Saturday, April 27, 2013

MIRLN --- 7-27 April 2013 (v16.06)

MIRLN --- 7-27 April 2013 (v16.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Payment Card Industry Security Standards Council Publishes Cloud Computing Guidelines for Cardholder Data (Reed Smith, 21 March 2013) - In a bid to help organisations better understand their compliance obligations under the Payment Card Industry Data Security Standard (PCI DSS) when using cloud technology to collect, store or transmit credit card data, the Payment Card Industry Security Standards Council (PCI SSC) has published the PCI DSS Cloud Computing Guidelines Information Supplement. Formed through a collaboration of more than 100 global organisations representing banks, merchants, security assessors and technology vendors, the guidelines state that the PCI DSS will still apply "if payment card data is stored, processed or transmitted in a cloud environment". According to the PCI SSC, unless the cloud deployment model is truly private (on-site), security is a shared responsibility between the Cloud Service Provider (CSP) and its clients, with the division of responsibility between the two depending on the type of cloud service model used.

Cybersecurity Disclosure: The Risks Of Silence (Dechert LLP, March 2013) - With the rise in targeted, sophisticated, malicious attacks on corporate America's electronic infrastructure, companies are increasingly focused on their cybersecurity disclosure obligations. There is a growing concern that many companies - fearing reputational harm - are sitting silent, but recent disclosures from a number of companies indicate a shifting approach to cybersecurity disclosure. In addition, pronouncements from the Obama Administration and top regulators reinforce the importance of understanding cybersecurity disclosure obligations. Cybersecurity is critically important to regulators and failure to disclose cybersecurity risks or actual breaches will likely draw significant attention. This OnPoint outlines some of the reasons for companies' increased focus on managing their cybersecurity risks. * * *

- and -

U.S. Business SEC Filings Suggest Cyber Threats may be Overstated (Network World, 9 April 2013) - Of the 27 largest U.S. companies (by revenue) that reported cyber attacks to the SEC, all of them stated they suffered no major financial losses from the intrusions, according to Bloomberg. Almost half the companies (12), including Amazon, AT&T and Verizon, reported the cyber attacks on their systems "had no material impact" on the companies. Another, Citigroup, reported it suffered "limited losses and expenditures" from Internet bandit activity. Note: corporations have been known to keep their cards close to their vest when it comes to reporting about intrusions into their computer systems. The reports by these companies suggest that much of the controversy being generated in the public debate over American intellectual property being ransacked by foreign powers and cyber criminals may be more steam than flame. "I find it remarkable that only 27 companies disclosed they were targeted," Chris Petersen, founder and CTO of LogRhythm, a network security solutions provider in Boulder, Colo., told PCWorld. "Every piece of evidence that's out there right now points to the fact that 100 out of 100 are certainly being targeted," he maintained. However, he pointed out that what's "material" to these companies could have a high threshold. "A million, two million, three million dollars is in the realm of immaterial for these organizations," he said.

- and -

Rockefeller Asks SEC to Step Up Cybersecurity Disclosures (The Hill, 10 April 2013) - Sen. Jay Rockefeller (D-W.Va.) is urging the Securities and Exchange Commission (SEC) to require companies to reveal more information about their ability to defend against attacks on their computer systems. In a letter sent on Tuesday to recently confirmed SEC Chairwoman Mary Jo White, Rockefeller said the agency should issue commission-level guidance to companies on their obligation to disclose cybersecurity information. In response to a request from Rockefeller in 2011, the SEC issued staff-level guidance on cybersecurity disclosures. But Rockefeller, the chairman of the Senate Commerce Committee, argued that the SEC should elevate the guidance to the commission-level.

Federal Energy Regulatory Commission (FERC) Imposes a $975,000 Civil Penalty against Entergy for 27 Violations of Reliability Standard (Nat'l Law Review, 6 April 2013) - On March 28, 2013, the Federal Energy Regulatory Commission (FERC) issued an order approving a stipulation and consent agreement between FERC's Office of Enforcement (OE) and Entergy Services, Inc. (Entergy) to settle violations of various North American Electric Reliability Corporation (NERC) Reliability Standards. Although the basic terms of this settlement are largely unremarkable, there are unique aspects of this case to note. In a single paragraph, FERC stated: "The civil penalty amount is consistent with the Penalty Guidelines. Enforcement considered that, given the size and complexity of Entergy's system, its violations posed a high risk that it would be unable to prevent, contain, or control a disturbance that could lead to substantial harm." There are two other items of note about the Entergy settlement. The first is that the settlement explicitly calls out a cybersecurity violation. FERC staff found that Entergy violated Reliability Standard CIP-007-1 R1 because Entergy failed to test a firmware upgrade for a network switch prior to applying it in the production environment and because Entergy could not assess whether significant configuration changes to critical cyber assets would compromise its cybersecurity controls or those assets. Stating this finding in the public settlement departs from FERC's and NERC's typical practice of masking the identity of entities who have committed cybersecurity violations. [Polley: Spotted by MIRLN reader Roland Trope.]

Volunteer Opportunities for IP Professionals (Patently-O, 8 April 2013) - One common way in which lawyers give back to their community is via pro bono work. In the pro bono world, a transactional lawyer typically has a general skillset allowing him or her to cover a variety of general corporate areas for a pro bono client even if the specific question at hand does not fall directly in the lawyer's field of practice. Similarly, litigators, who have experience in the courtroom, are equipped to handle a variety of cases brought by pro bono clients, such as small-claims court matters, housing, harassment, or immigration issues. However, patent prosecutors and in-house counsel who might specialize in interacting with the United States Patent and Trademark Office (USPTO) may not feel equipped to meet the more common litigation or transactional needs of typical pro bono clients. Thus, it may not seem obvious to these attorneys how they can use their skill set to give back to the community. This article identifies a few ways in which intellectual property professionals can use their abilities to enhance their community. One way in which intellectual property (IP) lawyers can fulfill their pro bono hours is by getting involved with local charities and helping them with their IP needs - for example, assisting them with the filing of a trademark for their organization. As patent prosecutors have familiarity with the USPTO, this would be an ideal way to help the community. Alternatively, IP lawyers can volunteer for organizations like Lawyers for the Creative Arts or Springboard for the Arts, which provide pro bono legal assistance to clients working in the areas of art, culture, media, and entertainment, including the visual, literary, and performing arts. Example projects include working with artists on copyright, trademark, or general contract issues.
For those IP lawyers interested in writing patents for under-resourced inventors and small businesses pro bono, the USPTO launched a pilot program in Minnesota last year to provide legal services to help such individuals and businesses obtain solid patent protection. Based on the success of the Minnesota program, the USPTO has instituted five new regional pro bono programs in Denver, California, Texas, Washington D.C. and New York City.

CRS - Drones in Domestic Surveillance Operations (BeSpacific, 8 April 2013) - Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses (Richard M. Thompson II, Legislative Attorney, April 3, 2013): "The prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an onboard human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm's way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations to protect the homeland, assist in crime fighting, disaster relief, immigration control, and environmental monitoring. Although relatively few drones are currently flown over U.S. soil, the Federal Aviation Administration (FAA) predicts that 30,000 drones will fill the nation's skies in less than 20 years." CRS report here.

Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight (Wired, 9 April 2013) - A legal fight over the government's use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect. Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government's surveillance tool so that he could be located. Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location. Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don't have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI. The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location. In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. 
The stingray then "broadcast a very strong signal" to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom in on Rigmaiden's location. To make sure the air card connected to the FBI's simulator, Rigmaiden says that Verizon altered his air card's Preferred Roaming List so that it would accept the FBI's stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI's fake site was at the top of the list. During a hearing in a U.S. District Court in Arizona on March 28 to discuss the motion, the government did not dispute Rigmaiden's assertions about Verizon's activities.

Want to Read the Law? It'll Cost You (New Republic, 10 April 2013) - Say you live in Rhode Island and want to upgrade the ancient plumbing in your kitchen. You figure you should be able to save some cash and do it yourself, but want to make sure you're on the up-and-up with all applicable codes and regulations. So you head over to the state's website to read the plumbing code. Problem is, the 15-page "code" is actually just a series of modifications to a 156-page volume of standards published by the International Code Council - the 2009 edition of which, according to the introduction to the state regs, "is protected by the copyright that has been issued to the ICC. As a result, the State Building Code is not available in complete form to the public in an electronic format." Your choice: $89 for a printed copy, or $74 for an e-copy. But why should you have to pay to read laws that you must obey? You shouldn't, of course. Neither state nor federal law is copyrightable. Nevertheless, standards development organizations - from the American Society of Sanitary Engineers to the National Wood Window and Door Association - insist otherwise, having poured resources into developing long, technical regulations because the government didn't have the expertise to do so. Now, state and federal laws simply reference these industry codes, and allow non-profits to charge for hefty books. For decades, reading these books for free has required trekking to your state capitol, or if you're lucky, a local library. But the Internet has created an expectation that everything be made available online, searchable, linkable, printable, and free - especially something that seems as rightfully in the public domain as the law of the land. Carl Malamud believes this more strongly than most.
The open-government activist, who pushed the Securities and Exchange Commission to post corporate documents online and C-SPAN to make its video archive more widely available, has been either scanning or painstakingly re-typing and posting standards on his website Public.Resource.org for anyone to download. He started back in 2008 with California's codes, and had posted 10,062 standards as of the end of last year. When the standards developers ask him to stop - as six have done so far - he politely refers them to the 2002 decision in Veeck v. Southern Building Code Congress International, in which the Fifth Circuit, sitting en banc, ruled that "as law, the model codes enter the public domain and are not subject to the copyright holder's exclusive prerogatives." Malamud typically doesn't hear back after sending his response. But the Sheet Metal and Air Conditioning Contractors Association, which publishes standards relating to ducts and ventilation, wasn't satisfied. In February, they followed up with a letter protesting that the 9th Circuit had ruled differently back in 1997, and that the decision still holds. Malamud, with the help of the Electronic Frontier Foundation, fought back with a complaint against SMACNA, asking that a judge resolve the legal question once and for all: Does the public have the right to the law, or doesn't it?

