Saturday, October 20, 2012

MIRLN --- 1-20 October 2012 (v15.14)

MIRLN --- 1-20 October 2012 (v15.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | PODCASTS | RESOURCES | DIFFERENT | LOOKING BACK | NOTES

ANNOUNCEMENT

As you may know, I sit on the board of the Internet Bar Organization. Their PeaceTones initiative (helping musicians protect and distribute their music to international markets) was recently nominated for the Innovating Justice Awards for their work. Please help support PeaceTones by taking a minute and voting quickly at http://www.innovatingjusticeawards.com/View-Idea/165?idea=1660 . Thanks!

top

Rent-To-Own PCS Surreptitiously Captured Users' Most Intimate Moments (Ars Technica, 24 Sept 2012) - Seven rent-to-own companies and a software developer have settled federal charges that they used spyware to monitor the locations, passwords, and other intimate details of more than 420,000 customers who leased computers. The software, known as PC Rental Agent , was developed by Pennsylvania-based DesignerWare. It was licensed by more than 1,617 rent-to-own stores in the US, Canada, and Australia to report the physical location of rented PCs. A feature known as Detective Mode also allowed licensees to surreptitiously monitor the activities of computer users. Managers of rent-to-own stores could use the feature to turn on webcams so anyone in front of the machine would secretly be recorded. Managers could also use the software to log keystrokes and take screen captures. "In numerous instances, data gathered by Detective Mode has revealed private, confidential, and personal details about the computer user," officials with the Federal Trade Commission wrote in a civil complaint filed earlier this year. "For example, keystroke logs have displayed usernames and passwords for access to e-mail accounts, social media websites, and financial institutions." In some cases, webcam activations captured images of children, individuals not fully clothed, and people engaged in sexual activities, the complaint alleged. Rental agreements never disclosed the information that was collected, FTC lawyers said.

top

In Clickwrap Data Pass Contract Dispute, Second Circuit Sacks E-mail Notice of Post-Transaction Terms (Proskauer, 25 Sept 2012) - In an important opinion on the enforceability of online contract terms, Senior Circuit Judge Robert D. Sack walks through the last decade and a half of online contracting law on the way to invalidating an arbitration provision in an agreement involving a so-called Web loyalty program. Judge Sack concluded in Schnabel v. Trilegiant Corp. , 2012 U.S. App. LEXIS 18875 (2d Cir. 2012), that an arbitration provision contained in an e-mail sent to consumers after they enrolled in such a program did not provide sufficient notice to support a conclusion that they had assented to arbitrate. It is worth noting that two forms of notice of the arbitration provision were actually alleged to have been provided to the consumer: the post-transaction e-mail, and a clickable link to the "Terms and Conditions" of the agreement that was presented at the time of enrollment in the disputed program. The efficacy of the second form of notice was not before the court, however, because that issue was deemed to have been waived at the lower court level. Thus, whether the presentation of the clickable link to the terms was sufficient notice of the arbitration provision was addressed with the comment that it "might have created a substantial question" as to whether the arbitration provision was enforceable.

top

Apple Shareholders Request Information From Board on Privacy/Security Risk (Mintz Levin, 26 Sept 2012) - This week, Apple shareholders requested that its Board of Directors publish a report explaining how the board oversees privacy and data security risks. The proposal, which is available here , was prompted by concern that recent issues such as the unauthorized access to iPhone users' address books and the release of one million Unique Device IDs could place the company's growth opportunities at risk. The shareholder proposal references a recent study conducted by Carnegie Mellon University's Cylab that made various recommendations to boards including, annual reviews of privacy and security programs to gage effectiveness and identify gaps and requiring regular privacy and security reports from management. The interest in privacy and security as risk management issues at both the shareholder and board level is increasing. A recent study conducted by Corporate Board Member & FTI Consulting, Inc. surveyed 11,340 corporate directors and 1,957 general counsel regarding legal risks on their radar. For the first time in the 12 years since the study has been conducted, data security was noted as the most prevalent concern among both directors (48 percent) and general counsel (55 percent). This level of concern has almost doubled in the last four years. For instance, in 2008, only 25 percent of directors and 23 percent of general counsel identified data security as an area of great concern. Moreover, 33 percent of general counsel surveyed believe their board is not effective at managing cyber risk. This is one of the lowest ratings among the 13 risk management areas surveyed.

top

Department of Commerce Goes Live with FOIAonline (DoC, 1 Oct 2012) - Today, as part of administration-wide efforts to ensure public trust through transparent, efficient, and effective government, the Department of Commerce launched a new online tool through which the public can submit Freedom of Information Act (FOIA) requests. The interface, FOIAonline , will enable the public and departmental FOIA professionals to access an automated online tracking and records management system for the first time. Additionally, the system will eliminate the need for individuals to search for contact information when submitting requests for multiple agencies, thereby speeding up the FOIA process. FOIAonline will also automatically provide tracking numbers for requests much like consumers use to track packages online. The requester can then view the status of the request online, eliminating the wait time for manual replies from agencies. Further, FOIAOnline will enable Commerce to publish FOIA documents in electronic format with the request, which will decrease the duplicate requests workload while allowing the public access to more information. This availability of additional information will allow greater detail for researchers, journalists and the public.

