Saturday, December 20, 2014

MIRLN --- 1-20 December 2014 (v17.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Home Depot spent $43 million on data breach in just one quarter (Network World, 25 Nov 2014) - Home Depot spent US$43 million in its third quarter dealing with the fallout of one of the largest ever data breaches, highlighting the costly nature of security failures. The retailer said in a regulatory filing on Tuesday that it expects $15 million of that cost will be reimbursed by a $100 million network security and privacy liability insurance policy. The $43 million was spent on investigations, providing identity theft protection services to consumers, increased call center staffing and other legal and professional services. The retailer warned that it expects "to incur significant legal and other professional services expenses associated with the data breach in future periods." Home Depot is also facing 44 actions filed in courts in the U.S. and Canada. It expects more claims may be filed on behalf of customers, payment card brands, payment card issuing banks and shareholders. Payment card networks may make claims seeking to recover incremental counterfeit fraud losses and costs for reissuing cards, Home Depot wrote.

5 reasons to allow digital devices in your classroom (InsideHigherEd, 30 Nov 2014) - Amidst reports of Steve Jobs and other Silicon Valley CEOs imposing extremely strict technology rules on their children, the debate around technology use in the classroom has caught fire once again. One of the strongest arguments for banning technology in the classroom came earlier this fall, from media pundit Clay Shirky in a piece titled "Why I Just Asked My Students To Put Their Laptops Away." In principle, I agree with a lot of what Shirky writes - multiple studies confirm the cognitive toll that distractions and multitasking inflict on learning; his argument that social media is designed both in form and content to distract has merit; and as an email-addict myself, I know that feeling of "instant and satisfying gratification" he describes all too well. Suggesting, however, that enforcing a technology ban is the solution to students' lack of engagement strikes me both as insecure and a wee bit simplistic. Surely, learning can take place in the absence of technology. But valuable learning can also take place in the presence of it. In my own experience as a foreign language instructor, I have found that there are many benefits to allowing - and in certain cases encouraging - students to use digital devices in class, five of which are outlined below.

Hackers using lingo of Wall St. breach health care companies' email (NYT, 1 Dec 2014) - For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations - most of them publicly traded health care or pharmaceutical companies - apparently in pursuit of information significant enough to affect global financial markets. The group's activities, detailed in a report released Monday morning by FireEye, a Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can significantly affect a company's stock price. Starting in mid-2013, FireEye began responding to the group's intrusions at publicly traded companies - two-thirds of them, it said, in the health care and pharmaceutical sector - as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services. The attackers, whom FireEye named "Fin4" because they are one of several groups that hack for financial gain, appear to be native English speakers, based in North America or Western Europe, who are well versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ. Different groups of victims - frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists - are sent different emails. Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee's negative rants about the executive in an investment forum. In another case, hackers posed as an adviser to one of two companies in a potential acquisition. In several cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In others, the attackers simply embedded generic investment reports in their emails.

BITAG report on interconnection and traffic exchange on the Internet (Benton Foundation, 1 Dec 2014) - The Internet is a complex "network of networks" where individual networks are linked together to form a global network. In order for end users connected to one network to access data and services connected to another network, these networks must "interconnect" with each other, either by directly connecting with each other or by indirectly connecting through intermediate networks. Internet network interconnection, often referred to as "peering" or "transit," is an increasingly important topic as the Internet ecosystem continues to evolve. The term "interconnection" refers to the various means by which network providers attach to and move traffic between one another, and is a collection of business practices and technical mechanisms that allow individually managed networks to connect together for this purpose. There is no central authority that manages Internet interconnection - the overall system arises because of the many bilateral and multilateral decisions that various actors make to interconnect. Interconnection in the United States has evolved significantly since the early days of the Internet. Peering connections, where two networks interconnect without the use of intermediate networks, are increasingly the primary interconnection paths between networks, supplanting the model of hierarchical interconnection via a small group of long-distance network providers. In most cases, two parties seeking to interconnect are able to come to terms. In some cases after an agreement is reached, however, traffic volumes or other factors may change, which in rare cases have led to "de-peering" events. More commonly, such changes lead to a renegotiation of the manner or type of interconnection agreement between the two parties. Although peering disputes over traffic imbalances, and other reasons, are not new, peering disputes in the U.S. have been increasingly publicized in recent years. With this report, BITAG's Technical Working Group (TWG) aims to provide a technical reference on the subject of Internet interconnection, and presents a detailed review on how networks connect, the development and changes in connection models, motivations for connection, how networks manage traffic between each other and some of the challenges that arise as networks evolve. Report here.

