MIRLN --- 7-27 April 2013 (v16.06)

MIRLN --- 7-27 April 2013 (v16.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

• Payment Card Industry Security Standards Council Publishes Cloud Computing Guidelines for Cardholder Data
• Cybersecurity Disclosure: The Risks Of Silence
• U.S. Business SEC Filings Suggest Cyber Threats may be Overstated
• Rockefeller Asks SEC to Step Up Cybersecurity Disclosures
• Federal Energy Regulatory Commission (FERC) Imposes a $975,000 Civil Penalty against Entergy for 27 Violations of Reliability Standard
• Volunteer Opportunities for IP Professionals
• CRS - Drones in Domestic Surveillance Operations
• Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight
• Want to Read the Law? It'll Cost You
• IRS Tracks Your Digital Footprint
• Hay Maker Seeks Cyberheist Bale Out
• How Other Companies Manage Social Media
• King & Spalding Blocks Employee Access to Personal Email Accounts, But Offers an Alternative
• Order and Liberty: The DPLA Launches
• Fair Use In Comparative Law
• Mich. Court Backs Anonymity for Former Student Who Trashed Law School Online
• Verizon's 2013 Data Breach Investigations Report
• Google Scholar Legal Content Star Paginator
• You Shouldn't Need a Copyright Lawyer to Pick a Dentist
• Fifth Amendment Shields Child Porn Suspect From Decrypting Hard Drives
• FBI Denied Permission to Spy on Hacker Through His Webcam
• Once Under Wraps, Supreme Court Audio Trove Now Online
• Sanctions Against Iran Will Hit Samsung Phone Users
• Businesses Take a Cautious Approach to Disclosures Using Social Media

Payment Card Industry Security Standards Council Publishes Cloud Computing Guidelines for Cardholder Data (Reed Smith, 21 March 2013) - n a bid to help organisations better understand their compliance obligations under the Payment Card Industry Data Security Standard (PCI DSS) when using cloud technology to collect, store or transmit credit card data, the Payment Card Industry Security Standards Council (PCI SSC) has published the PCI DSS Cloud Computing Guidelines Information Supplement . Formed through a collaboration of more than 100 global organisations representing banks, merchants, security assessors and technology vendors, the guidelines state that the PCI DSS will still apply "if payment card data is stored, processed or transmitted in a cloud environment". According to the PCI SSC, unless the cloud deployment model is truly private (on-site), security is a shared responsibility between the Cloud Service Provider (CSP) and its clients, with the levels of responsibility between the two depending on the type of cloud service model used.

top

Cybersecurity Disclosure: The Risks Of Silence (Dechert LLP, March 2013) - With the rise in targeted, sophisticated, malicious attacks on corporate America's electronic infrastructure, companies are increasingly focused on their cybersecurity disclosure obligations. There is a growing concern that many companies - fearing reputational harm - are sitting silent, but recent disclosures from a number of companies indicate a shifting approach to cybersecurity disclosure. In addition, pronouncements from the Obama Administration and top regulators reinforce the importance of understanding cybersecurity disclosure obligations. Cybersecurity is critically important to regulators and failure to disclose cybersecurity risks or actual breaches will likely draw significant attention. This OnPoint outlines some of the reasons for companies' increased focus on managing their cybersecurity risks. * * *

top

- and -

U.S. Business SEC Filings Suggest Cyber Threats may be Overstated (Network World, 9 April 2013) - Of the 27 largest U.S. companies (by revenue) that reported cyber attacks to the SEC, all of them stated they suffered no major financial losses from the intrusions, according to Bloomberg . Almost half the companies (12)which included Amazon, AT&T and Verizon reported the cyber attacks on their systems "had no material impact" on the companies. Another, Citigroup, reported it suffered "limited losses and expenditures" from Internet bandit activity. Note: corporations have been known to keep their cards close to their vest when it comes to reporting about intrusions into their computer systems. The reports by these companies suggest that much of the controversy being generated in the public debate over American intellectual property being ransacked by foreign powers and cyber criminals may be more steam than flame. "I find it remarkable that only 27 companies disclosed they were targeted," Chris Peteren, founder and CTO of LogRhythm, a network security solutions provider in Boulder, Colo. told PCWorld. "Every piece of evidence that's out there right now points to the fact than 100 out of 100 are certainly being targeted," he maintained. However, he pointed out that what's "material" to these companies could have a high threshold. "A million, two million, three million dollars is in the realm of immaterial for these organizations," he said.