top

YouTube Introduces 'Appeals Court' for Copyright Fights (Mashable, 3 Oct 2012) - Ever had a video taken down on YouTube because a copyright holder claimed you're using some of their footage without permission? As of Wednesday, you've got one extra shot at appealing that decision. Previously, if you believed your video did not infringe on copyrighted content, you could file a "dispute" with the video giant. But if the rights holder disputed your dispute, you were fresh out of luck. The video stayed down. Now YouTube has added a second and third layer to the process - the "appeal." If a content holder still insists you're using their material without permission after you appeal, they have to go the extra mile and file a DMCA takedown notice. In the meantime, your video will go back up. If you appeal that takedown notice, the copyright holder will have to take the case to court - but you'll also have one "strike" against you on YouTube. Three strikes and you're out of the service.

top

Patriot Act Focus Ignores Governmental Access to Data in the Cloud in Multiple Jurisdictions (Hogan Lovells, 3 Oct 2012) - This article examines the extent to which access to data in the Cloud by governments in various jurisdictions is possible, regardless of where a Cloud provider is located. "Governmental access," as that term is used here, includes access by all types of law enforcement authorities and other governmental agencies, recognizing that the rules may be different for law enforcement and national security access Governments need some degree of access to data for criminal (including cybercrime) investigations and for purposes of national security. But privacy and confidentiality also are important issues. This paper does not enter into the ongoing debate about the potential for excessive government access to data and insufficient procedural protections. Rather, this White Paper undertakes to compare the nature and extent of governmental access to data in the Cloud in many jurisdictions around the world.

top

Look Out, LegalZoom! Jacoby & Meyers Gets into Legal Forms (WSJ, 3 Oct 2012) - There may be a glut of attorneys chasing pricey corporate work these days, but one law firm is placing its bets on increased demand at the budget end of the spectrum. Jacoby & Meyers LLC, the firm that decades ago pioneered legal advertising on television, is going into the legal forms business. It's happening via a licensing deal with USLegal Forms Inc. The firm gets access to some 85,000 legal templates and documents, as well as a very Google GOOG +1.43%-friendly domain name, LegalForms.com. The move puts Jacoby & Meyers-which bills itself as "America's Most Familiar Law Firm"-in a position to take on companies such as LegalZoom.com Inc., which provide consumers with a very cheap alternative to lawyers: do-it-yourself legal documents for divorces, wills, real estate leases and other routine transactions. The difference here, according to Jacoby & Meyers, is that the firm will be able to augment the bare-bones product-say, a $20.95 will for a New York resident with no children-with legal advice from its own attorneys. That's something other form providers cannot do, because in the U.S., only businesses that are wholly lawyer-owned are permitted to practice law. "We're going to have three options," Keith Givens, a national partner with the firm, said of the expansion into providing legal forms. "There's the do-it-yourself, it's extremely affordable. Or if you want to talk to a lawyer, it would probably be a little more." Then there's the full-service model, where a firm lawyer guides the client through the transaction in the traditional manner (often for a fixed-fee or on a contingency basis).

top

Lawsuits by Doctor, Dentist Over Patients' Reviews Dismissed (CMLP, 4 Oct 2012) - A doctor in New York and a dentist in Oregon have both found out that it may not be easy to sue for libel over online reviews of their services, after their separate lawsuits were both dismissed. And it turns out that most of the dentists and doctors who have sued over online reviews have reached similar results. In the New York case , doctor Trilby J. Tener sued over a comment posted to the physician review website vitals.com . The comment, posted April 12, 2009, stated that "Dr. Tener is a terrible doctor. She is mentally unstable and has poor skills. Stay far away!!!" Dr. Tener discovered the comment when she did a Google search for herself on May 28, 2009. But she did not file suit until April 8, 2010, four days before the expiration of the one-year statute of limitations (running from the day when the statement was initially posted). She then attempted to amend the complaint on June 8, 2010 to change the named defendant, claiming that it took that long to determine who was responsible for the posting. These cases stand as data points showing growing trend. According to this list of lawsuits (pdf) brought by doctors and dentists over online reviews of their services compiled by Eric Goldman of Santa Clara School of Law, physicians have not been very successful in such suits. Several suits have been dismissed under anti-SLAPP statutes. See Gilbert v. Sykes , 53 Cal. Rptr. 3d 752 (Cal. App. Ct. 2007); Kim v. IAC/InterActive Corp. , 2008 WL 3906427 (Cal. App. Ct. 2008); Wong v. Jing , 189 Cal. App. 4th 1354 (Cal. App. Ct. 2010); Rahbar v. Batoon , No. CGC-09-492145 (Cal. Super., San Francisco filed Sept. 2, 2009), No. CGC-10-502884 (Cal. Super., San Francisco filed August 20, 2010), and No. CGC-11-515742 (Cal. Super., San Francisco filed Sept. 8, 2011). (In one case, the court declined to dismiss a doctor's lawsuit under Maine's anti-SLAPP law, finding that the plaintiff was likely to be able to prove that the patient fabricated the story posted on the review site. See Lynch v. Christie, 2011 WL 3920154 (D. Me. Sept. 7, 2011), appeal dismissed, No. 11-2172 (1st Cir. 2011).) Others have been dismissed under section 230 of the Communications Decency Act . Other cases were withdrawn, and some settled.

