Saturday, May 26, 2012

MIRLN --- 6-26 May 2012 (v15.07)

MIRLN --- 6-26 May 2012 (v15.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

Harvard Releases Big Data for Books (NYT, 24 April 2012) - Harvard is making public the information on more than 12 million books, videos, audio recordings, images, manuscripts, maps, and more things inside its 73 libraries. Harvard can't put the actual content of much of this material online, owing to intellectual property laws, but this so-called metadata of things like titles, publication or recording dates, book sizes or descriptions of what is in videos is also considered highly valuable. Frequently descriptors of things like audio recordings are more valuable for search engines than the material itself. Search engines frequently rely on metadata over content, particularly when it cannot easily be scanned and understood. Harvard is hoping other libraries allow access to the metadata on their volumes, which could be the start of a large and unique repository of intellectual information. "This is Big Data for books," said David Weinberger, co-director of Harvard's Library Lab. "There might be 100 different attributes for a single object." At a one-day test run with 15 hackers working with information on 600,000 items, he said, people created things like visual timelines of when ideas became broadly published, maps showing locations of different items, and a "virtual stack" of related volumes garnered from various locations. Harvard plans also to eventually include circulation data on the items as well, said Stuart Shieber, director of Harvard's Office for Scholarly Communication, who oversaw the project. "We have to be careful how we do that, to avoid releasing any personal information."

Incorporation by Reference in a Clickwrap Agreement (SIPR, 1 May 2012) - How explicit does a click-wrap agreement have to be concerning updates and revisions that may later be incorporated into the agreement? In Noll v. eBay, Inc., No. 5:11-CV-04585 (N.D. Cal., April 23, 2012), the court denied eBay's motion to dismiss a breach of contract claim in a class-action complaint based on eBay's revisions to a "Fee Schedule" which was accessible via hyperlinks included in eBay's User Agreement.

Symantec: Malicious Cyber Attacks Increased by 81 Percent in 2011 and Data Breaches Up (Privacy & Security Matters, 2 May 2012) - Symantec has released its annual Internet Security Threat Report, and the numbers are astounding. According to the report, malicious attacks on networks skyrocketed by 81 percent in 2011. The report also highlights that advanced persistent threats, known as APT attacks, are spreading to organizations of all sizes, with the number of daily APT attacks increasing from 77 per day to 82 per day by the end of 2011. Such attacks are no longer limited to large organizations, as demonstrated by the data in the report. According to Symantec, more than 50 percent of such attacks target companies with fewer than 250 employees. It is possible that smaller organizations are now being targeted because they are somehow related to larger companies, through supply chain or other relationships - and they are less well-defended. The 2011 Report also includes information regarding data breaches. According to Symantec, approximately 1.1 million identities were stolen per data breach on average in 2011, and hacking incidents exposed 187 million identities in 2011 - the largest number for any type of data breach in 2011. Now here comes the "kicker" ... the most frequent cause of data breaches was theft or loss of unencrypted data on a computer or other medium on which data is stored or transmitted, such as a smartphone, USB drive, or a backup device. These theft or loss related breaches exposed 18.5 million identities.

Major Cyber Attack Aimed at Natural Gas Pipeline Companies (CSM, 5 May 2012) - A major cyber attack is currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security. At least three confidential "amber" alerts - the second most sensitive next to "red" - were issued by DHS beginning March 29, all warning of a "gas pipeline sector cyber intrusion campaign" against multiple pipeline companies. But the wave of cyber attacks, which apparently began four months ago - and may also affect Canadian natural gas pipeline companies - is continuing. "ICS-CERT has recently identified an active series of cyber intrusions targeting natural gas pipeline sector companies," the confidential April 13 alert warns. "Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign. The campaign appears to have started in late December 2011 and is active today." In Friday's public warning, ICS-CERT reaffirms that its "analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source." It goes on to broadly describe a sophisticated "spear-phishing" campaign - an approach in which cyber attackers attempt to establish digital beachheads within corporate networks. Yet there are several intriguing and unusual aspects of the attacks and the US response to them not described in Friday's public notice. One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.

Perils of Social Media for Lawyers: Badgerland Style (Kevin O'Keefe, 8 May 2012) - The drumbeat on the perils of social media continues. This time from my home state of Wisconsin. Thomas Watson, Senior Vice President at Wisconsin Lawyers Mutual Insurance Company, writes in Wisconsin Lawyer Magazine "…[Social media's] use presents many dangers to lawyers trying to operate competent and ethical practices." Watson threw a few bones out on the benefits of social media in two paragraphs, including that it's an inexpensive way to market and provides an opportunity to demonstrate to tech-savvy clients that an attorney has competency in their area of expertise and commerce. (I've always considered the fastest growing segment of Americans on Facebook, those over 55, as the tech-savvy folks.) Watson then goes on in 20 paragraphs to scare unknowing lawyers from using social media and to provide lawyers looking to keep the status quo with all the ammo they'll need to kill a firm initiative focused on using the Internet to build relationships and enhance one's reputation. I don't know whether Watson uses Twitter, Facebook, or a blog to build and nurture relationships or enhance his reputation as a thought leader on malpractice insurance statewide or nationwide. He may not fully appreciate how social media works nor the benefits it brings to the public and lawyers. I understand that he is just doing his job as a legal malpractice carrier and that he is citing other authorities for much of what he writes. But my gut tells me articles like this on the perils of social media do far more harm than good to lawyers and the public we serve.

ACTA Unlikely to be Ratified in Europe, Says Kroes (The Guardian, 8 May 2012) - The Acta treaty that has been the subject of street protests around Europe is unlikely to be ratified by the European Union, according to Neelie Kroes, the powerful European commissioner for telecoms and technology. Speaking on Friday, Kroes said that "we are now likely to be in a world without Sopa" - the US's proposed Stop Online Piracy Act - "and Acta." Acta, the Anti-Counterfeiting Trade Agreement, has been signed by 22 of the EU's 27 countries, as well as the US and Japan. But even in some of the countries that have signed it, parliaments have declined to ratify it due to public pressure. Ryan Heath, a spokesman for Kroes's office, said the European commission has not changed its position on the usefulness of Acta, and was continuing to work toward its ultimate ratification, but added that Kroes was "observing political reality". Kroes's comments come weeks before the commission, the EU executive, is due to make public new rules to ensure that musicians and film-makers get paid, and while it is trying to overhaul the bloc's copyright regime to cater for the internet era. Critics say the commission is holding back planned reviews of the EU's own rules because officials are worried it will come up against the same kind of resistance as Sopa and Acta.

Hello From the Back of the Room (Inside Higher Ed, 9 May 2012) - Where do you situate yourself for lectures, keynotes, and conference talks? Increasingly, I'm finding myself hanging out at the back of the room. I'm the guy you see standing against the wall. Not fully in, not totally out. Our crowd of back-wallers seems to be growing. Recently I was at a really great talk. Lots of free seats in the auditorium, and a crowd of us lurking on the back wall. I've been thinking about what is pulling me and others like me to the back of the room, and what is being lost in this transition * * * [Editor: this strongly resonated with me, both as a speaker and listener.]

Retired Justice's Online Game Teaches Civics (Gov't Technology, 9 May 2012) - When are my property taxes due? How do I find out about childhood vaccination programs? Who is responsible for protecting the water supply? Where do citizens go to get answers to these questions? Nonprofit civic education group iCivics, led by former Supreme Court Justice Sandra Day O'Connor, partnered with the National Association of Counties (NACo) to develop a free, online game called Counties Work to help increase knowledge of the functions of county government. According to The Hill's Technology Blog, Counties Work will be awarded the 2012 Gold Circle Award for Innovative Communications Award by the American Society of Association Executives on May 24. Targeted toward junior high and high school age students, Counties Work was first launched in summer 2011. Creators claim that iCivics is the first online interactive game with a county government focus. Players answer citizen questions, accept or reject suggestions, make infrastructure decisions, consider tax rates, build capital projects and manage emergencies.

Law School Plans to Offer Web Courses for Master's (NYT, 9 May 2012) - The law school of Washington University announced Tuesday that it would offer, entirely online, a master's degree in United States law intended for lawyers practicing overseas, in partnership with 2tor, an education technology company. Legal education has been slow to move to online classes, and the new master's program is perhaps the earliest partnership between a top-tier law school and a commercial enterprise. "We don't know where the students are going to come from exactly, but we believe there is demand abroad for an online program with the same quality that we deliver in St. Louis, accessible to people who can't uproot their lives to come to the United States," said Kent D. Syverud, the dean of the law school, which currently offers students on campus a Master of Law degree, or LL.M., in United States law for foreign lawyers. Graduates of the new program, which will include live discussions via webcam and self-paced online materials, would probably be eligible to take the California bar exam. Washington University will share the revenues from the $48,000 program - the same tuition paid by students at the St. Louis campus - with 2tor, which will provide marketing, the Web platform and technical support, including a staff member to monitor each live class and deal with any technical problems that arise. 2tor, a four-year-old company based in Maryland, has partnerships in place with the University of Southern California, Georgetown and the University of North Carolina for online graduate degree programs in education, business, public administration and nursing. Largely because of American Bar Association rules, however - under which approved law schools may not count more than 12 credits of distance education toward a Juris Doctor degree - legal education has been slow to shift to online classes. Students who earn a J.D. from a bar association-approved law school are automatically eligible to take the bar exam nationwide. But beyond that, each state sets its rules on who can take the bar exam. California, for example, is the only state that allows graduates of Concord Law School - which is not approved by the bar association, but offers a fully online Juris Doctor - to take its bar exam.

