Saturday, July 20, 2013

MIRLN --- 30 June – 20 July 2013 (v16.10)

MIRLN --- 30 June - 20 July 2013 (v16.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | RESOURCES | FUN | LOOKING BACK | NOTES

ANNOUNCEMENT

Next week the ABA will publish a book I've co-edited: The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals , with chapters on sources of risk, legal and ethical obligations, practice-setting specifics, planning and recovery, and insurance. With Jill Rhodes (my co-editor), we've pulled together the analysis and recommendations of nearly thirty lawyers, judges, and technology professionals from across the ABA. This is the first work-product of the year-old ABA Cybersecurity Legal Task Force .

top

NEWS

Six Sigma as Law Redesign (Open Law Lab, 18 June 2013) - law firm Seyfarth Shaw has adapted the business process of Six Sigma into the law firm, and law-client, setting, while also mixing it in with Lean methodology. They call it 'SeyfarthLean'. Their website gives a basic overview of what the method encompasses - much of which overlaps with human centered design. It shares a bias towards visualizing processes, creating feedback loops with quick cycles, and putting the client's needs first in a workflow. The firm also has a Legal Technology and Innovation office, which builds out tools and apps to be used inside the law firm to improve efficiency. Law Technology News has an article that quickly spotlights how Seyfarth Shaw uses process mapping. Developing a project plan - detailing the steps and the staffing for a task (whether to use a senior level associate or a more junior lawyer, for example) can be a complex, time-consuming task. Unfortunately, the start of an engagement or the response period for a request for proposal is typically hectic, rarely offering bountiful free time to develop and perfect detailed case plans. One approach is to develop template "springboard" plans (in other words, process maps) for general matters or transactions that can be modified for specific clients and cases. Essentially, these became a collection of pre-existing starting points that firms can draw on when a new matter comes about. The champion of process mapping is Seyfarth Shaw, which has developed more than 160 maps in the past five years. "The firm identifies an area, a scope of work we do - any kind of transaction - and gets participants together in a room to share processes and best practices, with a project manager facilitating," says Chicago-based Kim Craig, director of Seyfarth's project management office. It can take weeks to create a map, but the result is a template that spells out the various phases of a matter - and an efficient way to do them, she says. This gives the firm a huge head start, notes Andrew Baker, Seyfarth's director of legal technology innovations. "When we sit down with the client we already have the tasks - how much time they should take and what resources they need - and [we] can come up with some pretty solid pricing," says Baker, also based in Chicago. Then, the firm and its potential client discuss any needed modifications, he says. At this point, documents can be linked to tasks - checklists, templates, prior work product, case-specific files, anything that might be helpful. Seyfarth uses TaskMap, from Harvard Computing Group, to create its process maps, and Microsoft Project to create case- specific project plans, complete with timelines.

top

Cybersecurity Guidelines Recently Issued by NIST Set Out Security and Privacy Best Practices for Businesses (Adams & Reese, 26 June 2013) - The National Institute of Standards and Technology (NIST) has issued its latest version of "Security and Privacy Controls for Federal Information Systems and Organizations" (the "Guidelines"). These Guidelines, issued and updated from time to time, contain a number of privacy and security controls designed to protect information, and set out a process for selecting controls to protect against a host of threats to information security, including cyber attacks, natural disasters, structural failures, and human errors. The Guidelines are a valuable security and privacy resource for every business. While designed for use by organizations and systems within the Federal government (and by extension those organizations who do business with the Federal government), the Guidelines may be considered "best practices" for businesses seeking to implement and maintain adequate and appropriate security and privacy controls. The Guidelines are here .

top

Why business is losing the war against cybercrime (CSO Online, 26 June 2013) - The good guys are losing the cybercrime war. One major reason is that they don't understand their enemies, and therefore are not fighting back effectively. Another is that Edward Snowden, currently the world's most famous insider threat, apparently has a lot of company. Those are among the most important, and sobering, conclusions of the 2013 State of Cybercrime Survey from PwC US and CSO magazine, which included responses from 500 U.S. executives, security experts, and others from both private and public sectors. This, the 11th survey of cybercrime trends, released last week, found that while cybercrime threats are increasing, current defenses against them remain ineffective, in large measure because too many executives still do not understand the extent and seriousness of those threats, or have simply become numb to the news about them. "There were no significant changes in C-Suite threat awareness, no spikes in spending on cyber-defense, no breakthroughs in the use of technology to combat cybercrime, and no significant change in the ability of organizations to measure the impact of both cybercrimes committed by insiders and those caused by external cyberattacks," the survey reported. That, according to Dave Burg, PwC Global and US advisory cyber security leader, has been the case for a decade. "(We) have seen virtually no movement by survey respondents in the past 10 years," he said.

