MIRLN --- 11-31 August 2013 (v16.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
- Live threat intelligence impact report 2013
- DEA and NSA team up to share intelligence, leading to secret use of surveillance in ordinary investigations
- 51% of U.S. adults bank online
- Legal ethicists are playing catch-up to create social media guidelines for lawyers, judges
- Law firms can't describe 'specialties' on LinkedIn, New York ethics opinion says
- Former DHS deputy secretary launches cybersecurity council
- The NSA is commandeering the Internet
- How the NSA leaks could affect the US cloud computing industry
- Susan Landau on Snowden's revelations
- NSA often broke rules on privacy, audit shows
- 40 maps that will help you make sense of the world
- Topics for law-blogging: 125+ suggestions
- America's most profitable company per employee makes your phone work - and it's not Apple
- Google: Gmail users shouldn't expect email privacy
- Communications privacy 2.0
- Prison computer 'glitch' blamed for opening cell doors in maximum-security wing
- Virtual firms on the decline - why?
- State police recorded license plates at political events
- The photocopier: a vulnerability hidden in plain sight
- Cord cliff coming: What happens to TV when Netflix streams live events?
- The FTC and the new common law of privacy
- Prominent law site shuts down because editor worries about government reading her emails
- Free Law Ferret: document-to-cited-cases in a click
- Website owners can legally block some users, court rules
- Flo Rida dodges lawsuit because he was served on Facebook
- A board's legal obligations for the cloud: you have to carry an umbrella
- Third Circuit: cellphone customers may block robocalls
- Facebook friends could change your credit score
- Survey of faculty attitudes on technology
- It's baaaaaack: HavenCo trying once again to bring encrypted computing to the masses (but not hosted on Sealand)
Live threat intelligence impact report 2013 (Ponemon Institute, 26 July 2013) - This comprehensive study of 708 respondents from 378 enterprises reveals the financial damage that slow, outdated and insufficient threat intelligence is inflicting on global enterprises and how live threat intelligence provides the ability to better defend against compromises, breaches and exploits. Today's headlines and a barrage of marketing content lead many enterprise IT security and risk professionals to conclude that common cybercriminal tactics such as phishing attacks, malware and stolen credentials are responsible for the majority of breaches and compromises taking place. While enterprises certainly need to defend against these attack vectors, this research reveals the connection between thwarting compromises and the need to have access to the most immediate threat intelligence available, or what is becoming known as "live threat intelligence." The research also shows that enterprises experiencing the highest number of compromises and breaches are reliant on slow, outdated and insufficient intelligence. The findings in this report lead to a number of conclusions that will help security and risk professionals reduce the risk of breaches and compromises within the enterprises they are responsible for defending. These conclusions highlight the value of immediate threat intelligence, the current state of threat intelligence, the importance of live threat intelligence and the propensity enterprises have to invest in live intelligence solutions. To access, click here. [Polley: Fascinating! An informative slide presentation summarizing the study is here. Surprising how many companies know they are targets, and what a large percentage of attacks come from within the US (71%). Only 31% of companies have cyber risk insurance. Also, "Legal and compliance requirements" are the primary driver for IT security spending.
Press coverage: Despite praising benefits of data breach cyber insurance, most companies remain uninsured (Market Watch, 7 August 2013)]
DEA and NSA team up to share intelligence, leading to secret use of surveillance in ordinary investigations (EFF, 6 August 2013) - As the NSA scoops up phone records and other forms of electronic evidence while investigating national security and terrorism leads, it turns over "tips" to a division of the Drug Enforcement Agency ("DEA") known as the Special Operations Division ("SOD"). FISA surveillance was originally supposed to be used only in certain specific, authorized national security investigations, but information sharing rules implemented after 9/11 allow the NSA to hand over information to traditional domestic law-enforcement agencies, without any connection to terrorism or national security investigations. But instead of being truthful with criminal defendants, judges, and even prosecutors about where the information came from, DEA agents are reportedly obscuring the source of these tips. For example, a law enforcement agent could receive a tip from SOD - which SOD, in turn, got from the NSA - to look for a specific car at a certain place. But instead of relying solely on that tip, the agent would be instructed to find his or her own reason to stop and search the car. Agents are directed to keep SOD under wraps and not mention it in "investigative reports, affidavits, discussions with prosecutors and courtroom testimony," according to Reuters. UPDATE: Add the IRS to the list of federal agencies obtaining information from NSA surveillance. Reuters reports that the IRS got intelligence tips from DEA's secret unit (SOD) and was also told to cover up the source of that information by coming up with its own independent leads to recreate the information obtained from SOD. So that makes two levels of deception: SOD hiding the fact it got intelligence from the NSA and the IRS hiding the fact it got information from SOD.
Even worse, there's a suggestion that the Justice Department (DOJ) "closely guards the information provided by SOD with strict oversight," casting doubt on the effectiveness of DOJ's earlier announced efforts to investigate the program. [Polley: Jennifer Granick has a passionate editorial about this here: NSA, DEA, IRS lie about fact that Americans are routinely spied on by our government: time for a special prosecutor (Forbes, 14 August 2013)]
51% of U.S. adults bank online (Pew, 7 August 2013) - Fifty-one percent of U.S. adults, or 61% of internet users, bank online. Thirty-two percent of U.S. adults, or 35% of cell phone owners, bank using their mobile phones. These findings are based on nationally representative surveys by the Pew Research Center designed to track an activity that is often held up as a proxy for consumer trust in online transactions and as an example of how one industry has enabled data to flow among different institutions. Both types of digital banking are on the rise. In 2010, 46% of U.S. adults, or 58% of internet users, said they bank online. In 2011, 18% of cell phone owners said they have used their phone to check their balance or transact business with a bank.
Legal ethicists are playing catch-up to create social media guidelines for lawyers, judges (ABA Journal, 10 August 2013) - Blogs, Twitter, Facebook, Google+, LinkedIn - there are now many social media platforms which lawyers are urged to use to build business and retain clients. But they also present many opportunities to run afoul of legal ethics rules. In recent years, the states have been putting out a steady stream of ethics opinions and court rulings on how professional conduct rules for lawyers apply to social media. And a year ago, the ABA House of Delegates adopted several revisions to the Model Rules of Professional Conduct to give lawyers further guidance on how to adapt communications technology to how they interact with clients and prospective clients. But panelists at the ABA Annual Meeting program "Things My Ethics Professor Didn't Tell Me: Top Ethical Pitfalls for the Social Media Age" expressed concern that all this effort still may not be keeping up with changes in communications technology. The revisions to the Model Rules, which serve as the basis for binding ethics standards in every state - except California (which uses a different structure for its rules) - were adopted by the House at the 2012 ABA Annual Meeting in Chicago at the recommendation of the Commission on Ethics 20/20, which was created in 2009 to study the impact of technology and globalization on lawyer ethics and regulation. "The Ethics 20/20 Commission did an extraordinary job," said panelist Juliet M. Moringiello, a law professor at Widener University in Harrisburg, Pa., to the audience of the ABA Business Law Section's event in San Francisco. "But so much electronic communications is running so far ahead of ethics rules, and the commission may still have been focused on what was rather than what will be." Another area that is receiving attention is the use of social media by judges.
The general consensus developing is that judges should not seek to "friend" lawyers on social media sites who are likely to appear before them, but the specific application often is fuzzy. A 2011 opinion from Oklahoma, for instance, says judges may include lawyers as friends on networks like LinkedIn or Facebook "as long as they [judges] don't otherwise use the networks improperly." Opinions on the issue also urge judges to avoid the "appearance of impropriety" in their contacts with lawyers. But opinions, including ABA Formal Opinion 462, issued earlier this year by the Standing Committee on Ethics and Professional Responsibility, acknowledge that applying the standard can be difficult.
- and -
Law firms can't describe 'specialties' on LinkedIn, New York ethics opinion says (ABA Journal, 16 August 2013) - Law firms may not describe their services in a section of LinkedIn devoted to specialties, according to a New York ethics opinion. New York ethics rules allow lawyers, but not law firms, to state that they have been certified as a specialist, according to the June 26 opinion (PDF) by the New York State Bar Association's Committee on Professional Ethics. As a result, only appropriately certified lawyers may list specialties, provided that they comply with disclosure requirements. The ABA/BNA Lawyers' Manual on Professional Conduct has a summary. According to the ethics opinion, a law firm may identify areas of law practice. "But to list those areas under a heading of 'Specialties,' would constitute a claim that the lawyer or law firm 'is a specialist or specializes in a particular field of law,'" the opinion said.
Former DHS deputy secretary launches cybersecurity council (Hillicon Valley, 12 August 2013) - The former deputy secretary of the Homeland Security Department announced the launch of a cybersecurity nonprofit organization on Monday that's focused on the dual goals of preserving an open Internet and encouraging the adoption of best practices to secure computer systems against cyberattacks. Jane Holl Lute will serve as the president and chief executive officer of the new nonprofit organization, called the Council on Cybersecurity. Lute stepped down from her role as the second-highest official at the Department of Homeland Security this spring, and her name has been floated as a possible candidate to succeed Homeland Security Secretary Janet Napolitano. In remarks at a cybersecurity conference in Washington, Lute said the council would be focused on spreading the adoption of cybersecurity best practices and equipping the cyber workforce with the skills needed to tackle the evolving challenges that lie ahead in protecting cyberspace. As part of its efforts, the council will encourage the adoption of the critical security controls developed by SANS, as well as work on updating and improving them to better secure the public and private sectors from cyberattacks. [Polley: SANS describes Lute's goals as "* * * to provide a minimum standard of due care that will allow top executives of corporations and governments to measure their organizations' cybersecurity defenses and skills."]
The NSA is commandeering the Internet (Bruce Schneier in The Atlantic, 12 August 2013) - It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose. Others cooperate, either out of patriotism or because they believe it's easier that way. I have one message to the executives of those companies: fight. Do you remember those old spy movies, when the higher-ups in government decide that the mission is more important than the spy's life? It's going to be the same way with you. You might think that your friendly relationship with the government means that they're going to protect you, but they won't. The NSA doesn't care about you or your customers, and will burn you the moment it's convenient to do so. We're already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They've lost the trust of their customers, and explaining what they do - and don't do - is how to get it back. The government has refused; they don't care. It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they'll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they're sloppy. They'll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn't have a copy, the next whistleblower will. This is why you have to fight.
When it becomes public that the NSA has been hoovering up all of your users' communications and personal files, what's going to save you in the eyes of those users is whether or not you fought. Fighting will cost you money in the short term, but capitulating will cost you more in the long term. * * * You, an executive in one of those companies, can fight. You'll probably lose, but you need to take the stand. And you might win. It's time we called the government's actions what they really are: commandeering. Commandeering is a practice we're used to in wartime, where commercial ships are taken for military use, or production lines are converted to military production. But now it's happening in peacetime. Vast swaths of the Internet are being commandeered to support this surveillance state. If this is happening to your company, do what you can to isolate the actions. Do you have employees with security clearances who can't tell you what they're doing? Cut off all automatic lines of communication with them, and make sure that only specific, required, authorized acts are being taken on behalf of government. Only then can you look your customers and the public in the face and say that you don't know what is going on - that your company has been commandeered. [Polley: More by Bruce here; the part about Qwest is particularly interesting: More on the NSA Commandeering the Internet (Bruce Schneier, 30 August 2013)]
- and -
How the NSA leaks could affect the US cloud computing industry (CS Monitor, 26 August 2013) - A recent report from the Information Technology and Innovation Foundation estimates that the United States' multibillion-dollar cloud computing industry stands to lose anywhere from $22 to $35 billion over the next three years because of the NSA revelations. "If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either," said European Commissioner for Digital Affairs Neelie Kroes in an interview with the Guardian in July. "If I am right, there are multibillion-euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now." Industry shifts since the NSA leaks in early June support Kroes' argument. Amazon Web Services, widely acknowledged as the global market leader in cloud storage, cut some of its prices by 80 percent in July to remain competitive. The writing on the wall seems clear: The NSA leaks will hurt US cloud companies. But to peg an industry shift to June 2013 would overlook a larger trend that has been taking place in the industry since 2001. [Polley: see also More PRISM fallout: Indian government may ban Gmail use (GigaOM, 30 August 2013)]
- and -
Susan Landau on Snowden's revelations (Lawfare, 15 August 2013) - Susan Landau has a new piece at Computing Now called Making Sense from Snowden: What's Significant in the NSA Surveillance Revelations: Did Snowden cause irreparable harm, or did he reveal facts that should be publicly examined? What are the facts, anyhow? This article seeks to put the Snowden revelations in context, explaining what's new, why it matters, and what might happen next.
- and -
NSA often broke rules on privacy, audit shows (NYT, 16 August 2013) - The National Security Agency violated privacy rules protecting the communications of Americans and others on domestic soil 2,776 times over a one-year period, according to an internal audit leaked by the former N.S.A. contractor Edward J. Snowden and made public on Thursday night. The violations, according to the May 2012 audit, stemmed largely from operator and system errors like "inadequate or insufficient research" when selecting wiretap targets. The largest number of episodes - 1,904 - appeared to be "roamers," in which a foreigner whose cellphone was being wiretapped without a warrant came to the United States, where individual warrants are required. A spike in such problems in a single quarter, the report said, could be because of Chinese citizens visiting friends and family for the Chinese Lunar New Year holiday. "Roamer incidents are largely unpreventable, even with good target awareness and traffic review, since target travel activities are often unannounced and not easily predicted," the report says. The report and several other documents leaked by Mr. Snowden were published by The Washington Post. They shed new light on the intrusions into Americans' privacy that N.S.A. surveillance can entail, and how the agency handles violations of its rules. Jameel Jaffer of the American Civil Liberties Union said that while some of the compliance violations were more troubling than others, the sheer number of them was "jaw-dropping." Another newly disclosed document included instructions for how N.S.A. analysts should record their rationales for eavesdropping under the FISA Amendments Act, or F.A.A., which allows wiretapping without warrants on domestic networks if the target is a noncitizen abroad. The document said analysts should keep descriptions of why the people they are targeting merit wiretapping to "one short sentence" and avoid details like their names and supporting information.
A brief article in an internal N.S.A. newsletter offered hints about a known but little-understood episode in which the Foreign Intelligence Surveillance Court found in 2011 that the N.S.A. had violated the Fourth Amendment. The newsletter said the court issued an 80-page ruling on Oct. 3, 2011, finding that something the N.S.A. was collecting involving "Multiple Communications Transactions" on data flowing through fiber-optic networks on domestic soil was "deficient on statutory and constitutional grounds."
40 maps that will help you make sense of the world (Twisted Sifter, 13 August 2013) - If you're a visual learner like myself, then you know maps, charts and infographics can really help bring data and information to life. Maps can make a point resonate with readers and this collection aims to do just that. Hopefully some of these maps will surprise you and you'll learn something new. A few are important to know, some interpret and display data in a beautiful or creative way, and a few may even make you chuckle or shake your head. [Polley: I especially like the maps "The Only 22 Countries Britain has NOT Invaded", and the dynamic "Global Internet Usage Based on Time of Day".]
Topics for law-blogging: 125+ suggestions (Prof. Walter Effross, 14 August 2013) - Below are various suggested topics - some of which overlap, and some of which might be combined - for law-blogging (although they could also be refined into topics for individual law review articles or other publications). They are drawn primarily from the domains of corporate governance, e-commerce, intellectual property, payment systems, and bankruptcy law, and of course are not meant to constitute an exhaustive list even for these areas.
America's most profitable company per employee makes your phone work - and it's not Apple (Quartz, 14 April 2013) - You'd be forgiven for not recognizing the name InterDigital, despite the fact that it has been around since 1972 and developed many of the technologies that are critical to our increasingly mobile, wireless world. As a result, per employee, InterDigital is the most profitable company in the US, with a net income of $937,255 per worker, according to Bloomberg's just-released visual compendium of data. And the only thing InterDigital produces is designs for new technology - and the occasional lawsuit. But whatever you do, don't call InterDigital a patent troll - CEO William Merritt hates that term. And it's admittedly not a fair label for InterDigital, in contrast to firms that merely buy up patents in order to then sue other people over them. Like ARM, the Cambridge, UK-based company that designs the chips that are in practically every mobile device on the planet, InterDigital does not manufacture anything itself. Yet the company employs more than 200 engineers who have collectively helped InterDigital amass a trove of patents that could be worth billions. InterDigital also creates working prototypes of all of its technologies, in order to demonstrate them to industry partners like Alcatel-Lucent, who later incorporate them into their products. [Polley: surprising.]
Google: Gmail users shouldn't expect email privacy (The Guardian, 14 August 2013) - Gmail users have no "reasonable expectation" that their emails are confidential, Google has said in a court filing. Consumer Watchdog, the advocacy group that uncovered the filing, called the revelation a "stunning admission." It comes as Google and its peers are under pressure to explain their role in the National Security Agency's (NSA) mass surveillance of US citizens and foreign nationals. "Google has finally admitted they don't respect privacy," said John Simpson, Consumer Watchdog's privacy project director. "People should take them at their word; if you care about your email correspondents' privacy, don't use Gmail." Google set out its case last month in an attempt to dismiss a class action lawsuit that accuses the tech giant of breaking wiretap laws when it scans emails in order to target ads to Gmail users. That suit, filed in May, claims Google "unlawfully opens up, reads, and acquires the content of people's private email messages." It quotes Eric Schmidt, Google's executive chairman: "Google policy is to get right up to the creepy line and not cross it." According to Google: "Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient's ECS [electronic communications service] provider in the course of delivery."
Communications privacy 2.0 (MLPB, 16 August 2013) - Orin S. Kerr, George Washington University Law School, is publishing The Next Generation Communications Privacy Act in the University of Pennsylvania Law Review. Here is the abstract: In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and merely tinker with a few small aspects of the statute. This Article offers a thought experiment about what might happen if Congress repealed ECPA and enacted a new privacy statute to replace it. The new statute would look quite different from ECPA because overlooked changes in Internet technology have dramatically altered the assumptions on which the 1986 Act was based. ECPA was designed for a network world with high storage costs and only local network access. Its design reflects the privacy threats of such a network, including high privacy protection for real-time wiretapping, little protection for non-content records, and no attention to particularity or jurisdiction. Today's Internet reverses all of these assumptions. Storage costs have plummeted, leading to a reality of almost total storage. Even United States-based services now serve a predominantly foreign customer base. A new statute would need to account for these changes. The Article contends that a next generation privacy act should contain four features. First, it should impose the same requirement on access to all contents. Second, it should impose particularity requirements on the scope of disclosed metadata. Third, it should impose minimization rules on all accessed content. And fourth, it should impose a two-part territoriality regime with a mandatory rule structure for United States-based users and a permissive regime for users located abroad.
Prison computer 'glitch' blamed for opening cell doors in maximum-security wing (Wired, 16 August 2013) - Florida prison officials say a computer "glitch" may be to blame for opening all of the doors at a maximum security wing simultaneously, setting prisoners free and allowing gang members to pursue a rival with weapons. But a surveillance video released this week suggests that the doors may have been opened intentionally - either by a staff member or remotely by someone else inside or outside the prison who triggered a "group release" button in the computerized system. The video raises the possibility that some prisoners knew in advance that the doors were going to open. It's the second time in two months that all of the doors in the wing opened at once, officials say, raising questions about whether the first incident was a trial run to see how long it would take guards to respond.
Virtual firms on the decline - why? (MyShingle, 16 August 2013) - According to the 2013 ABA Legal Technology Survey, virtual law practices are on the decline, reports Bob Ambrogi at his Law Sites Blog. The decrease isn't particularly significant; the number of lawyers who describe their practice as virtual declined from 7 to 5 percent between 2012 and 2013, while the number of lawyers providing unbundled legal services (an offering common to many virtual practices) declined from a high of 44 percent in 2012 to 25 percent, in line with 2011. What accounts for the decline in virtual law practices? I think that several factors are at play * * *
State police recorded license plates at political events (The Daily Progress, 18 August 2013) - Virginia State Police recorded the license plates of every vehicle arriving from Virginia to attend President Barack Obama's first inauguration in Washington in 2009, as well as those at campaign rallies three months earlier in Leesburg for then-candidate Obama and Republican vice presidential nominee Sarah Palin. The U.S. Secret Service requested that state police use one of its automated license plate readers at the entrance to the Pentagon to capture and store the plate images as an extra level of security for the inauguration, which was attended by an estimated 1.8 million people. The same was requested for the political rallies. The state police license plate readers have been used statewide since 2006, mostly by on-the-road troopers to detect stolen cars and fugitives. But the data collected were also used to solve other crimes after the fact by being able to track a person to a specific place at a certain time. Up until a February legal opinion issued by Virginia Attorney General Ken Cuccinelli on the collection and dissemination of license plate reader data, state police beginning in 2010 had stored the images of roughly 8 million license plates - some for as long as three years - on a server in the department's data center at state police headquarters in Chesterfield County, said state police Sgt. Robert Alessi, the department's statewide coordinator for the program. But the department says all of it was purged in early March, after Cuccinelli advised that collecting and storing such data in a "passive manner" that is not directly related to a criminal investigation would be in violation of the state's Government Data Collection and Dissemination Practices Act.
The photocopier: a vulnerability hidden in plain sight (HealthITech Law, 18 August 2013) - The U.S. Department of Health and Human Services ("HHS") announced last week that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for more than $1.2 million because it failed to wipe the hard drives when it returned leased photocopiers. OCR's investigation indicated that Affinity impermissibly disclosed protected health information when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. The HHS press release states that Affinity estimated that up to 344,579 individuals may have been affected by this breach.
Cord cliff coming: What happens to TV when Netflix streams live events? (AllThingsD, 19 August 2013) - Netflix has never streamed a live event, and Reed Hastings says it never will. Now, that's a wise comment for a disruptor to put unambiguously on the record - especially since the TV networks could immediately pull their content from Netflix if they ever heard otherwise. But we all know that occasionally CEOs change their minds. So that's why I decided to imagine what would happen if Netflix took on live events. And as soon as I played out the scenario, it became obvious: Sooner or later, it will. Television incumbents wouldn't need to wave off cord cutting if they weren't genuinely scared of it. New data show that 30 percent of U.S. Internet users would consider cutting their expensive and relatively despised cable subscription to watch TV exclusively online. But even with as much content as digital pure-plays like Netflix, iTunes and Hulu now offer, there's one outsized variable that's holding the whole cable bundle together: Live events. Live events are inordinately valuable. They have ultimate scarcity: They happen "right now," they provide a focal point around which hordes of people come together, and they give their viewers an "I was there!" experience beyond just the content itself. They are one of the few must-haves in consumers' media diets. Personally, I can vouch that the Olympics, the Oscars and the Boston Marathon news are the only television in the last year that drew this cord cutter's rabbit ears out of the cabinet. Live events are what cable and broadcast TV have that Netflix doesn't: News, talk shows and - most important - sports. "The biggest question we get from potential cord cutters is how to watch live sports without paying for cable," reports GigaOM. There's still no feasible alternative. At least, not yet.
The FTC and the new common law of privacy (Dan Solove, 19 August 2013) - Abstract: One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies' privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States - more so than nearly any privacy statute and any common law tort. In this article, we contend that the FTC's privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC's privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy "common law" demonstrates that the FTC's privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this "common law" into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, that extends far beyond privacy policies, and that involves a full suite of substantive rules that exist independently from a company's privacy representations.
Prominent law site shuts down because editor worries about government reading her emails (Business Insider, 20 August 2013) - The editor of a well-respected legal site, Groklaw, has announced that she's going to stop producing the site because the government might be reading her emails. Groklaw is a collaborative site that explores the nuances of certain cases and legal decisions, including the recent Apple v. Samsung case. The editor of the site, Pamela Jones, says she can't operate the site without email. And the idea that faceless government spooks might be reading any email that she sends outside the U.S. is too much for her: "[T]he conclusion I've reached is that there is no way to continue doing Groklaw, not long term, which is incredibly sad. But it's good to be realistic. And the simple truth is, no matter how good the motives might be for collecting and screening everything we say to one another, and no matter how "clean" we all are ourselves from the standpoint of the screeners, I don't know how to function in such an atmosphere. I don't know how to do Groklaw like this." Jones isn't just worried about being wrongly accused of crimes. For her, there's the ickiness factor of having her personal privacy violated--a feeling that she says is similar to the feeling she had when her apartment in New York was robbed and the burglar went through all of her underwear. [ Polley : Ed Felten has an interesting post about this here. For me, I'm back to using PGP, when appropriate. The open-source Macintosh package is GPGTools, and fairly straightforward to install, yielding two Apple Mail icons: "sign" and "encrypt". Keyserver distribution of public keys (e.g., thru pgp.mit.edu) is also straightforward - look for mine under "Vincent Polley" - KeyID = AADBBDD7; phone me to confirm key fingerprint.]
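The note above relies on two identifiers: a 32-bit key ID that a keyserver search turns up, and the fingerprint confirmed by phone. Both are derived from the same hash of the public-key packet, and the short ID is just its last 8 hex digits, which is why it cannot substitute for the fingerprint: a 32-bit ID can be matched by generating keys until one collides, so it identifies nothing on its own. As an added example, not from the article or from GPGTools, a Python script that builds a version-4 RSA public-key packet from constructed toy numbers (a 64-bit modulus far too small to be a real key, and an arbitrary creation time), computes the fingerprint as RFC 4880 section 12.2 specifies, and shows both key IDs falling out of it. The numbers and function names are assumptions for illustration.

```python
import hashlib
import struct

# Constructed toy parameters: a 64-bit modulus is not a usable RSA key; it only
# exercises the packet format.  The creation time is an arbitrary 2013 epoch value.
CONSTRUCTED_N = 0xD2A37F195C0B8E4D
CONSTRUCTED_E = 65537
CONSTRUCTED_CREATED = 1377000000


def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then the big-endian value."""
    if n == 0:
        return b"\x00\x00"
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_rsa_public_key_body(created, n, e):
    """Body of a version-4 public-key packet for RSA (public-key algorithm 1)."""
    return b"\x04" + struct.pack(">IB", created, 1) + mpi(n) + mpi(e)


def parse_v4_public_key_body(body):
    """Inverse of the builder, used to check that the packet round-trips."""
    if body[0] != 4:
        raise ValueError("only version-4 key packets are handled")
    created, algo = struct.unpack(">IB", body[1:6])
    mpis, pos = [], 6
    while pos < len(body):
        (bits,) = struct.unpack(">H", body[pos:pos + 2])
        nbytes = (bits + 7) // 8
        mpis.append(int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"))
        pos += 2 + nbytes
    return {"created": created, "algorithm": algo, "mpis": mpis}


def fingerprint(body):
    """v4 fingerprint (RFC 4880 s.12.2): SHA-1 over 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fp):
    """The long (64-bit) and short (32-bit) key IDs are the tail of the fingerprint."""
    return fp[-16:], fp[-8:]


def demo():
    body = v4_rsa_public_key_body(CONSTRUCTED_CREATED, CONSTRUCTED_N, CONSTRUCTED_E)
    fp = fingerprint(body)
    long_id, short_id = key_ids(fp)
    # Same key material, different creation time: the fingerprint changes, so a
    # fingerprint pins the whole packet, not just the modulus.
    other = fingerprint(v4_rsa_public_key_body(CONSTRUCTED_CREATED + 1, CONSTRUCTED_N, CONSTRUCTED_E))
    return {
        "fingerprint": fp,
        "long_id": long_id,
        "short_id": short_id,
        "parsed": parse_v4_public_key_body(body),
        "fingerprint_other_time": other,
    }


if __name__ == "__main__":
    r = demo()
    print("fingerprint:", " ".join(r["fingerprint"][i:i + 4] for i in range(0, 40, 4)))
    print("long key ID:", r["long_id"], " short key ID:", r["short_id"])
```

Read the fingerprint in the same 4-character groups gpg prints, and compare all 40 characters out of band; a keyserver can return any number of keys carrying the same short ID, and nothing on the keyserver vouches for which is the right one.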
Free Law Ferret: document-to-cited-cases in a click (CitationStylist, 20 August 2013) - In the past couple of posts, I have been holding forth on the possibilities for browser-based parsing of case citations via a JavaScript port of the new parser offered up by the CourtListener project. Mike Lissner has confirmed that I was indeed off-base with the name. As it turns out, "Juriscraper" actually refers to the library used at CourtListener to scrape court websites, and not the citator that identifies references embedded in individual cases: so I put on my copywriter's hat, and chased up a brand new name. Say hello to the Free Law Ferret, a Firefox plugin that has emerged from the CitationStylist skunkworks with a ferocious curiosity and a full set of tiny adorable bibliographic teeth. * * * The Ferret will scan the document in the browser window (be it law case, legal brief, blog post or whatever), and present a list of citations in a dialog box like that shown to the right. Note that the parser presently supports US case law only: cites to the courts of other countries, to regulations, to statutory law and to international instruments and tribunals will not be recognized. Select cites in the dialog and click OK to search for each case in the CourtListener repository and open each in a separate browser tab. If the search for a case fails, you can either broaden the search terms in the CourtListener page, or search for it (manually) elsewhere. [ Polley : pretty techie, even for me. Send me feedback, please? Carl Malamud tweeted: "The Free Law Ferret searches any web doc, finds the US court cases, grabs a copy."]
Website owners can legally block some users, court rules (Computerworld, 20 August 2013) - Public website owners have the right to selectively block users from their sites and anyone who intentionally circumvents those blocks may be violating provisions of the Computer Fraud and Abuse Act (CFAA), a federal judge in California ruled Friday. The ruling involves a dispute between Craigslist and 3Taps Inc., an online ad aggregator that basically copies and republishes online ads. Craigslist claimed that 3Taps scrapes, collects and reposts all of Craigslist's classified advertisements in real time. In 2012, Craigslist sent a cease-and-desist letter asking 3Taps to stop accessing its website. Craigslist also separately configured the site to block access to it from any IP address associated with 3Taps. However, 3Taps used IP rotation technology and proxy servers to bypass the blocks and continued to harvest and repost data gathered from Craigslist. 3Taps admitted that it intentionally circumvented the blocking. But in a motion to dismiss the lawsuit, 3Taps noted that Craigslist, by making its website publicly available, had essentially authorized the entire Internet to access and use its content. The company claimed that allowing owners of publicly accessible websites to selectively block individuals and groups was dangerous and contrary to the notion of a free and open Internet. In a 13-page ruling, District Court Judge Charles Breyer dismissed those arguments and held that 3Taps had accessed Craigslist without specific authorization from the website owner.
Flo Rida dodges lawsuit because he was served on Facebook (Huffington Post, 20 August 2013) - Flo Rida is feeling pretty lucky right about now: The rapper, best known for jumping on already popular songs and dishing out generally unmemorable party rap verses over the pre-existing songs, faced a six-figure lawsuit after he was an alleged no-show at the Fat As Butter festival in 2011, despite having been pre-paid for the gig. In an unusual move, the organizers of the festival served Flo Rida on Facebook -- digitally notifying him that he was due in court. Unusual, and not totally kosher, according to a judge who upheld Flo Rida's appeal of the initial ruling that allowed Mothership Music to serve the rapper (born Tramar Dillard) and his management, VIP Entertainment and Concepts, on the social network in the first place. Billboard reports that Justice Robert McFarlan, the judge who sided with Flo Rida, had this to say: "The evidence did not establish, other than by mere assertion, that the Facebook page was in fact that of Flo Rida and did not prove that a posting on it was likely to come to his attention in a timely fashion."
A board's legal obligations for the cloud: you have to carry an umbrella (ABA, 22 August 2013) - Every day the news produces yet more articles on the vulnerability of businesses to cyberattacks. A recent Google search returned over 16,000 entries for news articles discussing how cyberspace is the new vector for attacking a company. Information security and privacy concerns are consequently some of the most heavily reported issues in the media today. With this level of coverage and reporting, what pressure is there on a company and its board of directors to mitigate the risks associated with cyberattacks? Can officers and directors of companies continue to relegate information security and data protection to the back burner? Or is data protection becoming as much an immediate responsibility of a board as financial reporting? [ Polley : interesting article by Seyfarth's John Tomaszewski.]
Third Circuit: cellphone customers may block robocalls (Legal Intelligencer, 23 August 2013) - Cellphone customers may revoke their consent to receive robocalls on those devices, the Third Circuit has ruled in a case of first impression. Interpreting the Telephone Consumer Protection Act broadly, the U.S. Court of Appeals for the Third Circuit reversed the district court's holding based on rules from the Federal Communications Commission and common-law treatment of consent. By its own reckoning, the Third Circuit is the first circuit to address the issue of whether consumers have a right to withdraw their prior consent to be robocalled on their cellphones and if there would be a time limit on that right. The three-judge panel ruled that the right exists and there is no time limit on it. "Congress passed the TCPA to protect individual consumers from receiving intrusive and unwanted calls," Senior Judge Jane R. Roth wrote on behalf of the panel, which included Judges Julio M. Fuentes and Patty Shwartz. "Notably," Roth said, setting up her discussion, "the statute does not contain any language expressly granting consumers the right to revoke their prior express consent." The court looked to rules from the FCC because Congress gave it the authority to regulate and enforce the TCPA, which was passed in 1991. The FCC issued a declaratory ruling with the most relevant guidance it has yet offered on the issue after the district court dismissed the case. Last November, the FCC offered an analysis that "was directed at the use of an automated dialing system to confirm an opt-out request, rather than whether an opt-out right exists," Roth said, but "the decision indicates that the FCC supports Gager's argument that a consumer may revoke her prior express consent once it is given."
Facebook friends could change your credit score (CNN, 26 August 2013) - Choose your Facebook friends wisely; they could help you get approved -- or rejected -- for a loan. A handful of tech startups are using social data to determine the risk of lending to people who have a difficult time accessing credit. Traditional lenders rely heavily on credit scores like FICO, which look at payments history. They typically steer clear of the millions of people who don't have credit scores. But some financial lending companies have found that social connections can be a good indicator of a person's creditworthiness. One such company, Lenddo, determines if you're friends on Facebook with someone who was late paying back a loan to Lenddo. If so, that's bad news for you. It's even worse news if the delinquent friend is someone you frequently interact with. A German company called Kreditech says that it uses up to 8,000 data points when assessing an application for a loan. In addition to data from Facebook, eBay or Amazon accounts, Kreditech also gathers information from the manner in which a customer fills out the online application. For example, your chances of getting a loan improve if you spend time reading information about the loan on Kreditech's website. If you fill out the application typing in all-caps (or with no caps), you're knocked down a couple pegs in Kreditech's eyes. Kreditech can also determine your location and weighs creditworthiness based on whether your computer is located where you said you live or work.
Survey of faculty attitudes on technology (InsideHigherEd, 27 August 2013) - Online education arguably came of age in the last year, with the explosion of massive open online courses driving the public's (and politicians') interest in digitally delivered courses and contributing to the perception that they represent not only higher education's future, but its present. Faculty members, by and large, still aren't buying -- and they are particularly skeptical about the value of MOOCs, Inside Higher Ed's new Survey of Faculty Attitudes on Technology suggests. The survey of 2,251 professors, which, like Inside Higher Ed's other surveys, was conducted by Gallup, finds significant skepticism among faculty members about the quality of online learning, with only one in five of them agreeing that online courses can achieve learning outcomes equivalent to those of in-person courses, and majorities considering online learning to be of lower quality than in-person courses on several key measures (but not in terms of delivering content to meet learning objectives). But, importantly, appreciation for the quality and effectiveness of online learning grows with instructors' experiences with it. The growing minority of professors who themselves had taught at least one course online (30 percent of respondents, up from 25 percent last year) were far likelier than their peers who had not done so to believe that online courses can produce learning outcomes at least equivalent to those of face-to-face courses; 50 percent of them agree or strongly agree that online courses in their own department or discipline produce equivalent learning outcomes to in-person courses, compared to just 13 percent of professors who have not taught online. [ Polley : see related story about San Jose State University: Boost for Udacity project (InsideHigherEd, 28 August 2013)]
It's baaaaaack: HavenCo trying once again to bring encrypted computing to the masses (but not hosted on Sealand) (TechDirt, 27 August 2013) - If you were into digital and cryptography issues a little over a decade ago, you surely remember the debacle of HavenCo, the attempt at a secure data haven hosted on the "micronation" of Sealand (better known as an abandoned platform off the coast of England that some folks "invaded" and claimed as a sovereign nation, which no government recognizes). HavenCo and Sealand were a story the press loved, and the hype level was astounding, followed by the whole project being a complete disaster. Last year, James Grimmelmann wrote a fantastic look-back/post-mortem of HavenCo and an even more detailed and comprehensive legal review paper all about Sealand and HavenCo. If you want the history of all of this, start there. Or, if you want the fictional account of the mindset that went into HavenCo, pick up a copy of Neal Stephenson's Cryptonomicon. Now, it's being reported that James Bates, grandson of Roy Bates, the "founder" of Sealand, has teamed back up with Avi Freedman, one of the initial funders of HavenCo, to relaunch the project with a focus on bringing data security to the masses. Feel free to insert whatever skepticism you have for this project right now, because you're not alone. To their credit, there are two things that are different this time around. First up, they're not trying to host the data center itself on Sealand, which was a part (just a part!) of the mess the last time around. Instead, they're just using Sealand to host air-gapped machines with encryption keys. The actual data will be encrypted, but hosted elsewhere, including in the US and EU, where they believe it will be safe because of the encryption.
NOTED PODCASTS
Oliver Goodenough on creating a law school e-curriculum (Berkman, 8 July 2013; 71 minutes) - Legal practice and legal education both face disruptive change due to technology. Oliver R. Goodenough -- Berkman Fellow, Professor of Law at the Vermont Law School, and Adjunct Professor at Thayer School of Engineering at Dartmouth College -- discusses how technology is shaping legal practice, and how learning from this phenomenon should be a priority for any school looking to provide a useful education for the lawyers.
RESOURCES
Disclosures, disclaimers, and designs of ethical and effective law blogs and law firm web sites (Walter Effross, 19 August 2013) - Reviews relevant ABA and state bar professional responsibility rules and advisory ethics opinions; identifies a range of issues and statutes that could entangle site operators; provides numerous examples of terms and conditions that some sites have adopted to address these issues; and explores additional practices and procedures to safeguard sites.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Not Your Father's Encyclopedia (Wired, 28 Jan 2003) -- One of the Web's first open-source encyclopedias has reached a milestone, just two years since its inception. Last week, the English-language version of Wikipedia, a free multilingual encyclopedia created entirely by volunteers on the Internet, published its 100,000th article. More than 37,000 articles populate the non-English editions. Unlike traditional encyclopedias, which are written and edited by professionals, Wikipedia is the result of work by thousands of volunteers. Anyone can contribute an article -- or edit an existing one -- at any time. The site runs on Wiki software, a collaborative application that allows users to collectively author Web documents without having to register first. "People from very diverse backgrounds can agree on what can be in an encyclopedia article, even if they can't agree on something else," said Wikipedia co-founder Jimmy Wales. Wikipedia topics range from Internet terms, such as spamming and trolling, to more mundane subjects, such as unicycling. Each page on the site contains an "Edit this page" link, which users can click on to edit, reposition and revise passages created by other writers. Once a user has made an edit, those changes are posted immediately. Users can also view older versions of a page, discuss the page, view links on a page or see related changes. These options allow contributors to constantly refine and comment upon entries. All articles are covered by the Free Software Foundation's GNU Free Documentation License, which allows anyone to reuse the entries for any purpose, including commercially, as long as they preserve that same right to others and provide proper credit to Wikipedia. This open-content license ensures that Wikipedia's content will always remain free.
BBC to give away school syllabus online (Guardian, 10 Jan 2003) -- The government yesterday gave the BBC the green light to spend [ca. $220m] to put the national curriculum on to the internet, sparking anger among firms already manufacturing interactive teaching materials. The project, called the Digital Curriculum, will use licence fee payers' money to make large parts of the school syllabus available online, free of charge, for pupils in school and at home. But commercial rivals, through a pressure group whose members include Channel 4, ITV company Granada and Penguin books owner Pearson, expressed "profound disappointment" at the decision. They claim that by using licence fee money on the project and then giving away teaching aids for free, the BBC's actions could deprive them of [ca. $600m] in revenues. Small software providers fear they could be put out of business. The commercial sector's anger is likely to intensify the debate over how the BBC is regulated. Many argue that the system of giving ministers the final say over big decisions is not working and the corporation should be brought under the full control of the new independent communications regulator, Ofcom.
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, sans@sans.org
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.