top

Social Media Fails the '47 Percent' Video Taper (Columbia Journalism Review, 4 Oct 2012) - When Mother Jones premiered the now-infamous 47 percent video on September 17, it received two million views in 24 hours and rapidly changed the discourse surrounding the campaign. The next morning, some outlets were already asking, "Is Mitt Romney over?" But why did the source of the video go to a news outlet like Mother Jones , instead of distributing it independently? The last decade, after all, has seen a rise in citizen and crowd-sourced journalism. The source tried; a Buzzfeed chronology shows repeated attempts to distribute the material starting two weeks after the May 17 fundraiser. But the story didn't go viral until David Corn, Washington bureau chief at Mother Jones , convinced the source to give him the whole tape, portions of which were used in Corn's Sept. 17 story. That four-month process would suggest that civilians can act as civic watchdogs, chronicling events of huge news value, but that journalists are still needed to verify and contextualize the findings before they break as news.

top

Gotcha! Group Uncovers Privacy Lies in Websites' Fine Print (InfoWorld, 5 Oct 2012) - What are the odds that the average person reads the ToS (terms of service) before signing on to a new social networking site, email service, or any other service or software? Probably slightly worse than the odds that the average user will, indeed, RTFM (read the freaking manual) before calling the help desk when trying to figure out a new software or service. In other words: slim to nil. A group of privacy enthusiasts has launched a free, open-source-inspired project called Terms of Service; Didn't Read (ToS;DR) in the hopes of helping users make better-informed choices before blithely clicking Agree when presented with those walls of legalese. By the group's assessment, clicking "I have read and agree to the terms of service" is the "biggest lie on the Web." That tendency to blindly agree to ToS is understandable. The wording tends to be dense and confusing to the point that you need a lot of time -- and perhaps a law degree -- to realize whether your click means you're about to hand over all rights to your personal data; your self-created content; personal info on your friends, family, and peers; and more. That's where ToS;DR comes in. It's a website that rates and labels site terms of privacy policies, from very good (Class A) to very bad (Class E). Per the creators' description of the project, "We are three volunteers who met through free software and online rights advocacy. We are trying to fight the unfair situation in which big websites make us sign Terms-of-Service agreements that are too long to read and understand."

top

Facebook's Email Scanning Isn't A Privacy Issue, It's A Credibility Issue (ReadWriteWeb, 5 Oct 2012) - Facebook confirmed on Thursday that it scans private messages for links and records them as likes, according to the Wall Street Journal and other news outlets. The revelation undermines not only Facebook's commitment to remove phony links but the company's very credibility. Facebook has not kept secret its scanning of private messages for references to criminal activity. What is new is that it also looks for links and records those as likes. This practice gives the appearance that more people are liking more things on the social network. Facebook clarified the discovery, noting that the scanned links were counted as engagement, not endorsement. It also said there was a bug that had scanned links being counted as double, but it conceded that this was one of the ways it boosted the number of shares. But the main thrust of the statement was to stress that no private user information was shared. "Absolutely no private information has been exposed," the company said, and "when the count is increased via shares over private messages, no user information is exchanged, and privacy settings of content are unaffected." This statement misses the point. Facebook's practice of scanning messages and counting links as likes isn't a privacy issue. It's common knowledge that what users do online - even in so-called private messaging - is potentially public. Rather, Facebook's activity raises a credibility issue. It shows that the company is fudging the numbers when it comes to advertising.

top

Judge Dismisses Claims Against Pandora for Violating Michigan's Version of the VPPA (Venkat Balasubramani, 5 Oct 2012) - The plaintiffs sued Pandora for improperly disclosing their "listening history" and related information (bookmarked tracks, stations, recent activity, and bookmarked artists). Plaintiffs alleged that Pandora disclosed this information in violation of Michigan's version of the federal Video Privacy Protection Act (VPPA) to other Pandora users, non-subscribers, and finally through Facebook integration to their Facebook friends. Judge Armstrong of the Northern District dismisses the lawsuit. Although the dismissal is without prejudice, the judge sends a signal that this lawsuit is probably dead. The key question was whether Pandora engaged in "selling . . . , renting, or lending . . . sound recordings." While the VPPA only covers " video cassette tapes or similar audio visual materials ," states have added their own protections to the mix. California, for example, enacted the Reader Privacy Protection Act. (See Eric's post on that statute and its possible breadth here .) There's an argument to be made that music should be treated differently from books and videotapes because books and videotapes typically provide more insight into a person's intellectual direction and shouldn't be disclosed to third parties without consent. In any event, the Michigan statute covers "sound recordings" so music obviously comes within this definition. There is of course a big question about whether the Michigan statute (which was enacted more than 20 years ago) was even intended to apply to services such as Pandora. The answer has to be no, but the court gets to this result by analyzing the text of the statute with copyright licensing concepts overlaid on top. In contrast, the Hulu decision from a couple of weeks ago denied Hulu's motion to dismiss. The differences in text between the VPPA and the Michigan statute probably accounts for this variation. The VPPA defines consumers as anyone who "rents, purchases, or subscribes ," and defines a provider as anyone engaged in the business of "rental, sale, or delivery " of videos or similar audio visual materials. Pandora also raised a consent argument based on its terms of service. The court doesn't rely on this argument, and it's unclear if the Michigan statute's exception for written consent applies to online terms. This is an ongoing battle in the VPPA realm. See the testimony of Prof. McGeveran with respect to the consent provisions of the VPPA: " Testimony of William McGeveran ".

