Saturday, September 29, 2012

MIRLN --- 9-29 September 2012 (v15.13)

MIRLN --- 9-29 September 2012 (v15.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses (Congressional Research Service, 6 Sept 2012) - The prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an onboard human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm's way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations, which might include in furtherance of homeland security, crime fighting, disaster relief, immigration control, and environmental monitoring. Although relatively few drones are currently flown over U.S. soil, the Federal Aviation Administration (FAA) predicts that 30,000 drones will fill the nation's skies in less than 20 years. This report assesses the use of drones under the Fourth Amendment right to be free from unreasonable searches and seizures. The touchstone of the Fourth Amendment is reasonableness. A reviewing court's determination of the reasonableness of drone surveillance would likely be informed by location of the search, the sophistication of the technology used, and society's conception of privacy in an age of rapid technological advancement. 
While individuals can expect substantial protections against warrantless government intrusions into their homes, the Fourth Amendment offers less robust restrictions upon government surveillance occurring in public places and perhaps even less in areas immediately outside the home, such as in driveways or backyards. Concomitantly, as technology advances, the contours of what is reasonable under the Fourth Amendment may adjust as people's expectations of privacy evolve.

Copyright Trolls' Bogus "Negligence" Theory Thrown Out Of Court Again (EFF, 6 Sept 2012) - Judges on both coasts of the U.S. have now rejected one of the copyright trolls' favorite tactics - suing an Internet subscriber for "negligence" when someone else allegedly downloaded a movie illegally. Judge Phyllis Hamilton of the Northern California federal court threw out a negligence suit by a Caribbean holding company against a Californian, Joshua Hatfield. The company, AF Holdings, had alleged that Mr. Hatfield allowed unnamed third parties to use his Internet connection to download a pornographic movie using BitTorrent, infringing copyright. Judge Hamilton ruled that Hatfield was not responsible for the actions of strangers. She joins Judge Kaplan of the Southern District of New York, who reached the same conclusions in another case in July. The "negligence" strategy had three fatal flaws, according to the court. First, an Internet subscriber like Mr. Hatfield has no legal duty to police his Internet connection to protect copyright owners like AF Holdings. Second, even if AF had a valid "negligence" claim against Mr. Hatfield under state personal injury law, federal copyright law would override it. This is called preemption. And finally, even if copyright law didn't trump a negligence claim, Section 230 of the federal Communications Decency Act probably would.

Sniffing Open WiFi Networks is Not Wiretapping, Judge Says (Ars Technica, 7 Sept 2012) - A federal judge in Illinois has ruled that intercepting traffic on unencrypted WiFi networks is not wiretapping. The decision runs counter to a 2011 decision that suggested Google may have violated the law when its Street View cars intercepted fragments of traffic from open WiFi networks around the country. The ruling is a preliminary step in a larger patent trolling case. A company called Innovatio IP Ventures has accused various "hotels, coffee shops, restaurants, supermarkets," and other businesses that offer WiFi service to the public of infringing 17 of its patents. Innovatio wanted to use packet sniffing gear to gather WiFi traffic for use as evidence in the case. It planned to immediately delete the contents of the packets, only keeping the headers. Still, the firm was concerned that doing so might violate federal privacy laws, so it sought a preliminary ruling on the question. Federal law makes it illegal to intercept electronic communications, but it includes an important exception. It's not illegal to intercept communications "made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." Judge James Holderman ruled that this exception applies to Innovatio's proposed packet sniffing. In the Google Street View case, a California judge had suggested that WiFi communications were not public, even if they were sent without encryption.

- and -

'Stingray' Phone Tracker Fuels Constitutional Clash (WSJ, 13 Sept 2012) - For more than a year, federal authorities pursued a man they called simply "the Hacker." Only after using a little known cellphone-tracking device - a stingray - were they able to zero in on a California home and make the arrest. Stingrays are designed to locate a mobile phone even when it's not being used to make a call. The Federal Bureau of Investigation considers the devices to be so critical that it has a policy of deleting the data gathered in their use, mainly to keep suspects in the dark about their capabilities, an FBI official told The Wall Street Journal in response to inquiries. A stingray's role in nabbing the alleged "Hacker" - Daniel David Rigmaiden - is shaping up as a possible test of the legal standards for using these devices in investigations. The FBI says it obtains appropriate court approval to use the device. Stingrays are one of several new technologies used by law enforcement to track people's locations, often without a search warrant. These techniques are driving a constitutional debate about whether the Fourth Amendment, which prohibits unreasonable searches and seizures, but which was written before the digital age, is keeping pace with the times. On Thursday the government will argue it should be able to withhold details about the tool used to locate Mr. Rigmaiden, according to documents filed by the prosecution. In a statement to the Journal, Sherry Sabol, Chief of the Science & Technology Office for the FBI's Office of General Counsel, says that information about stingrays and related technology is "considered Law Enforcement Sensitive, since its public release could harm law enforcement efforts by compromising future use of the equipment." A stingray works by mimicking a cellphone tower, getting a phone to connect to it and measuring signals from the phone.
It lets the stingray operator "ping," or send a signal to, a phone and locate it as long as it is powered on, according to documents reviewed by the Journal. The device has various uses, including helping police locate suspects and aiding search-and-rescue teams in finding people lost in remote areas or buried in rubble after an accident.

- and -

Do Users of Wi-Fi Networks Have Fourth Amendment Rights Against Government Interception? (Volokh Conspiracy, Orin Kerr, 24 Sept 2012) - Here's the question: Does governmental interception and analysis of the contents of a person's wi-fi traffic constitute a Fourth Amendment search? And does it depend on whether the traffic is encrypted or unencrypted? The answer turns out to be surprisingly murky. Because the Wiretap Act has been thought to protect wireless networks, the Fourth Amendment issue has not come up: There's a surprising lack of caselaw on it. Second, there are plausible arguments on either side of the debate both for encrypted and unencrypted transmissions. So I wanted to run through the arguments and then ask which side readers find more persuasive. I'll start with unencrypted communications and then turn to encrypted communications * * * [Editor: the author, Orin Kerr, is the leading authority on the Third-Party Doctrine, and reliably working to protect and expand it; after several paragraphs, he produces this gem:] Decrypting ciphertext may seem like unlocking a locked communication, but the ciphertext is actually already exposed: Decryption is a matter of analyzing that which has been already exposed rather than bringing new things into view. From that perspective, decryption is not a search. I made this argument in an early article that I think I still find persuasive: The Fourth Amendment in Cyberspace: Can Encryption Create a Reasonable Expectation of Privacy?, 33 Conn. L. Rev. 503 (2001). Readers are invited to read the whole article to understand the full argument (it's relatively short) * * *

The Constitution Project's New Report on Fusion Centers (Lawfare, 11 Sept 2012) - The Constitution Project today released a new report titled Recommendations for Fusion Centers: Preserving Privacy & Civil Liberties While Protecting Against Crime & Terrorism. In the wake of the 9/11 attacks, the federal government worked with states and some major cities to develop a network of these centers (there are now nearly 80 of them), to share information among law enforcement and some intelligence agencies. The report summarizes their development and the complex web of laws that apply to their activities, analyzes civil liberties and effectiveness issues, and recommends reforms to this set of programs.

Lawsuit Says Phone Companies Gouged FBI on Wiretaps (GigaOM, 11 Sept 2012) - A former New York prosecutor, John Prather, claims AT&T, Verizon, Qwest and Sprint regularly charged law enforcement agencies 10 times what they should have for routine wiretaps. He's now suing on behalf of the FBI and state and city police departments to recover many millions of dollars for overcharging that allegedly took place for almost 20 years. The case provides a window on the evolving world of wiretaps during an era of increasing surveillance. But the case is complicated because Prather stands to get a big chunk of money if the case succeeds and, as the phone companies argue, he may not be a real whistle-blower in the first place. Congress, realizing that it would be expensive for phone companies to make their equipment CALEA-compliant, authorized $500 million to help them carry out the upgrades. The law also permitted the companies to recover "reasonable" costs for carrying out wiretaps. It's those "reasonable" costs that are the basis of the lawsuit.

Wyndham Hotels Tries To Boot FTC From Its Premises (Steptoe, 13 Sept 2012) - Wyndham Hotels & Resorts LLC earlier this month filed a motion to dismiss a Federal Trade Commission complaint, contending that the FTC does not have the authority to regulate the data security practices of private companies. The FTC's complaint alleges that the hospitality company violated the FTC Act, which prohibits "unfair and deceptive acts or practices," by not maintaining "reasonable and appropriate" data security measures. In its motion to dismiss, Wyndham asserts that "[n]othing in the text or history of Section 5 purports to give the Commission authority to decide whether data-security protections are 'unfair,' 'reasonable,' or appropriate." While the FTC has been using Section 5 to bring an increasing number of enforcement actions against private companies based on apparent data privacy or security lapses, companies invariably settle the actions, leaving the FTC's authority unchallenged. We may now finally get to see what a court thinks of the FTC's expansive interpretation of its statutory authority.

