Saturday, October 22, 2011

MIRLN --- 1-22 October 2011 (v14.14)

MIRLN --- 1-22 October 2011 (v14.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

DHS Creates New Senior Cyber Position In NPPD (FederalNewsRadio, 22 Sept 2011) - The Homeland Security Department continues to shift cybersecurity oversight chairs. Suzanne Spaulding is the new deputy undersecretary for the department's National Protection and Programs Directorate (NPPD), according to an email from Rand Beers, DHS under secretary of NPPD, obtained by Federal News Radio. Spaulding replaces Phil Reitinger, who left June 3. Reitinger joined Sony as its chief information security officer in August. "Suzanne brings a wealth of experience, having spent nearly 25 years working on national security issues in the public and private sectors," Beers wrote in the email to staff. "As deputy undersecretary, Suzanne will focus on efforts to reduce risk and enhance the resiliency of critical infrastructure, secure federal facilities, and advance identity management and verification." In her new role, Spaulding will oversee the US-VISIT program, infrastructure protection, the Federal Protective Service and the Office of Risk Management and Analysis. Spaulding is expected to start in early October, Beers said. Along with naming Spaulding, Beers said Greg Schaffer will move into a new position, the deputy undersecretary for cybersecurity on an interim basis. "This position will help the directorate ensure robust operations and strengthened partnerships in the constantly evolving field of cybersecurity," Beers said. Schaffer has been the acting deputy undersecretary and will assume the role of acting deputy undersecretary for cybersecurity until a permanent person is announced in the coming weeks. Spaulding comes to DHS after serving as a principal for the Bingham Consulting Group in Washington. She also was the minority staff director for the House Permanent Select Committee on Intelligence and was the general counsel for the Senate Select Committee on Intelligence. Additionally, Spaulding spent six years at the CIA and served as senior counsel and legislative director for former Sen. Arlen Specter (D-Pa.). [Editor: Suzanne is extremely capable and her background has prepared her well for this role. She's also been very active in the ABA and with the Standing Committee on Law & National Security, where I served with her from 2002-2009.]

Orwell's Armchair (by Derek Bambauer, forthcoming U. Chicago Law Review) - Abstract: "America has begun to censor the Internet. Defying conventional scholarly wisdom that Supreme Court precedent bars Internet censorship, federal and state governments are increasingly using indirect methods to engage in "soft" blocking of on-line material. This Article assesses these methods and makes a controversial claim: hard censorship, such as the PROTECT IP Act, is normatively preferable to indirect restrictions. It introduces a taxonomy of five censorship strategies: direct control, deputizing intermediaries, payment, pretext, and persuasion. It next makes three core claims. First, only one strategy - deputizing intermediaries - is limited significantly by current law. Government retains considerable freedom of action to employ the other methods, and has begun to do so. Second, the Article employs a process-based methodology to argue that indirect censorship strategies are less legitimate than direct regulation. Lastly, it proposes using specialized legislation if the U.S. decides to conduct Internet censorship, and sets out key components that a statute must include to be legitimate, with the goal of aligning censorship with prior restraint doctrine. It concludes by assessing how soft Internet censorship affects current scholarly debates over the state's role in shaping information on-line, sounding a skeptical note about government's potential to balance communication." [Editor: recommended by Chris Soghoian]

EU Cloud Vendors Liable For Breaches (SC Magazine, 29 Sept 2011) - The European Union will introduce rules that make cloud providers legally liable for data breaches. The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday. It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative. Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would likely sign up because it would give them a selling point. If they refused, they would be seen as unsafe, he said. Vendors must prove their security models are adequate to get accredited. Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.

Federal Reserve Wants to Read Your Facebook Posts (FCW, 30 Sept 2011) - Complaints on Twitter or Facebook about jobs or rising food prices may become fodder for the Federal Reserve Bank of New York's assessments of the world's current economic conditions. The bank has issued a request for proposals seeking a contractor to help gauge the nation's economic mood by sampling conversations on social media platforms such as Facebook, Twitter, YouTube and blogs. The bank said it wants a Sentiment Analysis and Social Media Monitoring Solution to gather and report data from around the world, in multiple languages, on a continuous basis. The proposal calls for "Social Media Listening Platforms" to be created to "monitor billions of conversations" and generate text analytics. Bank officials state in the RFP that they want to stay current on public opinion, and social media monitoring provides a means to do that. "Social media platforms are changing the way organizations are communicating to the public," the request states. "Conversations are happening all the time and everywhere. There is need for the Communications Group to be timely and proactively aware of the reactions and opinions expressed by the general public as it relates to the Federal Reserve and its actions on a variety of subjects."

Law School Lets You Apply For College From Smart Phones (Atlanta TV, 3 Oct 2011) - John Marshall School of Law in Atlanta has taken the act of applying to school and brought it into the new age of technology. John Marshall has introduced a mobile application that allows potential students to apply for law school from the palm of their hand. Prospective students can visit m.johnmarshall.edu from their smart phone or tablet to apply. "We want students to be able to come to a law school forum, tour our campus, talk to us and apply immediately. If they have to wait until they get home and turn on a computer, they may not apply," Alan Boyer, Associate Dean of Recruitment and Marketing, said in a statement released Monday. Students who use their mobile device over the next few weeks to apply to John Marshall will also get a waiver of the customary $50 application fee.

Stream Away (Inside Higher Ed, 5 Oct 2011) - A federal judge on Monday threw out a lawsuit by an educational media trade group and one of its constituents against the University of California over the legality of streaming copyrighted videos on secure course websites. While the case was dismissed largely on technical grounds, U.S. District Court Judge Consuelo B. Marshall indicated that streaming a copyrighted work on a secure website is no different from holding a screening in a classroom. "The type of access that students and/or faculty may have, whether overseas or at a coffee shop, does not take the viewing of the DVD out of the educational context," Marshall wrote in her decision. Because the only rights-holding plaintiff in the case, Ambrose Video Publishing, had licensed UCLA to "publicly perform" its videos in the classroom, streaming it on a secure site was also permissible, the judge said. However, legal experts say the decision hardly resolved the central question of whether streaming copyrighted videos in online classrooms is protected under the fair use provisions to U.S. copyright law. The Association for Information and Media Equipment (AIME), along with Ambrose, brought the suit late last year after it found out that the University of California at Los Angeles was facilitating online streaming for its courses. The case attracted a great deal of attention from fair use advocates, who argued -- as did the university -- that allowing students to stream videos via password-protected course websites was no different from convening a group viewing in a classroom, which they argued was covered under fair use. AIME has countered that in order to convert the videos into digital versions that could be streamed, UCLA was copying the videos' content unlawfully.

- and -

Judge Suggests DMCA Allows DVD Ripping if You Own the DVD (ArsTechnica, 5 Oct 2011) - A Monday ruling suggests that educational institutions are entitled to stream legally purchased DVDs on campus without the permission of copyright holders. A federal judge dismissed a lawsuit charging UCLA with violating the Digital Millennium Copyright Act and other provisions of copyright law by ripping DVDs and streaming them to students. "UCLA is pleased that the court dismissed the plaintiffs' lawsuit challenging UCLA's practice of streaming previously purchased video content for educational purposes," said Scott Waugh, UCLA executive vice chancellor and provost. "The court ruling acknowledges what UCLA has long believed, that streaming licensed DVDs related to coursework to UCLA students over UCLA's secure network is an appropriate educational use." The lawsuit was brought by a trade association of educational video publishers called the Association for Information Media and Equipment (AIME), and one of its members, Ambrose Video Publishing. The plaintiffs allege that around January 2006, UCLA purchased video streaming software that included a DVD-ripping capability, and began streaming DVDs it had purchased - including some belonging to Ambrose - to members of the UCLA community. Ambrose and AIME sued in December 2010, alleging copyright infringement, breach of contract, and other harms. They argued that UCLA violated the anti-circumvention provisions of the DMCA when it ripped Ambrose's copy-protected DVDs. They also argued that its DVDs are sold under a licensing agreement that prohibits rebroadcast and public display. And they noted that Ambrose was just one of many copyright holders whose works were included in UCLA's 2,500-work streaming library. UCLA countered that copyright's fair use doctrine gives educators broad latitude to publicly perform copyrighted works as part of their instructional activities. They also noted that Ambrose's own catalog states that "All purchases by schools and libraries include public performance rights." As for the DMCA claim, UCLA argued that because the school was the lawful owner of the DVDs at issue, it had a right to access the DVDs and therefore could not have run afoul of the ban on circumventing access-control measures. Judge Consuelo B. Marshall sided with UCLA. She noted that the plaintiffs conceded that UCLA had the right to show its DVDs in the classroom, and ruled that UCLA's streaming service was functionally equivalent. "The type of access that students and/or faculty may have, whether overseas or at a coffee shop, does not take the viewing of the DVD out of the educational context," she wrote. Marshall also ruled that UCLA's copies of the DVDs were incidental to its lawful streaming service, and were therefore fair use. The case is Association For Information Media and Equipment v. University of California.

How New Labor Guidelines Could Affect Your Social Media Policy (Mashable, 5 Oct 2011) - While social media has been around for a while, there are still aspects of it that are very new, such as policy development. Such policies have to stand the test of time and evolve as the workplace - and the social media platforms and their usage - changes. In August, the National Labor Relations Board (NLRB) released a report on the outcome of investigations into 14 cases involving the use of social media and employers' social media policies. The NLRB is an independent agency in the U.S. government that protects employees' rights to join together to improve wages and working conditions, with or without a union. Here's an overview of the report and some pointers on what your company should consider when it comes to social media policy development.

Arrested in Seattle, Computer Security Expert Creates Searchable Website of Police Dashcam Video Log (ABA Journal, 5 Oct 2011) - Arrested three years ago in Seattle when a police officer apparently didn't appreciate his "brainiac" attitude after he was questioned about swatting giant sponge golfballs from bar to bar during a pub crawl, a computer security expert has fought back big time. Once the obstruction case against him was dismissed, Eric Rachner pursued a public-disclosure claim against the city's police department over its failure to provide all video camera footage of his arrest, winning a $60,000 judgment. And today he filed suit against the department again, asserting claims in his King County Superior Court complaint (PDF) for false arrest, obstruction of justice, malicious prosecution and "spoliation of video evidence," reports the Seattle Times. But that's not all. Tomorrow the 35-year-old Rachner plans to activate a website that he says will allow arrested citizens and their attorneys to see whether there is any video from the dashboard cameras that police are supposed to activate during arrests. As part of the judgment in his favor in the disclosure suit, Rachner and his lawyer, Cleveland Stockmeyer, were given copies of the department's log of every dashcam arrest video shot by Seattle patrol officers between July 2008 and August of this year. By checking the log, other arrestees and their counsel "might find, as we did in Eric's case, that the video and the police reports were so at odds that they might as well have been from different incidents," Stockmeyer tells the Times. Much of Rachner's latest suit focuses on what he contends is a widespread practice of the department of failing to provide requested dashcam footage not only to arrestees who request it but even to federal investigators. The department, he alleges in the suit, "has had a policy and custom to falsely conceal video when it is requested." Other videos, he claims, have been lost and officers sometimes don't activate the dashcams when they are supposed to, all of which results in a loss of evidence. A local television station filed suit against the police last month, the newspaper says, after learning Rachner had dashcam logs that had been withheld from a reporter.