Cyber Briefings 'Scare The Bejeezus' Out Of CEOs (NPR, 9 May 2012) - For the CEOs of companies such as Dell and Hewlett-Packard, talk of cyberweapons and cyberwar could have been abstract. But at a classified security briefing in spring 2010, it suddenly became quite real. "We can turn your computer into a brick," U.S. officials told the startled executives, according to a participant in the meeting. The warning came during a discussion of emerging cyberthreats at a secret session hosted by the office of the Director of National Intelligence and the departments of Defense and Homeland Security, along with Gen. Keith Alexander, head of the U.S. military's Cyber Command. The meeting was part of a public-private partnership dubbed the "Enduring Security Framework" that was launched at the end of 2008. The initiative brings chief executives from top technology and defense companies to Washington, D.C., two or three times a year for classified briefings. The purpose is to share information about the latest developments in cyberwarfare capabilities, highlighting the cyberweapons that could be used against the executives' own companies. "We scare the bejeezus out of them," says one U.S. government participant. The hope is that the executives, who are given a special one-day, top-secret security clearance, will go back to their companies and order steps to deal with the vulnerabilities that have been pointed out. "I personally know of one CEO for whom it was a life-changing experience," says Richard Bejtlich, chief security officer for Mandiant, a cybersecurity firm. "Gen. Alexander sat him down and told him what was going on. This particular CEO, in my opinion, should have known [about the cyberthreats] but did not, and now it has colored everything about the way he thinks about this problem." Among the computer attack tools discussed during the briefings are some of the cyberweapons developed by the National Security Agency and the Cyber Command for use against U.S. adversaries. Military and intelligence officials are normally loath to discuss U.S. offensive cybercapabilities, but the CEOs have been cleared for some information out of a concern that they need to know what's possible in the fast-evolving world of cyberwarfare.

BYOD Stirs Up Legal Problems (Network World, 10 May 2012) - Let's say you need to pull some corporate data off an employee's personal iPad. Under the newly and hastily crafted bring-your-own-device policy, or BYOD, the employee is required to hand over the iPad to the IT computer forensics team. (A sampling of BYOD user policies) The team finds child pornography on the iPad in areas unrelated to the job. Did the team have permission to conduct e-discovery on personal data? Is the team obligated to call law enforcement? Would the finding be admissible in court? Were the employee's privacy rights violated? Was the BYOD policy thorough enough to cover such scenarios? Welcome to the foggy world of BYOD, where the blending of personal and work lives on a single device opens up a host of problems. CIOs often fret about security and management, but BYOD can land a company in murky legal water, too. "It's a slippery slope," says Ben Tomhave, principal consultant at tech consultancy LockPath. While he isn't a lawyer, Tomhave is co-vice chairman and incoming co-chairman of the American Bar Association's SciTech Information Security Committee and regularly blogs about risk management issues. If CIOs think they can get off this slippery slope by blocking BYOD at the front door, think again. Juniper Networks just released results of a survey of more than 4,000 mobile-device users and IT professionals. This IT-gets-burned stat stood out: Many employees circumvent their employers' official mobile-device policies, with 41 percent of all respondents who use their personal devices for work doing so without permission from the company, the report states.

Few Companies Fight Patriot Act Gag Orders, FBI Admits (Wired, 10 May 2012) - Since the Patriot Act broadly expanded the power of the government to issue National Security Letters demanding customer records, more than 200,000 have been issued to U.S. companies by the FBI. But the perpetual gag orders that accompany them are rarely challenged by the ISPs and other recipients served with such letters. Just how rare these challenges are became more evident following the recent release of a 2010 letter from the Justice Department to a federal lawmaker. In December 2010 in a letter (.pdf) from Attorney General Eric Holder to Senator Patrick Leahy (D-Vermont), the FBI asserted that in February 2009 it began telling recipients they had a right to challenge the built-in gag order that prevents them from disclosing to anyone, including customers, that the government is seeking customer records. That policy was mandated by a 2008 appellate court decision, which found that the never-ending, hard-to-challenge gag order was unconstitutional. Holder noted, however, that in the year and 10 months since the FBI started notifying recipients of this right, only a small handful had asserted that right. "Thus far, there have been only four challenges to the non-disclosure requirement," Holder wrote, "and in two of the challenges, the FBI permitted the recipient to disclose the fact that an NSL was received." Since Holder wrote the letter, the number of gag order challenges has risen to at least five. In March, Threat Level reported that an unnamed company had challenged a National Security Letter it had received earlier this year. The latest challenge occurred sometime around the end of January, when an unknown provider of communication services in the United States - possibly a phone company, or perhaps even Twitter - got a letter from the FBI demanding it turn over information on one, or possibly even hundreds, of its customers. [Editor: Hooray for Twitter.]

Unpacking Privacy's Price (by Chris Hoofnagle and Jan Whittington; SSRN; 14 May 2012) - Abstract: "This article introduces a transaction cost economic framework for interpreting the roles consumers play in social networking services ("SNSs"). It explains why the exchange between consumers and SNSs is not simple and discrete, but rather a continuous transaction with atypical attributes. These exchanges are difficult for consumers to understand and come with costs that are significant and unanticipated. Under current structures of governance, there is no exit for consumers who wish to leave an SNS. In other contexts, similar transactions are bounded by tailored consumer protections. This article explains the need for tailored consumer protection in the SNS context. Specifically, we argue that a consumer right to rescind enrollment in an SNS, triggering a deletion of and ability to export information shared with the service, is appropriate given the skewed aspects of personal information transactions."

Protecting State Secrets as Intellectual Property: A Strategy for Prosecuting WikiLeaks (Stanford J of Int'l Law, 15 May 2012; by James Freedman) - Criminal statutes generally deployed against those who leak classified government documents - such as the Espionage Act of 1917 - are ill-equipped to go after third-party international distribution organizations like WikiLeaks. One potential tool that could be used to prosecute WikiLeaks is copyright law. The use of copyright law in this context is rarely mentioned, and when it is, the approach is largely derided by experts, who decry it as contrary to the purposes of copyright. Using copyright to protect state secrets, however, particularly if done through suit in a foreign court, escapes a number of the impediments to a WikiLeaks prosecution, such as the limited scope of narrowly tailored U.S. criminal statutes or the need to apply U.S. law extraterritorially and extradite defendants. Admittedly, using copyright law for these purposes presents its own set of problems, perhaps most intractable under U.S. law, but still significant in the case of suits brought in a foreign court under foreign law. This Note will explore these difficulties, such as the government works issue, potential fair use or fair dealing defenses, as well as various non-legal obstacles to success, eventually reaching the conclusion that prosecuting WikiLeaks internationally for copyright violations is potentially more viable than any of the methods of criminal prosecution heretofore explored publicly by government attorneys and legal scholars.

Web-Based Dispute Resolution Systems Gain Traction ("ODR") (Christy Burke, 15 May 2012) - Courtroom showdowns make for great movie scenes, but To Kill a Mockingbird's Atticus Finch would be shocked to hear that the courts are only resolving a fraction of today's legal disputes. A growing number of cases are being resolved by online tools, and sometimes lawyers and judges are not even involved. Impartial web-based systems apply computation, algorithms and cryptographic technology to bring about resolution quickly and inexpensively. A growing stable of private sector companies are beginning to compete with the judicial system for "customers" and are also changing the face of traditional Alternate Dispute Resolution or ADR, which has typically included mediation, arbitration and other alternatives to the courts. Not only are approaches to justice and negotiation changing, but some of these new systems like those provided by Fair Outcomes, are actually prompting lawyers and their customers to be more honest about the value of a case and their realistic objectives from the outset, providing disincentives to lie, bully and posture. Utopian though it may sound, this is actually becoming a reality. Atticus would be happy to hear that, at least! A potential paradigm shift is in the making here, but what is motivating parties to look outside traditional courts, mediation and arbitration and flock to the web for resolving their disputes? In short, overburdened courts, lean economic times, cost, and convenience all figure into the mix.

Free Guide on Maintaining Privacy, Security of EHRS (AAFP, 16 May 2012) - The Office of the National Coordinator (ONC) for Health Information Technology has released a new resource to help physicians incorporate mandatory privacy and security safeguards into their electronic health record (EHR) systems. The free manual, titled Guide to Privacy and Security of Health Information (47-page PDF), reiterates the importance of guarding the privacy and security of patient information stored and transmitted electronically. The ONC guide offers physicians a variety of tools, including a security risk analysis of a practice's EHR, tips on successful partnering with EHR vendors, and a 10-step privacy and security plan.

Reminder To Congress: Cops' Cellphone Tracking Can Be Even More Precise Than GPS (Forbes, 17 May 2012) - In the wake of a historic Supreme Court ruling that police can't use GPS devices planted on a car to track suspects without a warrant, Congress is reconsidering the question of what kinds of location tracking constitute an invasion of privacy. And one privacy and computer security professor wants to remind them that the gadget we all carry in our pockets can track us more precisely than any device merely attached to our car - even without the use of GPS. On Thursday the House Judiciary Committee held a hearing to discuss a proposed bill to limit location tracking of electronic devices without a warrant, what it's calling the Geolocational Privacy and Surveillance Act, or the GPS Act. And ahead of that hearing, University of Pennsylvania professor Matt Blaze submitted written testimony (PDF here) that points out that phone carriers, as well as the law enforcement agencies that they share data with, can now use phones' proximity to cell towers and other sources of cellular data to track their location as precisely or even more precisely than they can with global positioning satellites. Thanks to the growing density of cell towers and the proliferation of devices like picocells and femtocells that transmit cell signals indoors, even GPS-less phones can be tracked with a high degree of precision and can offer data that GPS can't, like the location of someone inside a building or what floor they're on.

