Saturday, December 14, 2013

MIRLN --- 24 Nov – 14 Dec 2013 (v16.17)

MIRLN --- 24 Nov - 14 Dec 2013 (v16.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Fear of juror Googling didn't justify order to remove pages from lawyer website, appeals court says (ABA Journal, 4 Nov 2013) - A judge violated a lawyer's First Amendment rights when he ordered the lawyer to take down references to asbestos wins on her website during a 2011 trial on similar issues, a California appeals court has ruled. The Second District Court of Appeal ruled on behalf of lawyer Simona Farrise last week, the Recorder reports. The order was a prior restraint on speech that violated the U.S. and California constitutions, according to the decision (PDF) by the California Second District Court of Appeal. The trial judge, Thomas Anderle of Santa Barbara County, had ordered Farrise to remove two pages from her website touting victories in asbestos cases against Ford Motor Co., one of the automaker defendants in the suit being tried before Anderle. The plaintiffs, Richard and Christie Steiner, had claimed asbestos exposure from Richard Steiner's work on automobiles contributed to his lung cancer. One Web page subject to the order touted a $1.6 million verdict against Ford and others. The write-up asserted that "at least one jury managed to successfully navigate defendants' courtroom confusion and find these companies at fault." The other Web page, also ordered removed, described a $4.35 million verdict against Ford. Volkswagen Group of America had sought removal of the Web pages, citing the possibility that a juror would find it, and Ford Motor Co. joined in the motion. Anderle granted the request, though he also told jurors they could not Google the lawyers and could not conduct independent research. Jury instructions, coupled with the possibility of contempt for those who disobey, are the proper way to handle the issue, the appeals court said.


Digital disappointment: why are the telcos MIA in the NSA debate? (Kevin Bankston, 21 Nov 2013) - Last Wednesday, I spent my morning in a hearing room on Capitol Hill talking about how I'd spent my summer: helping to build a broad coalition of privacy and free speech advocates, tech investors and trade associations, and Internet companies large and small, to press for greater transparency around the National Security Agency's surveillance programs. The hearing was my last public appearance as the Center for Democracy & Technology's Free Expression Director, before starting this week in my new role as the Policy Director of New America Foundation's Open Technology Institute (OTI). Also sitting at the witness table was a representative from Google, who like me was there in support of the Surveillance Transparency Act of 2013. That bill would allow companies and require the government to publish basic statistics about how the NSA is using its national security surveillance authorities to access information about Internet and telecommunications service providers' customers. Also in the hearing room, at least in spirit, was everyone else in our coalition: think tanks like OTI; nonprofit advocacy organizations from across the political spectrum, from the ACLU to Americans for Tax Reform; Internet giants like Apple, Facebook, Microsoft, and Twitter; and newer Internet players like Tumblr and Dropbox. This broad and unprecedented alliance, united to demand more transparency and accountability around the NSA's access to our personal data, stood behind me as I delivered my testimony. But do you know who didn't have my back? Who hasn't stepped up to support surveillance transparency, much less surveillance reform? Who, despite - or because of - being as deeply involved as anyone can be in the NSA's dragnet, has had nothing to say other than "no comment"? The telcos. In the current debate over NSA spying, the telecommunications companies (telcos) that provide all of us with our telephone and Internet service, the giant corporations like AT&T and Verizon that own the phone lines and cell towers and fiber optic cables and Internet exchange points that carry all of our data - and that the NSA is tapping into - are nowhere to be seen. The telcos' failure to work with the privacy community to protect their users against government overreach, in contrast with the Internet companies who've joined our coalition, is especially disappointing considering that they are the ones who should be helping the most.


- and -

The long arm of the national security-communications industry complex (editorial by former FCC Commissioner Michael Copps, 22 Nov 2013) - This is a story about more than just the national security implications of government surveillance, but it begins there. The New York Times reported in a front page story earlier this month that the Central Intelligence Agency is paying AT&T in excess of $10 million annually for information from the company's telephone records, including the international calls of U.S. citizens. The article pointed out that this work "is conducted under a voluntary contract, not under subpoenas or court orders compelling the company to participate, according to officials." The story adds yet another chapter to the still-unfolding revelations about National Security Agency surveillance. Every week seems to bring new reports about the close and almost seamless ties that bind the several intelligence agencies to the huge telecom and broadband companies that bestride our nation's communications infrastructure. When I became a Member of the Federal Communications Commission (FCC) in 2001, I assumed I would be privy to at least a credible amount of information about what the companies under FCC oversight were doing behind the scenes. My expectations went unfulfilled. Did I expect the nation's most sensitive intelligence information to be shared with me? No, I did not. But would it have been helpful for me to know more about how the industry executives who visited me on a whole range of non-national security communications industry issues were at the same time working hand-in-glove with the White House and these secretive agencies on a far more intimate and confidential basis than I was? Yes, absolutely. 
Maybe I'm a slow learner, or maybe I just wasn't supposed to know, but it finally dawned on me that the CEOs and top management who came calling on me at the FCC were far better informed and connected than I was -- because their companies were the ones running these sensitive monitoring and surveillance operations in behalf of the national security agencies. It was, very often, their workers and their technologies that drove the process. * * *


- and -

The NSA is tracking cell phone movements, generating 5 billion records a day (GigaOM, 4 Dec 2013) - Documents leaked by former NSA contractor Edward Snowden show that the National Security Agency is gathering a massive amount of data about the location of millions of cell phones all over the world. The news, which contradicts the agency's claims that it had only experimented with tracking but then abandoned the efforts, is likely to fuel the ongoing scandal over the U.S. government's surveillance of phone and internet activity. According to the documents, reported on Wednesday by the Washington Post, the NSA has been harvesting the location of cell phones by using interception equipment plugged into key nodes of phone carriers' networks. As the Post explains, the system relies on U.S. companies to collect the information at cell towers and other relevant locations to obtain nearly 5 billion records a day about cell phone whereabouts. For privacy advocates, the new revelations could prove especially troubling since cell phone location patterns can be deeply revealing and, unlike voice or internet data, it's not possible to disguise movements through encryption or private networks. As an ACLU technologist told the Post (which has graphics of how the system works), the only practical recourse to avoid the collection is to unplug from the networks and "live in a cave." [ Polley : Blistering report in The Atlantic about the skein of lies and misrepresentations from the Administration about these collection programs: Exactly What the State Says to Deceive You About Surveillance (The Atlantic, 11 Dec 2013); the story precisely flags the disingenuous language I decried in MIRLN 16.09, back in June when all this began to break. Then, I wrote: "Color me skeptical on this disclaimer. Also, parse their language very closely - when they say they 'aren't collecting XXX-type of information under this program', they are NOT saying they don't collect it under some other program. These kinds of 'lawyer tricks' are unbecoming and thwart serious debate." ]


- and -

New documents show how the NSA infers relationships based on mobile location data (Washington Post, 10 Dec 2013) - Everyone who carries a cellphone generates a trail of electronic breadcrumbs that records everywhere they go. Those breadcrumbs reveal a wealth of information about who we are, where we live, who our friends are and much more. And as we reported last week, the National Security Agency is collecting location information in bulk - 5 billion records per day worldwide - and using sophisticated algorithms to assist with U.S. intelligence-gathering operations. How do they do it? And what can they learn from location data? The latest documents show the extent of the location-tracking program we first reported last week. Read on to learn more about what the documents show. The NSA doesn't just have the technical capabilities to collect location-based data in bulk. A 24-page NSA white paper shows that the agency has a powerful suite of algorithms, or data sorting tools, that allow it to learn a great deal about how people live their lives. Those tools allow the agency to perform analytics on a global scale, examining data collected about potentially everyone's movements in order to flag new surveillance targets. For example, one NSA program, code-named Fast Follower, was developed to allow the NSA to identify who might have been assigned to tail American case officers at stations overseas. By correlating an officer's cellphone signals to those of foreign nationals in the same city, the NSA is able to figure out whether anyone is moving in tandem with the U.S. officer.


- and -

The foreign policy essay: Cheng Li and Ryan McElveen on "NSA revelations have irreparably hurt US corporations in China" (Lawfare, 8 Dec 2013) - Lawfare readers have followed and discussed the Snowden revelations with a mixture of dread and excitement. Our focus, understandably, is on the impact of the leaks on the intelligence community and on U.S. national security policy. The seemingly endless disclosures and associated news stories, along with the many declassified documents from the ODNI, have sparked discussions on technological change, government accountability and oversight, FISA reform, and other important issues. For many Americans, however, the bigger problem is the leaks' impact on the U.S. economy and on American businesses - many of whom do business overseas. European allies may eventually shrug off their frustrations with the NSA, but my Brookings colleagues Cheng Li and Ryan McElveen argue that China is far less likely to do so. The revelations are leading to a policy shift that may hinder U.S. technology firms in China for years or even decades. Cheng Li is director of research and a senior fellow at the John L. Thornton China Center in the Foreign Policy program at Brookings, and is a director of the National Committee on U.S.-China Relations. Ryan McElveen is a research assistant at the Thornton Center.


