Saturday, June 08, 2013

MIRLN --- 19 May – 8 June 2013 (v16.08)

MIRLN --- 19 May - 8 June 2013 (v16.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


Lawsuit Says IRS Illegally Seized 60 Million Health Records (NextGov, 15 May 2013) - A lawsuit filed in California accuses the Internal Revenue Service of illegal seizure of 60 million electronic health care records belonging to 10 million Americans. The suit filed in the Superior Court of San Diego by Robert Barnes, a Malibu lawyer representing a corporate client named John Doe Co., charged that IRS agents raided the company on March 11, 2011, in a tax case and seized the medical records. Barnes alleged in the suit -- which was filed March 11, 2013, and surfaced Wednesday -- that the "medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns." The suit said the 15 IRS agents involved in the raid did not have a search warrant or subpoena for the medical records which "may concern the intimate medical records of every state judge in California, every state court employee in California, leading and politically controversial members of the Screen Actors Guild and the Directors Guild, and prominent citizens in the world of entertainment, business and government, from all walks of life." Lawsuit here.


EPIC Files Complaint Against Snapchat With FTC (LA Times, 17 May 2013) - A privacy watchdog group is going after Snapchat for deceiving users about self-destructing messages that don't actually self-destruct. The smartphone app has become popular with young people for sending messages that a few seconds later disappear. That clever disappearing act has made the Los Angeles start-up a hit with users and some prominent investors in Silicon Valley. But it turns out that photos sent over Snapchat have a longer shelf life than people think. They don't vanish -- at least not entirely -- and can be retrieved in some cases. The Electronic Privacy Information Center on Friday filed a complaint with the Federal Trade Commission. "Snapchat is the app that promises to delete photos but it doesn't," said Marc Rotenberg, EPIC's executive director. "We have no problem with apps that make photos vanish. But they should work as promised, and if they don't the Federal Trade Commission should investigate." Snapchat does warn users in its privacy statement: "Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient ... we cannot guarantee that the message contents will be deleted in every case."


Judge's Facebook Friendship With Victim's Parent Does Not Taint Proceeding (Venkat Balasubramani, 17 May 2013) - Youkers was convicted for tampering with evidence after he was indicted for assaulting his girlfriend who was pregnant with his child. He entered into a plea deal under which his prison sentence would be suspended and he would have to pay a fine. Three months after the deal, the State filed a motion to revoke the suspended sentence (and send Youkers to prison), contending that he violated the terms of his supervision. Youkers entered an "open plea of true" and sought leniency on the basis that while he did not previously have a stable place to live, he did now. The trial judge rejected his contentions and sentenced him to 8 years in prison. The judge also rejected his request for a new trial. Youkers appealed, and raised (among other issues) the fact that (1) the trial judge was Facebook friends with the victim's father and (2) in the context of the initial proceeding, the victim's father sent the trial judge an ex parte communication in the form of a Facebook message. The appeals court says none of this rises to the level of improper bias. Youkers v. Texas, No. 05-11-01407-CR (Tx. Ct. App. May 15, 2013) [pdf] [Polley: good discussion - worth reading.]


AP's Attempt At DRM'ing the News Shuts Down (TechCrunch, 17 May 2013) - Plenty of people rightly mocked the news a few years ago that the Associated Press was working on a plan to "DRM the news." The idea was to put some sort of licensing mechanism together to get news aggregators to pay to promote their news. This seemed incredibly dumb for a whole host of reasons. It added no value. Its only purpose was to limit the value for everyone in the system by putting a tollbooth where none needed to exist. When it finally launched last year to great fanfare in the newspaper world, under the name "NewsRight," we pointed out that, once again, it made no sense. Basically, the whole focus appeared to be on getting bloggers and aggregators to pay for a license they legally did not need. Since the launch... we heard absolutely nothing about NewsRight. There was a launch, with its newspaper backers claiming it was some huge moment for newspapers, and then nothing. Well, until now, when we find out that NewsRight quietly shut down. Apparently, among its many problems, many of the big name news organizations that owned NewsRight wouldn't even include their own works as part of the "license" because they feared cannibalizing revenue from other sources. So, take legacy companies that are backwards looking, combine it with a licensing scheme based on no legal right, a lack of any actual added value and (finally) mix in players who are scared of cannibalizing some cash cow... and it adds up to an easy failure.


