Saturday, November 10, 2012

MIRLN --- 21 October – 10 November 2012 (v15.15)

MIRLN --- 21 October - 10 November 2012 (v15.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

permalink

NEWS | PODCASTS | RESOURCES | FUN | LOOKING BACK | NOTES

Cyberattacks in U.S. Cost an Average $8.9 Million Annually to Clean Up, Study Says (Network World, 8 Oct 2012) - According to a survey of 56 corporate and governmental organizations conducted by the Ponemon Institute, the average amount they paid for all the costs associated with cyberattacks was $8.9 million during the past year. That's up 6% from the previous year's study. And for the first time, Ponemon expanded the survey to other countries, including the United Kingdom, Germany, Australia and Japan. Costs ascribed to cyberattacks in those locales was significantly lower: $5.9 million in Germany and $5.1 million in Japan, for example. The study, sponsored by HP Enterprise Security, offers some explanation for why the U.S. cybercrime figure is far higher. "We found that U.S. companies were much more likely to experience the most expensive types of cyber attacks, which are malicious insiders, malicious code and web-based incidents," the report says. In the U.K. and Australia, where cybercrime costs per year were $3.2 million and $3.3 million respectively, denial-of-service attacks were more commonplace. German companies were the least likely to experience malicious code and denial-of-service, while Japanese companies least likely to experience malicious insiders and Web-based attacks. The study cited five "external" cost factors associated with cybercrime: business disruption, information loss or theft, revenue loss, equipment damages and "other." The "internal cost" factors were detection, investigation and escalation, containment, recovery and subsequent efforts to ward off future attacks.

top

Cyber Pain is Insurers' Gain (Australian Financial Review, 16 Oct 2012) - Major Australian companies are scrambling to secure cyber insurance to cover themselves for hundreds of millions of dollars in losses in the wake of the Alan Jones social media campaign and a string of shareholder class actions for data security breaches. In a flying visit to Australia, global cyber insurance practice leader at insurance giant Aon, Kevin Kalinich, has met with leading Australian companies across banking, superannuation, retail and healthcare, as they hit the panic button over new technology risks. Cyber insurance has exploded from a $200 million market just four years ago and is soon expected to reach $1 billion a year in premiums. "The top 70 advertisers for the radio station had attacks on their emails, on their social media systems, on their call centres, so the developments in technology has created new exposures that were not present 10 years ago, five years ago, even three years ago," Mr Kalinich said. "There are a number of cases going through the courts now where insurers are denying coverage rather than willingly paying for a large catastrophic loss [unless they have specific cyber insurance]," Mr Kalinich said. The companies Aon met this week are taking up coverage of up to $100 million - the average loss in Australia for a data breach is $2.16 million - but are increasingly seeking to ensure they are covered for social media risks as well, including Facebook, Twitter and the risk of online activists. "If you can demonstrate to the underwriters that you have good training and practices with your employees, then you can cover defamation, slander, libel, copyright, trademark. They can be included in the cyber liability placement but you have to have good practices in place," he said.

top

Pacemaker Hack Can Deliver Deadly 830-Volt Jolt (Computerworld, 17 Oct 2012) - Pacemakers from several manufacturers can be commanded to deliver a deadly, 830-volt shock from someone on a laptop up to 50 feet away, the result of poor software programming by medical device companies. The new research comes from Barnaby Jack of security vendor IOActive, known for his analysis of other medical equipment such as insulin-delivering devices. Several medical manufacturers are now selling bedside transmitters that replace the wand and have a wireless range of up to 30 to 50 feet. In 2006, the U.S. Food and Drug Administration approved full radio-frequency based implantable devices operating in the 400MHz range, Jack said. With that wide transmitting range, remote attacks against the software become more feasible, Jack said. Upon studying the transmitters, Jack found the devices would give up their serial number and model number after he wirelessly contacted one with a special command. With the serial and model numbers, Jack could then reprogram the firmware of a transmitter, which would allow reprogramming of a pacemaker or ICD in a person's body. A successful attack using the flaw "could definitely result in fatalities," said Jack, who has notified the manufacturers of the problem but did not publicly identify the companies. In a video demonstration, Jack showed how he could remotely cause a pacemaker to suddenly deliver an 830-volt shock, which could be heard with a crisp audible pop.

