MIRLN --- 6-26 May 2012 (v15.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)
- Harvard Releases Big Data for Books
- Incorporation by Reference in a Clickwrap Agreement
- Symantec: Malicious Cyber Attacks Increased by 81 Percent in 2011 and Data Breaches Up
- Major Cyber Attack Aimed at Natural Gas Pipeline Companies
- Perils of Social Media for Lawyers: Badgerland Style
- ACTA Unlikely to be Ratified in Europe, Says Kroes
- Hello From the Back of the Room
- Retired Justice's Online Game Teaches Civics
- Law School Plans to Offer Web Courses for Master's
- Cyber Briefings 'Scare The Bejeezus' Out Of CEOs
- BYOD Stirs Up Legal Problems
- Few Companies Fight Patriot Act Gag Orders, FBI Admits
- Unpacking Privacy's Price
- Protecting State Secrets as Intellectual Property: A Strategy for Prosecuting WikiLeaks
- Web-Based Dispute Resolution Systems Gain Traction ("ODR")
- Free Guide on Maintaining Privacy, Security of EHRS
- Reminder To Congress: Cops' Cellphone Tracking Can Be Even More Precise Than GPS
- Citizen Counter-Surveillance of the Police? There's an App For That
- Patent Protector or Pest?
- A More Refined French Cookie Recipe
- DOJ's Public Statements Provide a Road Map for Citizens to Sue in Cop Recording Cases
- Copyrighting Fashion
- FTC Taps Privacy Advocate Paul Ohm as Adviser
- Cyber Attacks: Insurers Seeking to Develop Risk Management Standards
- 'Clueless' Boards Risk Lawsuits, Threaten National Security
- Study: Patriot Act Doesn't Give Feds Special Access to Cloud Data
- IBM'S Siri Ban Highlights Companies' Privacy, Trade Secret Challenges
- Flashing Headlights to Warn Oncoming Drivers of a Speed Trap = Constitutionally Protected Speech
- CEOs Are Finally Warming Up to Social Media
- French Court Narrows the Scope of Workplace Privacy
Harvard Releases Big Data for Books (NYT, 24 April 2012) - Harvard is making public the information on more than 12 million books, videos, audio recordings, images, manuscripts, maps, and more things inside its 73 libraries. Harvard can't put the actual content of much of this material online, owing to intellectual property laws, but this so-called metadata of things like titles, publication or recording dates, book sizes or descriptions of what is in videos is also considered highly valuable. Frequently descriptors of things like audio recordings are more valuable for search engines than the material itself. Search engines frequently rely on metadata over content, particularly when it cannot easily be scanned and understood. Harvard is hoping other libraries allow access to the metadata on their volumes, which could be the start of a large and unique repository of intellectual information. "This is Big Data for books," said David Weinberger, co-director of Harvard's Library Lab. "There might be 100 different attributes for a single object." At a one-day test run with 15 hackers working with information on 600,000 items, he said, people created things like visual timelines of when ideas became broadly published, maps showing locations of different items, and a "virtual stack" of related volumes garnered from various locations. Harvard plans also to eventually include circulation data on the items as well, said Stuart Shieber, director of Harvard's Office for Scholarly Communication, who oversaw the project. "We have to be careful how we do that, to avoid releasing any personal information."
Incorporation by Reference in a Clickwrap Agreement (SIPR, 1 May 2012) - How explicit does a click-wrap agreement have to be concerning updates and revisions that may later be incorporated into the agreement? In Noll v. eBay, Inc., No. 5:11-CV-04585 (N.D. Cal., April 23, 2012), the court denied eBay's motion to dismiss a breach of contract claim in a class-action complaint based on eBay's revisions to a "Fee Schedule" which was accessible via hyperlinks included in eBay's User Agreement.
Symantec: Malicious Cyber Attacks Increased by 81 Percent in 2011 and Data Breaches Up (Privacy & Security Matters, 2 May 2012) - Symantec has released its annual Internet Security Threat Report, and the numbers are astounding. According to the report, malicious attacks on networks skyrocketed by 81 percent in 2011. The report also highlights that advanced persistent threats, known as APT attacks, are spreading to organizations of all sizes, with the number of daily APT attacks increasing from 77 per day to 82 per day by the end of 2011. Such attacks are no longer limited to large organizations, as demonstrated by the data in the report. According to Symantec, more than 50 percent of such attacks target companies with fewer than 250 employees. It is possible that smaller organizations are now being targeted because they are somehow related to larger companies, through supply chain or other relationships - and they are less well-defended. The 2011 Report also includes information regarding data breaches. According to Symantec, approximately 1.1 million identities were stolen per data breach on average in 2011, and hacking incidents exposed 187 million identities in 2011 - the largest number for any type of data breach in 2011. Now here comes the "kicker"... the most frequent cause of data breaches was theft or loss of unencrypted data on a computer or other medium on which data is stored or transmitted, such as a smartphone, USB drive, or a backup device. These theft or loss related breaches exposed 18.5 million identities.