- and -

Does Law Ratchet Infringe Bloggers' Copyrights? (Robert Ambrogi, 23 May 2013) - Yesterday, I wrote a post here about the debut of Law Ratchet, a site that aggregates legal news and blog posts. Afterwards, a reader emailed me asking a key question my post did not address - that of whether Law Ratchet is violating the copyrights of the publishers and bloggers whose stories it is picking up. For many of the articles Law Ratchet picks up, it is republishing them in full on its own site, complete with images. For example, yesterday Orin Kerr published a post on The Volokh Conspiracy titled, Peering Through A Window Next to A Front Door Held to Be A Fourth Amendment Search. Now compare Kerr's post as it appeared on Law Ratchet. It is there in full text - not a snippet, not a simple link. In some cases, however, Law Ratchet is displaying articles in a different way. For articles from certain "mainstream" news sources, Law Ratchet displays a bifurcated page. The top half of the page shows a summary of the article. The bottom half frames the original source page containing the full story. So is Law Ratchet violating copyright law by republishing these stories on its own site? Is this any different from what Google Reader does? For that matter, is Google Reader (or Google News) violating copyright law? The answer is not as straightforward as you might expect. Just recently, in The Associated Press v. Meltwater, a federal judge in New York ruled that the Meltwater media monitoring service infringed AP's copyright by scraping news stories from the web and providing excerpts to its subscribers. The judge rejected Meltwater's fair use defense, finding that Meltwater was simply capturing and republishing AP's content in order to make money from it. Law Ratchet would have an even weaker fair use defense, given that it is republishing entire articles just as they were originally published elsewhere.
But another defense to copyright infringement is that the republisher had an implied license to use the content. In the case of blogs, the argument has long been made that distributing the blog's content through an RSS feed constitutes a license to others to do what they may with the content. Eric Goldman discussed this in a post in 2005 * * *


Chinese Hackers Who Breached Google Gained Access to Sensitive Data, U.S. Officials Say (Washington Post, 20 May 2013) - Chinese hackers who breached Google's servers several years ago gained access to a sensitive database with years' worth of information about U.S. surveillance targets, according to current and former government officials. The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies. It's unclear how much the hackers were able to discover. But former U.S. officials familiar with the breach said the Chinese stood to gain valuable intelligence. The database included information about court orders authorizing surveillance - orders that could have signaled active espionage investigations into Chinese agents who maintained e-mail accounts through Google's Gmail service. Last month, a senior Microsoft official suggested that Chinese hackers had targeted the company's servers about the same time that Google's system was compromised. The official said Microsoft concluded that whoever was behind the breach was seeking to identify accounts that had been tagged for surveillance by U.S. national security and law enforcement agencies.


Court Finds Fantasy Stories Obscene (TechDirt, 20 May 2013) - Obscenity law and the First Amendment tend to run into each other from time to time and the whole "I know it when I see it" concept makes things a bit arbitrary in the best of situations. Still, it's pretty standard for people to assume questions of obscenity revolve around imagery -- still or video -- rather than written works. Text and stories often explore taboo subjects, but still are seen to have legitimate literary value. Stories like Vladimir Nabokov's Lolita involve somewhat horrifying concepts, but generally are still considered legitimate works of literature. In an age of easy creation for user-generated content, fan fiction and the like, it is not uncommon for things like slash fiction or related fan fiction to involve incredibly graphic scenes. Whether or not you see the appeal (and, personally, I don't get it at all), it's difficult to step aside and say that a particular form of storytelling should be judged as obscene and illegal. When it's purely fiction, and no one is being harmed or forced to participate and/or experience the work against their will, it is difficult to see what sort of harm has been caused. That is, perhaps, why it is "very rare" for there to be obscenity prosecutions for purely text-based works of fiction. Rare, but not unknown. Just recently a federal district court in Georgia ruled that a series of stories written or edited by Frank McCoy were obscene, and thus he violated 18 USC 1462 in "transporting" obscene works. McCoy challenged whether or not the stories themselves could be considered obscene. As you might imagine, the subject matter is not mainstream. It is definitely on the extreme. Just reading the descriptions from the court case, which I will not repeat here, made me cringe and feel extremely uncomfortable. We're talking about extremely taboo subjects that are somewhat horrifying even just to read. 
But, again, one could argue the same sorts of things about Lolita, or any number of other works. Should they, too, be deemed obscene? It seems like a dangerous slippery slope, especially when we're talking about purely written material. In this case, McCoy even had a distinguished English professor testify on his behalf that the works had "serious literary, artistic, political or scientific value."


Do LinkedIn Endorsements Violate Legal Ethics Rules? (ABA Journal, 21 May 2013) - Legal blogger Robert Ambrogi received an email alert this morning notifying him that an Internet acquaintance he's never met or spoken to had endorsed his litigation skills on LinkedIn. Ambrogi says that it is not uncommon for connections with no firsthand knowledge of his skills to endorse him on LinkedIn, a favorite social media site among business executives. MediaPost noted a recent survey of executives that found nine out of 10 of them said they used LinkedIn "often" or "very often." But Robert Ambrogi's LawSites was prompted to ask the question: Do these endorsements violate legal ethics? The answers he found varied and in some cases contradicted one another. Under the ABA Model Rule 7.1, a lawyer is not to make any false or misleading claims about his or her services. "If a lawyer permits an endorsement to remain on the lawyer's LinkedIn profile that the lawyer knows to be misleading, even if someone else posted the endorsement, that would seem to be a problem under Rule 7.1," Ambrogi wrote. Andrew Perlman, Suffolk University Law School professor and director of its Institute on Law Practice Technology and Innovation, raised the same Rule 7.1 questions as Ambrogi in a January post at Legal Ethics Forum (Perlman was chief reporter for the ABA Commission on Ethics 20/20). However, Michael Downey, former chair of the Illinois State Bar Association Standing Committee on Professional Conduct, said in an interview with Illinois Bar Journal that truthful endorsements are OK. Just because the endorser does not know you directly does not make it a false statement, Downey said. Ambrogi noted both sources in his post. "I am no ethics expert," Ambrogi writes, "However, I think it is significant that LinkedIn provides the ability to 'hide' endorsements others have given you." Ambrogi suggests users remove endorsements they believe are false or misleading.