top

- and -

Rockefeller Asks SEC to Step Up Cybersecurity Disclosures (The Hill, 10 April 2013) - Sen. Jay Rockefeller (D-W.Va.) is urging the Securities and Exchange Commission (SEC) to require companies to reveal more information about their ability to defend against attacks on their computer systems. In a letter sent on Tuesday to recently confirmed SEC Chairwoman Mary Jo White, Rockefeller said the agency should issue commission-level guidance to companies on their obligation to disclose cybersecurity information. In response to a request from Rockefeller in 2011, the SEC issued staff-level guidance on cybersecurity disclosures. But Rockefeller, the chairman of the Senate Commerce Committee, argued that the SEC should elevate the guidance to the commission-level.

top

Federal Energy Regulatory Commission (FERC) Imposes a $975,000 Civil Penalty against Entergy for 27 Violations of Reliability Standard (Nat'l Law Review, 6 April 2013) - On March 28, 2013, the Federal Energy Regulatory Commission (FERC) issued an order approving a stipulation and consent agreement between FERC's Office of Enforcement (OE) and Entergy Services, Inc. (Entergy) to settle violations of various North American Electric Reliability Corporation (NERC) Reliability Standards. Although the basic terms of this settlement are largely unremarkable, there are unique aspects of this case to note. In a single paragraph, FERC stated: "The civil penalty amount is consistent with the Penalty Guidelines. Enforcement considered that, given the size and complexity of Entergy's system, its violations posed a high risk that it would be unable to prevent, contain, or control a disturbance that could lead to substantial harm." There are two other items of note about the Entergy settlement. The first is that the settlement explicitly calls out a cybersecurity violation. FERC staff found that Entergy violated Reliability Standard CIP-007-1 R1 because Entergy failed to test a firmware upgrade for a network switch prior to applying it in the production environment and because Entergy could not assess whether significant configuration changes to critical cyber assets would compromise its cybersecurity controls or those assets. Stating this finding in the public settlement departs from FERC's and NERC's typical practice of masking the identity of entities who have committed cybersecurity violations. [Polley: Spotted by MIRLN reader Roland Trope .]

top

Volunteer Opportunities for IP Professionals (Patently-O, 8 April 2013) - One common way in which lawyers give back to their community is via pro bono work. In the pro bono world, a transactional lawyer typically has a general skillset allowing him or her to cover a variety of general corporate areas for a pro bono client even if the specific question at hand does not fall directly in the lawyer's field of practice. Similarly, litigators, who have experience in the courtroom, are equipped to handle a variety of cases brought by pro bono clients, such as small-claims court matters, housing, harassment, or immigration issues. However, patent prosecutors and in-house counsel who might specialize in interacting with the United States Patent and Trademark Office (USPTO), may not feel equipped to meet in the more common litigation or transactional needs of typical pro bono clients. Thus, it may not seem obvious to these attorneys how they can use their skill set to give back to the community. This article identifies a few ways in which intellectual property professionals can use their abilities to enhance their community. One way in which intellectual property (IP) lawyers can fulfill their pro bono hours is by getting involved with local charities and helping them with their IP needs- for example, assisting them with the filing of a trademark for their organization. As patent prosecutors have familiarity with the USPTO, this would be an ideal way to help the community. Alternatively, IP lawyers can volunteer for organizations like Lawyers for the Creative Arts or Springboard for the Arts , which provide pro bono legal assistance to clients working in the areas of art, culture, media, and entertainment, including the visual, literary, and performing arts. Example projects include working with artists on copyright, trademark, or general contract issues. For those IP lawyers interested in writing patents for under-resourced inventors and small businesses pro bono, the USPTO launched a pilot program in Minnesota last year to provide legal services to help such individuals and businesses obtain solid patent protection. Based on the success of the Minnesota program, the USPTO has instituted five new regional pro bono programs in Denver, California, Texas, Washington D.C. and New York City.

top

CRS - Drones in Domestic Surveillance Operations (BeSpacific, 8 April 2013) - Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses. Richard M. Thompson II, Legislative Attorney. April 3, 2013): "The prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an onboard human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm's way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations to protect the homeland, assist in crime fighting, disaster relief, immigration control, and environmental monitoring. Although relatively few drones are currently flown over U.S. soil, the Federal Aviation Administration (FAA) predicts that 30,000 drones will fill the nation's skies in less than 20 years." CRS report here .

top

Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight (Wired, 9 April 2013) - A legal fight over the government's use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect. Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government's surveillance tool so that he could be located. Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location. Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don't have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI. The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location. In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then "broadcast a very strong signal" to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom-in on Rigmaiden's location. To make sure the air card connected to the FBI's simulator, Rigmaiden says that Verizon altered his air card's Preferred Roaming List so that it would accept the FBI's stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI's fake site was at the top of the list. During a hearing in a U.S. District Court in Arizona on March 28 to discuss the motion, the government did not dispute Rigmaiden's assertions about Verizon's activities.