A Citizen's Guide to Reporting on #OccupyWallStreet (Berkman's CMLP, 7 Oct 2011) - We at the Citizen Media Law Project have taken great interest in the ongoing "Occupy Wall Street" protest in New York. Much of what we know about the protest has come from independent reporters and citizen journalists covering the story from the ground. Knowing this, we are alarmed to hear reports of police arresting reporters during the protest. This, of course, could greatly discourage press coverage of this story. In order to encourage citizen reporting from the ground in New York, and to dispel the uncertainties as to the rights of those covering the protest, we have created this special question-and-answer guide regarding covering the protest in New York as a special addendum to our CMLP Legal Guide. For more general information, you can also refer to our guide's section on New York law. Note: This guide specifically addresses the law as it pertains to New York City and the protests currently occurring in Zuccotti Park. The information provided below will not apply with respect to the other #occupy protests throughout the country. While we tried our best to present the law as it generally applies in New York, specific facts and circumstances often alter outcomes in specific cases. Also, this post provides the law as it exists in October of 2011. We do not intend to update this post as the law changes, so if you find yourself returning to this at a later time please note that the law may have changed. PDF version of the CMLP guide here.

Pentagon Website Covers Guantanamo Trials (Robert Ambrogi, 7 Oct 2011) - The Department of Defense has launched a website, Military Commissions, devoted to coverage of trials by the military courts in operation at Guantanamo to try accused terrorists. Notably, the site allows users to view and download documents and court filings from the commission cases against specific individuals and to obtain summaries of the charges against them. The site also provides a description of military commissions and how they work. It includes an interesting chart that compares the rules and procedures in military commissions with those in courts-martial and Article III courts. There is also a collection of significant court opinions relating to military commissions and of current and historical documents pertaining to the commissions. There is even a section providing details on travel to Guantanamo Bay. The Pentagon created the site, it says, to help "provide fair and transparent trials of those persons subject to trial by Military Commissions while protecting national security interests."

FOIA and the Question of Secret Law (Lawfare, 7 Oct 2011) - Charlie Savage of the New York Times has filed this FOIA suit in an effort to acquire a classified report issued by DOJ and ODNI to Congress "pertaining to intelligence collection authorities" under section 215 of the USA PATRIOT Act (permitting the government to obtain from the FISC an order for the production of "any tangible things" upon a showing of "reasonable grounds" in relation to an international terrorism or counterintelligence investigation). The report appears to have sparked fierce objections from Senators Ron Wyden and Mark Udall, who have asserted in floor debate that the government has a troubling "secret" interpretation of the PATRIOT Act. The suit itself presents the question whether legal analysis, as distinct from details of the program itself, warrants protection under FOIA exemption 1. The complaint calls for release of at least a redacted version of the DOJ/ODNI report, if not the whole thing. If successful, of course, this strategy could have significant implications across a range of settings involving internal government legal advice.

FBI To Launch Nationwide Facial Recognition Service (NextGov, 7 Oct 2011) - The FBI by mid-January will activate a nationwide facial recognition service in select states that will allow local police to identify unknown subjects in photos, bureau officials told NextGov. The federal government is embarking on a multiyear, $1 billion overhaul of the FBI's existing fingerprint database to more quickly and accurately identify suspects, partly through applying other biometric markers, such as iris scans and voice recordings. Often law enforcement authorities will "have a photo of a person and for whatever reason they just don't know who it is [but they know] this is clearly the missing link to our case," said Nick Megna, a unit chief at the FBI's criminal justice information services division. The new facial recognition service can help provide that missing link by retrieving a list of mug shots ranked in order of similarity to the features of the subject in the photo. Today, an agent would have to already know the name of an individual to pull up the suspect's mug shot from among the 10 million shots stored in the bureau's existing Integrated Automated Fingerprint Identification System. Using the new Next-Generation Identification system that is under development, law enforcement analysts will be able to upload a photo of an unknown person; choose a desired number of results from two to 50 mug shots; and, within 15 minutes, receive identified mugs to inspect for potential matches. Users typically will request 20 candidates, Megna said. The service does not provide a direct match. Michigan, Washington, Florida and North Carolina will participate in a test of the new search tool this winter before it is offered to criminal justice professionals across the country in 2014 as part of NGI. The project, which was awarded to Lockheed Martin Corp. in 2008, already has upgraded the FBI's fingerprint matching service. Local authorities have the choice to file mug shots with the FBI as part of the booking process. The bureau expects its collection of shots to rival its repository of 70 million fingerprints once more officers are aware of the facial search's capabilities. [Editor: reminds me of the premise behind CBS's interesting new show "Person of Interest".]

Publisher Claims Ownership of Time-Zone Data (Wired, 9 Oct 2011) - The publisher of a database chronicling historical time-zone data is claiming copyright ownership of those facts, and is suing two researchers for re-purposing it in a free-to-use database relied on by millions of computers. The researchers' publicly available database was being hosted on a server at the Maryland-based National Institutes of Health, which apparently has removed the data at the request of Massachusetts-based publishing house Astrolabe. The publisher markets its programs to astrology buffs "seeking to determine the historical time at any given time in any particular location, world-wide," and claims ownership to the data in its "AC International Atlas" and "ACS American Atlas" software programs. Astrolabe's federal lawsuit, filed last week, is among the boldest claims of copyright infringement since 2005. That's when Bikram Choudhury, the hot-yoga guru, claimed copyright to his yoga positions. Choudhury had sent cease-and-desist letters ordering studios to stop teaching what he claimed were his copyrighted yoga poses. In an out-of-court settlement, the targeted studios agreed they would not capitalize off of the Bikram brand name. But they were not prohibited from teaching his style of yoga, which was based off of an art form thousands of years old. The suit also faces the tough challenge of overcoming a 1991 Supreme Court decision, concerning a company that harvested listings from a phone company's telephone book and re-published them. The court ruled that "copyright does not extend to facts contained in [a] compilation." Astrolabe claims Arthur Olson, a computer scientist at the National Institutes of Health, and Paul Eggert, a computer scientist at the University of California at Los Angeles, have "unlawfully reproduced the works" (.pdf) and distributed them without permission from the copyright holder. The allegedly infringing database credits the Astrolabe database.

US Power Plants Vulnerable to Cyberattack (FT, 11 Oct 2011) - Hundreds of thousands of people in darkness, hospitals in chaos, a banking system under siege - a cyberattack on the US electricity grid could have catastrophic consequences. When federal researchers discovered that outside hackers could take control of the generators used to produce electricity in the US and destroy them, analysts warned that a coordinated assault on the grid could black out large regions and cause devastation akin to scores of hurricanes striking at once. Regulators asked utilities to fix that design flaw, as they have with others discovered later. Now, four years since that first warning, experts say that power plants - along with financial institutions, transportation systems and other infrastructure - have become even more vulnerable. "The next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental system," Leon Panetta, US defence secretary, said at his June confirmation hearing. The economic damage from a single wave of cyberattacks on critical infrastructure could exceed $700bn - or the cumulative toll of 50 major hurricanes ripping into the nation simultaneously, wrote Stanton Sloane when he was chief executive of SRA International. Skeptics argue that the dangers are being talked up by those eager to be hired to help. Other countries, such as the UK, are also exposed, but officials agree that the US is the most vulnerable to cyberattack because its companies and people are so dependent on the internet. [M]ost alarming for the US defence establishment is the lack of security around the electricity grid. Many power plants, as well as factory floors and pipelines, rely on automation equipment that can be reprogrammed remotely yet does not require even the authentication imposed on average computer users, said John Pollet of Red Tiger Security, which has carried out security assessments on more than 150 facilities: "There is a systemic problem" across all manufacturers of the gear. Some control systems can be located with special Google searches and then ordered to shut down or speed up, potentially blowing up a power or water treatment plant, presentations at the Black Hat hacker conference showed in August. Many of these control systems were designed before the age of widespread internet connections.

- and -

Cybercrime Becomes Bigger Threat to Energy Industry than Terrorists (FuelFix, 13 Oct 2011) - In years past, discussions about security in the energy industry usually focused on protecting refineries from terrorist attacks and overseas workers from kidnapping. Today, the greater threat is the digital theft of competitive information or technical data by outside hackers or unscrupulous employees, speakers at an FBI-sponsored event on energy security said Wednesday. "The shift from physical security to data security has been a significant one for all of us," said Russell Cancilla, Vice President and Chief Security Officer at Baker Hughes. "Theft of intellectual property, state-sponsored corporate espionage, those kinds of things have grown exponentially in recent years." A few well-known incidents in the energy industry occurred in 2008, when computer systems owned by oil companies including ConocoPhillips, Marathon Oil and Exxon Mobil were reportedly hacked by outside forces seeking oil and gas lease bidding information. Sections of the U.S. power grid were also probed by outside forces in recent years, although it does not appear any damage was done. But the energy industry tends to be tight-lipped about such breaches. [Editor: Baker Hughes seems to have evolved their thinking since March's MIRLN 14.04.]

- and -

SEC Asks Companies to Disclose Cyber Attacks (Reuters, 13 Oct 2011) - U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes. The Securities and Exchange Commission issued guidelines on Thursday that laid out the kind of information companies should disclose, such as cyber events that could lead to financial losses. Senator John Rockefeller had asked the SEC to issue guidelines amid concern that it was becoming hard for investors to assess security risks if companies failed to mention data breaches in their public filings. "Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything," Rockefeller said in a statement. "It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it," he added. There is a growing sense of urgency about cyber security following breaches at Google Inc, Lockheed Martin Corp, the Pentagon's No. 1 supplier, Citigroup, the International Monetary Fund and others. Tom Kellermann, chief technology officer of security firm AirPatrol Corp, said that the SEC guidance tells companies to report cyber attacks and disclose steps to remediate problems. "They must also incorporate cyber events into their material risk reports," said Kellermann, who has advised U.S. President Obama on cyber policy. The SEC gets into specifics, telling companies what type of data they might need to provide investors. "Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue," it says. SEC guidance here: www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm [Editor: there's much to criticize in the guidance - e.g., the seeming requirement fully to disclose exploited vulnerabilities, which might still be exploited - but I think this is a move in the right direction. See article from Hogan Lovells.]