top

Historic Milestone for Rights of Readers as UN Negotiators Finalize Treaty for the Blind (EFF, 27 June 2013) - Member states of the United Nations concluded the draft of an international treaty this week that gives people with visual and reading disabilities better access to copyrighted works. The treaty comes as the result of collective efforts to carve out protections for the blind and reading disabled that faced years of resistance from rightsholder industries. Drafting efforts spanned nearly a decade at the UN World Intellectual Property Organization (WIPO) , culminating in a final session in Marrakesh, Morocco running from June 17 until they finalized the treaty on Tuesday. People with reading and visual disabilities have faced a "book famine," in which only 7% of published books are converted into accessible formats in the richest countries of the world. That number is even lower in the poorest regions, where only 1% of books are available. New technologies could have already drastically improved the state of things, but over-restrictive copyright has hindered the production and distribution of books in accessible formats. Only 57 of WIPO's 184 Member States have legal exceptions to copyright for these purposes [pdf] , and even worse, inconsistent policies between countries made it almost impossible to share books between countries. The treaty, called the Treaty to Facilitate Access to Published Works by Visually Impaired Persons and Persons with Print Disabilities, carves out robust exceptions to copyright to make it legal for print disabled people and organizations to make copies of published works accessible. In addition, the treaty legalizes the import and export of accessible books without permission from publishers (removing a barrier that threatened to be a big hurdle in many regions of the world). More detailed analyses of its provisions are yet to come, but the final text of the treaty has been posted on the WIPO website .

top

"Heisman Pose" Photographer's Lawsuit Whittled Down (Eric Goldman's blog, 29 June 2013) - Back in February, we blogged about photographer Brian Masck's Shakespearean complaint , asserting copyright infringement claims (and others) against numerous defendants for using his famous "Heisman Pose" photo. Together, the defendants moved to dismiss all non-copyright claims. Defendants Desmond Howard and Amazon also filed motions to dismiss on separate bases. On June 11, a district court in Michigan ruled on the various motions. For each, the court granted in part and denied in part. * * * Case is Masck v. Sports Illustrated, et al. , 2:13-cv-10226-GAD-DRG (E.D. Mich. June 11, 2013)

top

Montana Tells Police: No Location Tracking Without a Warrant (CDT, 2 July 2013) - Montana recently became the first state to enact a comprehensive law requiring law enforcement officials to obtain a search warrant before obtaining location information generated by the operation of electronic devices such as cellular telephones. The bill requires a warrant regardless of whether the location information is generated by GPS or by proximity to one or more cellular towers. It appears to require warrants for such location information no matter how it is obtained. Thus, the bill would require a warrant for, among other things: (i) prospective location tracking; (ii) disclosure from storage of cell site location information by a provider of cellular phone service; (iii) disclosure of location information stored on a mobile device itself (i.e., no warrantless search of a cell phone for location information, including in any search incident to arrest); (iv) location tracking through the use of a cell site simulator such as Triggerfish ; and (v) social networking check-in information.

top

- and -

New Jersey Supreme Court Restricts Police Searches of Phone Data (NYT, 18 July 2013) - Staking out new ground in the noisy debate about technology and privacy in law enforcement, the New Jersey Supreme Court on Thursday ordered that the police will now have to get a search warrant before obtaining tracking information from cellphone providers. The ruling puts the state at the forefront of efforts to define the boundaries around a law enforcement practice that a national survey last year showed was routine, and typically done without court oversight or public awareness. With lower courts divided on the use of cellphone tracking data, legal experts say, the issue is likely to end up before the United States Supreme Court. Several states and Congress are considering legislation to require that warrants based on probable cause be obtained before investigators can get cellphone data. Montana recently became the first state to pass such a measure into law . The California Legislature approved a similar bill in 2012, but Gov. Jerry Brown vetoed it , saying it did not "strike the right balance" between the needs of law enforcement and the rights of citizens. The Florida Supreme Court ruled in May that the police could seize a cellphone without a warrant, but needed a warrant to search it. And a case before the United States Court of Appeals for the Fourth Circuit, in Richmond, Va., is weighing whether investigators acted legally when they got a court order, but not a warrant, to obtain 221 days of cellphone location data for suspects in an armed robbery case in Maryland. In a unanimous decision, the State Supreme Court said that when people entered cellphone contracts, "they can reasonably expect that their personal information will remain private." The justices recognized that this departed somewhat from federal case law. But they relied in part on a United States Supreme Court decision last year that the police could not attach a Global Positioning System to a suspect's car without a warrant. A cellphone, the New Jersey justices said, was like a GPS device. "Using a cellphone to determine the location of its owner can be far more revealing than acquiring toll billing, bank, or Internet subscriber records," said the opinion, written by Chief Justice Stuart Rabner . "Details about the location of a cellphone can provide an intimate picture of one's daily life and reveal not just where people go - which doctors, religious services and stores they visit - but also the people and groups they choose to affiliate with. That information cuts across a broad range of personal ties with family, friends, political groups, health care providers and others."