Florida Court: Lawyers And Judges Should Not Be Facebook Friends (JD Supra, 13 Sept 2012) - Can't lawyers and judges just be "friends?" Apparently not, so ruled Florida's Fourth District Court of Appeal last week in Domville v. State, No. 4D12-556 (Fla. 4th DCA 2012). The Fourth District's decision is seemingly the first of its kind since the Florida Judicial Ethics Advisory Committee issued an opinion in November 2009 forbidding judges from accepting "social networking" friendships from lawyers who may appear before them. In Domville, a criminal defendant moved to disqualify the trial judge whom the defendant alleged was a Facebook friend of the prosecutor assigned to the case. The defendant supported his motion with an affidavit averring that this "Facebook relationship" caused the defendant to believe that the judge could not "be fair and impartial." The defendant further explained that he was a Facebook user and that his "friends" consisted "only of [his] closest friends and associates, persons whom [he] could not perceive with anything but favor, loyalty and partiality." On appeal, the Domville court quashed the trial court's order denying disqualification of the trial judge and, in so doing, gave the Advisory Committee's opinion much credence: "as the [Advisory] Committee recognized, a judge's activity on a social networking site may undermine confidence in the judge's neutrality." The Advisory Committee further admonished this practice because "the identification of the lawyer as a 'friend' on [a] social networking site [improperly] conveys the impression that the lawyer is in a position to influence the judge."

The Ethics of Cloud Computing for Lawyers (ABA GP/Solo eReport, 17 Sept 2012) - Can you legally use cloud computing in a law-firm environment? What are best practices if you use cloud computing? Of course, many ethical issues arise when lawyers seek to store confidential client data on servers to which third parties have access. It's not surprising, then, that over the last few years a number of ethics committees have wrestled with the ethical issues presented when lawyers seek to use cloud computing in their law practices. Those committees have released the following opinions: North Carolina State Bar Council 2011 Formal Ethics Opinion 6, Massachusetts Bar Association Ethics Opinion 12-03, Oregon State Bar Formal Opinion No. 2011-188, Professional Ethics Committee of the Florida Bar Op. 10-2 (2011), New York State Bar Association's Committee on Professional Ethics Op. 842 (2010), Pennsylvania Bar Association Ethics Opinion No. 2010-060 (2010), and Iowa Committee on Practice Ethics and Guidelines Ethics Opinion 11-01 (2011). Thus far, US ethics commissions have determined that it is ethical for lawyers to use cloud computing, with most concluding that lawyers must take reasonable steps to ensure that their law firm's confidential data is protected from unauthorized third party access. The Iowa opinion, Ethics Opinion 11-01, handed down in September 2011, is illustrative and offers a well-balanced and thorough analysis of a lawyer's ethical obligations when using cloud computing platforms to store confidential client data. For a full list of the ethics opinions from the various jurisdictions, you can refer to an online chart recently published by the ABA. This handy chart compares and contrasts the different holdings and can be found here.

Could a Workplace Social Network Replace Email and Phone? One Agency Thinks So (NextGov, 14 Sept 2012) - The National Nuclear Security Administration plans to roll out a workplace social network next spring that will replace much of the agency's emailing and phone calls, Chief Technology Officer Travis Howerton said Friday. The platform, called One Voice, is a pilot that other divisions of the Energy Department may adopt in the future, Howerton said at a breakfast discussion about federal technology policy sponsored by the Association for Federal Information Resources Management, a government-industry partnership. The initial launch will be for NNSA's roughly 45,000 employees and contractors. Howerton described the social networking program as similar to Facebook in that there will be a broadly accessible layer that everyone in the system can look at as well as numerous subcommunities for people in particular divisions or with certain expertise. Accessing the site will require extensive authentication, he said. Additional authentication will be required for specific communities that discuss sensitive information, he said. The social networking platform will include embedded systems for instant messaging, Web conferencing and other tools, he said. A social information exchange rather than a one-to-one email exchange will help employees to filter out more extraneous information and will reduce the pressure to send unnecessary responses, he said. It also will bring useful participants into a conversation that an emailer might not have thought to include and filter out those who are extraneous, he said. The system will archive all information so less institutional knowledge will be lost when an employee leaves the agency or changes jobs, he said.

Dutch Court Rules Linking to Photos is Copyright Infringement (ArsTechnica, 14 Sept 2012) - A Dutch court has ruled that the website GeenStijl infringed copyright by linking to unauthorized copies of nude pictures of reality star Britt Dekker. The pictures originally appeared in the Dutch version of Playboy magazine. According to the Associated Press, the website has been ordered to pay €28,400 ($36,000) and will face further fines if it does not remove the links. Linking generally does not constitute copyright infringement in the United States. However, the US government has begun prosecuting the operators of "link sites" that contain large numbers of carefully organized links to infringing content.

Cybersecurity Bill: Why Senator is Taking His Case Straight to Top CEOs (CSM, 19 Sept 2012) - Seeking to overcome opposition from the US Chamber of Commerce and other business groups to a cybersecurity bill, Sen. Jay Rockefeller (D) of West Virginia took the unusual step Wednesday of writing the CEOs of the 500 largest US companies to request their views on cybersecurity and the legislation aimed at protecting the nation's critical infrastructure from computer attacks. Senator Rockefeller wrote a day after two other Senate Democrats, Chris Coons of Delaware and Richard Blumenthal of Connecticut, wrote a joint letter to President Obama calling on him to issue an executive order aimed at protecting critical infrastructure from cyberattack. Rockefeller and Sen. Dianne Feinstein (D) of California also have called for presidential action. Recipients of Rockefeller's letter included Virginia Rometty, CEO of IBM, as well as the chiefs of ExxonMobil, Wal-Mart, General Electric, Ford and big utility companies. But the mailing list also sent it to many company chieftains whose cybernetworks are unlikely to be vital to the nation's welfare. While Rockefeller has in the past polled small groups of businesses, it was apparently the first time detailed views on this subject were being requested en masse. Responses to such letters are purely voluntary, but usually receive thoughtful replies, according to a spokesman for the Senate Commerce, Science and Transportation committee where Rockefeller serves as chairman. Rockefeller's letter appeared aimed at building an independent assessment of business viewpoints that might defuse lobbying that many blamed for the failed vote. One such letter (to IBM) is here.

Data Breach Insurance Coverage Lawsuit Highlights Necessity for Cyber Liability (Scott & Scott LLP, Sept 2012) - In August of 2012, the Sixth Circuit ruled on a case that determined who is responsible for the costs associated with loss of data arising from a hacking incident in Retailer Ventures, Inc. v. Nat'l Union Fire Ins. Co., -- F.3d --, 2012 WL 3608432 (6th Cir. Aug. 23, 2012). In this matter, DSW Shoe Warehouse was targeted by computer hackers who successfully accessed their systems and harvested the credit card and checking account information for more than 1.4 million DSW customers. In its efforts to conduct thorough investigations into the incident and comply with the numerous state and federal data breach notification requirements, DSW incurred expenses of more than $5M. DSW sought to offset these costs (which, by the way, are not at all atypically large for a data breach of this size), by making a claim on its insurance policy under an endorsement called "Computer & Funds Transfer Fraud Coverage." While this endorsement may seem like a no-brainer policy to make a data breach claim under, the language of the policy provided coverage for loss "resulting directly" from theft as a result of computer fraud. Here, however, the insurance provider refused to cover the loss, claiming that any loss sustained did not "result directly" from the hacking event. On appeal, the Sixth Circuit affirmed the lower court's award in favor of DSW that the insurance provider had breached the contract with DSW when it refused to cover DSW's claim as the language of the policy was ambiguous, and thus should be construed in a light most favorable to the non-drafting party. While DSW ultimately prevailed, this case highlights how important it is to have a cyber liability policy in place that is written to specifically cover the costs associated with a data breach event. 
When forced to rely on non-cyber liability endorsements, the insured may find itself having to engage in legal gymnastics to argue that it is entitled to coverage of associated breach costs. Even for events involving a fraction of the number of users, costs can quickly extend to the 6 figures and beyond. If your company routinely handles sensitive customer information, be sure you and your vendors have cyber liability policies in place to cover the costs related to these unfortunate events.

- but -

Don't Waste Your Money On Cyber Breach Insurance (Dark Reading, 26 Sept 2012) - As an increasing number of businesses are starting to look at cyber breach insurance as a tool to mitigate the risks of data breaches, IT security pros need to be prepared to help their organizations avoid the hazards of choosing a policy that may not pay out when the worst occurs. Chief among the biggest pitfalls? Trying to use insurance as a financial replacement for investment in sound protection of databases and other data security infrastructure. "These insurance policies can't eliminate risk, they can only help you control and minimize it," says Rich Santalesa, senior counsel for Infolaw Group. "It's really one arrow in the quiver of those dealing with today's cyber risks and some of the liabilities that can spring from them." One of the difficulties in shopping for one of these policies is the fact that cyber insurance is so new and is like no other insurance, says John Nicholson, an IT sourcing, privacy and data security attorney based out of the Washington, D.C. area. "If you demonstrate that you're a really good driver, then your car insurance rates go down," he says. "In the cyber world, it's not quite there yet because people just don't know what those profiles are and how to accurately evaluate those levels of risk." Because the insurance companies are themselves still taking baby steps into the market, the process of even just applying for one of these policies may actually provide one of the biggest parts of the breach insurance value proposition, Nicholson says. "So they don't get blindsided by something in their clients' environments, the application process of these insurance policies is actually pretty extreme," he says. "They actually force you to go through a rigorous process to evaluate and disclose your own cybersecurity practices. That exercise in and of itself is very valuable."

