Saturday, May 18, 2013

MIRLN --- 28 April - 18 May 2013 (v16.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Typosquatting Claims Against Security Researcher Are Legally Complicated (Eric Goldman's blog, 27 April 2013) - Kenzie is a security researcher who has registered numerous domain names that are typographic errors of well-known trademarks (e.g., mastercard, mcdonalds, newscorp, mcafee, macworld, monster, pcworld). He points the domain names to the actual sites in question (e.g., mcdonalds points to mcdonalds.com), but he is looking to demonstrate how these typo domains are used for "social engineering" attacks. Kenzie did not offer the domain names for sale, did not read the emails intended for the subject organization, and generally kept his whole scheme out of the public eye. Upon demand, he also offered to transfer the domain names to the organizations in question. Nevertheless he was sued by Gioconda Law Group for registering Giocondolaw.com (with "o" instead of "a"). In response to Gioconda's complaint, Kenzie, proceeding pro se, asserted a variety of defenses, including a critique of American privacy law. Gioconda moved for judgment on the pleadings. The court struggles with the application of the Anticybersquatting Consumer Protection Act (ACPA) factors to this case. On the one hand, this is clearly not a case where the registrant is trying to profit by selling back the domain name. On the other hand, the court says, all non-commercial uses are not necessarily exempt from the ACPA. [Not a particularly speech friendly position.] Ultimately, the court says that it's not a case that can be resolved on the pleadings: "Defendant's alleged ideological, scholarly, and personal motives for squatting on the [domain name], while perhaps idiosyncratic, do not fall within the sphere of conduct targeted by the ACPA's bad faith requirement. If anything, given that defendant aims to both influence plaintiff's behavior and shape public understanding of what he perceives to be an important vulnerability in cyber security systems, this case arguably falls closer to cases involving parody and consumer complaint sites designated to draw public attention to various social, political, or economic issue." This is an interesting case that highlights the problems faced by security researchers generally. While the risk of liability here is less than what security researchers generally face (e.g., liability under the Computer Fraud and Abuse Act), it still shows a judge reluctant to grant the researcher's conduct full protection as a non-commercial, First Amendment-protected venture. Case is Gioconda Law Group v. Kenzie, 2012 US Dist LEXIS 187801 (S.D.N.Y. Apr. 23, 2013)

SO THAT'S WHAT "RAND" MEANS?: A Brief Report on the Findings of Fact and Conclusions of Law in Microsoft v. Motorola (Patently-O, 27 April 2013) - In a meticulous 207-page opinion released on April 25, Judge James Robart in the Western District of Washington has crafted the first-ever judicial determination of a "reasonable and nondiscriminatory" (RAND) royalty rate for patents essential to industry standards. To some observers, the dense opinion (captioned "Findings of Fact and Conclusion of Law") may be nothing more than another bit of procedural arcana in the interminable litigation over smart phone patents (summarized here), this time in the battle between Microsoft and Motorola (now owned by Google). But for followers of industry standards, Judge Robart's opinion was a highly-anticipated and desperately-needed attempt to establish basic guidelines for the interpretation of the RAND licensing commitments that pervade industry standardization bodies. Judge Robart's opinion is important, not only because it resolves several highly contentious issues between Microsoft and Motorola, but because it provides a more general framework for analyzing RAND disputes in the future. At its heart, the bulk of Judge Robart's opinion is a fairly conventional Georgia-Pacific analysis of the "reasonable royalty" rates applicable to Motorola's patents. He spends a considerable amount of time analyzing comparable licensing transactions and determining their applicability to a hypothetical licensing negotiation between the parties. But Judge Robart makes significant modifications to the traditional Georgia-Pacific analysis in order to adapt it to the assessment of RAND royalty rates (which are related to, but different than, the "reasonable royalties" that serve as a measure of damages in patent infringement suits) (Para. 87). Here are some of the important observations that Judge Robart makes in this regard * * *