To follow or not to follow: the brave new world of social media (Justice Barbara Jackson, The Judges' Journal, December 2014) - In recent years, social media sites have become inextricably interwoven within the fabric of society. A 2012 report notes that "[i]n the court community, 2012 will probably be remembered as the year when some courts went from viewing new media as a threat to embracing new media's possibilities as a powerful tool." That same study states that a little over 46 percent of judges surveyed used a social media profile site, with Facebook being the most popular choice of over 86 percent of users. In comparison, the general public is using social media in far higher numbers. * * * In light of these increasing numbers, historic resistance to judges' use of social media needs to be reevaluated and prohibitions against use should be discarded in favor of appropriate guidelines for social media use. * * *

A gamified approach to teaching and learning (InsideHigherEd, 2 Dec 2014) - Mark Carnes's "Minds on Fire: How Role Immersion Games Transform College" offers evidence that an immersive gamified pedagogy can significantly increase student engagement and motivation. Higher education is in the midst of seismic shifts in curricular design, pedagogy, delivery modes, and instructional activities and assessments. Models of education that arose in the Industrial Era slowly give way to new paradigms better suited to the Information Age. A more customized, self-paced and adaptive approach to education is gradually replacing the "mass production," "one-size-fits-all" paradigm, which assumed that all students should acquire the same information at the same pace. A "transmission" model, in which content experts deliver a body of information to passive students, is slowly succumbing to more interactive forms of teaching that actively engage students in their own learning. A sink-or-swim model designed to separate the wheat from the chaff is being succeeded by a new ideal: helping all students achieve proficiency. An artisanal approach to course design, in which solo practitioners develop courses wholly on their own, is yielding to a more collaborative model involving instructional designers, educational technologists, assessment specialists, and teams of faculty members, sometimes on multiple campuses. At the same time, delivery models - hybrid, fully online, emporium, accelerated, competency-based, low-residence - proliferate, slowly displacing lectures and radically altering the ways that students consume education. Meanwhile, linear paths to a degree, through which students complete all courses at a single institution, are being replaced by more circuitous routes, in which students acquire credits from early college high school programs, AP classes, community colleges, and various online providers. As certificates become more common, the bachelor's degree is no longer the exclusive way students establish credentials. [Polley: There's quite a bit here; I'm working on the future of CLE at the ABA, and much of this is relevant.]

Michigan State Law School rebranding itself through social media (Kevin O'Keefe, 3 Dec 2014) - Michigan State Law School is branding itself, at least in my mind, as one of the more innovative law schools in the country. A school that is recognizing the importance of a sound legal education, while at the same time preparing its students to use technology and social media while in school - and upon graduation. The wild thing is that the public's perception of MSU Law is not changing because of a centralized public relations campaign by the school or via mass mailings to the alumni. The law school's students are rebranding the school through their individual use of social media. And the students are doing it without the direction of the law school. I receive more requests to connect on LinkedIn from MSU law students than from students at any other law school. The same goes for Twitter followers. Not many on Facebook yet, but that mirrors that age group's slower take to Facebook for networking. The students are connecting and engaging on social to learn - as well as build word of mouth and network for job opportunities. I had a great discussion with Chelsea Rider, a veteran and MSU Law 3L, two nights ago about the impact of technology and social media. Her inquiry centered on how we could leverage tech and social to make the law more accessible. How many other law students around the country were having such a discussion at one o'clock in the morning? I had no idea who Rider was 48 hours ago. Now I cannot wait to meet her. MSU law students didn't just pick up social and tech from the water in East Lansing. They were exposed to it by professors and guests speaking at the school. It was up to the students to run with the ball. Ellis tells me it was MSU Law's ReInvent Law Laboratory created by professors Renee Knake and Daniel Katz which opened his eyes to the innovative use of tech in the law and the power of social media. Rider blogs she was exposed to ReInvent Law and the thinking of legal futurist Richard Susskind, who spoke at MSU Law a couple years ago. But it wasn't until Assistant Dean of Career Development and Professor Dan Linna hosted a weekend workshop, "Delivering Innovative Legal Services," led by Kenneth Grady from Seyfarth Shaw that she realized the legal profession was being reinvented while she was in school - and that she could learn and network via social media.