Eleventh Circuit Rules "Damages" Properly Alleged in Data Breach-Identity Theft Lawsuit (Information Law Group, 17 Sept 2012) - In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft. The Court's opinion, decided under Florida law, gives crucial guidance to plaintiffs seeking damages for identity theft caused by a data breach and to defendants seeking to defend against such claims. See Curry v. AvMed, Inc., No. 11-13694, 2012 WL 3833035, - F.3d -- (11th Cir. Sep. 5, 2012). After amending their complaint several times, the plaintiffs alleged that AvMed was negligent in protecting their sensitive information; was negligent per se when it violated Fla. Stat. § 695.3025, which protects medical information; breached its contract (or alternatively, implied contract) with Plaintiffs; was unjustly enriched; breached the implied covenant of good faith and fair dealing; and breached the fiduciary duty it owed to Plaintiffs. The federal district court dismissed the case for failure to state a cognizable injury. On appeal, the circuit court held that allegations of identity theft that caused monetary damages - an issue of first impression in the Eleventh Circuit - are an injury in fact sufficient to confer Article III standing. The court also added that allegations of monetary loss are cognizable under Florida law for damages in contract, quasi-contract, negligence, and breach of fiduciary duty.

Feds Charge Activist with 13 Felonies for Rogue Downloading of Academic Articles (Wired, 18 Sept 2012) - Federal [prosecutors] added nine new felony counts against well-known coder and activist Aaron Swartz, who was charged last year for allegedly breaching hacking laws by downloading millions of academic articles from a subscription database via an open connection at MIT. Swartz, the 25-year-old executive director of Demand Progress, has a history of downloading massive data sets, both to use in research and to release public domain documents from behind paywalls. He surrendered in July 2011, remains free on bond and faces dozens of years in prison and a $1 million fine if convicted. Like last year's original grand jury indictment on four felony counts, the superseding indictment unveiled Thursday accuses Swartz of evading MIT's attempts to kick his laptop off the network while downloading millions of documents from JSTOR, a not-for-profit company that provides searchable, digitized copies of academic journals that are normally inaccessible to the public. Using a program named keepgrabbing.py, the scraping took place from September 2010 to January 2011 via MIT's network, and was invasive enough to bring down JSTOR's servers on several occasions, according to the indictment. In essence, many of the charges stem from Swartz allegedly breaching the terms of service agreement for those using the research service. "JSTOR authorizes users to download a limited number of journal articles at a time," according to the latest indictment. "Before being given access to JSTOR's digital archive, each user must agree and acknowledge that they cannot download or export content from JSTOR's computer servers with automated programs such as web robots, spiders, and scrapers. JSTOR also uses computerized measures to prevent users from downloading an unauthorized number of articles using automated techniques."
MIT authorizes guests to use the service, which was the case with Swartz, who at the time was a fellow at Harvard's Safra Center for Ethics. The case tests the reach of the Computer Fraud and Abuse Act, which was passed in 1984 to enhance the government's ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality. The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website's terms of service or a company's computer usage policy, a position a federal appeals court in April said means "millions of unsuspecting individuals would find that they are engaging in criminal conduct." The 9th U.S. Circuit Court of Appeals, in limiting reach of the CFAA, said that violations of employee contract agreements and websites' terms of service were better left to civil lawsuits.

Library of Congress Unveils New Bill-Tracking Site to Replace THOMAS (Hillicon Valley, 19 Sept 2012) - The Library of Congress on Wednesday unveiled Congress.gov, a new site that will allow members of the public to learn about past and pending legislation. The site, which offers bill summaries, bill texts and vote tallies, will eventually replace THOMAS, Congress's current legislative database. Congress.gov offers a host of improvements over the old service. The site is now accessible on mobile devices and features live and archived video of floor debates. The Library of Congress also cooperated with the House and Senate to provide profiles and biographical data of every member of Congress, along with information on all the bills they have introduced. The new site features a dramatically overhauled search engine, which allows users to search across numerous years. THOMAS required users to specify a particular congressional session. Search results are now sorted by relevance instead of bill number. Users can narrow the results by choosing to view measures only from particular parties, committees, years or other categories. Congress.gov also features multimedia presentations on the legislative process and provides a glossary of legislative terms.

Comprehensive Risk Assessment Guidance for Federal Information Systems Published (NIST, 20 Sept 2012) - Risk assessment is the topic of the newest special publication from the National Institute of Standards and Technology (NIST). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1), an extensive update to its original 2002 publication, is the authoritative source of comprehensive risk assessment guidance for federal information systems, and is open for public comments through November 4. "Risk assessments can help federal agencies effectively evaluate the current threat, organizational and information system vulnerabilities, potential adverse impacts to core missions and business operations - using the results to determine appropriate risk responses," said NIST Fellow Ron Ross. Overall guidance on risk management for information systems is now covered in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), issued last March. The updated SP 800-30 now focuses exclusively on risk assessments, one of the four steps in risk management, says Ross.

Company Computers are Not SCA 'Facilities' (Steptoe, 20 Sept 2012) - A former employee who remotely accessed company computers over 125,000 times in order to transmit spyware and monitor network communications did not violate the Stored Communications Act (SCA). The U.S. District Court for the Southern District of Ohio ruled last week in Freedom Banc Mortgage Services, Inc., v. O'Harra that while the former employee's actions did violate the Computer Fraud and Abuse Act, they did not violate the SCA because the company network did not constitute an electronic communications "facility" within the meaning of the SCA. This reading of the SCA conflicts with a number of other federal district court rulings, which have held that the statute covers private servers.

Six Ventures Bring Data to the Public as Winners of Knight News Challenge (Knight Foundation, 20 Sept 2012) - Six media innovation ventures that make it easier to access and use information on local communities, air quality, elections, demographics and more received a total of $2.22 million today as winners of the Knight News Challenge: Data. The data challenge, one of three launched by the John S. and James L. Knight Foundation this year, accelerates projects with funding and advice from Knight's network of media innovators. For the data round, Knight Foundation sought ideas that make the large amounts of information produced each day available, understandable and actionable. "The winning projects go well beyond collecting data to unlocking its value in simple and powerful ways, so journalists can analyze numbers and trends, and communities can make decisions on issues important to them," said Michael Maness, vice president for journalism and media innovation at Knight Foundation.

  • Safecast: Creating a community of citizen and professional scientists to measure and share data on air quality in Los Angeles and other U.S. cities. The air quality effort is inspired by Safecast's success in providing radiation data following Japan's 2011 nuclear disaster.
  • LocalData: Providing a set of tools that communities can use to collect data on paper or via a smartphone app, then export or visualize the data via an easy-to-use dashboard. The city of Detroit has used the tools, created by Code for America fellows, to track urban blight.
  • Open Elections: Creating the first freely available, comprehensive source of U.S. election results, allowing journalists and researchers to analyze trends that account for campaign spending, demographic changes, legislative track records and more. Senior developers from The Washington Post and The New York Times lead the project.
  • New Tools for OpenStreetMap: Launching tools that make it easier for communities to contribute to OpenStreetMap, the community-mapping project used by millions via foursquare and Wikimedia and becoming a leading source for open, street-level data. DevelopmentSeed will create the tools.
  • Pop Up Archive: Taking multimedia content - including audio, pictures and more - from the shelf to the Web, so that it can be searchable, reusable and shareable. Founded by University of California grad students and SoundCloud Fellows, the project beta tested by helping archive the collection of the independent, Peabody-winning production team the Kitchen Sisters.
  • Census.IRE.org: Providing journalists and the public with a simpler way to access Census data, so they can spend less time managing the information and more time analyzing it and finding trends. The project is led by a senior developer from the Chicago Tribune in partnership with Investigative Reporters and Editors (IRE).

Attorney Had Implied, Irrevocable License to Use Complaint Allegedly Drafted by Former Client (Wolters Kluwer IP Law Daily, 21 Sept 2012; subscription required) - Because an attorney had an implied license to use a complaint allegedly drafted and copyrighted by a former client during the course of litigation in which the attorney continued to represent other clients, the former client's copyright suit based on the attorney's filing of an allegedly infringing second complaint in the earlier suit was rejected by the federal district court in Brooklyn (Unclaimed Property Recovery Service, Inc. v. Kaplan, September 20, 2012, Marbley, A.). The court declined to address the "novel" question of whether a legal complaint qualifies for copyright protection. The attorney, Norman Kaplan, represented Unclaimed Property Recovery Service (UPRS), its manager Bernard Gelb (not an attorney), and others in a class action against Chase Manhattan Bank. After Kaplan resigned as attorney for UPRS and Gelb in the class action but continued to represent other plaintiffs, Gelb obtained certificates of registration from the U.S. Register of Copyrights for the first complaint and exhibits. After Kaplan filed the second complaint in the class action, Gelb and UPRS brought this suit seeking statutory damages for copyright infringement and a permanent injunction against Kaplan's copying or republishing of the first class action complaint. Kaplan contended that the first complaint and exhibits did not qualify for copyright protection because they contained only facts. The court, however, found it unnecessary to address this novel question. Even assuming that the first complaint and exhibits qualified for copyright protection and were substantially similar to the second complaint and exhibits, Kaplan had an implied license that was a complete defense to the claim of copyright infringement, the court held. Gelb and UPRS conceded that Kaplan had a license to file the first complaint and exhibits. A client who assists in the preparation of a legal document, and hands it over to his attorney for filing, impliedly gives the attorney license to use the document through the course of the litigation, the court observed.