top

Want to Read the Law? It'll Cost You (New Republic, 10 April 2013) - Say you live in Rhode Island and want to upgrade the ancient plumbing in your kitchen. You figure you should be able to save some cash and do it yourself, but want to make sure you're on the up-and-up with all applicable codes and regulations. So you head over to the state's website to read the plumbing code . Problem is, the 15-page "code" is actually just a series of modifications to a 156-page volume of standards published by the International Code Council-the 2009 edition of which , according to the introduction to the state regs, "is protected by the copyright that has been issued to the ICC. As a result, the State Building Code is not available in complete form to the public in an electronic format." Your choice: $89 for a printed copy, or $74 for an e-copy. But why should you have to pay to read laws that you must obey? You shouldn't, of course. Neither state nor federal law is copyrightable. Nevertheless, standards development organizations-from the American Society of Sanitary Engineers to the National Wood Window and Door Association-insist otherwise, having poured resources into developing long, technical regulations because the government didn't have the expertise to do so. 1 Now, state and federal laws simply reference these industry codes , and allow non-profits to charge for hefty books. For decades, reading these books for free has required trekking to your state capitol, or if you're lucky, a local library. But the Internet has created an expectation that everything be made available online, searchable, linkable, printable, and free-especially something that seems as rightfully in the public domain as the law of the land. Carl Malamud believes this more strongly than most. The open-government activist, who pushed the Securities and Exchange Commission to post corporate documents online and C-SPAN to make its video archive more widely available , has been either scanning or painstakingly re-typing and posting standards on his website Public.Resource.org for anyone to download. He started back in 2008 with California's codes, and had posted 10,062 standards as of the end of last year. When the standards developers ask him to stop-as six have done so far-he politely refers them to the 2002 decision in Veeck vs. Southern Building Code Congress International , in which a circuit court judge ruled that "as law, the model codes enter the public domain and are not subject to the copyright holder's exclusive prerogatives." Malamud typically doesn't hear back after sending his response. But the Sheet Metal and Air Conditioning Contractors Association, which publishes standards relating to ducts and ventilation, wasn't satisfied. In February, they followed up with a letter protesting that that the 9th Circuit had ruled differently back in 1997, and the decision still holds. Malamud, with the help of the Electronic Frontier Foundation, fought back with a complaint against SMACNA, asking that a judge resolve the legal question once and for all: Does the public have the right to the law, or doesn't it?

top

IRS Tracks Your Digital Footprint (MSN, 10 April 2013) - The Internal Revenue Service is collecting a lot more than taxes this year -- it's also acquiring a huge volume of personal information on taxpayers' digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e-payment transaction records, as it expands its search for tax cheats to places it's never gone before. The IRS, under heavy pressure to help Washington out of its budget quagmire by chasing down an estimated $300 billion in revenue lost to evasions and errors each year, will start using "robo-audits" of tax forms and third-party data the IRS hopes will help close this so-called "tax gap." But the agency reveals little about how it will employ its vast, new network scanning powers. Tax lawyers and watchdogs are concerned about the sweeping changes being implemented with little public discussion or clear guidelines, and Congressional staff sources say the IRS use of "big data" will be a key issue when the next IRS chief comes to the Senate for approval. Consumers are already familiar with Internet "cookies" that track their movements and send them targeted ads that follow them to different websites. The IRS has brought in private industry experts to employ similar digital tracking -- but with the added advantage of access to Social Security numbers, health records, credit card transactions and many other privileged forms of information that marketers don't see. The agency declined to comment on how it will use its new technology. But agency officials have been outlining plans at industry conferences, working with IBM, EMC and other private-sector specialists. In presentations, officials have said they may use the big data for:

• Charting and analyzing social media such as Facebook.
• Targeting audits by matching tax filings to social media or electronic payments.
• Tracking individual Internet addresses and emailing patterns.
• Relationship analysis based on Social Security numbers and other personal identifiers.

U.S. Tax Court records show that information gathered from Facebook and eBay postings have been used by the IRS in defending tax challenges. Under a Freedom of Information Act disclosure obtained by privacy advocates at the Electronic Frontier Foundation, the group published the IRS's 38-page manual used to train auditors to search Internet addresses, Facebook postings and other social media to back audit enforcements.