top

Outsourcing Privacy (InsideHigherEd, 22 Oct 2012) - After several years of negotiating, a dozen colleges have reached an agreement with Microsoft that could inspire more institutions to outsource their internal communications and data storage systems to the company and its far-flung servers - even when those systems hold sensitive student and research data. Since 2010 Microsoft had been in talks with a dozen universities about drawing up a standard contract that would address colleges universities' obligations to federal privacy laws such at the Family Education Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act (HIPAA). The idea was to eliminate the tedium and expense of negotiating around these compliance issues with each and every university client. Now, after several years, those talks have finally born fruit, according to Tracy Futhey, the chief information officer at Duke University. Microsoft on Friday announced that it had signed up Duke, Emory and Thomas Jefferson Universities and the Universities of Iowa and Washington for its new, cloud-based e-mail and work software, Office365. The deals will save the universities on infrastructure costs by migrating various internal communication and data systems to Microsoft's servers - a move that would have been virtually impossible without resolving FERPA and HIPAA concerns.

top

Pinterest: Fair Use of Images, Building Communities, Fan Pages, Copyright (Berkman's CMLP, 22 Oct 2012) - When using Pinterest (and Flickr and YouTube and Facebook and on and on), what copyright, fair use, trademark and other issues weigh on building communities and corporate use of fan pages and social media generally? A hypothetical "Company" has plans for its Pinterest "community", and in particular, wonders about these situations:

  • Using Images of Identifiable People
  • Fair Use and Images

· Trademarks: When is a "Fair Use" Argument Strongest?

· Why Attribution and Linking to Original Sources is Important

3 introductory questions: Question #1 : Someone used to be a paid Company sponsor or spokesperson. They are no longer. Can the Company continue to post a photo of the old sponsor to Pinterest? Short Answer: If the contract with the sponsor expressly permits it, yes. Ordinarily, the contract would specify engagement for limited time, and that would prohibit rights to use images beyond the contract period. But it really depends on what the contract says. Q uestion #2 : Can the Company post a photo of a fan of the Company? Short Answer: Express consent is required, either through a release or the fan's agreement (whenever the photo is submitted) to terms of service. Exceptions are discussed below. Question #3 : Can the Company post a photo of a Coca-Cola bottle on its Pinterest page? Short Answer: If the use of the image does not suggest (implicitly or explicitly) endorsement or association, then yes. Below is discussion of these issues, with "Guidelines" at the end.

top

A Healthy Reminder From Amazon: You Don't Buy Ebooks, You Rent Them (GigaOM, 22 Oct 2012) - Sometimes the language we use fails to capture the essence of what we're doing when we are online, or lulls us into a false sense of security about our behavior and what it means. For example, we've gotten pretty used to the idea that we can "buy" ebooks from Amazon: we just click a button and pay with a credit card and there it is on our Kindle. Except that we aren't really buying it in the traditional sense of the word; we are merely renting it, or paying for access to it under a specific set of circumstances - and a recent incident in which a woman's account was blocked and all of her books removed without explanation is a healthy reminder of that. Norwegian technology blogger Martin Bekkelund describes how his friend Linn Jordet Nygaard found that her Amazon account had been shut down and access to all of her Kindle books (about 60 of them) had been blocked. Although some initial reports said that her books had been wiped from her device remotely - echoing an earlier incident several years ago, in which Amazon deleted copies of 1984 and Animal Farm from users' Kindles because of a licensing error - it later emerged that Nygaard's Kindle had malfunctioned, but she still wasn't able to access her books even through her account.

top

FTC Recommends Best Practices for Companies That Use Facial Recognition Technologies (FTC, 22 Oct 2012) - The Federal Trade Commission today released a staff report "Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies" for the increasing number of companies using facial recognition technologies, to help them protect consumers' privacy as they use the technologies to create innovative new commercial products and services. Facial recognition technologies have been adopted in a variety of contexts, ranging from online social networks and mobile apps to digital signs, the FTC staff report states. They have a number of potential uses, such as determining an individual's age range and gender in order to deliver targeted advertising; assessing viewers' emotions to see if they are engaged in a video game or a movie; or matching faces and identifying anonymous individuals in images. Facial recognition also has raised a variety of privacy concerns because - for example - it holds the prospect of identifying anonymous individuals in public, and because the data collected may be susceptible to security breaches and hacking.

top

Hebrew U. Loses Lawsuit Over Einstein's Image (InsideHigherEd, 23 Oct 2012) - A federal judge has rejected a lawsuit by Hebrew University of Jerusalem against GM for the auto company's use of an Albert Einstein image pasted onto a muscled physique, The Detroit News reported. Hebrew University said that Einstein's will gave it rights to the use of his image. In this case GM used the image in an ad that ran in People magazine with the tag line "Ideas are sexy too." Judge Howard Matz ruled that GM was within its rights. "[Einstein] did become the symbol and embodiment of genius. His persona has become thoroughly ingrained in our cultural heritage. Now, nearly 60 years after his death, that persona should be freely available to those who seek to appropriate it as part of their own expression, even in tasteless ads," he ruled.