Louboutin's Soles are Red, Tiffany Boxes are Blue (Baker Hostetler, 24 Sept 2012) - Single color trademarks are registerable, protectable, and enforceable. So held the Second Circuit in its long-awaited decision in the Christian Louboutin SA v. Yves Saint Laurent America Holding Inc. case. In doing so, the Second Circuit rejected the District Court's finding that Christian Louboutin's trademark on red-soled shoes may be invalid in itself and that single color trademarks in the fashion context were unenforceable. In light of the fact that the District Court was inclined to cancel Louboutin's registration, the Second Circuit's decision represents a victory for Louboutin and other designers, as well as purveyors of any goods or services that seek to utilize a single color as a trademark. The Second Circuit overturned the District Court's holding that barred a single color serving as a trademark in the fashion industry. Citing a prior Supreme Court opinion on the subject, Qualitex Co. v. Jacobson, 514 U.S. 159, 34 USPQ2d 1161 (1995), the Court explained that "the Supreme Court specifically forbade the implementation of a per se rule that would deny protection for the use of a single color as a trademark in a particular industrial context." See Opinion. The Second Circuit did explain that a single color almost never would be inherently distinctive, and therefore could only become a trademark if it acquired secondary meaning. The Court also rejected the District Court's suggestion of a fashion industry specific rule.

First NLRB Decision on Employer Social Media Policies (Employer Law Report, 24 Sept 2012) - Employers adopting social media policies have to consider whether they would be struck down by the National Labor Relations Board (NLRB) if challenged as invalid under Section 7 of the National Labor Relations Act. Section 7 protects the rights of union, as well as non-union, employees to communicate at or away from work about terms and conditions of employment. Citing a desire to provide guidance to employers regarding workplace regulation of employee use of social media, the chief lawyer for the NLRB (its "General Counsel") issued guidance reports in August 2011, January 2012 and May 2012 to show what sorts of social media policies the General Counsel believes violate Section 7. The NLRB considers but is not bound by the General Counsel's guidance when issuing decisions. Until recently, the NLRB itself had not had occasion to issue a decision on a social media policy.

In Costco Wholesale Corporation (NLRB Case No. 34-CA-012421), the NLRB considered a social media policy for the first time. The NLRB invalidated portions of Costco's policies and in doing so signaled that it will probably track closely with the General Counsel's guidance when reviewing social media policies. That means a very aggressive review and the likelihood that policies which are not drafted narrowly and carefully will be struck down. Reviewing an unfair labor practice charge filed by the United Food and Commercial Workers' Union challenging various Costco employee handbook policies, the NLRB considered the following two policies which relate to social media use * * *

A New Issue For Bitcoin: Crypto Key Disclosure (TechDirt, 24 Sept 2012) - The debate is still raging whether Bitcoin is a brilliant idea that will revolutionize business and society, a high-tech money laundering scheme, or just a fad that will soon pass into history. But in a fascinating post, Jon Matonis points to a problem that doesn't really seem to have been considered before: "Key disclosure laws may become the most important government tool in asset seizures and the war on money laundering. When charged with a criminal offense, that refers to the ability of the government to demand that you surrender your private encryption keys that decrypt your data. If your data is currency such as access control to various amounts of bitcoin on the block chain, then you have surrendered your financial transaction history and potentially the value itself." That's no mere theoretical issue in countries like Australia, South Africa and the UK that already have such key disclosure laws.

NBC Unpacks Trove of Data From Olympics (NYT, 25 Sept 2012) - [M]ore than 50,000 [people participated] in a dozen studies conducted by Comcast's NBCUniversal unit as part of its so-called Billion Dollar Research Lab. The research did not cost $1 billion, but NBCUniversal paid more than four times that sum in 2011 to broadcast the Olympics through 2020. As part of that giant tab, the media company gets an exceptional opportunity to study viewers' behavior. The findings of the studies, shared with The New York Times, revealed vast shifts in the way people watched the Games this year compared with the Olympics in Vancouver in 2010 and in Beijing in 2008, and they offered insight into how television will further evolve into a multiplatform experience. Think of it as the world's largest "sandbox" in which media researchers can play, said Alan Wurtzel, president of research and media development at NBCUniversal. "It gives us a glimpse into the future." For research wonks there's no event quite like the Olympics. Roughly 217 million people in the United States watched the London Games, making it the most watched television event in history. And unlike other big, live events like the Super Bowl or the Academy Awards, the Olympics offer researchers a prolonged, 17-day period during which to study behavior. That sandbox showed that eight million people downloaded NBC's mobile apps for streaming video, and there were two billion page views across all of NBC's Web sites and apps. Forty-six percent of 18- to 54-year-olds surveyed said they "followed the Olympics during my breaks at work," and 73 percent said they "stayed up later than normal" to watch, according to a survey of about 800 viewers by the market research firm uSamp. The results signaled vast changes from just two years ago in Vancouver, when tablets and mobile video streaming were still in their infancy. 
The two most streamed events on any device during the London Olympics, the women's soccer final and women's gymnastics, surpassed all the videos streamed during the Vancouver Olympics combined. The growing number of viewers who own tablets will only lead to more streaming. "That's clearly a glimpse of where tablets are going," Mr. Wurtzel said. Thinking ahead to the Winter Olympics in Sochi, Russia, in 2014 and to the Summer Games in Rio de Janeiro in 2016, he added: "All bets will be off as the price of tablets goes down." But perhaps the most important results for NBC's business interests were its findings that the deluge of online viewing options did not cannibalize the coveted prime-time audience, Mr. Wurtzel said.

Your Smartphone Is Listening To You Sleep (Fast Company, 25 Sept 2012) - Last week Siri, Apple's voice-commanded digital assistant, got an upgrade that gave her many new powers. But developments in voice recognition tech across all kinds of devices mean that your next-next-gen smartphone will easily surpass Siri's passive listening skills and turn it, and systems like it, into chat-happy, always-on life mates. Nuance is the company behind many of the innovations in voice recognition, and may or may not have played a part in the latest iteration of Siri, which grew out of SRI International. The recent advances in voice tech are partly due to developments in the core technology of voice recognition and partly due to Nuance's clever choice to make a database of millions of bits of real speech from its users, which it can use to train and optimize its algorithms--even to the point of better understanding different dialects. This week the company's chief technology officer Vlad Sejnoha revealed that Nuance has been working with chip manufacturers to give smartphones an amazing new voice-command power. Nuance wants to give phones the power to listen to you when they're otherwise "asleep." The scenario Nuance's CTO imagines is that in the future your phone will always be listening. So your phone is quietly sitting there, sipping at battery power so it doesn't consume that precious resource, until you ask it when your next meeting is, or if it can text your partner or if it's going to rain later. The benefits are obvious, says Sejnoha--there's less of a barrier to using it because you don't have to turn on the device, and indeed if a strong mic is involved, you won't even have to be near it. Nuance is even working on making its system better at isolating a user's voice from background chatter so you could even drop it into conversations with your friends, throwing a question at your smartphone even while talking to other people in a noisy environment.

Dead Model's Parents Can't Get Facebook Messages, Judge Says (GigaOM, 27 Sept 2012) - A California judge has shut down a U.K. couple's attempt to obtain the Facebook messages of their daughter, a 23-year-old model who died in a mysterious tragedy. The judge's decision highlights, once again, growing questions over privacy and how to handle social media after we die. The California case turns on Sahar Daftary, a former "Face of Asia" winner, who fell 150 feet from the balcony of a luxury apartment in Manchester. Her parents had asked Facebook for her messages in the hopes they would shed light about how and why she died. But in his ruling last week, Judge Paul Grewal quashed the request after Facebook argued that turning over the messages could violate federal privacy laws. Daftary's mother had argued that, as the executor of her daughter's will, she had a right to access Sahar's Facebook account. But Facebook pointed to a law called the Stored Communications Act that forbids companies from sharing users' emails without their permission. The judge sided with Facebook. Both sides have a point here. On one hand, family members may want to learn more about a loved one's last days. But on the other, Facebook is right to worry about privacy laws. Facebook and other companies are probably also keen to avoid getting caught in the middle of a fight between relatives (or, worse, insurance companies) over a dead person's profile. Finally, there is the issue of what the dead person themselves would have wanted. As social media lawyers Venkat Balasubramani and Eric Goldman point out, what if the departed want to take their Facebook secrets to the grave?

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

FOLLOW YOUR LENT BOOK ON THE INTERNET (Houston Chronicle, 23 July 2002) -- Scenario No. 1: You read a book. It's a wonderful read. You tell a few people about the book. You might even let a friend borrow it. But the book eventually ends up on your bookshelf, where you can admire it. Scenario No. 2: You read a book. It's a wonderful read. Instead of letting it collect dust on your shelf, you leave your book in some public place so other people can read it. The Internet allows you to follow its path forever. Which scenario appeals to you? If the second one sounds intriguing, make your way to BookCrossing (www.bookcrossing.com) and become a member of a worldwide book community. BookCrossing works like this: First, read a good book. Second, register the book at the Web site along with your comments. You get a BookCrossing identification number. You can download a label, write the number on it and affix it to the book. Or you can write it on a bookmark or include it in a handwritten note. Third, "release" the book to a friend, donate it to charity, "forget" it on an airplane or bus or leave it in a restaurant. The label or your note will tell people to go to the Web site and add their comments, then pass the book on when they've read it. Each time someone records a journal entry on your "released" book, you will be notified by e-mail. When you drop off a book, you also can enter "Release Notes" on the location, and others can go hunting for it. As of Monday, there were 13,499 books "in the wild" in the United States, including 73 in Houston, five at Bush Intercontinental Airport, three in Baytown, four in Galveston and 18 in The Woodlands. [Editor's note: first-sale doctrine; "fair use"; important principles that will suffer continued challenge.]