Major Cyber Attack Aimed at Natural Gas Pipeline Companies (CSM, 5 May 2012) - A major cyber attack is currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security. At least three confidential "amber" alerts - the second most sensitive next to "red" - were issued by DHS beginning March 29, all warning of a "gas pipeline sector cyber intrusion campaign" against multiple pipeline companies. But the wave of cyber attacks, which apparently began four months ago - and may also affect Canadian natural gas pipeline companies - is continuing. "ICS-CERT has recently identified an active series of cyber intrusions targeting natural gas pipeline sector companies," the confidential April 13 alert warns. "Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign. The campaign appears to have started in late December 2011 and is active today." In Friday's public warning, ICS-CERT reaffirms that its "analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source." It goes on to broadly describe a sophisticated "spear-phishing" campaign - an approach in which cyber attackers attempt to establish digital beachheads within corporate networks. Yet there are several intriguing and unusual aspects of the attacks and the US response to them not described in Friday's public notice. One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.
Perils of Social Media for Lawyers: Badgerland Style (Kevin O'Keefe, 8 May 2012) - The drumbeat on the perils of social media continues. This time from my home state of Wisconsin. Thomas Watson, Senior Vice President at Wisconsin Lawyers Mutual Insurance Company, writes in Wisconsin Lawyer Magazine "…[Social media's] use presents many dangers to lawyers trying to operate competent and ethical practices." Watson threw a few bones out on the benefits of social media in two paragraphs, including that it's an inexpensive way to market and provides an opportunity to demonstrate to tech-savvy clients that an attorney has competency in their area of expertise and commerce. (I've always considered the fastest growing segment of Americans on Facebook, those over 55, as the tech-savvy folks.) Watson then goes on in 20 paragraphs to scare unknowing lawyers from using social media and to provide lawyers looking to keep the status quo with all the ammo they'll need to kill a firm initiative focused on using the Internet to build relationships and enhance one's reputation. I don't know whether Watson uses Twitter, Facebook, or a blog to build and nurture relationships or enhance his reputation as a thought leader on malpractice insurance statewide or nationwide. He may not fully appreciate how social media works nor the benefits it brings to the public and lawyers. I understand that he is just doing his job as a legal malpractice carrier and that he is citing other authorities for much of what he writes. But my gut tells me articles like this on the perils of social media do far more harm than good to lawyers and the public we serve.
ACTA Unlikely to be Ratified in Europe, Says Kroes (The Guardian, 8 May 2012) - The Acta treaty that has been the subject of street protests around Europe is unlikely to be ratified by the European Union, according to Neelie Kroes, the powerful European commissioner for telecoms and technology. Speaking on Friday, Kroes said that "we are now likely to be in a world without Sopa" - the US's proposed Stop Online Piracy Act - "and Acta." Acta, the Anti-Counterfeiting Trade Agreement, has been signed by 22 of the EU's 27 countries, as well as the US and Japan. But even in some of the countries that have signed it, parliaments have declined to ratify it due to public pressure. Ryan Heath, a spokesman for Kroes's office, said the European commission has not changed its position on the usefulness of Acta, and was continuing to work toward its ultimate ratification, but added that Kroes was "observing political reality". Kroes's comments come weeks before the commission, the EU executive, is due to make public new rules to ensure that musicians and film-makers get paid, and while it is trying to overhaul the bloc's copyright regime to cater for the internet era. Critics say the commission is holding back planned reviews of the EU's own rules because officials are worried it will come up against the same kind of resistance as Sopa and Acta.
Hello From the Back of the Room (Inside Higher Ed, 9 May 2012) - Where do you situate yourself for lectures, keynotes, and conference talks? Increasingly, I'm finding myself hanging out at the back of the room. I'm the guy you see standing against the wall. Not fully in, not totally out. Our crowd of back-wallers seems to be growing. Recently I was at a really great talk. Lots of free seats in the auditorium, and a crowd of us lurking on the back wall. I've been thinking about what is pulling me and others like me to the back of the room, and what is being lost in this transition * * * [Editor: this strongly resonated with me, both as a speaker and listener.]
Retired Justice's Online Game Teaches Civics (Gov't Technology, 9 May 2012) - When are my property taxes due? How do I find out about childhood vaccination programs? Who is responsible for protecting the water supply? Where do citizens go to get answers to these questions? Nonprofit civic education group iCivics, led by former Supreme Court Justice Sandra Day O'Connor, partnered with the National Association of Counties (NACo) to develop a free, online game called Counties Work to help increase knowledge of the functions of county government. According to The Hill's Technology Blog, Counties Work will be awarded the 2012 Gold Circle Award for Innovative Communications Award by the American Society of Association Executives on May 24. Targeted toward junior high and high school age students, Counties Work was first launched in summer 2011. Creators claim that iCivics is the first online interactive game with a county government focus. Players answer citizen questions, accept or reject suggestions, make infrastructure decisions, consider tax rates, build capital projects and manage emergencies.