top

Tips for Updating Your Company's Social Media Policy (Mashable, 6 Oct 2012) - As social media continues to evolve, it's important for us to keep up with the changes. Back in 2009, Mashable published one of the first articles about what to include in a social media policy . It is still relevant today, but social media has changed. This year, the National Labor Relations Board (NLRB) has issued three reports regarding social media in the workplace. The last one was specifically focused on social media policies. Jon Hyman, partner in the labor and employment group of Kohrman Jackson & Krantz P.L.L . and author of the Ohio Employer's Law Blog , provides a brief overview of these three NLRB reports. "The first two reports focus primarily on what is, and what is not, protected concerted activity under the National Labor Relations Act (NLRA). In summary, the NLRA gives all private-sector employees (whether or not in a labor union) the right to engage in protected concerted activity - to talk between and among themselves about wages, benefits and other terms and conditions of employment." The third report was unique in that it focused on social media policies. Hyman explains the big takeaway for employers in the report. "It is very difficult for a business to craft a social media policy with any substance behind it that will pass muster with the NLRB's Office of General Counsel. The NLRB's position on social media policies remains an absolute mess. Employers need to be able to adopt bright line rules to guide their employees towards proper conduct. Yet, this report puts employers in the dangerous position of being fearful of drawing even the simplest of lines. The result is that businesses will be fearful of adopting any rules, creating online anarchy among their employees."

top

Anatomy of a Brokerage IT Meltdown (Information Week, 8 Oct 2012) - The network slowdown was one of the first clues that something was amiss at GunnAllen Financial, a now defunct broker-dealer whose IT problems were only a symptom of widespread mismanagement and deeper misconduct at the firm. It was the spring of 2005. Over a period of roughly seven business days, traffic had slowed to a crawl at the Tampa, Fla.-based firm, which had outsourced its IT department to The Revere Group. GunnAllen's acting CIO, a Revere Group partner, asked a member of the IT team to investigate. Dan Saccavino, a former Revere Group employee who at the time served at GunnAllen as the IT manager in charge of the help desk, laptops, and desktops, says he and another network engineer eventually pinpointed the cause of the slowdown: A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem. As a result, none of the company's trades, emails, or phone calls were being archived, in violation of Securities and Exchange Commission regulations. Despite the fact that at least five people at The Revere Group knew about the engineer's action, it's unclear whether it was reported at the time to GunnAllen or regulators. The SEC didn't reference the incident in a subsequent announcement about a settlement with GunnAllen for unrelated privacy and data security violations, and interviews with former Revere Group employees reveal that regulators may have known about only a fraction of the data security failures at the firm. What follows is a chronicle of one firm's myriad IT and other missteps over a period of at least four years, as related by former employees and various official documents. It's a cautionary tale of what happens when a company tosses all IT responsibility over a wall and rarely peeks back. It also reveals what happens when an IT outsourcing vendor gets in over its head, and it points to the failures of regulators to identify and clean up a corporate mess on a grand scale.

top

Court: Taking Over Employee's Social Media Account A-OK Under CFAA (Ars Technica, 8 Oct 2012) - A federal judge rejected a Pennsylvania woman's argument that her employer violated a federal anti-hacking statute when it took control of her LinkedIn account after firing her. The court ruled the harms cited by the plaintiff were too speculative to pass muster under the Computer Fraud and Abuse Act (CFAA). Linda Eagle was the head of a company called Edcomm when it was acquired in 2010. But relations soured and Eagle was fired the following year. Eagle had shared her LinkedIn password with another Edcomm employee so that she could help Eagle manage the account. When Eagle was shown the door, her former assistant changed the password on her account, freezing Eagle out of it. Edcomm then replaced Eagle's name and picture with the name and photograph of her successor. Eagle sued in federal court, arguing, among other things, that the company's actions violated the Computer Fraud and Abuse Act. But the court dismissed that argument last week. The CFAA requires the plaintiff to demonstrate she was harmed by the defendant's unauthorized access to a computer system. Eagle had argued the loss of her LinkedIn account damaged her reputation, since she was unable to respond in a timely fashion to messages sent to her on the site. She also claimed that as a result, she lost business opportunities including one valued at more than $100,000. But the court ruled those were not the kind of harms that triggered liability under the CFAA. "Plaintiff is not claiming that she lost money because her computer was inoperable or because she expended funds to remedy damage to her computer. Rather, she claims that she was denied potential business opportunities as a result of Edcomm's unauthorized access and control over her account." Lost opportunities are "simply not compensable under the CFAA," the court ruled. The court also ruled that reputational harms were not grounds for a CFAA lawsuit.