YALE ACCUSES PRINCETON OF HACKING (Salon.com, 26 July 2002) -- Yale University complained to the FBI on Thursday that admissions officials at Princeton hacked into a Yale Web site that was set up for prospective students. Yale said it found 18 unauthorized log-ins to the Web site that were traced back to computers at Princeton, including computers in the admissions office. "We're assessing the information to see if there is a federal violation," FBI spokeswoman Lisa Bull said. The head of admissions at Princeton said the school just checked the site to see how secure it was. Princeton gained access by looking up students who had applied to both schools [using birthdates and social security numbers to gain entry]. "It was really an innocent way for us to check out the security," Stephen LeMenager, Princeton's dean of admissions, told the Yale Daily News, which broke the story Thursday in its online edition. "That was our main concern of having an online notification system, that it would be susceptible to people who had that information -- parents, guidance counselors, and admissions officers at other schools." Yale said Princeton's actions violated the privacy of the students. http://www.salon.com/tech/wire/2002/07/25/yale_princeton/index.html?

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, September 08, 2012

MIRLN --- 19 August - 8 September 2012 (v15.12)

Software Can Be a "Good" under the California UCC (Charlie Bieneman, 9 August 2012) - Sale of a software license constituted sale of a "good" for purposes of applying the California UCC. Gross v. Symantec Corp., No. C 12-00154 CRB (N.D. Cal. July 31, 2012). A putative class action plaintiff sued Symantec, alleging that a free trial for its software "was essentially a scam, and that the software does not increase security." Among other causes of action, the plaintiff alleged a breach of the express warranties set forth in the California Uniform Commercial Code, Cal. Com. Code § 2312. The court held that, in California, the UCC applied to this type of software transaction, and UCC warranties could govern the license. Symantec argued that the California UCC "only covers the sale of goods, which excludes licenses for the use of intellectual property, like Symantec's software." Citing RRX Indus., Inc. v. Lab-Con, Inc., 772 F.2d 543, 546 (9th Cir. 1985), the court acknowledged that "[s]oftware transactions often straddle the line between goods and services, so courts look to the 'essence of the agreement' to determine how best to characterize the transaction." The transaction here was similar to a retail purchase of licensed software at a bricks and mortar store, to which the Ninth Circuit had previously suggested the California UCC would apply. The present software transaction "resembles the sale in RRX Industries, except that it doesn't include the installation, training, maintenance, and upgrading services that might have jeopardized the applicability of the California UCC in that case."

Huge Jump in Number of Fines for UK Data Breaches (Help Net Security, 15 August 2012) - The Information Commissioner's Office (ICO) has revealed a huge increase in the number of penalties handed out for organisations in breach of the Data Protection Act. Over the last year, ICO has issued 68 warning notices for data security lapses, which is up 48 percent from the same point last year. Its fines reached nearly £2m over the last year. According to these figures, the ICO has also increased the amount and frequency of fines it hands out, with 15 fines totalling £1.8m imposed over the past year - a significant increase on the mere six fines totalling £431,000 it handed out in the previous year.

Pipeline Cybersecurity: Federal Policy (CRS Report, 16 August 2012) - The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyber infiltration of supervisory control and data acquisition (SCADA) systems could allow successful "hackers" to disrupt pipeline service and cause spills, explosions, or fires - all from remote locations. In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector. The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines. An April 2011 White House proposal and the Cybersecurity Act of 2012 (S. 2105) both would mandate cybersecurity regulations for privately owned critical infrastructures sectors like pipelines. A revised version of S. 2105, S. 3414, would permit the issuance of regulations but would focus on voluntary cybersecurity measures. While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways * * *

A MOOC Without an Instructor (InsideHigherEd, 21 August 2012) - There's a new kind of massive open online course (MOOC), and it lacks an instructor, The New York Times reported. The course will combine existing materials from the Massachusetts Institute of Technology OpenCourseware project, quizzes from Codecademy and study groups from Open Study, and will be coordinated by Peer 2 Peer University. With those services, organizers said, an instructor (while central to other MOOC offerings) won't be necessary. The first offering will be on a computer programming language and is called "A Gentle Introduction to Python." InsideHigherEd's take on the program: http://www.insidehighered.com/blogs/hack-higher-education/mechanical-mooc

Shrinkwrap Licenses and IP (MLPB, 21 August 2012) - Mark A. Lemley, Stanford Law School, has published Intellectual Property and Shrinkwrap Licenses. Here is the abstract: Intellectual property -- right, wrong, or indifferent -- is well on its way to becoming irrelevant in the computer world. The reason is that the debate over the appropriate scope of intellectual property protection for computer software largely ignores the role of contract law in setting rights. Software vendors are attempting en masse to "opt out" of intellectual property law by drafting license provisions that compel their customers to adhere to more restrictive provisions than copyright (and even patent) law would require. These software license agreements are of two types: bargained agreements for custom software, and unbargained "shrinkwrap licenses" imposed on mass-market purchasers. As software has become a mass-market commodity, the shrinkwrap license has tended to predominate. Can software vendors really avoid the rules of intellectual property law entirely? Can they "pick and choose" among the rights and responsibilities of copyright law, adopting copyright when it suits their purposes and discarding it otherwise? By and large, the answer to these questions has depended on whether and under what conditions shrinkwrap licenses are enforceable. This article discusses the theoretical arguments in favor of and against enforcing such shrinkwrap license terms. After weighing these arguments, I conclude that shrinkwrap licenses should not be effective to alter the balance of rights created under federal law. Paper here .

Political Junkies Take Note: YouTube Launches New Elections Hub (LA Times, 22 August 2012) - Political junkies will soon have a new place to get their campaign coverage fix. YouTube on Wednesday launched an Elections Hub to provide extensive online campaign coverage. The new channel will feature political reporting and analysis from such established sources as ABC News, Al Jazeera English, The New York Times, Wall Street Journal and Univision, together with popular online sources Philip DeFranco and BuzzFeed. In a reflection of the Internet's growing importance as a source of news for viewers younger than 30, YouTube's Elections Hub will offer live coverage of the Republican and Democratic national conventions and, for the first time, provide live streaming of the presidential and vice presidential debates. "We've seen there is a huge demand for political news on YouTube," said Olivia Ma, YouTube's news and politics manager. The campaigns of President Barack Obama and his likely Republican challenger, Mitt Romney, have uploaded more than 600 videos to their respective YouTube channels since April 2011, Ma said. Those campaign videos, and others mentioning the two presidential candidates, have collectively attracted almost 2 billion views on YouTube, she said. With Election Hub, viewers will select the coverage they want to follow from a menu of options. Once they've made a choice, they'll be able to watch live and on-demand campaign coverage -- and participate in discussions.

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices (Eric Goldman's blog, 22 August 2012) - This is a putative class action under the Video Privacy Protection Act alleging Netflix violated the VPPA (and Cal. Civ. Code 1799.3) by .. get this .. freely displaying, to a subscriber's family members, a subscriber's "recently watched" and "instant queue titles" on the subscriber's Netflix-Enabled Device. I'm surprised the court didn't just enter a three word order ("WTF") dismissing the claim. Netflix allows you to register devices that can access your Netflix account. Once you enter your password, you need not keep entering it in again. Plaintiffs alleged that this was a problem because a subscriber's family members could then access the device and see a subscriber's "recently watched" and "instant queue" titles without entering a password. Netflix did not contest that the VPPA applies to streaming video providers. As cited by the court, a different judge in the Northern District of California recently concluded that Hulu was subject to the VPPA regardless of the fact that it offers streaming services and doesn't charge its customers for some of its services. Nevertheless, the court says that plaintiffs cannot state a claim because the disclosures in question were made to the customers themselves (i.e., through their devices). Although not determinative, the court notes that Netflix's privacy policy tells users that if they share their devices or passwords with others, they take "full responsibility for their actions." Case is Mollett v. Netflix, 11-CV-01629 (N.D. Cal.; Aug 17, 2012)

New Documents Show That Feds Share License Plate Scanning Data With Insurance Firms (TechDirt, 22 August 2012) - It's one thing for governments to make use of license plate scanning equipment to catalog what cars are crossing their borders. But it takes it to a whole different level to then share that data with insurance firms. However, it appears that's exactly what the US government is doing. A Freedom of Information Act request by privacy group EPIC, discovered that US Customs (part of Homeland Security) is sharing license plate scans with the National Insurance Crime Bureau (NICB), which is actually an organization made up of just about every insurance company.

The reasons for such sharing of info may appear to be noble. It's technically to try to spot stolen vehicles: The purpose of furnishing LPR information is to verify that vehicles departing from and arriving into the United States are not stolen vehicles. NICB has access to unique information regarding stolen vehicles, as well as the means of exchanging information regarding stolen vehicles with member insurance company Special Investigative Units and Federal and State law enforcement authorities.