RSA Details March Cyberattack, Blames "Nation State" for SecurID Breach (Ars Technica, 12 Oct 2011) - At EMC's RSA Conference Europe in London today, RSA executives shared more details on the cyber attack that stole information on the company's SecurID authentication tokens in March. RSA executive chairman Noviello said at a press conference that two separate hacker groups worked in collaboration with a foreign government, ZDNet UK reports. He would not disclose the parties involved, but said "we can only conclude it was a nation-state sponsored attack." According to RSA executives, no customers' networks were breached as a result of the SecurID data stolen. RSA president Tom Heiser said during a presentation at the conference it was clear that the attack was intended to go after military contractors' data. The coordinated effort used a series of spear phishing attacks against RSA employees, posing as people they trusted, to penetrate the company's network. The phishing attack installed a "zero-day" exploit to establish a foothold. IDG reported that the exploit used an Excel spreadsheet with an embedded malicious Adobe Flash file. The foothold, and the tag-team attack that followed, were used to gain access to the SecurID data. However, RSA's chief security officer Eddie Schwartz said during the press conference that the intrusion was detected before any customers were attacked. According to RSA executives, the data was used in only one attack on a customer, and that attack was unsuccessful. No other customers were affected, according to RSA, despite reports that several defense contractors, including Lockheed Martin, had experienced breaches.

Does Keystroke Monitoring Violate ECPA? (Steptoe, 13 Oct 2011) - A recent federal court decision points out two of the many critical ambiguities in the Electronic Communications Privacy Act (ECPA): what constitutes an "interception" under the Wiretap Act portion of ECPA, and when is an email in "electronic storage" and therefore protected by the Stored Communications Act portion of ECPA? The court in Rene v. G.F. Fishers Inc. held that the use of keystroke logging software to monitor signals sent from a keyboard to a personal computer was not an interception of an electronic communication because it did not occur on "a system affecting interstate or foreign commerce." But the court found that the same actions could violate Indiana's wiretapping law, underscoring again how state laws may be more privacy-protective than ECPA. The court also held that unopened emails in a person's inbox are in "electronic storage" within the meaning of the SCA, and reserved judgment on whether opened emails were also in electronic storage. The storage question is one that has befuddled courts for years.

Judge Royce Lamberth: No Warrant Needed For Cell Phone Location Data (BLT, 13 Oct 2011) - Prosecutors do not need a warrant to compel a cellular phone service provider to turn over data about call location, a federal judge in Washington said in a ruling unsealed Wednesday. The ruling examines the government's attempt to get data from the undisclosed service provider amid a U.S. Attorney's Office investigation of an armed robbery of an armored truck. Chief Judge Royce Lamberth of U.S. District Court for the District of Columbia redacted the name of the service provider, the target phone number and the name of its alleged user. Lamberth ruled in part for prosecutors, reviving the government's push to obtain cell phone data. The judge reversed a magistrate judge's ruling from August. But Lamberth did not rubber-stamp the government's request, submitted under the Stored Communications Act. Instead, he said prosecutors must present additional evidence to prove the requested data is material to the armed robbery investigation. The burden is lower than the one a warrant would require. The dispute gave the court the opportunity to explore the scope of a controversial Washington federal appeals court ruling about the propriety of warrantless GPS surveillance. In ruling against the government in the armed robbery matter, Magistrate Judge John Facciola said the D.C. Circuit's decision in Jones required the government to obtain a warrant to compel the disclosure of the requested cellular data. Lamberth said that Facciola concluded that cell phone data - including the location of the tower that transmitted a call - is "tantamount to the sort of continuous GPS surveillance" at issue in the GPS case. A "reasonable cellular phone customer presumably realizes that his calls are all transmitted by nearby cell-site towers, and that cellular phone companies have access to and likely store data regarding the cell-site towers used to place a customer's calls," Lamberth said. Lamberth said a person's "decision to place a cellular phone call and thus provide information regarding his location to the phone company thus defeats an individual's privacy interest in that information." Lamberth's ruling here.

People Are Starting To Leave Their Facebook Passwords In Their Will (Business Insider, 13 Oct 2011) - One in 10 people in the United Kingdom leave their passwords to sites such as Facebook, Flickr, and Tumblr in their will, according to a story in the Guardian. Facebook makes it difficult for living members to get the passwords of their deceased relatives. As a result, "growing numbers of people want their digital identities to be controlled after they are gone," Emma Barnett writes. "They also want their families to have access to personal photos and home videos which are now more commonly being stored in the cloud, rather than in a physical album at home." The trend is increasing because people in Britain and all over the world have noticed Facebook walls of the deceased becoming easy targets for hacking and spammers. The European Union is also considering laws that would give living relatives easier access. But for now, an increasing number of wills will include a strange series of letters and numbers (or, you know, something like noah1234).

Three Emerging Cyber Threats (Bruce Schneier, 15 Oct 2011) - Last month, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: (1) The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They're collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior. (2) Ill-Conceived Regulations from Law Enforcement. We're seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I'm thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they'll all make us less safe. (3) The Cyberwar Arms Race. I'm not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.

How the Top 50 Nonprofits Do Social Media (PhilanTopic, 17 Oct 2011) - We love a good infographic -- especially when it relates to things that interest us, like nonprofits and social media. This one, from craigslist founder Craig Newmark and the folks at craigconnects, kept us busy for a while. Based on an informal audit conducted in August and September, the infographic is intended to answer questions like: Do the highest-earning nonprofits use social media more effectively than nonprofits that earn less? Are those same nonprofits the most "engaging"? How are people using social media to respond to and interact with large nonprofits? Here are a few key findings:

  • 92 percent of the top 50 nonprofits promote at least one social media presence on their homepage;
  • PBS has the most followers (840,653) on Twitter;
  • The American Cancer Society follows the most people/orgs (200,522) on Twitter;
  • Food for the Poor is the most "talkative" nonprofit on Facebook, with 220 posts over the two-month survey period;
  • The nonprofit with the highest net income, the YMCA, only posted 19 times to Facebook over the two-month survey period but has more than 24,000 fans.

- and -

Feds' Social Media Use Increases (NextGov, 18 Oct 2011) - Federal employees are increasingly turning to social media websites for work and personal use, particularly as more agencies lift restrictions on access, according to a new survey. The new Social Media in the Public Sector study, released Tuesday by Market Connections, found that just 19 percent of agencies ban access to some or all social media websites like Facebook, Twitter and LinkedIn. This is down sharply from 2010, when 55 percent of agencies banned access. The survey, which was conducted in September and drew nearly 900 public sector participants, including 352 federal employees and 272 government contractors, found that 74 percent of all respondents access social media websites at work, while 92 percent access them at home and 70 percent access them on mobile devices. The most widely used mobile devices by feds were the iPhone (53 percent), Blackberry (42 percent), Android (39 percent) and iPad (27 percent). LinkedIn and Twitter showed the biggest gains among social media websites used by federal respondents. Use of LinkedIn by feds, for example, grew from 32 percent in 2010 to 70 percent this year, while Twitter use increased from 30 percent last year to 55 percent this year. Eighty-six percent of federal respondents said they use Facebook, up from 72 percent last year, while 80 percent said they use YouTube, up from 61 percent in 2010, the survey found. Government-specific social networking websites also saw a boost in federal participation. According to the survey, 35 percent of federal workers and 55 percent of contractors said they use GovLoop, while GovTwit is being used by 30 percent of both government and contractor employees. Meanwhile, 37 percent of federal respondents said they are permitted to use social media as representatives of their agency, versus just 9 percent last year. 
Federal respondents said social media was most useful in helping inform decision making (100 percent), communicating externally with citizens and other agencies (81 percent), communicating with colleagues (78 percent), research (64 percent) and promotion/marketing (61 percent), the survey found.

- and -

Why I Deleted My Facebook Account (Bitter Lawyer, 18 Oct 2011) - Two weeks ago today, I did something that I thought was fairly non-controversial (I was wrong, apparently). I deactivated my Facebook account. And not just the half-hearted deactivation option Facebook offers, whereby your account remains saved and can be reactivated at any time - I actually completely deleted my account. Here's the really crazy part: I've spent the last 14 days fielding hundreds of emails from family, friends, and periphery ranging from mere curiosity to utter disbelief that I'm no longer on Facebook. No one can understand why I would ever want to disconnect myself from the (unfortunately) ubiquitous social network. Well, here's why. [Editor: isn't there some irony in the fact that she's blogging about escaping too-much-sharing with the "Screen People"? Still, I take her point.]

Los Angeles To Google: We Won't Pay For LAPD Seats (Business Insider, 18 Oct 2011) - One of Google's flagship government customers is trying to get out of paying for part of its contract, saying that Google has been too slow to meet its revised security requirements. Two years ago, Google got the City of LA to switch 30,000 employees from its old email system, Lotus Groupwise, to Gmail. But the deployment is going slower than expected because of additional security requirements by the LA Police Department. The LA Times reported on these problems back in April. Now, an August 2011 letter from Los Angeles CTO Randi Levin shows what the city is demanding. That letter says that CSC has been "unable to complete and comply with all LAPD security requirements" and other agencies that keep criminal records. So the city of LA is refusing to pay for those seats, and asking Google to do the work for free. "There will be no charge to the City for any Google licenses for the LAPD," proposes the letter. LA also wants Google to pay for the Groupwise licenses used by the LAPD through November 12, 2012.

Spanish Court Reverses Course: Says Linking To Infringing Material Is A Crime (TechDirt, 19 Oct 2011) - We've noted over and over again that Spanish courts have quite reasonably interpreted Spain's copyright law to mean that a site that just links to infringing content is not liable for the infringement. This makes a lot of sense. You should not blame a third party for the actions of its users. Yet the entertainment industry has made these rulings out to be an absolutely horrible miscarriage of justice, and have -- with the support of the US government -- pushed hard for draconian new copyright laws within the country. While public outcry (and leaked State Dept. cables showing that the US was really behind it) helped derail the effort the first time around, supporters are still trying to push it through. However, while the existing law stands, it's a bit surprising to see that one Spanish court has gone completely in the other direction and found the operators of a couple sites to be guilty of criminal copyright infringement, for which they may face a year in jail, in addition to fines. The lawyer for one of the guys suggests that this ruling is a result of politics, not the law. It's hard not to think that way given how it appears to fly in the face of most other decisions in Spain. I would imagine that there's still going to be an appeal in the case before it's really settled.