Snow Fail: The New York Times And Its Misunderstanding Of Copyright (TechCrunch, 21 May 2013) - You remember Snow Fall, don't you? It was that awesome interactive reporting piece by The New York Times that everyone talked about for a week. The New York Times spent months and had an entire team working on the creation of Snow Fall, and it shows. But what if I told you that you could recreate the same interactive experience in just about an hour? You'd like that, wouldn't you? Well, The New York Times wouldn't. Cody Brown, co-founder of interactive web design tool Scroll Kit, did just that. He recreated the Snow Fall piece using Scroll Kit to show that you didn't need an army of developers or designers to create the same type of interactive storytelling. In fact, the tools exist today to build other compelling narratives that take advantage of the combination of text, and video, and images. To show how easy it was, Brown recorded a video of the process, showing how a user could create the same type of experience in under an hour. And he uploaded it to YouTube, and posted it to the Scroll Kit website. There, he introduced it this way: "The NYT spent hundreds of hours hand-coding 'Snow Fall.' We made a replica in an hour." The video lived there for about a month, Brown tells me, before receiving a letter from The New York Times legal team, demanding that the video be taken down. After consulting with Scroll Kit's legal counsel, the team complied with the takedown request, kind of. They actually set the video to private on YouTube so that no one could see it. But they kept the line about making a replica of Snow Fall on the website. Because, well, it was true. It wasn't long before another C&D nastygram from The New York Times arrived, demanding that they not only delete the video from YouTube - which they eventually did - but that they remove any reference to The New York Times from their website.


How Does Copyright Work In Space? (The Economist, 22 May 2013) - Chris Hadfield has captured the world's heart, judging by the 14m YouTube views of his free-fall rendition of David Bowie's "Space Oddity", recorded on the International Space Station (ISS). The Canadian astronaut's clear voice and capable guitar-playing were complemented by his facility in moving around in the microgravity of low-earth orbit. But when the man fell to Earth in a neat and safe descent a few days ago, after a five-month stay in orbit, should he have been greeted by copyright police? Commander Hadfield was only 250 miles (400 km) up, so he was still subject to terrestrial intellectual-property regimes, which would have applied even if he had flown the "100,000 miles" mentioned in the song's lyrics, or millions of kilometres to Mars. His five-minute video had the potential to create a tangled web of intellectual-property issues. How does copyright work in space? The song "Space Oddity" is under copyright protection in most countries, and the rights to it belong to Mr Bowie. But compulsory-licensing rights in many nations mean that any composition that has been released to the public (free or commercially) as an audio recording may be recorded again and sold by others for a statutorily defined fee, although it must be substantively the same music and lyrics as the original. But with the ISS circling the globe, which jurisdiction was Commander Hadfield in when he recorded the song and video? Moreover, compulsory-licensing rights for covers of existing songs do not include permission for broadcast or video distribution. Commander Hadfield's song was loaded onto YouTube, which delivers video on demand to users in many countries around the world. The first time the video was streamed in each country constituted publication in that country, and with it the potential for copyright infringement under local laws. 
Commander Hadfield could have made matters even more complicated by broadcasting live as he sang to an assembled audience of fellow astronauts for an onboard public performance while floating from segment to segment of the ISS. [Polley: Spotted by MIRLN reader Roland Trope.]


Publicity Rights Aren't Property Rights: Appellate Court Gets It Very Wrong in Hart v. EA (EFF, 22 May 2013) - Bad facts make bad law: it's a legal cliché that is unfortunately based on reality. We saw as much yesterday, in the case of Ryan Hart v. Electronic Arts. Presented with a situation that just seemed unfair, the Third Circuit Court of Appeals proceeded to make a whole bunch of bad law that puts dollars ahead of speech. Here are the facts: Electronic Arts sells a videogame called NCAA Football. Part of the success of the game is based on its realism and detail - including its realistic digital avatars of college players. One of those players was Ryan Hart, who played for Rutgers University from 2002 to 2005. NCAA Football did not use Hart's name, but the game included an avatar with Hart's Rutgers team jersey number, biographical information, and statistics. Trouble is, no one asked Hart if he wanted to be part of the game. Nor did anyone pay him for it - they couldn't, because college players aren't allowed to accept money for any kind of commercial activity. When Ryan discovered the game, he sued EA based on a lesser-known but pernicious legal doctrine, the right of publicity. The right of publicity is a funny offshoot of privacy law that gives a (human) person the right to limit the public use of her name, likeness and/or identity, particularly for commercial purposes like an advertisement. The original idea was that using someone's face to sell soap or gum, for example, might be embarrassing for that person and that she should have the right to prevent it. While that might make some sense in a narrow context, states have expanded the law well beyond its original boundaries. For example, the right was once understood to be limited to name and likeness, but now it can mean just about anything that "evokes" a person's identity, such as a phrase associated with a celebrity (like "Here's Johnny,") or even a robot dressed like a celebrity.
And in some states, the right can now be invoked by your heirs long after you are dead and, presumably, in no position to be embarrassed by any sordid commercial associations. In other words, it's become a money-making machine. But there has traditionally been at least one limit on publicity claims: the First Amendment. In a nutshell, courts are supposed to balance a person's right to control the use of her identity against others' right to expressive speech - including videogames. Unfortunately, the Third Circuit just threw that balance way out of whack. * * *