- and -

Ryan Lizza's flawed account of surveillance law (Lawfare, Tim Edgar, 13 Dec 2013) - Ryan Lizza's piece in this week's New Yorker, "State of Deception," is essential reading for those interested in surveillance and civil liberties. It is a gripping account of the history of the NSA telephone and Internet surveillance programs put in place after September 11. It traces these programs from their inception amid broad claims of wartime power during the first Bush Administration, explains the effort to put them under the FISA court in the second Bush Administration, and concludes with President Obama's decision to ratify them and the fallout from the Snowden revelations. Unfortunately, the piece is marred by Lizza's flawed description of surveillance law. He oversimplifies, and therefore distorts, the legal issues in a way that fits his narrative of Senator Wyden as the hero of his story. Perhaps the most important problem is that Lizza doesn't understand the issue with FISA prior to September 11 that led to these programs. He explains that while the NSA "was legally vacuuming up just about any foreign communications it wanted," it needed FISA court permission "when it targeted one side of a call or e-mail that involved someone in the United States . . . ." This is simply wrong. The NSA has been permitted for decades to collect international communications, including those with one end in the United States, as long as its target is foreign. The problem is that FISA distinguishes between collection that occurs over the air and collection that occurs from a wire, and between collection that occurs inside and outside the country. * * * [ Polley : Worth reading; now I'll turn to reading Lizza's piece.]


They had the beat (MLPB, 25 Nov 2013) - Jose Bellido, University of London, has published Popular Music and Copyright Law in the Sixties at 40 Journal of Law and Society 570 (2013). Here is the abstract: "Copyright and its relationship with popular music is one of the most disputed issues amongst music and copyright scholars. While some have accused copyright of being blind (or deaf) to the particularities of popular music, others have defended its significance within the industry. This article contributes to this debate by tracing the networks of connections between lawyers, musicians, and clerks that emerged in a formative period in British pop music (the Sixties). It considers how their collaborative efforts and strategies to present evidence in copyright infringement trials were articulated in an attempt to influence music copyright infringement tests in Britain. By highlighting the concrete geographical and temporal contexts from which these networks emerged and their particular contingencies, the article also casts a new light on the impact of the legal profession on copyright, showing a practice-oriented and historically situated way of observing differences between French and British copyright systems."


Creative Commons next generation licenses - Welcome version 4.0! (Creative Commons, 25 Nov 2013) - We proudly introduce our 4.0 licenses, now available for adoption worldwide. The 4.0 licenses - more than two years in the making - are the most global, legally robust licenses produced by CC to date. We have incorporated dozens of improvements that make sharing and reusing CC-licensed materials easier and more dependable than ever before. The 4.0 licenses are extremely well-suited for use by governments and publishers of public sector information and other data, especially for those in the European Union. This is due to the expansion in license scope, which now covers sui generis database rights that exist there and in a handful of other countries. Among other exciting new features are improved readability and organization, common-sense attribution, and a new mechanism that allows those who violate the license inadvertently to regain their rights automatically if the violation is corrected in a timely manner. You can find highlights of the most significant improvements on our website, track the course of the public discussion and evolution of the license drafts on the 4.0 wiki page, and view a recap of the central policy decisions made over the course of the versioning process.


Fearful of sanctions, some companies don't discard documents (ABA Journal, 27 Nov 2013) - Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices. A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith.


US agrees to pay $50m after 'piracy' of software (BBC, 28 Nov 2013) - The US government has agreed to pay $50m (£31m) after it was said to have pirated "thousands" of copies of military software. Apptricity, based in Texas, has provided logistics programs to the army since 2004. The company said it had discovered last year the software had been installed on many more machines than had been licensed. The Department of Justice has not commented on the settlement. The Dallas Morning News reported a DoJ spokeswoman had confirmed the agreement, but would not give more details. Apptricity's software allows the military to track the movements of soldiers as well as key supplies. It has also been used during relief efforts, most notably in Haiti following the 2010 earthquake. According to court documents filed in 2012, the deal with the military meant up to 500 named users could access the software. Apptricity later estimated that 9,000 users were accessing the program, in addition to the 500 that had been paid for. The unauthorised copying only came to light after a US Army official mentioned "thousands" of devices running the software during a presentation on technology. Apptricity called for $224m (£137m) to be paid to cover costs. [Washington Post's coverage here.]


It's illegal for offline retailers to collect email addresses (Eric Goldman's blog, 29 Nov 2013) - The California Supreme Court issued a decision a couple of years ago holding that a zip code is "personal identification information" under the Song-Beverly Credit Card Act of 1974, making it illegal for retailers to ask consumers to provide zip codes in connection with credit card transactions. (See "California Supreme Court Rules That a ZIP Code is Personal Identification Information - Pineda v. Williams-Sonoma.") Extending that precedent, this case holds that retailers can't ask for email addresses during credit card transactions. (Note: the statute does not apply to online or other "card-not-present" transactions, so online retailers are off the hook.) Plaintiff alleged that Nordstrom requested his email address as a condition of completing the sale. Nordstrom allegedly asked plaintiff his email address so it could email him the receipt. According to plaintiff, this resulted in promotional emails from Nordstrom "on a nearly daily basis" as well as a general increase in email traffic. The statute prohibits retailers from "request[ing] or requir[ing] as a condition to accepting the credit card as payment . . . the cardholder to provide personal identification information." Personal identification information is defined as information concerning the cardholder, "including but not limited to, the cardholder's address and telephone number." In Pineda, the California Supreme Court held that this statute should be construed broadly, given the statute's protective purpose. Nordstrom argued that Pineda is distinguishable because an email address is something arbitrarily chosen by the holder of the email address and can frequently be changed. The court disagrees, noting that someone's email address "permits direct contact and implicates the privacy interests of a cardholder." Nordstrom also argued, citing to Apple v. Superior Court, that as a new technology that was unlikely to be anticipated by the legislature at the time of enactment, the definition of personal identification information should not cover email addresses. The court says that although the California Supreme Court in Apple concluded that the same statute did not apply to internet transactions, the court's holding was not premised on the legislature's inability to anticipate these transactions but rather on the fact that zip codes could be collected for fraud-prevention purposes. Case is Capp v. Nordstrom, Inc., No. 2:13-cv-00660 (E.D. Cal. Oct. 21, 2013)


Is LinkedIn's endorsement feature ethical for lawyers? (ABA Journal, 1 Dec 2013) - "Does Dennis have these skills or expertise?" If you've visited my, or anyone else's, LinkedIn profile page recently, you've been asked this question. For many lawyers, this seemingly simple inquiry has generated more questions than answers. LinkedIn is the most popular social media platform for lawyers. Most of you know your LinkedIn profile works as an extended form of a resume or biography. A relatively new feature highlights skills. You can list a number of skills that you have - public speaking, writing, leadership and legal skills like litigation, licensing or land-use finance. This can help you round out the story your profile tells. However, some lawyers and regulators have gotten hung up on what legal skills are. There has been debate about whether skills are the same as or at least imply the idea of specialty. Some will argue that lawyers shouldn't list legal skills at all. I feel that if you spend most of your days drafting contracts, it seems logical to say you have the skill of contract drafting. LinkedIn's use of skills brings us to its endorsements. Those of you who follow discussions of ethical rules will not be surprised that LinkedIn's choice of the word endorsement has triggered debate about the ethics of endorsing lawyers for their skills. To endorse someone on LinkedIn means something like "agreeing that this person has that skill." It's like a little yes vote. It's not a rating or a detailed analysis, just an acknowledgement that you think the person has the skill. Now, in the LinkedIn world, it's far better to have a recommendation than an endorsement. A recommendation typically describes a great experience working with a person. The trouble is, most people never get around to writing and posting recommendations. Endorsements are easy to do. There are two common concerns people have had with endorsements. 
First, LinkedIn suggests skills to endorse that you might not have. LinkedIn might suggest a transactional lawyer add litigation as a skill to endorse. But if your connections don't know exactly what you do, they could endorse you for litigation because they think you're good at everything, and you can get endorsements that don't make sense. Also, since people can see your endorsed skills, they might get confused about what you do. The good news is that there are ways to manage your endorsements and which ones appear. And if you mistakenly make an endorsement, you can withdraw it. Second, many people feel endorsements don't really have any meaning. My theory, and I admit that it is only a theory, is that there can be a point where the quantity of endorsements can tell you something useful.