IRS Tracks Your Digital Footprint (MSN, 10 April 2013) - The Internal Revenue Service is collecting a lot more than taxes this year -- it's also acquiring a huge volume of personal information on taxpayers' digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e-payment transaction records, as it expands its search for tax cheats to places it's never gone before. The IRS, under heavy pressure to help Washington out of its budget quagmire by chasing down an estimated $300 billion in revenue lost to evasions and errors each year, will start using "robo-audits" of tax forms and third-party data the IRS hopes will help close this so-called "tax gap." But the agency reveals little about how it will employ its vast, new network scanning powers. Tax lawyers and watchdogs are concerned about the sweeping changes being implemented with little public discussion or clear guidelines, and Congressional staff sources say the IRS use of "big data" will be a key issue when the next IRS chief comes to the Senate for approval. Consumers are already familiar with Internet "cookies" that track their movements and send them targeted ads that follow them to different websites. The IRS has brought in private industry experts to employ similar digital tracking -- but with the added advantage of access to Social Security numbers, health records, credit card transactions and many other privileged forms of information that marketers don't see. The agency declined to comment on how it will use its new technology. But agency officials have been outlining plans at industry conferences, working with IBM, EMC and other private-sector specialists. In presentations, officials have said they may use the big data for:

  • Charting and analyzing social media such as Facebook.
  • Targeting audits by matching tax filings to social media or electronic payments.
  • Tracking individual Internet addresses and emailing patterns.
  • Relationship analysis based on Social Security numbers and other personal identifiers.
U.S. Tax Court records show that information gathered from Facebook and eBay postings has been used by the IRS in defending tax challenges. Through a Freedom of Information Act request, privacy advocates at the Electronic Frontier Foundation obtained and published the IRS's 38-page manual used to train auditors to search Internet addresses, Facebook postings and other social media to back audit enforcements.

Hay Maker Seeks Cyberheist Bale Out (Krebs on Security, 13 April 2013) - An Oregon agricultural products company is suing its bank to recover nearly a quarter-million dollars stolen in a 2010 cyberheist. The lawsuit is the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime. On Sept. 1, 2010, unidentified computer crooks began making unauthorized wire transfers out of the bank accounts belonging to Oregon Hay Products Inc., a hay compressing facility in Boardman, Oregon. In all, the thieves stole $223,500 in three wire transfers of just under $75,000 each over a three-day period. According to a complaint filed in Umatilla County Circuit Court, the transfers were sent from Oregon Hay's checking account at Joseph, Ore.-based Community Bank to JSC Astra Bank in Ukraine. Oregon Hay's lawyers say the company had set a $75,000 daily limit on outgoing wires, so the thieves initiated transfers of $74,800, $74,500 and $74,200 on three consecutive days. Oregon, like most states, has adopted the Uniform Commercial Code, which means that a payment order received by the bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer. In its complaint, Oregon Hay targets Article 4A of the UCC, alleging that Community Bank's online account security procedures were not commercially reasonable given the sophistication of today's threats, and that the bank did not accept the fraudulent payment orders in good faith. The plaintiffs claim that the bank's security systems did not rise to the level of recommendations issued by banking regulators at the U.S. Federal Financial Institutions Examination Council (FFIEC), which urged the use of multi-factor authentication to verify the identity of users attempting to log in to a financial institution's online banking software. Multi-factor authentication requires the presentation of two or more of the three authentication factors: something the user knows, such as a password or PIN; something the user has, such as a smart card or one-time token; and something the user is, such as a fingerprint or iris scan. According to the lawsuit, at the time of the theft Community Bank relied on a Jack Henry product called "Multifactor Premium with Watermark," which relied on a combination of "device IDs" - a software "cookie" that identifies the user's computer - and "challenge/response" questions, which attempt to verify a user's identity by asking him for answers to questions about his personal or financial history.

How Other Companies Manage Social Media (Entrepreneur, 13 April 2013) - Whether your company is just starting to dabble in social media or has a strong strategy it has been implementing for a while, you may want to know how other companies are navigating the social Web. If you've ever wondered how many people companies hire to manage social media, how they measure success or whether you're the only ones getting help from interns, we have the answers you've been looking for. We asked 2,714 communicators how their companies use social media in our Ragan/NASDAQ OMX Corporate Solutions survey, and Go-Gulf.com highlighted some of the findings in an infographic.

King & Spalding Blocks Employee Access to Personal Email Accounts, But Offers an Alternative (ABA Journal, 16 April 2013) - Citing security concerns, a major law firm has blocked its workers from accessing their personal email on its computers. In a memo to employees on Monday, King & Spalding said it had been advised by consultants that accessing personal email accounts such as Gmail, Yahoo and Hotmail from the law firm's computers "creates a significant security risk." Hence, as of May 1, workers will be blocked from doing so - and should not do so, even if for some reason they are not blocked. The ban includes accessing personal email from firm laptops even when they are not connected to the firm's network, the memo notes. However, access to personal email is not lost for those with personal laptops and electronic devices at the office, the memo points out. A separate wireless network has been installed in each office that employees can use for this purpose. Some clients do require law firm personnel to use accounts such as Gmail, the memo notes, and it says employees should contact the firm for help determining how best to handle such situations.

Order and Liberty: The DPLA Launches (InsideHigherEd, 18 April 2013) - I wasn't entirely sure what the Digital Public Library of America (DPLA) would look like when the long-awaited launch date of April 18 approached. The suspense is finally over: it looks great. The DPLA is an effort to unify access to cultural assets of the nation and make them free to all. We are not the first country to try this; in fact we're a bit behind, perhaps because we have a tradition of local library planning and support and because we don't have a true national library. (The Library of Congress is what its name says: it's Congress's library. We get to use it, and it does lots of work with copyright and cataloging that benefit libraries everywhere, but it is not a national library.) This project has been fascinating to watch as it has evolved out of democratic principles and the potential of digital sharing and collaboration. It raises all kinds of questions: what is a library? Do academic and public libraries, museums, and archives serve a common purpose? Who is it for? What does it mean for culture to be "free"? How can a digital library enable access to culture when so much of it is under copyright and not shareable except as the rights-holder allows? The DPLA's not going to be a digital version of your local public library's collections and services - at least, not yet. It is trying to do three things right now: pull together digital assets from major national and regional digital collections into a well-organized, unified, easily searchable portal; provide digital tools and metadata that others can use to build new applications; and provide national leadership in the effort to encourage open and collective access to our shared cultural record. In other words, it will help us discover cultural assets scattered across websites and in museums, libraries, and archives. It will help us make new things with the pooled metadata. It will promote conversations we need to be having.

Fair Use In Comparative Law (MLPB, 18 April 2013) - Martin Senftleben, VU University of Amsterdam Faculty of Law, has published Comparative Approaches to Fair Use: An Important Impulse for Reforms in EU Copyright Law, in G.B. Dinwoodie (ed.), Methods and Perspectives in Intellectual Property (Cheltenham, UK/Northampton, MA: Edward Elgar, 2014, forthcoming). Here is the abstract. Fair use provisions in the field of copyright limitations, such as the U.S. fair use doctrine, offer several starting points for a comparative analysis of laws. Fair use may be compared with fair dealing. With the evolution of fair use systems outside the U.S., fair use can also be compared across different countries. The analysis may also concern fair use concepts in different domains of intellectual property. Instead of making any of these direct comparisons, the present analysis deals with another aspect of comparative analyses: the study of foreign fair use provisions as a basis for the improvement of domestic legislation. More specifically, the analysis will show that important impulses for necessary reforms in the EU system of copyright exceptions can be derived from a comparison with the flexible approach taken in the U.S.

For this purpose, the legal traditions underlying the legislation on copyright limitations in the EU (civil law) and the U.S. (common law) will be outlined (section 1) before explaining the need for reforms in the current EU system (section 2). On this basis, strategies for translating lessons to be learned from the U.S. fair use approach (section 3) into the EU system will be discussed. This translation is unlikely to fail because of an inability or reluctance of civil law judges to apply open-ended norms (section 4). Under existing EU norms, however, a degree of flexibility comparable to the flexibility offered in the U.S. cannot be achieved (section 5). To establish a sufficiently flexible system, EU legislation would have to be amended (section 6 and concluding section 7).

Mich. Court Backs Anonymity for Former Student Who Trashed Law School Online (Inside Higher Ed, 22 April 2013) - A former student who created a website that harshly criticized Thomas M. Cooley Law School is protected by the First Amendment and should not have his identity revealed, a Michigan state appeals court ruled this month. Cooley, a freestanding law school in Michigan, had sued the former student in state court, saying that the site the ex-student created, Thomas M. Cooley Law School Scam, defamed the institution. Cooley officials obtained a California subpoena compelling the company that hosted the website to reveal his identity, and a lower state court refused to block the subpoena. But the appeals court ruled that Michigan law protects such speech, and sent the case back to the lower court for further review.