What Law Firms Should Know About Cyberattacks and the FBI (ABA Journal, 23 May 2013) - The steady rise of cyberattacks against U.S. companies - with damages that include tens of millions of dollars, lost trade secrets and threats to critical infrastructures - has prompted the FBI to even more greatly stress the importance of information-sharing on cyber intrusions. However, the decision to share sensitive data about a company or law firm's network comes with major legal considerations and should include discussions with legal department heads and outside counsel, Corporate Counsel reports. "You have to really figure out what exactly you're going to be willing to do," said DeVore & DeMarco partner Joseph DeMarco at a New York Bar Association event this week covered by Corporate Counsel. DeMarco specialized in cybercrime as an assistant U.S. Attorney. "These are voluntary requests for information. They don't come with immunity." Attackers could be state-sponsored actors, organized criminal groups, individual hackers or "hacktivists," company insiders, or terrorists, according to FBI "cyber cop" Mary Galligan. Many law firms first learn they've been attacked not from internal sources - but from the government, she said at the New York City Bar Association event. "What happens with the FBI is right now, approximately 60 percent of the time, we are going out and telling a company that they have been intruded upon," Galligan said. Although the FBI hasn't always notified companies of an attack, that policy has changed in the past three years in light of several serious attacks against U.S. banks and an executive order mandating information-sharing, she said. "The government is - and especially after the executive order - sharing information as fast as we can get it," Galligan told attendees, according to Corporate Counsel.
Despite these efforts, unless general counsel and outside law firms are involved in these security issues from the start and have instituted a recovery plan in the event of a breach, it can be very difficult for the government to help, Galligan noted. "The law has not kept up with the issue," she said, according to Corporate Counsel. "So I've had companies and banks say, 'OK, come on in and help us,' but they can't give us consent for that." Many firms don't even know what their networks look like or what's on their servers, she added. Hogan Lovells partner and former IBM security counsel Harriet Pearson emphasized the complicated legal issues lawyers must be prepared for in the event of a cyberattack and subsequent government involvement. [Polley: Next month the ABA will publish The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, with chapters on sources of the risk, legal and ethical obligations, practice-setting specifics, planning and recovery, and insurance. I've been heavily involved in this, and think it'll be an invaluable tool for US lawyers of all stripes. More to come later.]


The 20 Worst Data Breaches (Background Checks, 25 May 2013) - The information technology age has brought with it a new opportunity for the criminally minded. Unfortunately, our government agencies and corporations have not always been as guarded as they could be against those determined to gain access to the vital data they store. Through a combination of hacking and social engineering techniques, digital thieves have made off with identity information, hampered affairs of state, and even stolen millions of dollars. Here are 20 of some of the most damaging, notorious, or notable data breaches presented in chronological order. [Polley: generally useful, chronological summary of big breaches from Card Systems (2005) thru Global Payments (2012).]


Masterworks for One and All (NYT, 28 May 2013) - Many museums post their collections online, but the Rijksmuseum here has taken the unusual step of offering downloads of high-resolution images at no cost, encouraging the public to copy and transform its artworks into stationery, T-shirts, tattoos, plates or even toilet paper. The museum, whose collection includes masterpieces by Rembrandt, Vermeer, Mondrian and van Gogh, has already made images of 125,000 of its works available through Rijksstudio, an interactive section of its Web site. The staff's goal is to add 40,000 images a year until the entire collection of one million artworks spanning eight centuries is available, said Taco Dibbits, the director of collections at the Rijksmuseum. "We're a public institution, and so the art and objects we have are, in a way, everyone's property," Mr. Dibbits said in an interview. "With the Internet, it's so difficult to control your copyright or use of images that we decided we'd rather people use a very good high-resolution image of the 'Milkmaid' from the Rijksmuseum rather than using a very bad reproduction," he said, referring to that Vermeer painting from around 1660. Until recently, museums had been highly protective of good-quality digital versions of their artworks, making them available only upon request to members of the press or to art historians and scholars, with restrictions on how they could be used. The reasons are manifold: protecting copyrights, maintaining control over potentially lucrative museum revenues from posters or souvenirs and preventing thieves or forgers from making convincing copies. In recent years, though, as the Google Art Project has begun to amass a global archive of images with the cooperation of museums and the Internet has made it impossible to stem the tide of low-quality reproductions, institutions are rethinking their strategy.
"We've gotten over that hurdle," said Deborah Ziska, a spokeswoman for the National Gallery of Art in Washington. "I don't think anyone thinks we've cheapened the image of the 'Mona Lisa.' People have gotten past that, and they still want to go to the Louvre to see the real thing. It's a new, 21st-century way of respecting images." The National Gallery has so far uploaded about 25,000 works to share with the public. "Basically, this is the wave of the future for museums in the age of digital communications," Ms. Ziska said. "Sharing is what museums need to learn to do." The Rijksmuseum has been able to put its works online more quickly because much of its collection predates Dutch copyright laws and its staff had an opportunity to digitize the collection when the museum was closed for renovations. [Polley: Spotted by MIRLN reader Corinne Cooper.]