- and -

ABA makes the Model Rules available as a mobile app (ABA Journal, 1 Dec 2013) - As a self-described "ethics nerd," Lucian T. Pera likes the idea of having easy access to a variety of reference materials on his mobile devices when he's away from the office. "I use this stuff," he says. So he was an early purchaser when the ABA Center for Professional Responsibility recently introduced its first app - the popular term for a software application, or program, that is designed to run on smartphones, tablet computers and other mobile devices. CPR's app makes it possible for lawyers to download the ABA Model Rules of Professional Conduct to their mobile devices. (Every state except California has adopted the format used by the Model Rules.) "I've got it right here on my iPhone," says Pera, a partner at Adams and Reese in Memphis, Tenn., who serves as ABA treasurer. "It's a nice, clean little app." For CPR, which has a wealth of information on ethics and related topics available for digital sharing, "it's a toe in the water," he says. But the Model Rules app is targeted toward a wider range of lawyers than those who take a specialized interest in ethics. The typical practitioner, says Pera, should have ready access to local rules of professional conduct, the Model Rules, ethics opinions and possibly a treatise or two. The benefit of apps, he says, is that those materials are accessible wherever the lawyer goes. "Then when something comes up," he says, "you pull it up and you've got what you need." The Model Rules app is not available directly from the ABA. Rather, it is being sold for $24.99 under a three-year license agreement with Ready Reference Apps, a company based in Salt Lake City. For now, at least, the app is available only from the Apple iStore as part of the company's Rulebook app, which is available at no charge. 
(Once that app is downloaded, the Model Rules app can be located by opening the Rulebook library manager and then navigating to "other federal authorities.")


URL shortening in legal briefs, and now legal opinions (Volokh Conspiracy, 2 Dec 2013) - Most readers will be familiar with URL shortening services - redirection services that give users a short web address that points to a longer one. I've come across URL shortening in legal briefs more and more, and I have used such links in briefs myself. The shortening avoids an unsightly excessively-long URL when you are linking to content on the web, and it's also easier for the reader who might hand-type the URL into a browser. In the opening brief in United States v. Auernheimer, for example, I linked to http://goo.gl/dVQ4k instead of to the ugly https://chrome.google.com/webstore/detail/scraper/mbigbapnjcgaffohmbkdlecaccepngjd?hl=en. In the last two years, federal court decisions have started to use URL shortening links, too. Judge Kozinski uses them extensively in today's dissent in Minority Television Project v. FCC, a case on the First Amendment implications on banning certain kinds of ads on public TV. A quick Westlaw search finds 9 judicial opinions before today's decision that use Google's URL shortener, goo.gl. Several of them use the service for maps. It's an interesting development, and I suspect it's one that we will see more of rather than less of in the future.


Astroturfing bust spotlights online review troubles (Corporate Counsel, 2 Dec 2013) - New York State Attorney General Eric Schneiderman in September revealed the details of a yearlong undercover operation designed to halt illegal activity occurring from New York City to as far away as Bangladesh and Eastern Europe. Schneiderman's target? Not white-collar criminals, crooked mobsters or corrupt politicians, but fake online reviewers. "Operation Clean Turf" busted 19 companies, both regular businesses and search engine optimization (SEO) firms, all of which were forced to discontinue their practices, and some of which were forced to pay penalties ranging from $2,500 to just under $100,000. To catch businesses and SEO companies "astroturfing" or putting fake consumer reviews on websites like Yelp, CitySearch or Google Local, Schneiderman's office posed as a Brooklyn, New York-based yogurt shop and called SEO companies to ask for help with online reputation management, a service that many SEO firms provide. Instead of merely offering to "manage" reputations though, several SEO representatives offered to post fake reviews of the client business online, using tactics like IP address spoofing, creating multiple profiles to add reviews and paying freelance writers from overseas to draft fake reviews. The attorney general's investigation brought to light not just the problem of fake reviews, but also underscored the difficulties of striking a balance between protecting consumers and protecting companies from nasty and inaccurate online reviews that function effectively as bad advertising.


UK social media users get legal advice from on high on avoiding contempt of court (TechCrunch, 4 Dec 2013) - [T]he immediacy of social media apparently makes it easy for some users to forget how far their views can travel - causing a small number of them to end up in legal hot water over the things they have posted online. Or, from the establishment perspective, to threaten the judicial process by potentially prejudicing prosecutions. The U.K. government's chief legal advisor, Attorney General Dominic Grieve, whose remit includes trying to ensure fair trials can take place, has decided the time has come to provide free legal advice (well, he calls it "advisories") to Twitterers and Facebookers to help educate them on the responsibilities of using a "tool of mass communication". From today, Grieve will be publishing court advisory notes that have previously only been available to mainstream media outlets. The notes will be published on the gov.uk website and via the Twitter feed of the Attorney General's Office, @AGO_UK (which currently has less than 4,000 Twitter followers). As well as trying to ensure social media users don't trample over the ability of courts to conduct fair trials, Grieve noted the guidelines will aim to help people avoid saying things that might in themselves be a criminal offence. Just last week, for instance, a man who flouted court directions by posting pictures purporting to be of Jon Venables, who murdered the toddler James Bulger in 1993 when he himself was also a child, was handed a 14-month suspended prison sentence. Another recent example is Peaches Geldof, daughter of the singer Bob Geldof, who the Independent notes apologised this week for tweeting the names of two mothers whose babies were abused by the Welsh rock singer Ian Watkins.


Booz Allen says cyber attacks are the "new normal" for financial services industry (WSJ, 4 Dec 2013) - Five years ago, questions directed at boards of directors and senior executives at financial services firms on the toughest risk management issues might have resulted in responses like "liquidity risk," "regulatory compliance," or "bad debt." Few, if any, would have mentioned cyber security. Today, the same question generates a much different answer. In 2014, the trends that matter to CISOs, CIOs, chief risk officers and board members at large and small financial services enterprises reflect their acute concerns about cyber security risk management in today's "new normal" of persistent threats. Today, Booz Allen has compiled those areas of focus for its annual list of the "Top Financial Services Cyber Security Trends for 2014." In recent years, executives have watched the landscape change, seeing how DDoS attacks from the Izz ad-Din al-Qassam Cyber Fighters had the potential to destroy data, and reputations. They learned that cyber threats attack a bank wherever it does business, not just where it is headquartered. And they witnessed the critical benefits of public-private information sharing. "Our conversations with clients have significantly evolved from a focus on threats and capabilities to creating a balanced and holistic cyber program that responds to an institution's critical business risks, while considering the new realities of a complex and interconnected operating environment," said Bill Stewart, senior vice president and head of Booz Allen's commercial finance program. "We are increasingly helping clients to work through how best to align cyber spend with an ever increasing potential exposure. Threat actors continue to grow in sophistication, driving our clients to respond. Simply increasing spend is not always the best option -- we are helping our clients build programs that respond to their material business risks while balancing resource expenditures." The Top Financial Services Cyber Security Trends for 2014: * * *

- and -

Senator wants cybersecurity answers from automakers (Tom's Guide, 5 Dec 2013) - A U.S. senator has asked 20 automobile manufacturers how each plans to stave off wireless hacking attempts on vehicle computer systems, as well as prevent violations of driver privacy. "I write to request information regarding your company's protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of wireless, navigation and other technologies into and with automobiles," wrote Sen. Ed Markey, D-Mass, in a letter to Daniel Akerson, CEO of General Motors, on Monday (Dec. 2). Markey's questions imply that he wants carmakers to apply computer-industry security processes, including implementation of anti-virus software, incident logging, incident-response planning, software vulnerability patching and third-party penetration testing - the last of which would stage real hacker attacks on mass-production vehicles. Markey, one of the half-dozen lawmakers on Capitol Hill who has demonstrated a clear understanding of computer technology, cited research done earlier this year by two Pentagon-funded "white hat" hackers. "In a recent study that was funded by the Defense Advanced Research Projects Agency (DARPA)," Markey wrote, "Charlie Miller and Chris Valasek demonstrated their ability to directly connect to a vehicle's computer systems, send commands to different ECUs through the CAN and thereby control the engine, brakes, steering and other critical vehicle components."

How the Bitcoin protocol actually works (by Michael Nielsen and recommended by Bruce Schneier, 6 Dec 2013) - Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We'll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction. Understanding the protocol in this detailed way is hard work. It is tempting instead to take Bitcoin as given, and to engage in speculation about how to get rich with Bitcoin, whether Bitcoin is a bubble, whether Bitcoin might one day mean the end of taxation, and so on. That's fun, but severely limits your understanding. Understanding the details of the Bitcoin protocol opens up otherwise inaccessible vistas. [Polley: pretty dense reading, but more accessible than anything else I've found.]