Law School Plans to Offer Web Courses for Master's (NYT, 9 May 2012) - The law school of Washington University announced Tuesday that it would offer, entirely online, a master's degree in United States law intended for lawyers practicing overseas, in partnership with 2tor, an education technology company. Legal education has been slow to move to online classes, and the new master's program is perhaps the earliest partnership between a top-tier law school and a commercial enterprise. "We don't know where the students are going to come from exactly, but we believe there is demand abroad for an online program with the same quality that we deliver in St. Louis, accessible to people who can't uproot their lives to come to the United States," said Kent D. Syverud, the dean of the law school, which currently offers students on campus a Master of Law degree, or LL.M., in United States law for foreign lawyers. Graduates of the new program, which will include live discussions via webcam and self-paced online materials, would probably be eligible to take the California bar exam. Washington University will share the revenues from the $48,000 program - the same tuition paid by students at the St. Louis campus - with 2tor, which will provide marketing, the Web platform and technical support, including a staff member to monitor each live class and deal with any technical problems that arise. 2tor, a four-year-old company based in Maryland, has partnerships in place with the University of Southern California, Georgetown and the University of North Carolina for online graduate degree programs in education, business, public administration and nursing. Largely because of American Bar Association rules, however - under which approved law schools may not count more than 12 credits of distance education toward a Juris Doctor degree - legal education has been slow to shift to online classes. Students who earn a J.D. from a bar association-approved law school are automatically eligible to take the bar exam nationwide. But beyond that, each state sets its rules on who can take the bar exam. California, for example, is the only state that allows graduates of Concord Law School - which is not approved by the bar association, but offers a fully online Juris Doctor - to take its bar exam.
Cyber Briefings 'Scare The Bejeezus' Out Of CEOs (NPR, 9 May 2012) - For the CEOs of companies such as Dell and Hewlett-Packard, talk of cyberweapons and cyberwar could have been abstract. But at a classified security briefing in spring 2010, it suddenly became quite real. "We can turn your computer into a brick," U.S. officials told the startled executives, according to a participant in the meeting. The warning came during a discussion of emerging cyberthreats at a secret session hosted by the office of the Director of National Intelligence and the departments of Defense and Homeland Security, along with Gen. Keith Alexander, head of the U.S. military's Cyber Command. The meeting was part of a public-private partnership dubbed the "Enduring Security Framework" that was launched at the end of 2008. The initiative brings chief executives from top technology and defense companies to Washington, D.C., two or three times a year for classified briefings. The purpose is to share information about the latest developments in cyberwarfare capabilities, highlighting the cyberweapons that could be used against the executives' own companies. "We scare the bejeezus out of them," says one U.S. government participant. The hope is that the executives, who are given a special one-day, top-secret security clearance, will go back to their companies and order steps to deal with the vulnerabilities that have been pointed out. "I personally know of one CEO for whom it was a life-changing experience," says Richard Bejtlich, chief security officer for Mandiant, a cybersecurity firm. "Gen. Alexander sat him down and told him what was going on. This particular CEO, in my opinion, should have known [about the cyberthreats] but did not, and now it has colored everything about the way he thinks about this problem." Among the computer attack tools discussed during the briefings are some of the cyberweapons developed by the National Security Agency and the Cyber Command for use against U.S. adversaries. Military and intelligence officials are normally loath to discuss U.S. offensive cybercapabilities, but the CEOs have been cleared for some information out of a concern that they need to know what's possible in the fast-evolving world of cyberwarfare.
BYOD Stirs Up Legal Problems (Network World, 10 May 2012) - Let's say you need to pull some corporate data off an employee's personal iPad. Under the newly and hastily crafted bring-your-own-device policy, or BYOD, the employee is required to hand over the iPad to the IT computer forensics team. (A sampling of BYOD user policies) The team finds child pornography on the iPad in areas unrelated to the job. Did the team have permission to conduct e-discovery on personal data? Is the team obligated to call law enforcement? Would the finding be admissible in court? Were the employee's privacy rights violated? Was the BYOD policy thorough enough to cover such scenarios? Welcome to the foggy world of BYOD, where the blending of personal and work lives on a single device opens up a host of problems. CIOs often fret about security and management, but BYOD can land a company in murky legal water, too. "It's a slippery slope," says Ben Tomhave, principal consultant at tech consultancy LockPath. While he isn't a lawyer, Tomhave is co-vice chairman and incoming co-chairman of the American Bar Association's SciTech Information Security Committee and regularly blogs about risk management issues. If CIOs think they can get off this slippery slope by blocking BYOD at the front door, think again. Juniper Networks just released results of a survey of more than 4,000 mobile-device users and IT professionals. This IT-gets-burned stat stood out: Many employees circumvent their employers' official mobile-device policies, with 41 percent of all respondents who use their personal devices for work doing so without permission from the company, the report states.