top

- and -

The Use and the Fury: Faulkner Estate's New Enforcement Efforts (Baker & Hostetler, 4 Nov 2012) - In a pair of lawsuits filed about a week ago, Faulkner Literary Rights, LLC ("Faulkner Literary"), the owner of the literary rights to the late William Faulkner's works, sued Sony Picture Classics ("Sony"), as well as Northrop Grumman Corporation ("Northrop Grumman") and Washington Post Company ("Washington Post") in the federal district court for the district of Mississippi. In both cases, Faulkner Literary brought claims for copyright infringement, unfair competition under the Lanham Act and state law claims for quotations from Faulkner's works. In the first lawsuit, Faulkner Literary claims that Woody Allen's latest hit, Midnight in Paris uses, without authorization, a quote from the Faulkner novel Requiem for a Nun. The line in Requiem for a Nun-a book approximately 250 pages long-is "The past is never dead. It's not even the past." In Midnight in Paris, the lead character, Gil Pender, played by Owen Wilson, is able to time travel between current day Paris and Paris of the 1920's. At one point he exclaims: "The past is not dead! Actually, it's not even past. You know who said that? Faulkner. And he was right. And I met him, too. I ran into him at a dinner party." Midnight in Paris lasts 94 minutes, and the accused dialogue only a few seconds.

top

- and -

Stupid Lawyer Tricks (And How the PTO Could Help Stop Them) (EFF, 30 Oct 2012) - We've seen some absurd trademark threats in recent years, but this one sets the bar at a new low: The Village Voice is suing Yelp for trademark infringement based on Yelp's creation of various "Best of" lists. Yes, that's correct, the publisher behind the paper (as well as several other weeklies around the U.S.) has managed to register trademarks in the term "Best of " in connection with several cities, including San Francisco, Miami, St. Louis and Phoenix. And it now claims that Yelp's use of those terms infringes those trademarks and deceives consumers. Right. First, a practical question: deceives consumers about what? Trademark law is supposed to ensure that consumers can trust that the goods and services they buy come from the sources they expect, e.g., that the Pepsi you just bought really was manufactured by Pepsi. That helps consumers, because it gives mark-owners an incentive to maintain the expected level of quality. And it helps mark-owners, because they can build customer loyalty and good will. But you don't need a survey or even a lawyer to figure out that no one actually thinks the Village Voice is associated with Yelp because both publish "best of" lists - not least because no one associates the term "Best of" with any particular news source. Second, the more important question: What is going on at the Patent and Trademark Office? For decades, folks have been complaining (with good reason) that the patent examiners need to do a better job of screening out bogus patent applications. It's clear that the problem extends to the trademark side as well. The PTO has allowed companies and individuals to register marks in any number of obviously generic and/or descriptive terms, such as " urban homestead " (to refer to urban farms), " gaymer " (to refer to gay gamers), and " B-24 " (to refer to model B-24 bombers). Once a mark is registered, it is all too easy for the owner to become a trademark bully. And while companies like Yelp have the resources to fight back (as we expect it will), small companies and individuals may not. Just as dangerous, the trademark owner may go upstream, to intermediaries like Facebook who have little incentive to do anything other than take down an account or site that's accused of infringement.

top

Risks of Data Portability (Bruce Schneier, 24 Oct 2012) - Peter Swire and Yianni Lagos have pre-published a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general. ...Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person's data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual's lifetime of data must be exported 'without hindrance,' then one moment of identity fraud can turn into a lifetime breach of personal data. They have a point. If you're going to allow users to download all of their data with one command, you might want to double- and triple-check that command. Otherwise it's going to become an attack vector for identity theft and other malfeasance.

top

Study Finds Significant Juror Interest In Internet, But No Use - Yet (Berkman's CMLP, 25 Oct 2012) - A survey of jurors from 15 trials has found that jurors generally understand instructions not to use the Internet or social media to research or communicate about trials, but also that many jurors wish they could use technology to do some sort of research about the cases they sat on. Very few, however, reported that they had violated admonishments not to research or discuss the case with others prior to deliberations, and all of these involved pre-deliberation discussions with either fellow jurors or family members. None involved the internet or social media. questioned impaneled jurors from six criminal and nine civil trials, as well as jurors from the voir dire phase (i.e., including those both ultimately chosen to serve on the jury and those that were not) of these trials plus an additional seven civil cases that settled during jury selection. In all the cases, the jurors were instructed during voir dire and trial not to use the internet or social media to research or communicate about the case. The majority of jurors reported in the survey that they understood these admonitions. Among prospective jurors, 87 percent understood that they should not use the internet or social media to communicate with friends or family or to post information about the case, and two-thirds said that researching the case online would violate the judges' instructions. But that did not mean that they did not want to. Significant percentages of prospective jurors said they wished they could use the internet to research legal terms (44 percent), the case itself (26 percent), the parties (23 percent), the lawyers (20 percent), the judge (19 percent), the witnesses (18 percent), and fellow jurors (7 percent). Eight percent wanted to be able to e-mail family and friends about the case, five percent wanted to connect with a fellow juror online, and three percent wanted to connect with another trial participant. Three percent each wanted to be able to tweet or blog about the trial, and two percent wanted to post something about the trial on a social networking site.