YouTube Will Now Let Mobile Users Choose Whether to Watch Ads (NYT, 22 August 2012) - People often visit Web sites on their mobile phones as much or more than they do on computers. But that leaves Web companies with a challenge: how to make money on phones, where there is less space for advertisements and people have less patience for them? YouTube thinks it has an answer. On Wednesday, it introduced a new kind of ad for its mobile site that lets viewers choose whether or not to watch a video ad, and only charges advertisers if the ad is watched. This type of ad, which YouTube calls TrueView, has been available on computers since late 2010. It is well-suited for viewers using mobile devices, Google executives said, when they are often crunched for time and have little patience for unwanted interruptions.

U.S. Becomes First Participant in APEC Cross-Border Privacy Rules System (Steptoe, 23 August 2012) - The United States has been approved as the first formal participant in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system (CBPR). The CBPR system is a self-regulatory initiative designed to enhance the protection of consumer data moving between APEC member nations through a voluntary but enforceable code of conduct implemented by participating businesses. The FTC was also named as the system's first privacy enforcement authority. This move brings the system one step closer to implementation. Although certification under the CBPR system may require many U.S.-based companies to make significant changes to their current data privacy practices, participation in the system will allow for more efficient and secure data exchange with other APEC economies.


Judge Rules EBay Not Covered By Americans With Disabilities Act (OnlineMediaDaily, 23 August 2012) - Siding with eBay, a federal judge has dismissed allegations that the online auction violated the Americans with Disabilities Act by requiring sellers to use a telephone to verify their identities. U.S. District Court Judge Edward Davila in San Jose, Calif., ruled that the federal law -- which prohibits discrimination against people with disabilities -- doesn't apply to online companies like eBay. The 1990 statute says it applies to "places of public accommodation." The ruling, issued earlier this month, dismissed the bulk of a potential class-action lawsuit filed in 2010 by Melissa Earll. She alleged that as a "profoundly deaf" person, she was unable to register with eBay because the company verifies identity through telephone calls. eBay allegedly gives prospective merchants passwords over the telephone; the registrants must then enter those passwords online. Davila dismissed all of Earll's claims and ruled that she can't refile allegations relating to the ADA. "Because Earll will not be able to overcome the fact that the ADA does not apply to eBay.com by amending her complaint, leave to amend is not appropriate," Davila wrote. The decision is at odds with a recent ruling against Netflix, issued by U.S. District Court Judge Michael Ponsor in Massachusetts. That decision allowed the National Association of the Deaf to proceed with its lawsuit alleging that Netflix violates the ADA by failing to provide closed captioning online.


Announcing a Guide to Reporting at the 2012 Republican and Democratic National Conventions (CMLP, 23 August 2012) - As you may have seen on our home page today, the DMLP has released a Guide to Reporting at the 2012 Republican and Democratic National Conventions. I wanted to share a little more about why and how we decided to release this document. As we mentioned already, the conventions are creatures of chaos. Thousands of journalists and even more demonstrators will descend upon these cities. These crowds are typically met with an overwhelming police presence, and the clashes between protesters and the police typically result in numerous arrests. Avoiding police detention as a journalist is often a challenge, as a large tangle of laws regulates crowd behavior, and police often enforce these complex laws with sweep arrests of whole crowds. Many experienced journalists are not strangers to such tough situations, but the nature of the conventions as "national special security events" presents special concerns, especially around the norms journalists establish with local law enforcement. The Secret Service takes the lead during these national security events, and the normal journalist-police relationships that allow journalists to report from over police lines are likely to be jettisoned in favor of a strict enforcement of the law. It is vitally important for journalists to understand the fundamental mechanics of the law while on the ground, so they can be aware of when their actions risk arrest. To that end, we have provided this guide as an overview of the various legal issues presented at the RNC and DNC.
Topics in the guide include an overview of basic press freedoms, a discussion of what to pack in order to prepare for the situation on the ground, information as to how crowd assembly and speech is regulated (so a journalist can be aware of when police may take action against a crowd of demonstrators), laws related to recording in public, a walkthrough on how to react to interactions with the police, and a review on how your rights change when you are reporting on private land. The guide covers the law in both Tampa and Charlotte as it exists today, with helpful information drawn in from reports on past conventions. The guide is designed to allow the reader to engage at whatever depth he or she needs. You can review the entire document, or turn to the summary section at the front and refer to the main text as you like; readers can engage at whatever depth they need. (There's even a one-sheet printout for those that just want to have something to reference while on the ground in Tampa and Charlotte.) We have tried to make the law as clear as it can be, and noted how the police have handled enforcing the law at previous conventions, and where journalists ran into trouble.


The State of Cybersecurity Disclosure: Is Congressional Action Next? (CorporateCounsel.net, 24 August 2012) - It is now going on a year since the SEC issued CF Disclosure Guidance: Topic No. 2, Cybersecurity, and since that time I have been interested in seeing how the Staff has followed up on the guidance in the course of the 10-K review process. It turns out that much like after the Commission issued its interpretive release on climate change disclosures back in 2010, there hasn't been a huge uptick in the number of comments directed at the topic. The Staff has said that the main focus of comments in this area has been on situations where there has been some reported breach, and the Staff is thus particularly interested in seeing specific disclosure about that breach and the related risk or MD&A disclosure. Given this focus, there have not been many instances that I have come across where the Staff is just fishing for cybersecurity disclosures, or commenting specifically on the sometimes vague or generalized risk factors that many issuers have now added. It seems that perhaps Congress isn't too satisfied with the SEC's cybersecurity disclosure efforts, because a provision in the cybersecurity bill that stalled in Congress before the August recess addresses the SEC's guidance and implementation efforts in a "sense of Congress" statement. Notably, Section 415 of S. 3414 observes that information security risks and related events that are material to investors should be disclosed, and to this end the SEC (not later than 1 year from enactment) should evaluate existing guidance, including CF Disclosure Guidance: Topic No. 2, to determine whether the guidance should be updated or issued as an interpretive release.
Under the Senate bill, the SEC would also have to provide an annual report to Congress describing the types of security risks and related events disclosed by issuers in the prior year, whether the Staff required additional information of issuers, any awareness efforts undertaken by the SEC, and any enforcement actions relating to disclosure requirements for information security risks. Could a new "Form CS" be too far behind?


- and -

SEC Guidance on Cyber-Disclosure Becomes Rule for Google (Bloomberg, 29 August 2012) - Securities and Exchange Commission guidelines on when companies should disclose cyber-attacks have become de facto rules for at least six companies, including Google Inc. and Amazon.com Inc. (AMZN), agency letters show. The six companies were asked to break silence and tell investors in future filings that intruders had breached their computer systems, according to the SEC letters. Companies such as Amazon argued that the attacks weren't important enough to reveal. Hacking admissions can hurt reputations, give competitors useful information and trigger investor litigation. Before the requests, Seattle-based Amazon, the largest Internet retailer, hadn't said in its reports that cyber-thieves had raided its Zappos.com unit, stealing addresses and some credit card digits from 24 million customers in January. In April, Amazon was asked by the SEC to disclose the cyber-raid in its next quarterly filing, which it did. Google (GOOG), the world's biggest search engine, agreed in May to put its previously disclosed cyber-assault in an earnings report. American International Group Inc. (AIG), Hartford Financial Services Group Inc. (HIG), Eastman Chemical Co. (EMN) and Quest Diagnostics Inc. (DGX) were also prodded to improve disclosures of cyber-risks, according to SEC letters available on the regulator's website. The SEC instituted a voluntary disclosure plan in an October advisory. This year, the SEC sent dozens of letters to some companies, asking about cyber-security disclosures and later pushing companies to disclose, spokesman John Nester said. "It's not a rule, but the SEC, by taking a policy position, can effectively create a rule," said Peter Henning, a former SEC lawyer who teaches at Wayne State University in Detroit. "It lets companies know what it would like to happen." Nester declined to say how many companies had been told to disclose in future filings.
The SEC disclosure letters aren't all public yet.


- and -

White House Plans to Regulate Contractor Computer Security (NextGov, 27 August 2012) - The Obama administration has drafted plans to require federal contractors to adopt specific cybersecurity safeguards for company equipment that transmits government information. The proposed regulations come as the White House considers issuing an executive order that would regulate computer security at all critical businesses. Industry backlash stopped Congress from mandating such reforms. NASA, the Defense Department and the General Services Administration, which purchases goods and services for agencies across government, released the draft rules Friday. Under the plan, doing business with the government would be contingent on agreeing to protect corporate-owned devices and federal data on websites. This regulation "would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information)," the proposal states. The provision calls for only a few computer protections and leaves vendors substantial flexibility, which troubles some computer security experts. Specifically, the administration wants "current and regularly updated" malware blockers, such as antivirus or antispyware mechanisms, as well as "prompt" installation of software patches and other security updates. Federal data posted to company Web pages must be secured through passwords or other technological restrictions. Information and equipment also would have to be sheltered by one physical element, such as a locked case, and one digital defense, such as a login. Alan Paller, research director for the SANS Institute who frequently advises the administration, called the plan "worse than useless."