FBI surveillance malware in bomb threat case tests constitutional limits (ArsTechnica, 6 Dec 2013) - The FBI has an elite hacker team that creates customized malware to identify or monitor high-value suspects who are adept at covering their tracks online, according to a published report. The growing sophistication of the spyware - which can report users' geographic locations and remotely activate a computer's camera without triggering the light that lets users know it's recording - is pushing the boundaries of constitutional limits on searches and seizures, The Washington Post reported in an article published Friday. Critics compare it to a physical search that indiscriminately seizes the entire contents of a home, rather than just those items linked to a suspected crime. Former US officials said the FBI uses the technique sparingly, in part to prevent it from being widely known. The 2,000-word article recounts an FBI hunt for "Mo," a man who made a series of threats by e-mail, video chat, and an Internet voice service to detonate bombs at universities, airports, and hotels across a wide swath of the US last year. After tracing phone numbers and checking IP addresses used to access accounts, investigators were no closer to knowing who the man was or even where in the world he was located. Then, officials tried something new. "The FBI's elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed onto his Yahoo e-mail account, from any computer anywhere in the world, according to the documents," reporters Craig Timberg and Ellen Nakashima wrote. "The goal of the software was to gather a range of information - Web sites he had visited and indicators of the location of the computer - that would allow investigators to find Mo and tie him to the bomb threats." "We have transitioned into a world where law enforcement is hacking into people's computers, and we have never had public debate," Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Washington Post, speaking of the case against Mo. "Judges are having to make up these powers as they go along."

Woman's 140K tapes of TV news to be digitized, by Bay Area nonprofit (SiliconValley.com, 9 Dec 2013) - A woman who faithfully taped 35 years of TV news with the hope that one day it would prove to be valuable, searchable historical material did not live to see her dream realized. But the vision of Philadelphia resident Marion Stokes, who died last year at 83, will become a reality now that her 140,000 video cassettes are being archived in an online library. The trove, which totals about a million hours of newscasts, is expected to arrive in the Bay Area Tuesday at the Internet Archive in Richmond where it will be digitized and made available to the public, The Philadelphia Inquirer reported. "We were awestruck by two things," said Roger Macdonald, the virtual library's director of TV archives. "One, the size of the collection. And two, the human story behind it, that one person could create so extensive a collection." The massive collection, which was first reported last month by Fast Company magazine, includes local news shows from Philadelphia between 1986 and 2012, and broadcasts from Boston, where she once lived, from 1977 to 1986. All the while, she also recorded national news and cable channels, leading her to run several VCRs simultaneously 24 hours a day. Her son, Michael Metelits, described Stokes as "searingly intelligent" and said her passion was rooted in the belief that a well-informed public was essential to good governance. Shrewd investments funded the project. "My mother had a keen sense of the uniqueness of her mission," said Metelits, 53. "She would resist, forcefully, anybody who told us this was useless or a waste of time." The cassettes might include rare material. During the 1960s and '70s, local TV stations routinely wiped clean their tapes and reused them; it cost too much and required too much space to maintain an archive.

Google catches French govt spoofing its domain certificates (ZDnet, 9 Dec 2013) - France's cyberdefence division, Agence nationale de la sécurité des systèmes d'information (ANSSI), has been detected creating unauthorised digital certificates for several Google domains. Google states on its own security blog that an intermediate certificate authority (CA) issued the certificate, which links back to ANSSI. "Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," Google wrote. In a statement by ANSSI, the cyberdefence organisation revealed that this intermediate CA is actually its own infrastructure management trust administration, or "L'infrastructure de gestion de la confiance de l'administration" (IGC/A). ANSSI itself is the cyber response and detection division of the French republic. ANSSI states that the fraudulent certificates were a result of "human error, which was made during a process aimed at strengthening overall IT security". Google states that the certificate was used in a commercial device, on a private network, to inspect encrypted traffic. According to the web giant, users on that network were aware that this was occurring, but the practice was in violation of ANSSI's procedures. Google used the incident to highlight the need for its Certificate Transparency project, aimed at fixing flaws in the SSL certificate system that could result in man-in-the-middle attacks and website spoofing. Google's answer to these flaws is for CAs to adopt a framework that monitors and audits these certificates, thus outing rogue CAs or when certificates are illegitimately issued. This is not the first time that the flaws of SSL certificates have been exposed. The US National Security Agency is alleged to have used man-in-the-middle attacks through unauthorised certificates against Google in the past. Additionally, in August 2011, a breach at DigiNotar, another CA, found that an Iranian hacker had created rogue certificates for Google domains, intercepting user passwords for Gmail.

Coursera releases iPhone app for MOOCs (GigaOM, 10 Dec 2013) - Coursera has built a name for itself by providing MOOCs (massive open online courses) in a variety of subjects to practically any student willing to learn. Now, the company will offer those lessons on the go with a new free app - a boon for students who want to take in lectures during commutes or trips. The first edition of the app, available today in the iTunes store, offers users the ability to browse through the hundreds of courses offered in 20 different subjects on Coursera. Lectures for those courses are offered via live streaming, and also available to download for offline viewing. Coursera's iPhone app not only fills a vacuum that has been otherwise filled with expensive third-party apps, but also jumps on the mobile learning bandwagon. For example, Codecademy created its first iPhone app in honor of "Hour of Code," earlier this week. While it seems like Coursera's iPhone app is more of a bare-bones version of its browser offerings, rather than a complete experience tailored to learning on mobile, it's a great start for those interested in using their phones and tablets to get a little extra learning done. [Polley: Critical stories about MOOC issues, generally: After setbacks, online courses are rethought (NYT, 11 Dec 2013); and Year of the backlash (InsideHigherEd, 13 Dec 2013)]

Financial regulators issue final guidance on social media (FFIEC, 11 Dec 2013) - The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, today released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau. The guidance is effective immediately. The guidance does not impose any new requirements on financial institutions. Rather, it is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational risks, associated with the use of social media, along with expectations for managing those risks. The guidance provides considerations that financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media. The FFIEC published the guidance in proposed form in January 2013 and invited public comments through March 25, 2013. The agencies received 81 comments through that process and took those comments into account in making certain revisions to the guidance. Guidance here.

Firms will need cyber "badge" to win some British govt business (Reuters, 12 Dec 2013) - Britain will announce on Thursday that firms wishing to bid for certain areas of government procurement will have to meet a new standard demonstrating basic levels of cyber security. The scheme forms part of the latest plank of Britain's attempt to counter a growth in hostile cyber assaults, which has been earmarked as a top national security issue but whose progress has come in for severe criticism from lawmakers. The plans will include creation of a government-backed cyber standard for businesses which would be adopted for future procurement, while also designed to give insurers, investors and auditors something "they can bite on" when they weigh how good companies are at managing risks.

NOTED PODCASTS

Why care about the NSA? (NYT, 5min video, 26 Nov 2013) - A short film explores whether ordinary Americans should be concerned about online surveillance.

Software Patents as a Barrier to Scientific Transparency: An Unexpected Consequence of Bayh-Dole (Stanford's CIS; 30 Oct 2013; 56 minutes) - Interview with Columbia Prof. Victoria Stodden, parsing issues associated with open research, transparency, and some of the still-emerging university policies on Bayh-Dole implementation (a third of a century on).

RESOURCES

2013 Techno-Gift Guide (Jeff Allen and Ashley Hallene, ABA, Dec 2013) - Over the years, people have come to regard technology as a desirable gift (among our favorites). For certain occasions within specific relationships, you may find it necessary to get your spouse or significant other a more personal gift, but for most holidays, and many relationships, technology offers highly suitable gifting opportunities. GPSolo magazine has published an annual technology gift guide in connection with the holiday season for many years. This year marks a change in that long-standing tradition. No, we have not canceled the guide; we have given it a perspective shift. For most of its existence, the gift guide reflected my (Jeffrey Allen's) personal views and opinions. Recently, I found an excellent writing partner in Ashley Hallene, and we have just completed writing two books on technology (both of which would, of course, make excellent gift choices): Technology Solutions for Today's Lawyer (ABA, 2013) and iPad for Lawyers (Thomson Reuters, 2013). Ashley and I have greatly enjoyed writing together. As a result, we decided to co-author the gift guide and, in so doing, share with you our joint perspectives on the best techno-gifts as well as give you the viewpoints of both a male and a female author.