top

DLA Demands Chip Makers Tag Products With Plant DNA (Aol Defense, 8 Oct 2012) - November, the Defense Logistics Agency will require companies selling microcircuits to the military to stamp their products with an unlikely seal of authenticity: plant DNA. It's an innovative initiative in the fight against counterfeit computer chips, which has been a major concern in the Senate, but it's only one piece of the answer. DLA plans to put out a formal Request For Information sometime this month to ask industry to offer other, complementary authenticity-checking technologies, and Congress is watching closely. The brilliance of DNA tagging is that it's inexpensive, widely applicable, and virtually unhackable, at least according to its inventors. [James] Hayward's firm starts with natural plant DNA. Then they engineer it -- the process is a trade secret -- to create unique strands of genetic code, which in various formulations can be mixed with ink used to mark products or directly infused into materials used to make them like silicon, plastic, wire, or textiles. The technology is already widely used in bank notes in Europe, where it has helped convict more than 30 counterfeiters. Applied DNA is even experimenting with ways to "tag" diesel fuel. Once the DNA is embedded in the product, by whatever means, you detect it with a swab test, or you can shine a CSI-style black light (provided by Applied DNA) onto the tag: If it reflects a particular wavelength, it's authentic.

top

Supreme Court Allows Wiretapping Immunity Law to Stand (Ars Technica, 9 Oct 2012) - The Supreme Court declined to review a lower court ruling in a case that challenged a Bush-era law (the FISA Amendments Act), retroactively giving telecommunications firms-including Verizon, Sprint, and AT&T-legal immunity after performing warrantless wiretapping at the government's request. The case, Hepting v. AT&T , was a class-action suit filed in 2006 by the American Civil Liberties Union and Electronic Frontier Foundation on behalf of customers. They originally sought billions of dollars in damages by arguing the telecom firms violated both users' privacy and federal law. However, in the wake of this lawsuit and others like it, Congress passed the retroactive immunity law (FISA AA). The central question in the Hepting case was whether these immunity provisions were constitutional. In 2011, the Ninth Circuit Court of Appeals affirmed (PDF) the district court's ruling, which confirmed congressional authority to delegate oversight power-allowing the Attorney General to step in and halt private party telecom cases in certain circumstances, such as Hepting . The Ninth Circuit found the US Constitution does not forbid such delegated action. However, the EFF still has another case pending, Jewel v. NSA , which targets the federal agencies involved as well as the government officials behind them (including President George W. Bush and other members of his administration).

top

Social Media as Client Retention Tool for Law Firms (Kevin O'Keefe, 10 Oct 2012) - I was meeting with the head of business development for a 300 person law firm within the last couple weeks. Rather than discussing the tactics of social media, we were focused on strategy. When we got to discussing the target audience the firm wanted to reach through social media, he said there were three audiences and in this order. One, current clients. Two, mainstream media and bloggers. And three, prospective clients. This business development professional was much more concerned about retaining clients and expanding the legal work it was doing for these clients than gaining prospective clients. The firm's profitability had come from doing work across various practice areas for the same clients. They did it through nurturing relationships with these clients. Now turning to social media, the firm wanted to stay true to this strategy. Wise move. A recent study from the Social Habit , a social media research company, finds that 53% of Americans who follow brands in social media are more loyal to those brands. The business development professional I was meeting with is not alone. A number of our client law firms have told me they need not get one new client for their blogging and other social media efforts to be a success. Clients have told these law firms they want the firm's lawyers to keep them up to speed with legal information and insight. Clients expected this because of the substantial fees they were paying. More than alerts and legal newsletters, the info clients are looking for is similar to that being quickly shared between the firm's lawyers by email. Firms are now sharing such insight via blogs. Finally law firms are finding that if their lawyers are viewed as thought leaders and the 'go to' lawyer in their field, there is less pressure to reduce rates. Blogging and other social media allows lawyers to maintain or acquire such status.

top

Obstacles to Open Access to Law (Lawyerist, 10 Oct 2012) - To some extent, the Law Via the Internet conference is a catalog of the difficulties involved in publishing the law, which are magnified when you do it digitally. When you have effectively infinite copies, how do you ensure that the copy you have is accurate one before you submit it to the court? Moreover, if you are submitting, say, an unpublished opinion with a declaration or in an appendix, in what format do you submit it so that the court can check its accuracy, too? This is not solved merely by using established research services. The former SCOTUS reporter said he had a file full of evidence of errors from Westlaw and LexisNexis. Nearly all the citations in the briefs we file are proprietary, based on the reporter volumes published by private companies. Effectively, that makes it difficult to cite a case unless you have access to Westlaw or Lexis. Even Fastcase, which does an excellent job attaching citations to cases, has to wait for Westlaw or Lexis to publish the case so it can get the cite. Putting law in the public domain where it belongs require a public domain system of citation that does not depend on third parties. This is long overdue. Getting the law into the world doesn't count if you still need a private entity's pricey directions in order to find it. Once you solve all those problems, you can start worrying about things like crowdsourced headnotes and collaborative annotation .