-but-

Supreme Court of Canada Stands Up for the Internet: No Liability for Linking (Michael Geist, 19 Oct 2011) - The Supreme Court of Canada today issued its much anticipated ruling in Crookes v. Newton, a case that focused on the issue of liability for linking to allegedly defamatory content. The court provided a huge win for the Internet as it clearly understood the significance of linking to freedom of expression and the way the Internet functions by ruling that there is no liability for a mere hyperlink. The key quote from the majority, written by Justice Abella: "I would conclude that a hyperlink, by itself, should never be seen as 'publication' of the content to which it refers." This is an enormous win for the Internet since it rightly recognizes that links are just digital references that should not be viewed as republication of the underlying content.

Cyber Attacks and Warfare (Media Law Prof Blog, 19 Oct 2011) - Michael Gervais, Yale Law School, has published Cyber Attacks and the Laws of War. Here is the abstract:

"In the past few decades, cyber attacks have evolved from boastful hacking to sophisticated cyber assaults that are integrated into the modern military machine. As the tools of cyber attacks become more accessible and dangerous, it's necessary for state and non-state cyber attackers to understand what limitations they face under international law. 

This paper confronts the major law-of-war issues faced by scholars and policymakers in the realm of cyber attacks, and explores how the key concepts of international law ought to apply. 

This paper makes a number of original contributions to the literature on cyber war and on the broader subject of the laws of war. I show that many of the conceptual problems in applying international humanitarian law to cyber attacks are parallel to the problems in applying international humanitarian law to conventional uses of force. The differences are in degree, not of kind. Moreover, I explore the types of cyber attacks that states can undertake to abide by international law, and which ones fall short." Paper here.

French Cookies Are Beginning to Taste Like British Biscuits (Steptoe, 20 Oct 2011) - By the sound of things, French data protection regulators thought their lawmakers were acting a bit kooky when, as we previously reported, they passed an ordinance providing that consent for the installation of cookies by a website can be inferred by browser settings. In a public statement last month, the Commission Nationale de l'Informatique et des Libertés, France's data protection agency, stated its intention to strictly apply active consent requirements in enforcing the ordinance. Specifically, it said that browser settings allowing all cookies, without making a distinction between their purposes, cannot be deemed a valid consent expressed by the user. This new statement reflects a stricter reading of the requirements of amended EU privacy law than what was apparently expressed by French lawmakers in August, and it would appear to bring France's treatment of cookies more in line with the UK's approach.

RESOURCES

Find the Person Behind an Email Address (Digital Inspiration) - You get an email from a person with whom you have never interacted before and therefore, before you reply to that message, you would like to know something more about him or her. How do you do this without directly asking the other person? Web search engines are obviously the most popular place for performing reverse email lookups, but if the person you're trying to research doesn't have a website or has never interacted with his email address on public forums before, Google will probably be of little help. No worries, here are a few tips and online services that may still help you uncover the identity of that unknown email sender. [Editor: Interesting; the TinEye tool looks scary, and worked when I searched for one of my own head-shots; we're not too far away from full-bore facial recognition tools.]

FUN

Wilful vs. Willful (Volokh Conspiracy, 19 Oct 2011) - A student saw "wilful" used in an opinion, and asked whether it was a typo. How things have changed in a few decades! Here's a Google Ngrams graph comparing the use of "wilful" (blue) and "willful" (red) in Google's American English sources * * * "Wilful" was once the only common spelling (and still remains the dominant spelling in British English, again according to Google Ngrams). But then things changed, and now "willful" is considerably more common. Indeed, a quick Westlaw query suggests that "willful" is 10 times more common in 2011 court opinions. It's thus probably wiser to use "willful," unless one knows that one's audience (say, a judge) has a contrary preference; using the more common spelling is more likely to convey your message without needlessly distracting the reader. Interestingly, the first two references I found for "wilful [sic]" in court cases were in 1962 and 1963, though in those years judicial usage was nearly evenly split between "wilful" and "willful." Those references were the only such "sic" references until 1971, but in the last few years, there have been more than 10 "wilful [sic]" references in court cases per year, which further reflects how dominant "willful" has become.

LOOKING BACK

CAMERAS SCANNED FANS FOR CRIMINALS (St. Petersburg Times, 31 Jan. 2001) - Were you one of the 100,000 fans and workers to pass through the stadium turnstiles at Sunday's Super Bowl? Did you smile for the camera? Each and every face that entered Raymond James Stadium for the big game was captured by a video camera connected to a law enforcement control room inside the stadium and checked electronically against the computer files of known criminals, terrorists and con artists of the Tampa Police Department, the FBI and other state and local law enforcement agencies. Sunday's Super Bowl was the first major sporting event to adopt the face-matching surveillance system. But the designers of the system expect other security-sensitive sporting events, ranging from the upcoming 2002 Winter Olympics in Salt Lake City to the hooligan-plagued soccer leagues in parts of Europe, to express great interest. http://www.sptimes.com/News/013101/TampaBay/Cameras_scanned_fans_.shtml

U.S. CONGRESS EYES VIRTUAL ASSEMBLY OPTIONS - Spooked by anthrax in the U.S. Capitol Building, lawmakers are considering an option proposed by the Democratic Leadership Council to convene "an electronic Congress." The DLC says a Web site "could easily be built" that would allow Congress and their staffers to debate, draft legislation and vote over the Internet. Such a site likely would use biometrics or "human verification" procedures to restrict access, and "the best system might require members to spread around the country to go to the nearest state capitol or city hall to use special kiosks there." The proposal, contained in an article titled "Legislating by Any Means Necessary," suggests that the site could be open to the public on "a read-only basis, so citizens could watch their representatives much as they can now on C-SPAN." A DLC staffer who worked on the report says, "This was supposed to be a conversation starter. We put this out there not as a full-baked proposal, not as an end-to-end solution." (Wired News 25 Oct 2001) http://www.wired.com/news/politics/0,1283,47841,00.html

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, October 01, 2011

MIRLN --- 11-30 September 2011 (v14.13)

MIRLN --- 11-30 September 2011 (v14.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

NEWS | PODCASTS | LOOKING BACK | NOTES

Report - A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11 (ACLU, 7 Sept 2011) - An ACLU report release to coincide with the 10th anniversary of 9/11 warns that a decade after the attacks, the United States is at risk of enshrining a permanent state of emergency in which core values must be subordinated to ever-expanding claims of national security. The report, entitled, "A Call to Courage: Reclaiming Our Liberties Ten Years after 9/11," explores how sacrificing America's values - including justice, individual liberty, and the rule of law - ultimately undermines safety. The report begins with an examination of the contention that the U.S. is engaged in a "war on terror" that takes place everywhere and will last forever, and that therefore counterterrorism measures cannot be balanced against any other considerations such as maintaining civil liberties. The report states that the United States has become an international legal outlier in invoking the right to use lethal force and indefinite military detention outside battle zones, and that these policies have hampered the international fight against terrorism by straining relations with allies and handing a propaganda tool to enemies. Taking on the legacy of the Bush administration's torture policy, the report warns that the lack of accountability leaves the door open to future abuses. "Our nation's official record of this era will show numerous honors to those who authorized torture - including a Presidential Medal of Freedom - and no recognition for those, like the Abu Ghraib whistleblower, who rejected and exposed it," it notes. Concluding with the massive expansion of surveillance since 9/11, the report delves into the many ways the government now spies on Americans without any suspicion of wrongdoing, from warrantless wiretapping to cell phone location tracking - but with little to show for it. 
"The reality is that as governmental surveillance has become easier and less constrained, security agencies are flooded with junk data, generating thousands of false leads that distract from real threats," the report says. Full report here.

Criminal Prohibitions on the Publication of Classified Defense Information (Congressional Research Service, 8 Sept 2011) - The online publication of classified defense documents and diplomatic cables by the organization WikiLeaks and subsequent reporting by The New York Times and other news media have focused attention on whether such publication violates U.S. criminal law. The suspected source of the material, Army Private Bradley Manning, has been charged with a number of offenses under the Uniform Code of Military Justice (UCMJ), including aiding the enemy, while a grand jury in Virginia is deciding whether to indict any civilians in connection with the disclosure. A number of other cases involving charges under the Espionage Act demonstrate the Obama Administration's relatively hard-line policy with respect to the prosecution of persons suspected of leaking classified information to the media. This report identifies some criminal statutes that may apply, but notes that these have been used almost exclusively to prosecute individuals with access to classified information (and a corresponding obligation to protect it) who make it available to foreign agents, or to foreign agents who obtain classified information unlawfully while present in the United States. Leaks of classified information to the press have only rarely been punished as crimes, and we are aware of no case in which a publisher of information obtained through unauthorized disclosure by a government employee has been prosecuted for publishing it. There may be First Amendment implications that would make such a prosecution difficult, not to mention political ramifications based on concerns about government censorship. 
To the extent that the investigation implicates any foreign nationals whose conduct occurred entirely overseas, any resulting prosecution may carry foreign policy implications related to the exercise of extraterritorial jurisdiction and whether suspected persons may be extradited to the United States under applicable treaty provisions. [Editor: Yochai Benkler has a working draft article titled "A Free Irresponsible Press: Wikileaks And The Battle Over The Soul Of The Networked Fourth Estate" here.]

'Find My Car' App Can Also Catch Crooks (Sydney Morning Herald, 9 Sept 2011) - [Y]ou'll never lose your car in the shopping centre again - and police now have at their fingertips technology to track down stolen and unregistered vehicles. Westfield Bondi Junction in Sydney recently added to its iPhone app the functionality for shoppers to find their parked car by entering its license plate number. The idea behind it is that if a shopper forgets where they parked then they can find their car using the app, which also lets users find out the opening hours of each retailer, see special offers and search for a store's location in the shopping centre. But Westfield said police could also use it to find stolen or unregistered vehicles. In a statement, NSW Police said it worked closely with security at Westfield Bondi Junction and utilised their technology "when required". See also http://www.theregister.co.uk/2011/09/14/find_my_car_fail/

This Post Should Be Considered Off the Record (TechPresident, 14 Sept 2011) - Staffers for Sen. Sheldon Whitehouse, Democrat of Rhode Island, don't mind if you read as they pass along hurricane updates or chat with other folks on Twitter. They'll even plug someone's business. Just don't talk about what you read: Whitehouse's communications director, Seth Larson, deputy press secretary, Richard Pezzillo, and new media director (!), Catherine Algeri, have disclaimers in their Twitter profiles that declare their posts - on public, unprotected accounts - to be off the record. Disclaimers in Twitter profiles are common. People from ABC News' senior White House correspondent Jake Tapper to Gerrit Lansing, press secretary at the Republican-controlled House Budget Committee, sport a tag of the tweets-are-mine-alone and/or retweets-aren't-endorsements category. But "off the record?" On Twitter? That's a new one on me. Update: Looks like Whitehouse's staff have decided to go public - their "off the record" pleas were gone from their Twitter profiles not long after I posted this piece.