Citizen Counter-Surveillance of the Police? There's an App For That (CMLP, 17 May 2012) - Despite the welcome 7th Circuit decision in ACLU v. Alvarez on May 8 that directed a federal district court to enjoin the application of the Illinois eavesdropping statute to an ACLU police accountability program, citizens around the country remain vulnerable to arrest and harassment for recording audio and video of police in public spaces. Cases like Glik v. Cunniffe and Alvarez indicate that the tides are changing in favor of First Amendment protections of police oversight and, in Illinois, at least two county court judges have also found the Illinois eavesdropping statute unconstitutional. Some, like the ACLU, have launched initiatives to publicly record audio and video of police conduct, and the Alvarez case was pursued by the ACLU specifically to allow ACLU staff to legally record police without fear of reprisal under the eavesdropping statute. Along these lines, many individuals have been using a suite of cell phone apps developed by open government activist Rich Jones to record audio and video of encounters with law enforcement officers. Jones launched the OpenWatch.net project in January 2011, which now boasts three smartphone apps designed to secretly record citizen encounters with police officers. Jones has also produced a version of his software for the ACLU of New Jersey to support their police accountability programs. In a recent interview with Jones, he told me that he launched the project to supply technology "to provide documentary evidence of uses and abuses of power… [as] part of a new wave of document-based journalism." "If we're going to lose all of our privacy," Jones says, "then we're damn well going to get some transparency." In practice, after downloading the OpenWatch or CopRecorder app to a cell phone, a user just needs to open the app and press a button to record audio (in the case of CopRecorder) or both audio and video (in the case of OpenWatch) through the camera and microphone built into their phone. After hitting "record," the app disappears from view to hide the fact that the user is recording. And when the user reopens the app to end the recording, they are asked whether they would like to upload the recording to OpenWatch's public database.

Patent Protector or Pest? (Inside Higher Ed, 17 May 2012) - The question was simple enough: Has the University of South Florida ever had a business relationship with Intellectual Ventures, a leading collector of patents and a partner of many colleges? That inquiry began a 12-day saga -- which ended in a curt no-comment and a reference to an obscure provision of Florida open-records law -- that underscores the hesitancy of most anyone within higher education to talk about Intellectual Ventures. Two top officers at the tech transfer professional association, the Association of University Technology Managers, declined to comment. They weren't alone. Officials at seven of the nine universities (among them three Ivies) that were revealed in a court filing to be investors in Intellectual Ventures also wouldn't talk. Most colleges that license their patents to Intellectual Ventures choose to remain anonymous, and often cite open-records exemptions if anyone asks about their affiliation. In contrast, other universities (including two in Florida) had no problem disavowing any connection to the company. Intellectual Ventures says it works with scores of colleges worldwide and touts itself as a champion of university-employed inventors whose patents might never be commercialized otherwise. Faculty members at the California Institute of Technology and the University of British Columbia are among those who have worked with Intellectual Ventures, but those universities are the exception in choosing to reveal their relationships. Australia's Edith Cowan University and the Indian Institute of Technology, Bombay have also disclosed their partnerships with IV. Since its beginnings about a decade ago, Intellectual Ventures has grown to be one of the largest holders of patents in the U.S. and abroad. And while many within higher education think highly of the company, others have a less rosy impression. Intellectual Ventures takes advantage of patent laws and squelches innovation by threatening lawsuits, critics say, and universities betray their values when they work with the company.

A More Refined French Cookie Recipe (Steptoe, 17 May 2012) - The French data protection authority last month released a revised version of its guidance on cookies. The newest guidance from the Commission Nationale de l'Informatique et des Libertés (CNIL) offers additional advice on acceptable means for website operators to obtain user consent for the use of cookies. It also adds analytic cookies (i.e., those cookies used primarily to measure website traffic) to the list of cookies exempt from the prior consent requirement, citing the "very limited risk" their use poses to user privacy. Nevertheless, the CNIL has set certain conditions that must be met by website operators in order to be considered eligible for this exception.

DOJ's Public Statements Provide a Road Map for Citizens to Sue in Cop Recording Cases (CMLP, 21 May 2012) - In May 2010, Christopher Sharp used his cell phone to record video of his friend being arrested by the Baltimore Police at the Preakness Stakes. The police demanded that Sharp surrender his phone, stating that the contents might be evidence; when the phone was returned, Sharp discovered that the video he had made, plus a number of other unrelated videos, had been deleted. The ACLU (a leading voice on the First Amendment right to record in public, as reflected in its efforts in Glik v. Cunniffe and ACLU v. Alvarez) helped Sharp file suit against the Baltimore PD for violation of his First Amendment rights in Sharp v. Baltimore City Police Department, a civil rights action filed in the U.S. District Court for the District of Maryland. In January 2012, the Department of Justice got involved in the case. Contrary to what might be expected, the DOJ was not supporting the police department - instead, it filed a "Statement of Interest" in support of Sharp's position in the case. The Statement of Interest reads like an amicus curiae brief (compare the CMLP's brief in Glik and the Reporters Committee for Freedom of the Press's brief in Alvarez); it contains strong arguments that there is a First Amendment right to record the police, that Baltimore police officers violated Sharp's First, Fourth, and Fourteenth Amendment rights when they deleted his footage, and that the Baltimore PD's attempt to prevent future violations of citizens' rights through revised policies and training protocols was insufficient. Then, on May 14, 2012, the DOJ took further action in the Sharp case, this time sending an open letter (available publicly on the DOJ's website) to the parties in advance of a settlement conference scheduled by the court. The DOJ served the letter on counsel for the parties, taking the position that if Sharp and the Baltimore PD were to settle the case, any settlement should require that the police department adopt "policy and training requirements that are consistent with important First, Fourth and Fourteenth Amendment rights at stake when individuals record police officers in the public discharge of their duties."

Copyrighting Fashion (Samson Vermont of U. Miami law school; 21 May 2012) - Samson Vermont, University of Miami School of Law, has published The Dubious Legal Rationale for Denying Copyright to Fashion. Here is the abstract: "This essay clarifies the useful article doctrine and argues that it does not, as clarified, bar copyright for fanciful clothing. Clarification is necessary because the drafters of the 1976 Act botched their attempt to codify the doctrine. As written, the Act denies copyright to a useful article unless its aesthetic features are separable from its utilitarian function. Separability, however, is irrelevant. What matters is whether the article has unconstrained features. The features of many fanciful garments are unconstrained enough for copyright. Indeed, they are more unconstrained than the features of other useful articles that courts already protect."

FTC Taps Privacy Advocate Paul Ohm as Adviser (Computerworld, 21 May 2012) - The U.S. Federal Trade Commission has hired Paul Ohm, a privacy advocate and critic of current online privacy practices, as a senior privacy adviser for consumer protection and competition issues affecting the Internet and mobile services. Ohm, a University of Colorado Law School professor, will take a leave of absence from the school to serve in the FTC's Office of Policy Planning. The office focuses on long-range competition and consumer-protection policy efforts, and it advises FTC staff on cases raising complex policy and legal issues. [Editor: Ohm is talented, and the leading authority on de-anonymization.]

Cyber Attacks: Insurers Seeking to Develop Risk Management Standards (Cameron McKenna, 22 May 2012) - In a recent FT article, Janet Williams, the lead on cybercrime initiatives for the Association of Chief Police Officers, commented that insurers should agree only to provide cover against cyber attacks to companies that meet a minimum cyber defence Kitemark standard. Insurers have responded to the notion of establishing minimum security standards to prevent cyber attacks through the launch of The Cyber Insurance Working Group. The Group comprises technology insurers including Liberty, Zurich and CNA Europe, plus specialist technology insurance broker Oval. Other insurers selling cover for cyber attacks and security/data breaches could be keen to participate. The Group plans regular meetings to develop a framework of recommended information security practices and procedures, including adequate business continuity plans and corporate information security policies. The aim is that insurers providing security cover will be able to demand a specific structured demonstration of commitment from their insureds and ultimately avoid the costly fall out from claims, particularly in circumstances where there is little scope for insurers to make any significant recoveries in the event of a loss. Cyber attacks involving a complex web of data/security breaches and multiple individuals can be difficult to prosecute through the criminal courts and whilst companies and insurers may want to pursue civil cases against cyber offenders, it remains to be seen whether these actions would suffer from the same obstacles. [Editor: makes sense; this is how building codes emerged in the US.]

'Clueless' Boards Risk Lawsuits, Threaten National Security (Network World, 23 May 2012) - For far too many boards of directors and senior management of critical infrastructure industry sectors, cybersecurity and privacy are less than afterthoughts. They are barely even thoughts. That's a key finding of "Governance of Enterprise Security: CyLab 2012 Report," a global survey of industries by Carnegie Mellon CyLab and its sponsor, RSA, The Security Division of EMC. Jody Westby, CEO of Global Cyber Risk and the author of the report, wrote in Forbes last week that boards of directors are essentially "clueless" about cybersecurity, saying 75% of the survey respondents were from critical infrastructure industry sectors -- "primarily the financial, energy/utilities, IT/telcom and industrial." "According to the survey results, 71% of their boards rarely or never review privacy and security budgets; 79% rarely or never review roles and responsibilities; 64% rarely or never review top-level policies and; 57% rarely or never review security program assessments." Beyond this, Westby says 79% of boards in the energy/utilities sector were not conducting cyber insurance reviews. "What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity."

Study: Patriot Act Doesn't Give Feds Special Access to Cloud Data (Computerworld, 23 May 2012) - An often-repeated concern that the U.S. Patriot Act gives the U.S. government unequaled access to personal data stored on cloud services is incorrect, with several other nations enjoying similar access to cloud data, according to a study released Wednesday. The governments of several other countries, including the U.K., Germany, France, Japan and Canada, have laws in place allowing them to obtain personal data stored on cloud computing services, said the study, by Hogan Lovells, an international law firm that focuses on government regulations and other topics. The Patriot Act, passed as an anti-terrorism measure in 2001, is "invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the cloud than governments elsewhere," wrote study co-authors Christopher Wolf, based in Washington, D.C., and Winston Maxwell, based in Paris. "However, our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to cloud data." Since late 2011, some European cloud providers have promoted their services as so-called safe havens from the U.S. Patriot Act. In September 2011, Ivo Opstelten, the Dutch minister of safety and justice, said that U.S. cloud providers could be excluded from Dutch government because of the Patriot Act. Opstelten later softened his stance. But the Hogan Lovells study, released by think tank the Openforum Academy Wednesday, said there are "misconceptions" about the Patriot Act and other countries' laws allowing access to cloud data.