top

U.S. Postal Service Logging All Mail for Law Enforcement (NYT, 3 July 2013) - Leslie James Pickering noticed something odd in his mail last September: A handwritten card, apparently delivered by mistake, with instructions for postal workers to pay special attention to the letters and packages sent to his home. "Show all mail to supv" - supervisor - "for copying prior to going out on the street," read the card. It included Mr. Pickering's name, address and the type of mail that needed to be monitored. The word "confidential" was highlighted in green. "It was a bit of a shock to see it," said Mr. Pickering, who owns a small bookstore in Buffalo. More than a decade ago, he was a spokesman for the Earth Liberation Front, a radical environmental group labeled eco-terrorists by the Federal Bureau of Investigation. Postal officials subsequently confirmed they were indeed tracking Mr. Pickering's mail but told him nothing else. As the world focuses on the high-tech spying of the National Security Agency, the misplaced card offers a rare glimpse inside the seemingly low-tech but prevalent snooping of the United States Postal Service. Mr. Pickering was targeted by a longtime surveillance system called mail covers, but that is only a forerunner of a vastly more expansive effort, the Mail Isolation Control and Tracking program, in which Postal Service computers photograph the exterior of every piece of paper mail that is processed in the United States - about 160 billion pieces last year. It is not known how long the government saves the images. Together, the two programs show that snail mail is subject to the same kind of scrutiny that the National Security Agency has given to telephone calls and e-mail. The Mail Isolation Control and Tracking program was created after the anthrax attacks in late 2001 that killed five people, including two postal workers. Highly secret, it seeped into public view last month when the F.B.I. cited it in its investigation of ricin -laced letters sent to President Obama and Mayor Michael R. Bloomberg. "In the past, mail covers were used when you had a reason to suspect someone of a crime," said Mark D. Rasch, the former director of the Justice Department's computer crime unit, who worked on several fraud cases using mail covers. "Now it seems to be 'Let's record everyone's mail so in the future we might go back and see who you were communicating with.' Essentially you've added mail covers on millions of Americans." For mail cover requests, law enforcement agencies simply submit a letter to the Postal Service, which can grant or deny a request without judicial review. Law enforcement officials say the Postal Service rarely denies a request. In other government surveillance program, such as wiretaps, a federal judge must sign off on the requests. The mail cover surveillance requests are granted for about 30 days, and can be extended for up to 120 days. There are two kinds of mail covers: those related to criminal activity and those requested to protect national security. The criminal activity requests average 15,000 to 20,000 per year, said law enforcement officials who spoke on the condition of anonymity because they are prohibited by law from discussing the requests. The number of requests for antiterrorism mail covers has not been made public. [Polley: shall we stop using return-address labels?]

top

- and -

You are being tracked. How license plate readers are being used to record Americans' movements (ACLU, July 2013) - A little noticed surveillance technology, designed to track the movements of every passing driver, is fast proliferating on America's streets. Automatic license plate readers, mounted on police cars or on objects like road signs and bridges, use small, high-speed cameras to photograph thousands of plates per minute. The information captured by the readers - including the license plate number, and the date, time, and location of every scan - is being collected and sometimes pooled into regional sharing systems. As a result, enormous databases of innocent motorists' location information are growing rapidly. This information is often retained for years or even indefinitely, with few or no restrictions to protect privacy rights. * * * Full report here .