top

Hay Maker Seeks Cyberheist Bale Out (Krebs on Security, 13 April 2013) - An Oregon agricultural products company is suing its bank to recover nearly a quarter-million dollars stolen in a 2010 cyberheist. The lawsuit is the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime. On Sept. 1, 2010, unidentified computer crooks began making unauthorized wire transfers out of the bank accounts belonging to Oregon Hay Products Inc., a hay compressing facility in Boardman, Oregon. In all, the thieves stole $223,500 in three wire transfers of just under $75,000 over a three day period. According to a complaint filed in Umatilla County Circuit Court, the transfers were sent from Oregon Hay's checking account at Joseph, Ore. based Community Bank to JSC Astra Bank in Ukraine. Oregon Hay's lawyers say the company had set a $75,000 daily limit on outgoing wires, so the thieves initiated transfers of $74,800, $74,500 and $74,200 on three consecutive days. Oregon, like most states, has adopted the Uniform Commercial Code , which means that a payment order received by the bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer. In its complaint, Oregon Hay targets Article 4A of the UCC , alleging that Community Bank's online account security procedures were not commercially reasonable given the sophistication of today's threats, and that the bank did not accept the fraudulent payment orders in good faith. The plaintiffs claim that the bank's security systems did not rise to the level of recommendations issued by banking regulators at the U.S. Federal Financial Institutions Examination Council (FFIEC), which urged the use of multi-factor authentication to verify the identity of users attempting to log in to a financial institution's online banking software. Multi-factor authentication requires the presentation of two or more of the three authentication factors: something the user knows, such as a password or PIN; something the user has, such as a smart card or one-time token; and something the user is, such as a fingerprint or iris scan. According to the lawsuit, at the time of the theft Community Bank relied on a Jack Henry product called "Multifactor Premium with Watermark," which relied on a combination of "device IDs" - a software "cookie" that identifies the user's computer - and "challenge/response" questions, which attempt to verify a user's identity by asking him for answers to questions about his personal or financial history.

top

How Other Companies Manage Social Media (Entrepreneur, 13 April 2013) - Whether your company is just starting to dabble in social media or has a strong strategy it has been implementing for a while, you may want to know how other companies are navigating the social Web. If you've ever wondered how many people companies hire to manage social media, how they measure success or whether you're the only ones getting help from interns, we have the answers you've been looking for. We asked 2,714 communicators how their companies use social media in our Ragan/NASDAQ OMX Corporate Solutions survey , and Go-Gulf.com highlighted some of the findings in an infographic .

top

King & Spalding Blocks Employee Access to Personal Email Accounts, But Offers an Alternative (ABA Journal, 16 April 2013) - Citing security concerns, a major law firm has blocked its workers from accessing their personal email on its computers. In a memo to employees on Monday, King & Spalding said it had been advised by consultants that accessing personal email accounts such as Gmail, Yahoo and Hotmail from the law firm's computers "creates a significant security risk." Hence, as of May 1, workers will be blocked from doing so-and should not do so, even if for some reason they are not blocked from doing so. The ban includes accessing personal email from firm laptops even if they are not using the firm's computer system, the memo notes. However, access to personal email is not lost for those with personal laptops and electronic devices at the office, the memo points out. A special wireless network has been installed in each office that employees can use for this purpose. Some clients do require law firm personnel to use accounts such as Gmail, the memo notes, and says employees should contact the firm for help determining how best to handle such issues.

top

Order and Liberty: The DPLA Launches (InsideHigherEd, 18 April 2013) - I wasn't entirely sure what the Digital Public Library of America (DPLA) would look like when the long-awaited launch date of April 18 approached. The suspense is finally over: it looks great. The DPLA is an effort to unify access to cultural assets of the nation and make them free to all. We are not the first country to try this ; in fact we're a bit behind, perhaps because we have a tradition of local library planning and support and because we don't have a true national library. (The Library of Congress is what its name says: it's Congress's library. We get to use it, and it does lots of work with copyright and cataloging that benefit libraries everywhere, but it is not a national library.) This project has been fascinating to watch as it has evolved out of democratic principles and the potential of digital sharing and collaboration. It raises all kinds of questions: what is a library? Do academic and public libraries, museums, and archives serve a common purpose? Who is it for? What does it mean for culture to be "free"? How can a digital library enable access to culture when so much of it is under copyright and not shareable except as the rights-holder allows? The DPLAs not going to be a digital version of your local public library's collections and services - at least, not yet. It is trying to do three things right now: pull together digital assets from major national and regional digital collections into a well-organized, unified, easily searchable portal; provide digital tools and metadata that others can use to build new applications; and provide national leadership in the effort to encourage open and collective access to our shared cultural record. In other words, it will help us discover cultural assets scattered across websites and in museums, libraries, and archives. It will help us make new things with the pooled metadata. It will promote conversations we need to be having.

top

Fair Use In Comparative Law (MLPB, 18 April 2013) - Martin Senftleben, VU University of Amsterdam Faculty of Law, has published Comparative Approaches to Fair Use: An Important Impulse for Reforms in EU Copyright Law , in G.B. Dinwoodie (ed.), Methods and Perspectives in Intellectual Property (G. B. Dinwoodie, ed., Cheltenham, UK/Northampton, MA, Edward Elgar, (2014, Forthcoming). Here is the abstract. Fair use provisions in the field of copyright limitations, such as the U.S. fair use doctrine, offer several starting points for a comparative analysis of laws. Fair use may be compared with fair dealing. With the evolution of fair use systems outside the U.S., fair use can also be compared across different countries. The analysis may also concern fair use concepts in different domains of intellectual property. Instead of making any of these direct comparisons, the present analysis deals with another aspect of comparative analyses: the study of foreign fair use provisions as a basis for the improvement of domestic legislation. More specifically, the analysis will show that important impulses for necessary reforms in the EU system of copyright exceptions can be derived from a comparison with the flexible approach taken in the U.S. 