Few Companies Fight Patriot Act Gag Orders, FBI Admits (Wired, 10 May 2012) - Since the Patriot Act broadly expanded the power of the government to issue National Security Letters demanding customer records, more than 200,000 have been issued to U.S. companies by the FBI. But the perpetual gag orders that accompany them are rarely challenged by the ISPs and other recipients served with such letters. Just how rare these challenges are became more evident following the recent release of a 2010 letter from the Justice Department to a federal lawmaker. In December 2010 in a letter (.pdf) from Attorney General Eric Holder to Senator Patrick Leahy (D-Vermont), the FBI asserted that in February 2009 it began telling recipients they had a right to challenge the built-in gag order that prevents them from disclosing to anyone, including customers, that the government is seeking customer records. That policy was mandated by a 2008 appellate court decision, which found that the never-ending, hard-to-challenge gag order was unconstitutional. Holder noted, however, that in the year and 10 months since the FBI started notifying recipients of this right, only a small handful had asserted that right. "Thus far, there have been only four challenges to the non-disclosure requirement," Holder wrote, "and in two of the challenges, the FBI permitted the recipient to disclose the fact that an NSL was received." Since Holder wrote the letter, the number of gag order challenges has risen to at least five. In March, Threat Level reported that an unnamed company had challenged a National Security Letter it had received earlier this year. The latest challenge occurred sometime around the end of January, when an unknown provider of communication services in the United States - possibly a phone company, or perhaps even Twitter - got a letter from the FBI demanding it turn over information on one, or possibly even hundreds, of its customers. [Editor: Hooray for Twitter.]
Unpacking Privacy's Price (by Chris Hoofnagle and Jan Whittington; SSRN; 14 May 2012) - Abstract: "This article introduces a transaction cost economic framework for interpreting the roles consumers play in social networking services ("SNSs"). It explains why the exchange between consumers and SNSs is not simple and discrete, but rather a continuous transaction with atypical attributes. These exchanges are difficult for consumers to understand and come with costs that are significant and unanticipated. Under current structures of governance, there is no exit for consumers who wish to leave an SNS. In other contexts, similar transactions are bounded by tailored consumer protections. This article explains the need for tailored consumer protection in the SNS context. Specifically, we argue that a consumer right to rescind enrollment in an SNS, triggering a deletion of and ability to export information shared with the service, is appropriate given the skewed aspects of personal information transactions."
Protecting State Secrets as Intellectual Property: A Strategy for Prosecuting WikiLeaks (Stanford J of Int'l Law, 15 May 2012; by James Freedman) - Criminal statutes generally deployed against those who leak classified government documents - such as the Espionage Act of 1917 - are ill-equipped to go after third-party international distribution organizations like WikiLeaks. One potential tool that could be used to prosecute WikiLeaks is copyright law. The use of copyright law in this context is rarely mentioned, and when it is, the approach is largely derided by experts, who decry it as contrary to the purposes of copyright. Using copyright to protect state secrets, however, particularly if done through suit in a foreign court, escapes a number of the impediments to a WikiLeaks prosecution, such as the limited scope of narrowly tailored U.S. criminal statutes or the need to apply U.S. law extraterritorially and extradite defendants. Admittedly, using copyright law for these purposes presents its own set of problems, perhaps most intractable under U.S. law, but still significant in the case of suits brought in a foreign court under foreign law. This Note will explore these difficulties, such as the government works issue, potential fair use or fair dealing defenses, as well as various non-legal obstacles to success, eventually reaching the conclusion that prosecuting WikiLeaks internationally for copyright violations is potentially more viable than any of the methods of criminal prosecution heretofore explored publicly by government attorneys and legal scholars.
Web-Based Dispute Resolution Systems Gain Traction ("ODR") (Christy Burke, 15 May 2012) - Courtroom showdowns make for great movie scenes, but To Kill a Mockingbird's Atticus Finch would be shocked to hear that the courts are only resolving a fraction of today's legal disputes. A growing number of cases are being resolved by online tools, and sometimes lawyers and judges are not even involved. Impartial web-based systems apply computation, algorithms and cryptographic technology to bring about resolution quickly and inexpensively. A growing stable of private sector companies are beginning to compete with the judicial system for "customers" and are also changing the face of traditional Alternate Dispute Resolution or ADR, which has typically included mediation, arbitration and other alternatives to the courts. Not only are approaches to justice and negotiation changing, but some of these new systems like those provided by Fair Outcomes, are actually prompting lawyers and their customers to be more honest about the value of a case and their realistic objectives from the outset, providing disincentives to lie, bully and posture. Utopian though it may sound, this is actually becoming a reality. Atticus would be happy to hear that, at least! A potential paradigm shift is in the making here, but what is motivating parties to look outside traditional courts, mediation and arbitration and flock to the web for resolving their disputes? In short, overburdened courts, lean economic times, cost, and convenience all figure into the mix.
Free Guide on Maintaining Privacy, Security of EHRS (AAFP, 16 May 2012) - The Office of the National Coordinator (ONC) for Health Information Technology has released a new resource to help physicians incorporate mandatory privacy and security safeguards into their electronic health record (EHR) systems. The free manual, titled Guide to Privacy and Security of Health Information (47-page PDF), reiterates the importance of guarding the privacy and security of patient information stored and transmitted electronically. The ONC guide offers physicians a variety of tools, including a security risk analysis of a practice's EHR, tips on successful partnering with EHR vendors, and a 10-step privacy and security plan.