US urges banks to consider cyber risk insurance amid hacking threats (Reuters, 3 Dec 2014) - Banks should consider cyber risk insurance to help deal with the financial fall-out from the growing threat of cyber attacks, a top U.S. regulator said on Wednesday. Bankers and officials have become more vocal lately about concerns that malicious hacks could put customer data and the stability of the financial system at risk. Cyber insurance will not stop hackers, but it can help banks improve their broader cyber controls, Treasury Deputy Secretary Sarah Bloom Raskin told the Texas Banker's Association at a cybersecurity conference. Raskin said more than 50 carriers now offer some form of cyber risk insurance, and Treasury was encouraging companies to develop insurance products that could improve firms' overall cyber protection. "Ideally, we can imagine the growth of the cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board," she said. The insurance broking arm of Marsh & McLennan Companies estimates the U.S. cyber insurance market was worth $1 billion last year in gross written premiums and could reach as much as $2 billion this year. But many insurers are still trying to develop their skills in handling hackers and data breaches. Raskin also said Treasury was working on an exercise to test communication among government agencies and financial institutions during a cyber attack.

- and -

Defense contractors fighting cyber threats can share information through new ISAC (AL.com, 4 Dec 2014) - The hacking of Sony's computer networks has again focused attention on the growing cyber security problem in America. But a newly-announced cyber information exchange center will grow Huntsville's role in cyber security while combating cyber intrusions among defense contractors nationally. "We're giving smaller defense contractors a way to talk to each other," says Steve Lines, Executive Director of the Defense Industrial Base - Information Sharing and Analysis Center (ISAC), slated to open in Research Park in February 2015. Lines says the aim is to give companies that support the mission and the infrastructure of the defense industrial base community a way to share information about cyber intrusions, as well as how to respond to both natural and man-made crisis events. They'll also have access to a national group of cyber security experts at the National Council of ISACs in Washington. A former Director of Information Assurance at SAIC, Lines says virtually every company today gets hacked. "It's not a matter of if, but when, a company gets hit with a cyber attack," he said. Sharing of cyber intrusion information helps to detect patterns of cyber attack, so warnings can be provided to all ISAC members, Lines said. [Polley: The ABA is considering sponsoring an ISAC for law firms; good idea, or fool's errand?]

- and -

I'm from the government, I'm here to help: DOJ announces new cyber-security section (Security Current, 5 Dec 2014) - The Department of Justice is establishing a new unit within the Computer Crime and Intellectual Property Section of the Criminal Division designed to actually help entities prevent cybercrime, instead of just prosecuting it after it happens, according to a speech at Georgetown University at the Cybercrime 2020 Symposium by Assistant Attorney General (AAG) Leslie R. Caldwell. In announcing the role of the new Cybersecurity Unit, AAG Caldwell explained: Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic surveillance statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of everyday Americans. The Cybersecurity Unit will work hand-in-hand with law enforcement and will also work with private sector partners and Congress. This new unit will strive to ensure that the advancing cyber security legislation is shaped to most effectively protect our nation's computer networks and individual victims from cyber attacks. So, in essence, the Cybersecurity Unit will (1) give legal advice about computer crime and electronic surveillance issues; (2) draft and comment on legislation related to cybersecurity; and (3) engage in outreach with the private sector and the public at large.

- and -

NYDFS issues examination guidance to banks outlining new targeted cyber security preparedness assessments (New York State, 10 Dec 2014) - Benjamin M. Lawsky, Superintendent of Financial Services, today issued an industry guidance letter to all New York State Department of Financial Services (DFS)-regulated banks outlining the specific issues and factors on which those institutions will be examined as part of new targeted, DFS cyber security preparedness assessments. These banks will be examined on their protocols for the detection of cyber breaches and penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; the security of their third-party vendors, and a number of other issues. The new cyber security assessments will become regular, ongoing parts of all DFS bank examinations moving forward. Taking this step will help encourage stronger cyber security practices at banks since regulatory examination ratings can have significant impacts on the operations of financial institutions, including their ability to enter new business lines or make acquisitions. [Polley: Note the language "the security of their third-party vendors". This includes law firms.]