Court Allows Recovery of Lost Business and Investigation Costs Under CFAA (Steptoe, 15 Sept 2011) - According to a recent decision, Mobil Mark, Inc., v. Paskosz, prospective plaintiffs worried that they cannot show sufficient damage or losses to state a civil claim under the Computer Fraud and Abuse Act (CFAA) should simply hire an expensive investigator. Earlier this month, the U.S. District Court for the Northern District of Illinois found that the cost of a company's investigation into a former employee's alleged data theft, and resulting lost customers and sales opportunities, can be counted as "losses" for purposes of the CFAA's $5,000 damage or loss minimum for pursuing a civil claim. While courts have been notoriously split over what exactly constitutes compensable "damage" or "loss" under the Act, this ruling continues what seems to be somewhat of a trend of increasingly expansive readings of the statute. This is good news for employers who want to use the CFAA to go after rogue employees and possibly their competitors.

NHL Restricts Players' Use of Social Media on Game Days (Thestar.com, 15 Sept 2011) - Thou shalt not Twitter during the game. Or before it. Or after it. Or during team meetings. The NHL and its Players' Association have put together a new social media policy that sets a blackout period during which players cannot use applications such as Twitter and Facebook. Basically, players may not tweet or use social media from two hours before the puck drop until after their media requirements are completed after the game. There is no blanket off-day restriction, but the league wants players to act "appropriately" and "not disclose competitively sensitive team info," deputy commissioner Bill Daly told the Star. The league is asking players to speak, text or tweet on social media with the same caution they would speak in front of microphones, understanding what they say is public and for-the-record. A violation would subject the players to an undisclosed punishment. NHL on-ice officials are not allowed to tweet or "maintain any social media accounts," Daly told the Star.

Executives May Be Too Confident on Cybersecurity, Survey Finds (NYT, 15 Sept 2011) - Every week comes a new report warning how vulnerable consumers, companies and government agencies are to hackers bent on breaching computer systems and extracting sensitive data. This week came a somewhat unusual report, compiled by the global consulting firm PricewaterhouseCoopers. It surveyed more than 9,000 executives in over 130 countries and found them confident in their ability to secure their information systems and bullish about cybersecurity spending. In the survey, released Thursday, 43 percent of respondents said they had confidence in their security protocols and 50 percent said they expected their companies to spend increasing amounts of money on cybersecurity. Digital hubris can be dangerous, though. PricewaterhouseCoopers parsed the data more closely. They asked the executives about the precautions they were taking. It turned out that only 13 percent of those surveyed had actually done what the consulting firm considered to be adequate - meaning they had an overall security strategy, they had reviewed the effectiveness of their strategy and they knew precisely the types of breaches that had already hit them over the last 12 months. Even as the use of social networks has proliferated, barely one in three respondents said their companies had a policy governing their employees' use of tools like Facebook and LinkedIn. Social media, the report's authors concluded, is a double-edged sword for many companies. "It's a great business opportunity," Mark Lobel, a principal at PricewaterhouseCoopers, said by phone. "It's also a terrible avenue for data loss and data leakage." Driving the spending on security was the prospect of cyber-espionage, or snooping on sensitive company and government data, everything from blueprints of fighter jets to confidential information about mergers and acquisitions. But only 16 percent of respondents said they were prepared for cyber-espionage.

Amazon Cloud Earns Key FISMA Government Security Accreditation (ArsTechnica, 15 Sept 2011) - Amazon has earned the FISMA security accreditation from the US General Services Administration, a key endorsement for its cloud security model that could increase adoption among federal agencies. FISMA, the Federal Information Security Management Act, is the fifth major certification or accreditation Amazon has gained for its Web Services business featuring the Elastic Compute Cloud infrastructure-as-a-service platform. "FISMA Moderate Authorization and Accreditation requires AWS to implement and operate an extensive set of security configurations and controls," Amazon said in an announcement today. "This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure as well as conducting third party audits. This is the first time AWS has received a FISMA Moderate authority to operate." Amazon already counted the likes of NASA's Jet Propulsion Laboratory and Treasury.gov as customers, so the company wasn't exactly struggling to land big names. But adding to its roster of accreditations could help Amazon EC2 attract more mission-critical use cases. FISMA certification had already been obtained by Google for its Apps service and by Microsoft for its cloud infrastructure and its BPOS-Federal service. Prior to today, Amazon achieved compliance with the SAS 70 Type II auditing standard, the HIPAA health data privacy act, PCI DSS credit card standards, and the ISO 27001 international security standard. The new FISMA certification covers Amazon EC2, Amazon's Simple Storage Service, the Virtual Private Cloud, and the services' underlying infrastructure.

FISMA Mandates Monthly Security Reports For Agencies (Information Week, 15 Sept 2011) - Federal agencies must begin reporting security data to an online compliance tool as part of fiscal year 2011 requirements for the Federal Information Security Management Act (FISMA). The Department of Homeland Security (DHS) outlined new requirements for FISMA, the National Institute of Standards and Technology (NIST) security standard for federal IT solutions. One of them calls for agencies to establish monthly data feeds to CyberScope, a compliance tool developed to help the feds to better and more actively monitor cybersecurity.

IRS Clarifies: Work Cellphones Are Not Taxable Perks (Hillicon Valley, 16 Sept 2011) - The Internal Revenue Service issued a notice Wednesday clarifying that employer-provided cellphones are not taxable perks. The Small Business Jobs Act of 2010 removed cellphones from the definition of "listed property," a category that normally requires additional record keeping by taxpayers. The IRS notice clarified that as a result of the law, when a business provides an employee with a cellphone to use for work, that phone is generally not a taxable benefit. The IRS also sent a memo to its examiners to explain the rule change. CTIA, a wireless trade association, praised the move. "I'm glad the IRS has finally had the last word on repeal of a rule that might have made sense in the late 1980s, but made no sense at all in today's mobile, always-connected world," wrote CTIA President Steve Largent in a blog post.


Symantec Survey Finds Emails Are No Longer the Most Commonly Specified Documents in eDiscovery Requests (Symantec press release, 19 Sept 2011) - Symantec Corp. (Nasdaq: SYMC) today announced the findings of its 2011 Information Retention and eDiscovery Survey which examined how enterprises manage their ever-growing volumes of electronically stored information and prepare for the eventuality of an eDiscovery request. The survey of legal and IT personnel at 2,000 enterprises worldwide found email is not the primary source of records companies must produce, and more importantly, respondents who employ best practices for records and information management are significantly less at risk of court sanctions or fines. "The fact that email is no longer the primary source of information for an eDiscovery request is a significant change from what has been the norm over the past several years," said Dean Gonsowski, eDiscovery Counsel at Symantec. "With the wide variety of sources in play, including loose documents, structured data, SharePoint content and even social media, it is not enough for legal and IT to simply focus upon email alone. It's critical for the two departments to work together to develop and implement an effective information retention policy."


Using Technology to Improve Client Service (ABA's Catherine Sanders Reach, 19 Sept 2011) - Everywhere you look, people are using technology outside the confines of the workplace. And no matter what type of clients you serve, it's likely they want to be able to use the same technologies for similar conveniences when they're working with you. Here are some suggestions for incorporating technology tools to give your clients enhanced options so you can meet, and even exceed, their expectations.


Abuse of Trust? (InsideHigherEd, 19 Sept 2011) - Less than a week after the University of Michigan brushed off a lawsuit by the Authors Guild over the university's move to make copyrighted "orphan" works in its digital collection freely available to students and faculty, the Michigan Library suspended the practice Friday, admitting "serious" flaws in its process for identifying orphans. Friday's mea culpa followed a public flogging of the library and its nonprofit digital consortium, HathiTrust, at the hands of the Authors Guild, in which the guild quickly tracked down the owners of the copyrights on several works that HathiTrust had categorized as "orphans" -- books and articles that are in copyright but whose copyright owners cannot be located or identified. "The close and welcome scrutiny of the list of potential orphan works has revealed a number of errors, some of them serious," the Michigan library wrote in its statement. "This tells us that our pilot process is flawed." The librarians said they had "learned from [their] mistakes" and have "already begun an examination of our procedures to identify the gaps that allowed volumes that are evidently not orphan works to be added to the list." The HathiTrust's Orphan Works Project -- a Michigan-led effort to identify and increase access to the orphans from the consortium's digital library -- has been suspended until the university can come up with "a more robust, transparent, and fully documented process" for making sure works are genuinely orphaned before categorizing them as such. The Authors Guild, along with authors' associations in Australia and Quebec and a handful of individual authors, had filed suit last Monday against the HathiTrust, Michigan, and several other university libraries heavily involved in the Orphan Works Project. The plaintiffs claimed that by establishing its own set of procedures for clearing orphan works for wider accessibility, the libraries were taking copyright into their own hands. 
They argued that the orphans should stay under lock and key until Congress passes legislation governing how orphan works can be identified and displayed. Michigan and other HathiTrust supporters argued that giving faculty members and students access to digital orphan works was protected by the "fair use" provisions of U.S. copyright law. But the Authors Guild struck back on its blog, calling into question the integrity of Michigan's process for attempting to find the copyright holders for its orphan candidates. In a series of "gotcha" blog posts, the guild documented its own efforts to find the copyright holders for HathiTrust orphans. It quickly tracked down several authors that HathiTrust had apparently been unable to reach. [Editor: EFF has a different perspective - see No Authors Have Been Harmed in the Making of This Library (EDD, 15 Sept 2011) - "We've been puzzling over the Author's Guild's decision to sue several university libraries for participating in the digitization and storage of millions of works (largely in connection with the Google Books project) and making scans of some of those works available to the academic community. Simply put, it appears that the Guild is dead set on wasting time and money addressing imaginary harms, whether or not its efforts might actually benefit either its members or the public." InsideHigherEd runs yet another perspective here.]