Reminder To Congress: Cops' Cellphone Tracking Can Be Even More Precise Than GPS (Forbes, 17 May 2012) - In the wake of a historic Supreme Court ruling that police can't use GPS devices planted on a car to track suspects without a warrant, Congress is reconsidering the question of what kinds of location tracking constitute an invasion of privacy. And one privacy and computer security professor wants to remind them that the gadget we all carry in our pockets can track us more precisely than any device merely attached to our car - even without the use of GPS. On Thursday the House Judiciary Committee held a hearing to discuss a proposed bill to limit location tracking of electronic devices without a warrant, what it's calling the Geolocational Privacy and Surveillance Act, or the GPS Act. And ahead of that hearing, University of Pennsylvania professor Matt Blaze submitted written testimony (PDF here) that points out that phone carriers, as well as the law enforcement agencies that they share data with, can now use phones' proximity to cell towers and other sources of cellular data to track their location as precisely or even more precisely than they can with global positioning satellites. Thanks to the growing density of cell towers and the proliferation of devices like picocells and femtocells that transmit cell signals indoors, even GPS-less phones can be tracked with a high degree of precision and can offer data that GPS can't, like the location of someone inside a building or what floor they're on.
Citizen Counter-Surveillance of the Police? There's an App For That (CMLP, 17 May 2012) - Despite the welcome 7th Circuit decision in ACLU v. Alvarez on May 8 that directed a federal district court to enjoin the application of the Illinois eavesdropping statute to an ACLU police accountability program, citizens around the country remain vulnerable to arrest and harassment for recording audio and video of police in public spaces. Cases like Glik v. Cunniffe and Alvarez indicate that the tides are changing in favor of First Amendment protections of police oversight and, in Illinois, at least two county court judges have also found the Illinois eavesdropping statute unconstitutional. Some, like the ACLU, have launched initiatives to publicly record audio and video of police conduct, and the Alvarez case was pursued by the ACLU specifically to allow ACLU staff to legally record police without fear of reprisal under the eavesdropping statute. Along these lines, many individuals have been using a suite of cell phone apps developed by open government activist Rich Jones to record audio and video of encounters with law enforcement officers. Jones launched the OpenWatch.net project in January 2011, which now boasts three smartphone apps designed to secretly record citizen encounters with police officers. Jones has also produced a version of his software for the ACLU of New Jersey to support their police accountability programs. In a recent interview with Jones, he told me that he launched the project to supply technology "to provide documentary evidence of uses and abuses of power… [as] part of a new wave of document-based journalism." "If we're going to lose all of our privacy," Jones says, "then we're damn well going to get some transparency."
In practice, after downloading the OpenWatch or CopRecorder app to a cell phone, a user just needs to open the app and press a button to record audio (in the case of CopRecorder) or both audio and video (in the case of OpenWatch) through the camera and microphone built into their phone. After hitting "record," the app disappears from view to hide the fact that the user is recording. And when the user reopens the app to end the recording, they are asked whether they would like to upload the recording to OpenWatch's public database.
Patent Protector or Pest? (Inside Higher Ed, 17 May 2012) - The question was simple enough: Has the University of South Florida ever had a business relationship with Intellectual Ventures, a leading collector of patents and a partner of many colleges? That inquiry began a 12-day saga -- which ended in a curt no-comment and a reference to an obscure provision of Florida open-records law -- that underscores the hesitancy of most anyone within higher education to talk about Intellectual Ventures. Two top officers at the tech transfer professional association, the Association of University Technology Managers, declined to comment. They weren't alone. Officials at seven of the nine universities (among them three Ivies) that were revealed in a court filing to be investors in Intellectual Ventures also wouldn't talk. Most colleges that license their patents to Intellectual Ventures choose to remain anonymous, and often cite open-records exemptions if anyone asks about their affiliation. In contrast, other universities (including two in Florida) had no problem disavowing any connection to the company. Intellectual Ventures says it works with scores of colleges worldwide and touts itself as a champion of university-employed inventors whose patents might never be commercialized otherwise. Faculty members at the California Institute of Technology and the University of British Columbia are among those who have worked with Intellectual Ventures, but those universities are the exception in choosing to reveal their relationships. Australia's Edith Cowan University and the Indian Institute of Technology, Bombay have also disclosed their partnerships with IV. Since its beginnings about a decade ago, Intellectual Ventures has grown to be one of the largest holders of patents in the U.S. and abroad. And while many within higher education think highly of the company, others have a less rosy impression. 
Intellectual Ventures takes advantage of patent laws and squelches innovation by threatening lawsuits, critics say, and universities betray their values when they work with the company.
A More Refined French Cookie Recipe (Steptoe, 17 May 2012) - The French data protection authority last month released a revised version of its guidance on cookies. The newest guidance from the Commission Nationale de l'Informatique et des Libertés (CNIL) offers additional advice on acceptable means for website operators to obtain user consent for the use of cookies. It also adds analytic cookies (i.e., those cookies used primarily to measure website traffic) to the list of cookies exempt from the prior consent requirement, citing the "very limited risk" their use poses to user privacy. Nevertheless, the CNIL has set certain conditions that must be met by website operators in order to be considered eligible for this exception.