Good Morning, Captain: Open IP Ports Let Anyone Track Ships on Internet (Ars Technica, 29 April 2013) - While digging through the data unearthed in an unprecedented census of nearly the entire Internet, researchers at Rapid7 Labs have discovered a lot of things they didn't expect to find openly responding to port scans. One of the biggest surprises they discovered was the availability of data that allowed them to track the movements of more than 34,000 ships at sea. The data can pinpoint ships down to their precise geographic location through Automated Identification System receivers connected to the Internet. The AIS receivers, many of them connected directly to the Internet via serial port servers, are carried aboard ships, buoys, and other navigation markers. The devices are installed at Coast Guard and other maritime facilities ashore to prevent collisions at sea within coastal waters and to let agencies track the comings and goings of international shipping. Rapid7 security researcher Claudio Guarnieri wrote in a blog post on Rapid7's Security Street community site that he, Rapid7 Chief Research Officer H.D. Moore, and fellow researcher Mark Schloesser discovered about 160 AIS receivers still active and responding over the Internet. In 12 hours, the trio was able to log more than two gigabytes of data on ships' positions -- including military and law enforcement vessels. [Polley: related story: What Happened When One Man Pinged the Whole Internet (MIT Technology Review, 26 April 2013)]

EFF Surveys Major Tech Companies' Privacy and Transparency Policies (EFF, 30 April 2013) - Today the Electronic Frontier Foundation (EFF) releases its third annual report, "Who Has Your Back?," which looks at major technology service providers' commitment to users' rights in the face of government data demands. EFF's report examines 18 companies' terms of service, privacy policies, advocacy, and courtroom track records, awarding up to six gold stars for best practices in categories like "require a warrant for content," "tell users about government data demands," and "publish transparency reports." "Transparency reports have become an industry standard practice among major technology companies since we started issuing this report in 2011," said EFF Senior Staff Attorney Marcia Hofmann. "Through those reports, we've learned more about law enforcement requests for user data. We publish this annual report to encourage companies to let users know how data flows to the government, and to encourage companies to stand up for their users." EFF's report shows that more and more Internet companies are formally promising to give users notice about law enforcement requests for information unless prohibited by law or court order. We also found a dramatic increase in the number of companies publishing law enforcement guidelines for making data requests. This year, two companies -- Twitter and Sonic.net -- received a full six stars, while Verizon and MySpace earned no stars.

Newspapers Post Gains in Digital Circulation (NYT, 30 April 2013) - The nation's newspapers suffered a slight decline in total circulation over the last six months compared with the same period the year before, but they benefited from an increase in digital subscriptions, which now make up nearly 20 percent of all daily circulation. "Overall circulation industrywide is flat and digital is growing," said Neal Lulofs, an executive vice president with the Alliance for Audited Media, which released the figures on Tuesday. "Newspapers are engaging with readers in a variety of media types, wherever and whenever." The 593 audited daily newspapers had a 0.7 percent daily circulation decline, the group reported. The Wall Street Journal had the highest circulation, at 2,378,827, a 12.3 percent jump from the same time the year before. The New York Times overtook USA Today for second place with a circulation of 1,865,318, a 17.6 percent rise from a year ago. USA Today's circulation was down 7.9 percent, dropping to 1,674,306. The Los Angeles Times and New York Daily News followed in fourth and fifth places. The figures include both print and digital subscriptions. For the 519 Sunday newspapers audited, total circulation declined 1.4 percent. The New York Times ranked first with an average circulation of 2,322,429, a 15.9 percent increase from the same time the year before. The Houston Chronicle ranked second, despite a 5.8 percent decline to 1,042,389. The Los Angeles Times was third; its circulation remained essentially flat at 954,010.

NIST Reworks Cyber Guidelines for the Hacking Era (Nextgov, 30 April 2013) - The National Institute of Standards and Technology has rewritten federal cybersecurity standards for the first time in nearly a decade to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats. The 457-page government computer security bible, officially called "SP (Special Publication) 800-53," has not undergone a major update since its inception in 2005. That was long before the rise of advanced persistent threats -- infiltrations that play off human failings to linger in systems until finding sensitive data. Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments. Congressional reports indicate that foreign adversaries have attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by "using blind or filtered buys." Agencies also should offer incentives to vendors that provide transparency into their processes and security practices, or vet the processes of subcontractors. NIST broaches the controversial approach to "restrict purchases from specific suppliers or countries," which U.S. technology firms, even those who have been hacked, say might slow installations. The new guidelines also cover the challenges of web-based or cloud software, insider threats and privacy controls. There are considerations specific to employees using personal devices for work, commonly referred to as BYOD, or "bring your own device." Recommended restrictions include using cloud techniques to limit processing and storage activities on actual government systems. NIST also advises that agencies consult the Office of the General Counsel regarding legal uncertainties, such as "requirements for conducting forensic analyses during investigations after an incident."