DIFFERENT

82 years before Edward Snowden, there was Herbert Yardley (The Atlantic, 4 Dec 2013) - On the National Security Agency's site, there is a timeline dedicated to the most significant events in cryptologic history. Among its many entries: November 4, 1952, the day the NSA itself was created; December 7, 1941, when the Japanese attacked Pearl Harbor; and the earliest event that is commemorated, the U.S. State Department's decision to hire a 23-year-old Indiana native, Herbert O. Yardley, on November 16, 1912, just prior to the outbreak of World War I. An ambitious young man with a background as a railroad telegraph operator, Yardley quickly showed a talent for breaking codes. After proving himself able to decipher an ostensibly secret message to President Woodrow Wilson, he decided to spend his career improving the security of U.S. government communications. Soon after, he began breaking the codes of other governments in anticipation of war. He would ultimately spy on the communications of foreigners and U.S. citizens in peacetime, and head a secret surveillance agency headquartered in a New York City brownstone. But Yardley wasn't just the progenitor of the trade practiced at the NSA today. He was also the surveillance state's first betrayer, as loathed by insiders in his day as Edward Snowden is in ours. His 1931 book The American Black Chamber spilled secrets on a scale that a pre-Snowden-leak NSA described as follows: In today's terms, it would be as if an NSA employee had publicly revealed the complete communications intelligence operations of the Agency for the past 12 years - all its techniques and major successes, its organizational structure and budget - and had, for good measure, included actual intercepts, decrypts, and translations of communications not only of our adversaries but of our allies as well. [Polley: quite interesting.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

IBM rents out supercomputer brawn (CNET, 8 Jan 2003) -- IBM has begun a new program to rent out processing power on its own supercomputers, signing up a petrochemical company as a first customer. Petroleum Geo-Services (PGS) is renting more than one-third of its computing capacity from IBM, a move that lets the company deal better with surges in demand for computing services used to find oil and gas deposits. PGS has about 1,000 of its own dual-processor Linux computers interconnected into a single computing resource, but the company is also using about 400 more from IBM, said Chris Semple, manager of developing technologies at PGS. Eventually, IBM expects other petrochemical companies and life-sciences companies to become customers. The service "is a precursor of what should be a broad push into petroleum industry or life sciences," said David Turek, vice president of IBM's Linux clusters and grid products. The project is a specific example of IBM's on-demand computing effort and of the larger "utility computing" concept, under which those who need varying amounts of computing power pay for it as they use it. It's intended to be a less expensive alternative to buying equipment for moments of peak usage such as end-of-month account balancing or holiday shopping seasons then letting it sit comparatively idle the rest of the time.

Encryption backers brace for new threats (CNN, 1 April 2003) -- Cheating on income taxes or neglecting to pay sales taxes on online shopping could get you five extra years in prison if the government succeeds in restricting data-scrambling technology, encryption-rights advocates fear. Such a measure, they worry, might also discourage human rights workers in, say, Sri Lanka from encrypting the names and addresses of their confidants, in case they fall into the wrong hands. Draft legislation circulating in the Justice Department would extend prison sentences for scrambling data in the commission of a crime, something encryption advocates fear would achieve little in catching terrorists -- and only hurt legitimate uses of cryptography. "Why should the fact that you use encryption have anything to do with how guilty you are and what the punishment should be?" asks Stanton McCandlish of the CryptoRights Foundation, which teaches human rights workers to use encryption. "Should we have enhanced penalties because someone wore an overcoat?"

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, November 23, 2013

MIRLN --- 3-23 Nov 2013 (v16.16)

MIRLN --- 3-23 Nov 2013 (v16.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

NEWS | PODCASTS | LOOKING BACK | NOTES

Cyber security: lawyers are the weakest link (The Lawyer, 28 Oct 2013) - In space, no one can hear you scream, but cyberspace will soon be alive with the shrieks of lawyer pain as client confidentiality disappears out a gapingly wide-open digital window. Law firms are in the front line of cyber security threats, with hackers increasingly targeting the legal profession for the goldmine of sensitive and confidential client data firms hold. And that threat is becoming so prevalent that cyber specialist practitioners envisage a time soon when bank and corporate general counsel - as well as those in charge of family offices - will insist on law firm security audits as part of routine panel reviews. This is not the stuff of science fiction or scaremongering, according to the experts. One cyber security specialist relates that a top 10 City firm chief information officer is convinced of the inevitability of a prominent legal practice going down in flames as a result of a cyber attack breaching client confidentiality and rendering the practice's wider reputation and market position untenable. Some suggest the financial services sector is starting to see law firms as the 'soft underbelly' in the cyber security battle. While they themselves have recognised the threat, upgraded systems and implemented state-of-the-art layers of defence, their lawyers, argue some senior bankers, are a weak link. Firms holding vast quantities of confidential information regarding financial services sector clients are a target for hackers because they are behind the cyber security curve. But while not complacent about the threat, some specialist lawyers are cynical, sensing a whiff of hyperbole behind the jargon. "The technology industry has a fantastic ability to create new terminology for old concepts," comments one City firm data privacy specialist. "You could argue that cyber security is just another aspect of general data protection, and privacy and information management."

Fifth amendment prevents compelled decryption (Berkman, 31 Oct 2013) - On Monday, the Cyberlaw Clinic filed an amicus brief in the Supreme Judicial Court on behalf of the American Civil Liberties Union Foundation of Massachusetts, the American Civil Liberties Union Foundation, and the Electronic Frontier Foundation in the case of Commonwealth v. Gelfgatt, SJC No. 11358. In the brief, we argue that the Fifth Amendment and article 12 of the Massachusetts Declaration of Rights prohibit the government from compelling a defendant to decrypt their electronic data for use against them in criminal proceedings because it involves the kind of testimonial acts protected by constitutional protections against self-incrimination. This is the Cyberlaw Clinic's third brief filed in a series of cases before the Supreme Judicial Court addressing updates to constitutional protections in light of new technologies. Prior filings on behalf of the Electronic Frontier Foundation concerned warrant requirements for GPS tracking of suspects (Commonwealth v. Rousseau) and historical cell phone location records (Commonwealth v. Augustine).

Data security: pay it now or pay out later (Squire Sanders, 31 Oct 2013) - The price of compliance may be high, but the price of non-compliance is even higher. Based on its recent $3 million data breach settlement, AvMed, and many other entities that have experienced data breach litigation, would likely agree that paying for security upgrades now, is far superior to paying for data breaches later. In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, social security numbers, and health-related information. Last week, AvMed signed a settlement agreement to end the class action litigation that began in 2010. The settlement essentially requires AvMed to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades and updates to security policies and procedures (all of which are set out in HIPAA regulations). Not only does AvMed have to correct its non-compliance, but it must also forfeit the "unjust enrichment" it has received over the years by not spending sufficiently for data security it should have provided. AvMed will reimburse "premium overpayments" of $10 for each year the customer paid AvMed insurance premiums with a $30 cap for each approved class member without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.

Bad Code: the whole series (Lawfare, Jane Chong, 4 Nov 2013) - Over the last month, on our New Republic: Security States newsfeed, we rolled out a series designed to explain why fairly allocating the costs of software deficiencies between software makers and users is so critical to addressing the growing problem of vulnerability-ridden code - and how such a regime will require questioning some of our deep-seated beliefs about the very nature of software security. Below is a consolidation of the five-part series in full. [Polley: Then read Paul Rosenzweig's Cybersecurity and the Least Cost Avoider, also at Lawfare.]

Law firms focus on cybersecurity (SecurityInfoWatch, 4 Nov 2013) - In 2007, cybercriminals took more than 45 million credit and debit card numbers from the network of retailer TJ Maxx's parent company. The cost to the company, TJX Cos., soared above $250 million, and drove the state of Massachusetts, where the company is headquartered, to enact some of the toughest cybersecurity rules in the country. With so much money and potential damage to a company's reputation at stake in the event of a data breach, it's no wonder that law firms are devoting resources to cybersecurity, not only to protect their own firms' data but also as a potentially lucrative practice area. Buchanan Ingersoll & Rooney announced Oct. 23 it was launching a cybersecurity and data protection practice, expanding on its existing data security practice. Pittsburgh-based shareholders Matthew Meade and Sue Friedberg, and Philadelphia-based shareholder Jack Tomarchio, a former intelligence officer with the U.S. Department of Homeland Security, will lead the practice. Buchanan Ingersoll joins the growing list of law firms that have added cybersecurity practices in 2013, said David Bodenheimer, a partner with Washington, D.C.-based firm Crowell & Moring. He is also chairman of the American Bar Association Public Contract Law Section's Cybersecurity Committee. Mr. Bodenheimer said that, in 2013, many law firms expanded existing practice areas that dealt with health care and financial data protection issues. After President Barack Obama signed an executive order Feb. 12 directing federal agencies to develop cybersecurity standards for parts of the private sector, Mr. Bodenheimer said, firms recognized this as a practice area with great potential. "When boards of directors started turning to senior management and asking, 'What is this threat and what are we doing about it?' they started to call their law firms," Mr. Bodenheimer said.