top

Court Finds that ECPA Does Not Protect Unauthorized Viewing of Opened Emails (Steptoe, 4 July 2013) - The U.S. District Court for the Northern District of Ohio has held, in Lazette v. Kulmatycki, et al., that emails that the intended recipient has opened and not deleted are not in "electronic storage" within the meaning of the Electronic Communications Privacy Act (ECPA). Accordingly, a private party that views such emails without authorization cannot be sued under the statute. The court also held, however, that the intended recipient can sue someone who viewed unopened emails without authorization. Courts are split on the statute's confusing definition of electronic storage. While proposed amendments to ECPA offered by Sen. Patrick Leahy and Rep. Zoe Lofgren would eliminate the distinction between opened and unopened communications when it comes to government access (i.e., they would require a search warrant for both), they would not address the disparity in treatment when it comes to protection against unauthorized access by private parties. One would think privacy advocates and ECPA "reformists" would be raising a ruckus about this. But they're not. Is it because they want to allow unauthorized access by hackers and "whistleblowers" to confidential communications, or is it because they just haven't noticed?

top

Privacy Protests: Surveillance Evasion and Fourth Amendment Suspicion (Elizabeth Joh, Arizona Law Review) - Abstract: The police tend to think that those who evade surveillance are criminals. Yet the evasion may only be a protest against the surveillance itself. Faced with the growing surveillance capacities of the government, some people object. They buy "burners" (prepaid phones) or "freedom phones" from Asia that have had all tracking devices removed, or they hide their smartphones in ad hoc Faraday cages that block their signals. They use to surf the internet. They identify tracking devices with GPS detectors. They avoid credit cards and choose cash, prepaid debit cards, or bitcoins. They burn their garbage. At the extreme end, some "live off the grid" and cut off all contact with the modern world. These are all examples of what I call privacy protests: actions individuals take to block or to thwart government surveillance for reasons that are unrelated to criminal wrongdoing. Those engaged in privacy protests do so primarily because they object to the presence of perceived or potential government surveillance in their lives. How do we tell the difference between privacy protests and criminal evasions, and why does it matter? Surprisingly scant attention has been given to these questions, in part because Fourth Amendment law makes little distinction between ordinary criminal evasions and privacy protests. This article discusses the importance of these ordinary acts of resistance, their place in constitutional criminal procedure, and their potential social value in the struggle over the meaning of privacy.

top

FTC Updates COPPA Rules (Information Week, 5 July 2013) - The Federal Trade Commission said this week that revised rules for the Children's Online Privacy Protection Act of 1998 (COPPA) have taken effect. Since COPPA was first written, notions of what constitutes an online site or service, as well as data collection practices, have evolved substantially, not least due to the rise of mobile computing and social networking. Also relatively new is behavioral tracking, which can record what users do across multiple sites. On the latter front, the new final rule amendments to COPPA now "make clear that the rule covers an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors." The revision also updates the FTC's definition of personal information "to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services," as well as photos, videos and audio recordings. That said, COPPA also relies on children self-reporting their age, and exonerates businesses that don't provide notification or obtain parental consent if a child reports his age is 13 or above. Before the new rules took effect, the FTC already had signaled that COPPA applied not only to websites, but also smartphone apps and the greater mobile and advertising ecosystem.

top

Printing Art at Home with a 3D Printer (KPBS, 9 July 2013) - There's a white bust of Albert Einstein on a table in Cosmo Wenman's studio. The Vista resident picks it up with ease. It's clearly not made of marble. In fact, the bust weighs a mere 2 lbs. Even more jarring, Wenman removes the face from the bust to reveal a hollow interior. The statue has Einstein's wild locks and all-to familiar visage, but the whole thing is composed of plastic. It was made with Wenman's 3D printer. Wenman is using his 3D printer to make copies of famous antiquities and works of art. Case in point: an impressive duo of horse heads on a credenza in Wenman's dining room. They are copies of a piece called "Head of a Horse of Selene." The original is in the British Museum; before that it was on the Parthenon in Athens, Greece (part of the now infamous Elgin Marbles). Wenman's copies are life-size. They have a bronze and brass patina finish. The original is marble. Wenman printed 29 separate pieces of plastic and glued them together to form each horse head. He recently showed one at the massive Consumer Electronics Show in Las Vegas. At one point he noticed a man putting his hands all over the horse head, exploring it. "And I'm thinking oh my god, I hope he doesn't break it or something," said Wenman. "When the guy turned around, I realized he was blind." Wenman copies antiquities because those artists are long dead, so there is no copyright. "If I were his lawyer, I'd tell him that's smart," said Julie Samuels, a staff attorney at the Electronic Frontier Foundation who also holds the title "The Mark Cuban Chair to Eliminate Stupid Patents" (no joke). Wenman's growing archive of documented works for 3D printing puts him ahead of much of the museum world. "Many museums in the world have barely covered their collection with 2D photography," said Tatjana Dzambazova, a senior project manager and technology whisperer (no joke, #2) at Autodesk, Inc. The San Francisco-based company designs software for 3D printing, as well as for other industries like architecture and entertainment. Dzambazova says there are only a handful of museums capturing their collections for 3D digitization and printing.