US Regulators Look at Dealing with Social Media (NBC, 30 April 2013) - A week after hackers broke into The Associated Press' Twitter feed and roiled financial markets, federal regulators say they need to find ways to deal with the impact of social media. Members of the Commodity Futures Trading Commission didn't outline immediate action Tuesday. CFTC Commissioner Bart Chilton suggested they consider imposing tougher cybersecurity rules for investment firms and others that trade. Firms could be held accountable and sanctioned if their security systems were inadequate to prevent a breach. At a meeting of an advisory panel, Commissioner Scott O'Malia said regulators need to begin figuring out how to respond to social media.

Washington State Students Save $5.5M With Open Courseware (InsideHigherEd, 1 May 2013) - Students at the state of Washington's 34 community and technical colleges will save hundreds of thousands of dollars a year because of low-cost textbooks produced by the state's Open Course Library, the college system said this week. The library, which received funding from the state legislature and the Bill & Melinda Gates Foundation, spent $1.8 million to develop low-cost course material, including textbooks of no more than $30, for 81 common courses. The effort has already saved students $5.5 million since fall 2011, according to an analysis by The Student Public Interest Research Groups, an advocacy organization.

- and -

Major Publishers Go MOOC (InsideHigherEd, 10 May 2013) - Several major publishers will experiment with offering free course materials to Coursera users enrolled in the Silicon Valley-based company's massive open online courses. The partnership, which involves Cengage Learning, Macmillan Higher Education, Oxford University Press, SAGE, and Wiley will deliver material using Chegg, a company that offers an e-book platform. According to Coursera, while professors teaching MOOCs on its platform have been able to assign free high-quality content, they will now be able to work with publishers to "provide an even wider variety of carefully curated teaching and learning materials at no cost to the student." Coursera has, however, generated some revenue from the Amazon.com affiliates program wherein users buy books suggested by professors.

Secret Bitcoin Mining Code Added to E-Sports Software Sparks Outrage (Ars Technica, 1 May 2013) - Competitive video gaming community E-Sports Entertainment Association secretly updated its client software with Bitcoin-mining code that tapped players' computers to mint more than $3,600 worth of the digital currency, one of its top officials said Wednesday. The admission by co-founder and league administrator Eric 'lpkane' Thunberg came amid complaints from users that their ESEA-supplied software was generating antivirus warnings, computer crashes, and other problems. On Tuesday, one user reported usage of his power-hungry graphics processor was hovering in the 90-percent range even when his PC was idle. In addition to consuming electricity, the unauthorized Bitcoin code could have placed undue strain on the user's hardware since the mining process causes GPUs to run at high temperatures.

ABA Opinion Cautions Judges to Avoid Ethics Pitfalls of Social Media (ABA Journal, 1 May 2013) - Judges don't have to sit by the now-proverbial telephone hoping to make contact with the rest of the world. Instead, they may join the growing numbers of people who participate in electronic social networking. That was the conclusion reached by the ABA Standing Committee on Ethics and Professional Responsibility in its Formal Opinion 462 (Judge's Use of Electronic Social Networking Media), issued on Feb. 21. (ABA ethics opinions are identified by the numeric order in which they are issued, but Opinion 462 (PDF) is the first one since the 1980s that does not also include a two-digit prefix designating the year of issuance.) In its opinion, the ethics committee notes that electronic social media "has become an everyday part of worldwide culture." The opinion describes ESM as Internet-based electronic social networking sites that require an individual to affirmatively join and accept or reject connection with particular individuals. "Social interactions of all kinds, including ESM, can be beneficial to judges to prevent them from being thought of as isolated or out of touch," states the committee, which analyzed the issue in the context of the ABA Model Code of Judicial Conduct. "When used with proper care, judges' use of ESM does not necessarily compromise their duties under the Model Code any more than use of traditional and less public forms of social connection such as U.S. mail, telephone, email or texting." But the opinion also urges judges to enter this particular electronic highway with extreme caution, for two primary reasons. First, while the Model Code of Judicial Conduct does not specifically address a judge's participation in electronic social media, states the opinion, "All of a judge's social contacts, however made and in whatever context, including ESM, are governed by the requirement that judges must at all times act in a manner 'that promotes public confidence in the independence, integrity and impartiality of the judiciary,' and must 'avoid impropriety and the appearance of impropriety.'" Those expectations are set forth in Rule 1.2 of the Model Code. The second reason for caution is the very nature of electronic social media. "Judges must assume that comments posted to an ESM site will not remain within the circle of the judge's connections," states the opinion. "Comments, images or profile information -- some of which might prove embarrassing if publicly revealed -- may be electronically transmitted without the judge's knowledge or permission to persons unknown to the judge or to other unintended recipients. Such dissemination has the potential to compromise or appear to compromise the independence, integrity and impartiality of the judge, as well as to undermine public confidence in the judiciary."