Sites certified as secure often more vulnerable to hacking, scientists find (ArsTechnica, 4 Dec 2014) - Seals certifying the security of e-commerce sites and other online destinations have long aroused suspicions that they're not worth the bits they're made of - much less the hundreds or thousands of dollars they cost in yearly fees. Now, computer scientists have presented evidence that not only supports those doubts but also shows how such seals can in many cases make sites more vulnerable to hacks. The so-called trust marks are sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys. In exchange for fees ranging from less than $100 to well over $2,000 per year, the services provide periodic security scans of the site. If it passes, it receives the Internet equivalent of a Good Housekeeping Seal of approval that's prominently displayed on the homepage. Carrying images of padlocks and slogans such as "HackerProof," the marks are designed to instill trust in users of the site by certifying it's free of vulnerabilities that hackers prey on to steal credit card numbers and other valuable customer data. A recently published academic paper discovered an almost universal lack of thoroughness among the 10 seal providers studied. For one thing, the scientists carried out two experiments showing that the scanners failed to detect a host of serious vulnerabilities. In one of the experiments, even the best-performing service missed more than half of the vulnerabilities known to afflict a site. In another, they uncovered flaws in certified sites that would take a typical criminal hacker less than one day to maliciously discover. Most strikingly, the researchers developed attacks that are enabled by a site's use of security seals, a shortcoming that ironically makes sites that use some seals more vulnerable than if they didn't use the service. "Through a series of automatic and manual experiments, we discovered that third-party security seals are severely lacking in their thoroughness and coverage of vulnerabilities," the paper, titled Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals, concluded. "We uncovered multiple rudimentary vulnerabilities in websites that were certified to be secure and showed that websites that use third-party security seals do not follow security best practices any better than websites that do not use seals. In addition, we proposed a novel attack where seals can be used as vulnerability oracles and describe how an attacker can abuse seal providers to discover the exact exploit for any given vulnerable seal-using website."

Operation AURORAGOLD: How the NSA hacks cellphone networks worldwide (The Intercept, 4 Dec 2014) - In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military's Africa Command needed help to hack into Libya's cellphone networks and monitor text messages. For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers' internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks. The NSA's assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program - global in its scope and ramifications - targeted not just at hostile countries. According to documents contained in the archive of material provided to The Intercept by whistleblower Edward Snowden, the NSA has spied on hundreds of companies and organizations internationally, including in countries closely allied to the United States, in an effort to find security weaknesses in cellphone technology that it can exploit for surveillance. The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into - a controversial tactic that security experts say could be exposing the general population to criminal hackers. [Polley: This story reminded me of the 2007 mysterious Greek cellphone hacking story in MIRLN 10.13; the IEEE technical discussion here is still fascinating. What do you bet there's a solid connection?]

Comcast makes it more and more difficult to opt-out of Internet sharing (TechCrunch, 7 Dec 2014) - As we learned back in June, Comcast has decided to turn every cable router on its network into a public wi-fi access point. While this may sound like a good idea - free Internet for all Comcast subscribers everywhere is the goal - the reality clashes with the Internet user's sense of freedom and control. And, unfortunately, Comcast is making it harder and harder to opt out of their service. DSLReports has noted that many users have found that even after disabling the sharing, updates to the firmware re-enable it automatically. Wrote one user, Moulder3: So again, my ability to turn WiFi off via the "Users & Preferences" page did not exist. Calling the 800 number and going to internet support gave me someone who only suggested trying to disable & re-enable bridge mode (which didn't eliminate 'xfinitywifi'). He then suggested I (get this!) read up on the Comcast customer forums on their website as "there are constantly updates to the firmware in our modems and this is probably just an update that has an issue at the moment." When I told him that wasn't acceptable, he transferred me to the WiFi department (who actually seemed to be both U.S. based & knowledgeable!) This rep empathized with me and admitted that although I have the WiFi set to 'off' and I have my gateway in bridge mode, he could apparently see that xfinitywifi was active on my account. THIS DEPARTMENT SEEMS TO BE THE ONLY ONE ABLE TO DISABLE THE XFINITYWIFI ON GATEWAYS AT THE MOMENT. Their direct # is 855-308-9453 (I'm glad I asked the clueless tier 1 tech for it before being transferred). I can confirm that this person was ultimately able to fix the issue. The only solution, according to forum members, is to "buy your own modem/router," a solution that seems quite simple. Sadly, however, there are also complaints of Comcast failing to remove router rental fees even after multiple requests. While most users are obviously fine with Comcast sharing their bandwidth, this Kafkaesque experience for those who dare think a bit different looks quite frustrating.