For this purpose, the legal traditions underlying the legislation on copyright limitations in the EU (civil law) and the U.S. (common law) will be outlined (section 1) before explaining the need for reforms in the current EU system (section 2). On this basis, strategies for translating lessons to be learned from the U.S. fair use approach (section 3) into the EU system will be discussed. This translation is unlikely to fail because of an inability or reluctance of civil law judges to apply open-ended norms (section 4). Under existing EU norms, however, a degree of flexibility comparable to the flexibility offered in the U.S. cannot be achieved (section 5). To establish a sufficiently flexible system, EU legislation would have to be amended (section 6 and concluding section 7).

top

Mich. Court Backs Anonymity for Former Student Who Trashed Law School Online (Inside Higher Ed, 22 April 2013) - A former student who created a website that harshly criticized Thomas M. Cooley Law School is protected by the First Amendment and should not have his identity revealed, a Michigan state appeals court ruled this month . Cooley, a freestanding law school in Michigan, had sued the former student in state court, saying that the site the ex-student created, Thomas M. Cooley Law School Scam, defamed the institution. Cooley officials obtained a California subpoena compelling the company that hosted the website to reveal his identity, and a lower state court refused to block the subpoena. But the appeals court ruled that Michigan law protects such speech, and sent the case back to the lower court for further review.

top

Verizon's 2013 Data Breach Investigations Report (April 2013) - Perhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage. But rather than a synchronized chorus making its debut on New Year's Eve, we witnessed separate, ongoing movements that seemed to come together in full crescendo throughout the year. And from pubs to public agencies, mom-and-pops to multi-nationals, nobody was immune. As a result-perhaps agitated by ancient Mayan doomsday predictions-a growing segment of the security community adopted an "assume you're breached" mentality. The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world. The list of partners is not only lengthy, but also quite diverse, crossing international and public/private lines. It's an interesting mix of law enforcement agencies, incident reporting/handling entities, a research institution, and other incident response (IR)/forensic service firms. What's more, these organizations contributed a huge amount of data to the report. All told, we have the privilege of setting before you our analysis of more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Over the entire nine-year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records. [Polley: pretty interesting report, suggesting some trends.]

top

Google Scholar Legal Content Star Paginator (FutureLawyer, 23 April 2013) - Chrome Web Store - Google Scholar Legal Content Star Paginator . This free little tool is handy for legal researchers who are used to seeing page numbers inline in Westlaw or Lexis. If you use the free Google Scholar service for basic legal research (why are you paying for legal research?), this will put star pagination into your Scholar results. The first place I go for case finding is Scholar; and, often I need not go anywhere else. I particularly like the "Cited by" command, which works like a poor man's Shepard's Citations. It lists all cases citing your case, and gives a one line reference to the citing case.