Coursera Enters Teacher Professional Development Market (InsideHigherEd, 1 May 2013) - Coursera, the Silicon Valley-based provider of massive open online courses, is entering the teacher education market. The company is partnering with teachers colleges and other educational institutions to provide online professional development courses for K-12 teachers and parents. The company described the new effort as its first foray into early childhood and K-12 and its first partnerships with non-degree-bearing institutions, including art museums. With this, the company may be eyeing a professional development market that includes about 3.7 million teachers in America plus millions more across the world. "We want to help K-12 students by helping their teachers," Coursera co-founder Andrew Ng said in a statement announcing the new program. "Many schools just don't have the resources to provide teachers and parents the training and support they need. By providing free online courses on how to teach, we hope to improve this." Coursera's partners in the venture are University of Washington's college of education; University of Virginia's school of education; Johns Hopkins University's school of education; Match Education's Sposato Graduate School of Education; Peabody College of education and human development, Vanderbilt University; Relay Graduate School of Education; University of California at Irvine Extension; the American Museum of Natural History; The Commonwealth Education Trust; Exploratorium; The Museum of Modern Art; and New Teacher Center.

Colombia's Data Protection Law Takes Effect (Steptoe, 2 May 2013) - Colombia's data protection law, officially published on October 18, 2012, as Statute Law No. 1581, is now in effect. Modeled after the EU Data Protection Directive, the law introduces several requirements for any entity controlling or processing personal data within Colombia (with some exceptions). Colombia is the latest Latin American country to enact personal data protection laws modeled on the EU framework, joining Argentina, Costa Rica, Mexico, Peru, and Uruguay. Notably, the Colombian law (similar to some of the other Latin American laws) lacks a breach notification provision. The Colombian government expects to issue implementing regulations soon.

Florida Supreme Court Deepens Lower Court Split on Searching a Cell Phone Incident to Arrest (Volokh Conspiracy, 2 May 2013) - I recently mentioned my new short essay, Foreword: Accounting for Technological Change, 36 Harv. J. L. & Pub. Pol'y 403 (2013), about how the Supreme Court should resolve the lower court division on the Fourth Amendment rule for searching a cell phone incident to arrest. In light of that, I thought I would flag this morning's decision by the Florida Supreme Court deepening the lower court division. In the new case, Smallwood v. State, the court ruled that the police can routinely seize a cell phone incident to arrest, but they generally need a warrant to search it absent a demonstrated risk that evidence on the phone could be destroyed after it had been seized. Here are the two key passages from Smallwood: [W]e . . . conclude that the electronic devices that operate as cell phones of today are materially distinguishable from the static, limited-capacity cigarette packet in Robinson, not only in the ability to hold, import, and export private information, but by the very personal and vast nature of the information that may be stored on them or accessed through the electronic devices. Consistent with this conclusion, we hold that the decision of the United States Supreme Court in Robinson, which governed the search of a static, non-interactive container, cannot be deemed analogous to the search of a modern electronic device cell phone. * * *

China's Cyberspies Outwit Model for Bond's Q (Bloomberg, 2 May 2013) - Among defense contractors, QinetiQ North America (QQ/) is known for spy-world connections and an eye-popping product line. Its contributions to national security include secret satellites, drones, and software used by U.S. special forces in Afghanistan and the Middle East. Former CIA Director George Tenet was a director of the company from 2006 to 2008 and former Pentagon spy chief Stephen Cambone headed a major division. Its U.K. parent was created as a spinoff of a government weapons laboratory that inspired Q's lab in Ian Fleming's James Bond thrillers, a connection QinetiQ (pronounced kin-EH-tic) still touts. QinetiQ's espionage expertise didn't keep Chinese cyber-spies from outwitting the company. In a three-year operation, hackers linked to China's military infiltrated QinetiQ's computers and compromised most if not all of the company's research. At one point, they logged into the company's network by taking advantage of a security flaw identified months earlier and never fixed. "We found traces of the intruders in many of their divisions and across most of their product lines," said Christopher Day, until February a senior vice president for Verizon Communications Inc. (VZ)'s Terremark security division, which was hired twice by QinetiQ to investigate the break-ins. "There was virtually no place we looked where we didn't find them."