top

- and -

eBay Dips Toes Into 3-D Printing Market With iOS App (Slashdot, 13 July 2013) - An anonymous reader writes: "eBay has announced a new iOS app called eBay Exact that lets you buy customizable 3D-printed merchandise on the go . You can download the new addition now directly from Apple's App Store . The products in question are available from three leading 3D printing companies, according to eBay: Brooklyn-based MakerBot , France-based Sculpteo , and Toronto, Canada-based Hot Pop Factory . Currently, customers can choose from only about 20 items, ranging from technology accessories to jewelry, but that number is likely to grow fairly quickly." [Polley: another fascinating podcast from the LongNow Foundation on-point: " The Makers Revolution "]

top

Rot at the Court! (Volokh Conspiracy, 10 July 2013) - An interesting new article by Raizel Liebler & June Liebert in the Yale J. of Law and Technology on "link rot" in Supreme Court opinions finds that almost 30% of the Internet URLs cited in Supreme Court opinions since the first such citation in 1996 (!) no longer work. It's not the end of the world, I suppose, but it's a pretty troublesome little problem; citations are the tendons that hold our legal system together, in many ways, and the inability of scholars or others in the future to have access to information that the Court relied on in some way in making a decision is potentially a serious matter. [Polley: What about apparently secret FISC legal rulings, for which there's never been a URL?]

top

Coursera Lands $43M From The World Bank, Yuri Milner & More To Bring Online Education Abroad (TechCrunch, 10 July 2013) - It was just over a year ago that Coursera burst onto the higher education landscape with ambitious plans to throw open the doors to America's top institutions, bring them online and offer an Ivy League-caliber education to the masses for free. Just two months after launch, the Mountain View-based startup put the finishing touches on an impressive $22 million funding round, backed by top venture firms like Kleiner Perkins and NEA as well as two of its university partners, The California Institute of Technology and the University of Pennsylvania. Fast forward to the present, and backed by snowballing interest in online education and massive open online courses (MOOCs), Coursera is showing no signs of slowing down. Since launch, thanks to eager adoption from a growing set of institutions looking to jump on the digital education bandwagon, Coursera has propelled across four continents, with 83 of America's top colleges already on board. With over 400 free college-level courses now in its catalog and four million students in its virtual lecture halls, the startup is adding a huge new chunk of change to its coffers, announcing this morning it has closed a $43 million series B financing round from GSV Capital, the International Finance Corporation (IFC), the investment arm of the World Bank, Laureate Education, Learn Capital and renowned entrepreneur and investor, Yuri Milner, among others. With this new capital in tow, which brings its total to $65 million, Coursera has big plans ahead. Over the last six months, Coursera has been working its way into new territory, taking first steps into the K-12 market and announcing that its first five courses had been approved for "credit equivalency" by the American Council on Education. In other words, with ACE's blessing, any student who completes one of the five courses is now eligible to receive college transfer credit.

top

Are fan translations an infringement of copyright? (Technollama, 11 July 2013) - The Swedish police has raided and taken offline Subtexter, a website where users upload and exchange fan-made files that can be used by a media player to provide subtitles to popular movies and shows before their translations have been made available by the rights holders. The action was taken at the request of the infamous Copyright Alliance, the Swedish arm of the content industries.

top

Anyone Traveling Into The UK Can Have Their Phones Seized And Data Downloaded Without Cause (TechDirt, 16 July 2013) - An independent review of the UK's anti-terrorism laws has found that the British "border patrol" functions much like ours when it comes to electronics. If you're bringing it across the border, it can be seized, searched and the data retained indefinitely . Officers use counter-terrorism laws to remove a mobile phone from any passenger they wish coming through UK air, sea and international rail ports and then scour their data. The blanket power is so broad they do not even have to show reasonable suspicion for seizing the device and can retain the information for "as long as is necessary". Data can include call history, contact books, photos and who the person is texting or emailing, although not the contents of messages. UK police officers are also authorized to do this to UK citizens, although they are limited to seizing the phone and downloading information only after making an arrest. The border control officers have no such limitations. Scotland Yard, which is in charge of the UK's counterterrorism efforts, spells out travelers' rights this way: Under the Terrorism Act 2000 a person may be detained and questioned for up to nine hours to determine if that individual is a person concerned in the commission, preparation or instigation of acts of terrorism as outlined in the Act.