- and -

Art and Copyright in the Age of Compulsive Looking (TechDirt, 31 May 2013) - We wrote recently about how the rise of mobile phones with built-in cameras has led to an irresistible urge to record our experiences everywhere with a digital picture. But what happens when those experiences include works of art, which may still be under copyright? That's the interesting question an article in Art News explores: We're in an age when people take pictures just about everywhere, an act that photography critic Jörg M. Colberg describes as "compulsive looking." The phenomenon has created a unique set of challenges for art museums, many of which have historically had strict limitations on photography -- either for the purpose of protecting light-sensitive works or because of copyright issues. The good news is that some art museums are beginning to revisit their old rules, not least because they themselves are starting to share images through social media. As devices shrink and become always-on -- think Google Glass -- that problem will only grow, as copyright designed for the eighteenth century clashes with technology from the twenty-first century. In a sense, this is the visual equivalent of attempts to stop unauthorized sharing of files online. That's not only futile, but causes copyright companies and governments to obsess about something that is not really a problem, as numerous posts on TechDirt have pointed out. Art museums seem to be learning that it's better to embrace change and turn it to their advantage; it's time others did the same, and started looking at the bigger picture.


In Reversal, Judge Orders Child Porn Suspect to Decrypt Hard Drives (Ars Technica, 28 May 2013) - A federal judge who had previously declined to force a Wisconsin suspect to decrypt several hard drives believed to contain child pornography has now changed his mind. After considering new evidence, the judge wrote in an order last week (PDF) that the Milwaukee-area man now must either enter the passwords for the drives without being observed by law enforcement or government counsel or must provide an unencrypted copy of the data. In April 2013, Jeffrey Feldman was ordered by a United States Attorney to help federal authorities execute a search warrant on a collection of his own hard drives. The government claimed that it has probable cause to believe that these drives contain child pornography. Feldman, a computer scientist and software developer at Rockwell Automation Inc., has yet to be charged with a crime. As we reported previously, forcing a defendant to decrypt a hard drive can amount to self-incrimination if the government can't otherwise show that the defendant has the password for the drive. In such a case, forced decryption amounts to a forced confession that the defendant owns the drive. Earlier in this case, Judge William Callahan had ruled that compelling Feldman to provide the passwords for the hard drives would violate his Fifth Amendment right against self-incrimination. According to the order (PDF), after devoting "substantial resources" in the case, FBI agents apparently have been able to decrypt one of the drives. The government argued that because it had found "numerous files which constitute child pornography," "detailed personal financial records and documents belonging to Feldman," and "dozens of personal photographs of Feldman," Feldman therefore has "access to and control over" the set of drives.


- but then -

U.S. District Judge: Forced Decryption of Hard Drives Violates Fifth Amendment (Slashdot, 5 June 2013) - hansamurai writes with an update to a story we've been following for a while. Jeffrey Feldman is at the center of an ongoing case about whether or not crime suspects can be forced to decrypt their own hard drives. (Feldman is accused of having child pornography on his hard drives.) After initially having a federal judge say Feldman was protected by the Fifth Amendment, law enforcement officials were able to break the encryption on one of his many seized storage devices. The decrypted contents contained child pornography, so a different judge said the direct evidence of criminal activity meant Feldman was not protected anymore by the Fifth Amendment. Now, a third judge has granted the defense attorney's emergency motion to rescind that decision, saying Feldman is once again (still?) protected by the Fifth Amendment.