top

Court Instructs Parties to Utilize Predictive Coding, Requires Show of Cause to Avoid It (KL Gates, 26 Oct 2012) - Following argument on partial summary judgment and a motion to dismiss in the Delaware Court of Chancery on Monday, Vice Chancellor J. Travis Laster turned to the topic of a scheduling order and, apparently without outside provocation, addressed the issue of predictive coding: The Court : Thank you. Why don't you all talk about a scheduling order for the litigation on the counterclaims. This seems to me to be an ideal non-expedited case in which the parties would benefit from using predictive coding. I would like you all, if you do not want to use predictive coding, to show cause why this is not a case where predictive coding is the way to go.

I would like you all to talk about a single discovery provider that could be used to warehouse both sides' documents to be your single vendor. Pick one of these wonderful discovery super powers that is able to maintain the integrity of both side's documents and insure that no one can access the other side's information. If you cannot agree on a suitable discovery vendor, you can submit names to me and I will pick one for you.

top

MOOCs for Credit (InsideHigherEd, 29 Oct 2012) - Coursera, the largest provider of massive open online courses (MOOCs), has entered into a contract to license several of the courses it has built with its university partners to Antioch University, which would offer versions of the MOOCs for credit as part of a bachelor's degree program. The deal represents one of the first instances of a third-party institution buying permission to incorporate a MOOC into its curriculum -- and awarding credit for the MOOC -- in an effort to lower the full cost of a degree for students. It is also a first step for Coursera and its partners toward developing a revenue stream from licensing its courses. "It's a very different kind of arrangement than our university partnerships," says Daphne Koller, a Coursera co-founder, who along with her co-founder Andrew Ng has signed deals to host MOOCs from 33 universities on Coursera's platform. Antioch will pay Coursera an undisclosed amount for permission to use several courses, including ones from Duke University and the University of Pennsylvania. The company will share that revenue with the universities, which own intellectual property rights for their courses as part of their contracts with Coursera.

top

Why We Have an Open Wireless Movement (EFF, 30 Oct 2012) - In troubled times, it's important to help each other out. Right now, we're witnessing an unprecedented hurricane hitting the Eastern Seaboard of the United States, and the ensuing damage and power outages are crippling rescue efforts, businesses large and small, and personal communications. Communication is critical in time of crisis, and the Internet allows for the most effective way of getting information in and out. With readily available networks, government officials could use tools like Twitter to quickly spread information, citizen reports could help focus assistance where it is needed most, and social media updates could help reassure friends and loved ones-keeping mobile phone lines open for emergencies. To take advantage of the Internet, people should not have to attempt to skirt restrictive Terms of Service to attempt to tether their smartphones . And tethering would not be necessary if there were ubiquitous open wireless, so that anyone with a connection and power can share their network with the neighborhood. Last year, we wrote a post titled "Why We Need An Open Wireless Movement." Today, EFF is proud to announce the launch of the Open Wireless Movement-located at openwireless.org -a coalition effort put forth in conjunction with nine other organizations: Fight for the Future, Free Press, Internet Archive, NYCwireless, the Open Garden Foundation, OpenITP, the Open Spectrum Alliance, the Open Technology Institute, and the Personal Telco Project.

top

- and -

EFF Launches New Transparency Project (EFF, 2 Nov 2012) - From cell phone location tracking to the use of surveillance drones, from secret interpretations of electronic surveillance law to the expanding use of biometrics, EFF has long been at the forefront of the push for greater transparency on the government's increasingly secretive use of new technologies. With the launch of our new Transparency Project , we've made the information we've received easier to access and added new tools to help you learn about the government and file your own requests for information. The new name-Transparency Project-reflects the fact that EFF's work has expanded far beyond filing and litigating federal Freedom of Information Act requests. While that work still makes up a solid core of what our Transparency Team does, we also seek information from state and local governments, regularly report on transparency issue more broadly, and provide tools to help you find out more about our government and what it's up to. The new Transparency Project section of our website helps to promote these goals. Some of the new features include: * * *