DOJ's Public Statements Provide a Road Map for Citizens to Sue in Cop Recording Cases (CMLP, 21 May 2012) - In May 2010, Christopher Sharp used his cell phone to record video of his friend being arrested by the Baltimore Police at the Preakness Stakes. The police demanded that Sharp surrender his phone, stating that the contents might be evidence; when the phone was returned, Sharp discovered that the video he had made, plus a number of other unrelated videos, had been deleted. The ACLU (a leading voice on the First Amendment right to record in public, as reflected in its efforts in Glik v. Cunniffe and ACLU v. Alvarez) helped Sharp file suit against the Baltimore PD for violation of his First Amendment rights in Sharp v. Baltimore City Police Department, a civil rights action filed in the U.S. District Court for the District of Maryland. In January 2012, the Department of Justice got involved in the case. Contrary to what might be expected, the DOJ was not supporting the police department - instead, it filed a "Statement of Interest" in support of Sharp's position in the case. The Statement of Interest reads like an amicus curiae brief (compare the CMLP's brief in Glik and the Reporters Committee for Freedom of the Press's brief in Alvarez); it contains strong arguments that there is a First Amendment right to record the police, that Baltimore police officers violated Sharp's First, Fourth, and Fourteenth Amendment rights when they deleted his footage, and that the Baltimore PD's attempt to prevent future violations of citizens' rights through revised policies and training protocols was insufficient. Then, on May 14, 2012, the DOJ took further action in the Sharp case, this time sending an open letter (available publicly on the DOJ's website) to the parties in advance of a settlement conference scheduled by the court.
The DOJ served the letter on counsel for the parties, taking the position that if Sharp and the Baltimore PD were to settle the case, any settlement should require that the police department adopt "policy and training requirements that are consistent with important First, Fourth and Fourteenth Amendment rights at stake when individuals record police officers in the public discharge of their duties."
Copyrighting Fashion (Samson Vermont of U. Miami law school; 21 May 2012) - Samson Vermont, University of Miami School of Law, has published The Dubious Legal Rationale for Denying Copyright to Fashion. Here is the abstract: "This essay clarifies the useful article doctrine and argues that it does not, as clarified, bar copyright for fanciful clothing. Clarification is necessary because the drafters of the 1976 Act botched their attempt to codify the doctrine. As written, the Act denies copyright to a useful article unless its aesthetic features are separable from its utilitarian function. Separability, however, is irrelevant. What matters is whether the article has unconstrained features. The features of many fanciful garments are unconstrained enough for copyright. Indeed, they are more unconstrained than the features of other useful articles that courts already protect."
FTC Taps Privacy Advocate Paul Ohm as Adviser (Computerworld, 21 May 2012) - The U.S. Federal Trade Commission has hired Paul Ohm, a privacy advocate and critic of current online privacy practices, as a senior privacy adviser for consumer protection and competition issues affecting the Internet and mobile services. Ohm, a University of Colorado Law School professor, will take a leave of absence from the school to serve in the FTC's Office of Policy Planning. The office focuses on long-range competition and consumer-protection policy efforts, and it advises FTC staff on cases raising complex policy and legal issues. [Editor: Ohm is talented, and the leading authority on de-anonymization.]
Cyber Attacks: Insurers Seeking to Develop Risk Management Standards (Cameron McKenna, 22 May 2012) - In a recent FT article, Janet Williams, the lead on cybercrime initiatives for the Association of Chief Police Officers, commented that insurers should agree only to provide cover against cyber attacks to companies that meet a minimum cyber defence Kitemark standard. Insurers have responded to the notion of establishing minimum security standards to prevent cyber attacks through the launch of The Cyber Insurance Working Group. The Group comprises technology insurers including Liberty, Zurich and CNA Europe, plus specialist technology insurance broker Oval. Other insurers selling cover for cyber attacks and security/data breaches could be keen to participate. The Group plans regular meetings to develop a framework of recommended information security practices and procedures, including adequate business continuity plans and corporate information security policies. The aim is that insurers providing security cover will be able to demand a specific structured demonstration of commitment from their insureds and ultimately avoid the costly fall out from claims, particularly in circumstances where there is little scope for insurers to make any significant recoveries in the event of a loss. Cyber attacks involving a complex web of data/security breaches and multiple individuals can be difficult to prosecute through the criminal courts and whilst companies and insurers may want to pursue civil cases against cyber offenders, it remains to be seen whether these actions would suffer from the same obstacles. [Editor: makes sense; this is how building codes emerged in the US.]