EXL loses key client due to breach of confidential data (India's Economic Times, 6 Nov 2013) - Nasdaq-listed outsourcing firm EXL Services has lost a key client due to breach of confidential client data by a few of its employees, a development that will impact its revenues and raise larger questions on data security. EXL, which competes with the likes of Genpact, WNS and Firstsource and gets more than half of its revenues from the healthcare and insurance space, told investors that it received a termination notice from The Travelers Indemnity Company on November 1, 2013, scrapping a deal that was signed in 2006. American insurer Travelers accounted for 9.6% of the company's total revenue for the quarter ended September 2013 and the termination is likely to impact 2014 revenues by $14 million (Rs 86 crore) to $28 million (Rs 172 crore). EXL further said that Travelers was ending the contract because it failed to comply with the provisions of the agreement in handling client information. "The termination arose from an incident where company employees, who have since been terminated, shared a procedural document externally in violation of the company's strict client confidentiality policies. The company and Travelers sought an amendment to the existing agreement but were unable to reach terms mutually acceptable to the parties," the filing said. Under its agreement with Travelers, EXL also needs to provide transition-related services for 18 months from the termination date, at its own cost.

Password protection laws (MLPB, 7 Nov 2013) - Sarah O'Donohue, Emory University School of Law, is publishing 'Like' it or Not, Password Protection Laws Could Protect Much More than Passwords in volume 20 of the Journal of Law & Business Ethics Emory University School of Law (2014). Here is the abstract: "Employers and schools in several states are now prohibited from requesting access to the social networking accounts of their employees, students, and applicants as a result of the "password protection" laws that are sweeping the nation. These laws take an expansive view of the definition of privacy by implying that viewing content on a user's restricted-access social networking profile without his consent constitutes an invasion of privacy. Courts have consistently held that the information users post on social networking websites is, in fact, not private. Further highlighting the contrast between legislative and judicial interpretations of privacy in the context of these new technologies, the express language in one of the password protection laws declares that all Internet users have a reasonable expectation of privacy in their social networking website communications and affairs. This Article argues that password protection laws should be interpreted narrowly as only prohibiting the invasive methods used by employers and schools to gather information from social networking profiles - not as establishing in all cases that communications to which access has been restricted are private. The reasonableness of a user's expectation of privacy in the content of his social networking profile must be determined by courts on a case-by-case basis, informed by such factors as how many people he invites to view it, the relationship between the user and his chosen audience, the exact calibration of his privacy settings, and the degree to which his digital information is guarded by the website under its privacy and data use policies."

Apple issues first transparency report, includes "warrant canary" (EFF, 7 Nov 2013) - On Tuesday, yet another one of the nine companies originally implicated in the PRISM program released its first transparency report. Apple joins the ranks of Google, Yahoo, and Facebook, among others that have issued reports that detail the number of requests the companies receive from governments for user data. EFF has long called on corporations to be transparent about what they do with the data that users entrust to them. Transparency reports have become the industry standard, and we are delighted to be able to award Apple another star in the 2014 edition of our annual Who Has Your Back campaign, where we assess major Internet companies' commitment to standing by the rights of users in the face of government requests for personal information about their customers. This is Apple's first transparency report, and it only looks at the first half of 2013. The report includes information about which countries have asked for user data, the number of requests received and granted, the number of times Apple has objected to information requests, as well as the number of information requests where Apple has not disclosed data. The U.S. is reported to have made the most requests. After the U.S., the top three countries requesting user information are the United Kingdom (127), Spain (102), and Germany (93). In the report, Apple makes an important distinction between government requests for "data" and government requests for "content". Apple defines data as "personal identifiers", such as Apple IDs, email addresses, and telephone and credit card numbers. When Apple hands over user content, however, the company provides governments with more detailed information like iCloud emails, contacts, photos, and calendars. Perhaps the most interesting part of the transparency report are the last two sentences: "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us." Apple's statement is an implementation of the so-called "warrant canary." Canaries are used to signal that, as of the date published, there have been no law enforcement requests of a particular type received. In Apple's case, the canary is limited to a signal that no secret Section 215 orders have been served on the company. If the canary is removed in the next transparency report, it is safe for users to assume that a Section 215 data request and the accompanying gag order has been issued. We appreciate Apple's implementation in particular, including its six-month delay, because if its use is ever challenged in court, the ample time will allow a judge to coolly and calmly review the constitutionality of any government attempt to compel Apple to lie. We fear that if the first challenge to a warrant canary comes before a court in a more rushed context, a rushed judge could make bad law.

Payment card industry gets updated security standard with new requirements (Computerworld, 8 Nov 2013) - The PCI Security Standards Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organizations, including merchants, payment processors, financial institutions and service providers. The new version will go into effect on Jan. 1, but organizations will have until Dec. 31, 2014, to make the transition from PCI DSS 2.0. In addition, some of the new security requirements will have the status of best practices until June 30, 2015. The effectiveness of the PCI DSS, whose primary goal is to help organizations secure cardholder data, is disputed in the security community. That's partly because there have been many cases of merchants and payment processors sustaining significant cardholder data breaches despite having passed PCI DSS compliance assessments. The PCI Security Standards Council recognized this problem and included a set of best practices in the new version of the standard that aims to make PCI DSS implementation part of business-as-usual activities and ensure that organizations involved in payment card processing remain compliant between annual assessments.

Do you have coverage to protect against cyber attack risks? (Inside Counsel, 8 Nov 2013) - Exposure to losses from data breaches and loss of personal information continues to rank high on the list of worries for general counsel around the country. GCs have good reason to worry. Marsh, one of the largest insurance brokers in the world, reports that over 600 million confidential personal records have been breached in the last five years. Verizon's 2013 Data Breach Investigations Report is even more telling with its opening line that in 2012 "[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage." The Verizon Report's statistics are even more alarming. Specifically, 37 percent of data breaches affected financial organizations. The next highest segments vulnerable to cyber-attacks include retail businesses and restaurants, followed by manufacturing, transportation and utilities. In response to the growing risk of loss from cyber and privacy violations, insurers are reacting in two ways. First, most insurers have excluded cyber risks from more traditional insurance policies such as Commercial General Liability (CGL). Second, insurance companies are racing to the market with new products aimed at providing specialized coverage for such losses. As companies of all sizes approach the calendar year-end, now is the time to analyze exposure for cyber risks and address insurance needs to close any gaps in coverage. If GCs are as worried about losses as noted in current reports, then they should be leading the charge to address the need for cyber insurance.

Amazon to deliver on Sundays using postal service fleet (Washington Post, 11 Nov 2013) - The Internet has been blamed for the death of the mail, but now it's offering hope to the beleaguered U.S. Postal Service. Amazon announced Monday that it will begin Sunday deliveries using the government agency's fleet of foot soldiers, office workers and truck drivers to bring packages to homes seven days a week. To accommodate the online retailing giant, the Postal Service said it will for the first time deliver packages at regular rates on Sundays. Previously, a shipper had to use its pricey Express Mail service and pay an extra fee for Sunday delivery. The initiative will begin immediately in Los Angeles and New York and spread to the Washington area and much of the rest of the nation next year, Postal Service officials said. The partnership should help the turnaround effort underway at the financially strapped Postal Service, they said. The arrangement with Amazon could open the doors to more partnerships with retailers that are eager to use the 500,000 USPS employees and 31,000 post offices across the country to satisfy consumers who want to get what they buy online faster.

Samsung, Nokia say they don't know how to track a powered-down phone (ArsTechnica, 11 Nov 2013) - Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to "find cellphones even when they were turned off. JSOC troops called this 'The Find,' and it gave them thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq, according to members of the unit." Many security researchers scratched their heads trying to figure out how this could be so. The British watchdog group Privacy International took it upon itself to ask eight major mobile phone manufacturers if and how this was possible in August 2013. On Monday, the group published replies from the four firms that have responded thus far: Ericsson, Google, Nokia, and Samsung. (Apple, HTC, Microsoft, and BlackBerry have not yet sent in a response.) A research officer at the organization, Richard Tynan, wrote that "two themes stood out among the companies that replied: hardware manufacturers claim that they strive to switch off almost all their components while the phone is powered down, and if tracking occurs it is likely due to the installation of malware onto the phone."