Broadband Under The Sea: Where Do Those Cables Go? (GigaOM, 20 Sept 2011) - Want to know how your email packets from Rhode Island make it over to South Africa? Or what about your VoIP call from Hong Kong to Honolulu? Now there's a map for that, thanks to the folks at Telegeography who have rolled out an interactive tool that shows you the location of various undersea cables. These cables are the links that connect the Internet across oceans and continents, and typically they only get noticed when they go down. For the truly nerdy, this makes awesome wall art (you can put it next to your spectrum allocation chart!), but if you're more like the rest of the population, it's a fun resource to turn to the next time a woman panning for copper cuts a cable, you're looking for a good place to base a data center, or you want to see how interconnected we are. For example, Hillsboro, Ore., should be known as Cabletown given that three cables land there: more than any other city in the U.S. That and other fun facts await you, although I'd like a better search function so I could easily see how many cables Google has invested in, for example. Map here. [Editor: the article on this is Neal Stephenson's "Mother Earth, Mother Board" from Wired from 1996 - here.]


Non-Marketing Uses of Social Media for Lawyers (Dennis Kennedy, 20 Sept 2011) - Since Tom Mighell and I haven't gotten much chance over the last year or so to write together, we jumped at the chance to write an article on "non-marketing" uses of social media for lawyers for the ABA's Law Practice Today webzine. Then we realized that volunteering to write an article is far easier than finding the time to actually write it. The result, however, is an article we really liked and one we've gotten some great feedback on. It's called "Not Your Marketer's Social Media: Ten Ways Lawyers Can Benefit from Non-Marketing Uses of Social Media." The article grew out of our podcast called "Using Social Media for Non-Marketing" and expands on some of the ideas in the podcast and adds a few new things. The main idea is that lawyers can benefit from social media in many different ways and that the over-attention on using social media for marketing to potential clients has a limiting effect on ways that lawyers think they might use social media. The article is an attempt to "think different" about social media - in practical ways that match your own personality and approach - and to go back to the basics on social media. Then, see what evolves from uses that best fit your own approach and comfort. Check out the new article and let us know what you think about it. [Editor: for example, I find about 1/3 of the stories in MIRLN through social media tools, and I broadcast MIRLN-related items on Twitter with #mirln.]


Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users (Berkman guide, 20 Sept 2011) - This report explores these dilemmas and recommends principles, strategies, and tools that companies and users alike can adopt to mitigate the negative effects of account deactivation and content removal. Through case examples, we outline the ways in which platform providers can have a positive impact on user trust and behavior by being more clear and consistent in developing ToU and other policies, responding to and evaluating suspected violations, and providing opportunities for recourse and appeal. We also highlight concrete actions that users can take to educate themselves about how the moderation, takedown, and abuse-prevention mechanisms work for the services they use, provide and communicate context where necessary, and engage with companies and other users around such issues. From the activist who communicates with her network via her Facebook account, the user who posts documentary-style videos to YouTube or the citizen journalist who raises awareness with photos uploaded to Flickr, platforms that host user-generated content are increasingly used by a range of civic actors in innovative ways: to amplify voices, organize campaigns and coordinate disaster response, and advocate around issues of common concern. However, while the online space may be perceived as a public commons, private entities play a role in shaping online activity, behavior, and content via Terms of Use (ToU), community guidelines, and other mechanisms of control. Platform providers often enforce such rules in response to potential threats, misuse, or ToU violations; users must observe them or risk losing their accounts, their contacts, or their ability to post content. 
The clarity, transparency, and consistency of how such terms are established and implemented are important to all users, but for the growing number of human rights activists who depend on web 2.0 platforms for core elements of their work, and for whom removed content and deleted accounts can have severe consequences, the stakes are much higher. For platform providers, enforcing site guidelines can require balancing complex and often competing considerations, including supporting community norms and innovative user activity, while maintaining a safe and secure online environment, protecting the free expression and privacy rights of users while enforcing legal standards or responding to government pressure, and accounting for the potential risks faced by activists. Guide is here.


Full List of Sites the US Air Force Blocked to Hide from Wikileaks Info; Includes NY Times & The Guardian (TechDirt, 20 Sept 2011) - When the State Department cables leaked via Wikileaks, some government employees and agencies were put in a tough position, in that they couldn't officially view those documents, since they were still classified. As we've noted in the past, this is stupid. In business, any boilerplate non-disclosure agreement says that if some info becomes public due to a third party, the NDA no longer applies. The US government, for reasons that escape me, refuses to do the same thing for classified info that leaks -- even after the press has run stories on it. We heard all sorts of bizarre stories about government agencies trying to block access to this content which was everywhere, including reports that any Techdirt article that mentioned "Wikileaks" in the title was blocked from Defense Department computers. Jason Smathers decided to submit a Freedom of Information Act request (via the awesome Muckrock.com platform) to the US Air Force to find out what sites it was blocking. And while the Air Force initially denied the request, on appeal it just changed its mind and handed over the list, which you can see below. Most of the blocked URLs are to various Wikileaks mirror sites, but it also covers the major media properties that Wikileaks initially worked with on releasing these documents, including the NY Times and The Gu[a]rdian.


Apple and Dropbox Join Fight to Reform Electronic Privacy Law (EFF, 22 Sept 2011) - In April we launched "Who Has Your Back", a campaign calling on major Internet companies like Google, Amazon and Microsoft to stand with their users when it comes to government demands for users' data. Today, we're pleased to see that two of the thirteen companies highlighted in our petition, Apple and Dropbox, have agreed to one of our requests: that they stand up for user privacy in Congress by joining the Digital Due Process coalition. Digital Due Process is a diverse coalition of privacy advocates like EFF, ACLU and the Center for Democracy & Technology and major companies like AT&T, eBay and Comcast that has come together with the shared goal of modernizing surveillance laws for the Internet age. The DDP coalition is especially focused on pressing Congress to update the woefully-outdated Electronic Communications Privacy Act or "ECPA."


Is it Possible to Secure Law Firm Data? (slaw, 22 Sept 2011) - To answer the question, we interviewed our friend and colleague Matt Kesner, the CIO of Fenwick & West LLP, a West Coast law firm representing high tech and bio-tech clients. Matt has "walked the walk" when it comes to security and protecting data. Is the data at a law firm really different or are there "special" considerations when dealing with security within a law firm? Matt suggested that there are a lot of tensions at play within a law firm. There's always the tension between IT and end-users. The end-users are more difficult to tame and are more independent than most other users. They don't necessarily want to comply with the stated policies and procedures, thereby making security a more difficult task. Also, they tend to be driven by what the client wants, which may be in contradiction to the security procedures of the firm. The press hasn't really identified many data breaches that have involved law firms. Since law firms are very much reputation based, they are not all that willing to publicize any data breach that may have occurred. Current data breach laws have changed that practice, but we still don't hear of many specifics concerning law firms. Matt acknowledged that there have been two breaches at his own firm. His advice for security is to learn lessons from breaches so you can avoid a recurrence - at least a recurrence of the same sort of attack. Fortunately for Matt's firm, the security incidents did not involve access to their network. Both occurrences involved their website, which was hosted externally. We are aware of some other firms being compromised, primarily through mobile devices and unprotected laptops. Matt confirmed that law firms are seeing an increase in hacking attempts. Reviews of his own firm's logs show repeated "door rattles" and attempted infiltration of the network. 
They are being probed a lot more often, tested with various scripts being used to determine vulnerabilities and have experienced a higher proportion of successful malware and phishing attacks against their users. Many attacks appear to be originating from China, which is consistent with our experiences gleaned from security investigations involving these attacks. Our own government has cautioned us that every cell phone and smart phone that goes into China has spyware downloaded on it by the Chinese communications infrastructure. This spyware pretty much has unfettered access to the data that you are sending and receiving even if it is encrypted in transit. Another concern is bringing laptops to China. Matt advised us to weigh the laptop before and after taking it to China as many times hardware monitoring devices will be installed in the laptop itself. He also suggested taking a disposable cell phone when traveling to China. Many in the security field have stated that we are seeing activity from China's "C-level" (rookie) hackers since law firm systems are fairly easy to penetrate. China isn't even wasting the efforts of their "B-level" or "A-level" teams when attacking U.S. systems. Essentially, China's entry level hackers are practicing on U.S. law firm networks before "graduating" to more advanced hacking activities. Matt told us that Chinese students actually take hacking classes and hack Western websites as part of their homework. Pretty scary stuff.


Newly Released Documents Reveal Defense Department Intelligence Violations (EFF, 22 Sept 2011) - EFF just received documents that reveal additional post-9/11 Defense Department misconduct, including attempts by the Army to investigate participants at a conference on Islamic law at the University of Texas Law School and Army-issued National Security Letters (NSLs) to telecommunications providers in violation of the law.


Even If You Cancel Your OnStar Service, The Company Will Still Track (And Sell) Your Location (TechDirt, 22 Sept 2011) - GM subsidiary OnStar is apparently alerting its customers that even if they decide to cancel their service in the future, OnStar will still track information about them -- and, of course, potentially sell that data: "What's changed [is that if] you want to cancel your OnStar service, we are going to maintain a two-way connection to your vehicle unless the customer says otherwise." OnStar is spinning this as a plan to make it "easier to re-enroll" as a customer, but it also seems to admit that there's demand out there for the data that OnStar collects, so it has plenty of incentive to get more such data, even from non-customers. Of course, they don't even seem to acknowledge the creepiness factor of canceling a service, and then still having that service track your every move. [GM stops - 27 Sept 2011]


Author Sues Production Company For Copyright Infringement For Changing The Script It Optioned From Him (TechDirt, 22 Sept 2011) - While significant parts of the rest of the world include a "moral rights" component to copyright (which covers things like proper attribution), the US has always avoided it -- even though it's supposedly required by the Berne Convention, of which the US is a participant. The US has mainly gotten around this because it's the US and it ignores international agreements when it wants to -- but also because it put in a tiny bit of moral rights in extremely limited circumstances that are so rare you'll almost never, ever hear about them. However, it does appear that some are trying to sneak in a form of moral rights via contract. 

Copycense points us to the news of a writer, Matthew Jones, who is suing the people who optioned his screenplay (which was based on his own novel, Boot Tracks) for changing the screenplay without his permission. He apparently wrote into the contract that such changes could not be made without his permission -- and yet the screenplay was changed to help get funding. There's an obvious contractual breach in there, but Jones is also claiming copyright infringement, suggesting that, by breaking the agreement, they were also creating an unauthorized derivative work. In this case, it's a little more confusing, because there's some question as to when the producer and director actually exercised the option to buy the screenplay/make the film. Either way, it may make for an interesting case and it makes me wonder if we'll start to see more efforts by content creators to enforce such moral-like rights via contract.