ACLU, EFF Sue For License Plate Record Disclosure in Los Angeles (Ars Technica, 6 May 2013) - For months now, we've been following the rapid expansion of license plate readers across America. The growth is fueled by federal law enforcement grants that allow for such data to be instantly shared with federal authorities. We've published stories showing how people crossing the US-Mexico border are routinely subject to license plate scans, which is, in turn, shared with insurance companies. An intrepid data scientist claimed to have found the location of Minneapolis' stationary LPRs based on studying public records of the complete log file that he had requested. (Months later, the state law allowing for such access was changed.) As recently as March 2013, Piedmont, a rich Northern California town that is completely surrounded by Oakland, moved toward placing such devices at its entire city border with Oakland. On Monday, two Californian civil liberties groups filed a lawsuit against the Los Angeles Police Department (LAPD) and the Los Angeles Sheriff's Department (LASD) in an attempt to compel these agencies to release a week's worth of automated license plate reader (ALPR, or sometimes, LPR) data from August 2012. The non-profits claim that these agencies are required to do so under the California Public Records Act. In late July 2012, the American Civil Liberties Union and its affiliates sent requests to local police departments and state agencies across 38 states to request information on how LPRs are used.

Viewing Cached Copyrighted Content Isn't Infringing, UK Supreme Court Says (IP Watch, 7 May 2013) - Internet users who merely read or view copyright-protected webpages enjoy a temporary copying exception under European Union and United Kingdom law and do not need permission from rights holders, the UK Supreme Court said in a 17 April ruling. The case, Public Relations Consultants Association Limited [PRCA] v. The Newspaper Licensing Agency Limited and others, "raises an important question about the application of copyright law to the technical processes involved in viewing copyright materials on the internet," the court said: Whether looking at a cached copy of protected content, without downloading or printing it, amounts to infringement. Lower courts held that it does, a finding unanimously rejected by the Supreme Court. However, acknowledging that the "issue has a transnational dimension and that the application of copyright law to internet use has important implications for many millions of people across the EU making use of what has become a basic technical facility," the court decided to ask the European Court of Justice for a preliminary ruling "so that this critical point may be resolved in a manner which will apply uniformly across the European Union." The Supreme Court judgment "is absolutely right in ensuring that acts of end users which were perfectly lawful in the analogue world remain lawful in the digital world," said Baker & McKenzie London Head of Intellectual Property Michael Hart, who represented the PRCA. "Any other decision would have severely restricted perfectly reasonable consumer Internet use," he said in a press release. The decision is available here [pdf].

Is the U.S. Government Recording and Saving All Domestic Telephone Calls? (Bruce Schneier, 7 May 2013) - I have no idea if "former counterterrorism agent for the FBI" Tom Clemente knows what he's talking about, but that's certainly what he implies here: More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18. What exactly the two said remains under investigation, the sources said. Investigators may be able to recover the conversation, said Tom Clemente, a former counterterrorism agent for the FBI. "We certainly have ways in national security investigations to find out exactly what was said in that conversation," he told CNN's Erin Burnett on Monday, adding that "all of that stuff is being captured as we speak whether we know it or like it or not. It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her," he said. I'm very skeptical about Clemente's comments. He left the FBI shortly after 9/11, and he didn't have any special security clearances. My guess is that he is speaking more about what the NSA and FBI could potentially do, and not about what they are doing right now. And I don't believe that the NSA could save every domestic phone call, not at this time. Possibly after the Utah data center is finished, but not now. They could be saving all the metadata now, but I'm skeptical about that too.