top

Snowfallen (Medium.com, 16 July 2013) - There's a new verb in the journalism business, and it's a doozy: to snowfall . Definition: to publish a whopping great story online that's stuffed full of integrated multimedia elements - in the manner of the New York Times ' Snow Fall , the epic report on a brutal avalanche that was released late last year to much acclaim. Snow Fall wasn't the first of this new wave of online storytelling, and it certainly won't be the last. But it's already become the canonical example. Just look: there are similar treatments happening all over the place - exciting things from Pitchfork , from the Daily Telegraph and the Guardian and many others… all, I suppose, "snowfallen". These beautiful interactive treatments of stories show no signs of slowing down. In fact, the Times liked it so much it has just appointed a "snowfaller-in-chief" to go and roll out this sort of concept again and again.

top

Unitarian Church, Gun Groups Join EFF to Sue NSA Over Illegal Surveillance (EFF, 16 July 2013) - Nineteen organizations including Unitarian church groups, gun ownership advocates, and a broad coalition of membership and political advocacy organizations filed suit against the National Security Agency (NSA) today for violating their First Amendment right of association by illegally collecting their call records. The coalition is represented by the Electronic Frontier Foundation (EFF), a group with years of experience fighting illegal government surveillance in the courts.

"The First Amendment protects the freedom to associate and express political views as a group, but the NSA's mass, untargeted collection of Americans' phone records violates that right by giving the government a dramatically detailed picture into our associational ties," said EFF Legal Director Cindy Cohn. "Who we call, how often we call them, and how long we speak shows the government what groups we belong to or associate with, which political issues concern us, and our religious affiliation. Exposing this information - especially in a massive, untargeted way over a long period of time - violates the Constitution and the basic First Amendment tests that have been in place for over 50 years." For the full complaint in First Unitarian v. NSA:
 https://www.eff.org/node/75009

top

- and -

Intelligence Under Law -- Judiciary Testimony (Stewart Baker, 16 July 2013) - I'll be testifying tomorrow to the full House Judiciary Committee about FISA, NSA, and the Snowden flap. (The full prepared remarks are here: Download Pdf of Baker testimony to House Judiciary Committee on FISA .) I used this opportunity to muse on the resemblance between today and the waning Clinton era: * * * [Polley: Fascinating and thorough. TechDirt's Mike Masnick has a blistering response to Stewart's testimony here .]

top

- and -

Metadata, the NSA, and the Fourth Amendment: A Constitutional Analysis of Collecting and Querying Call Records Databases (Orin Kerr on The Volokh Conspiracy, 17 July 2013) - In his recent Wall Street Journal op-ed, my co-blogger Randy Barnett argues that massive-scale collection of communications metadata by the NSA violates the Fourth Amendment because it is an unreasonable seizure. Randy's colleague Laura K. Donohue recently argued in the Washington Post that such collection violates the Fourth Amendment as an unreasonable search. Jennifer Granick and Chris Sprigman made a similar argument in the New York Times . Are they right? Does obtaining all telephony metadata under Section 215 - and then querying the database - violate the Fourth Amendment? In this post, I'll start with current law, and I'll explain why current law supports the conclusion that massive-scale collection of communications meta-data by the NSA does not violate the Fourth Amendment rights of its customers. I'll then consider alternate views of the Fourth Amendment and explain the prospects and challenges of using the mosaic theory to get to a contrary result. I'll then turn to the argument Randy flags that obtaining this metadata may violate the rights of the communications providers instead of customers. This strikes me as a plausible argument, but not a certain one; I find the issue doctrinally murky, and I don't have a strong view of it. But in this post I'll offer the arguments for the sake of those interested in them.

top

NSA warned to rein in surveillance as agency reveals even greater scope (The Guardian, 17 July 2013) - The National Security Agency revealed to an angry congressional panel on Wednesday that its analysis of phone records and online behavior goes exponentially beyond what it had previously disclosed. John C Inglis, the deputy director of the surveillance agency, told a member of the House judiciary committee that NSA analysts can perform "a second or third hop query" through its collections of telephone data and internet records in order to find connections to terrorist organizations. "Hops" refers to a technical term indicating connections between people. A three-hop query means that the NSA can look at data not only from a suspected terrorist, but from everyone that suspect communicated with, and then from everyone those people communicated with, and then from everyone all of those people communicated with. Inglis did not elaborate, nor did the members of the House panel - many of whom expressed concern and even anger at the NSA - explore the legal and privacy implications of the breadth of "three-hop" analysis. But Inglis and other intelligence and law enforcement officials testifying before the committee said that the NSA's ability to query the data follows rules set by the secret FISA court, although about two dozen NSA officials determine for themselves when those criteria are satisfied. A document published last month by the Guardian detailing the history of the NSA's post-9/11 bulk surveillance on telephone and internet data refer to one- or two-hop analysis performed by NSA. The document, provided by ex-NSA contractor Edward Snowden, does not explicitly mention three-hop analysis, nor does it clearly suggest that such analysis occurs.