How Do You Say 'Public Forum Doctrine' in Hawaiian? (CMLP, 27 August 2012) - It is ridiculously easy to create an online forum. Even just a few years ago, you had to have a fairly high level of technical savvy to put together such a thing - maybe some php or other coding skills, certainly a solid grip on html at the very least. But now, thanks to the likes of Facebook, Google, and plenty of other online megacorporations, all it takes is a few mouse clicks. And as a result, more government entities than ever are getting in on the action and creating forums -- in a technological sense -- for public debate. But are they also creating public forums in a legal sense? In the physical world, when the government sets aside space as free for public use, it is not allowed to discriminate based on the viewpoints that members of the public might express in such spaces. But does that principle extend by analogy to virtual spaces hosted by government agencies? That's the issue highlighted by a case filed just last week in federal court in Hawaii, in which Christopher Baker and Derek Scammon, as well as the Hawaii Defense Foundation (a pro-gun organization), are suing the Honolulu Police Department for constitutional violations after the HPD apparently removed the individual plaintiffs' comments from the Department's Facebook "fan" page. According to the complaint, Baker and Scammon both made a series of posts this past January on the wall of the HPD's "official Facebook page," challenging the HPD on a variety of topics, including self-defense, illegal searches and seizures, and the like. Although the HPD initially responded to the plaintiffs' posts on the forum, it eventually began deleting their posts as violations of the HPD's forum guidelines, and ultimately banned the pair from the page.
And appropriately enough, the case looks like it's going to boil down to a question of whether, in creating its forum on Facebook, the HPD also was creating a public forum in the legal sense. If it did, the HPD will be severely limited in the sorts of content management that it can perform in regard to deleting posts or banning commenters on the page without running afoul of core civil rights like those the plaintiffs are suing over.


Federal Court Allows Service of Complaint and Summons Via Yahoo Email Account (Internet Cases, 28 August 2012) - The government filed a civil suit against defendant for violation of the federal Commodity Exchange Act and related regulations. Try as it may, the government could not successfully serve the complaint and summons by traditional means. So the government asked the court for leave to file the papers via defendant's Yahoo email account. The court granted the motion. During an earlier state investigation, defendant had provided a Yahoo email address while testifying under oath. The government claimed that it had sent several messages to the same account, each time getting a confirmation receipt indicating the message had been read on a Blackberry using the Digicel network. The evidence in the record showed that Digicel is a provider of network services in the Caribbean, Central and South America. Federal Rule of Civil Procedure Rule 4(f)(3) authorizes a court to order an alternate method for service to be effected upon defendants located outside the United States, provided that such service (1) is not prohibited by international agreement and (2) is reasonably calculated to give notice to the defendant consistent with its constitutional due process rights. In evaluating whether email service in this case would run afoul of international law, the court found that the Hague Convention did not apply because defendant's precise location was not known - the only information in the record was that he was in the Caribbean, Central or South America. The Inter-American Convention on Letters Rogatory did not prohibit email service in this case, as that Convention would not necessarily preclude service by means outside the scope of its terms. The court found that email service was also reasonably calculated to give notice to defendant, based on the facts in the record.
Here, the government showed that the still-active Yahoo email address about which defendant swore under oath was reasonably calculated to give notice of the action against him and an opportunity to respond. Case is U.S. Commodity Futures Trading Comm'n v. Rubio, 2012 WL 3614360 (S.D.Fla., August 21, 2012)


Federal CIO Council Releases BYOD Toolkit (Information Law Group, 28 August 2012) - Bring Your Own Device ("BYOD") is the latest overnight IT sensation. But like most "overnight sensations" the foundational work took years before now familiar names "suddenly" hit the bright lights. In broader response to the ongoing Consumerization of Information Technology trend ("COIT"), no less than the Federal government has jumped on the BYOD bandwagon. Last week the Federal CIO Council released a BYOD resource toolkit for agencies contemplating BYOD programs. You can download the Toolkit in PDF at http://www.cio.gov/byod-toolkit.pdf or view it online. Not surprisingly, the CIO Council views BYOD as "a growing trend that is still in its infancy, but shows early promise as a driver of cost savings, increased productivity, and improved user experience." [Editor: for law firms, see Littler's terrific analysis and resource, included in MIRLN 15.09]


Posner on "Staleness" of Digital Evidence (Volokh Conspiracy, Orin Kerr, 28 August 2012) - When the government seeks to establish probable cause that evidence or contraband is inside a home, it sometimes has to deal with concerns of "staleness." Staleness refers to the possibility that evidence or contraband previously located in the home is no longer there, because over time evidence can be moved or destroyed. In today's opinion in United States v. Seiver, Judge Posner argues that concerns over staleness are rarely relevant in cases involving digital evidence. The issue arose in a child pornography case, in which the defendant argued that evidence of child pornography receipt and possession had become "stale" because seven months had passed before the warrant was obtained. Posner rejected the argument: When you delete a file, it goes into a "trash" folder, and when you direct the computer to "empty" the trash folder the contents of the folder, including the deleted file, disappear. But the file hasn't left the computer. The trash folder is a waste paper basket; it has no drainage pipe to the outside. The file seems to have vanished only because the computer has removed it from the user interface and so the user can't "see" it any more. Virginia M. Kendall & T. Markus Funk, Child Exploitation and Trafficking 275-76 (2012); United States v. Flyer, 633 F.3d 911, 918 (9th Cir. 2011); United States v. Gourde, 440 F.3d 1065, 1071 (9th Cir. 2006) (en banc). But it's still there, and normally is recoverable by computer experts until it's overwritten because there is no longer unused space in the computer's hard drive. "Staleness" is highly relevant to the legality of a search for a perishable or consumable object, like cocaine, but rarely relevant when it is a computer file. Computers and computer equipment are "not the type of evidence that rapidly dissipates or degrades." United States v. Vosburgh, 602 F.3d 512, 529 (3d Cir. 2010).
Because of overwriting, it is possible that the deleted file will no longer be recoverable from the computer's hard drive. And it is also possible that the computer will have been sold or physically destroyed. And the longer the interval between the uploading of the material sought as evidence and the search of the computer, the greater these possibilities. But rarely will they be so probable as to destroy probable cause to believe that a search of the computer will turn up the evidence sought[.]


Facebook and Twitter: A No-No for Federal Jurors (Mashable, 28 August 2012) - Were you hoping to waste away your hours of jury duty on Facebook or Twitter? Federal judges are hoping you won't, and have a new list of instructions from the Federal Judicial Conference Committee on how to discourage social networking in the courthouse throughout cases. While you may just be browsing breaking news or your friends' updates, judges are concerned you'll engage in external research or leak details about the case. The new guidelines, drafted in June and issued Friday, instruct judges how to best deter jurors from using Twitter, LinkedIn, Facebook or YouTube to research and communicate about the cases for which they're serving. Judges are told to review these instructions before the trial, at the close of each day before they return home, at the end of the case and at any other time deemed appropriate. "Jurors should be told why refraining from use of social media promotes a fair trial," said Judge Julie Robinson, the Conference Committee on Court Administration and Case Management chair, in a statement. "Finally, jurors should know the consequences of violations during trial, such as mistrial and wasted time." These instructions follow the results of a national survey of federal judges who reported that juror use of social media was most often reported by a fellow juror. Judges are encouraged to ask jurors to out fellow jurors who violate the instructions against social networking.


- and -

The Feds Try Again, But Just Won't Say Why (CMLP, 31 August 2012) - The federal courts have revised the jury instructions released in 2010 to address jurors' use of the internet and social media. But while the revised version is more specific about what activities jurors should avoid, they are still inadequate. This is because they are still in the form of a command -- "thou shalt not" -- but do not explain to jurors why they should not discuss the case or do research online. Instead, in the revised instructions -- which are suggested, not mandatory -- judges are asked to tell jurors, "I expect you will inform me as soon as you become aware of another juror's violation of these instructions." According to a U.S. Judicial Conference press release, the revised instructions are based on the findings of a 2011 Federal Judicial Center study (pdf) which found that most federal judges who reported becoming aware of juror use of social media during trial found out from fellow jurors. What the press release does not mention is that of the 508 federal judges who responded to the survey, only 30 (six percent) said that they had experienced jurors using social media during trials and deliberations. This led the study's author to conclude that "detected social media use by jurors is infrequent, and that most judges have taken steps to ensure jurors do not use social media in the courtroom."


Judge Dismisses BancorpSouth Defense in Online Theft Suit (Computerworld, 29 August 2012) - A federal judge has rejected BancorpSouth's plan to use contractual agreements with customers as a shield against liability claims stemming from an online heist of some $440,000 that was illegally wire-transferred from the account of one of the bank's commercial customers in March 2010. The customer, Choice Escrow and Title LLC in Springfield, Mo., filed a lawsuit against Tupelo, Miss.-based BancorpSouth in November 2010 alleging that the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC). BancorpSouth countersued earlier this year arguing that Choice Escrow was solely responsible for the breach because it allowed hackers to gain access to legitimate login credentials. The bank contended that Choice Escrow signed a contract that included an agreement not to hold BancorpSouth responsible for losses stemming from a failure to use the online services in a secure manner. In its lawsuit, BancorpSouth said Choice Escrow should be held liable for legal costs and other expenses for breaching the terms of the contract by filing claims against the bank. In a four-page ruling last week, Judge John Maughmer of the U.S. District Court for the Western District of Missouri rejected the bank's claims, ruling that Funds Transfer Act provisions preempted any other agreement between Choice Escrow and BancorpSouth. The judge did note that both sides in the dispute had made convincing arguments to support their case. "The Court having read the briefing of the parties finds this to be a very close call," Maughmer said. "On one hand, it seems obvious that the drafters of the UCC wanted banking sector parties to be protected from common law negligence claims and to encourage uniformity and consistency," Maughmer said.
"On the other hand, it seems unlikely that the drafters of the UCC wanted to discourage business entities from freely exercising their rights to contract the terms of their relationships."