More Offices Let Workers Choose Their Own Devices (NYT, 23 Sept 2011) - Throughout the information age, the corporate I.T. department has stood at the chokepoint of office technology with a firm hand on what equipment and software employees use in the workplace. They are now in retreat. Employees are bringing in the technology they use at home and demanding the I.T. department accommodate them. The I.T. department often complies. Some companies have even surrendered to what is being called the consumerization of I.T. At Kraft Foods, the I.T. department's involvement in choosing technology for employees is limited to handing out a stipend. Employees use the money to buy whatever laptop they want from Best Buy, Amazon.com or the local Apple store. "We heard from people saying, 'How come I have better equipment at home?' " said Mike Cunningham, chief technology officer for Kraft Foods. "We said, hey, we can address that." Encouraging employees to buy their own laptops, or bring their mobile phones and iPads from home, is gaining traction in the workplace. A survey published on Thursday by Forrester Research found that 48 percent of information workers buy smartphones for work without considering what their I.T. department supports. By being more flexible, companies are hoping that workers will be more comfortable with their devices and therefore more productive. Corporate I.T. departments often resist allowing consumer technology on their networks because of security concerns. "They're over the denial and anger stage, and now they are in the acceptance and 'How can we help?' stage," said Mr. Schadler, who co-wrote the book "Empowered," which addresses consumer technology in the workplace. "What broke the camel's back was the iPad, because executives brought it into the company and said 'Hey, you've got to support this.'" Kraft's program is not quite companywide, however. 
Executives who handle confidential information, people who use laptops to operate production equipment, and most factory workers are ineligible. "It's a relatively small part of the company," Mr. Cunningham said. "But it addresses the majority of the noise and complaining." [Editor: Even law firms are doing this; Wilson Sonsini's CIO, Phillip Hoare, is one of the early forward-thinkers here, and is crafting a process that helps assure security and confidentiality, even on employee-owned smart devices. Kudos.]


Three Emerging Cyber Threats (Bruce Schneier, 23 Sept 2011) - On Monday I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: (1) The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They're collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior. (2) Ill-Conceived Regulations from Law Enforcement. We're seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I'm thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they'll all make us less safe.
(3) The Cyberwar Arms Race. I'm not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive. -- That's my list, and they all have the potential to be more dangerous than cybercriminals.


Facebook Hosts 4% Of All Photos Ever Taken In History (TechDirt, 24 Sept 2011) - For all the talk of how content creation is going down the drain due to lax copyright enforcement, it seems that everywhere we look, we just keep seeing more and more and more content creation. The latest is a report that Facebook currently hosts 4% of all photos ever taken. Specifically, it hosts 140 billion photos out of 3.5 trillion photos taken in history. Now, obviously, technology change is at work here. Photography really only showed up for real about a century and a half ago, and didn't really hit the mainstream until less than a century ago. And, of course, for most of that time it involved (sometimes expensive) film and the expensive step of processing it. Photography has exploded over the last decade or so with the rise of digital cameras, and, of course, high quality digital cameras built into mobile phones.

But, really, that raises a bigger point: the tools of creation for all sorts of things have been changing rapidly and making it easier and cheaper to create content, whether it's a photograph, a song, a movie, a book or.. well... just about anything. We're being inundated with new creative works... at the same time we're being told that content creation is dying. Now, to be fair, much of the content production we're talking about is amateur production, but some of that is of fantastic quality, and is leading people into professional content creation roles. But, I guess this raises a separate question. What is the real purpose of copyright? Is it only to incentivize professional content creation, or to incentivize content creation overall? Given the stated purpose is to "promote the progress," and to provide the public with more content, I would argue the goal is to promote more overall content, and it seems that technology is doing a much better job of that than copyright.


Metropolitan Museum Unveils Revamped Web Site (NYT, 26 Sept 2011) - The Metropolitan Museum of Art, which has been trying to rebrand itself over the last year as a visitor-friendly art behemoth, unveiled a redesigned Web site on Monday, the first time the site has been thoroughly updated in more than a decade. It includes several new features that are beginning to become standard for large museums, like a zoomable, clickable floor plan similar to one the Art Institute of Chicago created two years ago. The Met's version allows prospective visitors to look closely at almost 400 galleries to see what to expect, and visitors already at the museum to use smartphones on parts of the site to find their way to favorite artworks. The site also shows off the results of a huge undertaking ordered by Thomas P. Campbell, the museum's director: that the curatorial departments make images and information available online for all of the almost two million items in the collection. About 340,000 comprehensive entries for objects are included on the revamped site, 200,000 of which have been created over the last nine months. The site also has a new multimedia section, making videos, recorded lectures, interactive educational programs and other digital projects more easily accessible.


In China, Business Travelers Take Extreme Precautions to Avoid Cyber-Espionage (Washington Post, 26 Sept 2011) - Packing for business in China? Bring your passport and business cards, but maybe not that laptop loaded with contacts and corporate memos. China's massive market beckons to American businesses - the nation is the United States' second-largest trading partner - but many are increasingly concerned about working amid electronic surveillance that is sophisticated and pervasive. Security experts also warn about Russia, Israel and even France, which in the 1990s reportedly bugged first-class airplane cabins to capture business travelers' conversations. Many other countries, including the United States, spy on one another for national security purposes. But China's brazen use of cyber-espionage stands out because the focus is often corporate, part of a broader government strategy to help develop the country's economy, according to experts who advise American businesses and government agencies. "I've been told that if you use an iPhone or BlackBerry, everything on it - contacts, calendar, e-mails - can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they've got it," said Kenneth Lieberthal, a former senior White House official for Asia who is at the Brookings Institution. Some industrial cyber-espionage takes place in the U.S. corporate world, experts say, but not nearly to the extent found in China. Also, the U.S. government reportedly does not conduct economic espionage on behalf of U.S. industry. Travelers there often tote disposable cellphones and loaner laptops stripped of sensitive data. Some U.S. officials take no electronic gear. And a few corporate executives detour to Australia rather than risk talking business in a bugged Chinese hotel room. Other travelers hide files on thumb drives, which they carry at all times and use only on off-line computers.
One security expert, who spoke on the condition of anonymity to avoid drawing scrutiny from the Chinese government, buys a new iPad for each visit, then never uses it again. "It's real easy for them [the Chinese] to read everything that goes in and out of the country because the government owns all the networks," said Jody Westby, chief executive of Global Cyber Risk, a consulting firm. "The real problem here is economic espionage," she said. "There are countries where the search for economic information and high-value data is so aggressive that companies or people are very hesitant about taking their laptops to those countries." Business travelers began adopting such safety measures for China several years ago, experts say. On the eve of the 2008 Beijing Olympics, Joel Brenner, then the U.S. national counterintelligence executive, first issued government safety guidance to overseas travelers, with such tips as: "If you can do without the device, don't take it."


Firings, Discipline Over Facebook Posts Leads to Surge in Legal Disputes (Business Insider, 26 Sept 2011) - In the age of instant tweets and impulsive Facebook posts, some companies are still trying to figure out how they can limit what their employees say about work online without running afoul of the law. Confusion about what workers can or can't post has led to a surge of more than 100 complaints at the National Labor Relations Board - most within the past year - and created uncertainty for businesses about how far their social media policies can go. "Employers are struggling to figure out what the right policies are and what they should do when these cases arise," said Michael Eastman, labor law policy director at the U.S. Chamber of Commerce. In one case, a Chicago-area car salesman was fired after going on Facebook to complain that his BMW dealership served overcooked hot dogs, stale buns and other cheap food instead of nicer fare at an event to roll out a posh new car model. The NLRB's enforcement office found the comments were legally protected because the salesman was expressing concerns about the terms and conditions of his job, frustrations he had earlier shared in person with other employees. But the board's attorneys reached the opposite conclusion in the case of a Wal-Mart employee who went on Facebook to complain about management "tyranny" and used an off-color Spanish word to refer to a female assistant manager. The worker was suspended for one day and disqualified from seeking promotion for a year. The board said the postings were "an individual gripe" rather than an effort to discuss work conditions with co-workers and declined to take action against the retailer. Those cases are among 14 investigations the board's acting general counsel, Lafe Solomon, discussed in a lengthy report last month on the rise in social media cases. 
Solomon says federal law permits employees to talk with co-workers about their jobs and working conditions without reprisal - whether that conversation takes place around the water cooler or on Facebook or Twitter. "Most of the social media policies that we've been presented are very, very overbroad," Solomon said in an interview. "They say you can't disparage or criticize the company in any way on social media, and that is not true under the law." The number of cases spiked last year after the board sided with a Connecticut woman fired from an ambulance company after she went on Facebook to criticize her boss. That case settled earlier this year, with the company agreeing to change its blogging and Internet policy that had banned workers from discussing the company over the Internet. The National Labor Relations Act protects both union and nonunion workers when they engage in "protected concerted activity" - coming together to discuss working conditions. But when online comments might be seen by hundreds or thousands of eyeballs, companies are concerned about the effect of disparaging remarks. Doreen Davis, a management-side labor lawyer based in Philadelphia, said many of her corporate clients are often "surprised and upset" when they learn they can't simply terminate employees for talking about work online. "All of us on the management side are being inundated with calls and inquiries from clients about this," Davis said. "A lot of companies want their social media policies reviewed or they want to establish one for the first time." But the NLRB's Solomon also warns workers that not everything they write on Facebook or Twitter will be permissible under the law just because it discusses their job. "A lot of Facebook, by its very nature, starts out as mere griping," Solomon said. "We need some evidence either before, during or after that you are looking to your fellow employees to engage in some sort of group action."

Marine Corps Social Media Principles Manual (BeSpacific, 27 Sept 2011) - "The Marine Corps must continuously innovate to communicate in media-intensive environments, to remain the nation's force in readiness. This mission is based on the Marine Corps Vision and Strategy 2025 and the public affairs tasks outlined in the Marine Corps Service Campaign Plan for 2009-2015. While building and launching a social media program or accessing a favorite social media site can sometimes be fast, easy, and inexpensive, existing rules for public affairs as well as personal conduct still apply. The Marine Corps encourages Marines to explore and engage in social media communities at a level they feel comfortable with. The best advice is to approach online communication in the same way we communicate in person - by using sound judgment and common sense, adhering to the Marine Corps' core values of honor, courage and commitment, following established policy, and abiding by the Uniform Code of Military Justice (UCMJ). The social media principles provided in this handbook are intended to outline how our core values should be demonstrated, to guide Marines through the use of social media whether personally involved or when acting on behalf of the Marine Corps." Manual here.