top

- and -

ABA Asks Lawyer-Blogger to Take Down ABA Ethics Opinion (Lawyerist.com, 18 Oct 2012) - If you try to publish an ABA ethics opinion on your blog without first seeking permission, you can apparently expect a copyright takedown notice. That's what lawyer-blogger Ernie Svenson got (PDF) when he published ABA Formal Ethics Opinion 06-442 . I had to link to it in Google's cache because PDF for Lawyers apparently got the same notice and the ABA won't give it to you unless you pay $20. The ABA has every legal right to claim copyright on its ethics opinions and sell them. It is a private company, not a governmental entity. However, it also has the right to have those ethics opinions ignored by everyone because they aren't freely available for review and comment. Open access to regulations is essential if you want anybody to follow them or take them seriously. Read Ethics Alert: Be Careful About Posting ABA Formal Ethics Opinions On The Web on Ernie the Attorney. [Polley: increasing blow-back on this by Carolyn Elefant on 19 Oct 2012.]

top

South Carolina Supreme Court Creates Split with Ninth Circuit on Privacy in Stored E-Mails (Volokh Conspiracy, 10 Oct 2012) - In the last decade, lower courts have divided on the proper privacy protections that apply to opened e-mail held by Internet service providers. The Stored Communications Act gives high privacy protection to e-mails in the course of delivery, and then gives lesser privacy to remotely stored files in the cloud. The difficult question is how to treat opened e-mails held by an ISP: After the user has looked at the e-mail and read it, does the Stored Communications Act treat that copy of an already accessed e-mail stored on the server as an e-mail in the course of delivery or does it treat that copy as a remotely stored file in the cloud? In Jennings v. Jennings , handed down today, the Supreme Court of South Carolina considered this question in the context of access to opened e-mails held by Yahoo!. The case involves a domestic dispute. A husband was cheating on his wife, and the wife's daughter-in-law figured out the husband's e-mail password and logged in to his personal account to read the e-mails between the husband and his paramour. The daughter-in-law found the e-mails and shared them. The husband filed suit under several laws including the Stored Communications Act, 18 U.S.C. 2701, which only allows a civil suit if the e-mails accessed were in "electronic storage." In the Jennings case, all five Justices agreed that the e-mails viewed by the daughter-in-law were not in "electronic storage" under the definition. But they divided sharply as to why, with no view getting a majority.

top

Netflix Settles with Deaf-Rights Group, Agrees to Caption All Videos By 2014 (Ars Technica, 10 Oct 2012) - In an agreement that the National Association for the Deaf (NAD) calls "a model for the streaming video industry," Netflix has agreed to caption all of its shows by the year 2014. The online-streaming giant is already captioning 82 percent of its videos, according to the consent decree [ PDF ] filed in court yesterday. Now, it's bound to finish its entire library, reaching the 90 percent mark in 2013 and 100 percent by 2014. The company has also agreed to speedily caption new content. The agreement says that Netflix will put captions on new content within 30 days by 2014; within 14 days by 2015; and within 7 days by 2016, "and shall strive to reach a point at which Conforming Captions are provided simultaneously with launch at all times." Netflix provides its service on more than 1,000 devices; its captioning service works on most, but not all, of those. The company promises to make "good faith, diligent efforts" to get it working on all devices, but it isn't obligated to get 100% device compatibility. The agreement ends a class-action lawsuit that NAD filed in 2010, claiming that Netflix's website was a "place of public accommodation" that was out of compliance with the Americans with Disabilities Act.

top

Court Deals Double Whammy To Government On Email Searches (Steptoe, 11 Oct 2012) - A federal magistrate in Kansas has ruled in In the Matter of Applications for Search Warrants for Information Associated With Target Email Address that the government must use a search warrant to obtain any stored electronic communications, contrary to the Electronic Communications Privacy Act. Even more significantly, the magistrate determined that the typical warrant used by law enforcement for electronic communications -- which demands all communications associated with a particular account -- is invalid for lack of particularity. Rather, the magistrate ruled, the warrant must state with specificity which emails are to be disclosed so that the communications provider can separate the communications relevant to the crime under investigation from purely innocent communications. This is the first reported decision to apply the Fourth Amendment's particularity requirement in this way. If upheld, it would deal a sharp blow to the government's longstanding method of seeking communications content from providers. Ironically, by limiting the government to only specified categories of email, the decision could impose new burdens on communications providers, since it would likely be left to them to sort through all the emails in an account to determine which ones fit the specific criteria set out in a warrant.

top

Hathitrust Wins on Fair Use, and Just About Everything Else (Matthew Sag, 11 Oct 2012) - Yesterday, District Judge Harold Baer , Jr., handed down his decision in Authors Guild v. HathiTrust , a case that spins out of the long-running Google Books dispute. The decision is a landmark win for the HathiTrust, the University defendants, people with print-disabilities, Google, the Digital Humanities and, I would argue, for humanity in general. The HathiTrust is a digital repository of millions scanned university library books that became available to various universities by virtue of the Google Books project. About 3/4 of the books are still in copyright. In 2011 HathiTrust announced plans to embark on an innovative orphan works program (OWP), but dropped (or at least shelved) the plan soon after in light of criticism as to its implementation. Spurred into action by the OWP, in September 2011 the Authors Guild filed a copyright lawsuit against HathiTrust, five universities, and multiple university officials. The Authors Guild suit alleged that library digitization for any purpose amounts to copyright infringement. The purposes specifically under attack in this case were (i) preservation; (ii) to enable non-expressive use such as conducting word searches; and (iii) to facilitating access by persons who are blind or visually impaired. This is not about scanning books to make extra copies for the public at large. As the Court explained, "No actual text from the book is revealed except to print-disabled library patrons at [University of Michigan]." Authors Guild v. HathiTrust, p 16. This case was about library digitization for three specific purposes, preservation, disabled access and non-expressive uses such as text searching and computational analysis. Here is quick and dirty summary of the key copyright issues:

· Digitization to provide access for the print-disabled held to be transformative use and, on balance, fair use.