top

You Shouldn't Need a Copyright Lawyer to Pick a Dentist (Eric Goldman, 23 April 2013) - In October 2010, Robert Lee needed a dentist, pronto. He didn't realize he needed a copyright lawyer to help him pick a dentist. In search of urgent pain relief, Lee contacted Dr. Stacy Makhnevich (a preferred provider under Lee's insurance plan). Dr. Makhnevich's office required Lee to sign a "Mutual Agreement to Maintain Privacy" before it would treat him. This agreement--based on a form contract sold by a North Carolina company called Medical Justice--prohibits patients from posting online reviews of the dentist; and if the patient does write a review, the agreement says the dentist owns the review's copyright. In exchange, the dentist promises not to ask the patient if it can sell the patient's name to marketers--a worthless promise , as HIPAA already requires the dentist to obtain patients' permission before selling their information to marketers. (Elsewhere, I've explained why I think asking patients to restrict their future reviews is unethical, probably illegal , and a bad business decision ). Lee just wanted dental services, and not surprisingly he wasn't in much of a mood to negotiate the ownership of copyrights in works that Lee hadn't even written yet. So like hundreds of thousands of other Americans, Lee signed a Mutual Agreement to Maintain Privacy so he could get the dental services he urgently needed. Later, Lee became unsatisfied with his interactions with the dentist and posted critical online reviews to Yelp , DoctorBase and other websites. Apparently unhappy with the reviews, the dentist invoked the Mutual Agreement to Maintain Privacy and claimed copyright ownership over those reviews. The dentist sent Lee draft versions of lawsuits claiming $100,000 in copyright infringement damages. The dentist sent Lee invoices claiming copyright damages of $100 per day for his infringement. The dentist also sent takedown notices to Yelp and other websites, threatening to sue them for copyright infringement if they didn't remove Lee's posting. (To its credit, Yelp stood behind its user and declined to remove the review, accepting the risk of being sued for Lee's purported copyright infringement). Lee didn't fold under this pressure; instead, he sued the dentist to void the contract. In a recent ruling, the court rejected the dentist's attempt to dismiss Lee's lawsuit. The court didn't conclude that Lee will win (that question hasn't been raised yet), but the opinion isn't good for the dentist. This ruling is particularly noteworthy because we almost never see legal battles involving the Mutual Agreement to Maintain Privacy. When confronted with a doctor or dentist's threats involving the agreement, most patients quickly back down and remove their online reviews. In the rare situations where the patient doesn't back down, some doctors and dentists acquiesce rather than test the contract's strength in court. This case got to court only because the dentist sought so aggressively to assert the contract rights and Lee decided to fight rather than fold. Though we'll have to see how this case turns out, the dentist probably made the wrong choice. Meanwhile, after a public interest organization (Center for Democracy & Technology) filed a complaint about Medical Justice's practices with the Federal Trade Commission, Medical Justice unilaterally declared that it had "retired" the contract and advised its customers to stop using its form. Indeed, Medical Justice has done a complete reversal on its customers. Having persuaded its customers that patient reviews should be suppressed, Medical Justice (under a new brand, eMerit) is now selling doctors and dentists a service to help them increase the number of online reviews from patients. Medical Justice's customers would have been much better served encouraging patient reviews from the beginning; many of those customers are now woefully behind their competition in generating a credible quantity of patient reviews. Despite Medical Justice's credibility-defying flip, Medical Justice was so effective at persuading doctors/dentists to fear patient reviews that some doctors and dentists are still using the form agreement. Should your doctor or dentist present with such a form, you don't need to call your copyright lawyer. Instead, refuse to sign the form , tell your doctor or dentist that the form agreement is unethical and probably illegal, and send them a copy of the recent ruling. Or, tell the doctor/dentist that you're going to take your business to a healthcare provider with more enlightened views about patient reviews. [Polley: Particularly good post - Eric summarizes several related issues; he's pretty passionate about this stuff.]

top

Fifth Amendment Shields Child Porn Suspect From Decrypting Hard Drives (Ars Technica, 24 April 2013) - A federal judge refused to compel a Wisconsin suspect to decrypt the contents of several hard drives because doing so would violate the man's Fifth Amendment right against self-incrimination. Judge William E. Callahan's Friday ruling ultimately labeled the issue a "close call." Courts have wrestled with how to apply the Fifth Amendment to encrypted hard drives for several years. According to past rulings , forcing a defendant to decrypt a hard drive isn't necessarily self-incriminating, but forcing a defendant to decrypt a hard drive can amount to self-incrimination if the government can't otherwise show that the defendant has the password for the drive. In that case, forced decryption amounts to a forced confession that the defendant owns the drive. For example, in one case a border patrol agent viewed incriminating files on a suspect's laptop during a border crossing. But the official then closed the laptop, causing the portion of the hard drive containing the files to be encrypted automatically and deprive investigators of access. The court ruled that because the government already knew the files existed and the suspect had access to them, compelling their decryption didn't force the suspect to implicitly admit the laptop was his. The circumstances of the Wisconsin case were different. While police officers did find logs on the suspect's PC suggesting that incriminating files had been saved to an encrypted drive, the suspect had multiple encrypted hard drives in his apartment, and the government had no way of proving which specific hard drives, if any, contained the incriminating files in question. In theory, a guest might have used the man's computer to download the files and store them on a hard drive he didn't own. Or the hard drives containing the files might not be among the ones the police seized. "Feldman's act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with 'reasonably particularity'-namely, that Feldman has personal access to and control over the encrypted storage devices," Judge Callahan wrote. "Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination."