The FCC takes a seat at the cyber-regulation table (Cyber Risk Network, 8 Dec 2014) - The FCC recently slid up its chair to the fiscal feast that is cyber security and data breach regulation and took a hefty piece of the pie. In late October the FCC announced that it charged a record $10 million fine against two telecommunication companies after the telecoms reportedly posted the private information of nearly 300,000 people in a manner making the people eligible for identity theft. Taking a cue from the Federal Trade Commission ("FTC"), the FCC action was not based on any new set of concrete regulations or laws established to give organizations a minimum bar for data protection, but rather on existing FCC powers established under the Communications Act of 1934. The action serves as a good warning not only to communications providers that the FCC will be examining data breaches and, more expressly, data storage issues, but also that in the absence of clear cybersecurity regulations, federal agencies will take an expansive view of their existing authority to address cybersecurity-related incidents involving companies subject to their jurisdiction. Similar to the FTC's response, the FCC's first foray into data breach regulation was born from its interpretation of its existing authority under the Communications Act of 1934 (the "Act"). Under the Act, the FCC is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable throughout the United States and its territories. Moreover, under 503(b)(1) of the Act, the FCC is authorized to impose a forfeiture penalty against "any person who willfully or repeatedly fails to comply with any provision of the Act." As the FCC described in its Notice of Forfeiture, that is exactly what two companies did, YourTel America and TerraCom Inc., when they collected the data of up to 300,000 customers to determine eligibility for the FCC's low-income discount phone program, "Lifeline." In order to enroll, potential participants had to demonstrate eligibility by submitting personal information to the Companies, including the applicant's name, address, date of birth, social security number, and driver's license information. Between September 2012 and April 2013, the FCC alleges that applicants' information was stored on data servers that were publicly accessible via the Internet, a fact made known to the FCC after reporters from the Scripps Howard News Service advised the FCC that they were able to access at least 128,066 confidential records by using a simple Google search. Acting under the authority provided by the Communications Act, as amended by the Telecommunications Act of 1996, the FCC charged the Companies with violations of Sections 222(a) and 201(b). Under 222(a), a carrier has a duty "to protect the confidentiality of proprietary information of, and relating to . . . customers." Similarly, 201(b) makes it unlawful for a carrier to employ "unjust or unreasonable" data security practices related to its "practices," such as, in this case, holding customers' "proprietary information." [Polley: Spotted by MIRLN reader Keith Cheresko]

Pointing users to DRM-stripping software isn't copyright infringement, judge rules (EFF, 10 Dec 2014) - Telling users how to strip the DRM from their legally purchased ebooks is not contributory copyright infringement, according to a ruling last month by a federal judge in New York. Judge Denise Cote dismissed two publishers' claims of contributory infringement and inducement in Abbey House Media v. Apple Inc., one of the many cases to come out of the antitrust litigation against Apple and a handful of major publishers. Abbey House Media operated an ebook store for the publishers Penguin and Simon & Schuster from 2010, and was contractually obligated to wrap the ebooks sold in that store with DRM. When Abbey House shut down the ebook store in 2013, it gave its customers a month's notice that they would no longer be able to add new devices to read their purchased books on - and also explained that some customers were using the free software package Calibre to remove the DRM so they would be able to move their library to new hardware. Penguin and Simon & Schuster argued that, by making that announcement and pointing to a specific piece of software, Abbey House was engaging in contributory infringement and inducing people to infringe. Fortunately, Judge Cote recognized the problems with those claims and dismissed them both.

Ruling lets work email be used to organize unions (NYT, 11 Dec 2014) - In a decision that could affect millions of workers across the country, the National Labor Relations Board ruled on Thursday that employers could not prohibit employees from using their company's email to communicate and engage in union organizing on their own time. The 3-to-2 ruling overturned a decision made in 2007, when Republicans held a majority on the board, that had forbidden such use of email. Calling that ruling "clearly incorrect," the current majority noted how technology had transformed daily habits. "The workplace is 'uniquely appropriate' and 'the natural gathering place' for such communications," the board wrote, "and the use of email as a common form of workplace communication has expanded dramatically in recent years." The board did carve out an exception, saying that in special circumstances, employers might be able to create an overall ban on nonwork use of email if they could show it was necessary for productivity or discipline. The board said that as long as workers were allowed to send non-work-related emails, then employers could not bar the messages from being about union organizing. The majority in the ruling on Thursday wrote: "Empirical evidence demonstrates that email has become such a significant conduit for employees' communications with one another that it is effectively a new 'natural gathering place.'"

Cell phones exempt from the automobile search exception, Ninth Circuit rules (Orin Kerr, 11 Dec 2014) - With law school exam season finishing up, here's a new Fourth Amendment decision with facts that seem straight from a law school exam: United States v. Camou, authored by Judge Pregerson. In the new decision, the Ninth Circuit suppressed evidence from a 2009 search of a cell phone taken from a car incident to arrest at the border. The new ruling might not be the final word in the case. But the court does decide an important question along the way: The Ninth Circuit rules that if the police have probable cause to search a car under the automobile exception, they can't search cell phones found in the car. In 2009, officers arrested Camou at a border inspection checkpoint for hiding an undocumented immigrant in his truck. Minutes after the arrest, Camou's phone rang several times from a number known to be from one of Camou's co-conspirators. When Camou invoked his right to remain silent, officers decided to search the phone for evidence without a warrant. The phone search occurred 80 minutes after Camou's arrest. The officer who searched the phone first searched through the call logs, then turned to the videos and photos. The officer scrolled through about 170 photos and saw that about 30 to 40 were child pornography. The officer stopped looking through the phone at that point and alerted authorities about the child pornography. Four days later, a warrant was obtained to search the cell phone for images of child pornography, leading to child porn charges against Camou. The issue before the court is whether to suppress the fruits of the initial warrantless phone search as a violation of the Fourth Amendment. The Ninth Circuit rules that the cell phone search violated the Fourth Amendment and that the evidence must be suppressed.

Google, on Google News in Spain (Google, 11 Dec 2014) - After 9/11, one of our engineers, Krishna Bharat, realized that results for the query "World Trade Center" returned nothing about the terrorist attacks. And it was also hard to compare the news from different sources or countries because every web site was a silo. That's how Google News was born and today the service is available in more than 70 international editions, covering 35 languages. It's a service that hundreds of millions of users love and trust, including many here in Spain. It's free to use and includes everything from the world's biggest newspapers to small, local publications and bloggers. Publishers can choose whether or not they want their articles to appear in Google News -- and the vast majority choose to be included for very good reason. Google News creates real value for these publications by driving people to their websites, which in turn helps generate advertising revenues. But sadly, as a result of a new Spanish law, we'll shortly have to close Google News in Spain. Let me explain why. This new legislation requires every Spanish publication to charge services like Google News for showing even the smallest snippet from their publications, whether they want to or not. As Google News itself makes no money (we do not show any advertising on the site) this new approach is simply not sustainable. So it's with real sadness that on 16 December (before the new law comes into effect in January) we'll remove Spanish publishers from Google News, and close Google News in Spain. For centuries publishers were limited in how widely they could distribute the printed page. The Internet changed all that -- creating tremendous opportunities but also real challenges for publishers as competition both for readers' attention and for advertising Euros increased. We're committed to helping the news industry meet that challenge and look forward to continuing to work with our thousands of partners globally, as well as in Spain, to help them increase their online readership and revenues.

Federal court agrees with EFF, throws out six weeks of warrantless video surveillance (EFF, 12 Dec 2014) - The public got an early holiday gift today when a federal court agreed with us that six weeks of continually video recording the front yard of someone's home without a search warrant violates the Fourth Amendment. In United States v. Vargas, local police in rural Washington suspected Vargas of drug trafficking. In April 2013, police installed a camera on top of a utility pole overlooking his home. Even though police did not have a warrant, they nonetheless pointed the camera at his front door and driveway and began watching every day. A month later, police observed Vargas shoot some beer bottles with a gun and, because Vargas was an undocumented immigrant, they had probable cause to believe he was illegally possessing a firearm. They used the video surveillance to obtain a warrant to search his home, which uncovered drugs and guns, leading to a federal indictment against Vargas. Vargas moved to suppress the evidence and Senior U.S. District Court Judge Edward Shea invited us to submit an amicus brief, which we filed late last year. After an evidentiary hearing, the judge wanted more information about the specific surveillance equipment the government was using, details the government was unsuccessful in keeping secret. Today Judge Shea issued this brief minute order: "Law enforcement's warrantless and constant covert video surveillance of Defendant's rural front yard is contrary to the public's reasonable expectation of privacy and violates Defendant's Fourth Amendment right to be free from unreasonable search. The video evidence and fruit of the video evidence are suppressed." Looking at these two sentences makes clear the court was convinced by our arguments that the invasiveness of constant video surveillance pointed continuously at one of the most sensitive and private places - the front of a person's home - triggers constitutional protection. Relying on cases decided almost 30 years ago, the government argued that it's unreasonable for people to expect privacy in an area visible to the public. But as we explained in our amicus brief, no one expects their house to be placed under invasive 24/7 video surveillance for a month. And as the U.S. Supreme Court recently reaffirmed in Riley v. California, the ability for technology to reveal a "broad array of private information" means courts must be particularly vigilant in protecting constitutional rights in the 21st Century.