Verizon's 2013 Data Breach Investigations Report (April 2013) - Perhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage. But rather than a synchronized chorus making its debut on New Year's Eve, we witnessed separate, ongoing movements that seemed to come together in full crescendo throughout the year. And from pubs to public agencies, mom-and-pops to multi-nationals, nobody was immune. As a result - perhaps agitated by ancient Mayan doomsday predictions - a growing segment of the security community adopted an "assume you're breached" mentality. The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world. The list of partners is not only lengthy, but also quite diverse, crossing international and public/private lines. It's an interesting mix of law enforcement agencies, incident reporting/handling entities, a research institution, and other incident response (IR)/forensic service firms. What's more, these organizations contributed a huge amount of data to the report. All told, we have the privilege of setting before you our analysis of more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Over the entire nine-year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records. [Polley: pretty interesting report, suggesting some trends.]

Google Scholar Legal Content Star Paginator (FutureLawyer, 23 April 2013) - Chrome Web Store - Google Scholar Legal Content Star Paginator. This free little tool is handy for legal researchers who are used to seeing page numbers inline in Westlaw or Lexis. If you use the free Google Scholar service for basic legal research (why are you paying for legal research?), this will put star pagination into your Scholar results. The first place I go for case finding is Scholar; and, often I need not go anywhere else. I particularly like the "Cited by" command, which works like a poor man's Shepard's Citations. It lists all cases citing your case, and gives a one line reference to the citing case.

You Shouldn't Need a Copyright Lawyer to Pick a Dentist (Eric Goldman, 23 April 2013) - In October 2010, Robert Lee needed a dentist, pronto. He didn't realize he needed a copyright lawyer to help him pick a dentist. In search of urgent pain relief, Lee contacted Dr. Stacy Makhnevich (a preferred provider under Lee's insurance plan). Dr. Makhnevich's office required Lee to sign a "Mutual Agreement to Maintain Privacy" before it would treat him. This agreement--based on a form contract sold by a North Carolina company called Medical Justice--prohibits patients from posting online reviews of the dentist; and if the patient does write a review, the agreement says the dentist owns the review's copyright. In exchange, the dentist promises not to ask the patient if it can sell the patient's name to marketers--a worthless promise, as HIPAA already requires the dentist to obtain patients' permission before selling their information to marketers. (Elsewhere, I've explained why I think asking patients to restrict their future reviews is unethical, probably illegal, and a bad business decision). Lee just wanted dental services, and not surprisingly he wasn't in much of a mood to negotiate the ownership of copyrights in works that Lee hadn't even written yet. So like hundreds of thousands of other Americans, Lee signed a Mutual Agreement to Maintain Privacy so he could get the dental services he urgently needed. Later, Lee became unsatisfied with his interactions with the dentist and posted critical online reviews to Yelp, DoctorBase and other websites. Apparently unhappy with the reviews, the dentist invoked the Mutual Agreement to Maintain Privacy and claimed copyright ownership over those reviews. The dentist sent Lee draft versions of lawsuits claiming $100,000 in copyright infringement damages. The dentist sent Lee invoices claiming copyright damages of $100 per day for his infringement.
The dentist also sent takedown notices to Yelp and other websites, threatening to sue them for copyright infringement if they didn't remove Lee's posting. (To its credit, Yelp stood behind its user and declined to remove the review, accepting the risk of being sued for Lee's purported copyright infringement). Lee didn't fold under this pressure; instead, he sued the dentist to void the contract. In a recent ruling, the court rejected the dentist's attempt to dismiss Lee's lawsuit. The court didn't conclude that Lee will win (that question hasn't been raised yet), but the opinion isn't good for the dentist. This ruling is particularly noteworthy because we almost never see legal battles involving the Mutual Agreement to Maintain Privacy. When confronted with a doctor or dentist's threats involving the agreement, most patients quickly back down and remove their online reviews. In the rare situations where the patient doesn't back down, some doctors and dentists acquiesce rather than test the contract's strength in court. This case got to court only because the dentist sought so aggressively to assert the contract rights and Lee decided to fight rather than fold. Though we'll have to see how this case turns out, the dentist probably made the wrong choice. Meanwhile, after a public interest organization (Center for Democracy & Technology) filed a complaint about Medical Justice's practices with the Federal Trade Commission, Medical Justice unilaterally declared that it had "retired" the contract and advised its customers to stop using its form. Indeed, Medical Justice has done a complete reversal on its customers. Having persuaded its customers that patient reviews should be suppressed, Medical Justice (under a new brand, eMerit) is now selling doctors and dentists a service to help them increase the number of online reviews from patients. 
Medical Justice's customers would have been much better served encouraging patient reviews from the beginning; many of those customers are now woefully behind their competition in generating a credible quantity of patient reviews. Despite Medical Justice's credibility-defying flip, Medical Justice was so effective at persuading doctors/dentists to fear patient reviews that some doctors and dentists are still using the form agreement. Should your doctor or dentist present with such a form, you don't need to call your copyright lawyer. Instead, refuse to sign the form , tell your doctor or dentist that the form agreement is unethical and probably illegal, and send them a copy of the recent ruling. Or, tell the doctor/dentist that you're going to take your business to a healthcare provider with more enlightened views about patient reviews. [Polley: Particularly good post - Eric summarizes several related issues; he's pretty passionate about this stuff.]

top

Fifth Amendment Shields Child Porn Suspect From Decrypting Hard Drives (Ars Technica, 24 April 2013) - A federal judge refused to compel a Wisconsin suspect to decrypt the contents of several hard drives because doing so would violate the man's Fifth Amendment right against self-incrimination. Judge William E. Callahan's Friday ruling ultimately labeled the issue a "close call." Courts have wrestled with how to apply the Fifth Amendment to encrypted hard drives for several years. According to past rulings, forcing a defendant to decrypt a hard drive isn't necessarily self-incriminating, but forcing a defendant to decrypt a hard drive can amount to self-incrimination if the government can't otherwise show that the defendant has the password for the drive. In that case, forced decryption amounts to a forced confession that the defendant owns the drive. For example, in one case a border patrol agent viewed incriminating files on a suspect's laptop during a border crossing. But the official then closed the laptop, causing the portion of the hard drive containing the files to be encrypted automatically and depriving investigators of access. The court ruled that because the government already knew the files existed and the suspect had access to them, compelling their decryption didn't force the suspect to implicitly admit the laptop was his. The circumstances of the Wisconsin case were different. While police officers did find logs on the suspect's PC suggesting that incriminating files had been saved to an encrypted drive, the suspect had multiple encrypted hard drives in his apartment, and the government had no way of proving which specific hard drives, if any, contained the incriminating files in question. In theory, a guest might have used the man's computer to download the files and store them on a hard drive he didn't own. Or the hard drives containing the files might not be among the ones the police seized.
"Feldman's act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with 'reasonable particularity' - namely, that Feldman has personal access to and control over the encrypted storage devices," Judge Callahan wrote. "Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination."

top

FBI Denied Permission to Spy on Hacker Through His Webcam (Ars Technica, 24 April 2013) - A federal magistrate judge has denied (PDF) a request from the FBI to install sophisticated surveillance software to track someone suspected of attempting to conduct a "sizeable wire transfer from [John Doe's] local bank [in Texas] to a foreign bank account." Back in March 2013, the FBI asked the judge to grant a month-long "Rule 41 search and seizure warrant" of a suspect's computer "at premises unknown" as a way to find out more about these possible violations of "federal bank fraud, identity theft and computer security laws." In an unusually-public order published this week, Judge Stephen Smith slapped down the FBI on the grounds that the warrant request was overbroad and too invasive. In it, he gives a unique insight as to the government's capabilities for sophisticated digital surveillance on potential targets. According to the judge's description of the spyware, it sounds very similar to the RAT software that many miscreants use to spy on other Internet users without their knowledge. According to the 13-page order, the FBI wanted to "surreptitiously install data extraction software on the Target Computer. Once installed, the software has the capacity to search the computer's hard drive, random access memory, and other storage media; to activate the computer's built-in camera; to generate latitude and longitude coordinates for the computer's location; and to transmit the extracted data to FBI agents within the district." According to the judge's order (PDF), the FBI has no idea where the suspect actually is, but noted that the "IP address of the computer accessing Doe's account resolves to a foreign country." [Polley: Read the Magistrate's order - fascinating.]

top

Once Under Wraps, Supreme Court Audio Trove Now Online (NPR, 24 April 2013) - On Wednesday, the U.S. Supreme Court heard oral arguments in the final cases of the term, which began last October and is expected to end in late June after high-profile rulings on gay marriage, affirmative action and the Voting Rights Act. Audio from Wednesday's arguments will be available at week's end at the court's website, but that's a relatively new development at an institution that has historically been somewhat shuttered from public view. The court has been releasing audio during the same week as arguments only since 2010. Before that, audio from one term generally wasn't available until the beginning of the next term. But the court has been recording its arguments for nearly 60 years, at first only for the use of the justices and their law clerks, and eventually also for researchers at the National Archives, who could hear - but couldn't duplicate - the tapes. As a result, until the 1990s, few in the public had ever heard recordings of the justices at work. But as of just a few weeks ago, all of the archived historical audio - which dates back to 1955 - has been digitized, and almost all of those cases can now be heard and explored at an online archive called the Oyez Project. The archived cases range from the legally technical to historic, including landmark rulings like Loving v. Virginia, the 1967 decision that a state's ban on interracial marriages was unconstitutional; Roe v. Wade, the 1973 decision declaring a woman's constitutional right to an abortion; and Bush v. Gore, the case that ended vote-counting in Florida and effectively handed the 2000 presidential election to George W. Bush.

top

Sanctions Against Iran Will Hit Samsung Phone Users (Ars Technica, 25 April 2013) - Samsung has informed its mobile phone users in Iran that it will no longer be providing access to the company's app store as of May 22, 2013. The move comes as a result of the ever-increasing sanctions that Western countries are imposing as a punishment for Iran's alleged nuclear weapons program; Tehran has continuously denied the existence of such a program. Samsung is one of the few manufacturers to provide phones to Iranians in the Persian language. Nokia Siemens pulled out of the country last year.