top

NLRB General Counsel Keeps Unfriending Employer Social Media Policies (Reed Smith, 17 July 2013) - In a just-released Advice Memorandum found here , the NLRB General Counsel's office ("GC") publicized its position that employers must bargain with their unions before implementing new social media policies. The Memo "casually" notes that work rules, such as social media guidelines, provide an independent basis for discipline and are mandatory subjects of bargaining. According to the GC, even if an employer navigates around the ever-increasing landmines set by the Board and GC in developing a social media policy, employers must also seek union approval before implementing the policy, unless, of course, the underlying collective bargaining agreement contains a clear and unmistakable waiver of the union's right to bargain over such policies. The Memo also reemphasized prior GC social media pronouncements to find that certain provisions of Giant Food's policy - commonly found within employee handbooks - infringed on its employees' National Labor Relations Act ("NLRA") rights. Below are the infringing guidelines and why, according to the GC, they violate federal labor law. * * *

top

Distinguishing Fact from Opinion: The Second Circuit Rules on Scientific Articles (Harvard's DMLP, 19 July 2013) - In a recent case before the Second Circuit, the Court of Appeals held that conclusions in scientific articles are akin to statements of opinion for defamation purposes and cannot give rise to actionable claims of false advertising under the Lanham Act or state statutory equivalents. In the Court's words, "the line between fact and opinion is not always a clear one" - and this recent decision has muddled that divide even more. Although the Court admirably applied opinion doctrine to scientific speech, its merit-based distinctions unnecessarily complicate this doctrine. ONY, Inc. v. Cornerstone Therapeutics, Inc. , No. 12-2414 (2d Cir. 2013), involve s a 2011 article published in the leading journal in neonatology, the Journal of Perinatology , regarding surfactants, compounds whose name comes from "surface acting agents" and which can be produced naturally by the human body. The article detailed a study of "in-hospital mortality in preterm infants with respiratory distress syndrome," examining the relative effectiveness of three surfactants used to treat a condition in which the lungs of infants produce insufficient natural surfactants. The article ultimately suggested that use of the surfactants manufactured by defendant Chiesi led to a lower infant mortality rate than that manufactured by plaintiff ONY. ONY alleged that this article contained many factual errors and selectively included results that favored Chiesi's product in a way that deceived and misled readers. In this case, ONY raised claims arising out of the article's publication and distribution. In particular, ONY sued under the Lanham Act and New York General Business Law § 349 for false advertising, and for injurious falsehood and tortious interference with prospective economic advantage in accordance with New York common law . In its discussion of the false advertising claims and defamation-based free speech concerns, the Second Circuit noted the difficulty in applying the traditional fact-opinion distinction in First Amendment jurisprudence to new scientific discourse. Although we are generally inclined to say that scientific speech is closer to the fact end of that spectrum - it can be empirically proven or disproven - analysis of data and the role of hypotheses in the scientific method complicate this notion.

top

Mind the Gap: Explaining Problems with International Law Where Cybersecurity and Critical Infrastructure Protection Meet (GMU's CIP Report, July 2013) - Critical infrastructure protection (CIP) policy emphasizes the importance of protecting such infrastructure from vulnerabilities associated with information and communication technologies (ICTs) and recognizing that networked ICTs (and the network architecture) constitute critical infrastructure. Similarly, cybersecurity policy identifies CIP as an objective. The CIP-focused and cybersecurity approaches have stressed the need for international cooperation, including the value of developing international legal rules. However, after over a decade of experience, a gap persists between the much- proclaimed need for more effective international law in this area and the international law that exists. Three factors explain the gap's persistence. First, cooperation on CIP and its cyber features developed within existing diplomatic mechanisms without requiring new international law. Second, patterns in cybersecurity policy affect what states seek to achieve and how they use international law. Third, international politics on cybersecurity increasingly reflect geo-political competition-a context that has never proved conducive to international law. These factors create obstacles for developing international law on the cyber aspects of CIP, meaning that the existing gap might go from persistent to permanent. * * *

