Saturday, August 31, 2013

MIRLN --- 11-31 August 2013 (v16.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Live threat intelligence impact report 2013 (Ponemon Institute, 26 July 2013) - This comprehensive study of 708 respondents from 378 enterprises reveals the financial damage that slow, outdated and insufficient threat intelligence is inflicting on global enterprises and how live threat intelligence provides the ability to better defend against compromises, breaches and exploits. Today's headlines and a barrage of marketing content lead many enterprise IT security and risk professionals to conclude that common cybercriminal tactics such as phishing attacks, malware and stolen credentials are responsible for the majority of breaches and compromises taking place. While enterprises certainly need to defend against these attack vectors, this research reveals the connection between thwarting compromises and the need to have access to the most immediate threat intelligence available, or what is becoming known as "live threat intelligence." The research also shows that enterprises experiencing the highest number of compromises and breaches are reliant on slow, outdated and insufficient intelligence. The findings in this report lead to a number of conclusions that will help security and risk professionals reduce the risk of breaches and compromises within the enterprises they are responsible for defending. These conclusions highlight the value of immediate threat intelligence, the current state of threat intelligence, the importance of live threat intelligence and the propensity enterprises have to invest in live intelligence solutions. To access click here. [ Polley : Fascinating! An informative slide presentation summarizing the study is here. Surprising how many companies know they are targets, and what a large percentage of attacks come from within the US (71%). Only 31% of companies have cyber risk insurance. Also, "Legal and compliance requirements" are the primary driver for IT security spending.
Press coverage: Despite praising benefits of data breach cyber insurance, most companies remain uninsured (Market Watch, 7 August 2013)]

DEA and NSA team up to share intelligence, leading to secret use of surveillance in ordinary investigations (EFF, 6 August 2013) - As the NSA scoops up phone records and other forms of electronic evidence while investigating national security and terrorism leads, they turn over "tips" to a division of the Drug Enforcement Agency ("DEA") known as the Special Operations Division ("SOD"). FISA surveillance was originally supposed to be used only in certain specific, authorized national security investigations, but information sharing rules implemented after 9/11 allow the NSA to hand over information to traditional domestic law-enforcement agencies, without any connection to terrorism or national security investigations. But instead of being truthful with criminal defendants, judges, and even prosecutors about where the information came from, DEA agents are reportedly obscuring the source of these tips. For example, a law enforcement agent could receive a tip from SOD - which SOD, in turn, got from the NSA - to look for a specific car at a certain place. But instead of relying solely on that tip, the agent would be instructed to find his or her own reason to stop and search the car. Agents are directed to keep SOD under wraps and not mention it in "investigative reports, affidavits, discussions with prosecutors and courtroom testimony," according to Reuters. UPDATE: Add the IRS to the list of federal agencies obtaining information from NSA surveillance. Reuters reports that the IRS got intelligence tips from DEA's secret unit (SOD) and was also told to cover up the source of that information by coming up with its own independent leads to recreate the information obtained from SOD. So that makes two levels of deception: SOD hiding the fact it got intelligence from the NSA and the IRS hiding the fact it got information from SOD.
Even worse, there's a suggestion that the Justice Department (DOJ) "closely guards the information provided by SOD with strict oversight," casting doubt on the effectiveness of DOJ's earlier announced efforts to investigate the program. [ Polley : Jennifer Granick has a passionate editorial about this here: NSA, DEA, IRS lie about fact that Americans are routinely spied on by our government: time for a special prosecutor (Forbes, 14 August 2013)]

51% of U.S. adults bank online (Pew, 7 August 2013) - Fifty-one percent of U.S. adults, or 61% of internet users, bank online. Thirty-two percent of U.S. adults, or 35% of cell phone owners, bank using their mobile phones. These findings are based on nationally representative surveys by the Pew Research Center designed to track an activity that is often held up as a proxy for consumer trust in online transactions and as an example of how one industry has enabled data to flow among different institutions. Both types of digital banking are on the rise. In 2010, 46% of U.S. adults, or 58% of internet users, said they bank online. In 2011, 18% of cell phone owners said they have used their phone to check their balance or transact business with a bank.

Legal ethicists are playing catch-up to create social media guidelines for lawyers, judges (ABA Journal, 10 August 2013) - Blogs, Twitter, Facebook, Google+, LinkedIn - there are now many social media platforms which lawyers are urged to use to build business and retain clients. But they also present many opportunities to run afoul of legal ethics rules. In recent years, the states have been putting out a steady stream of ethics opinions and court rulings on how professional conduct rules for lawyers apply to social media. And a year ago, the ABA House of Delegates adopted several revisions to the Model Rules of Professional Conduct to give lawyers further guidance on how to adapt communications technology to how they interact with clients and prospective clients. But panelists at the ABA Annual Meeting program "Things My Ethics Professor Didn't Tell Me: Top Ethical Pitfalls for the Social Media Age" expressed concern that all this effort still may not be keeping up with changes in communications technology. The revisions to the Model Rules, which serve as the basis for binding ethics standards in every state - except California (which uses a different structure for its rules) - were adopted by the House at the 2012 ABA Annual Meeting in Chicago at the recommendation of the Commission on Ethics 20/20, which was created in 2009 to study the impact of technology and globalization on lawyer ethics and regulation. "The Ethics 20/20 Commission did an extraordinary job," said panelist Juliet M. Moringiello, a law professor at Widener University in Harrisburg, Pa., to the audience of the ABA Business Law Section's event in San Francisco. "But so much electronic communications is running so far ahead of ethics rules, and the commission may still have been focused on what was rather than what will be." Another area that is receiving attention is the use of social media by judges.
The general consensus developing is that judges should not seek to "friend" lawyers on social media sites who are likely to appear before them, but the specific application often is fuzzy. A 2011 opinion from Oklahoma, for instance, says judges may include lawyers as friends on networks like LinkedIn or Facebook "as long as they [judges] don't otherwise use the networks improperly." Opinions on the issue also urge judges to avoid the "appearance of impropriety" in their contacts with lawyers. But opinions, including ABA Formal Opinion 462, issued earlier this year by the Standing Committee on Ethics and Professional Responsibility, acknowledge that applying the standard can be difficult.

- and -

Law firms can't describe 'specialties' on LinkedIn, New York ethics opinion says (ABA Journal, 16 August 2013) - Law firms may not describe their services in a section of LinkedIn devoted to specialties, according to a New York ethics opinion. New York ethics rules allow lawyers, but not law firms, to state that they have been certified as a specialist, according to the June 26 opinion (PDF) by the New York State Bar Association's Committee on Professional Ethics. As a result, only appropriately certified lawyers may list specialties, provided that they comply with disclosure requirements. The ABA/BNA Lawyers' Manual on Professional Conduct has a summary. According to the ethics opinion, a law firm may identify areas of law practice. "But to list those areas under a heading of 'Specialties,' would constitute a claim that the lawyer or law firm 'is a specialist or specializes in a particular field of law,'" the opinion said.

Former DHS deputy secretary launches cybersecurity council (Hillicon Valley, 12 August 2013) - The former deputy secretary of the Homeland Security Department announced the launch of a cybersecurity nonprofit organization on Monday that's focused on the dual goals of preserving an open Internet and encouraging the adoption of best practices to secure computer systems against cyberattacks. Jane Holl Lute will serve as the president and chief executive officer of the new nonprofit organization, called the Council on Cybersecurity. Lute stepped down from her role as the second-highest official at the Department of Homeland Security this spring, and her name has been floated as a possible candidate to succeed Homeland Security Secretary Janet Napolitano. In remarks at a cybersecurity conference in Washington, Lute said the council would be focused on spreading the adoption of cybersecurity best practices and equipping the cyber workforce with the skills needed to tackle the evolving challenges that lie ahead in protecting cyberspace. As part of its efforts, the council will encourage the adoption of the critical security controls developed by SANS, as well as work on updating and improving them to better secure the public and private sectors from cyberattacks. [ Polley : SANS describes Lute's goals as "* * * to provide a minimum standard of due care that will allow top executives of corporations and governments to measure their organizations' cybersecurity defenses and skills."]

The NSA is commandeering the Internet (Bruce Schneier in The Atlantic, 12 August 2013) - It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose. Others cooperate, either out of patriotism or because they believe it's easier that way. I have one message to the executives of those companies: fight. Do you remember those old spy movies, when the higher ups in government decide that the mission is more important than the spy's life? It's going to be the same way with you. You might think that your friendly relationship with the government means that they're going to protect you, but they won't. The NSA doesn't care about you or your customers, and will burn you the moment it's convenient to do so. We're already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They've lost the trust of their customers, and explaining what they do -- and don't do -- is how to get it back. The government has refused; they don't care. It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they'll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they're sloppy. They'll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn't have a copy, the next whistleblower will. This is why you have to fight.
When it becomes public that the NSA has been hoovering up all of your users' communications and personal files, what's going to save you in the eyes of those users is whether or not you fought. Fighting will cost you money in the short term, but capitulating will cost you more in the long term. * * * You, an executive in one of those companies, can fight. You'll probably lose, but you need to take the stand. And you might win. It's time we called the government's actions what they really are: commandeering. Commandeering is a practice we're used to in wartime, where commercial ships are taken for military use, or production lines are converted to military production. But now it's happening in peacetime. Vast swaths of the Internet are being commandeered to support this surveillance state. If this is happening to your company, do what you can to isolate the actions. Do you have employees with security clearances who can't tell you what they're doing? Cut off all automatic lines of communication with them, and make sure that only specific, required, authorized acts are being taken on behalf of government. Only then can you look your customers and the public in the face and say that you don't know what is going on -- that your company has been commandeered. [ Polley : More by Bruce here; the part about Qwest is particularly interesting: More on the NSA Commandeering the Internet (Bruce Schneier, 30 August 2013)]

- and -

How the NSA leaks could affect the US cloud computing industry (CS Monitor, 26 August 2013) - A recent report from the Information Technology and Innovation Foundation estimates that the United States' multibillion-dollar US cloud computing industry stands to lose anywhere from $22 to $35 billion over the next three years because of the NSA revelations. "If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either," said European Commissioner for Digital Affairs Neelie Kroes in an interview with the Guardian in July. "If I am right, there are multibillion-euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now." Industry shifts since the NSA leaks in early June support Mr. Kroes' argument. Amazon Web Services, widely acknowledged as the global market leader in cloud storage, cut some of its prices by 80 percent in July to remain competitive. The writing on the walls seems clear: The NSA leaks will hurt US cloud companies. But to peg an industry shift to June 2013 would overlook a larger trend that has been taking place in the industry since 2001. [ Polley : see also More PRISM fallout: Indian government may ban Gmail use (GigaOM, 30 August 2013)]

- and -

Susan Landau on Snowden's revelations (Lawfare, 15 August 2013) - Susan Landau has a new piece at Computing Now called Making Sense from Snowden: What's Significant in the NSA Surveillance Revelations: Did Snowden cause irreparable harm, or did he reveal facts that should be publicly examined? What are the facts, anyhow? This article seeks to put the Snowden revelations in context, explaining what's new, why it matters, and what might happen next.

- and -

NSA often broke rules on privacy, audit shows (NYT, 16 August 2013) - The National Security Agency violated privacy rules protecting the communications of Americans and others on domestic soil 2,776 times over a one-year period, according to an internal audit leaked by the former N.S.A. contractor Edward J. Snowden and made public on Thursday night. The violations, according to the May 2012 audit, stemmed largely from operator and system errors like "inadequate or insufficient research" when selecting wiretap targets. The largest number of episodes - 1,904 - appeared to be "roamers," in which a foreigner whose cellphone was being wiretapped without a warrant came to the United States, where individual warrants are required. A spike in such problems in a single quarter, the report said, could be because of Chinese citizens visiting friends and family for the Chinese Lunar New Year holiday. "Roamer incidents are largely unpreventable, even with good target awareness and traffic review, since target travel activities are often unannounced and not easily predicted," the report says. The report and several other documents leaked by Mr. Snowden were published by The Washington Post. They shed new light on the intrusions into Americans' privacy that N.S.A. surveillance can entail, and how the agency handles violations of its rules. Jameel Jaffer of the American Civil Liberties Union said that while some of the compliance violations were more troubling than others, the sheer number of them was "jaw-dropping." Another newly disclosed document included instructions for how N.S.A. analysts should record their rationales for eavesdropping under the FISA Amendments Act, or F.A.A., which allows wiretapping without warrants on domestic networks if the target is a noncitizen abroad. The document said analysts should keep descriptions of why the people they are targeting merit wiretapping to "one short sentence" and avoid details like their names and supporting information.
A brief article in an internal N.S.A. newsletter offered hints about a known but little-understood episode in which the Foreign Intelligence Surveillance Court found in 2011 that the N.S.A. had violated the Fourth Amendment. The newsletter said the court issued an 80-page ruling on Oct. 3, 2011, finding that something the N.S.A. was collecting involving "Multiple Communications Transactions" on data flowing through fiber-optic networks on domestic soil was "deficient on statutory and constitutional grounds."

40 maps that will help you make sense of the world (Twisted Sifter, 13 August 2013) - If you're a visual learner like myself, then you know maps, charts and infographics can really help bring data and information to life. Maps can make a point resonate with readers and this collection aims to do just that. Hopefully some of these maps will surprise you and you'll learn something new. A few are important to know, some interpret and display data in a beautiful or creative way, and a few may even make you chuckle or shake your head. [ Polley : I especially like the maps "The Only 22 Countries Britain has NOT Invaded", and the dynamic "Global Internet Usage Based on Time of Day".]

Topics for law-blogging: 125+ suggestions (Prof. Walter Effross, 14 August 2013) - Below are various suggested topics - some of which overlap, and some of which might be combined - for law-blogging (although they could also be refined into topics for individual law review articles or other publications). They are drawn primarily from the domains of corporate governance, e-commerce, intellectual property, payment systems, and bankruptcy law, and of course are not meant to constitute an exhaustive list even for these areas.

America's most profitable company per employee makes your phone work - and it's not Apple (Quartz, 14 April 2013) - You'd be forgiven for not recognizing the name InterDigital, despite the fact that it has been around since 1972 and developed many of the technologies that are critical to our increasingly mobile, wireless world. As a result, per employee, InterDigital is the most profitable company in the US, with a net income of $937,255 per worker, according to Bloomberg's just-released visual compendium of data. And the only thing InterDigital produces is designs for new technology - and the occasional lawsuit. But whatever you do, don't call InterDigital a patent troll - CEO William Merritt hates that term. And it's admittedly not a fair label for InterDigital, in contrast to firms that merely buy up patents in order to then sue other people over them. Like ARM, the Cambridge, UK-based company that designs the chips that are in practically every mobile device on the planet, InterDigital does not manufacture anything itself. Yet the company employs more than 200 engineers who have collectively helped InterDigital amass a trove of patents that could be worth billions. InterDigital also creates working prototypes of all of its technologies, in order to demonstrate them to industry partners like Alcatel-Lucent, who later incorporate them into their products. [ Polley : surprising.]

Google: Gmail users shouldn't expect email privacy (The Guardian, 14 August 2013) - Gmail users have no "reasonable expectation" that their emails are confidential, Google has said in a court filing. Consumer Watchdog, the advocacy group that uncovered the filing, called the revelation a "stunning admission." It comes as Google and its peers are under pressure to explain their role in the National Security Agency's (NSA) mass surveillance of US citizens and foreign nationals. "Google has finally admitted they don't respect privacy," said John Simpson, Consumer Watchdog's privacy project director. "People should take them at their word; if you care about your email correspondents' privacy, don't use Gmail." Google set out its case last month in an attempt to dismiss a class action lawsuit that accuses the tech giant of breaking wire tap laws when it scans emails in order to target ads to Gmail users. That suit, filed in May, claims Google "unlawfully opens up, reads, and acquires the content of people's private email messages." It quotes Eric Schmidt, Google's executive chairman: "Google policy is to get right up to the creepy line and not cross it." According to Google: "Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient's ECS [electronic communications service] provider in the course of delivery."

Communications privacy 2.0 (MLPB, 16 August 2013) - Orin S. Kerr, George Washington University Law School, is publishing The Next Generation Communications Privacy Act in the University of Pennsylvania Law Review. Here is the abstract: In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and merely tinker with a few small aspects of the statute. This Article offers a thought experiment about what might happen if Congress repealed ECPA and enacted a new privacy statute to replace it. The new statute would look quite different from ECPA because overlooked changes in Internet technology have dramatically altered the assumptions on which the 1986 Act was based. ECPA was designed for a network world with high storage costs and only local network access. Its design reflects the privacy threats of such a network, including high privacy protection for real-time wiretapping, little protection for non-content records, and no attention to particularity or jurisdiction. Today's Internet reverses all of these assumptions. Storage costs have plummeted, leading to a reality of almost total storage. Even United States-based services now serve a predominantly foreign customer base. A new statute would need to account for these changes. The Article contends that a next generation privacy act should contain four features. First, it should impose the same requirement on access to all contents. Second, it should impose particularity requirements on the scope of disclosed metadata. Third, it should impose minimization rules on all accessed content. And fourth, it should impose a two-part territoriality regime with a mandatory rule structure for United States-based users and a permissive regime for users located abroad.

Prison computer 'glitch' blamed for opening cell doors in maximum-security wing (Wired, 16 August 2013) - Florida prison officials say a computer "glitch" may be to blame for opening all of the doors at a maximum security wing simultaneously, setting prisoners free and allowing gang members to pursue a rival with weapons. But a surveillance video released this week (see above) suggests that the doors may have been opened intentionally - either by a staff member or remotely by someone else inside or outside the prison who triggered a "group release" button in the computerized system. The video raises the possibility that some prisoners knew in advance that the doors were going to open. It's the second time in two months that all of the doors in the wing opened at once, officials say, raising questions about whether the first incident was a trial run to see how long it would take guards to respond.

Virtual firms on the decline - why? (MyShingle, 16 August 2013) - According to the 2013 ABA Legal Technology Survey, virtual law practices are on the decline, reports Bob Ambrogi at his Law Sites Blog. The decrease isn't particularly significant; the number of lawyers who describe their practice as virtual declined from 7 to 5 percent between 2012 and 2013, while the number of lawyers providing unbundled legal services (an offering common to many virtual practices) declined from a high of 44 percent in 2012 to 25 percent, in line with 2011. What accounts for the decline in virtual law practices? I think that several factors are at play * * *

State police recorded license plates at political events (The Daily Progress, 18 August 2013) - Virginia State Police recorded the license plates of every vehicle arriving from Virginia to attend President Barack Obama's first inauguration in Washington in 2009, as well as those at campaign rallies three months earlier in Leesburg for then-candidate Obama and Republican vice presidential nominee Sarah Palin. The U.S. Secret Service requested that state police use one of its automated license plate readers at the entrance to the Pentagon to capture and store the plate images as an extra level of security for the inauguration, which was attended by an estimated 1.8 million people. The same was requested for the political rallies. The state police license plate readers have been used statewide since 2006, mostly by on-the-road troopers to detect stolen cars and fugitives. But the data collected were also used to solve other crimes after the fact by being able to track a person to a specific place at a certain time. Up until a February legal opinion issued by Virginia Attorney General Ken Cuccinelli on the collection and dissemination of license plate reader data, state police beginning in 2010 had stored the images of roughly 8 million license plates - some for as long as three years - on a server in the department's data center at state police headquarters in Chesterfield County, said state police Sgt. Robert Alessi, the department's statewide coordinator for the program. But the department says all of it was purged in early March, after Cuccinelli advised that collecting and storing such data in a "passive manner" that is not directly related to a criminal investigation would be in violation of the state's Government Data Collection and Dissemination Practices Act.

The photocopier: a vulnerability hidden in plain sight (HealthITech Law, 18 August 2013) - The U.S. Department of Health and Human Services ("HHS") announced last week that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for more than $1.2 million because it failed to wipe the hard drives when it returned leased photocopiers. OCR's investigation indicated that Affinity impermissibly disclosed protected health information when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. The HHS press release states that Affinity estimated that up to 344,579 individuals may have been affected by this breach.

Cord cliff coming: What happens to TV when Netflix streams live events? (AllThingsD, 19 August 2013) - Netflix has never streamed a live event, and Reed Hastings says it never will. Now, that's a wise comment for a disruptor to put unambiguously on the record - especially since the TV networks could immediately pull their content from Netflix if they ever heard otherwise. But we all know that occasionally CEOs change their minds. So that's why I decided to imagine what would happen if Netflix took on live events. And as soon as I played out the scenario, it became obvious: Sooner or later, it will. Television incumbents wouldn't need to wave off cord cutting if they weren't genuinely scared of it. New data show that 30 percent of U.S. Internet users would consider cutting their expensive and relatively despised cable subscription to watch TV exclusively online. But even with as much content as digital pure-plays like Netflix, iTunes and Hulu now offer, there's one outsized variable that's holding the whole cable bundle together: Live events. Live events are inordinately valuable. They have ultimate scarcity: They happen "right now," they provide a focal point around which hordes of people come together, and they give their viewers an "I was there!" experience beyond just the content itself. They are one of the few must-haves in consumers' media diets. Personally, I can vouch that the Olympics, the Oscars and the Boston Marathon news are the only television in the last year that drew this cord cutter's rabbit ears out of the cabinet. Live events are what cable and broadcast TV have that Netflix doesn't: News, talk shows and - most important - sports. "The biggest question we get from potential cord cutters is how to watch live sports without paying for cable," reports GigaOM. There's still no feasible alternative. At least, not yet.

The FTC and the new common law of privacy (Dan Solove, 19 August 2013) - Abstract: One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies' privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States - more so than nearly any privacy statute and any common law tort. In this article, we contend that the FTC's privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC's privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy "common law" demonstrates that the FTC's privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this "common law" into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, that extends far beyond privacy policies, and that involves a full suite of substantive rules that exist independently from a company's privacy representations.

Prominent law site shuts down because editor worries about government reading her emails (Business Insider, 20 August 2013) - The editor of a well-respected legal site, Groklaw, has announced that she's going to stop producing the site because the government might be reading her emails. Groklaw is a collaborative site that explores the nuances of certain cases and legal decisions, including the recent Apple v. Samsung case. The editor of the site, Pamela Jones, says she can't operate the site without email. And the idea that faceless government spooks might be reading any email that she sends outside the U.S. is too much for her: "[T]he conclusion I've reached is that there is no way to continue doing Groklaw, not long term, which is incredibly sad. But it's good to be realistic. And the simple truth is, no matter how good the motives might be for collecting and screening everything we say to one another, and no matter how "clean" we all are ourselves from the standpoint of the screeners, I don't know how to function in such an atmosphere. I don't know how to do Groklaw like this." Jones isn't just worried about being wrongly accused of crimes. For her, there's the ickiness factor of having her personal privacy violated--a feeling that she says is similar to the feeling she had when her apartment in New York was robbed and the burglar went through all of her underwear. [ Polley : Ed Felten has an interesting post about this here. For me, I'm back to using PGP, when appropriate. The open-source Macintosh package is GPGTools, and fairly straightforward to install, yielding two Apple Mail icons: "sign" and "encrypt". Keyserver distribution of public keys (e.g., thru pgp.mit.edu) is also straightforward - look for mine under "Vincent Polley" - KeyID = AADBBDD7; phone me to confirm key fingerprint.]
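The fingerprint-confirmation step in Polley's note above, as an added example that is not part of the newsletter: it parses the machine-readable output of `gpg --with-colons --fingerprint` and shows why the full 40-hex fingerprint, not the 8-hex KeyID, is what gets confirmed by phone. The long key IDs, fingerprints and addresses in the sample output are constructed placeholders, not the real key's values.

```python
"""Confirm a keyserver-fetched PGP key against an out-of-band fingerprint.

Added example (not from the newsletter). `pub` records in gpg's colon output
carry the 16-hex long key ID in field 5; the `fpr` record that follows each
`pub` carries the full 40-hex fingerprint in field 10. An 8-hex short key ID
such as AADBBDD7 is only the last 32 bits of that fingerprint, so unrelated
keys on a keyserver can share it; the binding check is the full fingerprint.
"""
import hmac
import re

# Constructed sample output: two different keys that both end in AADBBDD7.
# Every long key ID, fingerprint, hash and address here is a placeholder.
SAMPLE_COLON_OUTPUT = """\
tru::1:1377900000:0:3:1:5
pub:u:2048:1:66667777AADBBDD7:1377000000:::u:::scESC::::::23::0:
fpr:::::::::00001111222233334444555566667777AADBBDD7:
uid:u::::1377000000::0000000000000000000000000000000000000001::Vincent Polley <placeholder-one@example.invalid>::::::::::0:
sub:u:2048:1:1111111111111111:1377000000::::::e::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
pub:u:2048:1:33332222AADBBDD7:1377100000:::u:::scESC::::::23::0:
fpr:::::::::99998888777766665555444433332222AADBBDD7:
uid:u::::1377100000::0000000000000000000000000000000000000002::Vincent Polley <placeholder-two@example.invalid>::::::::::0:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Drop the spaces gpg prints between groups of four and upper-case.

    Rejects anything that is not a 40-hex-digit OpenPGP v4 fingerprint, so a
    short or long key ID cannot be passed in by mistake as the thing to check.
    """
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return cleaned


def parse_keys(colon_output: str) -> list:
    """Return one dict per primary key: long key ID, fingerprint, user IDs."""
    keys = []
    current = None
    fpr_pending = False  # True only between a pub record and its own fpr record
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {"keyid": fields[4].upper(), "fingerprint": None, "uids": []}
            keys.append(current)
            fpr_pending = True
        elif rtype == "fpr" and fpr_pending:
            current["fingerprint"] = fields[9].upper()
            fpr_pending = False
        elif rtype == "uid" and current is not None:
            current["uids"].append(fields[9])
        # sub records and the fpr records that follow them are subkeys; ignored
    return keys


def verify_key(colon_output: str, short_id: str, expected_fpr: str) -> dict:
    """Find keys matching a short ID and accept only one whose fingerprint
    equals the out-of-band value. Returns how many keys shared the short ID
    (more than one means the ID alone was ambiguous) and the long key ID of
    the verified key, or None if no candidate matched the fingerprint."""
    want = normalize_fingerprint(expected_fpr)
    short_id = short_id.upper()
    candidates = [k for k in parse_keys(colon_output) if k["keyid"].endswith(short_id)]
    verified = None
    for key in candidates:
        # constant-time comparison; the fingerprint is public, but this is
        # the habit to keep for any equality check on security material
        if key["fingerprint"] and hmac.compare_digest(key["fingerprint"], want):
            verified = key["keyid"]
    return {"candidates": len(candidates), "verified_keyid": verified}


if __name__ == "__main__":
    # The fingerprint as it would be read out over the phone (placeholder value).
    spoken = "9999 8888 7777 6666 5555 4444 3333 2222 AADB BDD7"
    print(verify_key(SAMPLE_COLON_OUTPUT, "AADBBDD7", spoken))
    # -> {'candidates': 2, 'verified_keyid': '33332222AADBBDD7'}
```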

Free Law Ferret: document-to-cited-cases in a click (CitationStylist, 20 August 2013) - In the past couple of posts, I have been holding forth on the possibilities for browser-based parsing of case citations via a JavaScript port of the new parser offered up by the CourtListener project. Mike Lissner has confirmed that I was indeed off-base with the name. As it turns out, "Juriscraper" actually refers to the library used at CourtListener to scrape court websites, and not the citator that identifies references embedded in individual cases: so I put on my copywriter's hat, and chased up a brand new name. Say hello to the Free Law Ferret, a Firefox plugin that has emerged from the CitationStylist skunkworks with a ferocious curiosity and a full set of tiny adorable bibliographic teeth. * * * The Ferret will scan the document in the browser window (be it law case, legal brief, blog post or whatever), and present a list of citations in a dialog box like that shown to the right. Note that the parser presently supports US case law only: cites to the courts of other countries, to regulations, to statutory law and to international instruments and tribunals will not be recognized. Select cites in the dialog and click OK to search for each case in the CourtListener repository and open each in a separate browser tab. If the search for a case fails, you can either broaden the search terms in the CourtListener page, or search for it (manually) elsewhere. [ Polley : pretty techie, even for me. Send me feedback, please? Carl Malamud tweeted: "The Free Law Ferret searches any web doc, finds the US court cases, grabs a copy."]

Website owners can legally block some users, court rules (Computerworld, 20 August 2013) - Public website owners have the right to selectively block users from their sites and anyone who intentionally circumvents those blocks may be violating provisions of the Computer Fraud and Abuse Act (CFAA), a federal judge in California ruled Friday. The ruling involves a dispute between Craigslist and 3Taps Inc., an online ad aggregator that basically copies and republishes online ads. Craigslist claimed that 3Taps scrapes, collects and reposts all of Craigslist's classified advertisements in real time. In 2012, Craigslist sent a cease-and-desist letter asking 3Taps to stop accessing its website. Craigslist also separately configured the site to block access to it from any IP address associated with 3Taps. However, 3Taps used IP rotation technology and proxy servers to bypass the blocks and continued to harvest and repost data gathered from Craigslist. 3Taps admitted that it intentionally circumvented the blocking. But in a motion to dismiss the lawsuit, 3Taps noted that Craigslist, by making its website publicly available, had essentially authorized the entire Internet to access and use its content. The company claimed that allowing owners of publicly accessible websites to selectively block individuals and groups was dangerous and contrary to the notion of a free and open Internet. In a 13-page ruling, District Court Judge Charles Breyer dismissed those arguments and held that 3Taps had accessed Craigslist without specific authorization from the website owner.

Flo Rida dodges lawsuit because he was served on Facebook (Huffington Post, 20 August 2013) - Flo Rida is feeling pretty lucky right about now: The rapper, best known for jumping on already popular songs and dishing out generally unmemorable party rap verses over the pre-existing songs, faced a six-figure lawsuit after he was an alleged no-show at the Fat As Butter festival in 2011, despite having been pre-paid for the gig. In an unusual move, the organizers of the festival served Flo Rida on Facebook -- digitally notifying him that he was due in court. Unusual, and not totally kosher, according to a judge who upheld Flo Rida's appeal of the initial ruling that allowed Mothership Music to serve the rapper (born Tramar Dillard) and his management, VIP Entertainment and Concepts, on the social network in the first place. Billboard reports that Justice Robert McFarlan, the judge who sided with Flo Rida, had this to say: "The evidence did not establish, other than by mere assertion, that the Facebook page was in fact that of Flo Rida and did not prove that a posting on it was likely to come to his attention in a timely fashion."

A board's legal obligations for the cloud: you have to carry an umbrella (ABA, 22 August 2013) - Every day the news produces yet more articles on the vulnerability of businesses to cyberattacks. A recent Google search returned over 16,000 entries for news articles discussing how cyberspace is the new vector for attacking a company. Information security and privacy concerns are consequently some of the most heavily reported issues in the media today. With this level of coverage and reporting, what pressure is there on a company and its board of directors to mitigate the risks associated with cyberattacks? Can officers and directors of companies continue to relegate information security and data protection to the back burner? Or is data protection becoming as much an immediate responsibility of a board as financial reporting? [ Polley : interesting article by Seyfarth's John Tomaszewski.]

Third Circuit: cellphone customers may block robocalls (Legal Intelligencer, 23 August 2013) - Cellphone customers may revoke their consent to receive robocalls on those devices, the Third Circuit has ruled in a case of first impression. Interpreting the Telephone Consumer Protection Act broadly, the U.S. Court of Appeals for the Third Circuit reversed the district court's holding based on rules from the Federal Communications Commission and common-law treatment of consent. By its own reckoning, the Third Circuit is the first circuit to address the issue of whether consumers have a right to withdraw their prior consent to be robocalled on their cellphones and if there would be a time limit on that right. The three-judge panel ruled that the right exists and there is no time limit on it. "Congress passed the TCPA to protect individual consumers from receiving intrusive and unwanted calls," Senior Judge Jane R. Roth wrote on behalf of the panel, which included Judges Julio M. Fuentes and Patty Shwartz. "Notably," Roth said, setting up her discussion, "the statute does not contain any language expressly granting consumers the right to revoke their prior express consent." The court looked to rules from the FCC because Congress gave it the authority to regulate and enforce the TCPA, which was passed in 1991. The FCC issued a declaratory ruling with the most relevant guidance it has yet offered on the issue after the district court dismissed the case. Last November, the FCC offered an analysis that "was directed at the use of an automated dialing system to confirm an opt-out request, rather than whether an opt-out right exists," Roth said, but "the decision indicates that the FCC supports Gager's argument that a consumer may revoke her prior express consent once it is given."

Facebook friends could change your credit score (CNN, 26 August 2013) - Choose your Facebook friends wisely; they could help you get approved -- or rejected -- for a loan. A handful of tech startups are using social data to determine the risk of lending to people who have a difficult time accessing credit. Traditional lenders rely heavily on credit scores like FICO, which look at payments history. They typically steer clear of the millions of people who don't have credit scores. But some financial lending companies have found that social connections can be a good indicator of a person's creditworthiness. One such company, Lenddo, determines if you're friends on Facebook with someone who was late paying back a loan to Lenddo. If so, that's bad news for you. It's even worse news if the delinquent friend is someone you frequently interact with. A German company called Kreditech says that it uses up to 8,000 data points when assessing an application for a loan. In addition to data from Facebook, eBay or Amazon accounts, Kreditech also gathers information from the manner in which a customer fills out the online application. For example, your chances of getting a loan improve if you spend time reading information about the loan on Kreditech's website. If you fill out the application typing in all-caps (or with no caps), you're knocked down a couple pegs in Kreditech's eyes. Kreditech can determine your location and considers creditworthiness based upon whether your computer is located where you said you live or work.

Survey of faculty attitudes on technology (InsideHigherEd, 27 August 2013) - Online education arguably came of age in the last year, with the explosion of massive open online courses driving the public's (and politicians') interest in digitally delivered courses and contributing to the perception that they represent not only higher education's future, but its present. Faculty members, by and large, still aren't buying -- and they are particularly skeptical about the value of MOOCs, Inside Higher Ed's new Survey of Faculty Attitudes on Technology suggests. The survey of 2,251 professors, which, like Inside Higher Ed's other surveys, was conducted by Gallup, finds significant skepticism among faculty members about the quality of online learning, with only one in five of them agreeing that online courses can achieve learning outcomes equivalent to those of in-person courses, and majorities considering online learning to be of lower quality than in-person courses on several key measures (but not in terms of delivering content to meet learning objectives). But, importantly, appreciation for the quality and effectiveness of online learning grows with instructors' experiences with it. The growing minority of professors who themselves had taught at least one course online (30 percent of respondents, up from 25 percent last year) were far likelier than their peers who had not done so to believe that online courses can produce learning outcomes at least equivalent to those of face-to-face courses; 50 percent of them agree or strongly agree that online courses in their own department or discipline produce equivalent learning outcomes to in-person courses, compared to just 13 percent of professors who have not taught online. [ Polley : see related story about San Jose State University: Boost for Udacity project (InsideHigherEd, 28 August 2013)]

It's baaaaaack: HavenCo trying once again to bring encrypted computing to the masses (but not hosted on Sealand) (TechDirt, 27 August 2013) - If you were into digital and cryptography issues a little over a decade ago, you surely remember the debacle of HavenCo, the attempt at a secure data haven hosted on the "micronation" of Sealand (better known as an abandoned platform off the coast of England that some folks "invaded" and claimed as a sovereign nation, which no government recognizes). HavenCo and Sealand were a story the press loved, and the hype level was astounding, followed by the whole project being a complete disaster. Last year, James Grimmelmann wrote a fantastic look-back/post-mortem of HavenCo and an even more detailed and comprehensive legal review paper all about Sealand and HavenCo. If you want the history of all of this, start there. Or, if you want the fictional account of the mindset that went into HavenCo, pick up a copy of Neal Stephenson's Cryptonomicon. Now, it's being reported that James Bates, grandson of Roy Bates, the "founder" of Sealand, has teamed back up with Avi Freedman, one of the initial funders of HavenCo, to relaunch the project with a focus on bringing data security to the masses. Feel free to insert whatever skepticism you have for this project right now, because you're not alone. To their credit, there are two things that are different this time around. First up, they're not trying to host the data center itself on Sealand, which was a part (just a part!) of the mess the last time around. Instead, they're just using Sealand to host air-gapped machines with encryption keys. The actual data will be encrypted, but hosted elsewhere, including in the US and EU, where they believe it will be safe because of the encryption.

NOTED PODCASTS

Oliver Goodenough on creating a law school e-curriculum (Berkman, 8 July 2013; 71 minutes) - Legal practice and legal education both face disruptive change due to technology. Oliver R. Goodenough -- Berkman Fellow, Professor of Law at the Vermont Law School, and Adjunct Professor at Thayer School of Engineering at Dartmouth College -- discusses how technology is shaping legal practice, and how learning from this phenomenon should be a priority for any school looking to provide a useful education for the lawyers.

RESOURCES

Disclosures, disclaimers, and designs of ethical and effective law blogs and law firm web sites (Walter Effross, 19 August 2013) - Reviews relevant ABA and state bar professional responsibility rules and advisory ethics opinions; identifies a range of issues and statutes that could entangle site operators; provides numerous examples of terms and conditions that some sites have adopted to address these issues; and explores additional practices and procedures to safeguard sites.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Not Your Father's Encyclopedia (Wired, 28 Jan 2003) -- One of the Web's first open-source encyclopedias has reached a milestone, just two years since its inception. Last week, the English-language version of Wikipedia, a free multilingual encyclopedia created entirely by volunteers on the Internet, published its 100,000th article. More than 37,000 articles populate the non-English editions. Unlike traditional encyclopedias, which are written and edited by professionals, Wikipedia is the result of work by thousands of volunteers. Anyone can contribute an article -- or edit an existing one -- at any time. The site runs on Wiki software, a collaborative application that allows users to collectively author Web documents without having to register first. "People from very diverse backgrounds can agree on what can be in an encyclopedia article, even if they can't agree on something else," said Wikipedia co-founder Jimmy Wales. Wikipedia topics range from Internet terms, such as spamming and trolling, to more mundane subjects, such as unicycling. Each page on the site contains an "Edit this page" link, which users can click on to edit, reposition and revise passages created by other writers. Once a user has made an edit, those changes are posted immediately. Users can also view older versions of a page, discuss the page, view links on a page or see related changes. These options allow contributors to constantly refine and comment upon entries. All articles are covered by the Free Software Foundation's GNU Free Documentation License, which allows anyone to reuse the entries for any purpose, including commercially, as long as they preserve that same right to others and provide proper credit to Wikipedia. This open-content license ensures that Wikipedia's content will always remain free.

BBC to give away school syllabus online (Guardian, 10 Jan 2003) -- The government yesterday gave the BBC the green light to spend [ca. $220m] to put the national curriculum on to the internet, sparking anger among firms already manufacturing interactive teaching materials. The project, called the Digital Curriculum, will use licence fee payers' money to make large parts of the school syllabus available online, free of charge, for pupils in school and at home. But commercial rivals, through a pressure group whose members include Channel 4, ITV company Granada and Penguin books owner Pearson, expressed "profound disappointment" at the decision. They claim that by using licence fee money on the project and then giving away teaching aids for free, the BBC's actions could deprive them of [ca. $600m] in revenues. Small software providers fear they could be put out of business. The commercial sector's anger is likely to intensify the debate over how the BBC is regulated. Many argue that the system of giving ministers the final say over big decisions is not working and the corporation should be brought under the full control of the new independent communications regulator, Ofcom.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, August 10, 2013

MIRLN --- 21 July – 10 August 2013 (v16.11)

MIRLN --- 21 July - 10 August 2013 (v16.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENTS | NEWS | LOOKING BACK | NOTES

ANNOUNCEMENT

The ABA has just published a book I've co-edited: The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, with chapters on sources of risk, legal and ethical obligations, practice-setting specifics, planning and recovery, and insurance. With Jill Rhodes (my co-editor), we've pulled together the analysis and recommendations of nearly thirty lawyers, judges, and technology professionals from across the ABA. This is the first work-product of the year-old ABA Cybersecurity Legal Task Force. Tip: buy the e-version - URLs will link to updated resources. MIRLN READER DISCOUNT: enter MIRLN15 for a 15% discount, good thru the end of August 2013. Press and discussion:

NEWS

Traveling to China? Don't take a laptop computer, universities warn academics (ABA Journal, 17 July 2013) - Colleges and universities in the U.S. are a prime target for hackers, who are outstripping efforts to prevent, or even detect, their cyber attacks, experts tell the New York Times (reg. req.). "We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system," said Bill Mellon, the associate dean for research policy at the University of Wisconsin. "There are also a lot from Russia, and recently a lot from Vietnam, but it's primarily China." Although the nation's educational institutions don't want to eliminate their teaching mission by creating impenetrable virtual walls around their computer systems, many are imposing new security measures, such as a rule against taking a laptop computer to certain countries. "There are some countries, including China, where the minute you connect to a network, everything will be copied, or something will be planted on your computer in hopes that you'll take that computer back home and connect to your home network, and then they're in there," senior fellow James A. Lewis of the Center for Strategic and International Studies told the newspaper. "Academics aren't used to thinking that way." [Polley: I've written a related how-to piece on cellphone planning/security while abroad - see Your Cell Phone Abroad: Stay on Budget, Stay Secure.]

High-end stores use facial recognition tools to spot VIPs (NPR, 21 July 2013) - When a young Indian-American woman walked into the funky L.A. jewelry boutique Tarina Tarantino, store manager Lauren Twisselman thought she was just like any other customer. She didn't realize the woman was actress and writer Mindy Kaling. "I hadn't watched The Office," Twisselman says. Kaling both wrote and appeared in the NBC hit. This lack of recognition is precisely what the VIP-identification technology designed by NEC IT Solutions is supposed to prevent. The U.K.-based company already supplies similar software to security services to help identify terrorists and criminals. The ID technology works by analyzing footage of people's faces as they walk through a door, taking measurements to create a numerical code known as a "face template," and checking it against a database. In the retail setting, the database of customers' faces is comprised of celebrities and valued customers, according to London's Sunday Times. If a face is a match, the program sends an alert to staff via computer, iPad or smartphone, providing details like dress size, favorite buys or shopping history. The software works even when people are wearing sunglasses, hats and scarves. Recent tests have found that facial hair, aging, or changes in weight or hair color do not affect the accuracy of the system.

A black box for car crashes (NYT, 21 July 2013) - When Timothy P. Murray crashed his government-issued Ford Crown Victoria in 2011, he was fortunate, as car accidents go. Mr. Murray, then the lieutenant governor of Massachusetts, was not seriously hurt, and he told the police he was wearing a seat belt and was not speeding. But a different story soon emerged. Mr. Murray was driving over 100 miles an hour and was not wearing a seat belt, according to the computer in his car that tracks certain actions. He was given a $555 ticket; he later said he had fallen asleep. The case put Mr. Murray at the center of a growing debate over a little-known but increasingly important piece of equipment buried deep inside a car: the event data recorder, more commonly known as the black box. About 96 percent of all new vehicles sold in the United States have the boxes, and in September 2014, if the National Highway Traffic Safety Administration has its way, all will have them. The boxes have long been used by car companies to assess the performance of their vehicles. But data stored in the devices is increasingly being used to identify safety problems in cars and as evidence in traffic accidents and criminal cases. And the trove of data inside the boxes has raised privacy concerns, including questions about who owns the information, and what it can be used for, even as critics have raised questions about its reliability.

Cyber-sabotage is easy; so why aren't hackers crashing the grid? (FP, 23 July 2013) - Hacking power plants and chemical factories is easy. I learned just how easy during a 5-day workshop at Idaho National Labs last month. Every month the Department of Homeland Security is training the nation's asset owners -- the people who run so-called Industrial Control Systems at your local wastewater plant, at the electrical power station down the road, or at the refinery in the state next door -- to hack and attack their own systems. The systems, called ICS in the trade, control stuff that moves around, from sewage to trains to oil. They're also alarmingly simple to break into. * * * So it may come as a surprise to learn that attackers have never been able to engage in cyber-sabotage against America's critical infrastructure -- not once. ICS-CERT has never witnessed a successful sabotage attack in the United States, they told me. Sure, there have been network infiltrations. But those were instances of espionage, not destructive sabotage. Which raises two questions: one obvious, and one uncomfortable. If it's so easy, why has nobody crashed America's critical infrastructure yet? And why isn't the Defense Department doing more to protect the grid? [Polley: Spotted by MIRLN reader Gordon Housworth.]

- and -

Not cyber myths: Hacking oil rigs, water plants, industrial infrastructure (Network World, 5 August 2013) - If about 55 million people were to suddenly lose power and be plunged into darkness because malware attacked the smart grid, would you rank that as a large-scale cyberattack? It happened a decade ago, according to Eugene Kaspersky of Kaspersky Lab. At the AFCEA Global Intelligence Forum, he said a worm designed to attack Windows systems unexpectedly attacked Unix servers instead, and that malware was responsible for the infamous Northeast blackout of 2003. However, "power companies do not admit that the blackout was caused by malware." The official public statement, Kaspersky said, is "that a control room software bug allowed an outage to cascade throughout the grid." * * * [W]e've been warned for years about SCADA, ICS, PLC and how vulnerable U.S. critical infrastructure is to attack. So when the Chinese army hackers "Comment Crew" infiltrated a water control system, it was a good thing their target turned out to be a decoy set up by Trend Micro's Kyle Wilhoit. He deployed 12 honeypots that attackers mistook for actual industrial control systems (ICS) at water plants, with about half of the 74 critical attacks being credited to China. Ten of those attacks were "sophisticated enough to wrest complete control of the dummy control system." He described [pdf] many attackers as "opportunists" and only "one appeared to be the work of Comment Crew." Wilhoit said, "These attacks are happening and the engineers likely don't know." At Black Hat, Cimation engineers Eric Forner and Brian Meixell took remote control of the programmable logic controller (PLC) on a simulation oil rig, turned the pumps on and off so it sprayed liquid - which would have been an oil pipeline rupture in real life - while sending data that made it appear as if nothing happened. Forner said, "We only had a 24-volt pump in the demo, but this [attack] could cause a complete environmental catastrophe." Also at Black Hat, during a presentation called Compromising Industrial Facilities From 40 Miles Away, security researchers from IOActive shared their findings about industrial automation and control systems (IACS) that use wireless sensors to collect data. Critical decisions are made from the remote sensor measurements, so sending false data could have disastrous consequences. Lucas Apa and Carlos Penagos showed a live demo of "temperature injection," reporting [pdf slides] that the cost of the attack was a mere $40.

Firms fortify fraud defenses (WSJ, 23 July 2013) - Thousands of companies world-wide are planning to update systems and policies that act as their first line of defense against fraud and other hidden risks, following a sweeping overhaul of the most widely used guidelines for those safeguards. The new guidelines, which many companies expect to adopt by the end of next year, are for so-called internal controls, which the government has required U.S. public companies to have in place for the past decade, as part of an effort to protect investors. Companies might, for example, establish procedures to make sure that only employees responsible for certain types of inventory can access it, or require a particular method for inputting purchase orders. Having these systems helps companies monitor the transactions for errors, impropriety or fraud. Until now, internal controls have been based on a 20-year-old framework that didn't take into account the new risks posed by mobile technology and cloud computing, as well as the rise of outsourcing and shifts in corporate governance. Such controls haven't always been high on the corporate agenda. Lack of them has been blamed for past accounting scandals at big companies like Tyco International and Satyam Computer Services Ltd. Large companies spend upward of $1 million a year on internal-controls systems, according to consulting firm Protiviti, but some investors consider it money well spent. The effort to develop effective internal controls dates back decades. The updated guidelines, released in May, come from a group of five accounting associations known as the Committee of Sponsoring Organizations of the Treadway Commission. It is the offspring of a national commission on fraudulent financial reporting in the 1980s led by then-Securities and Exchange Commissioner James C. Treadway Jr. The group published its first guidelines in 1992, but they were little used until the Sarbanes-Oxley Act of 2002 essentially forced most U.S. public companies to adopt them. The new guidelines officially replace the existing ones in December 2014. Although companies face no penalty if they don't embrace them, ignoring them could put off investors who value tight management. [Polley: Spotted by MIRLN reader Roland Trope.]

EFF to court: forced decryption unconstitutional (EFF, 23 July 2013) - You shouldn't have to surrender your constitutional rights in order to safeguard your electronic privacy. In a new amicus brief we filed today, we told a federal court in Wisconsin that ordering a man to decrypt the contents of computers seized from his apartment would violate the Fifth Amendment privilege against self-incrimination. The case involves the FBI's attempts to decrypt the contents of more than ten storage devices and hard drives found in the apartment of Jeffrey Feldman in the course of a child pornography investigation. After spending months trying to decrypt the drives, the government applied for a court order forcing Feldman to provide the government with the decrypted contents of the drives. The Fifth Amendment protects a person from being "compelled in any criminal case to be a witness against himself." The question here is whether forcing Feldman to decrypt the contents of the computer drives is "testimony" that is protected by the Constitution. The issue ultimately boils down to whether the government is forcing him to reveal the contents of his mind and communicate a fact to the government it doesn't already know. If so, then the Fifth Amendment applies and the only way the government can compel Feldman to decrypt or "testify" is to offer that person immunity from the testimony. A magistrate judge initially denied the government's request, finding the act of decryption was protected by the Fifth Amendment. The court found the government hadn't sufficiently proven that the drives in question were accessed and controlled by Feldman. That would tell the government something it didn't necessarily know: that the drives -- and their contents -- belonged to and were controlled by Feldman. That testimony would incriminate him and therefore triggered the Fifth Amendment privilege. 
A month later, after the government was able to decrypt a portion of one of the drives and found personal files belonging to Feldman, the magistrate reversed its earlier decision, and found that since the government had sufficiently proven access and control of one drive, Feldman could now be compelled to provide the decrypted contents of all the drives. That was because the fact the government would learn -- that the drives belonged to and were accessed and controlled by Feldman -- was essentially a "foregone conclusion" and thus the government would learn no new facts as a result of Feldman's testimony. After Feldman objected, the district court stayed the magistrate's order, agreed to review the order, and asked for new briefing on the issue. Our brief supports Feldman's argument against decryption, explaining that the act of decryption triggers the Fifth Amendment privilege. The government failed to show that Feldman's access and control of the remaining encrypted devices is a "foregone conclusion," since it was only able to decrypt a portion of one drive -- that fact alone says nothing about the remaining drives. In the absence of any additional information that shows Feldman had access and control of the drives and the content inside, the Fifth Amendment protects him from decrypting. Ultimately, if the government wants Feldman's testimony it must give him immunity that is "coextensive" with the privilege. That means the government can't use the fact that Feldman decrypted the drives against him. But it also means it can't use any evidence it derives from the decryption against Feldman in a later criminal case. Last year, we scored a major victory before the Eleventh Circuit Court of Appeals, which found that the act of decrypting a computer was protected by the Fifth Amendment privilege, reversed a contempt of court finding, and released from jail a man who had refused to decrypt. 
We hope the court here will follow the Eleventh Circuit's lead and understand that prohibiting the government from forcing Feldman to decrypt the devices preserves Fifth Amendment protections in our digitized world.


In search of the missing link (InsideHigherEd, 24 July 2013) - Among the duties of the Judicial Conference -- an august body consisting of federal judges, overseen by the Chief Justice of the Supreme Court -- is the fostering of "uniformity of management procedures and the expeditious conduct of court business." And so it was that, four years ago this month, the Conference issued guidelines for citing Internet materials in judicial opinions. A brief statement regarding the new policy was posted to the Web, as you do. Not long ago Raizel Liebler and June Liebert, two librarians at the John Marshall Law School in Chicago, needed to refer to the Conference's announcement in their paper "Something Rotten in the State of Legal Citation: The Life Span of a United States Supreme Court Citation Containing an Internet Link (1996-2010)," which appeared a couple of weeks ago in the Yale Journal of Law and Technology. But the link for it they had filed away while doing their research was now dead. In the meantime, the document had migrated to another URL, so no damage done. In a footnote, the authors said, "The irony of being unable to access a website we wanted to cite in an article about the ephemeral nature of websites, including discussion of reasons to avoid citing websites, was not lost on us." It's a nuisance, certainly, but link rot also looms as a serious problem for the disciplinary production of knowledge, which relies, in part, on the existence of stable and documentable sources of information. Citation allows others to examine those sources -- whether to verify them or assess how accurately an author has used them, or as a basis for further research. Broken links in the bibliography are, in effect, broken links in an argument. That is particularly true given the role of law blogs, a.k.a. "blawgs," as a source of real-time legal analysis and commentary -- something the traditional, rather slow-moving law review can't do. 
Around the time the Commission put forward its suggested practices for citing online materials, John Doyle published an article with the wonderfully sonorous title "The Law Reviews: Do Their Paths of Glory Lead but to the Grave?" Doyle, an associate law librarian at the Washington & Lee University School of Law, concluded that the survival of the review format (let alone the chance of having any effect beyond building ambitious students' résumés) depended on making articles available online with almost blawgish rapidity.


Survey says: Fortune 500 disclosing cyber risks (Mintz Levin, 24 July 2013) - Ever since our 2013 prediction, an ever-increasing number of public companies are adding disclosure related to cybersecurity and data breach risks to their public filings. We previously analyzed how the nation's largest banks have begun disclosing their cybersecurity risks. Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance. The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the "Report"), analyzes cybersecurity disclosure by Fortune 500 public companies. The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures. Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was "material," "serious," or used a similar term, and only 2% of the companies used a stronger term, such as "critical." Following the SEC's recommendation in its guidance, 95% of the disclosing companies mentioned specific cyber risks that they face. Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks, and only 52% refer to technical solutions that they have in place to defend against cyber risks. The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks. This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance. For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.


- and -

Good cyber security starts at board level, not IT (Guardian, 25 July 2013) - When people hear cyber security they automatically think of IT. So when organisations hear the words "cyber security breach" there is often a tendency to leave it with the IT department, not only to deal with the breach but to ensure the breach doesn't happen again. If I told you human error (and systems glitches) caused nearly two-thirds of data breaches globally in 2012, would you quantify that as an IT issue? Currently, what tends to happen is that at the first mention of poor cyber security, all eyes turn to look at the chief information officer - but are organisations right to single him or her out? They are not. Examples of true incidents that have been labelled cyber security breaches are as follows: a mis-sent email (a strategy document sent to a competitor); commercial papers lost on a train; a former employee who was not legally prevented from taking bid information to a competitor; a laptop left on a plane with passwords attached; careless use of social media giving away IPR; and, more frequently, because it's cheaper, the use of social engineering ("new best friends" who buy you drinks all night at the bar, fascinated by your company). So what can we learn from these breaches? The majority of the above examples could have been prevented with a holistic, organisation-wide approach to cyber security. It turns out that people, the most valuable resource, are invariably also the weakest link. So every company needs to invest in its people, and this starts with the board. Interestingly, especially in large engineering, manufacturing or service-based organisations, there is quite often a flourishing, vibrant and effective health and safety culture - clearly understood and rigorously adhered to by management and employees alike. 
But when it comes to the life blood of an organisation, its critical business information, there is often a distinct lack of collective education, training and focus to support a company's business objectives, as well as suitable ICT products to use. Moreover, effective business processes, and the governance structures necessary to foster the correct pervasive culture of information risk management are also missing. To make the necessary changes to value and exploit an organisation's information better, the board needs to be fully engaged; the cultural change needed to successfully introduce an effective health and safety regime is not too dissimilar to that of holistic cyber security and this has to start at the top; board members need to lead by example.


Leaders of the 9/11 commission say NSA surveillance has gone too far (TechDirt, 25 July 2013) - One of the key talking points from defenders of the NSA surveillance program is that they had to implement it after the 9/11 Commission revealed "holes" in information gathering that resulted in 9/11. This is a misstatement of what that report actually indicated -- it showed that more than enough data had actually been collected; it's just that the intelligence community didn't do anything with it. Either way, it seems that the leadership of the 9/11 Commission -- Thomas Kean and Lee Hamilton, who were the chair and vice chair of the committee respectively -- have now spoken out against the NSA surveillance efforts. And they don't hold back: The NSA's metadata program was put into place with virtually no public debate, a worrisome precedent made worse by erecting unnecessary barriers to public understanding via denials and misleading statements from senior administration officials. When the Congress and the courts work in secret; when massive amounts of data are collected from Americans and enterprises; when government's power of intrusion into the lives of ordinary citizens, augmented by the awesome power of advanced technologies, is hugely expanded without public debate or discussion over seven years, then our sense of constitutional process and accountability is deeply offended. Officials insist that the right balance has been struck between security and privacy. But how would we know, when all the decisions have been made in secret, with almost no oversight?


Feds tell Web firms to turn over user account passwords (CNET, 25 July 2013) - The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed. If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused. "I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back." A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts. A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."


Major US bank offers online legal services in business hub (Virtual Law Practice, 26 July 2013) - An exciting breakthrough in online delivery is occurring through the new offering that Suntrust Bank is launching. They have partnered with a third party to create an online Business Hub which provides legal services in addition to assistance with planning, websites, data backup and finances. From the website: "This online portal helps you create legal documents, develop business plans and generate invoices and financial reports." It appears to be a one-stop shop for small business owners who need accounting and planning software, and even some marketing services. The service also claims to provide risk assessment services for businesses through the legal services tools. The online legal services are provided through a product called Legal Document Builder. According to the site, this lets the business owner handle the following: (1) Create legal documents for your business from a wide range of templates using a straightforward question and answer process; (2) Templates include: website terms and conditions, privacy policy, tenancy agreement, debt recovery letters, shareholders agreement and many more; (3) Avoid risks and disputes that could financially weaken your business and comply with Health & Safety legislation by performing risk assessments and more.


Spy agencies ban Lenovo PCs on security grounds (Financial Review, 26 July 2013) - Computers manufactured by the world's biggest personal computer maker, Lenovo, have been banned from the "secret" and "top secret" networks of the intelligence and defence services of Australia, the US, Britain, Canada, and New Zealand, because of concerns they are vulnerable to being hacked. Multiple intelligence and defence sources in Britain and Australia confirmed there is a written ban on computers made by the Chinese company being used in "classified" networks. The ban was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented "back-door" hardware and "firmware" vulnerabilities in Lenovo chips. A Department of Defence spokesman confirmed Lenovo products have never been accredited for Australia's secret or top secret networks. The classified ban highlights concerns about security threats posed by "malicious circuits" and insecure firmware in chips produced in China by companies with close government ties. Firmware is the interface between a computer's hardware and its operating system. Lenovo, which is headquartered in Beijing, acquired IBM's PC business in 2005. Members of the British and Australian defence and intelligence communities say that malicious modifications to Lenovo's circuitry - beyond more typical vulnerabilities or "zero-days" in its software - were discovered that could allow people to remotely access devices without the users' knowledge. The alleged presence of these hardware "back doors" remains highly classified. A security analyst at tech research firm IBRS, James Turner, said hardware back doors are very hard to detect if well designed. They were often created to look like a minor design or manufacturing fault, he said. To avoid detection, they are left latent until activated by a remote transmission.


New legal research site combines case law with crowdsourcing (Robert Ambrogi, 26 July 2013) - Imagine if you could combine a full-text case law library for research with crowdsourced editing and annotating in the style of Wikipedia and user rankings of annotations and references in the style of a site such as Digg. That, roughly speaking, is the idea behind Casetext, an innovative legal research site launched this week that provides free access to court opinions together with a platform for crowdsourcing references and annotations. At its core, Casetext is simply a case law research database. Presently, it includes all Supreme Court cases, all federal circuit cases starting from volume one of the F.2d series, all federal district court cases published in F.Supp. and F.Supp. 2d since 1980, and Delaware cases published since Volume 30 of the Atlantic reporter. But what makes the site unique is the ability of its users to add descriptions and annotations to the cases. When you view a case, the screen is divided in half. On the left side, what you first see is a section of "Quick Facts" about the case - its holding, citation, court, judges, docket number and the like. After that comes a section called "Case Wiki" with a more narrative description of the case. Following those two sections comes the case itself. Both of those first two sections - Quick Facts and Case Wiki - are fully editable by registered users. Simply click the "edit" button and revise or supplement any of the text. Click the "revisions" button to see the full history of edits by all users. Similarly, the right side of the screen contains sections for "tags," "cases," "sources," "analysis," and "record." Users can create and edit any of these items.


Multiple listing service gets favorable appellate ruling in scraping lawsuit (Eric Goldman's blog, 27 July 2013) - This is a follow-up to our massive post on anti-scraping lawsuits in the real estate industry from New Year's Eve 2012 (Note: the portion on MRIS is about halfway through the post, labeled "Same Writ, Different Plaintiff").

AHRN is a California real estate broker that owns and operates NeighborCity.com. The site gets its data in part by scraping from MLS databases--in this case, MRIS. As part of the scraping, however, AHRN had collected and displayed copyrighted photographs among the bits and pieces of general textual information about the properties. MRIS sent a cease and desist letter to AHRN, and filed suit alleging various copyright claims after the parties failed to agree on a license to use the photographs. Ultimately, a district court in Maryland granted a motion made by MRIS for a preliminary injunction.

When we last left off, the district court had revised its preliminary injunction order to enjoin only AHRN's use of MRIS's photographs--not the compilation itself or any textual elements that may be considered a part of it. Since then, AHRN appealed the injunction. On July 18th, the Fourth Circuit Court of Appeals affirmed. The case is Metropolitan Regional Information Systems, Inc. v. American Home Realty Network, Inc., 2013 WL 3722365 (4th Cir. July 17, 2013).


Software experts attack cars, to release code as hackers meet (Reuters, 28 July 2013) - Car hacking is not a new field, but its secrets have long been closely guarded. That is about to change, thanks to two well-known computer software hackers who got bored finding bugs in software from Microsoft and Apple. Charlie Miller and Chris Valasek say they will publish detailed blueprints of techniques for attacking critical systems in the Toyota Prius and Ford Escape in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government. The two "white hats" - hackers who try to uncover software vulnerabilities before criminals can exploit them - will also release the software they built for hacking the cars at the Def Con hacking convention in Las Vegas this week. They said they devised ways to force a Toyota Prius to brake suddenly at 80 miles an hour, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at very slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.


AT&T's latest home broadband service isn't DSL or fiber. It's LTE (GigaOM, 29 July 2013) - AT&T has found another use for its LTE and HSPA networks besides connecting iPhones and Android devices to the internet. It's connecting homes. Ma Bell has started offering a residential broadband and voice service that relies on a 3G/4G modem for its link back to the network rather than traditional wireline access technologies. FierceWireless first spotted the new service on AT&T's website, which shows that it is now available in Delaware; Maryland; New Jersey; Pennsylvania; Virginia; West Virginia; Washington, D.C.; and parts of eastern Kentucky on the West Virginia border. If those locations sound a bit odd, that's because they're all - with the exception of Kentucky - outside of AT&T's traditional wireline operating territory. In fact, they're squarely in the middle of Verizon Communications' turf.


Massachusetts enacts 6.25% sales tax on "prewritten" software consulting (Slashdot, 29 July 2013) - Technical Information Release TIR 13-10 becomes effective in Massachusetts on July 31st, 2013. It requires software consultants to collect a 6.25% sales tax from their clients if they perform 'computer system design services and the modification, integration, enhancement, installation or configuration of standardized software.' TIR 13-10 was published to mass.gov on July 25th, 2013 to provide the public a few working days to review the release and make comments.


Metadata surveillance, secrecy, and political liberty (part one) (Harvard's DMLP, 29 July 2013) - As much of the world is now undoubtedly aware, the National Security Administration (NSA), and many other signals intelligence agencies around the world, have been conducting sophisticated electronic surveillance for quite some time. Many might have expected that such extensive surveillance was occurring, both domestically and globally, prior to Edward Snowden's release of classified information in June 2013. Indeed, we've known about the existence of government driven metadata surveillance and international intelligence cooperation and data-sharing for years. The UKUSA Agreement, which links intelligence agencies in the United States, United Kingdom, Canada, Australia and New Zealand, was declassified by the NSA in 2011, but its existence was reported much earlier. What we haven't known, perhaps, are some of the specifics (e.g., here and here) brought to light by the recent revelations - or much about the legal analysis and oversight to which such surveillance activities are subjected in practice. The fallout from Snowden's disclosures has not been limited to the U.S. either. News media in both Canada and the U.K. have released documents indicating that agencies in these countries are also conducting similar programs. Much of this surveillance appears limited to the metadata - information about information - associated with telephone calls, emails, and other forms of electronic communications. Officials are claiming that metadata is less revealing than the actual contents of our communications - although who hasn't sent or received an email that included all of its content in the subject line? However, as our landline-initiated telephone calls of the past have been largely supplanted by cellular phone, wireless, and Internet-based communication, the amount of metadata - and its ability to ascribe revealing attributes about us - has grown tremendously. 
Correspondingly, much more can be done with this data to reveal personal information. * * * This is not to say that eye-opening things could not be done with very simple sets of metadata about us in the past, as shown by this fascinating post by Professor Kieran Healy about using basic social network analysis to identify networks of people suspected of anti-government activities (in that case, Paul Revere and the rebellious colonists in America). Imagine what sophisticated statistical and social network analysis can do when we add large amounts of additional information and dramatically increase the number of subjects under study and the resources available to study them. The David Petraeus scandal has also shown us that metadata, like IP addresses indicating the locations where Petraeus and Paula Broadwell logged into their anonymous shared email account, can be enormously helpful in identifying people and telling stories about their lives. * * * [Polley: part two was published on 30 July, and is here.]


Again, Federal Court finds cops don't need a warrant for cellphone location data (ArsTechnica, 30 July 2013) - In a new 2-1 decision published (PDF) Tuesday, the Fifth Circuit Court of Appeals has held that law enforcement does not need a warrant to obtain cell-site location information (CSLI) from a mobile phone, falling in line with other recent high-level federal court decisions. The Fifth Circuit's majority judges cited the Stored Communications Act (also known as a 2703(d) order) as grounds for releasing CSLI to law enforcement. Under that federal statute, authorities can't retrieve the contents of electronic communication, but they can find out where and to whom electronic communication was sent. In contemporary cases within the last decade, law enforcement and judges have increasingly used this reasoning to obtain extensive location data that can effectively turn the phone into a tracking device. Such information previously would have required a much higher legal threshold, like a probable cause-driven warrant. In the majority decision, the judges wrote (PDF) that cell site information was nothing more than a business record, which "the Government has neither 'required [n]or persuaded' providers to keep." "In the case of such historical cell site information, the Government merely comes in after the fact and asks a provider to turn over records the provider has already created," the judges continued. "Moreover, these are the providers' own records of transactions to which it is a party. The caller is not conveying location information to anyone other than his service provider. He is sending information so that the provider can perform the service for which he pays it: to connect his call."


Announcer-free TV? Detroit's baseball fans say yes, please (NPR, 31 July 2013) - Baseball fans often declare their love of the game's rhythm, its quiet pauses and bursts of action. For such people, watching a game on TV can be a struggle, particularly if they're annoyed by the chatter of announcers. Fans in Detroit had another option last night: watching a TV broadcast that included only the natural sounds of the ballpark. On its "Plus" channel, Fox Sports Detroit offered fans a feed of Tuesday night's game pitting the Tigers against the Washington Nationals, titled "Natural Sounds at Comerica Park." The program's only voices came from the field and the stands. The broadcast was enhanced by "extra microphones around the park so viewers can hear more of the sounds of baseball - the bat cracks, ball popping in the mitt, vendors chiming in from the stands and the crowd's reaction to every play on the field," said Fox Sports Detroit's general manager, Greg Hammaren. As the Awful Announcing site notes, the move was a hit with many viewers, who took to Twitter to call the broadcast "awesome." Others said, "Wish it was like this every game." The experiment by Fox Sports Detroit follows in the footsteps of the famous NBC broadcast from 1980, when an NFL game between the New York Jets and the Miami Dolphins was aired without announcers providing play-by-play commentary or analysis.


The NSA's overreach and lack of transparency is hurting American businesses (TechDirt, 31 July 2013) - One major negative side effect of the NSA leaks is the problem it's causing for US-based tech companies. Not only have they been forbidden to discuss the details and scope of their interactions with American intelligence agencies, they've also been put in the worst possible light by some of the revelations. Very simply put, the actions of the NSA harm American businesses. The NSA's control of the narrative only makes it worse as existing and potential customers have no way of knowing the full extent of the protection (or lack thereof) surrounding their data. Under the current law, companies can't even acknowledge they've received FISA court orders, much less provide statistics on frequency and compliance. Pointing to the potential fallout from the disclosures about the scale of NSA operations in Europe, [Neelie] Kroes, the European commissioner for digital matters, predicted that US internet providers of cloud services could suffer major business losses. "If businesses or governments think they might be spied on, they will have less reason to trust cloud, and it will be cloud providers who ultimately miss out. Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes?" she said. "It is often American providers that will miss out, because they are often the leaders in cloud services. If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either. If I am right, there are multibillion-euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now."


France cuts back further on employee privacy (Steptoe, 1 August 2013) - France's highest appeals court (Cour de cassation) has ruled, in Monsieur X v. Young & Rubicam France, that any content found on work-issued equipment is presumed to be work-related unless marked otherwise. Accordingly, employers can legally search all emails and files found in such equipment unless they are explicitly marked as "personal." The ruling applies even to employees' personal, non-work related email accounts, as long as those accounts are accessed from workplace computers. Since the Cour de cassation first established, in Nikon France SA v. Frédéric O., an employee's right to privacy in personal messages transmitted using a workplace computer, French courts have continually narrowed the scope of these protections.


Judge says patent lawyers have right to science articles under 'fair use' (GigaOM, 1 August 2013) - In a sign of the times for America's intellectual property regime, a federal judge had to break up a squabble between patent lawyers and copyright lawyers over the scientific articles that are submitted as part of most patent applications. This week, US Magistrate Judge Jeffrey Keyes sided with the patent lawyers, ruling that the reason they made unlicensed copies of the articles was to comply with the law for submitting applications to the patent office - and not to compete within the market for scientific journals. Publisher John Wiley had argued that the Minnesota law firm Schwegman Lundberg & Woessner had assembled a private research library and that it should pay a license fee for doing so. The judge disagreed, saying the patent lawyers qualified for "fair use" - an exception to copyright law that applies to certain activities. "These are not the acts of a 'chiseler,'" Keyes ruled at the conclusion of a four-part fair-use analysis, noting that the patent lawyers' use of the work was transformative and did not impinge on the original market for scholarly journals. He also wrote that the lawyers' copying of the work did not prevent a fair-use finding (an argument that could help Google in its long-running fight over book-scanning). The case initially turned on the journal copies that the lawyers submitted to the patent office. John Wiley, however, withdrew this claim after the Patent Office took the unusual step of issuing a public memo stating that the practice was fair use (under patent law, applicants have to submit scientific articles and other so-called prior art to show an invention is new). The publisher then chose instead to focus on the copies that the law firm used internally. In the case of Schwegman, the firm downloaded copies of the articles from the patent office or obtained them by email or on public websites. 
(For one article, the firm paid for a license from the American Institute of Physics but the publishers still wanted them to pay again for the internal copies they made.)

Cloud computing and information privacy (MLPB, 5 August 2013) - Paul M. Schwartz, of the University of California, Berkeley, Law School, has published Information Privacy In the Cloud, in volume 161 of the University of Pennsylvania Law Review (2013). Here is the abstract: Cloud computing is the locating of computing resources on the Internet in a fashion that makes them highly dynamic and scalable. This kind of distributed computing environment can quickly expand to handle a greater system load or take on new tasks. Cloud computing thereby permits dramatic flexibility in processing decisions - and on a global basis. The rise of the cloud has also significantly challenged established legal paradigms. This Article analyzes current shortcomings of information privacy law in the context of the cloud. It also develops normative proposals to allow the cloud to become a central part of the evolving Internet. These proposals rest on strong and effective protections for information privacy that are sensitive to technological changes. This Article examines three areas of change in personal data processing due to the cloud. The first area of change concerns the nature of information processing at companies. For many organizations, data transmissions are no longer point-to-point transactions within one country; they are now increasingly international in nature. As a result of this development, the legal distinction between national and international data processing is less meaningful than in the past. Computing activities now shift from country to country depending on load capacity, time of day, and a variety of other concerns. The jurisdictional concepts of EU law do not fit well with these changes in the scale and nature of international data processing. A second legal issue concerns the multi-directional nature of modern data flows, which occur today as a networked series of processes made to deliver a business result. Due to this development, established concepts of privacy law, such as the definition of "personal information" and the meaning of "automated processing," have become problematic. There is also no international harmonization of these concepts. As a result, European Union and U.S. officials may differ on whether certain activities in the cloud implicate privacy law. A final change relates to a shift to a process-oriented management approach. Users no longer need to own technology, whether software or hardware, that is placed in the cloud. Rather, different parties in the cloud can contribute inputs and outputs and execute other kinds of actions. In short, technology has provided new answers to a question that Ronald Coase first posed in "The Nature of the Firm." New technologies and accompanying business models now allow firms to approach "make or buy" decisions in innovative ways. Yet, privacy law's approach to liability for privacy violations and data losses in the new "make or buy" world of the cloud may not create adequate incentives for the multiple parties who handle personal data.

Photographer who spied on Tribeca 'neighbors' wins legal battle in privacy court case (Int'l Business Times, 6 August 2013) - The Tribeca artist who secretly snapped photos of his across-the-street neighbors won a decisive victory last week when a Manhattan judge dismissed a legal complaint filed by the parents of two of his underage subjects. In a court decision on Friday, State Supreme Court Judge Eileen Rakower ruled in favor of Arne Svenson, whose controversial exhibit "The Neighbors" featured photos of New York apartment-dwellers taken without their consent. Using a telephoto lens, Svenson took pictures through his neighbors' windows at the Zinc building, a luxury Tribeca condo with floor-to-ceiling glass windows. Svenson lives across the street from the building. In a blog post Monday, Mickey Osterreicher, general counsel for the National Press Photographers Association, posted the judge's decision.

DEA and NSA team up to share intelligence, leading to secret use of surveillance in ordinary investigations (EFF, 6 August 2013) - A startling new Reuters story shows one of the biggest dangers of the surveillance state: the unquenchable thirst for access to the NSA's trove of information by other law enforcement agencies. As the NSA scoops up phone records and other forms of electronic evidence while investigating national security and terrorism leads, it turns over "tips" to a division of the Drug Enforcement Agency ("DEA") known as the Special Operations Division ("SOD"). FISA surveillance was originally supposed to be used only in certain specific, authorized national security investigations, but information sharing rules implemented after 9/11 allow the NSA to hand over information to traditional domestic law-enforcement agencies, without any connection to terrorism or national security investigations. But instead of being truthful with criminal defendants, judges, and even prosecutors about where the information came from, DEA agents are reportedly obscuring the source of these tips. For example, a law enforcement agent could receive a tip from SOD (which SOD, in turn, got from the NSA) to look for a specific car at a certain place. But instead of relying solely on that tip, the agent would be instructed to find his or her own reason to stop and search the car. Agents are directed to keep SOD under wraps and not mention it in "investigative reports, affidavits, discussions with prosecutors and courtroom testimony," according to Reuters. The government calls the practice "parallel construction," but deciphering their doublespeak, the practice should really be known as "intelligence laundering." This deception and dishonesty raises a host of serious legal problems. First, the SOD's insulation from even judges and prosecutors stops federal courts from assessing the constitutionality of the government's surveillance practices. Last year, Solicitor General Donald Verrilli told the Supreme Court that a group of lawyers, journalists and human rights advocates who regularly communicate with targets of NSA wiretapping under the FISA Amendments Act (FAA) had no standing to challenge the constitutionality of that surveillance. But Verrilli said that if the government wanted to use FAA evidence in a criminal prosecution, the source of the information would have to be disclosed. When the Supreme Court eventually ruled in the government's favor, finding the plaintiffs had no standing, it justified its holding by noting the government's concession that it would inform litigants when FAA evidence was being used against them.

Lawyers' use of cloud shows big jump in ABA tech survey (Robert Ambrogi, 6 August 2013) - The percentage of lawyers who say they use cloud-based software and services jumped from 21 percent in 2012 to 31 percent this year, according to the 2013 ABA Legal Technology Survey Report. Given that the percentage had held somewhat steady for three years - 20 percent in 2010, 16 percent in 2011 and 21 percent in 2012 - this year's increase of 10 percentage points reflects a significant move into cloud computing by the legal profession. Not surprisingly, the smaller the firm, the more likely its lawyers are to use the cloud, the survey indicates. Forty percent of solo lawyers now use the cloud, compared to 29 percent in 2012 and 23 percent in 2011. Of lawyers at firms of 2-9 members, 36 percent use the cloud, followed by 30 percent at firms of 10-49 attorneys and 19 percent at firms of 100 or more attorneys. When asked which cloud services they had used, lawyers' most common answer was Dropbox, cited by 58 percent of those who had used a cloud service. Of legal-specific cloud services, the most commonly mentioned was the practice-management platform Clio, cited by 13 percent of lawyers who had used a cloud service.

Federal Court doesn't 'Like' service of process via Facebook (Eric Goldman's blog, 7 August 2013) - People have mused about the inevitability of service of process via Facebook, but a recent decision shows that it may not be so quick to happen. Joe Hand sued Carrette for unlawful broadcasting. After several unsuccessful attempts at service, it sought permission to serve via Facebook. The court says Rule 4(e) and (h) of the Federal Rules of Civil Procedure contemplate various methods of service, but alternate service via means not listed in Rule 4 is all about due process. Email has been allowed in cases, but only where the plaintiff demonstrates that service via email is likely to reach the defendant. The court says that no US court has allowed service via Facebook only. (In one FTC case the FTC sought to serve via email and Facebook; the court allowed the request but noted that if the FTC had sought to serve only via Facebook it may not have been amenable.) The court overall has concerns regarding the reliability of Facebook for notice: Anyone with an e-mail address can access Facebook and create a profile 'using real, fake or incomplete information.' As a practical matter, the court cannot verify that the Facebook profile supposedly belonging to a defendant is real unless the movant presents the court with adequate evidence proving its authenticity. Case is Joe Hand Promotions, Inc. v. Carrette, 12-2633-CM (D. Kan. July 9, 2013).

N.S.A. said to search content of messages to and from U.S. (NYT, 8 August 2013) - The National Security Agency is searching the contents of vast amounts of Americans' e-mail and text communications into and out of the country, hunting for people who mention information about foreigners under surveillance, according to intelligence officials. The N.S.A. is not just intercepting the communications of Americans who are in direct contact with foreigners targeted overseas, a practice that government officials have openly acknowledged. It is also casting a far wider net for people who cite information linked to those foreigners, like a little-used e-mail address, according to a senior intelligence official. While it has long been known that the agency conducts extensive computer searches of data it vacuums up overseas, the fact that it is systematically searching - without warrants - through the contents of Americans' communications that cross the border reveals more about the scale of its secret operations. Government officials say the cross-border surveillance was authorized by a 2008 law, the FISA Amendments Act, in which Congress approved eavesdropping on domestic soil without warrants as long as the "target" was a noncitizen abroad. To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. [Polley: and, what does "that cross the border" mean?]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

The Wired 40 (Wired, June 2003) -- Meet the masters of innovation, technology, and strategic vision - 40 companies that are reshaping the global economy. Much has changed since 1998, when we launched our list of the 40 most wired companies. The tech boom and bust unleashed a wave of creative destruction that proved far more tempestuous than anyone had imagined. Our list, too, has seen its share of turmoil. Only 10 of the original 40 companies remain. This year's 13 new entries include inspired upstarts like Netflix and reinventions like BP. The growing power of Linux is reflected by the selection of open source-friendly IBM and the removal of Sun. Topping the list is Google, a private firm so compelling we bent our public-only rule to include it. We've also changed the name of the list from the Wired Index to the Wired 40. This reaffirms the original mission to highlight companies driven by innovative thinking, not marketplace brawn. Name aside, the selection criteria remain unaltered. This remarkable roster has demonstrated mastery of today's business essentials: innovation, technology, strategic vision, global reach, and networked communication. We've ranked them accordingly. [Editor in 2003: Schlumberger, AOL and Sun have fallen off the list for the first time; BP has been added. Editor in 2013: interesting to see which of these top-40 are still around, still leaders.]

Disney to Slip DVDs a Mickey (CNET, 16 May 2003) -- This disc will self-destruct in 48 hours. That is the warning Walt Disney will issue this August when it begins to "rent" DVDs that are set to become unplayable after two days and that therefore do not have to be returned. Disney home video unit Buena Vista Home Entertainment will launch a pilot movie "rental" program in August that uses self-destruction technology, the company said Friday. The discs stop working when a process similar to rusting makes them unreadable. The discs start off red, but when they are taken out of the package, exposure to oxygen eventually turns the coating black and makes it impenetrable by a DVD laser. Buena Vista hopes the technology will let it crack a wider rental market, since it can sell the DVDs in stores, or almost anywhere, without setting up a system to get the discs back. The discs work perfectly for the two-day viewing window, said Flexplay Technologies, the private company that developed the technology using material from General Electric. The technology cannot be hacked by programmers who would want to view the disc longer, because the mechanism that closes the viewing window is chemical and has nothing to do with computer technology. However, the disc can be copied within 48 hours, since it works like any other DVD during that window.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.