top

FBI Denied Permission to Spy on Hacker Through His Webcam (Ars Technica, 24 April 2013) - A federal magistrate judge has denied (PDF) a request from the FBI to install sophisticated surveillance software to track someone suspected of attempting to conduct a "sizeable wire transfer from [John Doe's] local bank [in Texas] to a foreign bank account." Back in March 2013, the FBI asked the judge to grant a month-long " Rule 41 search and seizure warrant " of a suspect's computer "at premises unknown" as a way to find out more about this possible violations of "federal bank fraud, identity theft and computer security laws." In an unusually-public order published this week , Judge Stephen Smith slapped down the FBI on the grounds that the warrant request was overbroad and too invasive. In it, he gives a unique insight as to the government's capabilities for sophisticated digital surveillance on potential targets. According to the judge's description of the spyware, it sounds very similar to the RAT software that many miscreants use to spy on other Internet users without their knowledge. According to the 13-page order, the FBI wanted to "surreptitiously install data extraction software on the Target Computer. Once installed, the software has the capacity to search the computer's hard drive, random access memory, and other storage media; to activate the computer's built-in camera; to generate latitude and longitude coordinates for the computer's location; and to transit the extracted data to FBI agents within the district." According to the judge's order (PDF), the FBI has no idea where the suspect actually is, but noted that the "IP address of the computer accessing Doe's account resolves to a foreign country." [Polley: Read the Magistrate's order - fascinating.]

top

Once Under Wraps, Supreme Court Audio Trove Now Online (NPR, 24 April 2013) - On Wednesday, the U.S. Supreme Court heard oral arguments in the final cases of the term, which began last October and is expected to end in late June after high-profile rulings on gay marriage, affirmative action and the Voting Rights Act. Audio from Wednesday's arguments will be available at week's end at the court's website , but that's a relatively new development at an institution that has historically been somewhat shuttered from public view. The court has been releasing audio during the same week as arguments only since 2010. Before that, audio from one term generally wasn't available until the beginning of the next term. But the court has been recording its arguments for nearly 60 years, at first only for the use of the justices and their law clerks, and eventually also for researchers at the National Archives, who could hear - but couldn't duplicate - the tapes. As a result, until the 1990s, few in the public had ever heard recordings of the justices at work. But as of just a few weeks ago, all of the archived historical audio - which dates back to 1955 - has been digitized, and almost all of those cases can now be heard and explored at an online archive called the Oyez Project . The archived cases range from the legally technical to historic, including landmark rulings like Loving v. Virginia , the 1967 decision that a state's ban on interracial marriages was unconstitutional; Roe v. Wade , the 1973 decision declaring a woman's constitutional right to an abortion; and Bush v. Gore , the case that ended vote-counting in Florida and effectively handed the 2000 presidential election to George W. Bush.

top

Sanctions Against Iran Will Hit Samsung Phone Users (Ars Technica, 25 April 2013) - Samsung has informed its mobile phone users in Iran that it will no longer be providing access to the company's app store as of May 22, 2013. The move comes as a result of the ever-increasing sanctions that Western countries are imposing as a punishment for Iran's alleged nuclear weapons program; Tehran has continuously denied the existence of such a program. Samsung is one of the few manufacturers to provide phones to Iranians in the Persian language. Nokia Siemens pulled out of the country last year.

top

Businesses Take a Cautious Approach to Disclosures Using Social Media (NYT, 26 April 2013) - Zynga's latest quarterly earnings report, released on Wednesday, came in the typical format and was accompanied with the usual financial tables investors expect. But the social gaming company that counts FarmVille among its games included a new addition: a 204-word paragraph encouraging investors to check its corporate blog and Facebook and Twitter pages for regular news updates. It was just one of dozens of companies taking advantage of newly clarified rules from the Securities and Exchange Commission that have now blessed the use of social media sites to disclose financial information. Although social networks have proliferated for years and the public more readily turns to Twitter than the S.E.C.'s Edgar Web portal for updates, the agency just a few months ago was still evaluating whether using newer outlets would violate its rules. Even with the updated guidelines, uncertainty over what exactly the commission will allow has meant that many companies, and their legal teams, are playing it safe this earnings season. For instance, when General Electric released its earnings last Friday, the company mentioned its Twitter and Facebook accounts for the first time, noting that they "contain a significant amount of information about G.E., including financial and other information for investors." A quick check showed that G.E. has at least 10 different Facebook pages and 10 different Twitter feeds . A company spokesman, Seth Martin, however, said the conglomerate would continue to rely on news releases to communicate material information. "While we currently have no plans to disseminate material information using social media, we will comply with S.E.C. guidance as it evolves," Mr. Martin said. In practice, corporations are experimenting with a wide variety of policies. In its earnings release last week, AutoNation listed five different places where investors could find information about the company, including the Facebook and Twitter feeds of its chief executive, Mike Jackson. Netflix itself listed in a securities filing five different places where investors should check regularly for more information. Among them: its corporate blog and Twitter feed, as well as the chief executive's personal Facebook page. Glen Ponczak, a vice president for investor relations at the manufacturer Johnson Controls , said that the company had started posting information on Twitter several weeks before the S.E.C. outlined its new policy on social media, but that it was very much in experimental mode. On Twitter, the company posted a link to its earnings call, but did not post any updates from the earnings call.