PAEs under the microscope: an empirical investigation of patent holders as litigants (Patently-O, 12 Nov 2013) - Today, a certain type of patent litigant - the non-practicing entity ("NPE"), also known as a patent assertion entity ("PAE"), patent monetization entity ("PME"), or simply patent troll - is the target of much public debate, if not venom. Indeed, President Obama himself got involved in this debate, with his Council of Economic Advisers preparing a report this summer entitled "Patent Assertion and U.S. Innovation." The Executive Summary of the President's report sounds the following alarm about PAE suits: Suits brought by PAEs have tripled in just the last two years, rising from 29 percent of all infringement suits to 62 percent of all infringement suits. This asserted explosion in PAE-initiated litigation has fed into a wider perception that PAEs are out of control and need reining in by Congress. But is the factual assertion by the President's report an accurate characterization of total PAE litigation activity? We address this important issue in our new article, Patent Assertion Entities (PAEs) Under the Microscope: An Empirical Investigation of Patent Holders as Litigants. To investigate PAE litigation, we personally hand-coded all 7,500+ patent holder litigants in 2010 and 2012. In our coding, we finely classified the nature of the litigants, going beyond the simple PAE / non-PAE label. Specifically, we coded each patent holder as one of the following: (1) a University; (2) an Individual Inventor/Family Trust; (3) a large Patent Aggregator (e.g., Acacia); (4) a Failed Operating Company or Failed Start-up; (5) a Patent Holding Company that appears unaffiliated with the original inventor or owner; (6) an Operating Company; (7) an IP Holding Company affiliated with an operating company; or (8) a Technology Development Company (e.g., Walker Digital). Based on our data, and contrary to the assertions in the President's report, we do not find an explosion in PAE litigation between 2010 and 2012. In particular, the President's report considered only the raw number of lawsuits filed in 2010 and 2012. By limiting its analysis to numbers of cases filed, rather than the underlying parties involved, the President's report was incomplete and led to an erroneous conclusion.

FCC smartphone app gauges speed of user's network (NYT, 14 Nov 2013) - The Federal Communications Commission on Thursday released its first smartphone app, a free program that allows consumers to measure the broadband speed they are getting on their mobile devices and to determine whether it is as fast as wireless companies say. The app provides information on upload and download speeds and on how efficiently data is transmitted, a measure known as packet loss. The app, F.C.C. Speed Test, also will allow the commission to aggregate data about broadband speeds from consumers across the country. It will use the data to create an interactive map, giving consumers a tool to use in comparison shopping rather than relying on wireless companies' promises. The app, available in the Google Play store, will run periodically in the background on a consumer's phone, automatically performing tests when a user is not otherwise using the phone. F.C.C. officials stressed that the software would not collect any personal or uniquely identifiable information, and that it would release information only after the data was analyzed. The app uses open-source code, and the agency details its methodologies and privacy policy on its website. [Polley: until they release an iPhone version, you might try Speedtest.net's Mobile Speed Test, which I like. It doesn't, however, pass results along to the FCC for the aggregation/mapping project.]

Attack ravages power grid (Just a test) (NYT, 14 Nov 2013) - In windowless rooms from here to California, nearly 10,000 electrical engineers, cybersecurity specialists, utility executives and F.B.I. agents furiously grappled over 48 hours with an unseen "enemy" who tried to turn out the lights across America. The enemy injected computer viruses into grid control systems, bombed transformers and substations and knocked out power lines by the dozen. By late Thursday morning, in this unprecedented continental-scale war game to determine how prepared the nation is for a cyberattack, tens of millions of Americans were in simulated darkness. Hundreds of transmission lines and transformers were declared damaged or destroyed, and the engineers were rushing to assess computers that were, for the purposes of the drill, tearing their system apart. "It's going really well," said Gerry W. Cauley, the president and chief executive of the North American Electric Reliability Corporation, which ran the drill. "A bit scary, but really well." The degree of simulation varied, organizers said. Nobody touched actual operating equipment, but some companies sent trucks with linemen aboard to investigate the status of key transformers because the "scenarios" written by Mr. Cauley's group included computer viruses that kept technicians at the control centers from knowing the condition of crucial equipment. The drill also involved "denial of service" attacks, in which hackers flooded a computer connected to the Internet with so many messages that it could not handle the load. In real life, banks and other companies have been hit with such attacks. Drill participants said they would not talk about the specific locations of the simulated attacks, for two reasons: The locations were chosen at points that the insiders knew were vulnerable, and the companies involved were promised that if they participated, their performance would not be held up to public criticism. 
The purpose, organizers said, was to pose problems that were hard to solve, to expose areas that needed improvement.

Forest change mapped by Google Earth (BBC, 14 Nov 2013) - A new high-resolution global map of forest loss and gain has been created with the help of Google Earth. The interactive online tool is publicly available and zooms in to a remarkably high level of local detail - a resolution of 30m. It charts the story of the world's tree canopies from 2000 to 2012, based on 650,000 satellite images by Landsat 7. In that time, the Earth lost a combined "forest" the size of Mongolia, enough trees to cover the UK six times. Brazil's progress in reducing deforestation was more than offset by losses in Indonesia, Malaysia, Paraguay and Angola, according to a study in the journal Science. "This is the first map of forest change that is globally consistent and locally relevant," said Prof Matthew Hansen of the University of Maryland, who led the project team which developed the map. "What would have taken a single computer 15 years to perform was completed in a matter of days using Google Earth Engine computing." Their study reports a number of key findings on forest change from 2000-2012 - based on the satellite imagery. The Earth lost 2.3 million square kilometres of tree cover in that period, due to logging, fire, disease or storms. But the planet also gained 800,000 sq km of new forest, a net loss of 1.5 million sq km in total. Brazil showed the best improvement of any country, cutting annual forest loss in half between 2003-04 and 2010-11. Indonesia had the largest increase in deforestation, more than doubling its annual loss to nearly 20,000 sq km in 2011-12. In the United States, the "disturbance rate" of south-eastern forests was four times that of South American rainforests - more than 31% of forest cover was either lost or regrown. Paraguay, Malaysia and Cambodia had the highest national rates of forest loss. Overall, tropical forest loss is increasing by about 2,100 sq km per year, the researchers said. [Polley: Spotted by MIRLN reader Gordon Housworth.]

Court knocks wind out of challenge to FTC's cybersecurity authority (Steptoe, 14 Nov 2013) - The judge hearing the challenge by Wyndham Hotels & Resorts to the Federal Trade Commission's authority to regulate companies' data security practices suggested last week that she is likely to back the FTC. The FTC sued Wyndham after the company suffered three data security breaches, claiming that the company had engaged in "unfair and deceptive acts and practices" by not maintaining "reasonable and appropriate" data security measures. Wyndham moved to dismiss, arguing that the Commission lacks the authority to regulate companies' data security practices, and that the FTC should at least have to establish rules and regulations putting companies on notice as to what practices they needed to implement. At oral argument, Judge Esther Salas of the U.S. district court for New Jersey seemed poised to reject Wyndham's arguments and to uphold the FTC's broad power over data security practices.

Siding with Google, judge says book search does not infringe copyright (NYT, 14 Nov 2013) - Google's idea to scan millions of books and make them searchable online seemed audacious when it was announced in 2004. But fast-forward to today, when people expect to find almost anything they want online, and the plan seems like an unsurprising and unavoidable part of today's Internet. So when a judge on Thursday dismissed a lawsuit that authors had filed against Google after countless delays, it had the whiff of inevitability. Even the judge, Denny Chin of the United States Court of Appeals for the Second Circuit, said during a September hearing on the case that his law clerks used Google Books for research. "It advances the progress of the arts and sciences, while maintaining respectful consideration for the rights of authors and other creative individuals, and without adversely impacting the rights of copyright holders," Judge Chin wrote in his ruling. Google and other technology companies often push the limits of regulation and law, and hope that eventually the rest of the world - and the law - will catch up. "What seemed insanely ambitious and this huge effort that seemed very dangerous in 2004 now seems ordinary," said James Grimmelmann, a law professor at the University of Maryland who has followed the case closely. "Technology and media have moved on so much that it's just not a big deal." The ruling examined whether Google's use of copyrighted works counted as so-called fair use under copyright law, which Judge Chin determined it did. The decision opened the door for other companies to also scan books. Google's book search is transformative, he wrote, because "words in books are being used in a way they have not been used before." It does not replace books, he wrote, because Google does not allow people to read entire books online. It takes security measures, like not showing one out of every 10 pages in each book, to prevent people from trying to do so. One potential problem for Google was the notion that using copyrighted material for moneymaking purposes weighs against a finding of fair use. Though the company does not sell the books and stopped running ads alongside them in 2011, it benefits commercially because people are drawn to Google websites to search the books, Judge Chin wrote. But, he added, "Even assuming Google's principal motivation is profit, the fact is that Google Books serves several important educational purposes." [Polley: potentially a broad expansion of "transformative" use; coupled with the minimal weight given Google's commercial benefits, this may be a very weighty decision with important implications.]