Better Ideas Through Failure (WSJ, 27 Sept 2011) - To pitch a prospective client for her ad agency, Amanda Zolten knew she had to take a risk. But the client's product, kitty litter, posed a unique challenge. Lucy Belle, Ms. Zolten's cat, furnished the answer. Before she and her team met with six of the company's executives, Ms. Zolten buried Lucy Belle's mess in a box of the company's litter and pushed it under the conference-room table. No one noticed until Ms. Zolten pointed it out, and the fact that no one had smelled it. Shocked, several executives pushed back from the table. Two left the room. After a pause, those who remained started laughing, says Ms. Zolten, a senior vice president with Grey New York. "We achieved what we hoped, which was creating a memorable experience," she says. She won't know for a few weeks whether Grey won the business. But her boss, Tor Myhren, has already named Ms. Zolten the winner of his first quarterly "Heroic Failure" award, for taking a big, edgy risk. Amid worries that we are becoming less innovative, some companies are rewarding employees for their mistakes or questionable risks. The tactic is rooted in research showing that innovations are often accompanied by a high rate of failure. "Failure, and how companies deal with failure, is a very big part of innovation," says Judy Estrin of Menlo Park, Calif., a founder of seven high-tech companies and author of a book on innovation. Failures caused by sloppiness or laziness are bad. But "if employees try something that was worth trying and fail, and if they are open about it, and if they learn from that failure, that is a good thing."

Taking A Computer Out of Screensaver Mode to See Suspect's Facebook Wall Is a Fourth Amendment Search (Volokh Conspiracy, 27 Sept 2011) - The legal question: When a computer is in screensaver mode, does a police officer's touching a key or moving the mousepad in order to reveal the contents of the screen constitute a Fourth Amendment "search"? The facts: The local police received a few citizen calls about a threat posted on Craigslist regarding possible planned violence at a local shopping mall. The police contacted Craigslist and obtained contact information for the person who posted the threat. They visited the man at his home, and the man invited the officers inside. While the officers were present in the home, an officer saw a laptop computer that was either off or in screensaver mode. The officer touched a key or moved the mousepad, and the computer came out of screensaver mode. The officer could then see the contents of the screen, and those contents revealed the suspect's Facebook wall. The Facebook wall contained a "status update" in which the suspect discussed the mall and wrote that another mall was next, and it also showed that the defendant had "liked" a group about the need to change the mall. The police arrested the suspect and took away the computer. After being charged with making a threat, the suspect-turned-defendant moved to suppress the information relating to the threat found on the computer. He argued, among other things, that taking his computer out of screensaver mode to see the Facebook wall was a "search" that required some sort of justification under the Fourth Amendment. The ruling, in United States v. Musgrove, 2011 WL 4356521 (E.D.Wis. 2011) (Joseph, M.J.): "Whether there is a search here is a close call because the officer did not actively open any files. A truly cursory inspection, one that involves merely looking at what is already exposed to view, without disturbing it, is not a 'search' for Fourth Amendment purposes. Arizona v. Hicks, 480 U.S. 321, 328 (1987). However, this is not such a case. By touching a key or moving the mouse, the officer put into view the Facebook wall, which was not previously in view. Though a close call, the Court concludes that this was a search, however minimal, which required further authority, a warrant or consent. The government submits that the officer's manipulation of the computer was for the purpose of seizing the computer, not to conduct a preliminary search. However, intent is not generally relevant in assessing whether a search ensued. See, e.g., United States v. Mann, 592 F.3d 779, 784 (7th Cir.2010) (citing Platteville Area Apt. Ass'n v. City of Platteville, 179 F.3d 574, 580 (7th Cir.1999)). The Court therefore recommends that the defendant's Facebook wall be suppressed."

Bankrupt Borders Sells Customer Data to Barnes & Noble (EPIC, 28 Sept 2011) - A bankruptcy court in New York has approved the sale of customer information, including email addresses, phone numbers, mailing addresses, and birthdates, from Borders to Barnes & Noble, following an earlier determination that the transfer violated Borders' privacy policy. The judge has now required that former Borders customers receive an email notification and that the companies place prominent notices on their web sites and take out ads in USA Today. Customers will have 15 days to opt out of the transfer.

Which Telecoms Store Your Data the Longest? Secret Memo Tells All (Wired, 28 Sept 2011) - The nation's major mobile-phone providers are keeping a treasure trove of sensitive data on their customers, according to a newly released Justice Department internal memo that for the first time reveals the data retention policies of America's largest telecoms. The single-page Department of Justice document, "Retention Periods of Major Cellular Service Providers" (.pdf), is a guide for law enforcement agencies looking to get information - like customer IP addresses, call logs, text messages and web surfing habits - out of U.S. telecom companies, including AT&T, Sprint, T-Mobile and Verizon. The document, marked "Law Enforcement Use Only" and dated August 2010, illustrates that there are some significant differences in how long carriers retain your data. Verizon, for example, keeps a list of everyone you've exchanged text messages with for the past year, according to the document. But T-Mobile stores the same data up to five years. It's 18 months for Sprint, and seven years for AT&T. That makes Verizon appear to have the most privacy-friendly policy. Except that Verizon is alone in retaining the actual contents of text messages. It allegedly stores the messages for five days, while T-Mobile, AT&T, and Sprint don't store them at all. The document was unearthed by the American Civil Liberties Union of North Carolina via a Freedom of Information Act claim. (After the group gave a copy to Wired.com, we also discovered it in two other places on the internet by searching its title.) "People who are upset that Facebook is storing all their information should be really concerned that their cell phone is tracking them everywhere they've been," said Catherine Crump, an ACLU staff attorney. "The government has this information because it wants to engage in surveillance." The biggest difference in retention surrounds so-called cell-site data. That is information detailing a phone's movement history via its connections to mobile phone towers while it is traveling. Verizon keeps that data on a one-year rolling basis; T-Mobile for "a year or more;" Sprint up to two years; and AT&T indefinitely, from July 2008.

Pennsylvania Appeals Court Rules Text Messages Were Inadmissible Hearsay (ABA Journal, 28 Sept 2011) - A Pennsylvania appeals court has overturned a woman's drug conviction because text messages on her phone were admitted as evidence at trial. The Pennsylvania Superior Court said there was no showing that the defendant wrote the 13 drug-related text messages and they were inadmissible hearsay, the Legal Intelligencer reports. The defendant, Amy Koch, had been convicted of possession with intent to deliver marijuana and possession of marijuana as an accomplice. The trial court had reasoned that doubts about the identity of the sender or recipient of text messages went to the weight of the evidence rather than admissibility. "We disagree," the appeals court opinion said. "Authentication is a prerequisite to admissibility. … Circumstantial evidence, which tends to corroborate the identity of the sender, is required." Such authentication evidence was not offered in Koch's case, the court said. "Glaringly absent in this case is any evidence tending to substantiate that appellant wrote the drug-related text messages. No testimony was presented from persons who sent or received the text messages. There are no contextual clues in the drug-related text messages themselves tending to reveal the identity of the sender." [Editor: I wonder if her phone was password-protected, or was useable by anyone.]

Our Pleasure to Serve You: More Lawyers Look to Social Networking Sites to Notify Defendants (ABA Journal, 1 Oct 2011) - Although Jessica Mpafe had not seen her husband in years, she assumed he had moved back to West Africa's Ivory Coast. Mpafe of Minnesota had no physical address at which to serve him with divorce papers. So she asked the court whether she could send the notice by general delivery, where the post office holds mail until the recipient calls for it. Kevin S. Burke, the Hennepin County, Minn., judge presiding over the case, thought that would be a waste of postage. "General delivery made sense 100 years ago, but let's be real," says Burke, implying that few use it anymore. Nor did the judge trust publishing legal notices in a trade paper when the defendant can't be located. "Nobody, particularly poor people, is going to look at the legal newspaper to notice that their spouse wants to get divorced," Burke says. On May 10 the judge wrote an order authorizing Mpafe to serve notice of process on her husband by email, "Facebook, Myspace or any other social networking site." His order stated that while the court allowed service by publication in a legal newspaper, it was unlikely the respondent would see it. "The traditional way to get service by publication is antiquated and is prohibitively expensive," Judge Burke wrote. "Service is critical, and technology provides a cheaper and hopefully more effective way of finding respondent." It was something of a radical move. While courts in Australia, Canada, New Zealand and the United Kingdom embrace electronic legal notice, it's rare in the United States. Many state and federal statutes disallow electronic service of process, lawyers say. In federal cases, some attorneys cite Federal Rule of Civil Procedure 4(f)(3), which allows service only for foreign defendants "by other means not prohibited by international agreement, as the court orders."

NOTED PODCASTS

The Hacker's Aegis - Protecting Hackers From Lawyers (Berkman podcast, 18 July 2011, 68 minutes) - Research on software security vulnerabilities is a valuable example of peer production. However, hackers are often threatened with intellectual property lawsuits by companies who want to keep flaws secret. Oliver Day - a senior security researcher for Internet titan Akamai - and Derek Bambauer - a professor of internet law at Brooklyn Law School - propose a liability shield for security research to improve cybersecurity in a world dependent on cloud computing and mobile platforms. [Editor: thought-provoking discussion, including a strawman framework for publicizing bugs, and the liability implications for vendors who fail to fix them. Intriguing, half-formed discussion of what motivates vendors to sue bug-discoverers.]

LOOKING BACK - MIRLN TEN YEARS AGO

THE PHANTOM EDIT (Salon.com, 5 November 2001) -- "Star Wars: Episode 1 - The Phantom Menace" was widely panned by both critics and fans, but some fans did not take the film sitting down. Shortly after the film's release on video, a fan who calls himself the "Phantom Editor" re-cut the movie, making it shorter and crisper - and, yes, Jar Jar Binks is mostly cut out of the re-edit. Shortly thereafter, other fans created still other cuts of the movie using the very digital editing technology of which George Lucas is so enamored. An underground online trading network sprang up and flourished, and eventually people began to sell their re-edited versions - much to the alarm of Lucasfilm's copyright lawyers. Salon looks at this major shift in the artistic landscape, the first time movie fans have seized the power to re-imagine and possibly improve upon the work of the professionals. http://www.salon.com/ent/movies/feature/2001/11/05/phantom_edit/index.html

CHINESE WILL BE MOST-USED LANGUAGE ON WEB BY 2007 (Financial Times, 7 Dec 2001) -- Chinese will top English as the most-used language on the Web by 2007, according to forecasts by the World Intellectual Property Organization. Currently, a slim majority of the world's 460-million-plus Internet users are from English-speaking backgrounds, but by next year most Internet users will have a mother tongue other than English, and by 2003 a third of users will be communicating in another language online. The development will bring a proliferation of multilingual domain technical problems and disputes over the use of trademarks as domain names, says WIPO. http://news.ft.com/news/industries/internet&e-commerce

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.