top

Court OKs Warrantless Use of Hidden Surveillance Cameras (CNET, 30 Oct 2012) - Police are allowed in some circumstances to install hidden surveillance cameras on private property without obtaining a search warrant, a federal judge said yesterday. CNET has learned that U.S. District Judge William Griesbach ruled that it was reasonable for Drug Enforcement Administration agents to enter rural property without permission -- and without a warrant -- to install multiple "covert digital surveillance cameras" in hopes of uncovering evidence that 30 to 40 marijuana plants were being grown. Yesterday Griesbach adopted a recommendation by U.S. Magistrate Judge William Callahan dated October 9. That recommendation said that the DEA's warrantless surveillance did not violate the Fourth Amendment , which prohibits unreasonable searches and requires that warrants describe the place that's being searched. Two defendants in the case, Manuel Mendoza and Marco Magana of Green Bay, Wis., have been charged with federal drug crimes after DEA agent Steven Curran claimed to have discovered more than 1,000 marijuana plants grown on the property, and face possible life imprisonment and fines of up to $10 million. Mendoza and Magana asked Callahan to throw out the video evidence on Fourth Amendment grounds, noting that "No Trespassing" signs were posted throughout the heavily wooded, 22-acre property owned by Magana and that it also had a locked gate. Callahan based his reasoning on a 1984 Supreme Court case called Oliver v. United States , in which a majority of the justices said that "open fields" could be searched without warrants because they're not covered by the Fourth Amendment. What lawyers call " curtilage ," on the other hand, meaning the land immediately surrounding a residence, still has greater privacy protections. "Placing a video camera in a location that allows law enforcement to record activities outside of a home and beyond protected curtilage does not violate the Fourth Amendment," Justice Department prosecutors James Santelle and William Lipscomb told Callahan As digital sensors become cheaper and wireless connections become more powerful, the Justice Department's argument would allow police to install cameras on private property without court oversight -- subject only to budgetary limits and political pressure.

top

How to Get Your Readers to Love Paywalls (PaidContent, 31 Oct 2012) - Okay, maybe "love" is too strong a word, but a new study suggests that newspapers enacting paywalls should emphasize financial need, not profit motives, when announcing them to readers. The study, " Paying for What Was Free: Lessons from the New York Times Paywall ," is by Columbia University associate research scientist Jonathan Cook and Indiana University assistant professor Shahzeen Attari. They surveyed 954 New York Times readers shortly after the paper announced , in March 2011, that it would enact a metered paywall, and then again 11 weeks after the paywall was implemented. In the post-paywall survey, participants read one of two "justification" paragraphs, one emphasizing a profit motive and one emphasizing financial need (that paragraph concluded, "if the NY Times does not implement digital subscriptions, the likelihood that it will go bankrupt seems high"). Participants then "rated how the information changed their support for the paywall and their willingness to pay." The results showed that "When participants were provided with a compelling justification for the paywall - that the NYT was likely to go bankrupt without it - their support and willingness to pay increased. In contrast, when participants were provided with a justification that emphasized financial stability, their support and willingness to pay decreased."

top

Minneapolis Police Pushing for More License Plate Data Privacy (ArsTechnica, 1 Nov 2012) - A Minneapolis municipal committee is now advocating on behalf of local police for a change in Minnesota's state law concerning the right to access data collected from license plate readers (LPRs). For now, the city maintains a massive database collected from its 11 LPR readers that hold each license plate number seen, along with the corresponding GPS location data, date, and time for the previous 90 days. In a meeting Thursday, the Committee of the Whole Agenda heard discussions regarding a new proposal from the city police department that would restrict access to license plate reader records. Under the proposed rules, only the police would have access to the entire database, and a non-police individual would only be able to access the data that pertained to his or her car. Currently, a rather liberal open records state law known as the Data Practices Act makes all government data public by default. If approved by the Minneapolis city council, such changes could be put forward to the state legislature as soon as next year. As we reported earlier this year, license plate readers are largely on an unchecked rise throughout the United States. Millions of new records are collected by law enforcement agencies on a daily basis, often with little oversight. The new proposal comes after increased scrutiny over the practice in Minneapolis, after a local reporter managed to track the mayor's movements in August 2012 by filing a request with the police.