top

NOTED PODCASTS

"No Time Is There -- The Digital Universe and Why Things Appear To Be Speeding Up" (George Dyson at the Long Now Foundation; 19 March 2013; 91 minutes) - When the digital universe began, in 1951 in New Jersey, it was just 5 kilobytes in size. "That's just half a second of MP3 audio now," said Dyson. The place was the Institute for Advanced Study, Princeton. The builder was engineer Julian Bigelow. The instigator was mathematician John von Neumann. The purpose was to design hydrogen bombs. Bigelow had helped develop signal processing and feedback (cybernetics) with Norbert Wiener. Von Neumann was applying ideas from Alan Turing and Kurt Gödel, along with his own. They were inventing and/or gates, addresses, shift registers, rapid-access memory, stored programs, a serial architecture-all the basics of the modern computer world, all without thought of patents. While recuperating from brain surgery, Stanislaw Ulam invented the Monte Carlo method of analysis as a shortcut to understanding solitaire. Shortly Von Neumann's wife Klári was employing it to model the behavior of neutrons in a fission explosion. By 1953, Nils Barricelli was modeling life itself in the machine-virtual digital beings competed and evolved freely in their 5-kilobyte world * * * [Polley: majestic, sweeping exposition on the evolution of computation, and the people behind the events. Wonderful. Note: NOT aimed at a lawyer-audience.]

top

RESOURCES

Codes of Conduct for Multinational Corporations: An Overview (Congressional Research Service, 16 April 2013) - "The U.S. economy has grown increasingly interconnected with other economies around the world, a phenomenon often referred to as globalization. As U.S. businesses expand globally, however, various groups across the social and economic spectrum have expressed their concerns over the economic, social, and political impact of this activity. Over the past 20 years, multinational corporations and nations have adopted voluntary, legally enforceable, and industry specific codes of conduct, often referred to broadly as corporate social responsibility (CSR), to address many of these concerns. Recent events, primarily the 2008-2009 financial crisis and related work by major international organizations, spurred Congress and governments in Europe to increase their regulation of financial firms. Indeed, the growing presence and influence of multinational corporations in the production of goods and services and in international trade through value chains has prodded governments to adopt measures that enhance the benefits of such activities through codes of conduct. Congress will continue playing a pivotal role in addressing the various issues regarding internationally applied corporate codes of conduct."

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Streisand Sues Web Site, Says Privacy Violated (MercuryNews.com, 30 May 2003) -- Barbra Streisand thinks that people, people who fly past her house with cameras, are the nosiest people in the world. Claiming her privacy was violated, the diva actress and singer has filed a $10 million lawsuit against Silicon Valley millionaire and environmentalist Ken Adelman. The suit demands that he remove an aerial photograph of her oceanfront Malibu mansion from his Web site, www.californiacoastline.org. Adelman, a Watsonville resident who owns four electric cars and the largest collection of solar panels on any home in California, made national news six months ago when he and his wife, Gabrielle, photographed the entire California coastline from a small helicopter -- one picture every 500 feet -- and put it on the site. The site now contains 12,200 photos featuring everything from the Golden Gate Bridge to Hearst Castle. It has won praise from the Sierra Club and other environmental groups as a way to document violations of coastal building laws, as well as erosion and other natural changes. But Streisand, in a lawsuit filed in Los Angeles County Superior Court, says the site violates California's ``anti-paparazzi" law. The suit notes that Adelman did not ask permission to take a photo of her house, which is identified on the Web site. And because he took it from a helicopter with a Nikon digital camera, his photo shows details -- from her swimming pool to lawn furniture -- that cannot be seen from the road or the beach below. ``What Barbra seeks to vindicate is a basic right of privacy," said her attorney, Rex Glensy, of Santa Monica. [Editor in 2013: the origins of the term " The Streisand Effect "]

top

CIA Developing Software to Scour Photos (AP, 3 June 2003) -- The CIA is bankrolling efforts to improve technology designed to scour millions of digital photos or video clips for particular cars or street signs or even, some day, human faces. The innovative software from fledgling PiXlogic LLC of Los Altos, Calif., promises to help analysts make better use of the CIA's enormous electronic archives. Analysts also could be alerted whenever a helicopter or other targeted item appeared in a live video broadcast. PiXlogic plans to announce Wednesday that the CIA's venture-capital organization, In-Q-Tel, has invested an unspecified amount to help the company improve the software. In-Q-Tel - named for "Q," the fictional inventor of fanciful spy gadgetry for James Bond - makes about a dozen such investments annually with roughly $35 million it receives from the CIA's Directorate of Science and Technology. In-Q-Tel was created in February 1999 and has gained favorable reviews from Capitol Hill.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose . top