Saturday, November 23, 2013

MIRLN --- 3-23 Nov 2013 (v16.16)

MIRLN --- 3-23 Nov 2013 (v16.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Cyber security: lawyers are the weakest link (The Lawyer, 28 Oct 2013) - In space, no one can hear you scream, but cyberspace will soon be alive with the shrieks of lawyer pain as client confidentiality disappears out a gapingly wide-open digital window. Law firms are in the front line of cyber security threats, with hackers increasingly targeting the legal profession for the goldmine of sensitive and confidential client data firms hold. And that threat is becoming so prevalent that cyber specialist practitioners envisage a time soon when bank and corporate general counsel - as well as those in charge of family offices - will insist on law firm security audits as part of routine panel reviews. This is not the stuff of science fiction or scaremongering, according to the experts. One cyber security specialist relates that a top 10 City firm chief information officer is convinced of the inevitability of a prominent legal practice going down in flames as a result of a cyber attack breaching client confidentiality and rendering the practice's wider reputation and market position untenable. Some suggest the financial services sector is starting to see law firms as the 'soft underbelly' in the cyber security battle. While they themselves have recognised the threat, upgraded systems and implemented state-of-the-art layers of defence, their lawyers, argue some senior bankers, are a weak link. Firms holding vast quantities of confidential information regarding financial services sector clients are a target for hackers because they are behind the cyber security curve. But while not complacent about the threat, some specialist lawyers are cynical, sensing a whiff of hyperbole behind the jargon. "The technology industry has a fantastic ability to create new terminology for old concepts," comments one City firm data privacy specialist. "You could argue that cyber security is just another aspect of general data protection, and privacy and information management."


Fifth amendment prevents compelled decryption (Berkman, 31 Oct 2013) - On Monday, the Cyberlaw Clinic filed an amicus brief in the Supreme Judicial Court on behalf of the American Civil Liberties Union Foundation of Massachusetts, the American Civil Liberties Union Foundation, and the Electronic Frontier Foundation in the case of Commonwealth v. Gelfgatt, SJC No. 11358. In the brief, we argue that the Fifth Amendment and article 12 of the Massachusetts Declaration of Rights prohibit the government from compelling a defendant to decrypt their electronic data for use against them in criminal proceedings because it involves the kind of testimonial acts protected by constitutional protections against self-incrimination. This is the Cyberlaw Clinic's third brief filed in a series of cases before the Supreme Judicial Court addressing updates to constitutional protections in light of new technologies. Prior filings on behalf of the Electronic Frontier Foundation concerned warrant requirements for GPS tracking of suspects (Commonwealth v. Rousseau) and historical cell phone location records (Commonwealth v. Augustine).


Data security: pay it now or pay out later (Squire Sanders, 31 Oct 2013) - The price of compliance may be high, but the price of non-compliance is even higher. Based on its recent $3 million data breach settlement, AvMed, and many other entities that have experienced data breach litigation, would likely agree that paying for security upgrades now is far superior to paying for data breaches later. In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, social security numbers, and health-related information. Last week, AvMed signed a settlement agreement to end the class action litigation that began in 2010. The settlement essentially requires AvMed to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades and updates to security policies and procedures (all of which are set out in HIPAA regulations). Not only does AvMed have to correct its non-compliance, but it must also forfeit the "unjust enrichment" it has received over the years by not spending sufficiently for data security it should have provided. AvMed will reimburse "premium overpayments" of $10 for each year the customer paid AvMed insurance premiums with a $30 cap for each approved class member without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.


Bad Code: the whole series (Lawfare, Jane Chong, 4 Nov 2013) - Over the last month, on our New Republic: Security States newsfeed, we rolled out a series designed to explain why fairly allocating the costs of software deficiencies between software makers and users is so critical to addressing the growing problem of vulnerability-ridden code, and how such a regime will require questioning some of our deep-seated beliefs about the very nature of software security. Below is a consolidation of the five-part series in full. [Polley: Then read Paul Rosenzweig's Cybersecurity and the Least Cost Avoider, also at Lawfare.]


Law firms focus on cybersecurity (SecurityInfoWatch, 4 Nov 2013) - In 2007, cybercriminals took more than 45 million credit and debit card numbers from the network of retailer TJ Maxx's parent company. The cost to the company, TJX Cos., soared above $250 million, and drove the state of Massachusetts, where the company is headquartered, to enact some of the toughest cybersecurity rules in the country. With so much money and potential damage to a company's reputation at stake in the event of a data breach, it's no wonder that law firms are devoting resources to cybersecurity, not only to protect their own firms' data but also as a potentially lucrative practice area. Buchanan Ingersoll & Rooney announced Oct. 23 it was launching a cybersecurity and data protection practice, expanding on its existing data security practice. Pittsburgh-based shareholders Matthew Meade and Sue Friedberg, and Philadelphia-based shareholder Jack Tomarchio, a former intelligence officer with the U.S. Department of Homeland Security, will lead the practice. Buchanan Ingersoll joins the growing list of law firms that have added cybersecurity practices in 2013, said David Bodenheimer, a partner with Washington, D.C.-based firm Crowell & Moring. He is also chairman of the American Bar Association Public Contract Law Section's Cybersecurity Committee. Mr. Bodenheimer said that, in 2013, many law firms expanded existing practice areas that dealt with health care and financial data protection issues. After President Barack Obama signed an executive order Feb. 12 directing federal agencies to develop cybersecurity standards for parts of the private sector, Mr. Bodenheimer said, firms recognized this as a practice area with great potential. "When boards of directors started turning to senior management and asking, 'What is this threat and what are we doing about it?' they started to call their law firms," Mr. Bodenheimer said.


EXL loses key client due to breach of confidential data (India's Economic Times, 6 Nov 2013) - Nasdaq-listed outsourcing firm EXL Services has lost a key client due to breach of confidential client data by a few of its employees, a development that will impact its revenues and raise larger questions on data security. EXL, which competes with the likes of Genpact, WNS and Firstsource and gets more than half of its revenues from the healthcare and insurance space, told investors that it received a termination notice from The Travelers Indemnity Company on November 1, 2013, scrapping a deal that was signed in 2006. American insurer Travelers accounted for 9.6% of the company's total revenue for the quarter ended September 2013 and the termination is likely to impact 2014 revenues by $14 million (Rs 86 crore) to $28 million (Rs 172 crore). EXL further said that Travelers was ending the contract because it failed to comply with the provisions of the agreement in handling client information. "The termination arose from an incident where company employees, who have since been terminated, shared a procedural document externally in violation of the company's strict client confidentiality policies. The company and Travelers sought an amendment to the existing agreement but were unable to reach terms mutually acceptable to the parties," the filing said. Under its agreement with Travelers, EXL also needs to provide transition-related services for 18 months from the termination date, at its own cost.


Password protection laws (MLPB, 7 Nov 2013) - Sarah O'Donohue, Emory University School of Law, is publishing 'Like' it or Not, Password Protection Laws Could Protect Much More than Passwords in volume 20 of the Journal of Law & Business Ethics, Emory University School of Law (2014). Here is the abstract: "Employers and schools in several states are now prohibited from requesting access to the social networking accounts of their employees, students, and applicants as a result of the "password protection" laws that are sweeping the nation. These laws take an expansive view of the definition of privacy by implying that viewing content on a user's restricted-access social networking profile without his consent constitutes an invasion of privacy. Courts have consistently held that the information users post on social networking websites is, in fact, not private. Further highlighting the contrast between legislative and judicial interpretations of privacy in the context of these new technologies, the express language in one of the password protection laws declares that all Internet users have a reasonable expectation of privacy in their social networking website communications and affairs. This Article argues that password protection laws should be interpreted narrowly as only prohibiting the invasive methods used by employers and schools to gather information from social networking profiles - not as establishing in all cases that communications to which access has been restricted are private. The reasonableness of a user's expectation of privacy in the content of his social networking profile must be determined by courts on a case-by-case basis, informed by such factors as how many people he invites to view it, the relationship between the user and his chosen audience, the exact calibration of his privacy settings, and the degree to which his digital information is guarded by the website under its privacy and data use policies."


Apple issues first transparency report, includes "warrant canary" (EFF, 7 Nov 2013) - On Tuesday, yet another one of the nine companies originally implicated in the PRISM program released its first transparency report. Apple joins the ranks of Google, Yahoo, and Facebook, among others that have issued reports that detail the number of requests the companies receive from governments for user data. EFF has long called on corporations to be transparent about what they do with the data that users entrust to them. Transparency reports have become the industry standard, and we are delighted to be able to award Apple another star in the 2014 edition of our annual Who Has Your Back campaign, where we assess major Internet companies' commitment to standing by the rights of users in the face of government requests for personal information about their customers. This is Apple's first transparency report, and it only looks at the first half of 2013. The report includes information about which countries have asked for user data, the number of requests received and granted, the number of times Apple has objected to information requests, as well as the number of information requests where Apple has not disclosed data. The U.S. is reported to have made the most requests. After the U.S., the top three countries requesting user information are the United Kingdom (127), Spain (102), and Germany (93). In the report, Apple makes an important distinction between government requests for "data" and government requests for "content". Apple defines data as "personal identifiers", such as Apple IDs, email addresses, and telephone and credit card numbers. When Apple hands over user content, however, the company provides governments with more detailed information like iCloud emails, contacts, photos, and calendars. Perhaps the most interesting part of the transparency report is the last two sentences: "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us." Apple's statement is an implementation of the so-called "warrant canary." Canaries are used to signal that, as of the date published, there have been no law enforcement requests of a particular type received. In Apple's case, the canary is limited to a signal that no secret Section 215 orders have been served on the company. If the canary is removed in the next transparency report, it is safe for users to assume that a Section 215 data request and the accompanying gag order have been issued. We appreciate Apple's implementation in particular, including its six-month delay, because if its use is ever challenged in court, the ample time will allow a judge to coolly and calmly review the constitutionality of any government attempt to compel Apple to lie. We fear that if the first challenge to a warrant canary comes before a court in a more rushed context, a rushed judge could make bad law.
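[Polley: The canary logic EFF describes is easy to state and easy to get wrong on the reader's side, because the signal is an absence, not a message. The monitor below is an added example written for this issue; it is not Apple's or EFF's code, and the publisher "ExampleCo", the sample report texts and the six-month cadence are constructed assumptions. It treats three conditions as the canary having been tripped: the sentence disappears from the newest report, the sentence is reworded (a qualifier slipped in counts as removal), or the publisher simply stops publishing on schedule, which is the quiet way to withdraw a canary without deleting anything.]

```python
"""Warrant-canary monitor over a series of dated transparency reports.

Added example, not code from Apple or the EFF. The publisher "ExampleCo",
the report texts and the 182-day cadence are constructed for illustration.

A canary asserts that something has *not* happened ("has never received an
order under Section 215"). A gag order can stop the publisher from saying
an order arrived; it cannot make the publisher repeat a statement that is
no longer true. The reader's job is therefore to notice silence:
  * the statement is gone from the newest report (explicit removal);
  * the wording has drifted (any change is treated as removal);
  * no report at all has appeared within the usual cadence.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# The exact statement we expect to find. Matching is whitespace- and
# case-insensitive only; any other edit to the wording is a removal.
CANARY_TEXT = "has never received an order under Section 215"


@dataclass(frozen=True)
class Report:
    published: date
    body: str


def _normalise(text: str) -> str:
    return re.sub(r"\s+", " ", text).strip().lower()


def canary_present(body: str) -> bool:
    """True only if the expected sentence appears verbatim (modulo whitespace)."""
    return _normalise(CANARY_TEXT) in _normalise(body)


def canary_status(reports, today, cadence=timedelta(days=182)):
    """Classify the canary given every report seen so far.

    Returns one of:
      "never"   - the statement has not appeared in any report yet
      "alive"   - present in the newest report, and that report is fresh
      "removed" - present in an earlier report, absent or reworded now
      "stale"   - present in the newest report, but that report is older
                  than `cadence`: the publisher has gone quiet
    """
    if not reports:
        return "never"
    ordered = sorted(reports, key=lambda r: r.published)
    newest = ordered[-1]
    if not any(canary_present(r.body) for r in ordered):
        return "never"
    if not canary_present(newest.body):
        return "removed"
    if today - newest.published > cadence:
        return "stale"
    return "alive"


# Constructed sample reports for a hypothetical publisher.
FIRST = Report(date(2013, 11, 5),
               "ExampleCo has never received an order under Section 215 of "
               "the USA Patriot Act. We would expect to challenge such an "
               "order if served on us.")
REWORDED = Report(date(2014, 5, 6),
                  "ExampleCo has not, to the best of its knowledge, received "
                  "an order under Section 215 of the USA Patriot Act.")
SILENT = Report(date(2014, 5, 6),
                "ExampleCo received 150 requests for account information "
                "in this period and complied with 90 of them.")


def demo():
    """Run the constructed scenarios; returns {scenario: status}."""
    return {
        "no reports yet": canary_status([], date(2013, 11, 7)),
        "first report, two days old": canary_status([FIRST], date(2013, 11, 7)),
        "first report, nothing since": canary_status([FIRST], date(2014, 6, 30)),
        "newest report reworded": canary_status([FIRST, REWORDED], date(2014, 5, 8)),
        "newest report drops the sentence": canary_status([FIRST, SILENT], date(2014, 5, 8)),
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{status:8} {scenario}")
```

Real deployments usually sign the canary statement and embed a dated, unpredictable item (a news headline, a block hash) so a reader can tell a fresh statement from a replayed old one; that verification is left out here so the block runs with the standard library alone, but the three tripwire conditions are the same whether or not a signature sits on top.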


Payment card industry gets updated security standard with new requirements (Computerworld, 8 Nov 2013) - The PCI Security Standards Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organizations, including merchants, payment processors, financial institutions and service providers. The new version will go into effect on Jan. 1, but organizations will have until Dec. 31, 2014, to make the transition from PCI DSS 2.0. In addition, some of the new security requirements will have the status of best practices until June 30, 2015. The effectiveness of the PCI DSS, whose primary goal is to help organizations secure cardholder data, is disputed in the security community. That's partly because there have been many cases of merchants and payment processors sustaining significant cardholder data breaches despite having passed PCI DSS compliance assessments. The PCI Security Standards Council recognized this problem and included a set of best practices in the new version of the standard that aims to make PCI DSS implementation part of business-as-usual activities and ensure that organizations involved in payment card processing remain compliant between annual assessments.


Do you have coverage to protect against cyber attack risks? (Inside Counsel, 8 Nov 2013) - Exposure to losses from data breaches and loss of personal information continues to rank high on the list of worries for general counsel around the country. GCs have good reason to worry. Marsh, one of the largest insurance brokers in the world, reports that over 600 million confidential personal records have been breached in the last five years. Verizon's 2013 Data Breach Investigations Report is even more telling with its opening line that in 2012 "[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage." The Verizon Report's statistics are even more alarming. Specifically, 37 percent of data breaches affected financial organizations. The next highest segments vulnerable to cyber-attacks include retail businesses and restaurants, followed by manufacturing, transportation and utilities. In response to the growing risk of loss from cyber and privacy violations, insurers are reacting in two ways. First, most insurers have excluded cyber risks from more traditional insurance policies such as Commercial General Liability (CGL). Second, insurance companies are racing to the market with new products aimed at providing specialized coverage for such losses. As companies of all sizes approach the calendar year-end, now is the time to analyze exposure for cyber risks and address insurance needs to close any gaps in coverage. If GCs are as worried about losses as noted in current reports, then they should be leading the charge to address the need for cyber insurance.


Amazon to deliver on Sundays using postal service fleet (Washington Post, 11 Nov 2013) - The Internet has been blamed for the death of the mail, but now it's offering hope to the beleaguered U.S. Postal Service. Amazon announced Monday that it will begin Sunday deliveries using the government agency's fleet of foot soldiers, office workers and truck drivers to bring packages to homes seven days a week. To accommodate the online retailing giant, the Postal Service said it will for the first time deliver packages at regular rates on Sundays. Previously, a shipper had to use its pricey Express Mail service and pay an extra fee for Sunday delivery. The initiative will begin immediately in Los Angeles and New York and spread to the Washington area and much of the rest of the nation next year, Postal Service officials said. The partnership should help the turnaround effort underway at the financially strapped Postal Service, they said. The arrangement with Amazon could open the doors to more partnerships with retailers that are eager to use the 500,000 USPS employees and 31,000 post offices across the country to satisfy consumers who want to get what they buy online faster.


Samsung, Nokia say they don't know how to track a powered-down phone (ArsTechnica, 11 Nov 2013) - Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to "find cellphones even when they were turned off. JSOC troops called this 'The Find,' and it gave them thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq, according to members of the unit." Many security researchers scratched their heads trying to figure out how this could be so. The British watchdog group Privacy International took it upon itself to ask eight major mobile phone manufacturers if and how this was possible in August 2013. On Monday, the group published replies from the four firms that have responded thus far: Ericsson, Google, Nokia, and Samsung. (Apple, HTC, Microsoft, and BlackBerry have not yet sent in a response.) A research officer at the organization, Richard Tynan, wrote that "two themes stood out among the companies that replied: hardware manufacturers claim that they strive to switch off almost all their components while the phone is powered down, and if tracking occurs it is likely due to the installation of malware onto the phone."


PAEs under the microscope: an empirical investigation of patent holders as litigants (Patently-O, 12 Nov 2013) - Today, a certain type of patent litigant, the non-practicing entity ("NPE"), also known as a patent assertion entity ("PAE"), patent monetization entity ("PME"), or simply patent troll, is the target of much public debate, if not venom. Indeed, President Obama himself got involved in this debate, with his Council of Economic Advisers preparing a report this summer entitled "Patent Assertion and U.S. Innovation." The Executive Summary of the President's report sounds the following alarm about PAE suits: Suits brought by PAEs have tripled in just the last two years, rising from 29 percent of all infringement suits to 62 percent of all infringement suits. This asserted explosion in PAE-initiated litigation has fed into a wider perception that PAEs are out of control and need reining in by Congress. But is the factual assertion by the President's report an accurate characterization of total PAE litigation activity? We address this important issue in our new article, Patent Assertion Entities (PAEs) Under the Microscope: An Empirical Investigation of Patent Holders as Litigants. To investigate PAE litigation, we personally hand-coded all 7,500+ patent holder litigants in 2010 and 2012. In our coding, we finely classified the nature of the litigants, going beyond the simple PAE / non-PAE label. Specifically, we coded each patent holder as one of the following: (1) a University; (2) an Individual Inventor/Family Trust; (3) a large Patent Aggregator (e.g., Acacia); (4) a Failed Operating Company or Failed Start-up; (5) a Patent Holding Company that appears unaffiliated with the original inventor or owner; (6) an Operating Company; (7) an IP Holding Company affiliated with an operating company; or (8) a Technology Development Company (e.g., Walker Digital). Based on our data, and contrary to the assertions in the President's report, we do not find an explosion in PAE litigation between 2010 and 2012. In particular, the President's report considered only the raw number of lawsuits filed in 2010 and 2012. By limiting its analysis to numbers of cases filed, rather than the underlying parties involved, the President's report was incomplete and led to an erroneous conclusion.


FCC smartphone app gauges speed of user's network (NYT, 14 Nov 2013) - The Federal Communications Commission on Thursday released its first smartphone app, a free program that allows consumers to measure the broadband speed they are getting on their mobile devices and to determine whether it is as fast as wireless companies say. The app provides information on upload and download speeds and on how efficiently data is transmitted, a measure known as packet loss. The app, F.C.C. Speed Test, also will allow the commission to aggregate data about broadband speeds from consumers across the country. It will use the data to create an interactive map, giving consumers a tool to use in comparison shopping rather than relying on wireless companies' promises. The app, available in the Google Play store, will run periodically in the background on a consumer's phone, automatically performing tests when a user is not otherwise using the phone. F.C.C. officials stressed that the software would not collect any personal or uniquely identifiable information, and that it would release information only after the data was analyzed. The app uses open-source code, and the agency details its methodologies and privacy policy on its website. [Polley: until they release an iPhone version, you might try Speedtest.net's Mobile Speed Test, which I like. It doesn't, however, pass results along to the FCC for the aggregation/mapping project.]


Attack ravages power grid (Just a test) (NYT, 14 Nov 2013) - In windowless rooms from here to California, nearly 10,000 electrical engineers, cybersecurity specialists, utility executives and F.B.I. agents furiously grappled over 48 hours with an unseen "enemy" who tried to turn out the lights across America. The enemy injected computer viruses into grid control systems, bombed transformers and substations and knocked out power lines by the dozen. By late Thursday morning, in this unprecedented continental-scale war game to determine how prepared the nation is for a cyberattack, tens of millions of Americans were in simulated darkness. Hundreds of transmission lines and transformers were declared damaged or destroyed, and the engineers were rushing to assess computers that were, for the purposes of the drill, tearing their system apart. "It's going really well," said Gerry W. Cauley, the president and chief executive of the North American Electric Reliability Corporation, which ran the drill. "A bit scary, but really well." The degree of simulation varied, organizers said. Nobody touched actual operating equipment, but some companies sent trucks with linemen aboard to investigate the status of key transformers because the "scenarios" written by Mr. Cauley's group included computer viruses that kept technicians at the control centers from knowing the condition of crucial equipment. The drill also involved "denial of service" attacks, in which hackers flooded a computer connected to the Internet with so many messages that it could not handle the load. In real life, banks and other companies have been hit with such attacks. Drill participants said they would not talk about the specific locations of the simulated attacks, for two reasons: The locations were chosen at points that the insiders knew were vulnerable, and the companies involved were promised that if they participated, their performance would not be held up to public criticism. The purpose, organizers said, was to pose problems that were hard to solve, to expose areas that needed improvement.


Forest change mapped by Google Earth (BBC, 14 Nov 2013) - A new high-resolution global map of forest loss and gain has been created with the help of Google Earth. The interactive online tool is publicly available and zooms in to a remarkably high level of local detail - a resolution of 30m. It charts the story of the world's tree canopies from 2000 to 2012, based on 650,000 satellite images by Landsat 7. In that time, the Earth lost a combined "forest" the size of Mongolia, enough trees to cover the UK six times. Brazil's progress in reducing deforestation was more than offset by losses in Indonesia, Malaysia, Paraguay and Angola, according to a study in the journal Science. "This is the first map of forest change that is globally consistent and locally relevant," said Prof Matthew Hansen of the University of Maryland, who led the project team which developed the map. "What would have taken a single computer 15 years to perform was completed in a matter of days using Google Earth Engine computing." Their study reports a number of key findings on forest change from 2000-2012, based on the satellite imagery. The Earth lost 2.3 million square kilometres of tree cover in that period, due to logging, fire, disease or storms. But the planet also gained 800,000 sq km of new forest, a net loss of 1.5 million sq km in total. Brazil showed the best improvement of any country, cutting annual forest loss in half between 2003-04 and 2010-11. Indonesia had the largest increase in deforestation, more than doubling its annual loss to nearly 20,000 sq km in 2011-12. In the United States, the "disturbance rate" of south-eastern forests was four times that of South American rainforests - more than 31% of forest cover was either lost or regrown. Paraguay, Malaysia and Cambodia had the highest national rates of forest loss. Overall, tropical forest loss is increasing by about 2,100 sq km per year, the researchers said. [Polley: Spotted by MIRLN reader Gordon Housworth.]


Court knocks wind out of challenge to FTC's cybersecurity authority (Steptoe, 14 Nov 2013) - The judge hearing the challenge by Wyndham Hotels & Resorts to the Federal Trade Commission's authority to regulate companies' data security practices suggested last week that she is likely to back the FTC. The FTC sued Wyndham after the company suffered three data security breaches, claiming that the company had engaged in "unfair and deceptive acts and practices" by not maintaining "reasonable and appropriate" data security measures. Wyndham moved to dismiss, arguing that the Commission lacks the authority to regulate companies' data security practices, and that the FTC should at least have to establish rules and regulations putting companies on notice as to what practices they needed to implement. At oral argument, Judge Esther Salas of the U.S. district court for New Jersey seemed poised to reject Wyndham's arguments and to uphold the FTC's broad power over data security practices.


Siding with Google, judge says book search does not infringe copyright (NYT, 14 Nov 2013) - Google's idea to scan millions of books and make them searchable online seemed audacious when it was announced in 2004. But fast-forward to today, when people expect to find almost anything they want online, and the plan seems like an unsurprising and unavoidable part of today's Internet. So when a judge on Thursday dismissed a lawsuit that authors had filed against Google after countless delays, it had the whiff of inevitability. Even the judge, Denny Chin of the United States Court of Appeals for the Second Circuit, said during a September hearing on the case that his law clerks used Google Books for research. "It advances the progress of the arts and sciences, while maintaining respectful consideration for the rights of authors and other creative individuals, and without adversely impacting the rights of copyright holders," Judge Chin wrote in his ruling. Google and other technology companies often push the limits of regulation and law, and hope that eventually the rest of the world - and the law - will catch up. "What seemed insanely ambitious and this huge effort that seemed very dangerous in 2004 now seems ordinary," said James Grimmelmann, a law professor at the University of Maryland who has followed the case closely. "Technology and media have moved on so much that it's just not a big deal." The ruling examined whether Google's use of copyrighted works counted as so-called fair use under copyright law, which Judge Chin determined it did. The decision opened the door for other companies to also scan books. Google's book search is transformative, he wrote, because "words in books are being used in a way they have not been used before." It does not replace books, he wrote, because Google does not allow people to read entire books online. It takes security measures, like not showing one out of every 10 pages in each book, to prevent people from trying to do so. One potential problem for Google was the notion that using copyrighted material for moneymaking purposes weighs against a finding of fair use. Though the company does not sell the books and stopped running ads alongside them in 2011, it benefits commercially because people are drawn to Google websites to search the books, Judge Chin wrote. But, he added, "Even assuming Google's principal motivation is profit, the fact is that Google Books serves several important educational purposes." [Polley: potentially a broad expansion of "transformative" use; coupled with the minimal weight given Google's commercial benefits, this may be a very weighty decision with important implications.]


Web restrictions not the answer to juror online research (Harvard's DMLP, 15 Nov 2013) - Juror use of the Internet to do research or communicate about trials is a growing and persistent problem. So, what can a judge do? For several years now courts have been giving jurors more detailed admonitions and jury instructions against educating themselves about cases online, to little effect. A few judges have taken a different approach, ordering web sites with information on specific cases to remove the information from the Internet. But in a pair of recent decisions, appeals courts have said this method of limiting juror online research is an unconstitutional prior restraint. * * *


Facebook, still dominant, strives to keep cachet (NYT, 17 Nov 2013) - When Evan Spiegel peered into a crystal ball to divine a future for his company, Snapchat, he did not see Facebook. He saw something else, something much bigger - a social network that could exist on its own, outside Facebook. Facebook is still the dominant social media service, and has been an attractive suitor for many start-ups. And Snapchat most likely spurned Facebook partly because it thought it could fetch much more than the billions Facebook was willing to pay. But the snub also foreshadows a possible future where Facebook is no longer the default place on the web where people go to network. The swift rise of upstarts like Snapchat in a shifting social media landscape suggests a change in how and where people like to spend their time. The rebuff also reveals a changing perception of Facebook in the tech industry. As the once scrappy start-up evolves into a sprawling corporation, younger companies who view themselves as disruptive do not find Facebook's size and cushy campus as appealing. Not to mention that a lot of them are trying to provide alternatives to Facebook, which means selling to Facebook would defeat their entire purpose. Despite the site's primacy in the social media market, some numbers suggest that Facebook addiction has given way to Facebook fatigue, at least among some users. A study by the Pew Internet and American Life Project found that the majority of users have at one point or another taken a multiweek break from the service, citing the tedium and irrelevancy of its content. Among the crucial younger demographic - users ages 18 to 29 - that first propelled Facebook into prominence, 38 percent said they expected to spend less time using the site this year. The survey confirmed what some at the company already knew. 
In its latest quarterly call with investors, it said its youngest users were spending less time on the service, although overall teenage engagement was stable. That fatigue may also have started to trickle down to the developers who build apps on top of Facebook's platform. [Polley: This is part of why I stayed away from Facebook's IPO. Together with their dizzying, ever-confusing privacy policy(ies), I get the sense that they're destined for oblivion.]

Latest release of documents on NSA includes 2004 ruling on email surveillance (NYT, 18 Nov 2013) - The Obama administration released hundreds of pages of newly declassified documents related to National Security Agency surveillance late Monday, including an 87-page ruling in which the Foreign Intelligence Surveillance Court first approved a program to systematically track Americans' emails during the Bush administration. "The raw volume of the proposed collection is enormous," wrote Judge Colleen Kollar-Kotelly, who was then the chief judge on the secret surveillance court. The government censored the date of her ruling in the publicly released document, and many sections - including a description of what she had been told about terrorism threats - were heavily redacted. Many of the documents have historic significance, showing how Bush administration surveillance programs that were initially conducted without court oversight and outside statutory authorization were brought under the authority of the surveillance court and subjected to oversight rules. The documents also included reports to Congress, training slides and regulations issued under President Obama. The Bush administration temporarily shut down its bulk collection of email logs after Justice Department lawyers raised legal concerns in March 2004. Judge Kollar-Kotelly declared the collection lawful in July 2004, according to documents leaked by Edward J. Snowden, the former N.S.A. contractor. The trove also included the Bush administration's 2006 application for initial approval by the surveillance court to collect bulk logs of all domestic phone calls under a provision of the Patriot Act that allows the collection of business records deemed "relevant" to an investigation, another program it had previously undertaken unilaterally. The call record program is still active.

What's in your wallet? Could it be the Department of Homeland Security? (ABA's Business Law Today, Nov 2013; by Stephen Middlebrook) - A hot topic in the financial services industry press is news that the Department of Homeland Security (DHS) has plans to stop certain people at the border and scan the payment cards in their wallets, check the cardholder's balances and, in certain cases, seize the funds on the card. The initiative is related to regulatory changes proposed by the Financial Crimes Enforcement Network (FinCEN), the part of Treasury that oversees anti-money laundering regulations. 76 F.R. 64049 (October 17, 2011). FinCEN requires people crossing the border to declare if they are carrying more than $10,000 in "monetary instruments." Monetary instrument is currently defined to include cash, traveler's checks, certain negotiable instruments, and securities. Because law enforcement has concerns that prepaid cards are being used by criminals to launder money and move it out of the country, FinCEN has proposed adding prepaid cards, but not debit or credit cards, to the list of monetary instruments that must be declared at the border. Assessing the value of paper currency and negotiable instruments is relatively easy because the value appears on the face of the document. This is not true, however, for prepaid and other payment cards. To determine how much money is associated with a card, you must contact the financial institution that issued the card and query the current available balance. Consequently, verifying the value of a prepaid card at the border cannot be done independently by the border agent but requires the government to obtain information from the issuing financial institution. Homeland Security has acknowledged their new program in several documents as well as in meetings with the card networks, but we still don't know much about how it will be implemented. 
DHS stated in a comment letter it filed regarding the FinCEN proposal that it plans to deploy hand held devices at the border to scan debit, credit, and prepaid cards and report back information about the cardholder's account. In addition to cards, Homeland Security has suggested the FinCEN requirements should also apply to "cell phones, key fobs, or other tangible objects" that might possibly be tied to a prepaid account.

NOTED PODCASTS

Birth of the Global Mind (Long Now, by Tim O'Reilly; 97 minutes; 5 Sept 2012) - "The history of civilization is a story of evolution in our ability to build complex 'multicellular minds,'" says Tim O'Reilly, founder and CEO of O'Reilly Media (books, conferences, foo camps, Maker Faires, Make magazine). Speech allowed us to communicate and coordinate. Writing allowed that coordination to span time and space. Twentieth century mass communications allowed shared information and culture to blanket the world. In the 21st century, memes spread mind to mind in nearly real time. But that's not all. In one breakthrough computer application after another, we see a new kind of man-machine symbiosis. The Google autonomous vehicle turns out not to be just a triumph of artificial intelligence algorithms. The car is guided by the cloud memory of roads driven before by human Google Streetview drivers augmented by powerful and precise new sensors. In the same way, crowd-sourced data from sensor-enabled humans is leading to smarter cities, breakthroughs in healthcare, and new economies. [Polley: very, very interesting.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Government Forms Cybersecurity Unit (CNET, 6 June 2003) -- The Department of Homeland Security on Friday said it created a new division to address threats to the nation's technological infrastructure. Called the National Cyber Security Division (NCSD), the 60-person unit is charged with addressing potential security breaches to private-sector and government computer systems. The division was created as part of President George W. Bush's National Strategy to Secure Cyberspace and the Homeland Security Act of 2002, and it will be run under the Department's Information Analysis and Infrastructure Protection Directorate. "Most businesses in this country are unable to segregate the cyberoperations from the physical aspects of their business because they operate interdependently," Department of Homeland Security Secretary Tom Ridge said in a statement. "This new division will be focused on the vitally important task of protecting the nation's cyberassets so that we may best protect the nation's critical infrastructure assets," he added. NCSD's chief will be Robert Liscouski, the assistant secretary of Homeland Security for Infrastructure Protection. The division will be organized into three units to: identify risks and reduce vulnerabilities to government and private-sector computer systems; operate a Cyber Security Tracking, Analysis & Response Center to detect attacks to the Internet and alert the public; and develop education programs on security measures. According to the NCSD, the division will build on existing capabilities from the former Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, and the National Communications System. Computer industry group Business Software Alliance (BSA) immediately applauded the move. 
"Study after study indicates we remain ill-prepared to defend against threats to our critical information networks--meaning a major virus or cyberattack could wreak havoc on our communications, transportation, utility, financial or other vital information infrastructure," said Robert Holleyman, CEO of BSA.

Time Warner cable dials in phone service (CNET, 21 May 2003) -- Time Warner Cable's "Digital Phone" will cost $40 a month and be available only in the Portland, Maine, area. Time Warner's trial offering is similar to experiments with telephone services from rival cable providers Comcast Cable Communications and Cablevision Systems. Calling plans are the latest weapon cable providers are using as they battle for dominance of the U.S. broadband services market. Nearly 60 percent of all U.S. homes get broadband from their cable television provider. The rest of the homes wired for broadband in the United States use digital subscriber line (DSL) connections from telephone companies. Cable and telephone companies use bundles of steeply discounted services to attract and keep customers. Cable companies sell television and broadband access at discounted rates, but only when bought as part of a package of services. Telephone companies offer similar deals on telephone and broadband connections. Until recently, telephone companies didn't worry about cable adding voice services into their bundles. But the growing sophistication of voice over IP, which turns voice calls into digital packets for dispatch over the Internet, allows cable companies to sell cable TV, telephone service and broadband connections on one bill. That's one more service--specifically cable television--than telephone companies can offer. In their current form, these new cable company phone services pose little threat, more like a novelty act in places like Coatesville, Pa., where Comcast is trialing its telephone service. But if they were to be expanded substantially, "then the best way to describe this would be 'wow,'" said In-Stat/MDR senior analyst Daryl Schooler. "What does any of the major phone companies have on their bundle? Local and long distance and data," Schooler said. "This move by the cable guys gives them local, long distance voice, video and data all over one pipe."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, November 02, 2013

MIRLN --- 13 Oct - 2 Nov 2013 (v16.15)

MIRLN --- 13 Oct - 2 Nov 2013 (v16.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

The ABA Cybersecurity Legal Handbook -- A Resource for Attorneys, Law Firms, and Business Professionals is now available on Amazon, in hardcopy and Kindle format. Provides practical cyber threat information, guidance, and strategies to lawyers and law firms of all sizes. The guide considers the interrelationship between lawyer and client, establishing what legal responsibilities and professional obligations are owed to the client in the event of a cyber attack. The book provides strategies to help law firms defend against the cyber threat, and also offers information on how best to respond if breached.

The toll of enterprise cybercrime: $11.8 million per year; 122 attacks per week (Network World, 8 Oct 2013) - A survey of 60 companies in the U.S. about the impact of cybercrime indicates that the annualized cost of dealing with cyberattacks of all kinds is now $11.6 million per year on average, up from $8.9 million last year. According to the report, the "2013 Cost of Cyber Crime Study: United States" based on extensive interviews by Ponemon Institute with company personnel, cyberattacks have become "common occurrences" with the companies that participated in the study reporting 122 successful attacks per week (up from 102 per week last year). The 60 companies represented in the Ponemon study were generally larger, with a minimum of 1,000 enterprise seats. Cybercrime costs to each of them were reckoned in terms of direct and indirect costs associated with loss or theft of information, disruption to business operations, revenue loss and destruction of property and equipment. The study also sought to understand costs spent on detection, investigation and incident response, containment and recovery.

Directors must act now on cybersecurity (Cadwalader's Ken Wainstein, formerly of DoJ, 11 Oct 2013) - In a 2012 Corporate Board Member/FTI Consulting survey, 48 percent of public company directors and 55 percent of corporate general counsels rated data security as their number one concern. * * * Corporate boards - especially of companies that own and operate critical infrastructure - must understand and account for the implications of these developments. For example, companies must consider their role in the "voluntary program" being developed under the authority of the President's Executive Order and the potential litigation risk if they choose not to meet the resulting voluntary standards. Corporate boards must also be aware of the SEC disclosure obligations with respect to cyber risk and intrusions, not to mention the possibility of an FTC enforcement action if they suffer a data breach. Even more fundamentally, corporate boards must appreciate that they have a fiduciary duty to protect and ensure the integrity of corporate information assets against cyber theft and attack. With the increasing legal obligations and challenges stemming from the cyber threat to corporate America, directors and officers would be wise to take an active role in developing, overseeing, and managing corporate cybersecurity compliance programs within their companies.

Google jousts with wired South Korea over quirky Internet rules (NYT, 13 Oct 2013) - South Korea is one of the world's most digitally advanced countries. It has ubiquitous broadband, running at speeds that many Americans can only envy. Its Internet is also one of the most quirky in the world. A curfew restricts school-age children from playing online games at night; adults wanting to do so need to provide their resident registration numbers to prove that they are of age. Until last year, commenters on the Web were legally required to use their real names. A simple Web search in Korean can be a fruitless experience, because the operators of many sites, including some government ministries, bar search engines from indexing their pages. Travelers who want to go from Gimpo International Airport to the Gangnam neighborhood of Seoul cannot rely on Google Maps. Google Maps can provide directions only for public transport, not for driving, to any place in Korea. Anyone crazy enough to try the journey on bicycle or on foot, directions for which Google Maps provides elsewhere, will be similarly stymied. The highly regulated Internet comes as a surprise to many people, Koreans included, because South Korea is a strong democracy with a vibrant economy seemingly ready for the digital information age. South Koreans were early adopters of Internet games and smartphones. It has world-beating electronics companies like Samsung and LG. But here the Internet is just different. The Korean government has its reasons, most of them well-intentioned. The curfew, for example, was put in place to deal with concerns over game addiction among teenagers. South Korean security restrictions that were put in place after the Korean War limit Google's maps, the company says. The export of map data is barred, ostensibly to prevent it from falling into the hands of South Korea's foe to the north, across the world's most heavily fortified border. 
Google and other foreign Internet companies say the rule also prevents them from providing online mapping services, like navigation, that travelers have come to rely on in much of the rest of the world. Foreign Internet companies say the country's rules prevent them from competing against domestic rivals because they cannot provide the same services they do elsewhere. South Korea is one of the few major markets where Google is not the leading search engine. A South Korean rival, Naver, has the most users.

Mississippi the latest state to claim copyright over official compilation of its laws (TechDirt, 14 Oct 2013) - We've written about Carl Malamud and his ongoing crusade to make sure that the law is actually publicly accessible and not locked up by copyright. Just recently, we noted that he'd run into some troubles with Georgia, and it appears now he's facing a similar challenge from Mississippi. The basic story was actually posted as an update to Malamud's ongoing Kickstarter project, which we've already told you about. The issue? Malamud had purchased, formatted and posted Mississippi's Code of Law, Annotated. As with Georgia, the real issue seems to be in the question of whether or not the annotations themselves are covered by copyright, as they're often produced and sold by a private company (usually LexisNexis), but in coordination with the government. That's the case here, as the letter Malamud received from Mississippi's intellectual property counsel, Larry Schemmel, suggests. Schemmel goes to great lengths to point out that the unannotated code is "freely available," but that the "creative work" behind the annotations is covered by copyright, and thus should be taken off of Malamud's site. However, as Malamud notes in his response letter (complete with a bunch of "exhibits"), the State of Mississippi makes it fairly clear that the annotated code is part of the law, and thus he argues it, too, should be freely accessible.

New rules restrict telemarketing calls to your mobile (Marketplace, 16 Oct 2013) - New Federal Communications Commission rules on telemarketing take effect today. The rules are designed to cut down on marketing calls -- especially to cell phones. The regulations require telemarketers to get written consent from consumers before calling their cell phones with automatic dialing systems. The new rules also apply to text messages from marketers. Attorney David Klein advises telecom companies. He says the FCC is trying to tip the balance of power toward consumers. Klein also says there are exceptions. Your wireless carrier can still call or message you, as can your doctor's office and political pollsters. But there's a big hole in the rules. They don't apply to international telemarketers.

Federal security breaches traced to user noncompliance (CSO Online, 17 Oct 2013) - According to a new study by MeriTalk, federal cybersecurity professionals are so focused on implementing rigid policies to lock down data that they often ignore how those rules will impact end users within their agencies. The result, perhaps predictably, is that many government workers resent the burden that security protocols impose, complaining that they are time-consuming and hinder productivity, while nearly a third say that they regularly use a workaround to circumvent the security roadblocks. Respondents to the MeriTalk survey, which was underwritten by cloud provider Akamai, noted a direct correlation between onerous security policies and a lack of compliance. Small wonder then that security professionals said that nearly half -- 49 percent -- of federal security breaches can be attributed to end users not complying with the policies in place at their agencies. "Without question, federal cybersecurity pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security," Ruff said. The increasing sophistication of cyber threats and the new IT initiatives agency CIOs are pursuing across the government add a sense of urgency to harmonizing security policies with end user behavior. For instance, 74 percent of the cybersecurity professionals polled said that they are unprepared for an international attack, and an equal number said they aren't equipped to adequately secure access to mobile devices. Then 70 percent said that they aren't prepared to secure cloud environments, and 70 percent also said they aren't ready to fend off a denial-of-service attack. At the same time, half of cybersecurity workers polled said that they anticipate that their agency will be the victim of a DoS attack in the coming year.

NSA snooping exposed by Snowden breaches international law, experts say (Slate, 17 Oct 2013) - Spy agencies in the United States and the United Kingdom have argued that their recently exposed dragnet surveillance programs are legal and necessary. But international law experts are not so sure. At a hearing in the European Parliament on Monday, the surveillance initiatives operated by the National Security Agency and its British counterpart, the Government Communications Headquarters, were the subject of legal scrutiny as part of an ongoing inquiry prompted by leaks by NSA whistleblower Edward Snowden. Participating in the session were a judge who has served in the European Court of Human Rights for 15 years, a former United Nations special rapporteur on human rights and counterterrorism, and a London-based international law professor. All three agreed that the scope of the surveillance revealed in the Snowden leaks constituted violations of both European and international laws and treaties. Martin Scheinin, the U.N. special rapporteur on human rights and counterterrorism from 2005 to 2011, said that the Snowden leaks showed a "massive interference with the privacy rights of EU citizens and others." The surveillance, he said, amounted to "an unlawful or arbitrary interference with privacy or correspondence, and this conclusion follows independently from multiple grounds." Finland-born Scheinin, who is currently the president of the International Association of Constitutional Law, added that he believed the United Kingdom and the United States "have been involved and continue to be involved" in activities that violate their obligations under the International Covenant on Civil and Political Rights. The ICCPR is a 1966 multilateral treaty that is ratified by more than 160 countries, including the United States and the United Kingdom.
Article 17 of the treaty states that citizens should not be "subjected to arbitrary or unlawful interference with [their] privacy, family, home or correspondence."

First breach baby grows bigger (Steptoe, 17 Oct 2013) - The granddaddy of data breach notification laws just gave its original offspring longer arms. Governor Jerry Brown of California has signed into law two bills that expand the state's notification law. One (S.B. 46) significantly broadens the scope of covered personal information to include a user name or email address when acquired in combination with a password or security question and answer that permit access to any online account. The other (A.B. 1149) extends the notification requirements to local government agencies. As with California's original notification law, it seems likely that other states will begin to follow suit by expanding the coverage of their own laws. [Polley: see LOOKING BACK below for related story.]

Illinois high court rejects 'Amazon' sales tax (USA Today, 19 Oct 2013) - The Illinois Supreme Court threw out a state law Friday that taxes certain Internet sales, saying the so-called "Amazon tax" violated federal rules against "discriminatory taxes" on digital transactions. The 6-1 ruling represented the first time a court had invalidated an Internet sales tax law among 18 states that have them. It brought an immediate cry from traditional, store-based retailers for Congress to step into regulating taxes on web sales. The court determined that Illinois' 2011 "Main Street Fairness Act" was superseded by the federal law, which prohibits imposing a tax on "electronic commerce" and obligates collection that's not required of transactions by other means, such as print or television. Illinois' law required out-of-state retailers to collect state taxes on annual sales of more than $10,000 that involve in-state "affiliates," or website operators and bloggers, that draw consumers to the retailers' sites in exchange for a cut of each sale. Illinois' tax collector, the Department of Revenue, said it's considering asking the U.S. Supreme Court to intervene. Amazon.com did just that in August, when it sought a review of the New York Court of Appeals' March ruling upholding the law there. The Empire State was among the first to argue that a business with "affiliates" within its borders gives the company a physical presence there - a must if a state hopes to collect taxes from it, according to a 1992 U.S. Supreme Court ruling.

Would you bet on the future of Online Dispute Resolution (ODR)? (Legal Whiteboard, Bill Henderson, 20 Oct 2013) - I would. The best example of ODR I have come across is Modria, whose tagline is "Any issue, resolved." Before dismissing Modria as a trivial Internet parlor game, consider this: The technology and process at work here got its start at Paypal and Ebay. Why did Paypal and Ebay become so good at dispute resolution? Because their goal of becoming mega-volume businesses depended on it. If you have millions of transactions daily, a huge volume of low-stakes complaints is inevitable. If dissatisfied customers stay dissatisfied, they don't come back. Worse, they'll talk to their friends. Now watch [its] video. Note that the target audience is businesses who (a) feel disputes are a drain on their time and energy, and (b) want happy, loyal customers who vouch for them to friends and family. A prompt, fair resolution to a dispute actually deepens the trust relationship. That's not speculation. That's science. And Modria, and its investors, know that. * * *

Dubious news hook lets me confirm and blog my pre-existing views (Stewart Baker, 20 Oct 2013) - I'm a much bigger fan of Girl Talk, whom I've blogged about before, than of current copyright law, so it's hard to resist a chance to talk about both. Girl Talk (actually a fellow named Gregg Gillis) produces delightful mashups of hip-hop and classic rock that shed new light on both. Since Girl Talk relies on a claim of fair use for his sampling and doesn't seek the original label's authorization, he has trouble selling his albums through the usual channels. Now Michael Schuster, another Girl Talk lawyer-fan, has produced a law-review study of All Day, Girl Talk's latest album, arguing that the songs it samples actually had higher sales in the year after the sampling than in the year before. For those of us who think copyright law is too protective of plaintiffs, the article is comforting. It suggests that current law may actually be hurting the authors it purports to help by discouraging musicians from introducing their fans to our pop-cultural heritage. Actually, though, I think the article is a little too comforting. I am always skeptical of scholarly research that reinforces academic prejudices, since scholars tend to adjust their standards of proof to fit their prejudices. Hostility to copyright is pretty much the norm in academic circles, and if you read the article skeptically, it loses much of its persuasiveness. Schuster achieves his results by playing with the sample, dropping nine songs from a sample of about 200 because they completely wreck his argument. His reason for dropping the songs is that they were hits in the 30 months prior to the release of Girl Talk's album, and hits by definition suffer declining sales after topping out. If he didn't drop those songs, Schuster's data would show a 50% drop in sales of the songs that Girl Talk samples.
Schuster says he's just correcting for noise in the data, and it isn't appropriate to charge Girl Talk with the natural rhythm of pop music sales. Maybe so, but once you start making big after-the-fact adjustments to a sample of 200, you can prove pretty much anything. At best, Schuster has developed an interesting hypothesis that ought to be tested by a new experiment untainted by data cherry-picking.

Can lawyers use Groupon-type marketing? ABA ethics opinion sees problems with prepaid deals (ABA Journal, 21 Oct 2013) - Lawyers who offer prepaid deals through daily deal or group-coupon offers are treading on ethically precarious ground, according to an ABA ethics opinion. The opinion (PDF) doesn't specifically mention Groupon, probably the best-known group coupon website, except in a footnote referencing a state bar opinion. But its description of the typical arrangement has Groupon-like characteristics: Daily deals are advertised on a website, and consumers who want deal notifications can sign up to receive them in emails. After a threshold number of people purchase a deal, the marketing organization and the business share the proceeds. The buyers get a voucher, code or coupon. The ethics opinion says these deals may be structured in two ways. In coupon deals, a lawyer might sell a $25 coupon for a 50 percent discount on up to five hours of legal services, for example. In prepaid deals, a lawyer might charge $500 for up to five hours of legal service, a value of $1,000. The money is collected up front by the marketing organization. It's the latter structure that is particularly troubling to the ABA Standing Committee on Ethics and Professional Responsibility. "The committee believes that coupon deals can be structured to comply with the Model Rules," according to Formal Opinion 465. "The committee has identified numerous difficult issues associated with prepaid deals, especially how to properly manage payment of advance legal fees, and is less certain that prepaid deals can be structured to comply with all ethical and professional obligations under the Model Rules." In coupon deals, the legal opinion says, no legal fees are involved unless and until a lawyer-client relationship is formed, time is spent and the discounted fees are collected. As a result, the aggregate amount collected from coupon sales may be deposited into a lawyer's general account. 
But the money collected in prepaid deals amounts to advance legal fees that need to be identified by purchaser name and deposited into a trust account, the ABA opinion says. The lawyer will have to obtain sufficient information about deal buyers to comply.

Wall Street banks learn how to survive in staged cyber attack (Reuters, 21 Oct 2013) - A few months ago, a group of Wall Street banks fashioned a risk-manager's worst nightmare to determine how they would survive. Luckily, it was all pretend. In a staged simulation called Quantum Dawn 2, bank executives in charge of operations, technology and crisis planning were tasked with detecting how a massive cyber attack was unfolding in the markets - but each one only got to see a tiny red flag waving in a sea of information. In some cases, a blue-chip stock started to plummet inexplicably. Soon, shocking news about the company hit the market, but unbeknownst to the participant, the news was fake. For others, trading systems were on the fritz, or government websites stopped functioning. Even basic technology such as telephones and printers stopped working properly for some. Individually, any of these problems would be reason to worry. The challenge for Quantum Dawn 2's victims was not only spotting a problem, but communicating with rivals, exchanges and government authorities to conclude that markets were in the throes of a systemic crisis and needed to be shut down. "It didn't all happen at once - each attack affected firms differently," said Karl Schimmeck, vice president of Financial Services Operations at the Securities Industry and Financial Markets Association (SIFMA), a Wall Street trade group that oversaw the event. "Some firms would see a problem, some firms wouldn't, and some firms only 'see' it second-hand because they're communicating with each other." The most visible attacks affect customers' access to websites through a distributed denial of service - or "DDOS" - attack. But banks are also worried about more insidious attacks, in which hackers quietly infiltrate systems to swipe valuable data, or lie in wait to plow across the entire industry with a systemic attack - the doomsday scenario Quantum Dawn 2 participants want to avoid. 
One key lesson from the drill was that the private sector and government authorities must share information more freely and quickly, said Ed Powers, the national managing principal of Deloitte & Touche LLP's security and privacy practice, which was an independent observer of Quantum Dawn 2. While firms have detailed information about individual attacks, authorities can help prevent a crisis by sharing information about broader threats when appropriate, he said.

NSA surveillance: the 21st-century panopticon (The Atlantic, Bruce Schneier, 21 Oct 2013) - The basic government defense of the NSA's bulk-collection programs - whether it be the list of all the telephone calls you made, your email address book and IM buddy list, or the messages you send your friends - is that what the agency is doing is perfectly legal, and doesn't really count as surveillance, until a human being looks at the data. It's what Director of National Intelligence James R. Clapper meant when he lied to Congress. When asked, "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" he replied, "No sir, not wittingly." To him, the definition of "collect" requires that a human look at it. So when the NSA collects - using the dictionary definition of the word - data on hundreds of millions of Americans, it's not really collecting it, because only computers process it. The NSA maintains that we shouldn't worry about human processing, either, because it has rules about accessing all that data. General Keith Alexander, director of the NSA, said that in a recent New York Times interview: "The agency is under rules preventing it from investigating that so-called haystack of data unless it has a 'reasonable, articulable' justification, involving communications with terrorists abroad, he added." There are lots of things wrong with this defense. First, it doesn't match up with U.S. law. Wiretapping is legally defined as acquisition by device, with no requirement that a human look at it. This has been the case since 1968, amended in 1986. Second, it's unconstitutional. The Fourth Amendment prohibits general warrants: warrants that don't describe "the place to be searched, and the persons or things to be seized." The sort of indiscriminate search and seizure the NSA is conducting is exactly the sort of general warrant that the Constitution forbids, in addition to it being a search by any reasonable definition of the term.
The NSA has tried to secretly redefine the word "search," but it's forgotten about the seizure part. When it collects data on all of us, it's seizing it. * * * [Polley: The rest is also worth reading.]

Bad Code: Part III (Lawfare, Jane Chong, 22 Oct 2013) - What do software users have in common with Mary Mallon, better known today as Typhoid Mary? A lot - and that's why we shouldn't be leaving the quality of code in the hands of the market. Confused? Connect the rest of the dots over at Security States, where we've just published the latest installment in our series on what it would take to hold software makers liable for the insecurity of their products. Part 1 offered an overview of the problems associated with insecure software; Part 2 argued that the technical challenges associated with minimizing software vulnerabilities weigh in favor of, not against, imposing liability on software makers. Here is an excerpt from Part 3: Security experts have written tomes on why monthly patch rollouts and steadily proliferating antivirus options do not collectively constitute a viable security solution to the problem of insecure code. But more can be said about the nature of this inadequacy, which traces back to the inadequacy of users. Consumers of "Internet hygiene services" are ultimately as ill-equipped to bear the burden of shaping the market to minimize software security risks as Mallon's employers were in controlling the spread of typhoid. The analogy applies on two levels, for as users we play the role of the victims - the New Yorkers who hired Typhoid Mary - but in important respects we also play the role of Mary herself. Three features make Typhoid Mary a relevant analogy for the modern software user, and shed light on why relying on users to make responsible cyber hygiene decisions cannot make for a responsible national cybersecurity policy.

- and -

Bad Code: Part V (Lawfare, Jane Chong, 31 Oct 2013) - Does holding software providers accountable for the insecurity of their code amount to going nuclear on the industry - the equivalent of pushing the big red button? I argue that this is the way critics see it, in the fifth and final installment of our Security States cyberliability series. Meanwhile proponents see liability as a far subtler weapon, along the lines of a many-levered machine. The distinction is a crucial one, one that suggests the two sides are talking past each other. Here's an excerpt from Part 5: [H]olding software providers accountable for their code need not entail exposing software providers to lawsuits for any and all vulnerabilities found in their products. Liability critics battle a straw man when they make arguments like this one, from computer security authority Roger Grimes: "If all software is imperfect and carries security bugs, that means that all software vendors - from one-person shops to global conglomerate corporations - would be liable for unintentional mistakes." Liability is a weapon far more nuanced than its critics believe. Geer and Grimes see liability as a big red button - a kind of nuclear option, to be avoided at all costs. Meanwhile proponents understand liability as a complex machine ideally outfitted with a number of smart levers. Consider: software's functions range from trivial to critical; security standards can be imposed at the development or testing stage, in the form of responsible patching practices or through obligations for timely disclosure of vulnerabilities or breaches; the code itself might be open-source or proprietary or in any case free. An effective liability regime is one that takes these many factors into account when it comes to designing rules, creating duties or imposing standards.

- and -

Toyota's killer firmware (Slashdot, 29 Oct 2013) - "On Thursday, a jury verdict found Toyota's ECU firmware defective, holding it responsible for a crash in which a passenger was killed and the driver injured. What's significant about this is that it's the first time a jury heard about software defects uncovered by a plaintiff's expert witnesses. A summary of the defects discussed at trial is interesting reading, as well as the transcript of court testimony. 'Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.' Anyone wonder what the impact will be on self-driving cars?"
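The expert finding quoted above names two separate controls: a static stack analysis (which missed calls through function pointers, library and assembly routines, and the context the RTOS saves on a task switch) and run-time stack monitoring, which was not done at all. The following is an added example, not code from the Slashdot post, the trial record or Toyota, showing one widely used form of run-time stack monitoring on an embedded target: paint each task's stack with a known pattern at start-up, measure the high-water mark later, and compare it against both a warning threshold and the static-analysis estimate, so that a path the static analysis missed shows up as a measured excess rather than as a silent overflow. The stack size, paint byte, threshold, the static buffer standing in for the task's stack segment, the simulated call chain, and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical task-stack parameters (assumptions for this example, not
   Toyota's values): a 1 KiB RTOS task stack, a paint byte unlikely to occur
   as a long run of ordinary frame data, and a usage warning threshold. */
#define TASK_STACK_SIZE   1024u
#define STACK_PAINT       0xA5u
#define STACK_WARN_PCT    80u

/* Stand-in for the task's stack segment. On a real target this is the region
   the linker reserves for the task; here it is a static buffer so the code
   runs on a host. The stack grows downward, so index 0 is the deep end that
   an overflow reaches first. */
static uint8_t task_stack[TASK_STACK_SIZE];

/* Step 1: at task creation, before the task first runs, fill the whole
   region with the paint pattern. */
void stack_paint(uint8_t *stack, size_t size)
{
    memset(stack, STACK_PAINT, size);
}

/* Step 2: from a supervisor or idle task, count the contiguous painted bytes
   at the deep end. Everything above that run has been written by a frame at
   some point since painting, so the remainder is the high-water mark.
   Scanning from the deep end means a frame byte that happens to equal the
   paint value inside the used region cannot hide usage; only a byte exactly
   at the boundary can under-report by one. */
size_t stack_unused_bytes(const uint8_t *stack, size_t size)
{
    size_t n = 0;
    while (n < size && stack[n] == STACK_PAINT) {
        n++;
    }
    return n;
}

size_t stack_high_water_bytes(const uint8_t *stack, size_t size)
{
    return size - stack_unused_bytes(stack, size);
}

/* Step 3: judge the measurement against two budgets. Returns
   0 = within budget,
   1 = above the warning threshold,
   2 = above the static-analysis estimate (the analysis missed a path: an
       indirect call, a library/assembly routine, or RTOS switch context),
   3 = no paint left at all (the stack ran off the end of its region). */
int stack_audit(const uint8_t *stack, size_t size, unsigned warn_pct,
                size_t static_estimate)
{
    size_t unused = stack_unused_bytes(stack, size);
    size_t used = size - unused;

    if (unused == 0) {
        return 3;
    }
    if (used > static_estimate) {
        return 2;
    }
    if (used * 100u >= (size_t)warn_pct * size) {
        return 1;
    }
    return 0;
}

/* Constructed stand-in for a call chain: on hardware the CPU pushes real
   frames; here 'depth' bytes from the top of the region are overwritten with
   non-paint data to simulate that. */
void simulate_stack_use(uint8_t *stack, size_t size, size_t depth)
{
    if (depth > size) {
        depth = size;
    }
    memset(stack + (size - depth), 0x00, depth);
}

/* Paint, simulate a chain of the given depth, return the measured high-water
   mark in bytes. */
size_t run_scenario(size_t depth)
{
    stack_paint(task_stack, TASK_STACK_SIZE);
    simulate_stack_use(task_stack, TASK_STACK_SIZE, depth);
    return stack_high_water_bytes(task_stack, TASK_STACK_SIZE);
}

/* Same scenario, but return the audit verdict against a static estimate. */
int audit_scenario(size_t depth, size_t static_estimate)
{
    run_scenario(depth);
    return stack_audit(task_stack, TASK_STACK_SIZE, STACK_WARN_PCT,
                       static_estimate);
}

int main(void)
{
    /* A static analysis that budgeted 700 bytes but missed an indirect call
       adding 250 more: the run-time check flags the excess (verdict 2)
       while the stack still has room, before anything is corrupted. */
    size_t hwm = run_scenario(950);
    int verdict = audit_scenario(950, 700);
    printf("measured high-water mark: %zu bytes, verdict %d\n", hwm, verdict);
    return 0;
}
```

On a real target the paint step belongs in task creation, the scan runs from an idle hook or supervisor task on a fixed period, and a verdict of 2 or 3 is logged and handed to the safety monitor rather than printed. Verdict 2 is the one that catches the kind of gap described in the testimony: the measurement is independent of the call graph the static tool built, so a call through a pointer or an assembly routine the tool never saw still consumes painted bytes.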

Fon finally launches in the US, inviting consumers to share their Wi-Fi (GigaOM, 23 Oct 2013) - If you thought Fon's recent roaming partnership with AT&T was a first step toward the Spanish Wi-Fi aggregator's launch in the U.S., then you would have been right. The company announced on Wednesday that it has begun selling its Wi-Fi routers to U.S. consumers. Called Foneras, the devices work like any other Wi-Fi access point with one exception: they automatically partition off a portion of their Wi-Fi signals to create a shared broadband network accessible to any Fon member at no cost. Fon has been operating in Europe since 2007 and first expanded internationally to Japan in 2011 through a partnership with Softbank. It actually has a presence in the U.S. of a few thousand members (called Foneros), but they're primarily European expats that have brought their Foneras over the Atlantic. Starting today, Fon will begin recruiting members within the U.S., selling the latest version of its router for $59 on Amazon.com and on its website. Europeans embraced a Wi-Fi-first attitude toward connecting mobile devices like smartphones and tablets, while us Yanks seemed content to use our cellular connections, she said (perhaps a vestigial remnant of our old unlimited data plans). That attitude has shifted in recent years, and U.S. companies are starting to embrace the concept of shared Wi-Fi. The most obvious example of that is Comcast, which recently began opening up all of its customers' home Wi-Fi routers to other Comcast customers.

Third Circuit requires warrant for GPS monitoring and limits good-faith exception in United States v. Katzin (Volokh Conspiracy, Orin Kerr, 23 Oct 2013) - Today the Third Circuit handed down United States v. Katzin, an important case on three related issues of Fourth Amendment law: first, whether the installation of a GPS device requires a warrant; second, the scope of the Davis good-faith exception to the exclusionary rule; and third, who has standing to suppress the evidence from the physical search of a car following a GPS search. The divided court ruled in the defendants' favor on all three issues. First, installation of a GPS device requires a warrant; second, the Davis good-faith exception applies only when there was directly on-point binding appellate precedent allowing the government's acts; and third, every passenger in the car at the time it is stopped has standing to challenge the fruits of the subsequent physical search. There's a lot in the Katzin case, so I thought I would blog on the three issues and offer my perspective on them. * * *

Federal prosecutors, in a policy shift, cite warrantless wiretaps as evidence (NYT, 26 Oct 2013) - The Justice Department for the first time has notified a criminal defendant that evidence being used against him came from a warrantless wiretap, a move that is expected to set up a Supreme Court test of whether such eavesdropping is constitutional. Prosecutors filed such a notice late Friday in the case of Jamshid Muhtorov, who was charged in Colorado in January 2012 with providing material support to the Islamic Jihad Union, a designated terrorist organization based in Uzbekistan. Mr. Muhtorov is accused of planning to travel abroad to join the militants and has pleaded not guilty. A criminal complaint against him showed that much of the government's case was based on intercepted e-mails and phone calls. The government's notice allows Mr. Muhtorov's lawyer to ask a court to suppress the evidence by arguing that it derived from unconstitutional surveillance, setting in motion judicial review of the eavesdropping. The New York Times reported on Oct. 17 that the decision by prosecutors to notify a defendant about the wiretapping followed a legal policy debate inside the Justice Department. The debate began in June when Solicitor General Donald B. Verrilli Jr. discovered that the department's National Security Division did not notify criminal defendants when eavesdropping without a warrant was an early link in an investigative chain that led to evidence used in court. As a result, none of the defendants knew that they had the right to challenge the warrantless wiretapping law. The practice contradicted what Mr. Verrilli had told the Supreme Court last year in a case challenging the law, the FISA Amendments Act of 2008.

How one small American VPN company is trying to stand up for privacy (ArsTechnica, 27 Oct 2013) - In recent months, I've started to take my own digital security much more seriously. I encrypt my e-mail when possible, I've moved away from Gmail, and I've become much more vigilant about using a VPN nearly all the time. Just as cryptographers and security researchers are auditing tools like TrueCrypt, I've started to kick the tires of the products that I rely upon on a daily basis. When I lived in Germany between 2010 and 2012, my wife and I paid $40 a year for a commercial VPN so we could continue to watch Hulu. But upon our return stateside, I kept paying for it anyway, for privacy-minded reasons. There are lots of VPNs out there, but the one I use is Private Internet Access (PIA). Why PIA? No particular reason, really. I don't remember exactly how I came to choose it, but I remember seeing it in a roundup of VPNs listed on TorrentFreak. I now use PIA nearly every day, almost all the time, and that got me wondering: how does the company respond to real-world legal requests? Has it ever been compelled to hand over user data? Were those users ever notified? Unfortunately, Private Internet Access' website doesn't really make clear who is behind its site. The site's footer points to London Trust Media, which also provides nothing more than an e-mail address. A little searching led me to find, and then get in touch with, the CEO of London Trust Media, Andrew Lee, one of the firm's two owners. Lee has a background in the world of Bitcoin (he was one of the original founders of Mt. Gox), but he has had an interest in online privacy for years. PIA has been around since August 2009. Today, it has around 100,000 users. One of PIA's biggest selling points (like other VPN providers) is that it does not log anything, and thus has little data to actually hand over to law enforcement. "We've never been asked for keys, nor [have we] handed over user data," Lee told Ars.
"What happens is that if anybody asks us for information, first and foremost, we confirm that they are a legit agency or government body that has any jurisdiction to even attempt to ask for that data. Then we go through and see that that complies with the letter and the spirit of the law. We don't have any logs whatsoever. We don't log metadata [or] session data either. We will comply with anything, but we can't comply because we do not provide any logs. We don't log, period." Of course, one of the biggest problems is that there's essentially no way for me to verify PIA's (or anyone else's) practices. Lots of VPN firms claim not to log, and I'd like to believe them, but there's really no way for me to know for sure that Lee can't see that I'm loading Ars about 100 times a day. Lee also told me that his firm has spoken with the Electronic Frontier Foundation (EFF) and other related groups to try to come up with a third-party audit system that would attempt to alleviate this exact problem. That way, ordinary consumers like me would at least have a little bit more of a reason to trust that no logs are being kept. "You have to trust the VPN - they have access to your data," Dan Auerbach of the EFF told Ars. "Even if they're really good, the government can come in and say we have a warrant... You have to take it on faith that there will be no CALEA-type orders, [where] the government will come in and say you have to come in and do logging. This is the reason that Tor was developed, was that people realized that we want some sort of anonymity service that doesn't require you to trust just one party. That's the basic problem with VPNs." * * * [Polley: This continues, with interesting discussion about legal issues, including possible use of a "warrant canary". For many of the reasons stated in this story, I've decided to cancel my VPN account with GetCloak.com; it comes down to my inability to trust any third-party service provider that might log, or steal, my traffic.
I'd suggested to GetCloak that they make public security promises that might be enforceable by the FTC, but even those might not be sufficient to enable me to use my financial log-in credentials over their network. So, I'm back to using AT&T, via my iPhone tethering, to secure my sensitive traffic, notwithstanding NSA interception. Better the NSA than somebody I don't know and really cannot trust.]

Adobe breach far worse than thought (GigaOM, 30 Oct 2013) - Remember that Adobe source code breach that freaked everyone out? Well, it's worse than we thought. It turns out that it affected not "just" Acrobat, Acrobat Reader and Cold Fusion users, but Photoshop users as well. The number of customers whose data was filched is not 3 million, as Adobe said early this month, but more like 38 million, as Photoshop is used by millions of people to edit photographs and images. The issue with source code theft is that the bad guys can go through the code, line by line, to find vulnerabilities and start exploiting them long before anyone knows what's going on. [Polley: I was interviewed about the Adobe hack in this Law360 article.]

Antigua preparing to move forward with WTO authorized rejection of US copyrights (Patently-O, 31 Oct 2013) - Over the past several decades, the US has been at the forefront of pushing through low international trade barriers and strong intellectual property rights. The current scheme is organized through the World Trade Organization and the vast majority of nations have signed on as members. The WTO has a dispute resolution mechanism that allows one country to bring another country to task for failing to abide by their trade-related promises. Most of these cases involve either import restrictions placed on certain goods or the "dumping" of goods. Since around 2003, the US has taken fairly effective measures to destabilize the market for cross-border gambling and betting services. In response to those measures, the country of Antigua and Barbuda filed a WTO dispute complaining that the US action was a trade violation, and the WTO panel agreed with Antigua. The particular findings are that "three US federal laws (the Wire Act, the Travel Act and the Illegal Gambling Business Act) and the provisions of four US state laws (those of Louisiana, Massachusetts, South Dakota and Utah) on their face, prohibit … cross-border supply … contrary to the United States' specific market access commitments for gambling and betting services." The penalty for a WTO violation typically involves the WTO allowing counter-measures by the injured party - typically their own import quota or restriction. In countries with a strong domestic industry, the import quota can provide a strong, albeit temporary, boost. However, those quotas also injure local consumers who typically pay more for lower quality goods or services. Antigua's particular situation is also unique because the country does not have much of any domestic industry beyond tourism (including gambling). As such, a typical quota does not make sense as a penalty against the US.
At the end of the day, the WTO authorized Antigua to suspend its TRIPs obligations with respect to U.S. intellectual property at a cost to the US. Antigua is now rapidly moving forward with a monetization scheme that would essentially create a local market for copyrighted work owned by U.S. entities, but where no royalties are paid to the U.S. copyright holders. Antiguan legislation is expected in the upcoming weeks followed by bids from private contractors to build-out the online marketplace.

Digital copyright, fair use, and digital rights management (MLPB, 31 Oct 2013) - Nicolo Zingales, Tilburg Law and Economics Center (TILEC), has published Digital Copyright, 'Fair Access' and the Problem of DRM Misuse in the Boston College Intellectual Property & Technology Forum (2012). Here is the abstract: The advent of the digital age and the wide diffusion of copyrighted works over the Internet have brought about a drastic challenge to the pre-existing rules and legal standards governing the exchange of information. This article points out one of the ways the development of these new technologies has altered the boundaries of copyright, specifically by enabling copyright holders to strategically expand the scope of protection through the strategic use of Digital Rights Management (hereinafter, DRM). After a brief overview of these technologies and their contribution to the development of online markets for copyrighted works, the article discusses the risks of using DRM as a means of stretching the legal protection conferred by Intellectual Property law. As a potential solution to such a problem, the article looks at the role of the courts and the approach embraced vis-à-vis specific cases of abuse of DRM in the copyright context. In carrying out this analysis, some considerations are made on the pro-competitive benefit that may derive from these practices, and thus the different outcome that would result from an application of a pure antitrust scrutiny to the same situation. The article then concludes by recommending a two-fold approach to the assessment of the legality of such practices, where antitrust analysis and IP principles are intermingled, proposing a legal test to facilitate this complex assessment.

NOTED PODCASTS

Alessandro Acquisti: Why privacy matters (TED talk, June 2013) - The line between public and private has blurred in the past decade, both online and in real life, and Alessandro Acquisti is here to explain what this means and why it matters. In this thought-provoking, slightly chilling talk, he shares details of recent and ongoing research -- including a project that shows how easy it is to match a photograph of a stranger with their sensitive personal information. [Polley: Very interesting - I hadn't appreciated how robust facial-recognition systems have become, and what happens when those systems are applied to Facebook (and the like) photo-uploading systems, and then advertising-push systems.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

California Disclosure Law Has National Reach (SecurityFocus, 6 Jan 2003) -- A new California law requiring companies to notify their customers of computer security breaches applies to any online business that counts Californians as customers, even if the company isn't based in the Golden State. So warned Scott Pink, deputy chair of the American Bar Association's Cybersecurity Task Force, in a conference call Monday organized by an industry trade group and attended by approximately 50 representatives of technology companies and law firms concerned about the scope of the new law, which will take effect on July 1st of this year. "If you are selling products or providing services to residents of California, it would probably be determined that you're conducting business in California under this law," said Pink. "This is something that has captured the attention of many corporate counsel and many IT managers around the United States, as they try to understand what the law requires and how it impacts them." The law, called "SB 1386," is intended to combat identity theft. It passed last September in the wake of a high-profile computer intrusion into a California state government system that housed payroll information on 200,000 state workers, in which the victim employees were not warned that their personal information was stolen until weeks after the incident. The law passed over strong objections from industry groups. To trigger the law, a breach must expose certain types of information: specifically, customers' names in association with their social security number, driver's license number, or a credit card or bank account number. After such an intrusion, the company must notify the affected customers in "the most expedient time possible and without unreasonable delay." Other types of information are not covered, and the disclosure only needs to be made to California residents.
But as a practical matter, Pink said, online businesses may find it easier to notify everyone impacted by a breach, rather than trying to cherry-pick Californians for special treatment.

Spam Suits Seek Poetic Justice (CNET, 4 April 2003) -- Call it the case of the hijacked haiku. Antispam company Habeas is suing bulk e-mailers, accusing them of using its poetry without permission in an unusual use of trademark law to clamp down on spammers. Habeas, headed by lawyer and antispam activist Anne P. Mitchell, puts a new twist on spam prevention by inserting some trademarked haiku lines into the header of an e-mail. The haiku is supposed to indicate to spam filters that the accompanying message is not spam in an effort to make sure that legitimate messages get through to recipients. Habeas' haikus are recognized by the antispam filters and technology of companies including Spam Assassin, AOL and Juno. When it launched last August, Habeas promised to closely track how its haikus were used and threatened to sue those who ran afoul of its trademarks and copyrights. This week, Habeas followed through on those threats, filing two suits in federal court in San Jose, Calif., accusing some Internet marketers of trademark violation and breach of contract. "The only reason to put our mark in the e-mail is to make sure it gets past spam filters," Mitchell said. "If someone uses our trademark without permission, we are required to go after them."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.