IBM's Siri Ban Highlights Companies' Privacy, Trade Secret Challenges (ArsTechnica, 23 May 2012) - Apple's digital "assistant" Siri isn't welcome at IBM; neither are Apple's voice dictation features in the iPhone and iPad. IBM CIO Jeanette Horan revealed in an interview with Technology Review that the company turns off Siri on employees' iPhones for fear that the service stores employees' queries somewhere outside of IBM's control. The move highlights some of the problems large enterprises face when employees begin using their own devices at work. The revelation is making waves among the Apple blogosphere, but the company's policy isn't actually all that surprising. Siri - and Apple's voice dictation features - send voice commands through the Internet to Apple's servers for processing before returning a text result. Apple doesn't make it clear whether it stores that data, for how long, or who has access to it. (As noted by our friends at Wired, this behavior from Siri is what caused the ACLU to post a warning about the technology in March of this year.) IBM most likely wants to protect its trade secrets, which is why it wouldn't want any sort of spoken data from employees being stored on Apple's servers. What is surprising? It appears that not many companies have joined IBM in forbidding the use of Siri for security purposes. I asked on Twitter whether anyone else's companies have a similar policy, and received extremely few responses saying yes. The only people - so far - who have acknowledged any kind of Siri policy were government workers and some school employees. Most said their employers had not yet added Siri to their list of forbidden technologies. Some responses did point out that their employers blocked the use of Google's services for the same reasons (storing data on Google's servers), implying that corporations are still catching up on what kind of risks Siri and voice dictation services might present.

Flashing Headlights to Warn Oncoming Drivers of a Speed Trap = Constitutionally Protected Speech (Volokh Conspiracy, 24 May 2012) - So held a Florida trial court judge, and he wasn't the first - I think I've seen this in a few cases, but the one for which I have a citation is State v. Walker, No. I-9507-03625 (Williamson Cty. (Tenn.) Cir. Ct. Nov. 13, 2003). Whether this is the right answer is not clear. It's a special case of warnings to hide one's illegal conduct because the police are coming - though here done by a stranger rather than by a lookout who's in league with the criminals - and that in turn is a special case of what I call Crime-Facilitating Speech (see 57 Stan. L. Rev. 1095 (2005)), which is to say speech that conveys information that makes it easier for people to commit crimes or to get away with crimes. The Supreme Court has never squarely confronted this question. When I've blogged about this in the past, some people have argued that flashing headlights should be protected because it's encouraging legal behavior (slowing down) rather than illegal behavior, but I don't think that can dispose of the issue: Many lookouts do the same, e.g., when a lookout warns would-be robbers to abandon their plans because a police car is driving by.

CEOs Are Finally Warming Up to Social Media (Mashable, 24 May 2012) - CEOs are finally embracing social media's role in engaging business and customers, according to a recent IBM Global CEO Study. For businesses, social media is currently the least-utilized method for connecting with their audiences. The hierarchy of connecting is as follows: face-to-face interactions, websites, channel partners, call centers, traditional media, advisory groups, and then, finally, social media. However, social media is expected to jump to the number two spot within three to five years - and traditional media will plummet to the bottom of the list - according to IBM's report of their findings. Out of the 1,709 CEOs interviewed for the study - hailing from 64 countries and 18 industries - only 16% currently participate in social media. However, that percentage is expected to grow to 57% within the next five years, according to the IBM analysis. As Mashable previously reported, these numbers coincide with the "conservative optimism" regarding social media engagement for businesses. More than half of business owners (64%) believe in social media as a useful tactic for marketing - they just aren't willing to jump into it full-force yet.

French Court Narrows the Scope of Workplace Privacy (Steptoe, 24 May 2012) - The Bordeaux Court of Appeals in France has ruled, in Pierre B. v. Epsilon Composite, that a company was justified in reviewing emails sent by an employee using a workplace computer, since the employee had not identified the messages as personal. The employer was also justified in firing the employee when it discovered that he had emailed confidential work files from his work email to his personal email account, in violation of company rules and a confidentiality agreement he had signed. As we previously reported, the Cassation Court's 2001 decision in Nikon France SA v. Frédéric O. established that employees have a right to privacy in personal messages transmitted using a workplace computer, even where an employer has banned non-business use of the computer. But, since then, French courts have refined the Nikon decision in ways that narrow employees' privacy rights in the workplace in favor of employers. This decision continues that trend.

BOOKS

A Practical Guide to Software Licensing for Licensees and Licensors (4th Edition, by Ward Classen; review by Michael Yang) - "The latest edition of H. Ward Classen's A Practical Guide to Software Licensing for Licensees and Licensors (Model forms and annotations included in print and on CD-Rom, Chicago: American Bar Association, 4th ed. 2011 $129.95, pp. 987, ISBN: 978-1-61632-813-9) is a practical reference manual that combines the most useful aspects of treatise, textbook and form book. The fourth edition has been updated with some of the latest developments in software licensing, including sections on UCITA "bomb shelter" legislation, cloud computing and software as a service (SaaS) models, and privacy issues under HIPAA and HITECH. Going beyond a mere discussion of licensing matters, the book provides guidance on areas that have significant influence on the licensing process, including topics such as the negotiation process, intellectual property law, export issues, bankruptcy issues, and the use of additional documents related to the license agreement, such as master agreements, service level agreements, confidentiality agreements, and escrow agreements. Most practitioners when looking for reference books on software licensing are likely to be seeking sample contract language and form contracts, and this book does not disappoint in that regard. At nearly 1,000 pages in length, the book is split nearly 50/50 between substantive chapters and model forms. Those using A Practical Guide solely as a form book will find that it is more than sufficient in providing sample language for most software licensing circumstances a practitioner might face (made particularly handy by the included CD containing a slew of model forms), but it is much more than just a form book."

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

CYBERATTACK COULD RESULT IN MILITARY RESPONSE (USA Today, 14 Feb. 2002) -- The United States might retaliate militarily if foreign countries or terrorist groups abroad try to strike this country through the Internet, the White House technology adviser said. "We reserve the right to respond in any way appropriate: through covert action, through military action, any one of the tools available to the president," Richard Clarke said at a Senate Judiciary subcommittee hearing on cyberterrorism. Clarke said Iran, Iraq, North Korea, China, Russia and other countries already are having people trained in Internet warfare. Clarke refused to say what level of cyberattack might lead to a military response from the United States. "That's the kind of ambiguity that we like to keep intentionally to create some deterrence," he told reporters. So far, the United States has not caught any foreign governments or terrorist group using Internet warfare, although that does not mean it has not been attempted, Clarke said. "We cannot point to a specific foreign government having done a specific unauthorized intrusion into a U.S. government network," Clarke said. "There are lots of cases where there has been unauthorized intrusions but we have never been able to prove to our particular satisfaction that a particular government did it." But, he added, "if I was a betting man, I'd bet that many of our key infrastructure systems already have been penetrated." http://www.usatoday.com/life/cyber/tech/2002/02/14/cyberterrorism.htm

ARTIFICIAL INTELLIGENCE SYSTEM ACTS AS JOURNALIST (Online Journalism Review, 5 Feb. 2002) -- Columbia University has developed experimental software called the Columbia Newsblaster that can read a variety of news articles on a topic and then write a lead and summary of the most important information. Newsblaster uses natural language processing and artificial intelligence to interpret and rank the importance of facts contained in news material. A prototype currently digests news from 13 sources including Yahoo, ABCNews, CNN, Reuters, Los Angeles Times, CBS News, Canadian Broadcasting Corporation, Virtual New York, Washington Post, Wired, and USA Today. While Newsblaster is intended as an aid to both average news consumers and journalists who have to deal with an increasing flood of information sources, Dan Dubno, producer and technologist for CBS News, is worried that such technology could dull the "editorial edge" a reporter or editor brings to covering a story. http://ojr.usc.edu/content/story.cfm?request=690

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuireWoods' Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, May 05, 2012

MIRLN --- 15 April – 5 May 2012 (v15.06)

MIRLN --- 15 April - 5 May 2012 (v15.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

NEWS | PODCASTS | RESOURCES | BOOK REVIEW | LOOKING BACK | NOTES

FBI: Smart Meter Hacks Likely to Spread (Krebs on Security, 9 April 2012) - A series of hacks perpetrated against so-called "smart meter" installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology. The FBI believes that miscreants hacked into the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.

Face Recognition Could Catch Bad Avatars (New Scientist, 11 April 2012) - A police car rolls up to a house where the doors and windows are smashed in, rooms are ransacked and numerous high-value items are missing. Calming the home-owner, an officer begins to investigate: "Did you see the person who did it?" The shaken victim replies: "Yes, he had massive purple dreadlocks, green lips and was dressed like Michael Jackson." Such an unusual perpetrator would be easy to identify in the physical realm, but this break-in took place in a virtual world, where odd-looking avatars are the norm. It may sound like an odd crime, but Japanese police have previously arrested virtual muggers, and the FBI has investigated casinos based in the virtual world of Second Life. Virtual crimes will become more common as we venture more and more into these worlds, says computer scientist Roman Yampolskiy. To prevent this, multinational defence firm Raytheon, based in Waltham, Massachusetts, has a patent pending on fusing a person's real biometrics with their 3D avatar, so you know for sure who you are speaking to in a digital world. Yampolskiy and colleagues at the Cyber-Security Lab at the University of Louisville in Kentucky are going one step further: they are developing the field of artificial biometrics, or "artimetrics". Similar to human biometrics, artimetrics would serve to authenticate and identify non-biological agents such as avatars, physical robots or even chatbots (see "Spot the bad bot"). In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there would be no way of linking an avatar username to a human user.
Yampolskiy and colleagues have developed facial recognition techniques specifically tailored to avatars, since current algorithms only work on humans. "Not all avatars are human looking, and even with those that are humanoid there is a huge diversity of colour," Yampolskiy says, so his software uses those colours to improve avatar recognition.