'Clueless' Boards Risk Lawsuits, Threaten National Security (Network World, 23 May 2012) - For far too many boards of directors and senior management of critical infrastructure industry sectors, cybersecurity and privacy are less than afterthoughts. They are barely even thoughts. That's a key finding of "Governance of Enterprise Security: CyLab 2012 Report," (View PDF) a global survey of industries by Carnegie Mellon CyLab and its sponsor, RSA, The Security Division of EMC. Jody Westby, CEO of Global Cyber Risk and the author of the report, wrote in Forbes last week that boards of directors are essentially "clueless" about cybersecurity, saying 75% of the survey respondents were from critical infrastructure industry sectors -- "primarily the financial, energy/utilities, IT/telcom and industrial." "According to the survey results, 71% of their boards rarely or never review privacy and security budgets; 79% rarely or never review roles and responsibilities; 64% rarely or never review top-level policies and; 57% rarely or never review security program assessments." Beyond this, Westby says 79% of boards in the energy/utilities sector were not conducting cyber insurance reviews. "What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity."
Study: Patriot Act Doesn't Give Feds Special Access to Cloud Data (Computerworld, 23 May 2012) - An often-repeated concern that the U.S. Patriot Act gives the U.S. government unequaled access to personal data stored on cloud services is incorrect, with several other nations enjoying similar access to cloud data, according to a study released Wednesday. The governments of several other countries, including the U.K., Germany, France, Japan and Canada, have laws in place allowing them to obtain personal data stored on cloud computing services, said the study, by Hogan Lovells, an international law firm that focuses on government regulations and other topics. The Patriot Act, passed as an anti-terrorism measure in 2001, is "invoked as a kind shorthand to express the belief that the United States government has greater powers of access to personal data in the cloud than governments elsewhere," wrote study co-authors Christopher Wolf, based in Washington, D.C., and Winston Maxwell, based in Paris. "However, our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to cloud data." Since late 2011, some European cloud providers have promoted their services as so-called safe havens from the U.S. Patriot Act. In September 2011, Ivo Opstelten, the Dutch minister of safety and justice, said that U.S. cloud providers could be excluded from Dutch government because of the Patriot Act. Opstelten later softened his stance. But the Hogan Lovells study, released by think tank the Openforum Academy Wednesday, said there are "misconceptions" about the Patriot Act and other countries' laws allowing access to cloud data.
IBM's Siri Ban Highlights Companies' Privacy, Trade Secret Challenges (ArsTechnica, 23 May 2012) - Apple's digital "assistant" Siri isn't welcome at IBM; neither are Apple's voice dictation features in the iPhone and iPad. IBM CIO Jeanette Horan revealed in an interview with Technology Review that the company turns off Siri on employees' iPhones for fear that the service stores employees' queries somewhere outside of IBM's control. The move highlights some of the problems large enterprises face when employees begin using their own devices at work. The revelation is making waves among the Apple blogosphere, but the company's policy isn't actually all that surprising. Siri - and Apple's voice dictation features - send voice commands through the Internet to Apple's servers for processing before returning a text result. Apple doesn't make it clear whether it stores that data, for how long, or who has access to it. (As noted by our friends at Wired, this behavior from Siri is what caused the ACLU to post a warning about the technology in March of this year.) IBM most likely wants to protect its trade secrets, which is why it wouldn't want any sort of spoken data from employees being stored on Apple's servers. What is surprising? It appears that not many companies have joined IBM in forbidding the use of Siri for security purposes. I asked on Twitter whether anyone else's companies have a similar policy, and received extremely few responses saying yes. The only people - so far - who have acknowledged any kind of Siri policy were government workers and some school employees. Most said their employers had not yet added Siri to their list of forbidden technologies. Some responses did point out that their employers blocked the use of Google's services for the same reasons (storing data on Google's servers), implying that corporations are still catching up on what kind of risks Siri and voice dictation services might present.
Flashing Headlights to Warn Oncoming Drivers of a Speed Trap = Constitutionally Protected Speech (Volokh Conspiracy, 24 May 2012) - So held a Florida trial court judge, and he wasn't the first - I think I've seen this in a few cases, but the one for which I have a citation is State v. Walker, No. I-9507-03625 (Williamson Cty. (Tenn.) Cir. Ct. Nov. 13, 2003). Whether this is the right answer is not clear. It's a special case of warnings to hide one's illegal conduct because the police are coming - though here done by a stranger rather than by a lookout who's in league with the criminals - and that in turn is a special case of what I call Crime-Facilitating Speech (see 57 Stan. L. Rev. 1095 (2005)), which is to say speech that conveys information that makes it easier for people to commit crimes or to get away with crimes. The Supreme Court has never squarely confronted this question. When I've blogged about this in the past, some people have argued that flashing headlights should be protected because it's encouraging legal behavior (slowing down) rather than illegal behavior, but I don't think that can dispose of the issue: Many lookouts do the same, e.g., when a lookout warns would-be robbers to abandon their plans because a police car is driving by.