The Most Important Cybersecurity Case You've Never Heard Of (Lawfare, 29 May 2013) - The case is Federal Trade Commission v. Wyndham Worldwide Corporation, a civil suit brought in the District of Arizona by the FTC relating to a cybersecurity breach at Wyndham. To understand why the case matters quite a bit, we need to step back and understand the FTC. The FTC has two grounds on which it can bring a civil lawsuit. One is an allegation of deception - in other words an argument that some consumer service organization (like, say Wyndham Hotels) had made representations to the consuming public that were false. As you may imagine allegations of that sort are often very fact specific and tied to particular circumstances. The second ground for FTC enforcement is a broader one - that a company has engaged in "unfair" business practices. In other words that a company "caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition." The FTC suit against Wyndham is tied to a breach of Wyndham's computer systems by a Russian criminal organization that, allegedly, resulted in more than $10 million in fraud losses. It seeks a permanent injunction, directing Wyndham to fix its cyber systems so that they are more secure and unspecified damages. The suit asserts both grounds for FTC jurisdiction. It first alleges that Wyndham's privacy policy about how they will maintain the security of information about their customers is deceptive - in other words that Wyndham made cybersecurity promises it couldn't keep. The suit also alleges that, systematically, Wyndham's failure to provide adequate cybersecurity for the personally identifiable information of its customers is an unfair business practice. This type of lawsuit by the FTC is not unusual.
These legal theories have been the foundation, for example, of the FTC's investigation of Google, Twitter and HTC, and its investigation of data breaches at large consumer companies like Heartland. In almost all of these cases, the FTC deploys some combination of the argument that a company has misled the public about the nature of its cybersecurity ("deception") or that it has failed to invest adequately in cybersecurity measures ("unfair practices"). Until now, all of these actions have resulted in out-of-court settlements, leaving the validity of the FTC's legal theories untested. But now - in the Wyndham case - the FTC's authority is being questioned. As the Wall Street Journal recently reported, Wyndham is challenging the basic premise of the FTC's suit, arguing that consumer protection statutes cannot be stretched to cover cybersecurity issues. Wyndham has argued that the lawsuit exceeds FTC's enforcement authority - a position supported by the Chamber of Commerce. The principal evidence that the FTC may be acting beyond its authority is its own report from 2000, in which it asked Congress to expand its legal authority to consider security breaches as consumer-protection issues. Congress has never acted on that request, but the FTC has decided to proceed anyway. Indeed, as Wyndham notes, there are a host of more specific data-security laws already on the books (HIPAA; COPPA; Gramm-Leach-Bliley; Fair Credit Reporting), suggesting that there has not been a broad, general grant of data-breach security regulatory authority to the FTC.

Tech Firm Publishes Free Copyright Treatise (Robert Ambrogi, 30 May 2013) - In the early days of the Web, before law firms discovered blogs, they would sweeten the allure of their websites by filling them with content intended to show off their knowledge and expertise. Law firm websites often included FAQs about specific areas of law and some of the more ambitious firms had what amounted to mini-treatises on legal topics. But as more and more firms decided that blogging was the better way to add content to their sites, these sorts of pages all but disappeared. Now, an IP and technology law firm is reviving that approach, but in a decidedly contemporary way. The law firm Adler Vermillion & Skocilich, which has offices in Brooklyn, N.Y., and Seattle, Wash., is publishing the Copyright Codex: A Free Treatise for Lawyers and Artists. The treatise is described as an attempt "to make copyright law useful and accessible for designers, coders and lawyers," and it does a good job of achieving that. While this is no Nimmer on Copyright in the span of its coverage, it nonetheless goes into a fair degree of detail on many topics. It includes discussion of specific cases and how they flesh out various concepts. The treatise is well organized using drop-down menus from seven main categories: Basics, License, Rights, Infringement, Fair Use, Litigate and Copyright Act. Within the drop-down menus are subtopics and sub-subtopics. The whole thing is searchable, of course.

Government Announces New Mobile Security Guidelines (RideTheLightning, 31 May 2013) - Last week, White House officials announced a series of new resources and initiatives, including new mobile security guidelines, designed to help implement the administration's vision of delivering government information securely anytime, anywhere and on any device. A lofty vision, to be sure. U.S. CIO Steven VanRoekel and federal CTO Todd Park announced that the White House Office of Management and Budget has published the first government-wide set of mobile computing security guidelines. The guidelines include a baseline of standard security requirements for mobile computing, a mobile computing decision framework for federal agencies and a mobile security reference architecture. The documents are significant not only in spelling out ways for agencies and industry to develop safer mobile products for use on government networks, but also because of the active roles played by the Department of Homeland Security, the Department of Defense and the National Institute of Standards and Technology in developing them. VanRoekel also announced the implementation of a government-wide digital analytics program across all federal websites. "That means for the first time, we have insight about what information the public is looking for, where they're looking for it and if they're able to find it -- essential to our goal of easing access to government information," he said.

Skype Does NOT Provide Secure Communications (RideTheLightning, 3 June 2013) - Over the weekend, I read yet again about how many lawyers are using Skype in their law practice. As a recent Ars Technica article pointed out, there is a widely held misapprehension, even by experts, that Skype provides impenetrable end-to-end encryption. In fact, the Microsoft-owned company regularly scans message contents for signs of fraud, and company managers may log the results indefinitely. And this can only happen if Microsoft can convert the messages into human-readable form at will. Since Microsoft acquired Skype, the network design has been overhauled. Gone are the peer-to-peer "supernodes" made up of users with sufficient amounts of bandwidth and processing power - now there are some 10,000 Linux machines hosted by Microsoft. The decentralization that had been one of Skype's hallmarks was replaced with a much more centralized network, in which messages are easier to monitor. Ars Technica also conducted an experiment proving that Skype does indeed peek into messages. Read the article and determine for yourself whether Skype is an appropriate vehicle for attorney confidential communications.