When Comments Turn Ugly: Newspaper Websites and Anonymous Speech (DMLP, 7 May 2013) - Dan Kennedy has reported on an interesting anonymous speech issue brewing (or perhaps already boiled over) in the town of Cohasset, Massachusetts. It seems that the board of selectpeople of Cohasset has been concerned recently about ad hominem attacks on their members, delivered through the medium of the comment sections of the websites of the Quincy Patriot Ledger and the Cohasset Mariner. The board has debated issuing a subpoena through the Town Counsel to identify the commenters, allegedly to determine whether the comments were being posted from computers owned by the town in violation of Cohasset's computer usage policy. One can debate whether this stated motivation is a pretext for an attempt to pursue the commenters based on the content of what they wrote; according to the Patriot Ledger, Acting Cohasset Town Manager Michael Milanoski has stated that "there is no indication that any employee was using any town employee computer to blog at all." However, the issue is potentially now moot, because GateHouse Media, owner of the Ledger and Mariner, has complied with subpoenas (see sidebar in linked story) issued in a separate libel suit filed in Quincy District Court by a former selectperson for the e-mail and IP addresses of at least some of these commenters. One imagines that the plaintiff in this suit would be willing to share the results of her subpoenas with the current board. To be sure, GateHouse was within its rights to respond to the subpoenas. The company is bound by nothing other than its own privacy policy in preserving the anonymity of its users; that policy clearly states: "We may disclose information you have provided to us if we have a good faith belief that such disclosure is necessary to ... comply with the law, government action or with legal process served on us[.]" There is no obligation on the part of GateHouse to challenge subpoenas for information about its users, and according to the Quincy District Court Civil Clerk's Office, as of May 7, 2013, there were no documents in the court file (docket no. 13-CV-646) indicating that any attempt to quash a subpoena had been filed. We cannot tell if GateHouse nevertheless made an attempt to inform its users about the subpoenas, and the users simply failed to object. Massachusetts does not have a statute such as Virginia does, which requires an ISP that receives a subpoena for a user's identity to notify the user in a timely manner. Nevertheless, this situation raises serious concerns. The First Amendment protects the right to speak anonymously, and that right should prevent courts from casually compelling the unmasking of anonymous or pseudonymous speakers in online forums. That right would be even more directly implicated if a government body such as a board of selectmen attempted to force disclosure of information that would lead to revelation of the users' identity, on a basis that could easily be a pretext for content-based concerns (and one must wonder why this concern over misuse of town computers did not result in subpoenas in connection with previous comments).

Protecting Privacy or Enabling Fraud? Employee Social Media Password Protection Laws May Clash with FINRA Rules (Proskauer, 8 May 2013) - As a growing number of states pass legislation which will protect individuals' social media accounts from employer scrutiny, they have encountered a surprising adversary - FINRA and other securities regulators. To date, at least six states have enacted social media employee privacy laws (which were blogged about here, here, here, and here) and upwards of thirty-five states have considered legislation since the beginning of 2013. Washington State may soon join the ranks with SB 5211, a bill unanimously passed by both chambers of Washington legislature on April 27, 2013, which now awaits the Governor's signature. Social media password protection laws, although unique to each state, generally restrict employers from requesting or requiring that employees or applicants provide their social media user names, passwords, and account information. Supporters believe the laws are necessary to protect employee and prospective employee privacy and to prevent against unlawful employer action in response to an employee's social media use. FINRA, the Financial Industry Regulatory Authority, fears that the new employee privacy laws may directly conflict with securities rules and threaten investor protection. With an increasing number of financial firms taking to Facebook and Twitter to interact with investors and give financial advice, FINRA has set forth various guidelines governing social media use. Under FINRA rules, securities firms must "adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised," and broker-dealers must be able to "retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person." FINRA Regulatory Notice 11-39 (August 2011). According to FINRA, if the employee of a broker-dealer is engaging in business communications over a social networking site, the broker-dealer must have access to the account for general monitoring and for its records. Broker-dealers must also be able to freely follow up on red flags, or misuse of an account. FINRA fears that the adoption of social media employee privacy laws may conflict with monitoring and reporting requirements and could force some employers into a lose-lose situation -- violate state law or violate a FINRA rule. FINRA worries that employers who choose the former will increase investor risk and the potential for securities fraud. FINRA has sent letters to lawmakers in approximately ten states seeking carve-outs to social media employee privacy laws for the financial services industry. Many of the laws already include narrow exemptions, which allow for employers to require disclosure if an employee's alleged misconduct has risen to a certain level. FINRA does not appear satisfied with these exemptions, which may be too limited for broker-dealers to be in full compliance with monitoring, recording and supervision requirements. California has rejected FINRA's request for an exception for the financial services industry, but it remains to be seen how the states will react in general.

"Newsgathering in Massachusetts" Guide Now Available Online (DMLP, 8 May 2013) - The Digital Media Law Project is pleased to announce the online release of its new legal resource, Newsgathering in Massachusetts, co-produced with the Harvard Law School Cyberlaw Clinic. Our new guide is a PDF document formatted for booklet printing, and provides background legal information on the rights of independent and institutional journalists to collect information in Massachusetts. It covers core topics in Massachusetts newsgathering law, including: open meetings and public records laws; access to courts and courtrooms; recording courtroom proceedings; recording the activities of public officials in public spaces; and protection for anonymous sources.