Sony's hacking nightmare gets worse: employees' medical records revealed (Bloomberg, 12 Dec 2014) - Documents stolen from Sony by hackers include detailed and identifiable health information on more than three dozen employees, their children or spouses -- a sign of how much information employers have on their workers and how easily it can become public. One memo by a human resources executive, addressed to the company's benefits committee, disclosed details on an employee's child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee's appeal of thousands of dollars in medical claims denied by the insurance company. Another document leaked in the hack is a spreadsheet from a human resources folder on Sony's servers that includes the birth dates, gender, health condition and medical costs for 34 Sony employees, their spouses and children who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and alcoholic liver cirrhosis. The release of the health information could be some of the most damaging material, said Deborah Peel, director of Patient Privacy Rights, a non-profit group. "This stuff will haunt all those people the rest of their lives. Once it's up on the Internet it is up in perpetuity," Peel said. "This is a thousand times worse than that other stuff," she said, referring to salary information and personal e-mails. "Health information is the most sensitive information about you."

- and -

Sony GC's emails leaked in ongoing hacker fallout (Corporate Counsel, 12 Dec 2014) - Sony Pictures Entertainment Inc. general counsel Leah Weil reportedly argued against a company policy of saving all emails and in favor of instituting a regular purge. Ironically, she made the argument in one of the many Weil emails hacked and made public by a group calling itself Guardians of the Peace. Weil, who has been with Sony since 1996 and GC since 2001, also serves as the company's chief compliance officer. She couldn't be reached for comment. On Thursday the hackers reportedly posted emails from the account of Sony's top lawyer. Most of the hackers' posts appear briefly and then disappear. But Gizmodo, a design and technology news site, apparently captured some posts of Weil's emails and revealed them Thursday. Another vague email involving several unnamed executives seems to deal with whether to take a stand on net neutrality, but offers no answer. And another involves what Gizmodo calls a "strategic invitation from Google to start working together."

- and -

Can Sony get around the First Amendment to sue the media over the hack? (Eriq Gardner, 15 Dec 2014) - On Sunday night, famed attorney David Boies sent a threatening letter on behalf of Sony Pictures to The Hollywood Reporter, The New York Times and other news organizations demanding destruction of stolen information and warning of consequences for publishing the company's secrets. If Sony does decide to go to court against the media over revelations that keep coming - Channing Tatum and Chris Pratt wish to reboot Ghostbusters, George Clooney lost faith in The Monuments Men, Sony executives weren't thrilled by Leonardo DiCaprio dropping out of a Steve Jobs biopic - the First Amendment stands as a roadblock. But maybe not an impenetrable one. Many attorneys are now carefully reading every word from a 2001 Supreme Court decision, Bartnicki v. Vopper. The case concerned union officials whose intercepted cell phone conversations landed in the hands of a radio commentator who broadcast the contents. At the high court, the media defendants were given a pass from violating a federal wiretap law as they "played no part in the illegal interception," "their access to the information on the tapes was obtained lawfully, even though the information itself was intercepted unlawfully by someone else" and finally, "the subject matter of the conversation was a matter of public concern." That decision offers tremendous hope for news organizations that Sony's threats against the news media are empty. "Unless the media is involved in the hacks themselves, the Bartnicki case puts the law on the side of the media," says Andy Sellars at Harvard University's Berkman Center for Internet & Society. However, some caution might be in order for two reasons. * * * [Polley: pretty interesting.]

Tech firms tussle with DOJ over the right to say 'zero' (WaPo, 16 Dec 2014) - A growing number of technology companies seeking to promote transparency have been testing the limits of new government guidelines on how they can disclose national security orders for their customers' data. Over the past year or so, about a dozen online and communications firms have reported that they have never received such a request, effectively breaching the spirit if not the letter of government guidance issued in January intended to make it more difficult for would-be terrorists or spies to identify services that could be used to evade detection. Their decisions have frustrated U.S. officials, even as they privately acknowledge there is little they have been able to do about it. In October, Twitter sued the government, charging that its First Amendment rights were squelched when the Justice Department blocked it from publishing a transparency report that sought to disclose the specific number of orders it had received and the fact that the number was limited. The firm also alleged that preventing a company from reporting "zero" national security requests is an unconstitutional restraint on speech. The guidelines take the form of an agreement reached with five major tech companies that allowed for reporting of government national security requests in broad ranges, such as 0-999. There is no "zero" option. Some firms began issuing warrant canaries shortly after the first disclosures by former intelligence contractor Edward Snowden, who revealed a National Security Agency program to gather data about millions of Americans' phone calls (though not the content) from phone companies. Wickr, a San Francisco-based company that provides an encrypted text message service to more than 4 million users, planted a warrant canary in its transparency report in the summer of 2013, becoming the first company, it said, to do so. The report said, "If the canary flies the coop, the tone of this report will change as well because things will have shifted."