New York State Launches Investigation of Top Insurance Companies' Cybersecurity Practices. Who's Next? (Francoise Gilbert, 4 June 2013) - The State of New York has launched an inquiry into the steps taken by the largest insurance companies to keep their customers and companies safe from cyber threats. This is the second inquiry of this kind. Earlier this year, a similar investigation targeted the cyber security practices of New York based financial institutions. On May 28, 2013, the New York Department of Financial Services (DFS) issued letters pursuant to Section 308 of the New York Insurance Law ("308 Letters") to 31 of the country's largest insurance companies, requesting information on the policies and procedures they have in place to protect health, personal and financial records in their custody against cyber attacks. Among other things, the 308 Letters request:

  • Information on any cyber attacks to which the company has been subject in the past three years;
  • The cyber security safeguards that the company has put in place;
  • The company's information technology management policies;
  • The amount of funds and other resources that are dedicated to cyber security;
  • The company's governance and internal control policies related to cyber security.

[Polley: see also The State of Security (Tripwire, 3 June 2013)]

Court Says Copying Journal Articles To Show Prior Art In Patent Proceedings Is Fair Use (TechDirt, 4 June 2013) - Last year, we wrote about how some academic journals were ridiculously claiming that law firms, who made copies of journal articles to submit to the US Patent and Trademark Office to show examples of prior art, were infringing on their copyrights. Yes, they were arguing that you couldn't use their journals as examples of prior art without paying them for the privilege. Thankfully, the USPTO stepped up and issued a memo explaining why they believed such usage was clearly protected as fair use. Still, the American Institute of Physics and Blackwell Publishing decided to sue a law firm, Winstead PC, and patent filers over the matter. The USPTO then stepped in as an "intervening defendant." Over the course of the case, the publishers finally admitted that articles submitted with patent filings themselves probably weren't infringing and dropped that claim. However, they still argued that other copies made "during the process of evaluating and selecting" material to be submitted to the USPTO were infringing (in other words, the clients and the lawyers sharing copies of the articles back and forth -- and later copies of the articles associated with patent files). The USPTO stepped in and argued that this was obviously fair use, noting the benefits to the public, the fact that none of the copying was done for "commercially exploiting" the work, that the copies are a part of a much larger process and, of course, that it doesn't compete with the primary market for the works. Oh yeah, also: "courts routinely hold that copies made in connection with government proceedings is fair use." The district court in the northern district of Texas ruled last week that the defendants are entitled to the fair use defense in a ruling from the bench.

New Cyber Sheriff May Seek Bigger Gun (Steptoe, 6 June 2013) - In a letter to Senate Commerce Committee Chairman Jay Rockefeller last month, new Securities and Exchange Commission Chairman Mary Jo White wrote that she had directed her staff to provide her with a briefing on current practices of the SEC for evaluating what, if any, disclosures public companies should make regarding cyberattacks and cybersecurity risks, including the overall level of compliance with the existing guidance issued in late 2011. The Federal Trade Commission and various state attorneys general have already marked their data breach territory by going after companies that have suffered breaches for failing adequately to protect data. But the prospect of the SEC's flexing greater muscle in this area means that companies that suffer a breach may face even more regulatory scrutiny in the aftermath.

N.S.A. Said to Gather Users' Online Data (NYT, 6 June 2013) - The federal government has been secretly gathering information on foreigners overseas for nearly six years from the nation's largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, according to documents that emerged Thursday and were confirmed by a senior government official. The disclosure of the classified program came just hours after government officials acknowledged a separate seven-year effort to sweep up records of telephone calls inside the United States. Together, the unfolding revelations opened a window into the growth of government surveillance that began under the Bush administration after the terrorist attacks of Sept. 11, 2001, and has clearly been embraced and even expanded under the Obama administration. Government officials defended the two surveillance initiatives as authorized under law, known to Congress and necessary to guard the country against terrorist threats. But an array of privacy advocates and libertarians said the disclosures provided the most detailed confirmation yet of what has been long suspected about what the critics call an alarming and ever-widening surveillance state. The documents on the Internet surveillance program, first posted by The Washington Post and then The Guardian, indicated that data collected from online providers could include e-mail, chat services, videos, photos, stored data, file transfers, video conferencing and logins. The program, called Prism, is authorized under a foreign intelligence law that was recently renewed by Congress, said the senior official, who added that it minimizes the collection and retention of information "incidentally acquired" about Americans and permanent residents. Several of the Internet companies issued statements strongly denying knowledge of or participation in the program. [Polley: Read the 3-page FISC subpoena.
And I'm certain this is the tip of the iceberg. Very disheartening. See the first two stories from "Looking Back" below; see the Washington Post story on Prism: U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program (Washington Post, 7 June 2013) - of particular concern is the excerpt: "Intelligence analysts are typically taught to chain through contacts two "hops" out from their target, which increases "incidental collection" exponentially. The same math explains the aphorism, from the John Guare play, that no one is more than "six degrees of separation" from any other person." So, even if Prism is aimed at non-US persons, the two-hop rule will sweep up the actual contents of millions of US-persons' communications.]