Web restrictions not the answer to juror online research (Harvard's DMLP, 15 Nov 2013) - Juror use of the Internet to do research or communicate about trials is a growing and persistent problem. So, what can a judge do? For several years now courts have been giving jurors more detailed admonitions and jury instructions against educating themselves about cases online, to little effect. A few judges have taken a different approach, ordering web sites with information on specific cases to remove the information from the Internet. But in a pair of recent decisions, appeals courts have said this method of limiting juror online research is an unconstitutional prior restraint. * * *

Facebook, still dominant, strives to keep cachet (NYT, 17 Nov 2013) - When Evan Spiegel peered into a crystal ball to divine a future for his company, Snapchat, he did not see Facebook. He saw something else, something much bigger - a social network that could exist on its own, outside Facebook. Facebook is still the dominant social media service, and has been an attractive suitor for many start-ups. And Snapchat most likely spurned Facebook partly because it thought it could fetch much more than the billions Facebook was willing to pay. But the snub also foreshadows a possible future where Facebook is no longer the default place on the web where people go to network. The swift rise of upstarts like Snapchat in a shifting social media landscape suggests a change in how and where people like to spend their time. The rebuff also reveals a changing perception of Facebook in the tech industry. As the once scrappy start-up evolves into a sprawling corporation, younger companies who view themselves as disruptive do not find Facebook's size and cushy campus as appealing. Not to mention that a lot of them are trying to provide alternatives to Facebook, which means selling to Facebook would defeat their entire purpose. Despite the site's primacy in the social media market, some numbers suggest that Facebook addiction has given way to Facebook fatigue, at least among some users. A study by the Pew Internet and American Life Project found that the majority of users have at one point or another taken a multiweek break from the service, citing the tedium and irrelevancy of its content. Among the crucial younger demographic - users ages 18 to 29 - that first propelled Facebook into prominence, 38 percent said they expected to spend less time using the site this year. The survey confirmed what some at the company already knew. 
In its latest quarterly call with investors, it said its youngest users were spending less time on the service, although overall teenage engagement was stable. That fatigue may also have started to trickle down to the developers who build apps on top of Facebook's platform. [Polley: This is part of why I stayed away from Facebook's IPO. Together with their dizzying, ever-confusing privacy policy(ies), I get the sense that they're destined for oblivion.]

Latest release of documents on NSA includes 2004 ruling on email surveillance (NYT, 18 Nov 2013) - The Obama administration released hundreds of pages of newly declassified documents related to National Security Agency surveillance late Monday, including an 87-page ruling in which the Foreign Intelligence Surveillance Court first approved a program to systematically track Americans' emails during the Bush administration. "The raw volume of the proposed collection is enormous," wrote Judge Colleen Kollar-Kotelly, who was then the chief judge on the secret surveillance court. The government censored the date of her ruling in the publicly released document, and many sections - including a description of what she had been told about terrorism threats - were heavily redacted. Many of the documents have historic significance, showing how Bush administration surveillance programs that were initially conducted without court oversight and outside statutory authorization were brought under the authority of the surveillance court and subjected to oversight rules. The documents also included reports to Congress, training slides and regulations issued under President Obama. The Bush administration temporarily shut down its bulk collection of email logs after Justice Department lawyers raised legal concerns in March 2004. Judge Kollar-Kotelly declared the collection lawful in July 2004, according to documents leaked by Edward J. Snowden, the former N.S.A. contractor. The trove also included the Bush administration's 2006 application for initial approval by the surveillance court to collect bulk logs of all domestic phone calls under a provision of the Patriot Act that allows the collection of business records deemed "relevant" to an investigation, another program it had previously undertaken unilaterally. The call record program is still active.

What's in your wallet? Could it be the Department of Homeland Security? (ABA's Business Law Today, Nov 2013; by Stephen Middlebrook) - A hot topic in the financial services industry press is news that the Department of Homeland Security (DHS) has plans to stop certain people at the border and scan the payment cards in their wallets, check the cardholder's balances and, in certain cases, seize the funds on the card. The initiative is related to regulatory changes proposed by the Financial Crimes Enforcement Network (FinCEN), the part of Treasury that oversees anti-money laundering regulations. 76 F.R. 64049 (October 17, 2011). FinCEN requires people crossing the border to declare if they are carrying more than $10,000 in "monetary instruments." Monetary instrument is currently defined to include cash, traveler's checks, certain negotiable instruments, and securities. Because law enforcement has concerns that prepaid cards are being used by criminals to launder money and move it out of the country, FinCEN has proposed adding prepaid cards, but not debit or credit cards, to the list of monetary instruments that must be declared at the border. Assessing the value of paper currency and negotiable instruments is relatively easy because the value appears on the face of the document. This is not true, however, for prepaid and other payment cards. To determine how much money is associated with a card, you must contact the financial institution that issued the card and query the current available balance. Consequently, verifying the value of a prepaid card at the border cannot be done independently by the border agent but requires the government to obtain information from the issuing financial institution. Homeland Security has acknowledged their new program in several documents as well as in meetings with the card networks, but we still don't know much about how it will be implemented. 
DHS stated in a comment letter it filed regarding the FinCEN proposal that it plans to deploy hand held devices at the border to scan debit, credit, and prepaid cards and report back information about the cardholder's account. In addition to cards, Homeland Security has suggested the FinCEN requirements should also apply to "cell phones, key fobs, or other tangible objects" that might possibly be tied to a prepaid account.

NOTED PODCASTS

Birth of the Global Mind (Long Now, by Tim O'Reilly; 97 minutes; 5 Sept 2012) - "The history of civilization is a story of evolution in our ability to build complex 'multicellular minds,'" says Tim O'Reilly, founder and CEO of O'Reilly Media (books, conferences, foo camps, Maker Faires, Make magazine.) Speech allowed us to communicate and coordinate. Writing allowed that coordination to span time and space. Twentieth century mass communications allowed shared information and culture to blanket the world. In the 21st century, memes spread mind to mind in nearly real time. But that's not all. In one breakthrough computer application after another, we see a new kind of man-machine symbiosis. The Google autonomous vehicle turns out not to be just a triumph of artificial intelligence algorithms. The car is guided by the cloud memory of roads driven before by human Google Streetview drivers augmented by powerful and precise new sensors. In the same way, crowd-sourced data from sensor-enabled humans is leading to smarter cities, breakthroughs in healthcare, and new economies. [Polley: very, very interesting.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Government Forms Cybersecurity Unit (CNET, 6 June 2003) -- The Department of Homeland Security on Friday said it created a new division to address threats to the nation's technological infrastructure. Called the National Cyber Security Division (NCSD), the 60-person unit is charged with addressing potential security breaches to private-sector and government computer systems. The division was created as part of President George W. Bush's National Strategy to Secure Cyberspace and the Homeland Security Act of 2002, and it will be run under the Department's Information Analysis and Infrastructure Protection Directorate. "Most businesses in this country are unable to segregate the cyberoperations from the physical aspects of their business because they operate interdependently," Department of Homeland Security Secretary Tom Ridge said in a statement. "This new division will be focused on the vitally important task of protecting the nation's cyberassets so that we may best protect the nation's critical infrastructure assets," he added. NCSD's chief will be Robert Liscouski, the assistant secretary of Homeland Security for Infrastructure Protection. The division will be organized into three units to: identify risks and reduce vulnerabilities to government and private-sector computer systems; operate a Cyber Security Tracking, Analysis & Response Center to detect attacks to the Internet and alert the public; and develop education programs on security measures. According to the NCSD, the division will build on existing capabilities from the former Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, and the National Communications System. Computer industry group Business Software Alliance (BSA) immediately applauded the move. 
"Study after study indicates we remain ill-prepared to defend against threats to our critical information networks--meaning a major virus or cyberattack could wreak havoc on our communications, transportation, utility, financial or other vital information infrastructure," said Robert Holleyman, CEO of BSA.

Time Warner cable dials in phone service (CNET, 21 May 2003) -- Time Warner Cable's "Digital Phone" will cost $40 a month and be available only in the Portland, Maine, area. Time Warner's trial offering is similar to experiments with telephone services from rival cable providers Comcast Cable Communications and Cablevision Systems. Calling plans are the latest weapon cable providers are using as they battle for dominance of U.S. broadband services market. Nearly 60 percent of all U.S. homes get broadband from their cable television provider. The rest of the homes wired for broadband in the United States use digital subscriber line (DSL) connections from telephone companies. Cable and telephone companies use bundles of steeply discounted services to attract and keep customers. Cable companies sell television and broadband access at discounted rates, but only when bought as part of a package of services. Telephone companies offer similar deals on telephone and broadband connections. Until recently, telephone companies didn't worry about cable adding voice services into their bundles. But the growing sophistication of voice over IP, which turns voice calls into digital packets for dispatch over the Internet, allows cable companies to sell cable TV, telephone service and broadband connections on one bill. That's one more service--specifically cable television-- than telephone companies can offer. In their current form, these new cable company phone services pose little threat, more like a novelty act in places like Coatsville, Pa., where Comcast is trialing its telephone service. But if they were to be expanded substantially, "then the best way to describe this would be 'wow,'" said In-Stat/MDR senior analyst Daryl Schooler. "What does any of the major phone companies have on their bundle? Local and long distance and data," Schooler said. "This move by the cable guys gives them local, long distance voice, video and data all over one pipe."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuireWoods' Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.