top

Another Court Finds Online Statements With Links Are Not Defamatory (Eric Goldman's blog, 1 Nov 2012) - Eric posted about Redmond v. Gawker Media , a California case where the court found that use of links by a Gawker author helped defeat a claim for defamation. This case reaches a similar result. Seldon, proceeding pro se, sued Compass Restaurant and several Jane Does (including an email address) for disseminating an email that allegedly contained multiple defamatory statements about him. You can click through to the decision to see the statements, but among other things the email calls him a "serial suer, scammer, spammer, embezzler, and revenge artist." The email offered a few "supporting links," including an LA Times Article, a few links from Justia, one from Pacer, and one from WIPO. The court says that in determining whether a statement is actionable or a mere statement of opinion, the court looks to the statement overall, in context. An opinion can still be actionable if it implies a basis on undisclosed facts. On the other hand, a statement of opinion that discloses background facts is not actionable. In fact, these statements are more likely to be understood by the audience as mere conjecture. The court concludes (citing to Sandals Resort v. Google ) that the statement in this case falls in the latter category. It is accompanied by articles in the form of links, and the email expressly says that it contains "supporting links". Like the Gawker ruling Eric blogged about, this is a great result for bloggers, and anyone who traffics in links and commentary online. It's also good illustration of how the context rule plays out online. (See also " A Twitter Exception for Defamation? ")

top

Coke Gets Hacked and Doesn't Tell Anyone (Bloomberg, 4 Nov 2012) - FBI officials quietly approached executives at Coca-Cola Co. (KO) on March 15, 2009, with some startling news. Hackers had broken into the company's computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time. Coca-Cola, the world's largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information, despite its potential effect on the deal. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees -- and in some cases even from senior executives. When hackers last year waged a large-scale attack on BG Group Plc (BG/), raiding troves of sensitive data, the British energy company never made it public. Luxembourg-based steel maker ArcelorMittal (MT) also kept mum when intruders targeted, among others, its executive overseeing China. As did Chesapeake Energy Corp. (CHK), after cyber attackers made off with files from its investment banking firm about natural gas leases that were up for sale. "Investors have no idea what is happening today," says Jacob Olcott, a former cyber policy adviser to the U.S. Congress. "Companies currently provide little information about material events that occur on their networks." In the U.S., the Securities and Exchange Commission last year said that companies are required to report any material losses from such attacks, and any information "a reasonable investor would consider important to an investment decision." To gain access to confidential deal information, hackers often target links in a chain of outside organizations that handle such information on the company's behalf, such as banks and law firms. China-based cyberthieves, for instance, hacked into the computer networks of seven law firms in 2010 to get more information about BHP Billiton Ltd.'s ultimately unsuccessful $40 billion bid to acquire Canadian company Potash Corp. of Saskatchewan, Inc., Bloomberg reported in January. Intruders took a similar approach last year in a breach that ultimately targeted Chesapeake Energy, the second-largest U.S. natural gas producer, according to a person familiar with the situation and computer logs viewed by Bloomberg News. The logs indicate that Comment group obtained information about Chesapeake's efforts to sell natural-gas leases by hacking into an office of Jefferies Group Inc. (JEF) , which is advising on the sales. [ Polley : long, interesting story. The timing is co-incident with other testimony before the US Senate about the complete penetration of a US law firm's files by Chinese actors; same event?]

top

New Twitter Policy Lets Users See Tweets Pulled Down for Copyright (GigaOM, 4 Nov 2012) - Twitter has made a significant shift in how it responds to copyright complaints. In the past, such complaints caused tweets to vanish without a trace but now people can see the place where a tweet once stood - and the reaction to its disappearance. The tweet announcing the policy suggested it was in the name of "#transparency." This is consistent with other efforts by Twitter to shine light on a copyright process that critics say is susceptible to abuse by content owners. In January, for instance, Twitter published 4,410 DMCA takedown requests it received in the previous year.

top

Verdict Is Out on Virtual Lawyers, But Firms Find Fewer Objections (WSJ, 5 Nov 2012) - Uncertainty about the impact of the presidential election has sent Americans searching for legal advice about everything from green-card sponsorship rules to possible changes to the estate tax. To the surprise of many in the legal establishment, a growing number of those help-seekers are getting their guidance online. In recent years, Web-based attorneys have gone mainstream, with pitches aimed at the cost-conscious. And while critics question whether their advice hits the mark, they concede the online model can work in some relatively simple situations. An in-office consultation can cost as much as $1,000 an hour, though rates vary depending on location and a lawyer's area of expertise. Attorneys on San Francisco-based Pearl.com, in contrast, charge an average of $30 to $40 to answer a range of questions, many of which are basic preliminary inquiries (example: "What's the difference between a will and a trust?"). At Avvo.com, based in Seattle, attorneys provide advice at no cost to promote their practices, and the site makes money through advertising and enhanced listings. For the lawyers, the advantages include savings on overhead, and the possibility of luring more substantial business from customers satisfied with the short answers. Perhaps more disconcerting to purists, some leading players aren't exclusively law-focused. Pearl.com, which says its annual revenue now tops $100 million, also offers assistance from computer technicians and relationship counselors. Avvo.com proffers legal help alongside medical and dental advice (legal questions account for about 80% of its traffic).