Law Enforcement Surveillance Reporting Gap (Chris Soghoian SSRN, 11 April 2012) - Abstract: Third party facilitated surveillance has become a routine tool for law enforcement agencies. There are likely hundreds of thousands of such requests per year. Unfortunately there are few detailed statistics documenting the use of many modern surveillance methods. As such, the true scale of law enforcement surveillance, although widespread, remains largely shielded from public view. The existing surveillance statistics might be sufficient if law enforcement agencies' surveillance activities were limited to wiretaps and pen registers. However, over the last decade, law enforcement agencies have enthusiastically embraced many new sources of investigative and surveillance data for which there are no mandatory reporting requirements. As a result, most modern surveillance now takes place entirely off the books and the true scale of such activities, which vastly outnumber traditional wiretaps and pen registers, remains unknown. In this article, I examine the existing electronic surveillance reporting requirements and the reports that have been created as a result. Some of these have been released to public, but many have only come to light as a result of Freedom of Information Act requests or leaks by government insiders. I also examine several law enforcement surveillance methods for which there are no existing legally mandated surveillance reports. Finally, I propose specific legislative reporting requirements in order to enable some reasonable degree of oversight and transparency over all forms of law enforcement electronic surveillance.

Harms of Post-9/11 Airline Security (Bruce Schneier, 14 April 2012) - I debated former TSA Administrator Kip Hawley on the "Economist" website. I didn't bother reposting my opening statement and rebuttal, because -- even though I thought I did a really good job with them -- they were largely things I've said before. In my closing statement, I talked about specific harms post-9/11 airport security has caused. This is mostly new, so here it is, British spelling and punctuation and all. In my previous two statements, I made two basic arguments about post-9/11 airport security. One, we are not doing the right things: the focus on airports at the expense of the broader threat is not making us safer. And two, the things we are doing are wrong: the specific security measures put in place since 9/11 do not work. Kip Hawley doesn't argue with the specifics of my criticisms, but instead provides anecdotes and asks us to trust that airport security -- and the Transportation Security Administration (TSA) in particular -- knows what it's doing. This loss of trust -- in both airport security and counterterrorism policies in general -- is the first harm. Trust is fundamental to society. There is an enormous amount written about this; high-trust societies are simply happier and more prosperous than low-trust societies. Trust is essential for both free markets and democracy. This is why open-government laws are so important; trust requires government transparency. The secret policies implemented by airport security harm society because of their very secrecy. The humiliation, the dehumanisation and the privacy violations are also harms. That Mr Hawley dismisses these as mere "costs in convenience" demonstrates how out-of-touch the TSA is from the people it claims to be protecting. 
Additionally, there's actual physical harm: the radiation from full-body scanners still not publicly tested for safety; and the mental harm suffered by both abuse survivors and children: the things screeners tell them as they touch their bodies are uncomfortably similar to what child molesters say. In 2004, the average extra waiting time due to TSA procedures was 19.5 minutes per person. That's a total economic loss -- in America -- of $10 billion per year, more than the TSA's entire budget. The increased automobile deaths due to people deciding to drive instead of fly is 500 per year. Both of these numbers are for America only, and by themselves demonstrate that post-9/11 airport security has done more harm than good. The current TSA measures create an even greater harm: loss of liberty. Airports are effectively rights-free zones. Security officers have enormous power over you as a passenger. You have limited rights to refuse a search. Your possessions can be confiscated. You cannot make jokes, or wear clothing, that airport security does not approve of. You cannot travel anonymously. (Remember when we would mock Soviet-style "show me your papers" societies? That we've become inured to the very practice is a harm.) And if you're on a certain secret list, you cannot fly, and you enter a Kafkaesque world where you cannot face your accuser, protest your innocence, clear your name, or even get confirmation from the government that someone, somewhere, has judged you guilty. These police powers would be illegal anywhere but in an airport, and we are all harmed -- individually and collectively -- by their existence. Increased fear is the final harm, and its effects are both emotional and physical. 
By sowing mistrust, by stripping us of our privacy -- and in many cases our dignity -- by taking away our rights, by subjecting us to arbitrary and irrational rules, and by constantly reminding us that this is the only thing between us and death by the hands of terrorists, the TSA and its ilk are sowing fear. And by doing so, they are playing directly into the terrorists' hands.

Twitter's Revolutionary Agreement Lets Original Inventors Stop Patent Trolls (TechDirt, 17 April 2012) - We've talked repeatedly in the past about how even if a company got patents for solely defensive reasons, down the road, those patents can end up in the hands of trolls, who abuse them to hinder real innovation. If you talk to engineers -- especially software engineers -- in Silicon Valley, this is one of the many things they absolutely hate about patents. But, because companies often feel the need to stockpile patents as a defensive means of warding off patent lawsuits, many engineers and companies do so out of a sense of obligation. However, it appears that Twitter is thinking differently about this, and has announced that it will be using its new Innovator's Patent Agreement to guarantee that any patents obtained by employees at Twitter (past or present) grant lifetime control to the actual inventors, to prevent the patents from being used offensively against others. The basic idea makes a lot of sense. Twitter has also posted the full agreement to Github and put it under a Creative Commons license. The method by which this works is pretty creative. Basically, if the actual patent holder tries to use the patent offensively without first obtaining the permission of the inventor, the agreement allows the inventor to issue a license to the entity being sued * * *

Only 1 Out of 4 Companies Buying Cyberinsurance (Insurance Journal, 17 April 2012) - Nearly three in four corporate risk managers are not buying insurance policies to cover data breaches and damage to customers' privacy despite the rising threat of hacking, according to a survey released on Monday. Not only are most North American companies shunning coverage entirely, many of those who are taking out "cyberinsurance" are buying policies with only limited protection in case of an attack, consultants Towers Watson said in their annual review of corporate risk. In the wake of high-profile attacks on companies like Sony and Citigroup, insurance brokers reported last summer that interest was soaring in policies to protect against civil suits and regulatory fines from data breaches. That, in turn, led a number of insurers to start offering policies, which had an immediate downward effect on rates. Insurance brokers Marsh recently said that pressure has continued, as capacity exceeds demand. Of those not taking coverage, two-thirds said it was because their internal controls were adequate or because they did not have a significant data exposure. Fewer than half said they conducted regular "penetration tests" to assess the adequacy of their network.

If Lawyers Sell Legal Expertise to Clients, Who Owns the Resulting Product? (Susan Hackett, 17 April 2012) - I'm still mulling over the implications of an article by Mark Hamblett in the New York Law Journal about some lawyers who have filed suit against Lexis-Nexis and West Publishing for what these lawyers say is the "unabashed wholesale copying of thousands of copyright-protected works created by, and owned by, the attorney and law firms." While the article's story is about whether authoring lawyers or their firms are copyright holders of documents filed in courts and stored as public records - especially if folks retrieving them want to resell access to and discussion of them as Lexis and West do - I'm more interested in the corporate clients who hired the lawyers in the first place and how firms and clients are (or are not) leveraging that knowledge for reuse. To that end, I don't propose to offer my predictions for the outcome of this suit, but rather to share a bit of the resulting think-train that this case spurred in my mind. And I'm sharing it here in the New Normal column since I think the meaning of knowledge ownership and knowledge sharing in the legal profession has profound impacts on the kinds of collaborative, data-driven, process oriented, "stop-reinventing-the-wheel" discussions currently under way between many in-house counsel and their law firms. More and more clients are engaging in the creation and sharing of knowledge platforms that incorporate all kinds of material - documents, filings, memos, research, templated "answers" used by the department to answer internal client questions, etc.
Of course, their efforts range from a simple repository on the client's intranet of past memos and briefs to much more sophisticated systems, databases, and extranets that share data and documents, sift and apply model past contract terms to new agreements, allow counsel to answer company manager questions online in a self-service fashion, and create the basis for new ways of focusing lawyers on routinizing those elements of work that aren't really unique from matter to matter. (See, e.g., a few of the more intense knowledge-based in-house practices we've been documenting on my company's website as we've conversed with law department leaders who have made knowledge-sharing and experience "captures" a primary mission.) It stands to reason that pretty much any client knowledge/experience-based system - no matter how sophisticated or developed - will include documents, materials, practices, and processes that were generated to some degree by the client's outside counsel. Some might include a lot of them. I'm not the copyright expert that others reading this article may be - so chime in! What I understand in general is that when retaining someone to perform services that include the provision of copyrightable material, the presumption is usually that the IP rights stay with the author who's been retained for the service, unless those rights are specially contracted to pass to the company retaining the author - the company may have some right of use for internal purposes consistent with the reason for the retention, but not an automatic right to "share." And I know that the practical attitude of most clients is that they paid - and often dearly! - for the work that the firm provided, so they feel that they have the right to use the material provided by their outside counsel again and again, and pretty much as they wish. I also know that most retention agreements are silent on this point - the parties' relative positions as I've described them are presumed.
So maybe firms won't be likely to protest when clients continue to use and reuse material the firm provided in past matters for internal purposes - even those beyond the instant matter. But what about when a bunch of clients decide that they'd like to share with each other those kinds of materials that do not constitute "confidential" advice that they're willing to swap for the access to other clients' similar treasures?