Cybersecurity Remains A Top Concern Facing Corporate Directors and General Counsel (Hogan Lovells, 9 May 2013) - For the second year in a row, corporate directors and general counsel have ranked cybersecurity as a top-of-mind concern. On May 8, Corporate Board Member and FTI Consulting released the results of their 2013 Law in the Boardroom survey of over 550 directors and general counsel. As the report notes, "the newest area of major concern continues a trend noted in last year's study: data security and IT risk is one of the most significant issues for both directors and general counsel." Hogan Lovells partner Harriet Pearson explained why cybersecurity has become a top-of-mind concern as part of her article on "Cybersecurity: the Corporate Counsel's Agenda," which presented a ten-point agenda for managing cyber risk. The survey found that data security was a close second for both directors and general counsel on the list of issues that will keep them up at night. And more than a quarter of all respondents ranked cyber risk oversight as an area that will require their attention in 2013.

Indiana U. Approves Release of Kinsey Sex App (InsideHigherEd, 9 May 2013) - Indiana University last year approved -- and then quickly unapproved -- the release of a sex reporting app by its Kinsey Institute, long famous for cutting-edge sex research. Using the app, individuals could report promptly (and anonymously) on their own sexual activities, potentially giving researchers new information on exactly what people do and when and how they do it. The university denied it was being prudish and said it needed only to review privacy protocols. Following months of review, the university announced Wednesday that the app has again been approved for release -- with only one change. That change is that all reports will be placed on hold for geographically defined areas. Only when enough people from a given area respond so that reports could not be linked to any one individual will that information move into the database where it can be studied.

Weakness in Adobe ColdFusion Allowed Court Hackers Access to 160k SSNs (SC Magazine, 10 May 2013) - The Washington state Administrative Office of the Courts (AOC) has confirmed that attackers leveraged a previously repaired Adobe software bug to access its website and make off with hundreds of thousands of Social Security and driver's license numbers. Court officials on Thursday revealed that hackers definitively made off with 94 Social Security numbers, but that as many as 160,000 may have been compromised, alongside one million driver's license numbers. Wendy Ferrell, a spokeswoman for Washington state AOC, told SCMagazine.com that a previously patched vulnerability in Adobe's ColdFusion application server was used to carry out the attack. Adobe fixed the weakness that was exploited in January.

U.S. Cyberwar Strategy Stokes Fear of Blowback (Reuters, 10 May 2013) - Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers. The strategy is spurring concern in the technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks. That's because U.S. intelligence and military agencies aren't buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems. The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. [Polley: The best voice on the risks here is Chris Soghoian (@csoghoian); catch his Harvard podcast on the issue cited in MIRLN 15.17]

In Legal Fog, Kim Dotcom Removes 3D Gun Design (Computerworld, 13 May 2013) - Kim Dotcom has ordered the removal from his Mega file-storage service design plans for a controversial one-bullet plastic gun. The decision seems an unlikely one for Dotcom, who has become somewhat of an Internet folk hero for fiercely contesting criminal copyright infringement charges levied by U.S. prosecutors over his former Megaupload service. The legal uncertainty over the distribution of the CAD (computer-aided design) files by Defense Distributed led Dotcom to err on the side of caution while the legal issues around the weapon are discussed, his lawyer, Ira P. Rothken, said Monday. "I think it's fair to say that we don't need to do a very complex legal analysis to understand that we are dealing with an issue of first impression regarding printing plans for 3-D guns," Rothken said. Defense Distributed, based in Austin, Texas, removed links to design files for the plastic gun, dubbed the "Liberator," and other plastic weapon components including silencers from its website after a request from the U.S. State Department. The U.S. government said in a letter to Defense Distributed that it is reviewing if publishing the files violates weapons-export regulations. Defense Distributed's website now carries the notice: "DEFCAD files are being removed from public access at the request of the U.S. Department of Defense Trade Controls. Until further notice, the United States government claims control of the information." The company's website, defcad.org, had linked to the Liberator's CAD files on Mega. Rothken said defcad.org's link included the decryption key in the file's URL, which would allow anyone to view the files. A file uploaded to Mega is encrypted within a person's web browser before it is sent to Mega's servers. A password is required to decrypt files, but a user may choose to make a file public and accessible by including the encryption key within the browser's URL. 
[Polley: This is interesting on three different levels: (1) the deemed-export argument by the USG over public posting of such unproven designs for an item that might not be a "munition"; (2) the fact that Mega's userside-encryption of uploaded files STILL enabled Mega to find and remove the offending files; and (3) the applicability of US export rules to such content hosted apparently outside of the US. Pretty interesting deep-dive into some of these issues here: The Constitution And The 3D Printed Plastic Pistol (TechCrunch, 15 May 2013)]