top

Businesses Take a Cautious Approach to Disclosures Using Social Media (NYT, 26 April 2013) - Zynga's latest quarterly earnings report, released on Wednesday, came in the typical format and was accompanied with the usual financial tables investors expect. But the social gaming company that counts FarmVille among its games included a new addition: a 204-word paragraph encouraging investors to check its corporate blog and Facebook and Twitter pages for regular news updates. It was just one of dozens of companies taking advantage of newly clarified rules from the Securities and Exchange Commission that have now blessed the use of social media sites to disclose financial information. Although social networks have proliferated for years and the public more readily turns to Twitter than the S.E.C.'s Edgar Web portal for updates, the agency just a few months ago was still evaluating whether using newer outlets would violate its rules. Even with the updated guidelines, uncertainty over what exactly the commission will allow has meant that many companies, and their legal teams, are playing it safe this earnings season. For instance, when General Electric released its earnings last Friday, the company mentioned its Twitter and Facebook accounts for the first time, noting that they "contain a significant amount of information about G.E., including financial and other information for investors." A quick check showed that G.E. has at least 10 different Facebook pages and 10 different Twitter feeds. A company spokesman, Seth Martin, however, said the conglomerate would continue to rely on news releases to communicate material information. "While we currently have no plans to disseminate material information using social media, we will comply with S.E.C. guidance as it evolves," Mr. Martin said. In practice, corporations are experimenting with a wide variety of policies.
In its earnings release last week, AutoNation listed five different places where investors could find information about the company, including the Facebook and Twitter feeds of its chief executive, Mike Jackson. Netflix itself listed in a securities filing five different places where investors should check regularly for more information. Among them: its corporate blog and Twitter feed, as well as the chief executive's personal Facebook page. Glen Ponczak, a vice president for investor relations at the manufacturer Johnson Controls, said that the company had started posting information on Twitter several weeks before the S.E.C. outlined its new policy on social media, but that it was very much in experimental mode. On Twitter, the company posted a link to its earnings call, but did not post any updates from the earnings call.

top

NOTED PODCASTS

"No Time Is There -- The Digital Universe and Why Things Appear To Be Speeding Up" (George Dyson at the Long Now Foundation; 19 March 2013; 91 minutes) - When the digital universe began, in 1951 in New Jersey, it was just 5 kilobytes in size. "That's just half a second of MP3 audio now," said Dyson. The place was the Institute for Advanced Study, Princeton. The builder was engineer Julian Bigelow. The instigator was mathematician John von Neumann. The purpose was to design hydrogen bombs. Bigelow had helped develop signal processing and feedback (cybernetics) with Norbert Wiener. Von Neumann was applying ideas from Alan Turing and Kurt Gödel, along with his own. They were inventing and/or gates, addresses, shift registers, rapid-access memory, stored programs, a serial architecture - all the basics of the modern computer world, all without thought of patents. While recuperating from brain surgery, Stanislaw Ulam invented the Monte Carlo method of analysis as a shortcut to understanding solitaire. Shortly Von Neumann's wife Klári was employing it to model the behavior of neutrons in a fission explosion. By 1953, Nils Barricelli was modeling life itself in the machine - virtual digital beings competed and evolved freely in their 5-kilobyte world * * * [Polley: majestic, sweeping exposition on the evolution of computation, and the people behind the events. Wonderful. Note: NOT aimed at a lawyer-audience.]

top

RESOURCES

Codes of Conduct for Multinational Corporations: An Overview (Congressional Research Service, 16 April 2013) - "The U.S. economy has grown increasingly interconnected with other economies around the world, a phenomenon often referred to as globalization. As U.S. businesses expand globally, however, various groups across the social and economic spectrum have expressed their concerns over the economic, social, and political impact of this activity. Over the past 20 years, multinational corporations and nations have adopted voluntary, legally enforceable, and industry specific codes of conduct, often referred to broadly as corporate social responsibility (CSR), to address many of these concerns. Recent events, primarily the 2008-2009 financial crisis and related work by major international organizations, spurred Congress and governments in Europe to increase their regulation of financial firms. Indeed, the growing presence and influence of multinational corporations in the production of goods and services and in international trade through value chains has prodded governments to adopt measures that enhance the benefits of such activities through codes of conduct. Congress will continue playing a pivotal role in addressing the various issues regarding internationally applied corporate codes of conduct."

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Streisand Sues Web Site, Says Privacy Violated (MercuryNews.com, 30 May 2003) -- Barbra Streisand thinks that people, people who fly past her house with cameras, are the nosiest people in the world. Claiming her privacy was violated, the diva actress and singer has filed a $10 million lawsuit against Silicon Valley millionaire and environmentalist Ken Adelman. The suit demands that he remove an aerial photograph of her oceanfront Malibu mansion from his Web site, www.californiacoastline.org. Adelman, a Watsonville resident who owns four electric cars and the largest collection of solar panels on any home in California, made national news six months ago when he and his wife, Gabrielle, photographed the entire California coastline from a small helicopter -- one picture every 500 feet -- and put it on the site. The site now contains 12,200 photos featuring everything from the Golden Gate Bridge to Hearst Castle. It has won praise from the Sierra Club and other environmental groups as a way to document violations of coastal building laws, as well as erosion and other natural changes. But Streisand, in a lawsuit filed in Los Angeles County Superior Court, says the site violates California's "anti-paparazzi" law. The suit notes that Adelman did not ask permission to take a photo of her house, which is identified on the Web site. And because he took it from a helicopter with a Nikon digital camera, his photo shows details -- from her swimming pool to lawn furniture -- that cannot be seen from the road or the beach below. "What Barbra seeks to vindicate is a basic right of privacy," said her attorney, Rex Glensy, of Santa Monica. [Editor in 2013: the origins of the term "The Streisand Effect"]

top

CIA Developing Software to Scour Photos (AP, 3 June 2003) -- The CIA is bankrolling efforts to improve technology designed to scour millions of digital photos or video clips for particular cars or street signs or even, some day, human faces. The innovative software from fledgling PiXlogic LLC of Los Altos, Calif., promises to help analysts make better use of the CIA's enormous electronic archives. Analysts also could be alerted whenever a helicopter or other targeted item appeared in a live video broadcast. PiXlogic plans to announce Wednesday that the CIA's venture-capital organization, In-Q-Tel, has invested an unspecified amount to help the company improve the software. In-Q-Tel - named for "Q," the fictional inventor of fanciful spy gadgetry for James Bond - makes about a dozen such investments annually with roughly $35 million it receives from the CIA's Directorate of Science and Technology. In-Q-Tel was created in February 1999 and has gained favorable reviews from Capitol Hill.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

top

Saturday, April 06, 2013

MIRLN --- 17 March – 6 April 2013 (v16.05)

MIRLN --- 17 March - 6 April 2013 (v16.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | BOOK REVIEW | LOOKING BACK | NOTES

Investors Demand Cyber Security Transparency (Carlton Fields, 5 March 2013) - Almost daily we hear about a new cyber threat or information security breach. Just last week one of the world's largest cloud services providers, Evernote, fell victim to an attack that resulted in a security breach that potentially compromised more than 50 million user accounts. As corporate America becomes better informed about the cyber threats facing U.S. companies, investors will demand more information and transparency about a company's information security policies and practices. A recent survey conducted by Zogby Analytics raises serious concerns for C-suite managers who are simultaneously facing increased scrutiny from regulators, increased demands from investors, and a need to remain mindful of the damage negative press can have on stock prices. According to the Zogby survey, 70 percent of investors are interested in reviewing company cyber security practices and almost 80 percent would likely not consider investing in a company with a negative history of attacks. Notably, the survey also found that 66 percent of investors said corporate responses to attacks are more noteworthy than the attacks themselves. Additionally, the survey revealed investors are twice as concerned if a company had a breach of customer data (57 percent) as opposed to a theft of intellectual property (29 percent). While consumer-related data breaches grab headlines, the findings on intellectual property theft are particularly alarming. They demonstrate a fundamental misunderstanding of the damage that billions of dollars' worth of intellectual property theft can have on a company's bottom line.

top

Are Governments Ready to be Buyers of Cybersecurity Insurance? (Public CIO, 8 March 2013) - South Carolina is learning the hard way that the costs associated with a data breach can spiral upward in a hurry. Last year, hackers infiltrated a Department of Revenue computer system and swiped millions of unencrypted Social Security numbers and other personally identifiable information. The state reportedly has spent more than $20 million so far cleaning up the mess, including $12 million on credit monitoring services for affected citizens, and millions more on breach notification letters, security improvements, data forensics teams and IT consultants. And South Carolina isn't done opening its wallet - state agencies beyond the revenue department likely will request more funding to make IT security improvements of their own. Although South Carolina's woes are an extreme example - one security expert branded the hacking "the mother of all data breaches" - the incident shows how much an organization should expect to pay out to remediate a large-scale data breach. Other government agencies are dealing with the sticker shock. A separate high-profile breach last year of health-care data in Utah, for example, is costing millions; officials there spent hundreds of thousands of dollars alone on a crisis communications team. These figures aren't outliers: A study conducted last year by the Ponemon Institute found that cybercrime cost the average U.S. organization $8.9 million annually. Some public-sector officials and brokers in the insurance industry think the time has come to apply these same principles in the world of government IT. A small portion of local and state governments already have purchased what's known as "cybersecurity insurance," and at least a few officials think it's time to start talking about the idea more seriously. "The probabilities are such, because your networks and services are so complex and integrated now, that you can't cover up every manhole. 
Sooner or later someone is going to get through," said Dick Clark, the former CIO of Montana who retired last year, about the state's rationale for buying cyberinsurance. Montana recently joined the few states believed to carry some form of the insurance. Clark said if Montana suffered a South Carolina-style data breach, his state would have a tough time covering the $10 million or $20 million cost. Montana likely would have to raid its general fund to cover the expense, he said. States and cities, Clark said, need to be aware that a data breach can bring a swath of unplanned costs.

top

Which Encryption Apps Are Strong Enough to Help You Take Down a Government? (Gizmodo, 10 March 2013) - It seems like these days I can't eat breakfast without reading about some new encryption app that will (supposedly) revolutionize our communications - while making tyrannical regimes fall like cheap confetti. This is exciting stuff, and I want to believe. After all, I've spent a lot of my professional life working on crypto, and it's nice to imagine that people are actually going to start using it. At the same time, I worry that too much hype can be a bad thing - and could even get people killed. Given what's at stake, it seems worthwhile to sit down and look carefully at some of these new tools. How solid are they? What makes them different/better than what came before? And most importantly: should you trust them with your life? To take a crack at answering these questions, I'm going to look at four apps that seem to be getting a lot of press in this area. In no particular order, these are Cryptocat, Silent Circle [by Phil Zimmermann], RedPhone and Wickr * * *

top

Court Rules That Prosecutors Can Use E-mail Sent by Personal Attorney to Employee's Work Account (Suits By Suits, 18 March 2013) - Employees use their work e-mails for all kinds of communications, from the business-related to the personal and private. When a dispute arises, however, it's getting more difficult to keep those private e-mails from seeing the light of day. For example, last week's Inbox highlighted one recent decision in which a New York federal court ruled that an executive had "no reasonable expectation of confidentiality or privacy" in his work e-mail. United States v. Finazzo, No. 10-CR-457 (E.D.N.Y. Feb. 19, 2013). Finazzo is different from most of the cases we cover on this blog (with the exception of this post last week) because it is a criminal case. The defendant is Christopher Finazzo, a former executive at Aeropostale, who was indicted on charges of mail fraud and false statements to the SEC. The government based the charges on Finazzo's undisclosed interest in one of Aeropostale's vendors, a company called South Bay. Aeropostale found out about Finazzo's role in South Bay when its investigator uncovered an e-mail that Finazzo's personal attorney sent to his work account, in which the attorney listed assets to be considered for the drafting of Finazzo's will. In the criminal case, Finazzo moved to keep the government from using the e-mail at trial, arguing that it was a privileged attorney-client communication. The court denied his motion, finding that the e-mail was not a confidential or private document. In assessing the privacy of the document, the court weighed a number of factors * * *

top

Who Owns a MOOC? (InsideHigherEd, 19 March 2013) - Faculty union officials in California worry professors who agree to teach free online classes could undermine faculty intellectual property rights and collective bargaining agreements. The union for faculty at the University of California at Santa Cruz said earlier this month it could seek a new round of collective bargaining after several professors agreed to teach classes on Coursera, the Silicon Valley-based provider of popular massive open online classes, or MOOCs. The union said the professors lobbied for a 12-year-old California law to guarantee that faculty -- not universities -- own the intellectual property rights to class lectures and course materials. But before professors can have their courses put on Coursera, they are expected to sign away those rights to the university so the university can give the professors' work to Coursera, the union said in a March 5 letter to a top labor relations official at Santa Cruz. In these waivers, professors "irrevocably grant the university the absolute right and permission to use" their course content, name, image and likeness. The university's own contract with Coursera remains neutral and said only that rights will "remain with the applicable instructor and university." [Polley: implicates the informal "Faculty Exception" to the work-for-hire doctrine (see, e.g., page 30 of this AAUP document).]

top

Justice Dept. Drops Fight Against Tougher Rules to Access E-Mail (Washington Post, 19 March 2013) - The Justice Department has dropped its long-standing objection to proposed changes that would require law enforcement to get a warrant before obtaining e-mail from service providers, regardless of how old an e-mail is or whether it has been read. "There is no principled basis" to treat e-mail less than 180 days old differently than e-mail more than 180 days old, Elana Tyrangiel, acting assistant attorney general in the department's Office of Legal Policy, said Tuesday. Tyrangiel, testifying before a House Judiciary subcommittee, also said that opened e-mail should have no less protection than unopened e-mail. Current law requires law enforcement to obtain a warrant before gaining access to e-mail that is 180 days old or less if it has not been opened. But prosecutors may obtain e-mail older than 180 days, or any e-mail that has been opened, with a mere subpoena. The department's shift means that legislative efforts to amend the 1986 Electronic Communications Privacy Act stand a better chance at succeeding. Lawmakers have drafted legislation that would impose a warrant requirement for all e-mail held by commercial providers. In practice, since a 2010 ruling by the U.S. Court of Appeals for the 6th Circuit requiring a warrant for stored e-mail, most large commercial e-mail providers, such as Google and Yahoo, have adopted that standard.

top

Minnesota Modifies Liberal Open Records Law to Make Car Location Data Private (ArsTechnica, 19 March 2013) - A Minnesota state agency decreed on Monday that a vehicle's location data as captured by license plate readers, which under existing state law had been completely public, should now be kept private. This comes more than four months after a Minneapolis public committee lobbied to change the state's policy. The new temporary measure will expire in 2015. According to the Minneapolis Star-Tribune: "The Department of Administration ruled Monday that the following data generated by license plate readers would be private: plate numbers; times, dates, and locations of vehicle scans; and vehicle photos." As we reported earlier, Minnesota has a rather liberal open records state law known as the Data Practices Act, which makes all government data public by default. That means that anyone (up until now) could request the entire data set - including license plate data - from any law enforcement agency. In December 2012, Minneapolis mayor R.T. Rybak requested to a state committee that the data be immediately re-classified as "non-public." The new proposal resulted from increased scrutiny of the practice in Minneapolis after a local reporter managed to track the mayor's movements in August 2012 by filing a request with the police.

top

In Depth: The District Court's Remarkable Order Striking Down the NSL Statute (EFF, 19 March 2013) - On Friday, EFF received the long-awaiting ruling on its 2011 petition to set aside a National Security Letter (NSL) issued to a telecommunications company. The petition challenged the constitutionality of one of five national security letter statutes, 18 U.S.C. § 2709 . And what a ruling it was. In a detailed and careful 24-page opinion , Judge Susan Illston of the district court for the Northern District of California methodically addressed the government's attempted justifications for this controversial domestic surveillance tool and found that the statute failed to meet the standards of settled First Amendment law. First, a moment to underscore the importance of this ruling. Over the past decade, since the PATRIOT Act expanded its reach from foreign agents and spies to anyone whose information may be "relevant" to a national security investigation, the FBI has issued hundreds of thousands of NSLs seeking potentially intimate information about Americans. Supporters of NSLs have frequently attempted to discount privacy concerns and have characterized criticism as " hyperbole ," but the reality is very different. As Judge Victor Marrero of the Southern District of New York noted in his 2004 Doe v. Ashcroft NSL decision, the NSL statute grants enormous, unchecked power to pry into the private lives of people within the United States * * *. With Friday's opinion, entitled In Re National Security Letter, not only did the court set aside this particular letter, it barred any NSLs to telecommunications providers, finding that the statute was so inherently flawed that it could not stand. The decision will likely be appealed, and the order has been stayed in order to give the government the time to file an appeal, but the federal district court deserves enormous credit for not shying away from EFF's request and instead tackling most of the difficult issues head on. 
With this case, EFF follows in the strong footsteps of our friends at the ACLU. In 2008, on behalf of Nicholas Merrill , the ACLU succeeded in convincing both a district court and the Second Circuit Court of Appeals to acknowledge the serious structural problems with the NSL statute. Unfortunately, despite finding the statute unconstitutional, the Second Circuit in its Doe v. Mukasey opinion approved the continued use of NSLs if the FBI undertook certain voluntary measures aimed at curbing abuse. The district court here found similar constitutional flaws but took those problems to their rightful conclusion. The court flatly rejected the Second Circuit's attempts to rewrite the statute and rely on voluntary FBI actions to fix it, instead striking it down. While the decision rested primarily on failings with the gag provision, the court ruled that that provision was not severable from the rest of the statute and struck the statute in its entirety. As a result, if the decision is upheld, Congress must step in and repair the structural defects to better protect First Amendment rights if it intends to continue to grant similar power to the FBI. The court made five critical findings * * *

top

Supreme Court Sides with Bookseller in Major Copyright Ruling, Says Resale is OK (PaidContent, 19 March 2013) - In a court ruling that has major implications for used-goods merchants across the country, the Supreme Court overturned a lower court decision that forbade a textbook seller from reselling textbooks that he had purchased from overseas. In a 6-3 ruling , the court rejected publisher John Wiley's interpretation of a rule known as the " first sale doctrine ," which prevents copyright owners from exerting rights over a product once it has been purchased legally. This rule is what allows used book and music stores to sell used items without the copyright owner's permission. In recent years, copyright owners facing a wave of imported goods have argued that "first sale" only applies to goods manufactured in the United States. Lower courts have till now sided with the copyright owners, which has produced considerable uncertainty about whether or not retailers could import and sell goods that they had legally bought from abroad. Writing for the majority, Justice Stephen Breyer rejected John Wiley's argument that the phrase "lawfully made under this act" implied a geographic limitation. He also referred to library associations, used-book dealers, technology companies, consumer-goods retailers, and museums - all of which had urged the court to reject the restricted notion of "first sale." The John Wiley ruling comes three years after the Supreme Court failed to resolve the same issue in a dispute between watch maker Omega and the retailer Costco. In that case, Omega had put little pictures on its watches and then argued that Costco infringed on its copyright when it imported them; that case produced a 4-4 tie, which meant the lower ruling against Costco was upheld. The result was different this time with different judges on the bench.
The ruling is likely to be a relief for used booksellers and others who feared that geographical limits on first sale would harm their business. In the case before the Supreme Court, the defendant was a college student who had arranged for his family in Asia to buy textbooks and mail them to him in America where he sold them at a profit. Justices Ginsburg, Kennedy and Scalia dissented from the ruling. To learn more about the first sale doctrine, read our background on the Wiley case here . [Polley: Dennis Crouch's Patently-O has an analysis of the case, suggesting that it also has implications for the patent exhaustion doctrine. EFF's take on the case is here .]

top

Courses, Facebook, and Secret Groups (InsideHigherEd, 21 March 2013) - Our students are leveraging the web and mobile apps to collaborate, share information, and study together.

They are sharing online resources such as videos and learning objects from Khan Academy, digital textbook resources, YouTube, iTunesU, and other open online education resources.

Students are actively sharing information about study strategies and techniques designed to help each other learn the material and do well on quizzes, tests, and papers.

There is a world of social learning going on, and we (meaning us instructors, educational technologists - basically anyone employed on the instructional or administrative sides of the house) know nothing about what is going on.

The reason: Facebook Secret Groups.

To quote from the Facebook privacy option description page:

Secret: Non-members can't find these groups in searches or see anything about the group, including its name and member list. The name of the group will not display on the timelines of members. To join a secret group, you need to be added by a member of the group.

What is so appealing for students about Facebook Secret Groups is that instructors, or anyone else that works for the school, can't access the group. We can't even know that the group exists. An enormous amount of really high-quality learning is going on on our networks and our campuses, but it is completely invisible to all of us. Facebook Secret Groups for classes means that our students are taking control of their learning. Freed from instructor and administrative surveillance and judgment, they are able to learn in ways that fit their needs, not ours. They can be critical of our teaching, dismissive of our learning technologies, and disparaging of assignments - all without fear of retribution by grading.

top

Whole Internet Probed for Insecure Devices (BBC, 21 March 2013) - A surreptitious scan of the entire internet has revealed millions of printers, webcams and set-top boxes protected only by default passwords. An anonymous researcher used more than 420,000 of these insecure devices to test the security and responsiveness of other gadgets, in a nine-month survey. Using custom-written code, they sent out more than four trillion messages. The net's current addressing scheme accommodates about 4.2 billion devices. Only 1.3 billion addresses responded. The number of addresses responding was a surprise, as the pool of addresses for that scheme has run dry. As a result, the net is currently going through a transition to a new scheme that has a vastly larger pool of addresses available. The scan found half a million printers, more than one million webcams and lots of other devices, including set-top boxes and modems, that still used the password installed in the factory, letting almost anyone take over that piece of hardware. Often the password was an easy-to-guess word such as "root" or "admin". "Whenever you think, 'That shouldn't be on the internet, but will probably be found a few times,' it's there a few hundred thousand times," wrote the un-named researcher in a paper documenting their work . HD Moore, who carried out a similar survey in 2012, told the Ars Technica news website the results looked "pretty accurate".

top

Michigan's Internet Privacy Protection Act (by MIRLN subscriber Michael Khoury , March 2013) - The tempest in the teapot for 2012 was generated when applicants at educational institutions and those searching for employment were compelled to turn over their user names and passwords for social media and other accounts. According to an April 2012 report by the Council of State Governments, "State Leaders Work to Protect the Privacy of Employees' and Students' Social Media Accounts," the issue became significant in Michigan when a teacher's aide was fired for refusing to provide login credentials to her social media account. Late in the 2012 legislative session, Michigan became the sixth state in the United States to enact legislation addressing the privacy of individual accounts and prohibiting employers and educational institutions from taking actions related to these accounts * * *

top

AP Wins Big: Why a Court Said Clipping Content Is Not Fair Use (PaidContent, 22 March 2013) - A federal court has sided with the Associated Press and the New York Times in a closely-watched case involving a company that scraped news content from the internet without paying for it. The case has important implications for the news industry and for the ongoing debate about what counts as "fair use" under copyright law. Here's a plain English explanation of what the case is all about and what it means for content creators and free speech. The defendant in the case is Norway-based Meltwater, a service that monitors the internet for news about its clients. Its clients, which include companies and governments, pay thousands of dollars a year to receive news alerts and to search Meltwater's database. Meltwater sends its alerts to clients in the form of newsletters that include stories from AP and other sources. Meltwater's reports include headlines, the first part of the story known as the "lede," and the sentence in the story in which a relevant keyword first appears. The Associated Press demanded Meltwater buy a license to distribute the story excerpts and, when the service refused, the AP sued it for copyright infringement. Meltwater responded by saying it can use the stories under copyright's "fair use" rules, which create an exception for certain activities. Specifically, Meltwater said its activities are akin to a search engine - in the same way that it's fair use for Google to show headlines and snippets of text in its search results, Meltwater said it's fair use to clip and display news stories. The case has divided the tech and publishing communities. The influential Electronic Frontier Foundation filed in support of Meltwater, arguing that AP could inhibit innovation and free expression if it succeeds with the copyright claim.
On the other side, the New York Times and other news outlets filed to support the AP ; they claim Meltwater was simply free-riding and that the company is undermining the ability to create the sort of journalism on which a free society depends. In a decision published Thursday in New York, U.S. District Judge Denise Cote shot down Meltwater in blunt language. While much of the 90-page ruling covers procedural issues and other defenses put forth by Meltwater, the heart of the decision is about fair use. Judge Cote rejected the fair use claim in large part because she didn't buy Meltwater's claim that it's a "search engine" that makes transformative use of the AP's content. Instead, Cote concluded that Meltwater is more like a business rival to AP: "Instead of driving subscribers to third-party websites, Meltwater News acts as a substitute for news sites operated or licensed by AP." Cote's rejection of Meltwater's search engine argument was based in part on the "click-through" rate of its stories. Whereas Google News users clicked through to 56 percent of excerpted stories, the equivalent rate for Meltwater was 0.08 percent, according to figures cited in the judgment. Cote's point was that Meltwater's service doesn't provide people with a means to discover the AP's stories (like a search engine) - but instead is a way to replace them. [Polley: implications for MIRLN? Fair use, or infringement? Would it be different if I charged for MIRLN? EFF's take on the case is here .]

top

A Libertarian Nightmare: Bitcoin Meets Big Government (Salon, 22 March 2013) - What's not to like about Bitcoin, every libertarian's favorite crypto-currency? For starters, Bitcoins are as cyberpunk as William Gibson's wildest dream: a form of monetary exchange invented in 2009 by a mysterious character who called himself "Satoshi Nakamoto" but then disappeared from view after unleashing his virtual currency upon the world. Bitcoins are undeniably cool: marvelously "mined" from the ore of computer processing power and electricity; more ready for prime time than any previous experiment in purely digital money. And Bitcoins, increasingly, are a success. At a Thursday afternoon all-time-high valuation of $72 per Bitcoin, there were around $700 million worth of Bitcoins in circulation. People are using Bitcoins to buy real goods and services, to hedge against European financial calamity, and to score drugs. That's money. Over the years, Bitcoin has experienced ups and downs; the currency has been targeted by hackers and thieves and botnets and been victim to more than one embarrassing software glitch. But it has persevered, and this week, one can fairly say that Bitcoin came of age. On Monday, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) released its first " guidance " as to how "de-centralized virtual currencies" should fit into the larger regulatory regime under which currencies of all kinds are required to operate. The word "Bitcoin" is never mentioned in FinCEN's release, but that's just a technicality. Everyone in the Bitcoin community knew who the guidance was aimed at. Bitcoin is a big boy now. The State is paying attention. But while some observers have applauded FinCEN's guidance as acknowledgment that Bitcoin isn't illegal or considered a "threat" by the government, not everyone is cheering the news. Because there's a problem here. Bitcoin isn't just an elegant way to create money using peer-to-peer networks and cryptography. 
Bitcoin is a currency with an ideology. * * * [Polley: Spotted by MIRLN reader Corinne Cooper of Professional Presence ]

top

First Amendment Protects Online Republication of Court Records (Eric Goldman, 23 March 2013) - The court summarizes the facts: Nieman discovered in 2009 that certain legal-search websites (such as Lexis/Nexis.com, Justia.com, Leagle.com, and VersusLaw.com) were linking copies of documents from his prior lawsuit to his name. That litigation involved a former employer and was settled in 2011. When Nieman encountered difficulty obtaining another insurance job, he suspected that potential employers had learned of his prior lawsuit online and "blacklisted" him from employment opportunities. Nieman alleged that in late 2011 he wrote to each of the defendants and asked them to delink his court cases from their online search results. The defendants declined. The court's efficient disposition of the resulting lawsuits (citations omitted): The First Amendment privileges the publication of facts contained in lawfully obtained judicial records, even if reasonable people would want them concealed. We have explained that judicial "[o]pinions are not the litigants' property. They belong to the public, which underwrites the judicial system that produces them." Other legal documents included by the court as part of the public record of the judicial proceedings are also covered by the First Amendment privilege. The for-profit nature of the defendants' aggregation websites does not change the analysis; speech is protected even when "carried in a form that is 'sold' for profit." All of Nieman's claims are based on the defendants' republication of documents contained in the public record, so they fall within and are barred by the First Amendment privilege. The district court also relied on 47 USC 230; the Seventh Circuit doesn't address that issue. Nieman v. VersusLaw, Inc. , 2013 WL 1150277 (7th Cir. March 19, 2013)

top

The Dangers of Surveillance (Harvard Law Review, 25 March 2013) - Abstract: From the Fourth Amendment to George Orwell's Nineteen Eighty-Four, our law and literature are full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don't really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with "privacy," we lack an understanding of what "privacy" means in this context, and why it matters. Developments in government and corporate practices, however, have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance. This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of "surveillance studies," I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It also gives the watcher power over the watched, creating the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance.
At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance.

top

US Attorney Asserts Jurisdiction in International Cases Because of Computer Server Location (ABA Journal, 26 March 2013) - U.S. Attorney Neil MacBride of the Eastern District of Virginia is claiming jurisdiction to pursue cases against alleged international copyright pirates and out-of-state securities fraud defendants, citing the location of computer servers in his district. The Associated Press explains. MacBride says he has jurisdiction over most securities fraud cases because the servers for the EDGAR database of the Securities and Exchange Commission are located in Alexandria. He also claimed jurisdiction to bring charges against the Hong Kong file-sharing company Megaupload because many of the servers storing its content were leased from a northern Virginia company. A lawyer for Megaupload, Ira Rothken, has questioned prosecutors' theory that they have jurisdiction in the criminal copyright case because Internet traffic flows through their district. He is claiming a foreign corporation without U.S. offices cannot be prosecuted in this country. Megaupload officials are currently fighting extradition to the United States. [Polley: crazy, the idea of EDGAR-based jurisdiction; wrong, the idea that Megaupload is in HK - try New Zealand.]

top

Leading Library Journal's Editorial Board Resigns Over Publisher's Copyright Policy (MLPB, 26 March 2013) - The Chronicle of Higher Education reports that the editorial board of the Journal of Library Administration , a leading publication in the area of library management, has resigned en masse over the publisher's copyright policy. The now former editor, Damon Jaggers, notes that Taylor and Francis, the publisher of the journal, did negotiate with reluctant authors who objected to its previous policy, but the new policy requires potential authors to ante up $3,000 to publish with the journal.

Science Blogs reproduces the editorial board's resignation announcement here, along with some commentary. Below is the notification from the board: The Board believes that the licensing terms in the Taylor & Francis author agreement are too restrictive and out-of-step with the expectations of authors in the LIS community. A large and growing number of current and potential authors to JLA have pushed back on the licensing terms included in the Taylor & Francis author agreement. Several authors have refused to publish with the journal under the current licensing terms. Authors find the author agreement unclear and too restrictive and have repeatedly requested some form of Creative Commons license in its place. After much discussion, the only alternative presented by Taylor & Francis tied a less restrictive license to a $2995 per article fee to be paid by the Author. As you know, this is not a viable licensing option for authors from the LIS community who are generally not conducting research under large grants. Thus, the Board came to the conclusion that it is not possible to produce a quality journal under the current licensing terms offered by Taylor & Francis and chose to collectively resign.

top

Public Cloud Service Agreements: What to Expect and What to Negotiate (Cloud Standards Customer Council, 30 March 2013) - For datacenters that have already leveraged outsourced infrastructure, the value of service level objectives and their formal contracts is understood. For datacenters that are using clouds as their first entrée into outsourced infrastructure, service agreements may be totally new. IT managers are not comfortable relying on infrastructure and infrastructure management that are outside their immediate control. Therefore, they are quickly realizing that they cannot guarantee a required level of service without understanding their objectives and formalizing such service level with organizations that are on the critical path of their business services delivery. This paper provides cloud consumers with a pragmatic approach to understand and evaluate public cloud service agreements. The recommendations in this paper are based on a thorough assessment of publicly available agreements from several leading public cloud providers. In addition to this paper, a great deal of research and analysis regarding the landscape of cloud service agreements is available in the CSCC companion paper, the "Practical Guide to Cloud Service Level Agreements". In general, we have found that the current terms proposed by public cloud providers fall short of the commitment that many businesses will require. Of course, these providers have reputations to establish or maintain, therefore they will likely employ all reasonable efforts to correct problems, restore performance, protect security, and so on. But neither the specifics of the measures they will take, nor the remedies they offer if they fall short, are currently expressed well enough in their formal agreements in most cases. Furthermore, the language about service levels is often distributed among several documents that do not follow a common industry-wide terminology. 
We hope that one impact of this paper will be to improve this state of affairs. [Polley: Spotted by MIRLN reader Claude Baudoin of Cebe IT & Knowledge Management ]

top

When Social Media at Work Don't Create Productivity-Killing Distractions (Bloomberg, 1 April 2013) - Workers who are encouraged to tweet, chat, like, and Skype on the job are among the most productive, new academic research says, shooting yet another hole in the managerial argument that social media in the workplace leads to goofing off and slacking on company time. Far from being a distraction, common social media tools such as Facebook, Twitter, and LinkedIn, plus Skype to chat, enable employees to answer more customer queries, and more quickly, says Joe Nandhakumar, professor of information systems at the Warwick Business School in the United Kingdom. He and his research team attribute this productivity boost to something Nandhakumar calls the "theory of virtual co-presence"-the ability to collaborate with others over long distances in relatively short, productive sessions to resolve problems or accomplish tasks. Plenty of surveys and studies have looked at the benefits of granting employees unfettered social media access in the workplace, often focusing on increased collaboration among co-workers and, at the very least, keeping companies digitally savvy enough to compete for young talent . The Warwick Business School study is unique: Over more than two years, it followed the way a company's policy to encourage social media usage among its employees led to increased customer interaction and, eventually, higher productivity.

top

Toward an International Law of the Internet (BeSpacific, 2 April 2013) - Toward an International Law of the Internet, Molly Land, New York Law School, November 19, 2012, Harvard International Law Journal, Vol. 54, 2013 (Forthcoming) via SSRN : "This Article presents the first and only analysis of Article 19 of the International Covenant on Civil and Political Rights as it applies to new technologies and uses this analysis to develop the foundation for an "international law of the Internet." Although Article 19 does not guarantee a right to the "Internet" per se, it explicitly protects the technologies of connection and access to information, and it limits states' ability to burden content originating abroad. The principles derived from Article 19 provide an important normative reorientation on individual rights for both domestic and international Internet governance debates. Article 19's guarantee of a right to the technologies of connection also fills a critical gap in human rights law. Protecting technology allows advocates to intervene in discussions about technological design that affect, but do not themselves violate, international human rights law. Failure to attend to these choices - to weigh in, ahead of time, on the human rights implications of software code, architecture design, and technological standards - can have significant consequences for human rights that may not be easily undone after the fact."

top

Law Firms Offer Cybersecurity Advice and Attorney-Client Privilege to Hacked Companies (ABA Journal, 2 April 2013) - Law firms are getting involved as companies investigate hacker incidents, providing attorney-client privilege to shield the findings in future lawsuits. The Wall Street Journal has a story on the trend. In one example, Nationwide Insurance hired Ropes & Gray after a hacker obtained personal details about 1 million people from the insurer. In another, Alston & Bird hired a former Justice Department lawyer in January to head its security-incident and management-response team. The lawyer, Kimberly Peretti, was a senior lawyer in the department's Computer Crime and Intellectual Property Section. Mike Dubose, who leads Kroll Advisory Solutions' cyberinvestigations practice, advises a client to hire a law firm before it hires Kroll. He explained that a client who hires Kroll directly probably won't be protected by attorney-client privilege. "What a company does not want is its investigation or due diligence, undertaken with the best of intentions, to be used against it in litigation," Dubose told the Wall Street Journal. [Polley: possibly great for protecting privilege; not-so-great for solving the problem unless the hired lawyer(s) are tech-fluent and already know your business inside-out. Further, almost all such internal investigations would/should have a non-privileged component, designed for ultimate disclosure to regulators or other non-control audiences. It's a real trick to manage a dual-track privileged/non-privileged internal investigation, and all the harder if counsel doesn't "grok" the technology.]

top

Social Media: SEC Issues Reg FD Guidance (In Form of Enforcement Report) (CorporateCounsel.net, 3 April 2013) - Last month, the SEC's Division of Investment Management issued this guidance in an effort to clarify when mutual funds must file social media messaging with the SEC. The guidance provides 5 categories of communications that IM doesn't believe need to be filed - and examples of communications that do. At the time, I thought Corp Fin might weigh in with its own social media guidance soon - particularly due to widespread criticism in the wake of news that Netflix had received a Wells Notice from the Division of Enforcement (see my own blog on this topic - and Prof. Joe Grundfest's amicus curiae brief ). The answer is "yes, sort of." Yesterday, the SEC issued this Section 21(a) Report of Investigation stating that Enforcement has decided not to go after Netflix - mostly because its 2008 "corporate use of website" guidance may not have been sufficiently clear about how it applies to social media (given that social media exploded onto the scene more recently). More importantly, the Report clarifies that the SEC's '08 framework is sufficiently flexible to accommodate new "push" technologies like Facebook and Twitter - so that companies should continue to apply their own facts against whether they have created a "recognized channel of distribution" using that framework. Even though the SEC's press release touts the new report as a greenlight for companies - the press release's title is "SEC Says Social Media OK for Company Announcements If Investors Are Alerted" - I'm dubious that companies and their advisors will see it that way. For starters, the new guidance comes from an Enforcement report (here's an explanation of what a Section 21(a) report is) - perhaps not the best vehicle to encourage new practices. And it doesn't get into the nitty gritty like IM's new guidance does.
Given the slow adoption rate of social media by IR, finance and governance professionals - compared to the rest of the world - I'm not convinced this will be enough to get folks moving (for example, see this blog by Blank Rome's Yelena Barychev and this Cooley news brief from Cydney Posner). [Polley: see also Bloomberg Adds Twitter Feeds to Financial Platform on Heels of New SEC Rules (PaidContent, 4 April 2013)]

top

If You Were 17, It Could Have Been Illegal To Read Seventeen.com Under the CFAA (EFF, 3 April 2013) - If you are 17 or under, a federal prosecutor could have charged you with computer hacking just for reading Seventeen magazine online-until today. It's not because the law got any better. Earlier today, we wrote about news sites that alarmingly prohibit their youth audiences from accessing the news and the potential criminal consequences under the Computer Fraud and Abuse Act . In response, the Hearst Corporation modified the terms of service across its family of publications, including the Hearst Teen Network, which notably includes titles like Seventeen, CosmoGirl, Teen and MisQuince. Seventeen highlights the absurdity of giving terms of service the force of law under the CFAA. It boasts a readership of almost 4.5 million teen readers with an average age of 16 and a half, and yet, until today, the average reader was legally banned from visiting Seventeen.com. That's right, for a magazine dedicated to teen fashion, the publisher's terms explicitly restricted online access to readers 18 and older. What's worse, the Justice Department could choose to bring the might of the government to enforce this contract against a Seventeen reader who may never have even seen the agreement. Federal prosecutors have argued in court that accessing a website in violation of terms of service is a crime. If the website's terms, like Seventeen magazine's previous version , explicitly state that you must be an adult to visit their sites or participate in their interactive features, then teenagers accessing the site are doing so "without authorization" under the CFAA and could be doing jail time, according to the DOJ. Hearst removed the following line from the terms for publications ranging from the Houston Chronicle to the San Francisco Chronicle, from Popular Mechanics to Seventeen: "YOU MAY NOT ACCESS OR USE THE COVERED SITES OR ACCEPT THE AGREEMENT IF YOU ARE NOT AT LEAST 18 YEARS OLD."
The revisions are dated "April 23, 2013," but presumably they meant April 3. Thank you Hearst, we appreciate your prompt response. But the real problem is the CFAA, which allows prosecutors to use these silly terms to manufacture computer crimes. And prosecutors have plenty of opportunities, as ridiculous terms of service abound throughout the Internet.

top

Law Firm Fell Victim to Phishing Scam, Precipitating $336k Overseas Wire Transfer, Bank Suit Alleges (ABA Journal, 4 April 2013) - A North Carolina bank claims in a lawsuit that it isn't responsible for a $336,600 wire transfer to Russia from a law firm account. The suit by Charlotte-based Park Sterling Bank claims the law firm of Wallace & Pittman fell victim to a phishing scam that began with a click on a link in a fraudulent email, the Charlotte Observer reports. The email claimed to be from an industry group and warned that a banking transaction had failed to clear. Because of the clicked link, hackers were able to track a user's keystrokes and learn banking passwords used by Wallace & Pittman, the suit says. Hackers used the passwords to send $336,600 to a "Konstantin Pomogalove" in Moscow, according to legal documents cited by the newspaper. After receiving notice of the transaction, the law firm immediately sought to stop the transfer. Nevertheless, the call was too late, the story says. Park Sterling Bank initially refunded the money, then told the law firm it wanted the funds returned. Before the bank could debit the amount, the law firm obtained a restraining order and closed its account. Park Sterling Bank says the law firm should have opted for a higher security level that requires two approvals for wire transfers, and says the law firm is responsible for the loss under its customer agreement. Wallace & Pittman, on the other hand, claims the international nature of the wire transfer should have raised the bank's suspicions, and the institution should have warned of phishing scams. [Polley: nearly on-point case decided against the bank's customer here .]


RESOURCES

Cloud Ethics Opinions (ABA's LTRC, March 2013) - There's a compelling business case for cloud computing, but can lawyers use it ethically? We've compiled these comparison charts to help you make the right decision for your practice. [Polley: clickable State map, with links to opinions and other resources.]


The Fair Use/Fair Dealing Handbook (InfoJustice.org, 27 March 2013) - More than 40 countries with over one-third of the world's population have fair use or fair dealing provisions in their copyright laws. These countries are in all regions of the world and at all levels of development. The broad diffusion of fair use and fair dealing indicates that there is no basis for preventing the more widespread adoption of these doctrines, with the benefits their flexibility brings to authors, publishers, consumers, technology companies, libraries, museums, educational institutions, and governments. Fair dealing was first developed by courts in England in the eighteenth century, and was codified in 1911. Fair dealing became incorporated into the copyright laws of the former British Imperial territories, now referred to as the Commonwealth countries. Over the past century, the fair dealing statutes have evolved in many of the Commonwealth countries, and increasingly resemble the fair use statute in the United States. Thus, although fair dealing is generally considered to be less flexible and open-ended than fair use, this is no longer the case in many Commonwealth countries. This handbook contains all the fair use and fair dealing statutes we were able to identify: The Fair Use/Fair Dealing Handbook


BOOKS

"Trademark and Deceptive Advertising Surveys" (review by Eric Goldman, 20 March 2013) - I read only a couple of books per year. As very long-form scholarship, books usually require big blocks of time to read (and I rarely have such blocks), and I typically find the payoff isn't worth the time investment. As a result, it's rare that I read a book, rarer when I like a book, and exceptionally rare when I think a book is worth recommending to you. Yet, I can hardly contain my enthusiasm for the 2012 book, "Trademark and Deceptive Advertising Surveys: Law, Science and Design," edited by Shari Seidman Diamond and Jerre B. Swann and published by the ABA's IP Section. It may be the best book I've read in years. Why do I like this book so much? It's the *perfect* legal resource guide. The chapters are written by the leading experts in the field--names you most likely recognize, including William Barber, Jerre Swann, Bruce Keller, Shari Seidman Diamond, Itamar Simonson, Jacob Jacoby and many more. In each chapter, an expert explains how he/she handles an aspect of the consumer survey process and why he/she makes certain professional judgments. It's like having an initial consultation with, or some private coaching from, the leaders in the consumer survey field, except that they aren't billing you by the hour and they give you citations for your deeper investigation if you want. I know I'm a hardcore geek, so my experience may not be representative, but I found this book a page-turner that I couldn't put down. Every page was packed with a golden nugget or two of insight, page after page, chapter after chapter. I'm not exaggerating at all when I say that I found the book gripping.


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

FCC to Begin VOIP Inquiry (CNET, 6 Nov 2003) -- The Federal Communications Commission said Thursday that it plans to formally decide whether to regulate Internet telephone companies. The FCC will begin a yearlong inquiry into the "appropriate regulatory environment for these services" on Dec. 1, the commission said in an announcement. "The FCC has been studying VoIP issues for several years, but things have greatly accelerated over the past year, and, thus, so have the FCC's actions to address the complex issues that arise," FCC Chairman Michael Powell wrote in an accompanying letter to Oregon Sen. Ron Wyden, who is sponsoring an Internet tax ban that could affect voice over Internet Protocol services. VoIP is a technology for making phone calls using the Internet Protocol, the world's most popular method for sending data from one computer to another. It requires a network connection and a PC with a speaker and a microphone or a device to convert a telephone's analog signal into IP and vice versa. Pressure has been on the FCC to make its position known on VoIP ever since a U.S. District Court shot down an attempt by regulators in Minnesota to make VoIP provider Vonage follow state telephone rules. In that court case, Vonage argued that its service uses the Internet, which has historically fallen under federal control. Vonage, BellSouth, SBC Communications and Motorola have asked the FCC to draft a nationwide policy instead of a patchwork of possibly different state regulations. States are beginning to try to regulate VoIP services, which provide many of the same functions as the traditional phone system but with different technology and at a lower cost. At stake is a key distinction between voice services, which in the past have used the Public Switched Telephone Network, and data services such as the Internet.


Memories in the Corner of My Eye (Wired, 11 Nov 2003) -- Trying to remember a full day's schedule is no mean feat -- especially when it's full of business meetings, grocery shopping, kids' soccer practice and music lessons, and sundry other errands. Help may be on the way from a pair of specs dubbed the memory glasses. The specs have a tiny television screen embedded into one of the lenses and are hooked up to a PDA. The PDA can be programmed to send messages or images to the screen. Each prompt is geared to jog the wearer's memory -- whether it is an image of a soccer ball, the day's calendar or the name of the guy who just said hello. And all of these messages are flashed before the eye at 1/180 of a second, so the wearer isn't even conscious that they have been sent. "The thing that's unique about my work on the memory glasses is the use of subliminal messages," said Richard DeVaul, the glasses' inventor and a doctoral student at the Massachusetts Institute of Technology's Media Lab. DeVaul said subliminal messages aren't powerful enough to stimulate action; rather, they act as prompters -- they fill in the blanks that the wearer is already searching for. The fact that the wearer is unconscious of them is, according to DeVaul, the key to his system. "We can never precisely know what the wearer needs to know, or when he needs to know it, and this is why the fact the messages are subliminal is so important. If the information given is not helpful at that time, it's not important because it isn't noticed," DeVaul said. So rather than producing a barrage of distracting pop-up messages, the system provides a noninvasive wealth of information and memory cues about appointments, shopping-list items, meeting agendas, and the spouse's birthday. And for those awkward chance meetings when you are completely at a loss as to whom you are talking to, the system can flash a name or an image of the last meeting you had with the mystery person to help jog your memory. The system can find these matches by using voice- or face-recognition technologies. DeVaul has been using off-the-shelf PDAs in tests of the glasses. The mini TV screen itself is a few millimeters square and can be integrated into the wearer's own glasses, but for the trial the MIT team has been using a clip-on version.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.