RESOURCES

A Superb Source for Global and International Law (Robert Ambrogi, 31 May 2013) - You probably are familiar with the Legal Information Institute at Cornell University Law School, a pioneering publisher of U.S. legal materials online. But did you know that there is an international network of some 22 legal institutes and similar organizations, all devoted to providing free access to the law? While these various LIIs generally focus on the law of their own lands, one, the World Legal Information Institute, provides access to sources and collections of law from various countries, from Afghanistan and Albania to Zambia and Zimbabwe. As of this writing, it includes 1,240 databases from 123 jurisdictions, with more being added on a regular basis. Some of these materials are drawn from the various country-specific LIIs that help support this site and others are unique to the site. They are organized by countries, regions and databases, which you can browse or search. The site's LawCite search allows you to search the materials by citation, party name, jurisdiction, article title, author and other parameters. The World LII also includes the International Law Library, which it says is the most comprehensive free-access international law library on the Internet. Focused on international law, cooperation and trade, it includes decisions of international courts and tribunals, treaties and international agreements, international law journals, and law reform materials.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Ashcroft Proposes Vast New Surveillance Powers (The Register, 10 Feb 2003) -- A sweeping new anti-terrorism bill drafted by the Justice Department would dramatically increase government electronic surveillance and data collection abilities, and impose the first-ever federal criminal penalties for using encryption in the U.S. A draft of the Domestic Security Enhancement Act of 2003 dated January 9th was obtained by the non-partisan Center for Public Integrity and released Friday. The 120-page proposal would further expand many of the surveillance powers Congress granted federal law enforcement in the USA-PATRIOT Act in 2001, while increasing the secrecy surrounding some government functions. One provision in the bill would represent America's first domestic regulation of encryption, though it would apply only to those already attempting to commit a federal crime.

Bush Lets U.S. Spy on Callers Without Courts (New York Times, 16 Dec 2005) -- Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials. Under a presidential order signed in 2002, the intelligence agency has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible "dirty numbers" linked to Al Qaeda, the officials said. The agency, they said, still seeks warrants to monitor entirely domestic communications. The previously undisclosed decision to permit some eavesdropping inside the country without court approval was a major shift in American intelligence-gathering practices, particularly for the National Security Agency, whose mission is to spy on communications abroad. As a result, some officials familiar with the continuing operation have questioned whether the surveillance has stretched, if not crossed, constitutional limits on legal searches. "This is really a sea change," said a former senior official who specializes in national security law. "It's almost a mainstay of this country that the N.S.A. only does foreign searches." Nearly a dozen current and former officials, who were granted anonymity because of the classified nature of the program, discussed it with reporters for The New York Times because of their concerns about the operation's legality and oversight. The White House asked The New York Times not to publish this article, arguing that it could jeopardize continuing investigations and alert would-be terrorists that they might be under scrutiny. 
After meeting with senior administration officials to hear their concerns, the newspaper delayed publication for a year to conduct additional reporting. [Editor: This is the story-of-the-decade for me; separation of powers and Article II supremacy. I'm astounded that the Times sat on it for a year. Reminds me of a senior DOD lawyer who carries a copy of the Constitution in his suit coat pocket, and pulls it out several times a day to cite Article II authority, as if there weren't two centuries of statutory, regulatory, and case-law gloss.] Related story at http://www.salon.com/news/feature/2005/12/23/bamford/print.html ; interesting legal analysis/blog at http://balkin.blogspot.com/#113526050457460564 .

UCITA Hits Snag With Lawyer Group (IT World, 12 Feb 2003) -- The future of a proposed law that would standardize software licensing agreements across the U.S. appeared to be in doubt after the American Bar Association (ABA) failed to approve it at its national meeting last week. The National Conference of Commissioners on Uniform State Laws (NCCUSL) has been pitching the Uniform Computer Information Transactions Act (UCITA) to state legislators since 1999. They have called it a "model" law that would create uniform legislation across the country. Several software companies and groups, including the Business Software Alliance, Microsoft Corp. and IBM Corp., support UCITA, arguing that differing state software licensing laws drive up the cost of selling software. They argue that a uniform law across the United States would reduce vendors' liability costs. NCCUSL approved a series of changes to the proposed law in August 2002 in an effort to answer critics' complaints that UCITA would force restrictive licenses for shrink-wrapped or downloaded software on customers. However, six Sections of the ABA failed to approve UCITA before the ABA's mid-year meeting in Seattle this past week. On Monday, the NCCUSL withdrew a resolution recommending the ABA House of Delegates approve UCITA, according to the American Library Association, an opponent of UCITA.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.