Elite Universities' Online Play (InsideHigherEd, 18 April 2012) - Princeton University, the University of Pennsylvania and the University of Michigan at Ann Arbor have teamed up with a for-profit company to offer free versions of their coveted courses this year to online audiences. By doing so, they join a growing group of top-tier universities that are embracing massively open online courses, or MOOCs, as the logical extension of elite higher education in an increasingly online, global landscape. Princeton, Penn and Michigan will join Stanford University and the University of California at Berkeley as partners of Coursera , a company founded earlier this year by the Stanford engineering professors Daphne Koller and Andrew Ng. Using Coursera's platform, the universities will produce free, online versions of their courses that anyone can take. [Editor: I took part of the Stanford crypto course on Coursera earlier this year - good tool. (My math was too rusty to get past week-3 of the course.) NYT story here . For those of you who are educators, this is an interesting blog posting on MOOC communities/sharing.]

Texas Ruling Shows Why We Need a Federal Anti-SLAPP Law (Eric Goldman, 18 April 2012) - This may be the first application of Texas' new anti-SLAPP law to Internet postings. It's a fine example of why Texas enacted the law in the first place. And it's a good preview of the benefits we could get from federal anti-SLAPP protection. American Heritage Capital is an online lender. Apparently, AHC didn't fund a loan requested by Mrs. Gonzalez, and Mr. Gonzalez posted critical remarks about AHC at multiple websites (including Zillow, CreditKarma and Ripoff Report). Allegedly, AHC's president then sent Mrs. Gonzalez an email threatening her if she didn't remove the posts, including the following passage: "You started this. You can end it. Otherwise I will end it for you, and it won't be pretty." AHC then sued the Gonzalezes in October 2011. In January, AHC voluntarily dropped the lawsuit against Mrs. Gonzalez. (I asked AHC's lawyer why it did so, but the lawyer declined comment; the fact that Mr. Gonzalez admitted he made the posts may have had something to do with it). In March, the court dismissed the lawsuit with prejudice and made Mr. Gonzalez eligible for anti-SLAPP fee-shifting. Last week, the court granted the fee-shift, awarding Mr. Gonzalez:

* over $15k in attorneys' fees
* another $15k in sanctions
* additional financial concessions if AHC challenges this ruling on appeal and loses.

Sadly, this situation is all too common. The Gonzalezes griped online about their experiences as consumers, AHC allegedly tried to bully the posts off the Internet, then AHC tried to use the court system to bully the posts offline. In states without anti-SLAPP laws (or with inadequate ones), AHC almost certainly gets its desired outcome (the content removed) to the detriment of other prospective consumers. Instead, thanks to Texas' new anti-SLAPP law, the Gonzalezes win quickly and the plaintiff writes a non-trivial check for their troubles (2x the attorneys' fees). These are the kinds of outcomes I wish we'd see across the country, not just in Texas and California and a few other states with reasonably strong anti-SLAPP laws.

Who Has the Dirtiest Clouds? Apple, Amazon, but not Google (Peter Vogel, 18 April 2012) - Greenpeace reported that cloud computing may be popular, but generally it's not very clean and gave Apple Ds and Amazon Fs, while Google got the best grades. The Greenpeace report entitled "How Clean is Your Cloud?" made these observations about electrical consumption: (*) The electricity consumption of data centers may be as much as 70% higher than previously predicted; (*) If the cloud were a country, it would have the fifth largest electricity demand in the world.

Copyright and Control of Museum Art Images (MLPB, 18 April 2012) - Kenneth D. Crews, Columbia University, and Melissa A. Brown, Columbia University, have published Control of Museum Art Images: The Reach and Limits of Copyright and Licensing in The Structure of Intellectual Property Law 269-284 (Annette Kur and Vytautas Mizaras, eds., Edward Elgar, 2011). Here is the abstract: "Many museums and art libraries have digitized their collections of artworks. Digital imaging capabilities represent a significant development in the academic study of art, and they enhance the availability of art images to the public at large. The possible uses of these images are likewise broad. Many conditions of use, however, are defined by copyright law or by license agreements imposed by museums and libraries that attempt to circumscribe allowable uses. Often, these terms and conditions will mean that an online image is not truly available for many purposes, including publication in the context of research or simple aesthetic enjoyment. Not only do these terms and conditions restrict uses, they also have dubious legal standing after the Bridgeman case. This chapter examines the legal premises behind claiming copyright in art images and the ability of museums to impose license restrictions on their use.

This paper is one outcome of a study of museum licensing practices funded by The Samuel H. Kress Foundation. It is principally an introduction to the relevant law in the United States and a survey of examples of museum licenses. The project is in its early stages, with the expectation that later studies will expand on this introduction and provide greater analysis of the legal complications of copyright, the public domain, and the reach of license agreements as a means for controlling the use of artwork and potentially any other works, whether or not they fall within the scope of copyright protection."

New Bankruptcy Website Stores Downloaded PACER Documents for Free Reading (ABA Journal, 19 April 2012) - A new website called Inforuptcy is touted as a cheaper alternative to PACER for users searching for bankruptcy documents. The site charges users the regular PACER fee for documents that are not yet in its database. After a document is accessed, however, it remains in the website database for future users, according to the Wall Street Journal blog Bankruptcy Beat . Searching and reading a downloaded document in HTML are free, but downloading a PDF in Inforuptcy's database costs half of the PACER fee of 10 cents a page. Bankruptcy Beat's search for bankruptcy documents led to PACER download charges. That will change as more people use Inforuptcy, according to co-founder Michael Mikikian. "The more people who bypass PACER.gov and use our site instead, the more we will be able to share that information with the public," he told Bankruptcy Beat. The idea is similar to a service called RECAP that provides downloaded PACER documents, the story says.

Insurance Industry Responds to Cyber Attack Increase (Insurance Networking, 20 April 2012) - Last year was an extremely active year for data breaches, according to a new study. "The First Annual 2012 Data Privacy and Information Security Predictions" from Cyber Data-Risk Managers reported that there were 841 incidences of cyber data breaches in 2011, a 37.4-percent increase over 2010. Annual gross written premiums in the cyber risk market were in the $800 million range in 2011, up from $600 million in 2010, according to the Betterly Risk Consultants report, "Cyber/Privacy/Media Liability Market Survey." Meanwhile, in the U.K. a Cyber Insurance Working Group has been established with leading technology insurers, such as Liberty International Underwriters, Zurich Insurance and CNA Europe. The Working Group, launched by independent information assurance firm NCC Group, will meet regularly to drive the development of a framework of recommended information security practices and policies, including adequate business continuity plans and corporate information security policies. "The U.K. is ahead of here in United States as far as cyber insurance because privacy is more highly regarded in Europe than it is here," Marciano told Insurance Networking News. The cyber insurance market is currently worth an estimated £250 million per year across the EU with high-profile cyber attacks increasingly hitting the headlines. "In the United States there are more than 30 cyber insurance carriers with different policies because there's no standard yet," says Marciano. "We could benefit from a cyber insurance work group here because we need some kind of minimum standard for security to control the losses that we anticipate will be coming in."

Internet Intermediary Law Slides from Stanford Guest Lecture (Eric Goldman, 24 April 2012) - I recently guest-lectured at an Internet Law course at Stanford, run by Jennifer Granick and Richard Salgado. My slides . Jennifer asked me to cover 47 USC 230 and 17 USC 512 in a single session. I know other Internet Law professors combine the topics, but I normally don't in my Internet Law course. When I cover online copyright liability, I discuss Section 512 as a defense to secondary copyright infringement. Later, I talk about publication torts, including defamation, and then talk about Section 230 as an Internet exceptionalist approach to publication torts based on third party content. I do have a wrap-up slide at the end of my Section 230 (included in the slides linked up) that contrasts Sections 512 and 230, but I have never taught them together. I thought it worked out nicely, and it gave me a chance to show different ways plaintiffs are attacking UGC websites. Check it out.

Hack The Law (Shareable, 24 April 2012) - On Sunday, April 15, Brooklyn Law School's Incubator and Policy Clinic (BLIP) hosted its first " Legal Hackathon ." Describing lawyers as "traditionally conservative wallflowers and naysayers," Jonathan Askin, the founder of the BLIP Clinic, urged the crowd of lawyers, law students, coders, and entrepreneurs to join a "common mission to apply the law to pave the way for technological, civic, social, and cultural progress." The Legal Hackathon was conceived as a way to get lawyers and law students to work collaboratively with coders, policymakers, and entrepreneurs to develop creative ways for lawyers to use new technology and for coders to interact with the law. At the BLIP Clinic and elsewhere (even, tellingly, that Saturday at New York School of Law), law students and newly minted lawyers are engaging with technology, and with hacker culture, in exciting ways. The second keynote came from Tim Wu, senior advisor for consumer protection at the Federal Trade Commission and professor at Columbia Law School. Wu's keynote struck a very different chord than Rasiej's, emphasizing the historic tension between technological innovation and the law. Most of the inventions that made the information environment what it is today, Wu said, "have two things in common: they're all hacks, and most of them involved breaking the law somehow." Wu's talk emphasized the ethos of hacking, an approach to work that values play, creative problem-solving, and collaborative processes. When asked how the law can keep up with technology, Wu questioned the premise: "Is it actually our aspiration for law to keep pace with technology?" We do not want the law to react quickly, Wu argued, because it represents the slow codification of what we have to say about the authorized use of force. Ultimately, the law should protect a space for innovation, a space that would otherwise shrink and be hampered by private power, Wu said. 
[Editor: Sounds fascinating - wish I'd been there. Anybody have podcasts/slides?]

