Saturday, August 20, 2011

MIRLN --- 1-20 August 2011 (v14.11)

MIRLN --- 1-20 August 2011 (v14.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

A Case for Pseudonyms (EFF, 29 July 2011) - There are myriad reasons why individuals may wish to use a name other than the one they were born with. They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a name that's easier to pronounce or spell in a given culture. Online, the reasons multiply. Internet culture has long encouraged the use of "handles" or "user names," pseudonyms that may or may not be tied to a person's offline identity. Longtime online inhabitants may have handles that have spanned over twenty years. Pseudonymous speech has played a critical role throughout history as well. From the literary efforts of George Eliot and Mark Twain to the explicitly political advocacy of Publius in the Federalist Papers or Junius' letters to the Public Advertiser in 18th century London, people have contributed strongly to public debate under pseudonyms and continue to do so to this day. A new debate around pseudonymity on online platforms has arisen as a result of the identification policy of Google+, which requires users to identify by "the name your friends, family, or co-workers usually call you". This policy is similar to that of Facebook's which requires users to "provide their real names and information." Google's policy has in a few short weeks attracted significant attention both within the community and outside of it, sparking debate as to whether a social platform should place limits on identity. A considerable number of Google+ users have already experienced account deactivation as a result of the policy, which Kirrily "Skud" Robert, a former Google employee kicked off the service for identifying as "Skud," has closely documented. [Editor: interesting.]

Second Annual Ponemon Cost of Cyber Crime Study is Released (Ponemon Institute, 2 August 2011) - Today we released our Second Annual Cost of Cyber Crime Study. Our findings support other research studies suggesting increases in the frequency, severity and overall cost of cyber attacks on private and public sector organizations. [Editor: Very interesting analysis, with a US focus. Summary PowerPoint here. Biggest cost categories were information loss, business disruption, and revenue loss. Most-affected industries are defense, utilities/energy, and financial services. Oddly, smaller companies seem to have larger losses; larger companies face worse rogue-insider threats.]

FINRA to Issue More Guidance on Social Media (MoFo, 3 August 2011) - Social media continues to be a priority of the Financial Industry Regulatory Authority, Inc. ("FINRA"), and we can expect more guidance soon, according to a top official. The official, FINRA Chairman and CEO Richard G. Ketchum, recently noted that FINRA's Social Networking Task Force continued to examine issues relating to the use of social media by member firms, but had yet to release new guidance on the topic. He said that FINRA intended to provide further guidance on social media issues this year. FINRA last issued guidance on this topic in Regulatory Notice 10-06. The Social Networking Task Force, which was organized by FINRA in 2009, is composed of FINRA staff and industry representatives. The task force discusses how firms and their registered representatives can use social media sites for legitimate business purposes in a manner consistent with investor protection. Regulatory Notice 10-06, which included input from the task force, provides significant guidance with respect to social media issues, but the landscape of social media is constantly changing, leaving many open questions. Social media issues are currently hot topics, and many firms are finding it hard to wait for FINRA's guidance. In May 2011, a leading retail brokerage firm announced its intention to allow its advisers certain access to social media sites, such as Twitter and LinkedIn, but no other major American wealth management firm has done so. In light of Mr. Ketchum's announcement, and given the desire of broker-dealers to use social media, we believe it is a good time to review FINRA's current position on social media matters, most of which is described in Regulatory Notice 10-06. * * *

Newspaper's Discussion About Trademark Owner Protected as Nominative Use (Eric Goldman, 3 August 2011) - I'm sure any trademark experts reading this post are scratching their heads at the blog post title. Newspapers discussing a trademarked product qualify for the nominative use defense. Well, duh. Why is that even a question that needs to be answered? Well, because sometimes trademark owners bring asinine lawsuits. In particular, this case may be part of an emerging trend in the surgical procedure industry to misuse trademark law as a weapon against unwanted criticism. See, e.g., the Lifestyle Lift cases (1, 2). This case involves the Lap Band surgical procedure. 1 800 GET THIN is a marketing agent for the procedure. The LA Times has repeatedly criticized the Lap Band. In one passage, it arguably implied that 1 800 GET THIN provided the procedure rather than just marketed it. Even against a pushover defendant, this is a weak point to gripe about. But against a well-regarded journalistic institution like the LA Times, there's simply no point in tangling in court. Yet, 1 800 GET THIN still cranked up the machinery of justice. Predictably, the court expends few words in tossing the false designation of origin claim on nominative use grounds. The court also tosses the Lanham Act false advertising claim because the news article was editorial content, not advertising. This outcome was so predictable that most trademark litigators probably would have advised 1 800 GET THIN that it had no chance of winning and it should not even try. In fact, the LA Times may very well extract some cash out of 1 800 GET THIN for bringing such a weak case. The case doesn't mention an anti-SLAPP motion, but this case seems tailor-made for anti-SLAPP protection. Otherwise, it's a strong candidate for a Lanham Act fee shift and perhaps Rule 11 sanctions. 
Despite the "sun rising in the East" nature of this case's legal outcome, I still wanted to highlight it because it reminds us that trademark law's overexpansive sweep creates several problems. (I discuss these concerns in more detail in my paper, Online Word of Mouth and its Implications for Trademark Law). First, to the extent such a thing exists, this was an example of trademark bullying. The LA Times isn't an easy target for bullying, but smaller defendants will just capitulate in the face of 1 800 GET THIN's trademark threats. Second, the LA Times didn't make a trademark "use" at all. We should have never reached the nominative use defense because there was no trademark use in the first place. The fact that courts aren't gatekeeping at that level lets weak trademark cases get further than they should. In this situation, relying on the nominative use defense works fine in the Ninth Circuit but is dicey in other circuits that don't cleanly recognize a nominative use defense. Third, if the LA Times doesn't get 100% compensation from 1 800 GET THIN, then a travesty still occurred even though the LA Times prevailed in court. A final thought. Having seen so many such lawsuits, I must admit that I become more suspicious of any trademark owner who resorts to completely meritless trademark litigation. It makes me wonder what they are trying to hide. In this case, the fact that the Lap Band and 1 800 GET THIN desperately grasped at legal straws makes me more skeptical of the legitimacy of their offerings. Case is 1 800 GET THIN v. Hiltzik, 2:11-cv-00505-ODW-E (C.D. Cal. July 25, 2011)

Do Changes to a Blog Post's URL and the Site's Metatags Restart the Statute of Limitations? (Volokh Conspiracy, 3 August 2011) - An interesting decision, stemming from the Wolk v. Olson litigation. Here's the legal background: A publisher is generally not liable once the statute of limitations (generally a year or longer) has run since the original publication. At that point, under the "single publication rule" - which is generally accepted in most states, and has generally been applied to the Internet in the cases that have considered the issue - no further lawsuits can be brought based on the original post, even if the publisher eventually learns that the post is false. The mere fact that a blog post is being copied to a reader's computer each time it's accessed doesn't constitute a new publication that restarts the statute of limitations. But do changes to the post constitute a republication, and restart the statute? Sufficiently substantive changes might, but for modest changes - such as most changes in a URL - the answer is likely no. A few cases have so held, see Canatella v. Van De Kamp (9th Cir. 2007) and In re Davis (W.D. Ky. 2006); the judge in this case suggested that she took a similar view, though she ultimately decided the case on other grounds * * *

Public Porn Prevents Policeman's Privacy (Steptoe, 4 August 2011) - An Illinois Appellate Court has ruled that an employer that monitored the communications of an employee did not violate Illinois' eavesdropping law (720 ILCS 5/14). The employee, a police officer, had been surfing pornography websites on a workplace computer. Even though Illinois law requires the consent of all parties to an electronic communication before monitoring is allowed, the law defines "electronic communication" narrowly, as a communication that both the "sending" and "receiving" parties intend to be private. The court reasoned that because the porn sites did not intend their outgoing communications to be private, the officer's surfing was not covered by the eavesdropping law.

Law Firms Restricting Use of Social Media Demonstrates Lack of Trust (Kevin O'Keefe, 4 August 2011) - Boston lawyer and management consultant Jay Shepherd joined the discussion on law firms restricting their employees' use of social media with a post at Above the Law yesterday. In addition to the reasons against restricting the use of social media shared by Arik Hanson and me, Shepherd says restricting use of social media demonstrates lack of trust. "[F]irms that restrict or censor their lawyers' computer activities are telling them that they don't trust these professionals to do their work. Rules like this end up replacing actual management, where partners actually pay attention to whether work gets done well and timely. Imagine if a firm banned the use of everything that its lawyers could use to chat with family and friends, check movie times, or shop for clothes or airline tickets. In other words, the lawyers couldn't have freakin' telephones on their desks. (I flat-out stole this notion from a Golden Practices blog post.) Small-firm owners: If you trust your younger lawyers to have a telephone, then you also need to trust them with social media. It's 2011 (pronounced "twenty-eleven")." It's not just lawyers in small firms à la Shepherd who think law firms restricting the use of social media by lawyers is a little nuts. Seattle's Bruce Johnson, a leading First Amendment attorney with Davis Wright Tremaine, upon hearing that upwards of 45% of law firms were restricting the use of social media, commented on this blog's Facebook Page, "...[T]hat is stunning. It's like ordering lawyers not to have or use business cards."

Sixth Circuit: Email and Phone Advocacy Campaign Can Violate the Computer Fraud & Abuse Act (Eric Goldman's blog, 4 August 2011) - I blogged about a case involving a labor dispute between Pulte Homes and Laborers' International Union of North America (LIUNA). After Pulte terminated a LIUNA member for alleged misconduct and poor performance, LIUNA became embroiled in a labor-relations dispute with Pulte. LIUNA allegedly exhorted its members and others to "bombard Pulte's sales offices and three of its executives with thousands of phone calls and e-mails." LIUNA allegedly hired an auto-dialing service and encouraged its members to call Pulte. It also engaged in a web-based email campaign where it encouraged visitors to its website to "fight back" and send e-mails to "specific Pulte executives." Pulte sued LIUNA, asserting claims under the Computer Fraud and Abuse Act and state law. The district court denied Pulte's request for an injunction and dismissed Pulte's claims. Here is my blog post covering the district court's ruling: "Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act." The Sixth Circuit reversed the district court's ruling, finding that a phone or email bombardment campaign can constitute a violation of the Computer Fraud and Abuse Act. Case is Pulte Homes, Inc. v. Laborers' Int'l Union, et al., 09-2245; 10-1673 (6th Cir. Aug 2, 2011)

As Hackers Steal Up to $1B Annually from Biz Bank Accounts, Victims May Have No Recourse (ABA Journal, 4 August 2011) - Some $43 million was stolen in conventional bricks-and-mortar robberies, heists and stickups of U.S. banks last year. Meanwhile, cybercrooks stole hundreds of millions in what is being called a national security threat. The exact amount isn't known. But security experts say up to $1 billion annually is being taken by hackers through online schemes targeting commercial accounts. That's particularly bad news for the businesses, including law firms, that own the accounts, because their losses, unlike thefts from bank accounts held by individuals, often aren't covered by federal deposit insurance, Bloomberg reports. Small businesses "just don't have any clue, and everyone expects their bank to protect them," Avivah Litan of computer analyst Gartner Inc. tells the news agency. "Businesses are not equipped to deal with this problem, and banks are barely equipped." Sophisticated software and appropriate anti-fraud procedures can offer significant protection against hacking, the article says, but businesses-and many banks-are operating with less-than-optimum setups. As large sums of money are sometimes literally stolen by far-distant hackers under the shocked gaze of victimized business employees, neither banks nor law enforcement, seemingly, can do much to help. Using inexpensive malware that allows them to take over the computer's operations as if they were sitting at the keyboard, cybercriminals, often based in Eastern Europe, can route large sums of money via the Internet to confederates or accounts they control. Valiena Allison, CEO of Experi-Metal Inc., for instance, got a call from her bank one morning a couple of years ago about a wire transfer. She hadn't authorized it, and said so. But the company's infected computer had, and over $5 million had been stolen, in unauthorized transfer after unauthorized transfer, by the end of the day. 
The bank recovered all but about $500,000 of the money. But that was the company's loss, the bank said, because it had allowed its computer system to be taken over as a result of falling victim to a phishing scheme. A federal judge in Michigan last month disagreed, however, finding that the bank should have refused the transfer instructions due to facts including their frequency and the locations (Estonia and Russia) to which the money was being sent, Lori Desjardins of Pierce Atwood wrote in a recent Lexology (reg. req.) post. A Maine-based business, Patco Construction Inc., saw $500,000 siphoned from its accounts over a couple of days in 2009, and has now gone back to paper checks, as an earlier ABAJournal.com post details. A federal magistrate judge in a May recommendation said Patco had to take the loss concerning some $345,000 that the bank couldn't recover. And a U.S. District Judge in Portland agreed, holding in a written opinion (PDF) today that Patco agreed with the bank's security procedures.

Are You Prepared for a Disaster? If Not, It's Time to Get Your House in Order! (ABA Annual meeting, 7 August 2011) - Disasters - everything from hurricanes and tornadoes to a computer virus or a flood in your basement - were on the agenda at a program Saturday during the American Bar Association Annual Meeting in Toronto. Whatever the unexpected life situation, the preeminent question is: Are you prepared? For the most part people hold a general belief that disasters happen to other people. Panelists at the program said they hope to turn that kind of thinking around, at least, in lawyers. "Disaster preparedness is cost-effective and easy to integrate," said Gary A. Munneke, a professor at Pace University School of Law, in New York. "When disaster strikes, there is not time to plan-it's simply time to react." Munneke said there are three parts to the process: planning, response and recovery. "If lawyers are failing to plan, they are planning to fail," said Catherine Sanders Reach, the director of the ABA Legal Technology Resource Center in Chicago. She admonished lawyers to "get your house in order." Panelist David F. Bienvenu, chair of the ABA Special Committee on Disaster Response and Preparedness, lived through Hurricane Katrina in New Orleans. He was featured in a video about the need for all lawyers and firms to plan for a disaster. The video opened the program. "Are you prepared? It's not a question of if, but when," Bienvenu says in the video. Bienvenu said the ABA is not asking lawyers to do something the ABA has not done. The association has updated its business continuity plan and is working toward certification. The special committee also developed a guide for lawyers/firms on developing their own business continuity plan.

The DA Thinks You Are Liberal (InsideHigherEd, 8 August 2011) - Whether professors lean left or are so liberal that they are biased is much debated in higher education and in American society. But in what may be a new twist, the Nevada Supreme Court last week upheld the exclusion of a faculty member from a jury. His disqualifying trait? Being a professor. The ruling came in an appeal of a drug sale conviction in a case in which a professor was rejected for jury service. The professor was one of the peremptory challenges by the prosecution. While no reason needs to be given for peremptory challenges, in this case, the defense argued that minority citizens were being excluded with peremptory challenges. (The professor is identified in the court documents as a Middle Eastern computer science professor.) The prosecutor then defended the exclusion by saying that it had nothing to do with the potential juror's ethnicity, but rather with his being a professor. "Professors are notoriously liberal," the prosecutor said, according to the Supreme Court ruling, adding that "I just don't like them on my juries, period." The Nevada Supreme Court's decision doesn't explore the issue of whether professors can be presumed to be liberal. Rather, it faults the defense for failing to challenge the exclusion sufficiently at the time it was made, or for presenting new evidence that the argument was pretextual or otherwise illegitimate.

Army to Shut Down eArmyU (Army Times, 8 August 2011) - The eArmyU civilian education option that has provided distance learning support services to 64,000 soldiers over the past decade will be shuttered next year. The 1,429 soldiers enrolled in the program today may continue to register for eArmyU courses until March 31, 2012, even if a course runs past the shutdown date. Each of the soldiers has been sent a letter by the Human Resources Command, encouraging them to continue taking eArmyU classes until March 31, when they will be transitioned to regular tuition assistance. HRC officials said many of these soldiers are simultaneously enrolled in traditional tuition assistance courses, so they are familiar with that program. "While eArmyU has run successfully for 10 years, it has reached a point of maturity, essentially meeting its recruiting and retention objective (and) increasing soldiers' participation in their own education development," said Command Sgt. Maj. Bruce A. Lee, command sergeant major of the Human Resources Command. Online courses leading to degrees today account for nearly 78 percent of tuition assistance enrollments, which is a major reason why the eArmyU option is being discontinued. Today more than 1,500 schools offer online degrees within the traditional tuition assistance portal of GoArmyEd, compared to 30 available under eArmyU.

Hostile Witness (InsideHigherEd, 9 August 2011) - These days there are enough blogs on the theme that law school is a scam that there are multiple blogrolls on the subject, where readers can pick among First Tier Toilet!, Fluster Cucked, Subprime JD, Tales of a Fourth-Tier Nothing and more. Most of these blogs are run by law students or recent graduates frustrated by a lousy job market, student loan debt and a feeling that they were ripped off by their law schools. Another unemployed lawyer blog probably wouldn't attract much attention, but these "scam" bloggers have been abuzz about the latest arrival on their blogrolls: a blog sharing many of their points of view, but written by a tenured law professor. "I can no longer ignore that, for a very large proportion of my students, law school has become something very much like a scam," says the introductory post of the blog, Inside the Law School Scam. "Yet there is no such thing as a 'law school' that scams its students -- law schools are abstract social institutions, not concrete moral agents. When people say 'law school is a scam,' what that really means, at the level of actual moral responsibility, is that law professors are scamming their students." The professor has gone on in subsequent posts to describe his law faculty colleagues as overpaid, and as inadequate teachers. "The typical professor teaches the same classes year after year. Not only that -- he uses the same materials year after year. I'm not going to bother to count -- this is law school after all, and we don't do empirical research -- but I bet that more than half the cases I teach in my required first-year course were cases I first read as a 1L 25 years ago. After all I use the same casebook my professor used. I even repeat some of his better jokes (thanks Bill)," says one post.
And that was followed by another criticizing the gradual decline in teaching loads of professors at law schools (a trend that has been documented elsewhere), and arguing that students are paying quite a bit for minimal teaching time and effort. Of his fellow law professors, he writes: "They are like the most burnt out teachers at your high school, if you went, as I did, to a middling-quality public school. But with this difference: the most burnt-out teachers at your high school still had to show up for work for seven hours a day. Also, they didn't get paid $200,000 (or even quite a bit more) per year. And you didn't pay $50,000 a year for the benefit of their talents." And LawProf says he's just getting started. The author identifies himself only as "a tenured mid-career faculty member at a Tier One school." He agreed to reveal his identity to Inside Higher Ed, and his description is accurate.

ABA Releases "Managing E-Discovery and ESI" - An Excellent Resource (Sharon Nelson, 10 August 2011) - I was recently honored to get an advance copy of Managing E-Discovery and ESI, a wonderful new sourcebook from the American Bar Association authored by Michael Berman, Courtney Barton and the Honorable Paul Grimm, in conjunction with a stellar cast of contributors. My first reaction to the breadth and scope of the book was simply "wow!" At over 800 pages, the book moves with assurance and expertise from pre-litigation through trial. Rather than having too many cooks in the kitchen, the numerous authors represent a collective wisdom about e-discovery, with each having niche areas of keen knowledge.

Offensive Cyber Tools to Get Legal Review, Air Force Says (Secrecy News, 10 August 2011) - Even the most highly classified offensive cyberwar capabilities that are acquired by the Air Force for use against enemy computer systems will be subject to "a thorough and accurate legal review," the U.S. Air Force said in a new policy directive (pdf). The directive assigns the Judge Advocate General to "ensure all cyber capabilities being developed, bought, built, modified or otherwise acquired by the Air Force that are not within a Special Access Program are reviewed for legality under LOAC [Law of Armed Conflict], domestic law and international law prior to their acquisition for use in a conflict or other military operation." In the case of cyber weapons developed in tightly secured Special Access Programs, the review is to be performed by the Air Force General Counsel, the directive said. See "Legal Reviews of Weapons and Cyber Capabilities," Air Force Instruction 51-402, 27 July 2011. The Air Force directive is somewhat more candid than most other official publications on the subject of offensive cyber warfare. Thus, "for the purposes of this Instruction, an Air Force cyber capability requiring a legal review prior to employment is any device or software payload intended to disrupt, deny, degrade, negate, impair or destroy adversarial computer systems, data, activities or capabilities." On the other hand, cyber capabilities requiring legal review "do not include a device or software that is solely intended to provide access to an adversarial computer system for data exploitation," the directive said.

A Legal Guide for Digital Journalists (Robert Ambrogi, 12 August 2011) - Although it was launched in June, it has taken me this long to get around to checking out the Digital Journalist's Legal Guide created by the Reporters Committee for Freedom of the Press. Now that I've had the chance to explore it, I have no doubt this will quickly become an essential resource both for established journalists and independent bloggers. The guide is designed to provide legal guidance to anyone who disseminates news online. It covers key areas of media and access law: access to courts, copyright and trademark, censorship, Internet regulation, invasion of privacy, libel, newsgathering, open records and meetings, and sources and subpoenas. The guide is layered in a way that allows a user to get quick answers on a topic and also drill down deeper into it. The front page of each section contains a summary of the applicable legal principles, answers to common questions about the topic, and links to pages that provide more detailed discussions about specific aspects of the topic. These section front pages also include links to relevant news articles from the RCFP website covering actual court cases and legal stories. Those links are effective at helping to illustrate how these legal principles are applied in real-world situations. Well before it published this guide, the RCFP's website was already the preeminent source of legal guidance for journalists. Over the years, RCFP has published an array of legal guides on First Amendment, access, privacy, privilege and other media-law issues.

Making Clouds Less Ominous (InsideHigherEd, 12 August 2011) - A group of 12 high-profile research universities is currently negotiating with commercial e-mail providers to create a standard contract that would reduce the costs and anxieties associated with outsourcing the handling of sensitive institutional data to cloud-based vendors. If successful, the talks could pave the way for universities to move other types of data to the cloud - a migration that has been stalled by persistent concerns among institutions that are worried about putting sensitive university data on non-university servers, campus technology officials say. The discussions might also provide a model for other joint contracts between universities and technology vendors. Companies that run university e-mail systems negotiate individual contracts with their various clients. These negotiations often involve haggling over whether the company can provide its services in a way that does not put the university at risk of violating state and federal laws - as well as its own policies - regarding privacy, data security, accessibility, and other matters. "Every time we go to vendors, we start those conversations anew - it's like Groundhog Day," says James Hilton, the CIO of the University of Virginia, one of the institutions involved in the talks. "It's inefficient on their side, and it's inefficient on our side." The idea behind the group push for a standard contract is to "aggregate some of our terms and needs upfront and just do it once," Hilton says. According to campus officials, the 12 universities have been hammering out the details of a possible standard contract with cloud-based e-mail vendors for the last year or so. The universities at the table include Virginia, Duke University, and 10 other "premier research universities," says Hilton. 
(The effort grew out of conversations among members of the Common Solutions Group, a consortium that includes six universities from the Ivy League and five from the Big Ten.) On the vendor side, Microsoft, the second-largest e-mail provider for colleges and universities, confirmed that it is involved in the talks. The largest provider, Google, would not comment. The most salient concerns around outsourcing to cloud providers - compliance with the Family Education Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Americans With Disabilities Act (ADA), and other laws - are common to many colleges and universities. A standard document addressing those concerns could allow institutions and cloud-based vendors to check off compliance issues with a single stroke, eliminating many billable hours on both sides of the negotiating table, says Tracy Futhey, the CIO at Duke.

Monitoring School-Issued Email Accounts (Dan Solove, 14 August 2011) - A recent case provides some guidance about when schools can monitor email accounts they issue to students. In Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011), a troubled student (Christopher Reichert) had a heated exchange with the chairman of the education department, Dr. Carroll Tyminski. Afterwards, Tyminski arranged for Reichert's email account to be monitored. Reichert sued under various federal and state electronic surveillance and computer misuse laws as well as a common law privacy tort.

Revealed: Operation Shady RAT (McAfee White Paper, August 2011) - For the last few years, especially since the public revelation of Operation Aurora, the targeted successful intrusion into Google and two dozen other companies, I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defense contractors, and perhaps Google. My answer in almost all cases has been unequivocal: absolutely. Having investigated intrusions such as Operation Aurora and NightDragon (the systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they've been compromised and those that don't yet know. Lately, with the rash of revelations about attacks on organizations such as RSA, Lockheed Martin, Sony, PBS, and others, I have been asked by surprised reporters and customers whether the rate of intrusions is increasing and if it is a new phenomenon. I find the question ironic because these types of exploitations have occurred relentlessly for at least a half decade, and the majority of the recent disclosures in the last six months have, in fact, been a result of relatively unsophisticated and opportunistic exploitations for the sake of notoriety by loosely organized political hacktivist groups such as Anonymous and Lulzsec. On the other hand, the targeted compromises we are focused on - known as advanced persistent threats (APTs) - are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat. What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth - closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more has "fallen off the truck" of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries. [Editor: wow.]

'The Economist' Examines Emerging Alternatives to Traditional Law Firms (Law.com, 15 August 2011) - In an article last week, The Economist takes a look at a few ways that technology is providing clients with alternatives to traditional law firms. These alternatives include things like LawPivot, which some have compared to "Quora for legal advice." [Note to self: Learn what Quora is so that I can possibly then understand what LawPivot is.] They also include "unconventional law firms" such as Axiom and Clearspire that are pursuing new business models. I have mentioned Axiom before, noting its highly personal approach to the law firm website, which includes huge, day-in-the-life photos of Axiom lawyers doing things like gardening, having breakfast with their families or dancing. The Economist adds that Axiom, which is now 11 years old, has been able to grow its revenue steadily as companies seek ways to trim their legal spending: from $55 million in 2008, to $80 million in 2010, to an expected $120 million in 2011. Axiom differs from most firms in that it typically does not charge by the hour, but rather agrees to a flat fee for a project or for a set period of time that one of its teams will be engaged. It is also different from most law firms in that it employs only experienced lawyers, maintains little office space and charges significantly lower rates than most big law firms (about $200 an hour for highly experienced lawyers, according to a Daily Journal article written in early 2010). Another law firm discussed by The Economist is Clearspire. Clearspire is made up of approximately 20 lawyers who work from home but "collaborat[e] on a multi-million-dollar technology platform that mimics a virtual office." Clients can use the platform, as well, to do things like make changes to their own documents. With respect to billing, The Economist states that: From the start, Clearspire offers cost estimates for each phase of a legal job. Employees who underestimate how long it will take cannot simply jack up the bill - they must take the hit themselves. But if a lawyer finishes his work faster than promised, he gets a third of the savings. The client also gets a third, as does Clearspire. This gives everyone a stake in making the process more efficient and predictable. Clearspire also has an unusual, dual corporate structure: it consists of a law firm with salaried lawyers, and also a separate entity that is responsible for business development.

A Look at Texas's New Anti-SLAPP Law (CMLP, 15 August 2011) - Back in mid-June, Texas's new anti-SLAPP law finally took effect. (Since the bill passed both houses of the Texas legislature unanimously, it took effect immediately when Gov. Rick Perry signed it.) The CMLP's legal guide is updated to reflect the new statute. It's a good bill, and the whole "unanimous passage" part is a good sign for the larger anti-SLAPP project, so it's worth taking a moment to see how the Texas statute stacks up. The new law (the "Citizens Participation Act") casts a wide net: it covers any exercise (in any medium) of free speech, petition, or association rights. That sounds nice in the abstract, but the trick is in the definitions. The "right of association" doesn't get any clarification beyond reference to "individuals who join together to collectively express, promote, pursue, or defend common interests," but that could provide some interesting arguments for defendants getting sued for posts on message boards and the like. It doesn't limit protections to "matters of public concern," like other sections: here, all we have are "common interests," which could be a very broad provision indeed. And the text of the "right of association" section could even cover straight-up person-to-person communication - private emails, etc. The bill only requires those "individuals" to "communicat[e]" about "common interests." If courts are willing, they could take that provision a very long way indeed. The statute also has a few bits that tip the scales slightly in favor of the little guy. Like I said, communications about goods and services in the marketplace are protected, but only from the customer end: businesses can't use the anti-SLAPP statute to kill lawsuits against them over their advertising. And if a defendant frivolously tries to use the statute, they "may" (not "must" or "shall") be on the hook for some of the plaintiff's legal fees, but there's no punitive damage award running from defendants to plaintiffs. (That's in contrast to, say, Washington's law, which levies identical damage awards against SLAPP-happy plaintiffs or against defendants who frivolously use the anti-SLAPP statute.) Speaking of those damage awards (look, ma! transitions!), Texas's damage scheme is interesting when contrasted with a statute like Washington's. When Washington recently updated their anti-SLAPP statute, they based it heavily on California's, but added damages above and beyond just recovering court costs and attorneys' fees. Washington's new statute provides for an automatic $10,000 award, on top of the costs and fees. That's a nice bit of deterrence, and has the benefit of consistency; against the massive plaintiffs that can use SLAPP suits to great effect, though, ten grand is a drop in the bucket. Texas takes a different approach: On top of the fees and costs, the court "shall" award the defendant damages "sufficient to deter the party who brought the legal action from bringing similar actions." It's not optional - the judge has to give some sort of punitive damage award; the discretion lies in the size of the damages. It'll be interesting to see how judges wield that provision; the flexibility could be useful in really bringing the hammer down on any big corporate plaintiffs while allowing some leniency for little-guy plaintiffs who sue Michael Moore (for example). On the other hand, though, we have to trust judges to actually impose those big fines. And how would a judge figure out how big is big enough? Try to quantify the monetary value of shutting down a critic, then add $1? We'll have to wait and see how judges handle that foggy mandate. All in all, though, the Texas anti-SLAPP bill looks like a real beast.

Friending for Evidence (Lawyerist.com, 15 August 2011) - Are you completely ignoring social media? Are you blocking access to social media sites at your firm? Are you using social media to get evidence for trial? If you're not careful, you may be violating your state's ethics rules. Federal prosecutors are scouring the Facebook pages of defendants. More and more divorce cases include incriminating evidence captured on social media sites. As the use of social media evidence at trial continues to grow, some courts are beginning to delve into the ethical boundaries of obtaining such evidence and even a lawyer's ethical obligations to provide competent representation. In their recent Law.com article, Ethical Bounds of Using Evidence From Social Networks, H. Christopher Boehning and Daniel J. Toal provide a brief synopsis of recent decisions discussing how lawyers in certain jurisdictions may permissibly obtain information on social networking sites. Here are some areas the synopsis covers * * *

Navy Issues Online Guide to Google+ (FCW, 16 August 2011) - Although Google+ has attracted more than 10 million users since its recent debut, many people in government are wondering what it is and how it ought to be used. Thanks to the Navy, now there is an overview of the new site. The Navy recently published a 13-page online guide titled "What's the deal with Google+?" on the SlideShare website, providing a basic introduction to the new social networking site and how it could be used by individuals. The Navy's presentation had been viewed by 606 people as of Aug. 16. [1480 views on 18 August] One of the first questions it tackles is whether Google+ is like Facebook or something different. According to the Navy, the new site is different and offers several advantages over Facebook. [Editor: quite useful]

Law Firms on Facebook: 5 Examples of 'Doing It Right' (JD Supra, 16 August 2011) - We're frequently asked to provide examples of 'well-done' law firm Facebook pages. Here's a look at some of the pages we offer in response, with accompanying annotations to explain a few of the things we think each firm is doing well. This is by no means a complete list, nor a complete appraisal of 'what makes a good law firm Facebook page.' As you will see, each page below includes some aspect or element that serves as a good example of what you might do to create your firm's presence on Facebook.

As the Gavels Fell: 240 Years at Old Bailey (NYT, 17 August 2011) - For 240 years the grand parade of human greed, love, cruelty, longing, and foolishness was captured in the Proceedings, the published record of trials that took place at the Old Bailey, the central criminal court, in London. Now, powerful digital tools developed by an international team of researchers to search these trial reports and summaries have begun to offer new insights into the evolution of the justice system, the institution of marriage and changing morals. The Old Bailey offers a unique window into the criminal justice system and, by extension, British culture. The free searchable online archive, oldbaileyonline.org, contains accounts of nearly 198,000 trials between 1674 and 1913. "It's the largest body of accurately transcribed historical texts online," said Tim Hitchcock, a historian at the University of Hertfordshire in England and part of the team. "All of human life is here." Mr. Hitchcock argues that new methods of digitally analyzing and mapping the history of crime using the entire Proceedings will revise "the history of the criminal trial." After scouring the 127 million words in the database for patterns in a project called Data Mining With Criminal Intent, he and William J. Turkel, a historian at the University of Western Ontario, came up with a novel discovery. Beginning in 1825 they noticed an unusual jump in the number of guilty pleas and the number of very short trials. Before then most of the accused proclaimed their innocence and received full trials. By 1850, however, one-third of all cases involved guilty pleas. Trials, with their uncertain outcomes, were gradually crowded out by a system in which defendants pleaded guilty outside of the courtroom, they said. Conventional histories cite the mid-1700s as the turning point in the development of the modern adversarial system of justice in England and Colonial America, with defense lawyers and prosecutors facing off in court, Mr. Hitchcock and Mr. Turkel said. Their analysis tells a different story, however. "Mapping all trials suggests that the real moment of evolution was in the first half of the 19th century," with the advent of plea bargains that resulted in many more convictions, Mr. Hitchcock said. "The defendant's experience of the criminal justice system changed radically. You were much more likely to be found guilty." Last month the scholars submitted an article to the British journal Past and Present on their findings.

New Notaries Needed For SSL Certs (ReadWriteWeb, 19 August 2011) - Tim Greene, writing this week in Network World, brings up the latest developments in improving SSL certificates. As many of you recall, earlier this year we had two big security breaches involving these certs, including a situation where Comodo issued and then revoked a series of nine fake certs. While the fakes weren't actually used, it was a close enough call. The problem is that your browser has a hard-coded list of certificate authorities (CAs). If you haven't ever been to this part of your browser settings, you can bring it up now (Firefox is Tools/Options/Advanced, Chrome is Tools/Options/Under the Hood, etc.) and see a long list of CAs, some from companies that you may recognize (Microsoft, Thawte, Verisign) and many from companies that you probably have never heard of. (How many of us had ever heard of Comodo before the cert hack reported earlier this year? My point exactly.) Every time you go to a site using https:, it checks in with these CAs to determine if the cert from the destination website is legit or not. Most of the current browser versions will report on the identity of the website in the address bar and whether or not it checks out. To combat the bad guys, many more sites are now using SSL protocols: Gmail, which now defaults to it for reading your emails, is one notable example. But all this security infrastructure goes out the window if the certs can't be trusted. Getting a cert is easy: it just costs money (here is one place you can comparison shop for them) and even your friendly registrar can quickly provide one. You can also self-sign your website with your own cert, which will bring up a warning in most modern browsers for your visitors. When you purchase a cert, a chain of trust is established between the CA and your website using the cert, as you can see in the PayPal example above. But what if this circle of trust is compromised, as the character played so brilliantly by Robert DeNiro asks in the "Focker" films? That is why we need an Internet SSL notary public for SSL certs. Unlike the notaries that we all use from time to time for our paperwork, the process would involve a crowdsourced collection of certs that people already have trusted, rather than a single entity that would vet the certs from on high. And this being the Internet, of course there are two different proposed notary standards called Perspectives from a team at Carnegie Mellon and Convergence from an independent test lab. They both make use of Firefox plug-ins, and both are relatively new and unused by the vast majority of sites and the browsing public. The idea is that, just like picking which search engine site you will use by default, you can also choose which collection of notaries to trust for your SSL certs. Whether these notary efforts will catch on isn't a sure bet: indeed, they have to be widely deployed before they are truly useful, and support more than just Firefox browsers too. But we definitely are overdue for better SSL root CA infrastructure, otherwise we will suffer the same fate as Ben Stiller's character.
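The notary idea the article describes, as an added example that is not code from Perspectives, Convergence, or the article's author: the client fingerprints the certificate it was handed and accepts it only if a quorum of independent notaries report having seen the same fingerprint for that host, so a certificate that chains to a trusted CA but that nobody else has ever seen (the Comodo-style case) is flagged. All host names, notary names and certificate bytes are constructed for the example.

```python
"""Notary-style multi-perspective check for a TLS certificate, modelled on the
Perspectives / Convergence proposals. Constructed example: not code from either
project, and the 'DER' bytes below are made-up stand-ins, not real certificates."""
import hashlib
from collections import Counter

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (constructed input here)."""
    return hashlib.sha256(der).hexdigest()

# Constructed certificates: the one the site really uses, and a rogue one
# issued for the same name by a different (but browser-trusted) CA.
GENUINE_DER = b"CONSTRUCTED-DER: CN=mail.example.test, issuer=Example CA, serial=1"
ROGUE_DER = b"CONSTRUCTED-DER: CN=mail.example.test, issuer=Other CA, serial=9"

# Each notary keeps, per host, the fingerprints it observed (most recent last).
# Three independent vantage points have seen the genuine cert; one has no data.
NOTARIES = {
    "notary-a.example.test": {"mail.example.test": [fingerprint(GENUINE_DER)]},
    "notary-b.example.test": {"mail.example.test": [fingerprint(GENUINE_DER)]},
    "notary-c.example.test": {"mail.example.test": [fingerprint(GENUINE_DER)]},
    "notary-d.example.test": {},
}

def notary_verdict(host, presented_fp, notaries, quorum):
    """Compare the fingerprint the client was served with what the notaries saw.

    Returns (verdict, tally):
      accept       - at least `quorum` notaries currently observe this fingerprint
      reject       - quorum not met and some notary observes a different one
      insufficient - quorum not met and nobody contradicts (e.g. host unknown)"""
    tally = Counter()
    for table in notaries.values():
        seen = table.get(host)
        if not seen:
            tally["no_data"] += 1
        elif seen[-1] == presented_fp:
            tally["agree"] += 1
        else:
            tally["disagree"] += 1  # CA-valid but unexpected cert lands here
    if tally["agree"] >= quorum:
        return "accept", tally
    if tally["disagree"]:
        return "reject", tally
    return "insufficient", tally

def check_connection(host, served_der, quorum=2):
    """Client-side step: fingerprint what the server sent, then ask the notaries."""
    verdict, _tally = notary_verdict(host, fingerprint(served_der), NOTARIES, quorum)
    return verdict

if __name__ == "__main__":
    # Genuine cert: three of four notaries agree -> accept
    print(check_connection("mail.example.test", GENUINE_DER))
    # Rogue cert: passes CA-chain validation, but no notary has seen it -> reject
    print(check_connection("mail.example.test", ROGUE_DER))
    # Host no notary has recorded -> insufficient (a live notary would fetch it)
    print(check_connection("unknown.example.test", GENUINE_DER))
```

The same mechanism also shows the scheme's weak spot: a legitimately rotated certificate looks exactly like the rogue one until enough notaries have re-observed the host, which is why the article stresses that the notaries must be widely deployed before they are useful.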

U.S. Court Fends Off Foreign Wiretap Orders (Steptoe, 18 August 2011) - The common wisdom is that Europe is much more protective of privacy than the United States. Just last week, the New York Times featured a story about growing support in Europe for a "right to be forgotten" - that is, to have information about oneself wiped off the Internet. But it's important not to confuse "wisdom" with truth. A recent case illustrates why. In In re Dr. Jurgen Toft, a U.S. bankruptcy judge put the kibosh on German and English court orders that would have required U.S. email providers to intercept and disclose a German debtor's emails. Aside from showing that European notions of privacy aren't always what they're cracked up to be, the case demonstrates the many different ways in which communications providers are confronted with demands for information. It also shows that the United States is hardly the only country that takes an expansive view of its authority to access communications in other countries.

RESOURCES

New Searchable Version of U.S. Code Website Launched by House in Beta (BeSpacific, 17 August 2011) - "The United States Code is a consolidation and codification by subject matter of the general and permanent laws of the United States. It is prepared by the Office of the Law Revision Counsel of the United States House of Representatives."

LOOKING BACK

INFORMATION OVERLOAD IS A STATE OF MIND A new study titled "The Next Big Thing" found surprising anecdotal evidence that people who receive the greatest volume of electronic information reported a greater ability to cope, while the group that feels the most overwhelmed has the least amount of data to deal with. "We went into the survey expecting to find people were really struggling. We were surprised to find they were thriving," says the study's publisher, Josh Clark. "Anecdotally, there are people out there who are feeling overwhelmed, but practice makes perfect. The people who are most comfortable practice dealing with high volumes of information, and they are coping beautifully." The study's authors caution that because their response group was predominantly male with 42% working in the technology sector, its results cannot be extrapolated to the entire U.S. population. Nevertheless, the comparatively high response rates for the study mean the results are meaningful, and the results bear out what previous studies and empirical evidence have shown -- that simplicity is the key to success in the technology age. (Newsbytes 7 Jun 2001) http://www.newsbytes.com/news/01/166615.html

CAR SPY PUSHES PRIVACY LIMIT (ZDNET News, 20 June 2001) -- Car renters beware: Big Brother may be riding shotgun. In a case that could help set the bar for the amount of privacy drivers of rental cars can expect, a Connecticut man is suing a local rental company, Acme Rent-a-Car, after it used GPS (Global Positioning System) technology to track him and then fined him $450 for speeding three times. The case underscores the ways that new technologies can invade people's privacy, said Richard Smith, chief technologist at the not-for-profit Privacy Foundation. "Soon our cell phones will be tracking us," he said. "GPS could be one more on the checklist here. Frankly, giving out speeding tickets is the job of the police, not of private industry." http://www.zdnet.com/zdnn/stories/news/0,4586,2778752,00.html

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