· Digitization to provide for print-disabled students held to be (i) an obligation of universities under the ADA, (ii) fair use under section 107 of the Copyright Act and (iii) enabled by section 121 of the Copyright Act.

· Section 108 the Copyright Act was held to expand the rights of libraries, not limit the scope of their fair use rights in any way, shape or form. Given the text says "Nothing in this section . . . in any way affects the right of fair use as provided by section 107" any ruling to the contrary would have been pretty shocking.

· Digitization to create a search index held to be a transformative use, and, on balance, fair use.

[Polley: see also Prof. James Grimmelmann's post on this; "The opinion doesn't even make it seem like a close case. On every substantive copyright issue, HathiTrust won." EFF's take on the ruling is here .]

top

When In France, Don't Tie Yourself Up (Steptoe, 11 Oct 2012) - French companies looking to monitor their employees' communications should make sure they haven't unwittingly restricted themselves more than the law requires. France's highest court recently ruled in Monsieur X v. YBC, Helpevia that the right of an employer to read its employees' work-related emails can be limited by the company's own internal rules. As a general principle, this should be self-evident. The notable thing about this decision is that it interpreted a company's restrictions on email monitoring rather broadly, thus breaking with the Court's recent employer-friendly rulings on workplace privacy. The decision is also a reminder of the importance of careful drafting when it comes to company policies dealing with privacy issues.

top

Cyber Risks - an Insurance Perspective (Kennedys, 11 Oct 2o12) - Both socially and in business, we are increasingly using IT systems to interact with one another and to buy things. The rapid development and growing range of mobile internet devices - from smartphones to tablets - has further increased our use of online systems. Although the internet with its incredible connective power has created opportunity on a vast scale, there is a darker side to cyberspace. The variety and sophistication of cyber risks have increased to such an extent that, in 2011, the World Economic Forum named cyber attacks as one of the top five threats facing the world. Insureds facing cyber risks and liabilities need to be aware that traditional policies may not protect them. This article considers the various types of cyber risks; why traditional policies might not respond to such risks; why regulatory developments might make cyber cover a must-have form of cover; the rapidly growing market of specialist cyber-risks insurance products; and cloud computing.

top

American Bar Association Becomes First Nonprofit to Earn National Certification for Disaster Preparedness (4 Traders, 15 Oct 2012) - The American Bar Association is the first not-for-profit organization in the country to be certified for disaster preparedness and response under the Voluntary Private Sector Preparedness Program, PS-Prep™, approved by the Department of Homeland Security. The association is only the second U.S. business to achieve this distinction. "Our nearly 400,000 members and the public can rest assured that the ABA can recover from a severe business interruption and continue to serve their needs," said ABA President Laurel Bellows. "The organizational resilience that disaster preparedness provides is critical in an increasingly unpredictable environment of global terrorism and frequent natural disasters." Administered by DHS's Federal Emergency Management Agency, PS-Prep™ is a voluntary accreditation and certification program that promotes preparedness standards and best practices for private-sector recovery from natural disasters and other business interruptions. "Private organizations play a critical role in ensuring the resiliency of our nation," said DHS Secretary Janet Napolitano. "I applaud the American Bar Association for achieving PS-Prep™ certification and strongly urge other private sector partners to work with the PS-Prep™ program to further enhance the readiness and preparedness of our country." In 2010, then-ABA President Stephen Zack and the ABA Special Committee on Disaster Response and Preparedness initiated a review of the association's business interruption and recovery plan, eventually leading to the development of a new, more robust business-continuity management system two years later. Originally focused just on protection of data and information systems, the new ABA plan is a more comprehensive, standardized mitigation of risks, broadened to include operational risk management and multi-year budgeting, not only for technology systems but also for people, facilities and third parties for critical operations. The ABA business continuity plan conforms to the British code of practice for business continuity management, British Standard 25999-2:2007, one of three private-sector standards selected by DHS.

top

Computer Viruses Are "Rampant" on Medical Devices in Hospitals (Technology Review, 17 Oct 2012) - Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other device brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features. In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufactures will not modify or allow the hospital to change-even to add antivirus software-because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says. As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel. The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security & Privacy Advisory Board , of which Fu is a member, in Washington, D.C. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.