E-books Now Make Up 1/5 of U.S. Book Sales (Mashable, 15 May 2013) - E-books are helping fuel overall growth in the publishing industry. According to BookStats figures released Wednesday by the Association of American Publishers (AAP) and the Book Industry Study Group (BISG), trade books generated $15 billion in revenue in 2012, up 6.9% from the year before. Trade publications include fiction and non-fiction books for adults, young adults and children, and do not include higher ed, K-12 and professional/scholarly volumes. Approximately one in five books sold were e-books, which collectively accounted for $3 billion, or also about a fifth, of all trade publishing revenue, up 44.2% from 2011. That growth was fueled in part by a sharp increase in sales of children's and young adult fiction, up 117% to $469 million. Adult fiction is still the dominant seller in the category however, accounting for $1.8 billion in revenue. It turns out that e-books are not cannibalizing hardcover and trade paperback sales, as publishers once feared, though mass market paperbacks - which are often published much later than their hardback counterparts, and sold mostly in more traditional retail environments like drugstores - have been negatively impacted. Hardcover sales were up 1.3% to $5.1 billion, and paperbacks were up 0.4% to $4.9 billion. BookStats did not have figures to share about mass market paperback sales at time of publication.

NOTED PODCASTS

Terminal Risk (ODNI, April 2013) - Interesting and useful 43 minute video from the Director of National Intelligence, NSA, and FBI on security for overseas travel, and other matters. (The iPhone voicemail vulnerability is troubling, and quite hard to solve.)

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Instant Messaging Leaves School for Office (New York Times, 11 March 2003) -- Instant messaging, long associated with teenagers staying up late to chat online with friends, is moving into the workplace with an impact that has started to rival e-mail and the cellphone. Less intrusive than a phone call and more immediate than e-mail, instant messaging is finding users far more quickly than e-mail did when it was first introduced, according to Forrester Research, a technology research firm in Cambridge, Mass. In the last year alone, Forrester said, the number of instant messages has grown by more than 50 percent, so that nearly one-third of American adults are now IM-ing, as it is called, with their children, clients, colleagues and each other. The growth is driven in part by the availability of free IM software on the Internet, as companies like Microsoft, AOL and Yahoo use it to lure customers to their other services. In addition, the first generation to grow up with instant messaging is bringing it with them into the workplace, unable to conceive of life without it. Partly as a result, a technology whose hallmarks have been smiley face icons, willful misspelling and an encyclopedia of acronyms (BEG = big evil grin, POS = parent over shoulder) is being hailed as a new productivity tool by grown-up operations like Wall Street investment banks and the Navy. At the same time, some companies are seeking to clamp down on the technology, which allows employees to message several dozen friends while gazing into their computer screens. Some companies limit IM use to within the enterprise, and keep records of the typed conversations that would otherwise disappear into the ether, casting what some avid IM users see as a pall over the free-wheeling nature of the medium.

Check 21 Becomes Law, Allows Speedier Electronic Settlements (Computerworld, 3 Nov 2003) -- In what will be a major technological change for the banking industry, President Bush last week signed into law the Check 21 bill, which allows banks to substitute electronic check images for paper checks for the clearance and settlement process. The bill paves the way for the industry to save billions of dollars and speed the processing of checks. The law calls for the use of "Image Replacement Documents" to be implemented within a year, but does not address the exchange of electronic images between banks in lieu of the original check. Bank IT managers say the success or failure of such systems, which will include branch-based scanning systems, data repositories and automated processing applications, will depend largely on changing customer attitudes. Doug Smith, senior vice president of planning and engineering at Bank of America Corp. in San Francisco, said the industrywide rollout of electronic check clearance and settlement technology will take years. But the rollout at the nation's top eight banks, which are known as the vanguard banks and comprise over half of the electronic clearing volume, will be implemented in the second half of 2004. "It's really a social issue. The check processing environment has been built around the comfort and security of handling a piece of paper," Smith said of the more than 42 billion checks cleared each year. "In a check imaging world, we'd give our customers a picture of that check. The customer's willingness to accept that is a social decision. It's really not a technology constraint." While Bank of America has check imaging systems already in place, allowing customers to view check images online, it does not yet have check clearing and settlement systems to handle the processing of more than 8 billion checks each year.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.