Limbaugh Copies Michael Savage's Bogus Copyright Theory, Sends DMCA Takedown to Silence Critics (EFF, 24 April 2012) - We've seen some ridiculous DMCA takedowns over the years, but we might have a new champion. On Monday, radio host Rush Limbaugh -- who over a three-day period beginning in late February attacked Georgetown law student Sandra Fluke on air for the apparently unforgivable sin of testifying before Congress to advocate for legislation she supported (a bill mandating health insurance coverage for contraception) -- turned to copyright law to go after one of his most vocal critics, the left-leaning political site Daily Kos. The site's offense? Publishing a damning montage of Limbaugh's controversial comments about Ms. Fluke. While initiating frivolous legal processes to intimidate and silence critics is hardly new, Limbaugh actually seems to be taking a specific page out of the playbook of Michael Savage, his on-again/ off-again compatriot and fellow conservative talk radio fixture. In 2007, Savage turned to copyright law in an ultimately futile attempt to silence the Council on American-Islamic Relations (CAIR) who did precisely what the Daily Kos has done here: post online a minutes-long montage of outrageous statements made by a radio host in order to criticize the host's behavior and expose it for a public audience. In Savage's case, he unsuccessfully sued CAIR for copyright infringement. (And, bizarrely, for racketeering, because posting his xenophobic anti-Muslim rant was clearly part of a vast global terrorist conspiracy targeting Michael Savage .) Limbaugh has (for now) chosen the more expeditious DMCA takedown route. Just as with Savage's ridiculous attempt to keep his own words from being used against him failed, though, so will Limbaugh's.

Art Is Long; Copyrights Can Even Be Longer (NYT, 25 April 2012) - It is there in the new 3-D version of "Titanic," as it was in James Cameron's original film: a modified version of Picasso's painting "Les Demoiselles d'Avignon" aboard the ship as it sinks. Of course that 1907 masterpiece was never lost to the North Atlantic. It has been at the Museum of Modern Art for decades - which is precisely the reason the Picasso estate, which owns the copyright to the image, refused Mr. Cameron's original request to include it in his 1997 movie. But Mr. Cameron used it anyway. After Artists Rights Society, a company that guards intellectual property rights for more than 50,000 visual artists or their estates, including Picasso's, complained, however, Mr. Cameron agreed to pay a fee for the right to use the image. With the rerelease of "Titanic," the society wants Mr. Cameron to pay again, asserting that the 3-D version is a new work, not covered under the previous agreement. Filmmakers are not the only ones who sometimes run afoul of artists' copyright law. In recent weeks Google Art Project, which just expanded its online collection of images to more than 30,000 works from 151 museums, agreed, because of copyright challenges, to remove 21 images it had posted. Artists' copyright is frequently misunderstood. Even if a painting (or drawing or photograph) has been sold to a collector or a museum, in general, the artist or his heirs retain control of the original image for 70 years after the artist's death. If someone wants to reproduce the painting - on a Web site, a calendar, a T-shirt, or in a film - it is the estate that must give its permission, not the museum. That is why, despite the expansion, Google Art Project still does not contain a single Picasso. Indeed, few 20th-century artists are included in the project's digital collection because copyright owners have not yet given permission. 
"We don't want to prevent Google from showing the work, but they won't enter into negotiations with us," Mr. Feder said.

Equipment Maker Caught Installing Backdoor Account in Control System Code (Wired, 25 April 2012) - A Canadian company that makes equipment and software for critical industrial control systems planted a backdoor login account in its flagship operating system, according to a security researcher, potentially allowing attackers to access the devices online. The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device. Attackers can uncover the password for a device simply by inserting the MAC address, if known, into a simple Perl script that Clarke wrote. MAC addresses for some devices can be learned by doing a search with SHODAN, a search tool that allows users to find internet-connected devices, such as industrial control systems and their components, using simple search terms. RuggedCom switches and servers are used in "mission-critical" communication networks that operate power grids and railway and traffic control systems as well as manufacturing facilities. [Editor: see follow-on story of 2 May, lauding Clarke for the disclosure.]

The Case Against Virtual Annual Shareholders Meetings (Broc Romanek on CorporateCounsel.net, 26 April 2012) - Over the years, I have wavered - yes, even flip-flopped - over whether allowing companies to hold virtual annual shareholder meetings (i.e. without any physical audience) is a good idea. More recently, I had gotten comfortable with the notion that it might be okay for companies that know that their meeting will be held without any controversy. The problem is how do companies really know this when so much of their vote comes in typically within the last 48 hours or so? So now we have the news that Martha Stewart Living Omnimedia intends to hold its meeting as a virtual one - as noted in its proxy statement - complete with an online shareholders forum, as noted in these additional soliciting materials . And even though the company is a controlled one - by Martha Stewart herself and family - I can't help but think this is a problem given Mark Borges' blog that the company is the target of a shareholder class action lawsuit alleging that the company's disclosure for a proposal to increase the share reserve of its omnibus stock plan was inadequate (plaintiff is seeking an injunction to prevent the company from bringing the proposal to a vote at its annual meeting in late May). A company with a controversy should have its management team and board available to face interested shareholders once a year.

Social Media Guidelines: My Top [University] Picks (InsideHigherEd, 26 April 2012) - When I search for "social media guidelines," sans quotes on Google, there are 41,200,000 results. Corporate sites, blog posts, higher education institutions, and more provide a rich amount of social media guideline examples. When I'm out on the road working with schools or conference attendees, I am often asked to provide social media guideline resources. In the spirit of sharing, here are my top picks for social media guidelines that are easily applicable for folks in Student Affairs * * *

Cloud Computing: Legal Standards Up in the Air (Christian Science Monitor, 26 April 2012) - With the advent of Google Drive , we talk about cloud computing as if the bits and bytes of our lives are stored somewhere up in the air, but, really, the "clouds" are very terrestrial. What's more up in the air are the laws that govern who can access your stuff and how. "The problem that cloud computing has, more generally, is that (the real world) assumes that rights are based geographically," Mark Radcliffe, senior partner at law firm DLA Piper, said in an interview with the newspaper. "That assumption is not realistic in the cloud." One concern some have expressed online and out loud is how law enforcement could gain access to your digital life stored in a cloud. With a computer in your home, you'd have to be served a warrant for legal access to your hard drive. But with remote storage, you may not know whether a subpoena or warrant has been served on the cloud service provider. "Law enforcement can subpoena the service, but it depends on their contractual obligation," Radcliffe said. In other words, what they spell out in their terms of service. Always remember, that's a contract that you agree to by using the service. Most terms of service include a clause stating the provider would give up your information if required by law, with no mention of whether it would inform you. Interestingly enough, Dropbox's Terms of Service says something a little different.

Amazon Outage One Year Later: Are We Safer? (Network World, 27 April 2012) - Amazon Web Services last April suffered what many consider to be the worst cloud service outage to date - an event that knocked big name customers such as Reddit, Foursquare, HootSuite, Quora and others offline, some for as many as four days. So, a year after AWS's major outage, has the leading Infrastructure-as-a-Service and cloud provider made changes necessary to prevent another meltdown? And if there is a huge repeat, are enterprises prepared to cope? The answers are not cut and dried, experts say. In part, it's difficult to answer these questions because AWS is notoriously close-lipped about the inner workings of its massive cloud operations , which not only had an outage last April, but suffered a shorter-lived disruption in August . What's more, it's hard to get a read on individual cloud customers' private plans, although industry watchers such as IDC analyst Stephen Hendrick say many enterprises have a long way to go to be fully isolated from provider shortfalls.

The Hard Drives Most Likely to Expose Your Data Aren't Your Own (ArsTechnica, 27 April 2012) - Hard drives that provide prime material for identity theft are more likely to come from a company for which you are an employee or client than from your own computer, according to a study released by the Information Commissioner's Office in the UK on Thursday. ICO had a computer forensics company read 200 used hard drives using freely available tools, and found that files containing personal data like bank account info and tax forms were more likely to have come from an organization than an individual. The 200 hard drives were sourced from computer trade fairs and online auction sites by the forensics company NCC Group. The drives were first searched without any particular software, and then searched again using "forensic tools freely available on the internet." Fifty-two percent of the drives had been wiped, but 48 percent still had readable information, with 34,000 recoverable files. Of the 200 drives, only two had enough data to allow a new owner to steal the former owner's identity. Four more drives, however, contained information on employees and clients of four organizations, including health and financial details.

Patent Office Weighs Patent Secrecy for "Economic Security" (FAS.org Secrecy News, 27 April 2012) - In response to congressional direction, the U.S. Patent and Trademark Office is considering whether to expand the scope of patent secrecy orders - which prohibit the publication of affected patent applications - in order to enhance "economic security" and to protect newly developed inventions against exploitation by foreign competitors. Currently, patent secrecy orders are applied only to patent applications whose disclosure could be "detrimental to national security" as prescribed by the Invention Secrecy Act of 1951. At the end of Fiscal Year 2011, there were 5,241 such national security secrecy orders in effect . But now the Patent Office is weighing the possibility of expanding national security patent secrecy into the "economic security" domain. "The U.S. Patent and Trademark Office is seeking comments as to whether the United States should identify and bar from publication and issuance certain patent applications as detrimental to the nation's economic security," according to a notice that was published in the Federal Register on April 20.

GSA Tool Lets People Verify Genuine Federal Social Media Accounts (FCW, 27 April 2012) - Federal agencies need help tracking their social media accounts, and citizens need help verifying which government accounts are authentic. Now the General Services Administration has stepped in to address both of those concerns with a new online solution. The GSA this week launched the new online Federal Social Media Registry and verification tool intended to allow users to register and verify official federal social media accounts. The registry is meant to serve as a central database to list all official, verified federal social media accounts on Twitter, Facebook, Google+ and YouTube and other services, totaling 22 networks. Debuting on Howto.gov on April 26, the registry allows users to enter an account name to determine if it is an official account sponsored by a federal agency. It also allows federal managers to submit accounts for registration and verification. While the registry is up and running, it was apparently incomplete as of April 27. A quick check of about a dozen official federal Twitter accounts indicated that about half had not been registered yet. In addition, the registry does not include official accounts at Pinterest.com, which is currently one of the fastest-growing social networks.

Even Harvard Can't Afford Subscriptions To Academic Journals; Pushes For Open Access (TechDirt, 30 April 2012) - Techdirt has published several posts recently about the growing anger among scholars over the way their work is exploited by academic publishers. But there's another angle to the story, that of the academic institutions who have to pay for the journals needed by their professors and students. Via a number of people, we learn that the scholars' revolt has spread there, too: " We write to communicate an untenable situation facing the Harvard Library. Many large journal publishers have made the scholarly communication environment fiscally unsustainable and academically restrictive. This situation is exacerbated by efforts of certain publishers (called "providers") to acquire, bundle, and increase the pricing on journals. Harvard's annual cost for journals from these providers now approaches $3.75M. In 2010, the comparable amount accounted for more than 20% of all periodical subscription costs and just under 10% of all collection costs for everything the Library acquires. Some journals cost as much as $40,000 per year, others in the tens of thousands. Prices for online content from two providers have increased by about 145% over the past six years, which far exceeds not only the consumer price index, but also the higher education and the library price indices."

Here's Why Google and Facebook Might Completely Disappear in the Next 5 Years (Forbes, 30 April 2012) - We think of Google and Facebook as Web gorillas. They'll be around forever. Yet, with the rate that the tech world is moving these days, there are good reasons to think both might be gone completely in 5 - 8 years. Not bankrupt gone, but MySpace gone. And there's some academic theory to back up that view, along with casual observations from recent history. More and more in the Internet space, it seems that your long-term viability as a company is dependent on when you were born. Think of the differences between generations and when we talk about how the Baby Boomers behave differently from Gen X'ers and additional differences with the Millennials. Each generation is perceived to see the world in a very unique way that translates into their buying decisions and countless other habits. With each succeeding generation in the Internet, it seems the prior generation can't quite wrap its head around the subtle changes that the next generation brings. Web 1.0 companies did a great job of aggregating data and presenting it in an easy to digest portal fashion. Google did a good job organizing the chaos of the Web better than AltaVista, Excite, Lycos and all the other search engines that preceded it. Amazon did a great job of centralizing the chaos of e-commerce shopping and putting all you needed in one place. When Web 2.0 companies began to emerge, they seemed to gravitate to the importance of social connections. MySpace built a network of people with a passion for music initially. Facebook got college students. LinkedIn got the white collar professionals. Digg, Reddit, and StumbleUpon showed how users could generate content themselves and make the overall community more valuable. * * * [Editor: There's more. This is a useful, cautionary perspective that resonates with me. I think Facebook already is done, but expect Google to persist and evolve.]

Electronic-Records Goals Aren't Met by 80% of U.S. Hospitals (Bloomberg, 1 May 2012) - More than 80 percent of hospitals have yet to achieve the requirements for the first stage of a $14.6 billion U.S. program to encourage doctors to adopt electronic medical records, the industry's largest trade group said. The program is too ambitious and goals may not be met, Rick Pollack, executive vice president of the American Hospital Association, said yesterday in a 68-page letter to the Health and Human Services Department. He cited "the high bar set and market factors, such as accelerating costs and limited vendor capacity." The records program, enacted as part of the economic stimulus law in 2009, makes hospitals eligible for payments of as much as $11.5 million if they can demonstrate "meaningful use" of computer systems, according to the Washington-based group. Hospitals and doctors who don't adopt electronic records by 2015 will be penalized with lower Medicare payments. Hospitals are "particularly concerned," he said, about a requirement in the new rules that they let patients view and download their medical records from websites. The requirement "is not feasible as proposed, raises significant security issues and goes well beyond current technical capacity," Pollack wrote. Patients' inability to easily download records from doctors and hospitals has hampered development of personal medical records systems such as a Google Inc. (GOOG) program that was shut down last year after it failed to gain enough users, said Farzad Mostashari, who leads the electronic records program at the Department of Health and Human Services.

Electronic Filing at Federal Circuit (PatentlyO, 3 May 2012) - If you are filing a Federal Circuit appeal, beware that the court will soon require Electronic Case Filing. The initial filing (i.e., case initiating documents) will still be done on paper, but after May 17, 2012 any subsequent filings (such as responsive briefs and petitions) must be done electronically (with some exceptions). Except as otherwise prescribed by Circuit rule or court order, all briefs, appendices, motions, petitions for rehearing, and other documents filed in cases assigned to the CM/ECF system, must be filed electronically using the CM/ECF system by a filer registered in accordance with ECF-2. Comments on the new procedures are due by May 8, 2012. [ New Procedures ]

Judge Rules IP Addresses Are Insufficient Evidence To Identify Pirates (GeekoSystem, 3 May 2012) - Mass lawsuits have been one of the most effective weapons rightsholders have had against torrenters. By using IP addresses to identify infringers, rightsholders have not only been able to find a large supply of alleged infringers to take action against, but are also able to attach names - and wallets - to instances of infringement. The problem is that these cases tend to operate with the pinpoint accuracy of a flamethrower, which is why New York Judge Gary Brown has ruled IP addresses are insufficient evidence to identify pirates, and has provided a lengthy and thoughtful explanation as to why that is. [A] person who has the misfortune of having their name attached to the IP address in question isn't necessarily the one who was doing the pirating. In fact, they often aren't. That's not to say they never are, but it's a bit of a mess at best. Judge Gary Brown, in his order, attempted to straighten things up a bit with a very detailed explanation of why, legally, IP addresses are not sufficient evidence to prosecute pirates. Essentially, it boils down to one major point: using an IP address used to be a pretty reasonable method to single out an individual, but it isn't anymore. In the past, file-sharing could be tracked down to a single, wired access point that was registered to a single person and could only be used by one person at any given time.

NOTED PODCASTS

All Your Devices Can Be Hacked (TEDx talk by Avi Rubin, 1 Dec 2011; 17min) - Avi Rubin is Professor of Computer Science at Johns Hopkins University and Technical Director of the JHU Information Security Institute. Avi's primary research area is Computer Security, and his latest research focuses on security for electronic medical records. Avi is credited for bringing to light vulnerabilities in electronic voting machines. In 2006 he published a book on his experiences since this event. [Editor: hacking implanted medical devices, automobiles' speedometer and brakes and microphones, etc.]

RESOURCES

Do You Have an FBI File? -- This web site helps you generate the letters you need to send to the FBI to get a copy of your own FBI file. We can help you get your files from other "three-letter agencies" (CIA, NSA, DIA, ...) too. It's quick, it's easy, and best of all, it's free! Just click on the green arrow to get started! (If you're looking for FBI files on someone else, our sister web site, Get Grandpa's FBI File, can help you obtain FBI files for deceased individuals. If you have other questions about this site, please see our frequently asked questions page.)

BOOKS

The CERT Guide To Insider Threats (review by on SlashDot, 18 April 2012) - While Julius Caesar likely never said 'Et tu, Brute?' the saying associated with his final minutes has come to symbolize the ultimate insider betrayal. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which creates an important resource on the topic of insider threats. There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks and the book documents many of them. The book is based on work done at the CERT Insider Threat Center, which has been researching this topic for the last decade. The data the threat center has access to is unparalleled, which in turn makes this the definitive book on the topic. The threat center has investigated nearly 1,000 incidents and their data sets on the topic are unrivaled. With that, the book truly needs to be on the desktop of everyone tasked with data security and intellectual property protection. The book provides a unique perspective on insider threats as the CERT Insider Threat Center pioneered the study of the topic, and has exceptional and empirical data to back up their findings. While there are many books on important security topics such as firewalls, encryption, identity management and more; The CERT Guide to Insider Threats is one of the first to formally and effectively tackle the extraordinarily devastating problem of trusted insiders who misappropriate data. In 9 detailed chapters and 6 appendices, the book provides a comprehensive and exhaustive analysis of the problem and menace of insider threats. After completing the book, one is well-prepared to initiate an insider threat program.
The book provides examples of insider crimes from nearly every industry segment and ample data to share with management to convince them that the threats, both to their intellectual property and corporate profits, are very real.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

NATIONAL ZOO CITES PRIVACY CONCERNS IN ITS REFUSAL TO RELEASE ANIMAL'S MEDICAL RECORDS (WashingtonPost.com, 6 May 2002) -- Thousands of people have peered in on the National Zoo's PandaCam to see Tian Tian and Mei Xiang cavorting. They have surfed to the zoo Web site's ElephantCam to watch the most intimate moments between Shanti and the pachyderm's newborn calf. And they have tuned into the Naked Mole-Rat Cam to follow the subterranean rodent's tubular meanderings. But don't ask to see their medical records. You won't get them. The Smithsonian Institution's National Zoo has taken the position that viewing animal medical records would violate the animal's right to privacy and be an intrusion into the zookeeper-animal relationship. The notion that animals have a right to privacy is, from a legal standpoint, odd, because courts have long held that they don't. http://www.washingtonpost.com/wp-dyn/articles/A37589-2002May5.html

IRS ADJUSTING SITE PAGES TO CURB FRAUD (CNET, 23 May 2002) -- The Internal Revenue Service is tweaking the technology in its Web pages so that people surfing the Web to research ways of avoiding taxes will turn up the agency's fraud pages instead. The IRS publishes information on the Internet about suspect tax schemes and online scams. The agency is trying to make those pages more prominent in search results by using key words or metatags, code that is not visible to Web surfers, but helps search engines find relevant sites. Sample metatags the IRS is looking at include the terms "pay no tax" and "form 1040." For instance, typing the words "pay no tax" into MSN and Google search engines on Thursday turned up links to sites with text such as "beat the IRS" and "offshore banking." http://news.com.com/2100-1017-921263.html?tag=fd_top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.