top

The FISA Amendments Act Authorizes Warrantless Spying on Americans (Stanford, 5 Nov 2012) - Next week, the lame duck Congress will take up the issue of whether to extend the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) of 2008. The House of Representatives passed a five year extension, but during the floor debate on that bill, lawmakers demonstrated a fundamental misunderstanding about how the FAA affects the privacy of Americans on American soil. Before rubber-stamping the bill, lawmakers in the Senate have the opportunity to address the misunderstanding and better protect American privacy. This post is the first in a series. * * * [ Polley : author Jennifer Granick provides a thoughtful, thorough parsing of the law. In a related vein, see " Looking Back " below, for 2 ten-year-old stories on the subject.]

top

Attorney SEO to be Addressed by Florida Bar (Lawyerist.com, 5 Nov 2012) - As reported by Gary Blankenship in Lawyers must take care on how they drive traffic to their websites : " Using secretive techniques to lure Internet users to a law firm website with false or deceptive information is wrong, members of the Bar's Standing Committee on Advertising agree, but the committee wants more time to research the technical issues before approving an advisory opinion. The committee met September 20 at the Bar's Midyear Meeting in Orlando and reviewed a proposed advertising advisory opinion that addressed hidden text and meta tags (words on a webpage that are not visible to the viewer)." But there's just one problem. These folks don't really seem to know SEO. For example, they seem to imply that the use of the keywords meta tag can be used to optimize positions in search engine results. However, the keywords meta tag is not used by search engines (at least not by Google, at least not since 2009) to rank sites.

top

Social Media, Growing in Legal Circles, Find a Role in Florida Murder Case (NYT, 6 Nov 2012) - When Mark O'Mara agreed to defend George Zimmerman in the Trayvon Martin murder case, one of his first major decisions was to embrace the Internet. He set up a legal defense Web site for his client, a Twitter page and a Facebook account, all with the purpose of countering what he called the "avalanche of misinformation" about the case and Mr. Zimmerman. It was a risky move, unorthodox for a criminal defense lawyer, legal experts said, but a bold one. Late last month, the judge in the case, rebuffing the prosecution, allowed Mr. O'Mara to keep the online presence. In so doing, the judge sanctioned the use of social media in a high-profile murder case that was already steeped in the power of Facebook, Twitter and blogs. Not long after Mr. Martin was shot and killed, protesters took their cues from Facebook and demonstrated across the country. Angry words coursed through Twitter. Mr. Zimmerman, in hiding, started a Web site to raise money. The Martin family's lawyers, who made ample use of traditional media, used Twitter to bring attention to Mr. Martin's death. Social media is playing a role in the courtroom, too. Mr. O'Mara wants to use Mr. Martin's Facebook page and Twitter feed to bolster Mr. Zimmerman's claim of self-defense. But he will most likely face a protracted battle to authenticate the material, in part because Mr. Martin is no longer alive. Last month, the judge allowed Mr. O'Mara to subpoena Twitter and Facebook for the information. In ways large and small, the State of Florida v. George Zimmerman is serving as a modernized blueprint for deploying social media in a murder case.

top

The Lawfare Wiki Document Library (Lawfare, 8 Nov 2012) - The next big phase of Lawfare expansion involves the creation of a large document library-a kind of one-stop-shopping for primary source material in the field of national security law. We are building this library as a wiki in collaboration with the Harvard Law School National Security Research Committee (NSRC), a student practice organization that provides legal research services for academics and policymakers on a variety of national security law issues. The library will be a searchable database of primary source material built in large measure by the Lawfare reader community and curated by Lawfare and the NSRC as a research tool for the scholarly, journalistic, and research communities. Having built the technical architecture, we are now engaged in an early phase of the project-which involves seeding the wiki with a core body of important documents in the field: cases, treaties, statutes, etc. Each document will be accompanied by a summary that explains what it is and why it's important-a summary that the reader community will then be able to edit and expand upon by adding links to major scholarly treatments and the like. We want your help with this initial phase. The more people we can get to summarize documents, the more quickly we can build a first-rate resource that we can then open up to a wider group of contributors. If you're interested in contributing to the document wiki, send an email to Julia Lohmann , Raffaela Wakeman , or Wells Bennett , and they'll assign you one to work on.

