear to have been prepared by Facebook, although a spokesman for the company declined to confirm their authenticity. None of the warrants discovered in the review have been challenged on the grounds that they violated a person's Fourth Amendment protection against unlawful search and seizure, according to a review of the cases. Some constitutional-law experts said the Facebook searches may not have been challenged because the defendants -- not to mention their "friends" or others whose pages might have been viewed as part of an investigation -- never knew about them. By law, neither Facebook nor the government is obliged to inform a user when an account is subject to a search by law enforcement, though prosecutors are required to disclose material evidence to a defendant. Twitter and several other social-media sites have formally adopted a policy to notify users when law enforcement asks to search their profile.

Secret Service Descends on Artist For Mildly Creepy Public Photography (TechDirt, 12 July 2011) - So this is one of those interesting scenarios that really tests the boundary between what people find to be socially unacceptable behavior versus what is actually illegal under current law. Artist Kyle McDonald put a strange art project into practice when he installed what amounts to surveillance software on the public computers at an Apple store and used the images collected to create a presentation that he hoped would give us, by the facial expressions captured, insight into our relationship with the computers we use. An interesting project that borders on creepy. But is it illegal? Apparently, the Secret Service is now involved: "On three days in June, McDonald's program documented people staring at computers in Apple stores. Since the stores wiped their computers every night, he had to go back in and reinstall the program each day he took photos. He uploaded a collection of the photos to a Tumblr blog, and last Sunday he set up 'an exhibition' at the Apple stores. During the unauthorized event at the Apple stores on West 14th Street and in Soho, when people looked at an Apple store machine, they saw a picture of themselves. Then they saw photos of other people staring at computers. Amazingly, nobody made a fuss. [...] Over the course of the project, McDonald set up roughly 100 Apple store computers to call his servers every minute. That's a lot of network traffic, and he learned that Apple monitors traffic in its stores when he received a photo from a Cupertino computer of what appeared to be an Apple technician. The technician had apparently traced the traffic to the site McDonald used to upload the program to Apple Store computers, and installed it himself. McDonald figured that Apple had decided the program wasn't a big deal. That was until four Secret Service men in suits woke him up on Thursday morning with a search warrant for computer fraud. They confiscated two computers, an iPod and two flash drives, and told McDonald that Apple would contact him separately." Even more interesting than his project about how people perceive their relationship with their computer might be how people perceive the artist's actions here. Many people seem to be up in arms, and feel quite strongly that his actions were criminal and should be punished. But what crimes did he actually commit? None of the immediately obvious arguments would appear to be viable when you consider the facts of the situation. [Editor: Interesting legal analysis - there's an artist who's done something quite similar, but he blanked out the faces of most subjects - but not all. His work is showing in Europe, apparently without legal repercussions.]

Judge Rules "Locker" Site is Not Direct Copyright Infringer (ArsTechnica, 12 July 2011) - A federal judge in Miami has dismissed direct copyright infringement charges against Hotfile, a popular online "locker" service that the major Hollywood studios allege is responsible for massive copyright infringement. But he allowed the case to proceed on charges that Hotfile has induced and profited from the infringing activities of its users. The 9-page opinion, first reported by the Hollywood, Esq. blog, provides early clues about how Judge Adalberto Jordan views the defendants, Hotfile and its alleged owner Anton Titov. The case, which began in February, represents the latest front in the never-ending arms race between Hollywood studios and users seeking free copies of their movies. Hotfile is a "cyberlocker" site. Users upload files they wish to share with others and are rewarded financially if these files prove popular. The studios allege that the overwhelming majority of the files users upload to Hotfile are copyrighted content being distributed without the consent of copyright holders like themselves. Hotfile, for its part, argues that it is providing an ordinary Web-hosting service and is not responsible for content its users choose to upload. Hotfile lacks any interface for browsing or searching the files on the site, allowing it to plausibly deny any knowledge of their contents. The studios allege that Hotfile "relies on third-party pirate link sites to host, organize and promote URL links to Hotfile-hosted infringing content." Hotfile faces two distinct charges: direct and secondary liability. The studios argued that Hotfile is directly liable for the infringing actions of its users because it owns and operates the servers through which the infringing copies were made. They also argue that Hotfile is secondarily liable under the inducement theory articulated by the Supreme Court in the 2005 Grokster decision. [Editor: this is important, and implicates Cloud storage services like Dropbox, too. See "Unlicensed: Are Google Music and Amazon Cloud Player Illegal? (ArsTechnica, 4 July 2011)" from MIRLN 14.09.]

Study Finds 12.5% of Companies Violating Own Do-Not-Track Policies (ArsTechnica, 13 July 2011) - The Do Not Track efforts led by self-managed advertising groups aren't going as well as some might hope, with at least eight participating companies continuing to track users across the Web even after they opt out. The finding highlights the weakness of an entirely voluntary system: just because the companies say they will do it doesn't necessarily mean that they will. The Network Advertising Initiative (NAI) is one of several self-regulating groups aimed at adopting voluntary codes of conduct when it comes to advertising to users online. Late last year, those groups (including the NAI) announced that they would begin pushing the Advertising Option Icon, an icon that is meant to let users know which sites are participating in behavioral tracking. Users would then be able to easily opt out of any behaviorally targeted advertising if they so choose. Collectively, the groups represent some 5,000 other companies that advertise online, though use of the icon itself is voluntary as long as they offer the opt-out functionality. But how many companies are actually respecting those rules? Stanford's Center for Internet & Society recently examined the tracking behavior of 64 of 75 of NAI's member companies when users turn on the Do Not Track settings or opt out of behavioral ad tracking. Of the 64, the CIS said that 33 companies left their tracking cookies in place after the user opted out. This in itself sounds surprising, but it's not - as part of their agreement with NAI, companies only have to agree to stop offering behaviorally targeted ads to users when users want to opt out. They can continue to keep cookies on your machine, as long as those cookies aren't being used to create specially targeted ads. So what about the rest? Two advertising companies took overt steps to respect the Do Not Track headers sent by browsers like Firefox, Internet Explorer, and Safari, which we just learned is actually a step beyond NAI's baseline requirement. Another 10 companies went even further by stopping the tracking and removing the cookies altogether (and just for interest's sake, it's worth noting that Google falls into this category). That leaves us with the eight companies dwelling in the hall of shame: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street On Demand, and TARGUSinfo AdAdvisor. These guys all specify in their privacy policies that users can opt out of behavioral tracking and advertising, but the CIS researchers found that they all kept some form of unique user information around on the user's computer even after opting out. Most of them removed certain pieces of information while keeping other items, but one (Vibrant Media) simply kept on tracking as if the user had never opted out in the first place.
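The distinction the study draws is something you can check yourself from the client side: after sending the opt-out, look at what the ad server sets in Set-Cookie. Below is an added example written for this page (not code from the Stanford CIS study, the NAI, or any of the companies named above) that classifies a server's post-opt-out response as having removed its identifier cookies, as setting only an opt-out marker, or as still planting a unique identifier. The opt-out cookie names, the entropy threshold used to spot identifier-like values, and the sample Set-Cookie headers are all constructed assumptions.

```python
"""Audit an ad server's cookie behaviour after a Do Not Track opt-out.

Added example; it is not code from the Stanford CIS study or from any of the
companies named above. Given the Set-Cookie headers an ad server returns once
the user has opted out (or sent DNT: 1), classify the response as having
removed its identifier cookies, set only an opt-out marker, or still planting
a unique identifier. The opt-out cookie names, the entropy threshold and the
sample headers are constructed assumptions.
"""
import math
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# What the client sends after opting out (assumed cookie name, not any network's).
OPT_OUT_REQUEST_HEADERS = {"DNT": "1", "Cookie": "optout=1"}

# Cookie names assumed to record nothing but the opt-out itself.
OPT_OUT_COOKIE_NAMES = {"optout", "opt_out", "oo", "dnt"}

# Constructed responses mirroring the three behaviours the study reports.
SAMPLE_RESPONSES = {
    "removes cookies": ["uid=; Max-Age=0; Path=/",
                        "optout=1; Max-Age=31536000; Path=/"],
    "opt-out marker only": ["optout=1; Max-Age=31536000; Path=/",
                            "region=us; Path=/"],
    "still tracking": ["optout=1; Max-Age=31536000; Path=/",
                       "uid=a8f3c1d9e2b74f60; Expires=Thu, 01 Jan 2037 00:00:00 GMT; Path=/"],
}


def shannon_entropy(value: str) -> float:
    """Bits per character: random identifiers score high, flags like '1' do not."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_identifier(value: str) -> bool:
    """Heuristic with assumed thresholds: long and high-entropy means per-user ID."""
    return len(value) >= 16 and shannon_entropy(value) > 3.0


def is_deletion(morsel, now: datetime) -> bool:
    """True when the Set-Cookie clears the cookie: Max-Age<=0 or Expires in the past."""
    if morsel["max-age"] != "":
        try:
            return int(morsel["max-age"]) <= 0
        except ValueError:
            pass
    if morsel["expires"] != "":
        try:
            expires = parsedate_to_datetime(morsel["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:            # "-0000" dates come back naive
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def classify_opt_out_response(set_cookie_headers, now=None) -> str:
    """Return 'tracking', 'removed' or 'opt_out_only' for one response."""
    now = now or datetime.now(timezone.utc)
    identifiers_set = identifiers_cleared = 0
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.lower() in OPT_OUT_COOKIE_NAMES:
                continue                      # the marker we expect to see
            if is_deletion(morsel, now):
                identifiers_cleared += 1
            elif looks_like_identifier(morsel.value):
                identifiers_set += 1
    if identifiers_set:
        return "tracking"                     # a unique ID survives the opt-out
    if identifiers_cleared:
        return "removed"
    return "opt_out_only"


def audit(responses=SAMPLE_RESPONSES):
    """Classify every sample; a real audit would feed in captured responses."""
    return {label: classify_opt_out_response(headers)
            for label, headers in responses.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:22s} -> {verdict}")
```

The NAI baseline only forbids using a retained cookie for targeting, which no client-side check can observe; what this does observe is whether a unique identifier is still being set or kept after the opt-out, which is exactly the behaviour that put the eight companies in the hall of shame.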

Senators Ask Spy Chief: Are You Tracking Us Through Our iPhones? (Wired, 14 July 2011) - Two key senators want to know if the leader of the vast U.S. intelligence apparatus believes it's legal for spooks to track where you go through your iPhone. In a letter that Sens. Mark Udall (D-Colorado) and Ron Wyden (D-Oregon) will send later on Thursday, obtained by Danger Room, the senators ask Director of National Intelligence James Clapper, "Do government agencies have the authority to collect the geolocation information of American citizens for intelligence purposes?" Both senators are members of the panel overseeing the 16 intelligence agencies. In May, they sounded warnings that the Obama administration was secretly reinterpreting the Patriot Act to allow a broader amount of domestic surveillance than it had publicly disclosed. "[R]ecent advances in geolocation technology have made it increasingly easy to secretly track the movements and whereabouts of individual Americans on an ongoing, 24/7 basis," they write. "Law enforcement agencies have relied on a variety of different methods to conduct this sort of electronic surveillance, including the acquisition of cell phone mobility data from communications companies as well as the use of tracking devices covertly installed by the law enforcement agencies themselves." Wyden and Udall want "unclassified answers" from Clapper. If Clapper thinks his spies can go after U.S. citizens' geodata, they want the "specific statutory basis" for that collection, along with a description of any "judicial review or approval by particular officials" that might accompany it. They also want to know if Clapper thinks there's any affirmative legal "prohibition" to geodata collection by spies, if the spy chief doesn't think it's legal. The senators note that legislative restrictions on GPS acquisition so far only apply to cops and feds, not spies. "Clearly Congress needs to also understand how intelligence authorities are being interpreted as it begins to consider legislation on this issue," they write. They also remind Clapper that the FISA Amendments Act is set to expire at the end of the year. The letter asks Clapper to disclose if the surveillance dragnet it authorizes includes the communications of "law-abiding Americans," the key objection from civil libertarians to the Act, and if any "significant interpretations of the FISA Amendments Act [are] currently classified."

- and -

The Government Just Admitted For The First Time It Is Using Cell Phone Data To Track Your Location (Business Insider, 26 July 2011) - A group of Senators questioned the general counsel of the National Security Agency Tuesday about whether U.S. intelligence agencies are using cell phone geolocation data to track U.S. citizens without their knowledge. According to The Wall Street Journal, Matthew Olsen, the NSA's general counsel and nominee to lead the National Counterterrorism Center, told the Senate Select Committee on Intelligence that: "There are certain circumstances where that authority may exist." The response came after repeated questions by Sen. Ron Wyden (D., Ore) whether the government has authority to "use cell site data to track the location of Americans inside the country." Olsen admitted the possibility, said "it's a very complicated question," and told the committee the intelligence community is working on a memo to better answer the question.

How Khan Academy Is Changing the Rules of Education (Wired, 15 July 2011) - "This," says Matthew Carpenter, "is my favorite exercise." I peer over his shoulder at his laptop screen to see the math problem the fifth grader is pondering. It's an inverse trigonometric function: cos⁻¹(1) = ?. Carpenter, a serious-faced 10-year-old wearing a gray T-shirt and an impressive black digital watch, pauses for a second, fidgets, then clicks on "0 degrees." Presto: The computer tells him that he's correct. The software then generates another problem, followed by another, and yet another, until he's nailed 10 in a row in just a few minutes. All told, he's done an insane 642 inverse trig problems. "It took a while for me to get it," he admits sheepishly. Carpenter, who attends Santa Rita Elementary, a public school in Los Altos, California, shouldn't be doing work anywhere near this advanced. In fact, when I visited his class this spring - in a sun-drenched room festooned with a papercraft X-wing fighter and student paintings of trees - the kids were supposed to be learning basic fractions, decimals, and percentages. As his teacher, Kami Thordarson, explains, students don't normally tackle inverse trig until high school, and sometimes not even then. But last November, Thordarson began using Khan Academy in her class. Khan Academy is an educational website that, as its tagline puts it, aims to let anyone "learn almost anything - for free." Students, or anyone interested enough to surf by, can watch some 2,400 videos in which the site's founder, Salman Khan, chattily discusses principles of math, science, and economics (with a smattering of social science topics thrown in). The videos are decidedly lo-fi, even crude: Generally seven to 14 minutes long, they consist of a voice-over by Khan describing a mathematical concept or explaining how to solve a problem while his hand-scribbled formulas and diagrams appear onscreen. Like the Wizard of Oz, Khan never steps from behind the curtain to appear in a video himself; it's just Khan's voice and some scrawly equations. Initially, Thordarson thought Khan Academy would merely be a helpful supplement to her normal instruction. But it quickly became far more than that. She's now on her way to "flipping" the way her class works. This involves replacing some of her lectures with Khan's videos, which students can watch at home. Then, in class, they focus on working problem sets. The idea is to invert the normal rhythms of school, so that lectures are viewed on the kids' own time and homework is done at school. It sounds weird, Thordarson admits, but this flipping makes sense when you think about it. It's when they're doing homework that students are really grappling with a subject and are most likely to need someone to talk to. And now Thordarson can tell just when this grappling occurs: Khan Academy provides teachers with a dashboard application that lets her see the instant a student gets stuck.

Getty Images Says Google Plus Terms of Service is "OK" (ReadWriteWeb, 15 July 2011) - Should photographers be concerned about Google Plus? This is the subject of an ongoing debate right now, due to the wording Google uses in its Terms of Service - specifically parts that seem to indicate it will have rights to photos posted on the new social network. But some folks, including both professional photographers and an intellectual property attorney say the reaction is overblown. The issue is not a "Google" problem - it's something to consider before posting your images online, anywhere on the Web. This week, the lawyers at stock photography leader Getty Images have decided to weigh in on the situation, too, as it relates to the company's Flickr Collection contributors. Getty's verdict? "We're OK with Google+," it says. Members of the private group (note: link only works for members) "Getty Images Contributors" on Flickr were recently informed by a company representative that Getty's lawyers have deemed Google Plus OK for them to use. "The important thing to watch out for in Terms of Service, and it's the same as we've talked about for contests, is that whatever they do (or allow third parties to do) with the images should be in the context of the service itself, not to re-license or otherwise commercialize the images to other parties (or even the main company itself) outside of the context they're posted for," writes Flickr member Tom W at Getty Images, in a message posted to all group members. Tom cites specific sections of the Google Plus ToS (11.2 and 11.3) in his post, explaining that their intent is to allow Google to provide copies of the images to third parties "in the context of the service - social networking, photo-sharing, etc." For example, if members wanted to allow their friends to print copies of their photos, like Flickr does with Snapfish. However, says Tom, Google does "not provide for licensing to another party for their own use." [Editor: also carries a useful checklist for parsing photo-license Terms of Service generally.]

Financial Services Industry Group Issues Social Media Guidance (Hogan Lovells, 15 July 2011) - A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns. The guidance, titled "Social Media Risks and Mitigation," was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks. These risks are discussed in the context of three types of social media use: (1) By a financial institution to communicate with or service the financial institution's customers; (2) By the financial institution's employees in their personal or professional capacities; and (3) By the financial institution's employees or contractors outside the office. The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms. It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media. The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media, but still lacks clear rules from regulators regarding such activities. While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media. Also, while targeted at the financial services sector, the report also has relevance to many other types of users of social media. It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and performing a risk assessment to determine the risks a company's social media activities could pose.

Cooley Law School Sues Bloggers and Lawyers (InsideHigherEd, 15 July 2011) - The Thomas M. Cooley Law School, a freestanding institution in Michigan, on Thursday sued four anonymous individuals who have posted critical comments online and lawyers who have started an investigation into Cooley's job placement rates. The suits charge defamation, interference with business interests and other violations of the law. "With ethics and professionalism at the core of our law school's values, we cannot - and will not - sit back and let anyone circulate defamatory statements about Cooley or the choices our students and alumni made to seek their law degree here," said Brent Danielson, chair of Cooley's board, in an announcement of the suits. One of the anonymous bloggers being sued runs a site called Thomas M. Cooley Law School Scam "to bring truth and awareness to the students getting suckered in by this despicable excuse for a law school." The blog questions Cooley's academic quality and charges that very few of its graduates find jobs. (Cooley says 76 percent of graduates find jobs, and that the figure was higher before the economic downturn.) The law firm being sued is Kurzon Strauss, in New York, which ran a notice on the J.D. Underground website stating (according to the complaint) that it was "conducting a broad, wide-ranging investigation of a number of law schools for blatantly manipulating their post-graduate employment data and salary information" to take advantage of "the blithe ignorance of naive, clueless 22-year olds who have absolutely no idea what a terrible investment obtaining a J.D. is." The notice specifically requests information about Thomas Cooley and, according to the law school, suggested that it was "perhaps one of the worst offenders" in manipulating the data. Currently the J.D. Underground website features a posting with some similar language (but not nearly as strong) to that cited in the complaint, and another posting from the law firm retracting some of its earlier statements, suggesting that "certain allegations ... may have been couched as fact." David Anziska, a partner in the firm, said in an interview Thursday that "this is one of the most ridiculous lawsuits filed in recent memory." Anziska said that the firm will not only defend itself, but plans to sue Cooley for its suit. He declined to comment on the status of the investigation into job-placement rates of Cooley and other law schools, but said that the notice prompted more than 50 responses.

NCAA Social Networking Regulations Provide Challenge for MU Compliance Department (Missourian, 16 July 2011) - Social networking websites like Facebook and Twitter have made student athletes more accessible than ever. The 140-character limit on Twitter might not necessarily encourage a meaningful discourse, but things as simple as an athlete checking in while on vacation or a fan telling a recruit why he should commit to his favorite school can still make an impact. On [June] 21, the University of North Carolina received a Notice of Allegations from the NCAA detailing a litany of violations committed by their athletics programs. Among them was the failure to "adequately and consistently monitor social networking activity" by student athletes that should have caused the school to discover other violations sooner than they did. The implication seen by many in the NCAA's ruling - that athletic departments should be going through the entirety of their student athletes' social networking pages for potential violations - is troublesome for officials like Mitzi Clayton, MU's assistant athletics director for compliance. Clayton said she views such rigorous monitoring as an unattainable goal. [C]ompliance at MU continues to rely on the system already in place. Individual programs are tasked with monitoring the social networking activities of athletes, a practice once primarily concerned with potential image issues that may now focus more heavily on looking for potential violations. The football program, for example, uses a computer program called UDiligence. Designed primarily to protect student athletes from damaging the reputations of themselves and their schools, UDiligence searches for trigger words in student activity and alerts team officials when any red flags pop up. Other sports opt for a simpler approach, and a captain or coach frequently checks on posts from the team's players.

Wikipedia Rolling Out Article Rating System (ReadWriteWeb, 18 July 2011) - Love it or hate it, you can't say Wikipedia is slow to innovate. The giant encyclopedia site announced this weekend that it will now roll-out site-wide an article rating system that allows page visitors to rate an entry on a scale of 1 to 5 on trustworthiness, objectivity, completeness and quality of writing. Article raters have the option of self-identifying as a subject matter expert for whatever article they rate. Wikipedia says that after limited testing of the feature, user response has been overwhelmingly positive; readers have said they found the rating system useful, that they felt compelled to give feedback and have been shown increasingly likely to begin editing articles for the first time after using the rating tool. Data about article ratings is also made available for export and outside analysis under a Creative Commons license. The feature is limited to English Wikipedia for now.

Multinational Employers Face Multiple Facebook Rulings (Proskauer, 20 July 2011) - Recent prosecutions by the National Labor Relations Board have the employer community all atwitter over the Board's apparent social media policy. While social media law is too new and undeveloped to give a clear picture, the Labor Board's approach appears to give employees broad latitude to disparage their employer on Facebook and similar social media sites - viewing the online exchanges more like water cooler conversations among coworkers than public broadcasts to actual or potential customers. Early indications are that foreign tribunals are taking a different approach. In several recent cases, they have affirmed the employers' right to dismiss employees for comments made in social media forums.

Social Media History Becomes a New Job Hurdle (NYT, 20 July 2011) - Companies have long used criminal background checks, credit reports and even searches on Google and LinkedIn to probe the previous lives of prospective employees. Now, some companies are requiring job candidates to also pass a social media background check.

A year-old start-up, Social Intelligence, scrapes the Internet for everything prospective employees may have said or done online in the past seven years. Then it assembles a dossier with examples of professional honors and charitable work, along with negative information that meets specific criteria: online evidence of racist remarks; references to drugs; sexually explicit photos, text messages or videos; flagrant displays of weapons or bombs and clearly identifiable violent activity. "We are not detectives," said Max Drucker, chief executive of the company, which is based in Santa Barbara, Calif. "All we assemble is what is publicly available on the Internet today." The Federal Trade Commission, after initially raising concerns last fall about Social Intelligence's business, determined the company is in compliance with the Fair Credit Reporting Act, but the service still alarms privacy advocates who say that it invites employers to look at information that may not be relevant to job performance.

Cyber Weapons: The New Arms Race (Business Week, 20 July 2011) - In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company's top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira's source code. He grabbed the one machine and fled. The whole operation lasted five minutes, according to video captured on an employee's webcam. Palo Alto Police Sergeant Dave Flohr describes the burglary as a run-of-the-mill Silicon Valley computer grab. "There are lots of knuckleheads out there that take what they can and leave," he says. But two people close to the company say that they, as well as national intelligence investigators now looking into the case, suspect something more sinister: a professional heist performed by someone with ties to China or Russia. The burglar didn't want a computer he could sell on Craigslist. He wanted Nicira's ideas. Those familiar with the burglary refuse to talk about it on the record, citing orders handed down by the federal investigators. In private, they share a common concern: Cyber espionage and nation-state-backed hacking incidents appear to be increasing in frequency and severity. What once seemed the province of Hollywood (high-tech robbers with guns; Internet worms that take out power plants) has become real. They fear that online skirmishes and spying incidents are escalating into a confusing, vicious struggle that involves governments, corporations, and highly sophisticated free-ranging hackers. This Code War era is no superpower stare-down; it's more like Europe in 1938, when the Continent was in chaos and global conflict seemed inevitable. Cyber attacks used to be kept quiet. They often went undiscovered until long after the fact, and countries or companies that were hit usually declined to talk about attacks. That's changed as a steady flow of brazen incursions has been exposed. Last year, for example, Google (GOOG) accused China of spying on the company's workers and customers. It said at the time that at least 20 other companies were victims of the same attack, nicknamed Operation Aurora by the security firm McAfee (INTC). The hacked included Adobe Systems (ADBE), Juniper Networks (JNPR), and Morgan Stanley (MS). Joel F. Brenner, the head of U.S. counterintelligence until 2009, says the same operation that pulled off Aurora has claimed many more victims over several years. "It'd be fair to say that at least 2,000 companies have been hit," Brenner says. "And that number is on the conservative side." Dozens of others, ranging from Lockheed Martin (LMT) and Intel (INTC) to the Indian Defense Ministry, the International Monetary Fund, and the Pacific Northwest National Laboratory, have suffered similar assaults. Earlier this year hackers raided the computer networks of RSA (EMC), a marquee security firm that protects other companies' computers. They stole some of the most valuable computer code in the world, the algorithms behind RSA's SecurID tokens, a product used by U.S. government agencies, defense contractors, and major banks to prevent hacking. It was like breaking into a heavily guarded locksmith and stealing the master combination that opened every vault in every casino on the Las Vegas Strip. This month the Pentagon revealed that it, too, had been hacked: More than 24,000 files were stolen from the computers of an unnamed defense contractor by "foreign intruders."

FFIEC Ups The Ante On Authentication (Steptoe, 21 July 2011) - The Federal Financial Institutions Examination Council (FFIEC) has released a Supplement to its 2005 Authentication in an Internet Banking Environment Guidance. The overarching thrust of the Supplement is that, because fraudsters are becoming increasingly sophisticated at breaking through customer authentication systems with techniques like keylogging and man-in-the-middle attacks, financial institutions should use systems of layered security to prevent fraudulent activity. The FFIEC now also recommends that banks "offer" multifactor authentication to their business customers. As we have previously reported, some courts have said that a bank's failure to follow the FFIEC's Guidance could give rise to a negligence claim. And it is possible that courts and regulators could look to the FFIEC's Guidance when evaluating the cybersecurity of non-financial institutions, as well. Banks and other companies should therefore look closely at the Guidance and the Supplement and evaluate whether their own authentication systems are up to snuff in light of their particular circumstances.

Uniform Electronic Legal Material Act approved by the Uniform Law Commission (BeSpacific, 21 July 2011) - Uniform Electronic Legal Material Act Drafted by the National Conference of Commissioners on Uniform Law - approved and recommended for enactment, July 18, 2011: "A new act approved [July 12, 2011] by a national law group establishes an outcomes-based, technology-neutral framework for providing online legal material with the same level of trustworthiness traditionally provided by publication in a law book. The Uniform Electronic Legal Material Act was approved today by the Uniform Law Commission (ULC) at its 120th Annual Meeting in Vail, Colorado. Increasingly, state governments are publishing laws, statutes, agency rules, and court rules and decisions online. In some states, important state-level legal material is no longer published in books, but is only available online. While electronic publication of legal material has facilitated public access to the material, it has also raised concerns. Is the legal material official, authentic, government data that has not been altered? For the long term, how will this electronic legal material be preserved? How will the public access the material 10, 50, or 100 years from now? The Uniform Electronic Legal Material Act provides a consistent approach to solving these problems."

Thousands of Scientific Papers Uploaded to The Pirate Bay (GigaOM, 21 July 2011) - A user called Greg Maxwell just uploaded a torrent with 18,592 scientific publications to The Pirate Bay, in what appears to be a protest directed both at the recent indictment of programmer Aaron Swartz for data theft as well as the scientific-publishing model in general. All of the documents of the 32-gigabyte torrent were taken from JSTOR, the academic database that's at the center of the case against Swartz. The torrent consists of documents from the Philosophical Transactions of the Royal Society, the copyright to which has long since expired. However, the only way to access these documents until now has been via JSTOR, as Maxwell explains in a long and eloquent text on the Pirate Bay, with individual articles costing as much as $19. "Purchasing access to this collection one article at a time would cost hundreds of thousands of dollars," he writes. Maxwell goes on to explain that he gained access to the documents years ago in what he says was a legal manner, but was afraid to publish them because of potential legal repercussions from the publishers of scientific journals. He says the indictment of Aaron Swartz, who allegedly tried to download thousands of files from JSTOR through the library at MIT, made him change his mind.

How Much Data is Facebook Giving Law Enforcement Under Secret Warrants? (Ride The Lightning, 21 July 2011) - The short answer is that no one knows. According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism. What interested me most is that these warrants demand a user's "Neoprint" and "Photoprint" - terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook's claim that the "Download Your Account" button gives you everything that Facebook itself possesses. Reuters apparently gleaned some of this information from Westlaw, where it found that at least 11 warrants have been granted since the beginning of 2011, double the number granted in all of 2010. The real truth is that no one knows how many warrants have been granted since it is likely that many records have been sealed. Facebook could tell us, of course, but declines to do so. It does say that it pushes back against law enforcement "fishing expeditions." Now that gives me a lot of comfort because my trust in Facebook is so absolute. That "trust" is buttressed by the fact that Facebook doesn't tell users about the warrants to give them a chance to challenge those warrants legally. Why not, Facebook? Twitter (and others) have adopted a policy of notifying users of law enforcement warrants. If Facebook is as interested in user rights as it claims, it is time to rectify this omission.

UK Government Clears Staff to Share Restricted Documents Via the Cloud Service (IT Pro, 21 July 2011) - Government staff will soon be able to share "restricted" documents in the cloud, following a deal between the services arm of the Foreign and Commonwealth office, and the software as a service provider Huddle. FCO Services will run Huddle's software on its internal cloud, known as the Government Secure Application Environment (GSAE). This will allow civil servants, diplomats and other Government staff to share documents up to the secrecy level IL3, or Restricted. Other Government departments, including the Department of Environment and Rural Affairs, and the Cabinet Office, already use a public version of Huddle for "external collaboration," sharing documents up to IL2. This service is already being used by businesses, including Kia Motors, P&G and Disney.

EU Cookies--Where Did the Pieces Fall? (Wiley Rein, July 2011) - The deadline has come and gone for European Union (EU) Member States to start requiring companies to obtain individuals' consent prior to placing cookies on computers, mobile devices and other hardware. In its wake, industry players continue to struggle to understand what this cookie consent requirement means. U.S. companies should consider basic compliance steps if they offer websites, mobile applications or other online offerings to EU individuals, as EU regulators have long sought to hold such U.S. companies responsible. "Consent" was left ambiguous by EU lawmakers in late 2009 amendments to the EU E-Privacy Directive (directive 2009/136/EC, which amended directive 2002/58/EC). Thus, substantial uncertainty has persisted about whether the new EU law might disrupt the function of cookies. For many years, EU data protection authorities (DPAs) have contended that a foreign website operator placing a cookie on a computer in the European Union is availing itself of "equipment" located in the EU. Thus, they argue, that operator is subject to EU law. By this theory, a U.S.-based website operator would be required to obtain the informed, opt-in consent of EU individuals before placing cookies on their hard drives. Not surprisingly, recent guidance from individual Member State DPAs concerning the cookie consent requirement does not disclaim a potential extraterritorial reach. Where a U.S. company has a prominent presence in the European Union, and especially where that company is active in online behavioral advertising, the threat of DPA action on cookies is greater. EU authorities have been mixed on the question of whether prior "opt in" consent is necessary to place a cookie. Interpretive language in the E-Privacy Directive itself suggests that consent could be based merely on an individual's browser settings. 
Despite the May 2011 implementation deadline, many Member States have failed to fully implement the directive amendments. Even where legislation is in effect, it often fails to specify whether opt-in consent is necessary. Finally, Member States seem to be taking markedly different approaches to implementing the amendment, creating yet another "regulatory patchwork" in the EU privacy area. U.S. companies that direct online offerings to EU individuals should continue to monitor how the cookie consent requirements develop. But it seems premature to overhaul online offerings in order to create a mechanism for obtaining opt-in cookie consent. For example, the United Kingdom's implementation of the directive mentions that browser settings can be the basis for consent. Though UK privacy regulators contend in informal statements that default browser settings are insufficient, their proposed response (to work with browser providers to change default settings) seems unlikely to produce results in a commercially reasonable time frame.

Sony Insurer Sues to Deny Data Breach Coverage (Reuters, 22 July 2011) - One of Sony Corp's insurers has asked a court to declare that it does not have to pay to defend the media and electronics conglomerate from mounting legal claims related to a massive data breach earlier this year. The dispute comes as demand soars for "cyberinsurance," with companies seeking to protect themselves against customer claims and associated costs for data and identity theft. How to write such policies has become a huge subject of debate in the insurance industry. Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general." "Zurich doesn't think there's coverage, but to the extent there may be a duty to defend it wants to make sure all of the insurers with a potential duty to defend are contributing," said Richard Bortnick, an attorney at Cozen O'Connor and publisher of the digital law blog CyberInquirer. Bortnick, who is not involved in the case, said that while Sony may be able to claim there was property damage as a result of the data breach, Zurich is likely to argue that the sort of general liability insurance it wrote for Sony was never intended to cover digital attacks. Sony has said it expects the hacking to drag down operating profit by 14 billion yen ($178 million) in the current financial year, including costs for boosting security measures. Zurich American, in its court papers, said 55 purported class-action complaints have been filed in the United States against Sony. The insurer also said Sony has been subject to investigations by state and federal regulators since the breach.

France Telecom to Bid Adieu to Minitel (WSJ, 25 July 2011) - Next year, Minitel, France's precursor to the Internet, will finally meet its maker. For 30 years the toaster-sized screen weathered the Internet revolution. Despite a text-only service, basic graphics and snail-like speed, the terminal generated €30 million ($43.1 million) in revenue in 2010, with around 85% redistributed to service providers such as banks and weather forecasters, according to France Telecom SA, which operates the service. Despite the service still being profitable, the telecommunications operator has decided to swing the axe. "The Minitel will die on June 30, 2012," said a France Telecom spokeswoman on Friday, explaining that the architecture the Minitel runs on has become obsolete. That Minitel survived so long is a reminder that even in today's fast-changing technological world the key to online success lies with a sturdy, easy-to-use system that guarantees a secure connection. The Minitel was ordered up by the French government in the late 1970s as part of an initiative to get people to share information and, eventually, reduce the consumption of paper. Launched in 1982, the box-like terminal with its monochrome screen and small keyboard was dished out by France Telecom to millions of French homes, where users paid by the minute to log on, chat, buy train tickets and check bank accounts. [Editor: I fondly remember using Minitel from my Paris office in the late 1990s; simple, functional, and ahead-of-its-time; one of the reasons I came to appreciate French engineering and philosophy.]

With Digital Mapmaking, Scholars See History (NYT, 26 July 2011) - Few battles in history have been more scrutinized than Gettysburg's three blood-soaked days in July 1863, the turning point in the Civil War. Still, there were questions that all the diaries, official reports and correspondence couldn't answer precisely. What, for example, could Gen. Robert E. Lee actually see when he issued a series of fateful orders that turned the tide against the Confederate Army nearly 150 years ago? Now historians have a new tool that can help. Advanced technology similar to Google Earth, MapQuest and the GPS systems used in millions of cars has made it possible to recreate a vanished landscape. This new generation of digital maps has given rise to an academic field known as spatial humanities. Historians, literary theorists, archaeologists and others are using Geographic Information Systems - software that displays and analyzes information related to a physical location - to re-examine real and fictional places like the villages around Salem, Mass., at the time of the witch trials; the Dust Bowl region devastated during the Great Depression; and the Eastcheap taverns where Shakespeare's Falstaff and Prince Hal caroused. "Mapping spatial information reveals part of human history that otherwise we couldn't possibly know," said Anne Kelly Knowles, a geographer at Middlebury College in Vermont. "It enables you to see patterns and information that are literally invisible." It adds layers of information to a map that can be added or taken off at will in various combinations; the same location can also be viewed back and forth over time at the click of a mouse. 
Today visitors to Gettysburg can climb to the cupola of the Lutheran seminary, where Lee stationed himself on July 2, the second day of fighting; or stand on Seminary Ridge, where the next day Lee watched from behind the Confederate lines as thousands of his men advanced across the open farmland to their deaths in the notorious Pickett's Charge. But they won't see what the general saw because the intervening years have altered the topography. Over the decades a quarry, a reservoir, different plants and trees have been added, and elevations have changed as a result of mechanical plowing and erosion. Geographic Information Systems, known as GIS, allowed Ms. Knowles and her colleagues to recreate a digital version of the original Gettysburg battlefield from historical maps, documented descriptions of troop positions and scenery, and renderings of historic roads, fences, buildings and vegetation. "The only way I knew how to answer the question," about what Lee saw, Ms. Knowles said, "was to recreate the ground digitally using GIS and then ask the GIS program: What can you see from a certain position on the digital landscape, and what can you not see?" She said her work helps "make Lee's dilemma more vivid and personal." Nineteenth-century military leaders relied primarily on their own eyes, and small differences in elevation were strategically important. "Lee probably could not have possibly seen the massive federal forces building up on the eastern side of the battlefield on Day 2 during the famous attack on Little Round Top," Ms. Knowles said. "He had to make decisions with really inadequate information."

LOOKING BACK - MIRLN TEN YEARS AGO

HACK INSURER ADDS MICROSOFT SURCHARGE (ZD Net News, 20 August 2001) -- Insurance broker J.S. Wurzler Underwriting Managers has started charging up to 15 percent more in premiums to clients that use Microsoft's Internet Information Server software, which the Code Red worm feasted on. In light of the $2 billion in damage caused by Code Red, founder and CEO John Wurzler's decision just before the virus hit seems prescient. Wurzler gained notoriety earlier this year for hiking cyberinsurance rates on companies that use Microsoft NT software on their servers. So far, Wurzler appears to be the only insurer singling out Microsoft for higher rates. And some security officials are not kind in their comments. http://www.zdnet.com/zdnn/stories/news/0,4586,2805929,00.html?chkpt=zdnnp1tp02

VIRTUAL SHAREHOLDER MEETINGS FLOP (CNET News, 7 September 2001) -- Annual reports, proxies and other corporate documentation are still shipped out by paper mail to shareholders every year. Shareholders still gather annually for a physical meeting with the board of directors. And although there have been some changes in the law to move things into the age of cyberspace, most observers say that the physical world will be with us for some time. And maybe that's for good reason. Advocates say it's in the shareholders' interest to keep meetings in person and that moving them online could put their rights in jeopardy. However, Delaware has already passed one law, and Massachusetts is working another that would allow companies to communicate with shareholders electronically and even hold shareholders' meetings online. While these new rules make it easier to disseminate information, critics charge that they also allow corporations to avoid confrontation. The Delaware law, which went into effect last year, allows a company to hold its annual meeting solely online. But to date, no company has done so. http://news.cnet.com/news/0-1005-200-7083108.html

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, July 09, 2011

MIRLN --- 19 June 2011 - 9 July (v14.09)

I'm moderating a 90-minute July 26 webinar by SMU, Univ of Texas, and the InternetBar.org on ODR - "The Future Of Justice: How Technology is Shaping the Dispute Resolution Ecosystem". Panelists include Ethan Katsh and Prof. Vikki Rogers; $10 registration ends July 10; $49 thereafter. Join us! http://bit.ly/mzH2Of

NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

Catch Me If You Can (Law Tech News, 1 June 2011) - Could Matthew Kluger, a mergers and acquisitions attorney arrested on April 6, 2011, on charges of insider trading, have been caught before he did so much damage? That was the disturbing question CIOs discussed behind closed doors at many law firms this spring. Although it's possible to discover the kind of information theft that Kluger allegedly committed, the odds are stacked against it, say CIOs, software vendors, analysts, and IT security experts. That has law firms increasingly worried. Kluger's is just the latest in a string of law firm insider trading cases over the last two years, but it has ratcheted up the level of concern throughout BigLaw. Perhaps it's because the case involved three of the most respected firms in the world: Cravath, Swaine & Moore; Skadden, Arps, Slate, Meagher & Flom ; and Wilson Sonsini Goodrich & Rosati. If it happened to them, it could happen to any law firm. What, exactly, happened? Kluger and two accomplices - a Wall Street trader and a mortgage broker - allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades. At his most recent employer, Wilson Sonsini, Kluger took information from M&A deals he was not involved with (in an apparent effort to avoid detection), according to the charges. He got the information from the firm's document management system (DMS), say prosecutors. Kluger had access to information on M&A deals in Wilson Sonsini's DMS, but he did not open the documents - to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. 
"Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions," the charges state (http://1.usa.gov/ltn642). Could someone really get that much information without opening the documents? "Easy," says George Rudoy, CEO of Integrated Legal Technology. "Even with all the effort of organizing ethical walls, I have not heard nor seen firms locking the title of the documents. If you go directly into the document management system, you can read all the titles and in most cases you can read short descriptions even if the document is locked." Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it's often easy to figure out the codes.
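The failure Rudoy describes (the wall is enforced when a document is opened, but titles and descriptions come back from any search) and the reader's point in this issue's comments (search results must obey the same access policy as the documents, and queries themselves deserve auditing) can be shown in a few dozen lines. The following is an added example written for this issue; it is not code from Law Tech News, from Wilson Sonsini, or from any real DMS product. The matters, users, documents and the three-query review threshold are all constructed for the demo.

```python
"""Added example, not from the article or from any DMS vendor: a toy
document-management index showing why an ethical wall has to cover search
results and titles, not only the document bodies, and why search queries are
worth auditing. Users, matters and documents are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Doc:
    doc_id: str
    matter: str   # deal / matter the document belongs to (the wall boundary)
    title: str    # what a results list displays, e.g. "Merger Agreement - X / Y"
    body: str


@dataclass
class Dms:
    docs: dict = field(default_factory=dict)
    walls: dict = field(default_factory=dict)  # matter -> users allowed behind the wall
    audit: list = field(default_factory=list)  # (user, query, shown, hidden)

    def add(self, doc, allowed_users):
        self.docs[doc.doc_id] = doc
        self.walls[doc.matter] = set(allowed_users)

    def can_open(self, user, doc):
        return user in self.walls.get(doc.matter, set())

    @staticmethod
    def _matches(doc, query):
        q = query.lower()
        return q in doc.title.lower() or q in doc.body.lower()

    def search_naive(self, user, query):
        """The leaky design: the wall is checked only on open, so a user who
        never opens anything still sees every matching title."""
        return [d.title for d in self.docs.values() if self._matches(d, query)]

    def search_walled(self, user, query):
        """Same check as the open path, applied before a title, snippet or
        even a hit count leaves the server; the query itself is logged."""
        shown, hidden = [], 0
        for d in self.docs.values():
            if self._matches(d, query):
                if self.can_open(user, d):
                    shown.append(d.title)
                else:
                    hidden += 1
        self.audit.append((user, query, len(shown), hidden))
        return shown

    def suspicious_searchers(self, min_hidden_queries=3):
        """Users who keep searching for things the wall hides from them.
        An audit trail that only records document opens never sees this."""
        counts = defaultdict(int)
        for user, _query, _shown, hidden in self.audit:
            if hidden:
                counts[user] += 1
        return sorted(u for u, n in counts.items() if n >= min_hidden_queries)


def build_demo():
    """Constructed sample data: two walled deals and one firm-wide document."""
    dms = Dms()
    dms.add(Doc("d1", "Project Falcon", "Merger Agreement - Acme Corp / Falcon Holdings", "..."), {"alice"})
    dms.add(Doc("d2", "Project Falcon", "Board Resolution approving Acme acquisition", "..."), {"alice"})
    dms.add(Doc("d3", "Project Heron", "Press release draft - Heron Inc tender offer", "..."), {"bob"})
    dms.add(Doc("d4", "General", "Firm holiday schedule 2011", "..."), {"alice", "bob", "mallory"})
    return dms


if __name__ == "__main__":
    dms = build_demo()
    print("naive :", dms.search_naive("mallory", "merger"))   # the title leaks
    print("walled:", dms.search_walled("mallory", "merger"))  # []
    for q in ("resolution", "tender"):
        dms.search_walled("mallory", q)
    print("review:", dms.suspicious_searchers())               # ['mallory']
```

Two design points matter more than the toy filtering. First, the hidden count is recorded but never returned: even "3 results, 2 restricted" tells a searcher that a deal exists. Second, the review list is built from queries that matched walled documents, which is exactly the activity an open-only audit trail cannot see; in a real system the threshold and the matter-to-user map would come from the firm's conflicts and wall database, not from constants.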

Law Firm Not Liable for Purchasing Competitor's Name as Keyword to Drive Traffic to Own Website (ABA Journal, 8 June 2011) - Once upon a time, when bus benches and the yellow pages offered some of the only ways to promote a personal injury firm effectively, competitors tried to crowd each other out or dominate the space with the biggest ad. It wasn't unheard-of to put a billboard up right next to another law firm's offices. And, now that the Internet provides another option, purchasing key words to drive traffic to a website is simply another form of acceptable proximity advertising, a Wisconsin judge has ruled. Although Habush Habush & Rottier had argued that it had a privacy right in the names of its name partners, Milwaukee County Circuit Judge Charles Kahn Jr. effectively told the plaintiff personal injury firm, "Welcome to the 21st century," reports the Milwaukee Journal-Sentinel. While there may be a privacy issue, Kahn held, another law firm's purchase of the names Habush and Rottier as advertising key words on the Internet is a reasonable commercial use. The Habush firm plans to appeal today's ruling, as competitor Cannon & Dunphy celebrated its victory. Kahn was somewhat sympathetic to an argument that it is unethical for a law firm to misrepresent itself by using another law firm's name. However, he said there is no ethical prohibition, at present, against doing so. "The time may come when a legislature, regulatory board or supreme court determines that the conduct at issue in this case is deceptive and misleading and therefore improper," he wrote. "But no such body has yet drawn this conclusion." [Editor: I think I agree that overriding ethical concerns should cause a different result. For good, albeit 15-month-old, summary of social media legal ethics/practice issues look at: http://solopracticeuniversity.com/2010/03/11/a-dozen-social-media-ethics-issues-for-lawyers/ ]

NATO Uses Twitter to Help Gather Targets in Libya (Mail & Guardian, 16 June 2011) - NATO is using information gleaned from Twitter to help analysts judge which sites could be targeted by commanders for bombing and missile strikes in Libya. Potentially relevant tweets are fed into an intelligence pool then filtered for relevance and authenticity, and are never passed on without proper corroboration. However, without "boots on the ground" to guide commanders, officials admit that Twitter is now part of the overall "intelligence picture". They said NATO scooped up all the open source information it could to help understand Gaddafi, who is constantly changing his tactics and concealing himself -- and his forces -- in places such as schools and libraries. [NATO] monitors Twitter feeds from Tripoli and other places for "snippets of information". These could then be tested, corroborated or not, by NATO's own sources, including direct lines of communication with the rebels, and imagery and eavesdropping from Nimrod spy planes. NATO is also aware that Gaddafi might be using Twitter to feed false information. "We have to be careful it is not used for propaganda [by Gaddafi's forces]," the NATO official said.

Court: Passwords + Secret Questions = 'Reasonable' eBanking Security (June 17, 2011) - A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week - if adopted by a U.S. district court in Maine - will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. In May 2009, Sanford, Maine-based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn.-based People's United Bank. Patco used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days. In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco's account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco's line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans. Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco's motion for summary judgment and granting the bank's motion. A copy of the recommended decision is available here (PDF).

- and -

Bank Left Holding the Bag in Phishing Attack (Steptoe's E-Commerce Law Week, 7 July 2011) - The U.S. District Court for the Eastern District of Michigan has held Comerica Bank responsible for withdrawals made by a hacker who had "phished" a Comerica customer in order to gain access to the customer's accounts. Even though the customer's employee had fallen for the phishing trick - an email made to look like it was from the bank, which asked for confidential account information - the court held that the bank failed to prove that it had acted in accordance with "reasonable commercial standards" when it allowed the hacker's wire transfers to go through. Though the decision in ExperiMetal, Inc., v. Comerica Bank involves an interpretation of Michigan law, that law is based on the Uniform Commercial Code, meaning the decision will have at least persuasive effect in other states. This case underscores the importance for financial institutions of having well-developed procedures for detecting fraudulent transactions as part of their overall security programs. Until an effective means is developed to prevent phishing attacks altogether, some of the defense will need to focus on limiting the damage phishers can do once they are inside the bank's network.

What Big Media Can Learn From the New York Public Library (The Atlantic, 20 June 2011) - With all [recent] change -- not to mention a possible $40 million budget cut looming -- it would be no surprise if the library was floundering like the music industry, newspapers, or travel agents. (Hey, man, we all get disintermediated sooner or later.) But that's the wild thing. The library isn't floundering. Rather, it's flourishing, putting out some of the most innovative online projects in the country. On the stuff you can measure -- library visitors, website visitors, digital gallery images viewed -- the numbers are up across the board compared with five years ago. On the stuff you can't, like conceptual leadership, the NYPL is killing it. The library clearly has reevaluated its role within the Internet information ecosystem and found a set of new identities. Let's start from here: One, the New York Public Library is a social network with three million active users and two, the New York Public Library is a media outfit. The library still lends books, but over the past year, the NYPL has established itself as a beacon in the carcass-strewn content landscape with smart e-publications, crowdsourcing projects, and an overall digital strategy that shows a far greater understanding of the power of the Internet than most traditional media companies show. Biblion, a storytelling app whose iPad icon features the lion head, is the flashiest of these efforts. It presents a slice of the library's 1939 World Fair Collection in a format that, while controversial, pushed the traditional boundaries of the e-publication. Moving around the app doesn't feel like flipping through the pages of a museum catalog or crawling around a website. To me, it felt like a native application for the tablet era, a new form for the more spatial experience afforded by the tablet's touchiness. Even for those who didn't like the interface, the question had to be asked: this thing came out of a library? 
Then there are the library's slick crowdsourcing projects, which allow users to digitize beautiful old menus from New York's restaurants and plot historical maps of the city onto the GPS-enabled digital maps of today. Both projects are useful and feature user interfaces that best most commercial crowdsourcing applications.

The North Carolina Bar's Double Standard for Data and Dollars (Carolyn Elefant, 20 June 2011) - Two months ago, North Carolina released Proposed Formal Ethics Opinion 6, Subscribing to Software as a Service (SaaS) While Fulfilling the Duties of Confidentiality and Preservation of Client Property. As others, including my Social Media for Lawyers co-author Nicole Black, NC Bar LPM Advisor Eric Mazzone, e-lawyering pioneer Richard Granat and North Carolina virtual lawyer Steph Kimbro have already written, the decision represents a step backward for lawyers - and indeed, may have the effect of precluding lawyers from using popular services like Google docs, Mozy, email or texting even for entirely non-confidential purposes. It's bad enough that North Carolina's proposed opinion will make it nearly impossible for lawyers to take advantage of new technologies that could reduce the cost of legal service. But to add insult to injury, FEO 6's stringent regulations apply only to use of SaaS (or cloud) vendor services, while giving online banking services for trust account management a pass, in a proposed opinion released the same day, FEO 7 Using Online Banking to Manage a Trust Account. Yet, there's no rational justification for North Carolina to maintain a double standard for online management of client dollars and client data. North Carolina's proposed FEO 7 requires lawyers using online banking to exercise reasonable care, specifically, taking steps to minimize the risk of loss or theft of client money. Though the Opinion states that lawyers have an affirmative duty to understand the risks of online banking and to employ best practices such as strong password policies, the Opinion goes on to state that: "Understanding the contract with the depository bank and the use of the resources and expertise available from the bank are good first steps toward fulfilling the lawyer's fiduciary obligations."
Simply put, lawyers can meet their ethics obligations by relying on banks as a trusted source of information regarding online banking security practices.
Contrast the bar's deferential approach towards online banking with its adversarial attitude towards SaaS companies. Lawyers can't simply rely on a cloud provider's expertise in security practices or on the company's representations regarding its security practices. Instead, lawyers are required (not encouraged, but required!) to:

  • personally, or through a security expert, evaluate the company's measures for safeguarding the physical and electronic security of data, including but not limited to "firewalls, encryption techniques, socket security features, and intrusion-detection systems."
  • investigate a cloud provider's financial history
  • review the cloud provider's security audits, and
  • install special security software to ensure that users connected to cloud vendors are protected against malware and viruses.

Expert Assesses Cyberinsurance Market: Demand, Prevention, Recovery (Insurance Journal, 20 June 2011) - Demand for cyberinsurance was rising even before the most recent highly-publicized parade of breaches at major corporations and organizations. After the news of the first major Sony hack but before the subsequent reports involving Sony, Citicorp, the International Monetary Fund and others, Insurance Journal spoke with an expert to gauge how the insurance market for this coverage is doing. James Whetstone, senior vice president and U.S. technology and privacy manager for insurer Hiscox Specialty, is a former technology geek and broker turned underwriter. Hiscox is one of the original underwriters of the coverage. Whetstone says there are almost 30 carriers now offering cyber liability coverage, some more seriously than others. He says times of claims like these are when an insurer's commitment to a market can be tested, citing what he calls the "naive" capacity that exists. The coverage has evolved quickly - Whetstone compares the product's acceptance to that of employment practices liability (EPL) coverage - to where cyberinsurance is a "must-have" for most firms today. The underwriting has also changed. "We used to really focus our underwriting attention on how well they could prevent the breach, but we've added another phase to it," says Whetstone. "Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It's the same with this incident response plan."

Business Must Report Data Breaches to Public, EU Says (ZDnet, 21 June 2011) - Businesses in all sectors will have to tell customers when their data has been exposed in a security breach, EU justice and rights commissioner Viviane Reding has told a gathering of bankers in London. On Monday, Reding said she will extend the breach notification obligations that already apply to telecoms and internet access companies. Such plans have been afoot for at least the last three years. "I intend to introduce a mandatory requirement to notify data security breaches - the same as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services," Reding said at the British Bankers' Association's Data Protection and Privacy Conference. In support of the proposals, Reding noted recent data thefts that have hit people using PlayStation, Google and Facebook services, saying that such breaches hurt confidence in the internet and in online services.

Survey: 90% of Companies Say They've Been Hacked (PC World, 22 June 2011) - If it sometimes appears that just about every company is getting hacked these days, that's because they are. In a new survey (download PDF) of 583 U.S. companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their companies' computers were breached at least once by hackers over the past 12 months. Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months. Those numbers are significantly higher than similar surveys and suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks. "We expected a majority to say they had experienced a breach," said Johnnie Konstantas, director of product marketing at Juniper. "But to have 90% saying they had experienced at least one breach and more than 50% saying they had experienced two or more, is mind blowing," she said. It suggests "that a breach has become almost a statistical certainty," these days. The organizations that participated in the Ponemon survey cut across both the private sector and government and ranged from relatively small entities with fewer than 500 employees to enterprises with more than 75,000. The online survey was conducted over a five-day period earlier this month. Roughly half of the respondents blamed resource constraints for their security woes, while about the same number cited network complexity as the primary challenge to implementing security controls. [Editor: see discussion in MIRLN 14.08 under "Senators Ask SEC for Guidance on Information Security Risk Disclosure" et al. This is becoming a huge governance issue, I think.]

U. of Michigan Library Opens Up Orphan Works (InsideHigherEd, 23 June 2011) - The University of Michigan Library will announce today that it will be allowing authorized library patrons to access all of its digitized "orphan works" in full. Students and guests will now be able to access online any texts they would have been able to find in the stacks, Michigan officials said in a press release. This is the latest step in Michigan's attempts to identify and unlock the orphans -- books whose copyright holders cannot be found or contacted -- in its collection. The university announced last month that it is also working to identify more orphans among the millions of volumes held by HathiTrust Digital Library, a Michigan-based aggregator of university library collections. Other institutions are preparing to make their own orphans available to authorized students and researchers, officials said in Wednesday's press release. In light of a federal court's recent rebuke of Google's attempts to sell broad access to orphan works through its controversial Google Books Project, experts have speculated that it may be up to Congress to determine how orphans can and cannot be used. Michigan is not waiting around to open up its own orphans to authorized users, a move that it sees as covered by the "fair use" exemptions to copyright law.

Facebook Friend Request to Exec of Represented Corp. May Violate Ex Parte Rule, Opinion Says (ABA Journal, 23 June 2011) - A lawyer who sends a Facebook friend request to executives of a corporation he or she knows is represented by counsel in a litigation matter is violating a legal ethics rule against ex parte communications with parties, the San Diego County Bar Ethics Committee held in an advisory ethics opinion (PDF) last month. However, "nothing in our opinion addresses the discoverability of Facebook ruminations through conventional processes, either from the user-represented party or from Facebook itself," writes the San Diego committee in its opinion. "The conclusion we reach is limited to prohibiting attorneys from gaining access to this information by asking a represented party to give him entry to the represented party's restricted chat room, so to speak, without the consent of the party's attorney. The evidentiary, and even the disciplinary, consequences of such conduct are beyond the scope of this opinion and the purview of this committee." The opinion is billed in a Recorder article as the first to address the issue. But prior ethics opinions in New York and Philadelphia have focused on similar Facebook friending concerns:

Lawyers Can't Friend Potential Witnesses Under False Pretenses, Ethics Opinion Says

Attorney Can't Ask 3rd Party to 'Friend' Witness on Facebook, Opinion Says

Friending a Naive Adverse Witness for Info Could Violate Ethics Rules

[Editor: Eric Goldman's blog also has a useful analysis of the San Diego holding: http://blog.ericgoldman.org/archives/2011/06/san_diego_count.htm]

What The Drake Prosecution Was Really About - IG Report Vindicates NSA Whistleblowers (Jesselyn Radack, Daily Kos, 23 June 2011) - The Department of Defense Inspector General just released a heavily redacted version of the Intelligence Audit "Requirements for the TRAILBLAZER and THINTHREAD SYSTEMS." NSA whistleblower Tom Drake served as a critical material witness during the investigation for this report. Drake's reward was an indictment under the Espionage Act. This Report is what the government's case against NSA whistleblower Tom Drake was really about. Drake would have been on trial this week had the Justice Department's case not crumbled two weeks ago in the face of negative judicial rulings and almost universally critical media coverage (chiefly in The New Yorker and on 60 Minutes, The Washington Post, and Politico). The newly-released IG report completely vindicates Drake, and the Hotline complainants (former NSA officials J. Kirk Wiebe, Bill Binney and Ed Loomis, and former House Intelligence Committee staffer Diane Roark) who raised concerns that the National Security Agency (NSA) was trading the security of the American people for an undeveloped funding vehicle (Trailblazer) that needlessly invaded the privacy of Americans; all the while NSA rejected a viable, cheaper program (ThinThread) that contained privacy protections and was ready to deploy prior to 9/11. My organization, Government Accountability Project (GAP), represents Drake, Binney and Wiebe. [Editor: see discussion and related stories in MIRLN 14.07 about the Drake prosecution.]

Court Conducts In Camera Review of Plaintiff's Facebook Page to Resolve Discovery Dispute (Eric Goldman's blog, 24 June 2011) - Background: Discovery disputes over Facebook accounts and whether they are discoverable in civil cases are piling up. Courts and litigants continue to grapple with the central problem that even to the extent the information is properly discoverable, at least some portion of a litigant or party's Facebook account deserves privacy protection and should also be protected by federal statutes such as the Stored Communications Act. On the other hand, an opposing litigant needs to get access to the Facebook profile in order to determine whether something contained in the account is relevant, in order to articulate a "likely to lead to the discovery of admissible evidence" argument. Courts have come up with interesting and mostly imperfect ways to solve this problem. In one case, a court suggested that the litigants "friend" the court so the court could review the contents of the account which would be visible to the witness's friends. ("Judge Offers to Facebook 'Friend' Witnesses in Order to Resolve Discovery Dispute.") In this case, the court conducted an in camera review of the plaintiff's Facebook profile and determined what information was discoverable. * * * It still feels awkward that the court took the approach of actually logging in to plaintiff's Facebook account using plaintiff's password. Isn't this a violation of the Facebook terms of service? There's another issue lurking in the background of these disputes that courts will be forced to confront: can a party be forced to consent to disclosure of information that falls under the Stored Communications Act? No case has directly confronted this question, although one court has held that a party's default and fugitive status is not consent. (See "Being a Fugitive is Not Consent for Production under the Stored Communications Act.")

Lawsuit: Sony Laid Off Security Staff, Unprepared for PS3 Hacks (ArsTechnica, 24 June 2011) - A new class-action lawsuit has been filed against Sony that claims the company has been negligent with online security, leading to multiple hostile attacks and the loss of customers' private data. The suit claims that personal information - including credit card numbers and expiration dates - was taken from Sony's servers, and cites a number of confidential witnesses who claimed Sony's security was inadequate. Perhaps most damning is the claim that Sony laid off employees working in security before the attacks. "Sony was more concerned about their development server being hacked rather than some consumer's data being stolen," according to a confidential witness quoted in the complaint. "They want to protect themselves and not the people that use their servers." While Sony has always stressed that the company has no reason to believe credit information was compromised, the complaint treats the theft of credit card data as fact. The suit claims that Sony "spent lavishly to secure its proprietary development server containing its own sensitive information," while not providing nearly the same level of security for the information of its customers. The suit asks for "appropriate" restitution for class members, credit-monitoring services, and "exemplary damages" if it's found that Sony acted in a reckless or negligent manner.

Companies Are Erecting In-House Social Networks (NYT, 26 June 2011) - What would Facebook look like without photos of drunken nights out and tales of misbehaving cats? It might look a lot like the internal social network at the offices of Nikon Instruments. The tone is decidedly businesslike, as employees exchange messages about customer orders, new products and closing deals. And the general rule is that "if you don't want your company president to see it, don't post it," said John G. Bivona, a customer relations manager at Nikon Instruments, which makes microscopes. As social networks increasingly dominate communications in private lives, businesses of all sizes - from tiny start-ups to midsize companies like Nikon to behemoths like Dell - are adopting them for the workplace. Although it is difficult to quantify how many companies use internal social networks, a number of corporate software companies have sensed the opportunity and offer various systems, some free to existing customers, others that charge a fee per user. It's one more instance of how consumer technology trends, like the use of tablet computers, are crossing into office life. Because of Facebook, most people are already comfortable with the idea of "following" their colleagues. But in the business world, the connections are between colleagues, not personal friends or family, and the communications are meant to be about work matters - like team projects, production flaws and other routine business issues. At Nikon, for example, which employs 500 people in offices throughout the United States, Canada and Brazil, a code of conduct for using the service leaves little room for the idle chit-chat that is pervasive on Facebook. Still, it can be tricky to transport the mores and practices of social networking into the office. For instance, some workers prefer to be "lurkers" who read posts rather than write them. Others are just not interested. 
At Symantec, the computer security company, a few employees initially disliked the idea of an internal social network, but nevertheless used it to air their complaints. Another issue is how to protect corporate secrets. The systems are generally set up so that companies can determine who sees particular files and who belongs to specific groups on the network. Yet problems still arise over where the data is ultimately stored. Some social network providers use their own servers. But that may conflict with the rules of some potential clients that prohibit storing company information outside their firewall, said Susan Landry, an analyst with Gartner. [Editor: these tools dovetail with "knowledge management" processes, facilitating communities of practice and lubricating knowledge-flows. Listen to Harvard Prof. Andrew McAfee's 2009 podcast "Enterprise 2.0: How Organizations Are Exploiting Web 2.0 Technologies and Philosophies", available at KnowConnect.com]

'Times' Ticks On (InsideHigherEd, 28 June 2011) - The New York Times Company plans to continue its slow advance into the realm of higher education this fall. It announced today that it is teaming up with the University of Southern California to offer continuing education programs to try to tap a growing market of adults looking to pick up new skills. The new programs will comprise sequences of online courses taught by USC faculty through the Times Company's online learning platform. While the programs will not count toward any degree, they represent the media company's first foray into multicourse online sequences intended to confer a coherent body of knowledge. And that is yet another step toward full-fledged degree programs, which are coming, according to Felice Nudelman, the company's executive director of education. The company is pursuing partnerships that might soon have it stamping its seal on diplomas, Nudelman says. "We intend to grow in that market," she says. "With USC, we are excited with this first step because we are excited about the potential for further depth and collaboration." The Times Company, which has seen its annual revenues fall by about 30 percent in the last five years, has waded into the waters of higher education more deliberately than some of its peers -- most notably the Washington Post Company, which now pays for its journalism operations largely off the back of Kaplan Inc., one of the country's largest degree-granting enterprises. But the Times's activities in higher education have picked up in recent years. The Times Company in 2008 purchased a majority stake in Epsilen, an online learning and social networking platform. It has since teamed up with a number of colleges and universities to offer online courses in which students can earn certificates and, in some cases, transferable credits.
The Times Company would not disclose how much money it has been making from its higher ed forays, but Nudelman says it has been "very happy" with the outcome so far. At a time when many institutions are entering into financial partnerships with outside education companies to help grow their online infrastructures, sometimes to the chagrin of traditional faculty, the Times is trying to position itself as an alternative to companies that offer similar services but seem like less natural allies to universities. "It is a model that we find our colleagues in the education sector to be comfortable with, and it's a model that benefits both in terms of revenue," says Nudelman.

Newsgathering Law: A Guide for Reporting (Citizen Media Law Project, 28 June 2011) - Post by David Ardia: "I'm excited to announce the latest installment in a series of legal modules we are publishing in conjunction with Poynter's News University. The free course, entitled Newsgathering Law & Liability: A Guide for Reporting, is designed for reporters, citizen journalists and anyone who wants to know more about the laws that relate to gathering content, interviewing sources and handling documents. It's chock full of interactive exercises and quizzes and anyone can enroll at the NewsU site and take the course at their own pace. I co-authored the module with Geanne Rosenberg, Chair of the Department of Journalism and the Writing Professions at the City University of New York's Baruch College. This is our second course module at NewsU. The first, entitled Online Media Law: The Basics for Bloggers and Other Publishers, went live in 2008 and -- shockingly -- is NewsU's most popular legal course. Hopefully we will catch some of that magic with this one."

FFIEC Releases Banking Authentication Guidance (DigitalIDNews, 29 June 2011) - The Federal Financial Institutions Examination Council released new guidance for financial institutions on online customer authentication to accounts. The council first released guidance in 2005 recommending a risk-based approach and telling institutions to perform periodic assessments in response to new threats. The latest report reinforces those expectations. "Financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks," the supplement states. "It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution's customer awareness and education program." The new guidance recognizes the emergence of malware and new, more sophisticated man-in-the-middle and man-in-the-browser attacks. The attacks can circumvent one-time passcode tokens, and the report recommends anti-malware software, transaction monitoring, out-of-band authentication and secure USB devices. Lacking from the report is any guidance on how financial institutions should do authentication on mobile devices. The FFIEC's Guidance is here: http://images.avisian.com/Auth-ITS-Final_6-22-11_FFIEC_Formated.pdf
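The guidance's point, and the one the Patco case earlier in this issue turns on, is that a login credential (even a one-time code) proves nothing once malware sits in the customer's browser; the controls that still work look at the transaction rather than the login. The following added example (written for this issue, not code from the FFIEC, DigitalIDNews, or any bank) sketches a risk-based monitor for outbound ACH batches with an out-of-band confirmation as the step-up. The customer profile, the signal weights, the thresholds and the sample batches are constructed for the demo; they loosely follow the Patco pattern (weekly payroll to known payees, then a burst of batches to unknown payees within a week) but are not Patco's data.

```python
"""Added example, not from the FFIEC supplement or the article: a small
risk-based monitor for outbound ACH batches of the kind the guidance calls
'layered security', with out-of-band confirmation as the step-up for the
riskiest batches. The customer profile, thresholds and batches are constructed
for the demo and loosely follow the Patco pattern described above (weekly
payroll, then a burst of batches to unknown payees)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Batch:
    when: date
    total: float
    payees: frozenset   # destination account identifiers in the batch
    device_id: str      # device/browser fingerprint presented at login


@dataclass
class Profile:
    known_payees: set
    known_devices: set
    usual_weekday: int  # 0 = Monday ... 6 = Sunday
    typical_total: float


def signals(batch, profile, history):
    """Returns the list of risk signals a batch trips. Each one is weak alone
    (a new hire is a new payee); it is the stacking that indicates takeover."""
    found = []
    new = batch.payees - profile.known_payees
    if new:
        found.append(f"{len(new)} of {len(batch.payees)} payees never paid before")
    if batch.device_id not in profile.known_devices:
        found.append("login from unrecognised device")
    if batch.when.weekday() != profile.usual_weekday:
        found.append("off-cycle day for this customer")
    if batch.total > 1.5 * profile.typical_total:
        found.append("total well above customer baseline")
    recent = [b for b in history if 0 <= (batch.when - b.when).days <= 7]
    if len(recent) >= 2:
        found.append(f"{len(recent)} earlier batches in the past 7 days")
    return found


def decide(batch, profile, history, hold_at=2, oob_at=3):
    """RELEASE, HOLD_FOR_REVIEW, or OUT_OF_BAND_CONFIRM. The out-of-band step
    must carry the payee list and amount on a channel the browser does not
    control (e.g. a call-back read by a person), so a man-in-the-browser that
    has already swapped the payees cannot also approve the swap."""
    found = signals(batch, profile, history)
    if len(found) >= oob_at:
        return "OUT_OF_BAND_CONFIRM", found
    if len(found) >= hold_at:
        return "HOLD_FOR_REVIEW", found
    return "RELEASE", found


# Constructed sample customer and batches (not Patco's real data).
PROFILE = Profile(known_payees={"p1", "p2", "p3"}, known_devices={"dev-office"},
                  usual_weekday=3, typical_total=45_000.0)
PAYROLL = Batch(date(2009, 5, 7), 44_000.0, frozenset({"p1", "p2", "p3"}), "dev-office")
NEW_HIRE = Batch(date(2009, 5, 14), 46_000.0, frozenset({"p1", "p2", "p3", "p4"}), "dev-home")
MULE_1 = Batch(date(2009, 5, 8), 56_000.0, frozenset({"m1", "m2", "m3", "m4"}), "dev-unknown")
MULE_2 = Batch(date(2009, 5, 11), 90_000.0, frozenset({"m5", "m6", "m7", "m8"}), "dev-unknown")


def demo():
    """Runs the payroll batch and the two mule batches in order, feeding each
    decided batch back into the history the next one is scored against."""
    history, out = [], []
    for b in (PAYROLL, MULE_1, MULE_2):
        verdict, _why = decide(b, PROFILE, history)
        out.append(verdict)
        history.append(b)
    return out


if __name__ == "__main__":
    for b in (PAYROLL, NEW_HIRE, MULE_1):
        print(decide(b, PROFILE, []))
    print(demo())
```

The legitimate payroll releases, a plausible new hire paid from a home machine is held for a human look, and the first mule batch (all-new payees, new device, off-cycle day) is pushed to out-of-band confirmation before the seven-day burst in the Patco case could even begin. What makes the confirmation effective against the malware the guidance describes is not the second channel by itself but that the channel repeats the payees and amount the bank actually received, which is what a man-in-the-browser alters.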

Olympic Social Media Guidelines In Full: Athlete Photos But No Video (PaidContent.org, 29 June 2011) - News media this week reported next year's London Olympics will allow athletes to tweet from the Summer Games. In fact, that consent was contained in general guidelines applying to all social media, which were issued to athletes back in May and which themselves are a variant of guidelines issued for Vancouver 2010 and, later, the Youth Olympic Games in Lausanne… They are permissive yet notably try to protect broadcasters and sponsors. Video and audio from within venues is banned and other material must be "in a first-person, diary type format and should not be in the role of a journalist". Athletes are forbidden from promoting their sponsors in social media. In parts, the guidelines are loose enough to potentially be contradictory. Athletes are allowed to "post still photographs" from inside venues but not to "distribute these photographs". "Taking Facebook as an example, we would be crazy not to want to be involved in a platform that has half a billion active users - that's one in 12 people in the world," according to IOC communications director Mark Adams. IOC Guidelines are here: http://www.olympic.org/Documents/Games_London_2012/IOC_Social_Media_Blogging_and_Internet_Guidelines-London.pdf

U.S. Company Preying on Foreigners Feels the Wrath of the FTC (Steptoe's E-Commerce Law Week, 30 June 2011) - Kryptonite may be Superman's weakness, but it apparently has no effect on the Federal Trade Commission's enforcement powers. The FTC recently reached a settlement with Balls of Kryptonite, a California retailer that had tricked British customers into believing that it was based in England. The enforcement action was brought under Section 5 of the FTC Act, which prohibits unfair or deceptive practices; the Undertaking Spam, Spyware, and Fraud Enforcement With Enforcers beyond Borders Act (U.S. SAFE WEB Act); and the FTC Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule). The U.S. SAFE WEB Act allows the agency to bring actions against U.S. companies that harm foreign nationals. Balls of Kryptonite was also accused of misrepresenting its participation in the EU-U.S. Safe Harbor Framework. Under the settlement, the company will be banned from using foreign website suffixes (such as ".co.uk"), and will cease certain business practices that were determined to be unfair or deceptive. Balls of Kryptonite will also be fined $500,000. The action represents the first time that the FTC has punished a company under the U.S. SAFE WEB Act for doing harm to foreign nationals.

Alarm Over ABA Study of Online Advertising Proves Unfounded (NLJ, 30 June 2011) - The ABA's Commission on Ethics 20/20 caused a minor stir last fall when it launched a study into the ethics of online client development tools including Facebook. The Commission on June 29 released its conclusions, and they are hardly drastic. Rather than develop a new set of rules pertaining specifically to online advertising, the commission recommended several relatively minor clarifications to the existing rules. The point was to offer attorneys more guidance about their ethical responsibilities when it comes to online client development, according to the report submitted by the commission, which is chaired by Wilmer Cutler Pickering Hale and Dorr partner Jamie Gorelick. The commission's Technology Working Group looked at recent surveys of how lawyers use technology, examined marketing Web sites, reviewed litigation and disciplinary proceedings involving online client development, and considered suggestions by other ABA sections. "As a result of these efforts, the commission concluded that no new restrictions on lawyer advertising are required," the panel wrote. "For example, the commission concluded that Rule 7.1's prohibition against false and misleading communications is readily applicable to online advertising and other forms of electronic communications that are used to attract new clients." The relatively small scale of the proposed changes has helped ease the concerns that surfaced among legal marketers in October when the review was announced. Some marketers feared that the inquiry would lead to onerous restrictions, while others applauded the possibility that the ABA would clear up unanswered questions about what is permissible online. Massachusetts lawyer Robert Ambrogi said that the proposals strike a "sensible balance" between the need to regulate lawyer advertising and lawyers' ability to use technology to educate consumers. 
[Editor: There are some areas of concern in the proposed revised rules - e.g., the requirement that disclaimers be "conspicuously placed" in Comment 3 to Rule 1.18. The Commission's Report is here: http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20110629ethics202technologyclientdevelopmentinitialresolutionsandreport.authcheckdam.pdf ]

Talking (Exclamation) Points (NYT, 1 July 2011) - In an essay published in 1895 called "How to Tell a Story," Mark Twain chastised writers who use "whooping exclamation-points" that reveal them laughing at their own humor, "all of which is very depressing, and makes one want to renounce joking and lead a better life." One shudders to imagine what Twain would have made of e-mail. Writing is by definition an imperfect medium for relaying the human voice. And in the age of electronic communication, when that voice is transmitted so often via e-mail and text message, many literate and articulate people find themselves justifying the exclamation point to convey emotion, enthusiasm or excitement. Some do so guiltily, as if on a slippery slope to smiley faces. "I've degenerated to the point where I allow one per e-mail, but I don't feel good about it," said Alex Knight, a media and technology investor in Seattle. "If I use one, I will go back and delete the previous ones. It's sort of 'Sophie's Choice.' " In their book "Send: Why People Email So Badly and How to Do It Better," David Shipley and Will Schwalbe say that the exclamation point was originally reserved for an actual exclamation ("My goodness!" or "Good grief!") but that they have become unexpected champions of this maligned punctuation. "We call it the ur emoticon," Mr. Schwalbe said in a recent phone conversation. "In an idealized world, we would all be able to do what our English teachers told us to do, which is to write beautiful prose where enthusiasm is conveyed by word choice and grammar." [Editor: There's quite a bit more here; it's thoughtful and useful.]

So Sue Me: Are Lawyers Really the Key to Computer Security? (ArsTechnica, 1 July 2011) - If your code gets hacked, are you the one on the hook? In the early decades of the software industry, the answer was usually "no." Software licenses routinely disclaimed liability, and until recently, security flaws were considered to be just another fact of life. When problems were discovered, companies were expected to fix them quickly, but they were rarely on the hook for the resulting damage. That's changing rapidly. Recently, Sony faced a class action lawsuit for losing the private information of millions of users. And this week, it was reported that Dropbox is already being sued for a recent security breach of its own. It's too early to know if these particular lawsuits will get anywhere, but they're part of a growing trend. As online services become an ever more important part of the American economy, the companies that create them increasingly find that security problems are hitting them where it really hurts: the bottom line. The world in which software companies could safely treat security as an afterthought is gone, but it's not yet clear what will replace it. Class action lawsuits and FTC enforcement actions are two possible mechanisms for getting companies to take security seriously. But there are other candidates, including prospective security audits, education, and data retention rules. The right rules will encourage companies to take security seriously, but too much regulation could unduly hamper the software development process. [Editor: Some leaders in the Intelligence Community are pointing to lawsuits, and the resulting move toward better governance, as a useful security development. Me, too.]

Ear! Ear! Podcast Gains Are in the Listening, Not Creating (Dennis Kennedy, 1 July 2011) - Podcasts have become a great way to get free, informative audio programs on a seemingly limitless number of topics, including legal topics. However, most lawyers are not taking full advantage of the potential of podcasts. That might be because most articles about lawyers and podcasting focus on lawyers creating their own podcasts. While podcasting might make sense for a limited number of lawyers, listening to podcasts will have value for many lawyers. In this column, we'll focus on listening to podcasts, how to start listening to podcasts and, if you already do so, how to improve your experience.

Job Posting to LinkedIn Group Doesn't Violate Non-Solicitation Clause (Eric Goldman's blog, 3 July 2011) - Enhanced developed software, and had a relationship with Hypersonic, which modified existing software. The two companies often jointly bid on projects together. They were parties to an agreement which contained the following non-solicitation clause: "Employee Protection. During the term of this Agreement and for a period of twelve (12) months from the date of effective date of its termination, unless mutually agreed to in writing otherwise the Parties . . . shall refrain from soliciting or inducing, or attempting to solicit or induce, any employee of the other Party in any manner that may reasonably be expected to bring about the termination of said employee toward that end . . . ." Some time after Enhanced and Hypersonic unsuccessfully bid on a project, Hypersonic posted an open position for an outside sales representative to "its LinkedIn webportal" (which the court describes as "a social internet site that connects businesses and people"). An Enhanced employee saw the posting and informed the President of Hypersonic that he was interested. After this, the employee met with Hypersonic's owner and hammered out a deal. Hypersonic then filed a complaint for declaratory relief regarding the enforceability of the agreement between Hypersonic and Enhanced. (There must have been some sabre-rattling obviously that prompted the filing of the complaint by Hypersonic.) The trial court concludes that Hypersonic did not violate the non-solicitation clause by posting the opening on LinkedIn. The appeals court affirms. 
The court looks to the dictionary definitions of the relevant terms ("solicit" and "induce") and concludes that Hypersonic did not solicit or induce the Enhanced employee to terminate his relationship with Enhanced: "[t]he record clearly supports that [the employee] made the initial contact with Hypersonic after reading the job posting on a publicly available portal of LinkedIn. In other words, [the employee] solicited Hypersonic." A previous case addressing the question of whether recruiters violated their non-compete clause by "connecting" (on LinkedIn) with candidates who were in discussions with their previous employer settled quietly. Here's Evan Brown's initial post on the case: "Nefarious LinkedIn use finally makes it to the courts." Here is a copy of the stipulated permanent injunction, which imposes broad restrictions on the defendants' solicitation of certain customers, but interestingly does not mention LinkedIn. [Editor: instant case: Enhanced Network Solutions Group v. Hypersonic Technologies Corp., 2011 WL 2582870 (Ind. Ct. App. June 30, 2011)]

Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information (BeSpacific, 4 July 2011) - "The purpose of this proposed DFARS rule is to implement adequate security measures to safeguard unclassified DoD information within contractor information systems from unauthorized access and disclosure, and to prescribe reporting to DoD with regard to certain cyberintrusion events that affect DoD information resident on or transiting through contractor unclassified information systems. This rule addresses the safeguarding requirements specified in Executive Order 13556, Controlled Unclassified Information. On-going efforts, currently being led by the National Archives and Records Administration regarding controlled unclassified information, may also require future DFARS revisions in this area. This case does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow-on rulemaking procedures as appropriate." Federal Register Volume 76, Number 125 (Wednesday, June 29, 2011)

Unlicensed: Are Google Music and Amazon Cloud Player Illegal? (ArsTechnica, 4 July 2011) - Amazon.com made waves in March when it announced Cloud Player, a new "cloud music" service that allows users to upload their music collections for personal use. It did so without a license agreement, and the major music labels were not amused. Sony Music said it was keeping its "legal options open" as it pressured Amazon to pay up. In the following weeks, two more companies announced music services of their own. Google, which has long had a frosty relationship with the labels, followed Amazon's lead; Google Music Beta was announced without the Big Four on board (read our first impressions). But Apple has been negotiating licenses so it can operate iCloud with the labels' blessing. The different strategies pursued by these firms present a puzzle. Either Apple wasted millions of dollars on licenses it doesn't need, or Amazon and Google are vulnerable to massive copyright lawsuits. All three are sophisticated firms that employ a small army of lawyers, so it's a bit surprising that they reached such divergent assessments of what the law requires. So how did it happen? And who's right? [Editor: Pretty interesting piece, parsing the reverberations of the MP3 case, Cablevision's user-dedicated remote-storage DVR service, de-duplication thinking, and possible litigation strategies of Google and Amazon.]

Google Loses Street View Battle, But Did It Win Wiretap War? (Steptoe's E-Commerce Law Week, 7 July 2011) - In a recent ruling from the Northern District of California, a federal judge dismissed some claims but allowed others to proceed in a case brought against Google for alleged privacy violations in connection with its Street View program. In the class action suit, the plaintiffs brought claims against Google for violations of the wiretap portions of the federal Electronic Communications Privacy Act (ECPA) and various state laws that allegedly occurred when Google collected private information from unencrypted wireless networks while its specially outfitted cars drove through neighborhoods across the country, taking pictures for Google Street View. The court in In re Google Inc. Street View Electronic Communications Litigation allowed the plaintiffs' ECPA claim to go forward, but dismissed their state law claim. Although most attention in the media will focus on the court's ruling on the ECPA claim, the more consequential aspect of the ruling may be the court's decision that ECPA preempts state wiretap statutes, and that plaintiffs therefore could not bring claims against Google for violations of those statutes. As we recently reported, most courts have found that ECPA does not preempt state law. But now that another federal court has found that ECPA does preempt state wiretap laws, more courts could follow suit. This is a big deal for communications providers that want to monitor communications for purposes of network security or behavioral advertising, for example, since some state wiretap laws are more restrictive than ECPA. It also matters for employers who want to monitor employee communications. Ultimately, the preemption question will have to be resolved by the circuit courts, the Supreme Court, or Congress.

NOTED PODCASTS

Joi Ito: How to Save the Internet from its Success (Radio Open Source, 7 June 2011; 28 minutes) - If the Internet dream could take human form, it might look and sound a lot like cheerful, boyish, 44-year-old Joi Ito, the new director of the fantasy factory known as the MIT Media Lab. Like the Web, he's everywhere and nowhere - often, in fact, 30,000 feet in the air, circumnavigating the planet every couple of weeks, but wrapped always in a digital cloud of conversation and omnidirectional exploration.

Seth Flaxman & Paul Schreiber on a Netflix for Voting (Berkman, 24 May 2011; 61 minutes) - TurboVote is a service that makes voting by mail and voter registration as simple as renting a DVD with Netflix. Seth Flaxman - Co-Founder and Executive Director of Democracy Works (and a former Berkman Center intern) - and Paul Schreiber - one of the software engineers behind Barack Obama's 2008 presidential campaign - talk about how, in two months for spare change, TurboVote built what the government couldn't do for any price, and discuss the project's legal, technical and philosophical issues.

RESOURCES

Know Your Rights! (EFF, June 2011) - Your computer, your phone, and your other digital devices hold vast amounts of personal information about you and your family. This is sensitive data that's worth protecting from prying eyes - including those of the government. The Fourth Amendment to the Constitution protects you from unreasonable government searches and seizures, and this protection extends to your computer and portable devices. But how does this work in the real world? What should you do if the police or other law enforcement officers show up at your door and want to search your computer? EFF has designed this guide to help you understand your rights if officers try to search the data stored on your computer or portable electronic device, or seize it for further examination somewhere else.

LOOKING BACK - MIRLN TEN YEARS AGO

THE CHANGING MOVIE RENTAL BUSINESS In the four years since movies in digital video disk (DVD) format have been on the market, the VHS rental business has been stagnant. DVD sales have outpaced rental revenue by more than four to one in total dollars, and in a dramatic shift in video economics many movie studios are now selling their DVDs to Wal-Mart, Target, and other retailers for approximately the same price they charge a rental chain such as Blockbuster. Warner Home Video president Warren Lieberfarb says, "We are trying to drive this to be a mass distributed, high-volume impulse purchase, like a trade softback or paperback book. Ultimately, DVDs will be distributed as ubiquitously as paperback books." Lieberfarb predicts that the lower prices of DVD movies mean that "Blockbuster is finished," but Blockbuster chairman John Antioco disagrees: "DVD sales will never replace rentals. If Warner lowers the price, that will be the best news I have heard in a long time. We can lower our price somewhat to the renter and our margins would improve." (New York Times 16 Apr 2001) http://www.nytimes.com/2001/04/16/business/16DISC.html

CAR SPY PUSHES PRIVACY LIMIT (ZDNET News, 20 June 2001) -- Car renters beware: Big Brother may be riding shotgun. In a case that could help set the bar for the amount of privacy drivers of rental cars can expect, a Connecticut man is suing a local rental company, Acme Rent-a-Car, after it used GPS (Global Positioning System) technology to track him and then fined him $450 for speeding three times. The case underscores the ways that new technologies can invade people's privacy, said Richard Smith, chief technologist at the not-for-profit Privacy Foundation. "Soon our cell phones will be tracking us," he said. "GPS could be one more on the checklist here. Frankly, giving out speeding tickets is the job of the police, not of private industry." http://www.zdnet.com/zdnn/stories/news/0,4586,2778752,00.html

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.