top

NOTED PODCASTS

Fair Use for Education: Taking Best Practices to the Next Level (Berkman, 72 minutes; 2 October 2012) - Over the past two decades copyright law has become a major impediment to learning and teaching processes. The use of copyrighted materials for educational purposes is, indeed, at the core of fair use. Yet, the high level of uncertainty regarding the particular scope of permissible uses prevents universities and colleges from exercising fair use on behalf of their students. In this talk, Niva Elkin-Koren - former dean of the University of Haifa Faculty of Law and the founding director of the Haifa Center for Law & Technology (HCLT) - shares some insights based on the building of a coalition of higher education institutions in Israel and drafting a code of fair use best practices. [Polley: I was especially interested in the idea of using coalitions of universities to create "best-practices" as shields - mirrors work that I did with the ABA in the late 1990s on email/internet usage policies.]

top

RESOURCES

World Bank "Doing Business" Law Library (World Bank, Oct 2012) - The Doing Business law library is the largest free online collection of business laws and regulations. We link to official government sources wherever possible. Translations are not official unless indicated otherwise. We update the collection regularly but are unable to guarantee that laws are the most recent version.

top

DIFFERENT

The Measurement that Would Reveal the Universe as a Computer Simulation (Technology Review, 10 Oct 2012) - One of modern physics' most cherished ideas is quantum chromodynamics, the theory that describes the strong nuclear force, how it binds quarks and gluons into protons and neutrons, how these form nuclei that themselves interact. This is the universe at its most fundamental. So an interesting pursuit is to simulate quantum chromodynamics on a computer to see what kind of complexity arises. The promise is that simulating physics on such a fundamental level is more or less equivalent to simulating the universe itself. There are one or two challenges of course. The physics is mind-bogglingly complex and operates on a vanishingly small scale. So even using the world's most powerful supercomputers, physicists have only managed to simulate tiny corners of the cosmos just a few femtometers across. (A femtometer is 10^-15 metres.) That may not sound like much but the significant point is that the simulation is essentially indistinguishable from the real thing (at least as far as we understand it). It's not hard to imagine that Moore's Law-type progress will allow physicists to simulate significantly larger regions of space. A region just a few micrometres across could encapsulate the entire workings of a human cell. Again, the behaviour of this human cell would be indistinguishable from the real thing. It's this kind of thinking that forces physicists to consider the possibility that our entire cosmos could be running on a vastly powerful computer. If so, is there any way we could ever know? Today, we get an answer of sorts from Silas Beane, at the University of Bonn in Germany, and a few pals. They say there is a way to see evidence that we are being simulated, at least in certain scenarios. [Polley: I love this kind of stuff - in 2007 I ran a MIRLN story about it, from the New York Times ]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

RIP PKI. WHY A SECURITY PLATFORM NEVER TOOK OFF (CIO, June 2002) -- PKI is dead. Mercifully. PKI arrived as a gimpy pony in the first place, and by now we are pretty tired of beating a dead horse. If you think it seems naive to summarily dismiss an entire platform, I would agree. Writing its obit wasn't my idea. It was inspired by a leading PKI vendor. Before we get to that, let's step back. As complex as Public Key Infrastructure is, the theory is sound. Crudely, it's customs for Internet transactions. The "passports" are digital certificates. A trusted third party, a Certificate Authority, publishes half of that passport as a public key. You keep the other half, the private key. To make a transaction, match the private and public keys. When it works, PKI really works. It's just that it rarely works. "Experts say the promise of PKI is real but that challenges remain." This was from a news item last week, but it might as well have been from 1997. The truth is, PKI is terminally promising. For two reasons. First, vendors, in typically greedy fashion, refused to create standards, so that as recently as last week, an engineer was wondering why one vendor's digital certificates crashed another vendor's e-mail program. Second, vendors, in typically greedy fashion, skewed the business model for PKI to generate large chunks of revenue up front, before the systems even worked, by making CIOs buy stockpiles of digital certificates-something like a camera company making you buy 1,000 rolls of film before you get a camera. http://www.cio.com/article/217093/Only_Mostly_Dead

top

PDA STALKER TECH (Salon.com, 11 June 2002) -- It's 11 p.m. Do you know where your boyfriend is? If he attends the University of California at San Diego, finding him may be as easy as turning on a PDA. The university is equipping hundreds of students with personal digital assistants that allow them to track each other's location from parking lot to lecture hall to cafeteria. The technology is sophisticated enough to pinpoint where a person is in a building -- say, a dorm -- within a margin of error of one floor. No one is forcing students to use the $549 Hewlett-Packard Jordana PDAs, which are provided for free, or requiring them to allow their buddies to watch them wander across campus on a zoomable map. But students still worry about protecting themselves from stalkers, university administrators, FBI agents and nosy parkers. The PDAs detect each other through the university's Wi-Fi (Wireless Fidelity) network, the same radio wave-based system that allows lap-toppers to go online from coffeehouses and airports. The location-tracking software itself, developed by a 15-year-old student at the university, draws upon triangulation technology used by global positioning system (GPS) devices. The PDAs figure out their locations by comparing the strength levels of signals traveling from the devices to various Wi-Fi antennas. The software only allows a person to track the location of another user if both agree. If Shapiro doesn't want his best friend to track him, he can leave him off his PDA's equivalent of an America Online "buddy list." http://www.salon.com/tech/feature/2002/06/11/stalker_tech/index.html

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top