top

NOTED PODCASTS

Sending Secrets: Security and Cryptography in a Quantum World (Santa Fe Institute, 2011; 70 minutes) - Caesar shifted each letter three places in the alphabet. Much of modern computer science was born in the effort to break the Nazi Enigma code, and Cold War spies used code books that fit inside a walnut. Nowadays, the cryptography we depend on every day - for instance, to send our credit card information when we buy something on the Web - relies in turn on the mathematics of prime numbers. But in 1994, Peter Shor discovered that a future quantum computer could crack our cryptosystems by breaking large numbers into their prime factors. Cris will start by describing how these cryptosystems work, and how a quantum computer could break them. (Nothing beyond high-school math, he promises!) He'll end by giving a personal view about whether quantum computers can be built - and what kinds of cryptography could remain secure even if and when they are built. [ Polley : This has the first explanation I've understood describing quantum computing, and how it might enable code-breaking. I've just returned from a terrific symposium by the Santa Fe Institute on resilience in complex systems. The Institute is the most catholic, cross-disciplinary gathering I've encountered since the MIT Media Lab, and I strongly encourage you to explore possible collaboration with them.]

top

RESOURCES

Smart Policies for Smartphones: Acceptable Online Activities During Work Hours (IBM, 17 Oct 2012) - IBM has published a social media policy that some think is exemplary for any organization that wants to pursue the dual goals of encouraging employees to engage in social media and protecting the organization's reputation. Current IBM social computing guidelines are here .

top

FUN

New Book: Law of Superheroes (PatentlyO, 25 Oct 2012) - The book that we've all been waiting for is finally out: The Law of Superheroes . I am serious here -- at least that I have been waiting for this book ever since I discussed the project with co-author James Dailey a few years ago when he visited the Mizzou campus. Daily and Ryan Davidson have turned their popular blog ( lawandthemultiverse.com ) into book published by Gotham Books, a division of Penguin. Daily is a patent attorney and the book answers many IP questions that may have vexed comic book readers:

· Does Batman's use of Wayne Enterprises' advanced technologies to stop crimes (at night) negate patentability?

· Does Spiderman infringe any genetic engineering patents?

· In our universe, the Beatles broke up and John Lennon died. However, there are other (far better) universes where that did not happen. What copyright laws would apply when someone wants distribute copies of the Beatles' 40 th Anniversary Album that was brought back from that alternate universe?

One of the book's thirteen chapters focuses on intellectual property. But the book as a whole covers a host of topics ranging from Constitutional law to immigration; from criminal procedure to the legal treatment of non-human intelligence. Great work by Daily and Davidson! I am already looking for Volume II. Law students beware: the book offers a host of original hypothetical questions that would be readily used on final examinations.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

HOW FAR WILL THE FEDS GO TO PUSH FAVORABLE SURVEILLANCE LAWS? (Steptoe & Johnson's e-Commerce law week, 7 Sept 2002) -- A former member of the Justice Department's Computer Crime and Intellectual Property Section will reveal in a forthcoming law review article that the Department purposely kept hidden a November 2000 order issued by the only federal Magistrate Judge in San Jose, California. The order determined that the old pen register/trap-and-trace provisions of federal surveillance law applied only to telephones and did not authorize government use of pen registers and trap-and-trace devices with respect to electronic communications (like e-mail). The order squarely contradicted DOJ's view of the law. Although this particular issue was resolved in the government's favor by the USA PATRIOT Act last fall, it shows how far the government will go to get ISPs to comply with its surveillance orders. Even though the government was aware of the order, it continued to ask ISPs to install surveillances on e-mail communications under the pen/trap provisions and never mentioned the order. This should serve as a reminder that, when presented with a surveillance order, ISPs and other companies should undertake an independent evaluation of the order's lawfulness rather than simply relying on DOJ's interpretation of the law. http://www.steptoe.com/webdoc.nsf/ListServEntry?OpenForm

top

INTERNET SURVEILLANCE LAW AFTER THE USA PATRIOT ACT: THE BIG BROTHER THAT ISN'T (Orin S. Kerr -- George Washington University Law School) -- Abstract: This article argues that the common wisdom on the USA Patriot Act is wrong. Far from being a significant expansion of law enforcement powers online, the Patriot Act actually changed Internet surveillance law in only minor ways and added several key privacy protections. The article focuses on three specific provisions of the Patriot Act: the provision applying the pen register law to the Internet, the provisions relating to Carnivore, and the new computer trespasser exception to the Wiretap Act. By explaining the basic framework of surveillance law and applying it to the Patriot Act, the author shows how the Internet surveillance provisions of the Patriot Act updated the law in ways that both law enforcement and civil libertarians should appreciate. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=317501

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top