top

RESOURCES

CRS - NSA Surveillance Leaks: Background and Issues for Congress (BeSpacific, 9 July 2013; authors: Marshall Curtis Erwin, Analyst in Intelligence and National Security; Edward C. Liu, Legislative Attorney. July 2, 2013) - "Recent attention concerning National Security Agency (NSA) surveillance pertains to unauthorized disclosures of two different intelligence collection programs. Since these programs were publicly disclosed over the course of two days in June, there has been confusion about what information is being collected and what authorities the NSA is acting under. This report clarifies the differences between the two programs and identifies potential issues that may help Members of Congress assess legislative proposals pertaining to NSA surveillance authorities. One program collects in bulk the phone record -specifically the number that was dialed from, the number that was dialed to, and the date and duration of the call-of customers of Verizon Wireless and possibly other U.S. telephone service providers. It does not collect the content of the calls or the identity of callers…The other program collects the electronic communications, including content, of foreign targets overseas whose communications flow through American networks. The Director of National Intelligence has acknowledged that data are collected pursuant to Section 702 of FISA. As described, the program may not intentionally target any person known at the time of acquisition to be located in the United States, which is prohibited by Section 702. Beyond that, the scope of the intelligence collection, the type of information collected and companies involved, and the way in which it is collected remain unclear." Paper here .

top

CRS Study - Foreign Surveillance and the Future of Standing to Sue Post-Clapper (BeSpacific, 14 July 2013) - "Recent news accounts (and government responses to those news accounts) have indicated that the government is reportedly engaged in a surveillance program that gathers vast amounts of data, including records regarding the phone calls, emails, and Internet usage of millions of individuals. The disclosures to the media reportedly suggest that specific telecommunication companies have been required to disclose certain data to the government as part of the intelligence community's surveillance efforts. The recent controversy over the reports of government targeting efforts comes months after the Supreme Court ruled in a case called Clapper v. Amnesty International . In Clapper, the Court dismissed a facial constitutional challenge to section 702 of the Foreign Intelligence Surveillance Act on constitutional standing grounds. Specifically, the Clapper court found that the litigants, a group of attorneys and human rights activists who argued that their communications with clients could be the target of foreign intelligence surveillance, could not demonstrate they would suffer a future injury that was "certainly impending," the requirement the majority of the Court found to be necessary to establish constitutional standing when asking a court to prevent a future injury." CRS paper here .

top

FUN

NSA spying; how much does Obama know?
top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Court Rules Against Network Associates' Software Review Policy (New York Times, 18 Jan 2003) -- A New York court has ruled that Network Associates, a maker of popular antivirus and computer security software, may not require people who buy the software to get permission from the company before publishing reviews of its products. The decision, which the company has vowed to appeal, could carry a penalty in the millions of dollars, according to Ken Dreifach, chief of the Internet bureau of the office of the New York State attorney general, Eliot Spitzer. Last spring, Mr. Spitzer sued Network Associates, which has its headquarters in Santa Clara, Calif., asserting that the company's software included an unenforceable clause that effectively violated consumers' free speech. The clause, which appeared on software products and the company's Web site, read: "The customer will not publish reviews of this product without prior consent from Network Associates Inc." In a decision the parties received late Thursday, Justice Marilyn Shafer of State Supreme Court in Manhattan ruled that the clause was deceptive and that it warranted a fine, which she wrote that she would determine in the future. Mr. Dreifach said the decision had implications beyond Network Associates. "These types of clauses are not uncommon," he said. The decision "raises the issue of whether these types of clauses - whether they restrict use, resale or the right to criticize - are enforceable," he added. Indeed, other software makers, including Microsoft, have been criticized by product reviewers for including prohibitions in their users' licenses.

top

Homeland Chief Mulls SEC Cybersecurity Filings (Washington Post, 9 Oct 2003) -- Publicly traded companies could be required to disclose whether they are doing anything to secure information on their computer systems, U.S. Homeland Security Secretary Tom Ridge said on Thursday. Ridge said he had met with William Donaldson, chairman of the Securities and Exchange Commission, to discuss whether companies should be required to disclose cybersecurity efforts in their SEC filings. "I think we need to talk about some kind of public disclosure, what are you doing about your security, physical and cybersecurity. Tell your shareholders, tell your employees, tell your communities within which you operate," Ridge told the Business Software Alliance, a software-industry trade group. The government used a similar approach to encourage companies to fight the "Y2K bug," the worry that data could be lost when computers' internal clocks switched over to the year 2000.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top