How Copyright Has Driven Online Streaming Innovators Insane (TechDirt, 31 August 2012) - A little over four years ago, we wrote about the Second Circuit appeals court's ruling in the case over the legality of Cablevision's remote DVR. As we said at the time, the court came to the right result -- the remote DVR was perfectly legal -- but had to twist itself into all sorts of crazy contortions to make that argument fit within the confines of copyright law. That's because of the nature of copyright law itself, which is almost always reactive to technological changes and, because of that, always gets twisted up when important, useful and disruptive innovations come along. As we noted four years ago, copyright law "is simply not set up" to handle something like a remote DVR. Even though a home DVR is clearly legal, and the only real difference between one at home and one in the cloud is the length of the cord between the DVR and the TV, the legal arguments to make them both legal are quite twisted. Since then, we've seen a whole bunch of startups try to offer variations of streaming video online -- often relying on that quite twisted ruling in Cablevision. Each time we write about them -- companies like ivi, Zediva and Aereo -- we tend to note that all of them are doing incredibly inefficient and convoluted things on the back-end to try to stay within the confines of the law, as established by the Cablevision ruling. But to any objective observer considering what makes the most sense for a company and its users, all of the Rube Goldbergian designs of these companies seem entirely pointless. The goal is the same: to reasonably offer streaming services that match what people can do at home with a DVR or a DVD player -- but it has to be twisted to make that work within the whacked out language of the law. And that's because the law is never written with innovation in mind. Quite the opposite. 
The history of copyright law is that every time something new comes along, Congress duct tapes on some new "right" to make it work. The 1909 Copyright Act was driven by the scary, scary invention of the player piano, which was going to wipe out the sheet music business or something. But the internet mucks with all of that -- in part by bringing together different roles that had previously been separate. The end result is that different aspects of copyright law may or may not apply, depending on where you sit. 

Law professor James Grimmelmann has picked up on this and written an absolutely brilliant piece over at Ars Technica, where he dives into the nitty gritty details of all of this to explain how copyright law for streaming went insane. [Editor: I've been following this mess for nearly a decade - MIRLN 14.09 has a related story.]


Manual Examines How International Law Applies to Cyberwarfare (CIO Magazine, 3 Sept 2012) - A cybersecurity think tank has published a manual studying how international law applies to conflicts in cyberspace, where the laws of conventional warfare are more difficult to apply. The manual comes from experts working with the Cooperative Cyber Defense Center of Excellence (CCDCOE), an institute based in Tallinn, Estonia, founded in 2008 that assists NATO with technical and legal issues associated with cyberwarfare-related issues. The center's 215-page study, called the "Tallinn Manual on the International Law Applicable to Cyber Warfare" and published by Cambridge University Press, is intended as a reference for legal advisers for government agencies. It examines existing international law that allows countries to legally use force against other nations, as well as laws governing the conduct of armed conflict. "One of the challenges states face in the cyber environment is that the scope and manner of international law's applicability to cyber operations whether in offense or defense has remained unsettled since their advent," wrote Michael N. Schmitt, project director and chairman of the International Law Department at the U.S. Naval War College, in the manual's introduction. "The threshold questions are whether the existing law applies to cyber issues at all, and, if so, how." The Tallinn Manual was written by a group of experts from nations including Australia, Canada, the U.S., the Netherlands and the U.K. The manual is not NATO's official doctrine but a compilation of views.


E-Mail Service for All Documents in Florida Cases (Futurelawyer, 4 Sept 2012) - E-Mail Service for All Documents in Florida Cases. Well, it's here. Florida attorneys have been busy lately modifying their word processor signature blocks with email addresses, or notifying attorneys in pending cases of their email address. Starting today, all pleadings must be served on opposing counsel via email; but, I suspect that many attorneys will also continue to serve paper copies while the system gears up. Later in the year, it will likely come to pass that Florida lawyers will also be efiling documents with the court system. Welcome to the future.


FTC Publishes Guide to Help Mobile App Developers Observe Truth-in-Advertising, Privacy Principles (BeSpacific, 5 Sept 2012) - "The Federal Trade Commission has published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC's new publication, Marketing Your Mobile App: Get It Right from the Start, notes that there are general guidelines that all app developers should consider.


Police Seizure of Text Messages Violated 4th Amendment, Judge Rules (ArsTechnica, 5 Sept 2012) - At 6:08am, on October 4, 2009, Trisha Oliver frantically called 911 from her apartment in Cranston, Rhode Island when her six-year-old son, Marco Nieves, stopped breathing. The Fire Department took Marco to Hasbro Children's Hospital, where he was found to be in full cardiac arrest. He died 11 hours later. By 6:20am, Sgt. Michael Kite of the Cranston Police Department had arrived at the apartment, where he found Oliver, her boyfriend Michael Patino, and their 14-month-old daughter, Jazlyn Oliver. Kite observed a couple of stripped beds and linens on the floor, a trash can with vomit inside it, dark brown vomit in a toilet, and, crucially, a cell phone on the kitchen counter. Kite picked up the cell phone, and it was at that point -- in the just-released opinion of a Rhode Island state court -- that police proceeded to mangle a murder case and violate Patino's Fourth Amendment rights by viewing text messages without a warrant. Kite viewed a text message on the phone, which was owned by Trisha Oliver, reading "Wat if I got 2 take him 2 da hospital wat do I say and dos marks on his neck omg." The message was sent from Oliver to Patino, although the sending of the message apparently failed. There were other messages on the phone "with profane language and references to punching Marco -- three times -- the hardest of which was in the stomach," according to court records. Patino was arrested and charged with murder. Kite claims he picked up the phone because it was "beeping," and that he thought it might help get in touch with the boy's birth father.
But yesterday, Rhode Island Superior Court Associate Justice Judith Savage threw out nearly all of the evidence police collected from that point on, including the contents of cell phones, phone records and communications provided by Verizon, T-Mobile, and Sprint Nextel, landline phone records, and even Patino's "confession for the death of Marco Nieves." Savage said almost all the evidence obtained by police was "tainted by the illegal search made by Sgt. Kite or the other illegal searches and seizures of cell phones and their contents."


FBI vs. Google: The Legal Fight to Unlock Phones (WSJ, 6 Sept 2012) - A legal battle is brewing between technology companies and the U.S. government over whether law-enforcement agents have the right to obtain passwords to crack into smartphones of suspects. Google Inc. earlier this year refused to unlock an alleged pimp's cellphone powered by its Android software -- even after the Federal Bureau of Investigation obtained a search warrant. Google's unusual and controversial challenge to the search warrant indicates how murky the legal standards are for new technologies such as smartphones. Under the Supreme Court's so-called Third Party Doctrine, government agents can often obtain data stored with third parties without obtaining a search warrant. But that standard doesn't take into account data as sensitive as a password -- which can be the key to unlocking a larger trove of information such as emails, texts, calls and address lists. Asking a third party for a password "is awfully new and aggressive," said Paul Ohm, associate professor at the University of Colorado Law School and former federal prosecutor. "Generally, we don't like the FBI to have access to our keys even with a warrant."

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

CITIBANK BANS CREDIT CARDS FROM USE IN WEB GAMBLING (New York Times, 15 June 2002) -- Citibank has agreed to block use of its credit cards for Internet gambling transactions. The decision came after regulators from New York State told Citibank that it could face criminal prosecution for aiding in the promotion of online gambling, which is illegal in the state. Citibank joins a handful of other major credit card issuers, including ProvidianBank, that have already said they will try to block use of their cards for Internet gambling. Citibank, with 33 million Visa and MasterCard holders, is the nation's largest credit card issuer. Other banks have said they are blocking the transactions because of the unclear legal status of online gambling, but also because of the financial realities that many customers refuse to pay gambling charges, often arguing that someone else used their card to place the bet. But the Citibank decision raises another possible stumbling block for banks that allow their cards to be used for online gambling transactions - the prospect of criminal prosecution. http://www.nytimes.com/2002/06/15/business/15GAMB.html

ISRAELI DEVICE DETECTS CELL PHONES ACTING AS BUGS (New York Times, 10 June 2002) -- Imagine your company is holding secret talks to buy another firm when your main competitor suddenly snaps it up from under your nose, apparently aware of all the details of the negotiations. While you instigate a widespread investigation, the culprit could be nothing more sinister than a cell phone "accidentally" left in the corner of the room, placed in a plant pot or taped under the boardroom table. With a slight modification, cell phones become high-quality bugs. An owner can call the phone from anywhere in the world without it emitting a ringing tone while its screen remains blank, apparently turned off. "The beauty of the cell phone as a bug is that it's an innocent looking and ubiquitous object," said Ben Te'eni, co-founder of Netline Communications Technologies, which has developed a device for detecting cell phone communications, especially from cell phones in apparently dormant mode. http://www.nytimes.com/reuters/technology/tech-tech-israel-netline.html

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.