CEOs Are Finally Warming Up to Social Media (Mashable, 24 May 2012) - CEOs are finally embracing social media's role in engaging business and customers, according to a recent IBM Global CEO Study. For businesses, social media is currently the least-utilized method for connecting with their audiences. The hierarchy of connecting is as follows: face-to-face interactions, websites, channel partners, call centers, traditional media, advisory groups, and then, finally, social media. However, social media is expected to jump to the number two spot within three to five years - and traditional media will plummet to the bottom of the list - according to IBM's report of their findings. Out of the 1,709 CEOs interviewed for the study - hailing from 64 countries and 18 industries - only 16% currently participate in social media. However, that percentage is expected to grow to 57% within the next five years, according to the IBM analysis. As Mashable previously reported, these numbers coincide with the "conservative optimism" regarding social media engagement for businesses. More than half of business owners (64%) believe in social media as a useful tactic for marketing - they just aren't willing to jump into it full-force yet.
French Court Narrows the Scope of Workplace Privacy (Steptoe, 24 May 2012) - The Bordeaux Court of Appeals in France has ruled, in Pierre B. v. Epsilon Composite, that a company was justified in reviewing emails sent by an employee using a workplace computer, since the employee had not identified the messages as personal. The employer was also justified in firing the employee when it discovered that he had emailed confidential work files from his work email to his personal email account, in violation of company rules and a confidentiality agreement he had signed. As we previously reported, the Cassation Court's 2001 decision in Nikon France SA v. Frédéric O. established that employees have a right to privacy in personal messages transmitted using a workplace computer, even where an employer has banned non-business use of the computer. But, since then, French courts have refined the Nikon decision in ways that narrow employees' privacy rights in the workplace in favor of employers. This decision continues that trend.
BOOKS
A Practical Guide to Software Licensing for Licensees and Licensors (4th Edition, by Ward Classen; review by Michael Yang) - "The latest edition of H. Ward Classen's A Practical Guide to Software Licensing for Licensees and Licensors (Model forms and annotations included in print and on CD-Rom, Chicago: American Bar Association, 4th ed. 2011 $129.95, pp. 987, ISBN: 978-1-61632-813-9) is a practical reference manual that combines the most useful aspects of treatise, textbook and form book. The fourth edition has been updated with some of the latest developments in software licensing, including sections on UCITA "bomb shelter" legislation, cloud computing and software as a service (SaaS) models, and privacy issues under HIPAA and HITECH. Going beyond a mere discussion of licensing matters, the book provides guidance on areas that have significant influence on the licensing process, including topics such as the negotiation process, intellectual property law, export issues, bankruptcy issues, and the use of additional documents related to the license agreement, such as master agreements, service level agreements, confidentiality agreements, and escrow agreements. Most practitioners when looking for reference books on software licensing are likely to be seeking sample contract language and form contracts, and this book does not disappoint in that regard. At nearly 1,000 pages in length, the book is split nearly 50/50 between substantive chapters and model forms. Those using A Practical Guide solely as a form book will find that it is more than sufficient in providing sample language for most software licensing circumstances a practitioner might face (made particularly handy by the included CD containing a slew of model forms), but it is much more than just a form book."
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
CYBERATTACK COULD RESULT IN MILITARY RESPONSE (USA Today, 14 Feb. 2002) -- The United States might retaliate militarily if foreign countries or terrorist groups abroad try to strike this country through the Internet, the White House technology adviser said. "We reserve the right to respond in any way appropriate: through covert action, through military action, any one of the tools available to the president," Richard Clarke said at a Senate Judiciary subcommittee hearing on cyberterrorism. Clarke said Iran, Iraq, North Korea, China, Russia and other countries already are having people trained in Internet warfare. Clarke refused to say what level of cyberattack might lead to a military response from the United States. "That's the kind of ambiguity that we like to keep intentionally to create some deterrence," he told reporters. So far, the United States has not caught any foreign governments or terrorist group using Internet warfare, although that does not mean it has not been attempted, Clarke said. "We cannot point to a specific foreign government having done a specific unauthorized intrusion into a U.S. government network," Clarke said. "There are lots of cases where there has been unauthorized intrusions but we have never been able to prove to our particular satisfaction that a particular government did it." But, he added, "if I was a betting man, I'd bet that many of our key infrastructure systems already have been penetrated." http://www.usatoday.com/life/cyber/tech/2002/02/14/cyberterrorism.htm
ARTIFICIAL INTELLIGENCE SYSTEM ACTS AS JOURNALIST (Online Journalism Review, 5 Feb. 2002) -- Columbia University has developed experimental software called the Columbia Newsblaster that can read a variety of news articles on a topic and then write a lead and summary of the most important information. Newsblaster uses natural language processing and artificial intelligence to interpret and rank the importance of facts contained in news material. A prototype currently digests news from 13 sources including Yahoo, ABCNews, CNN, Reuters, Los Angeles Times, CBS News, Canadian Broadcasting Corporation, Virtual New York, Washington Post, Wired, and USA Today. While Newsblaster is intended as an aid to both average news consumers and journalists who have to deal with an increasing flood of information sources, Dan Dubno, producer and technologist for CBS News, is worried that such technology could dull the "editorial edge" a reporter or editor brings to covering a story. http://ojr.usc.edu/content/story.cfm?request=690
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, sans@sans.org
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.