NOTED PODCASTS

Preparing to Recover from Cyber Disruptions of the Grid (Roland Trope at Dartmouth, 21 Nov 2014; 67 minute video) - The North American Bulk Power System ("BPS") is perhaps the most vital of our critical infrastructures. The country's economy and national security depend on the BPS remaining resilient. BPS owners and operators have learned from experience to prepare for, respond to, and recover from "normal" emergency events (such as hurricanes, earthquakes, tornadoes, ice storms). They are, however, much less prepared to respond to and recover from high impact, low frequency events. Geomagnetic disturbances and kinetic cyberattacks may cause damage so catastrophic that afterwards complete restoration of BPS operations might not be possible. If a successful kinetic cyberattack were to damage heavy equipment such as large power transformers, sufficient replacement units might not be available. The long lead time for these procurements would be at least 8 to 14 months. Meanwhile, the BPS would have to operate at a reduced state of reliability and supply. The electricity industry's capabilities would be stressed far beyond its already robust emergency response capabilities. This "New Normal" would be characterized by "islands" of electrical power, which would be stabilized by load shedding and rolling blackouts. Electricity would have to be rationed to support the highest priority customers. The North American Electric Reliability Corporation (NERC) refers to such occurrences and consequences as "Severe Events." Knowing that disruption of a national grid can produce extraordinary damage to a country's economy and social fabric, how might a cyber adversary exploit the vulnerabilities in the BPS to cause a "Severe Event"? How much of the North American grid might remain seriously degraded for months or years thereafter? What preparations are BPS owners and operators making to be ready to mitigate the damage and manage an orderly and efficient recovery? If commercial companies and critical infrastructure firms are not apprised of the details of such recovery plans, will their own contingency plans leave them ill-prepared to cope with a "Severe Event"?

RESOURCES

The Public Performance right after the Aereo decision (MLPB, 3 Dec 2014) - Matthew Sag, Loyola University Chicago School of Law, has published The Uncertain Scope of the Public Performance Right after Aereo. Here is the abstract: The Supreme Court's recent majority decision in American Broadcasting Companies v. Aereo, Inc., 134 S.Ct. 2498 (2014), holds that a service allowing consumers to watch broadcast television programs over the Internet virtually simultaneously with the original over-the-air broadcast directly infringes the copyright owner's exclusive right to 'perform the copyrighted work publicly.' The majority overrules the Second Circuit ruling in the same case, and throws into doubt one of the central holdings in the Second Circuit's Cablevision decision. The majority's 'looks like a cable system' approach makes the public performance right almost incomprehensible. This Article considers a number of questions left open by the Aereo decision relating to specific technologies, including remote DVRs, devices that allow the consumer to pause and rewind live television, and cloud computing generally. It also considers whether the Court's decision in Aereo portends the use of an effects-based approach to expand other exclusive rights under the Copyright Act in future cases. Finally, this Article concludes with a concise explanation as to why Aereo would not have prevailed under a fair use analysis. Judge Chin's intuition that Aereo's design was a mere 'Rube Goldberg-like contrivance, over-engineered in an attempt to avoid the reach of the Copyright Act,' was spot on; however, this technological contrivance should not have been the foundation for the Supreme Court's legal contrivance.

DIFFERENT

The Twitter account that unravels time (The Atlantic, 5 Dec 2014) - In the same way that dissecting a joke can render it unfunny, fixating too closely on time can stretch the minutes beyond their usefulness. That's part of what makes the project All The Minutes, and its Twitter incarnation @alltheminutes, so riveting. The bot crawls Twitter and retweets users who refer to the time for every minute of the day. The effect evokes artist Christian Marclay's stunning collage film, The Clock, a 24-hour loop that mashes up scenes from thousands of movies and television shows to refer to the actual time as the film plays. All The Minutes, according to creator Jonathan Puckey's explanation on GitHub, was a way to generate one sprawling story of a single day. The project was originally part of an exhibition at the Van Abbemuseum in the Netherlands, he said. "It's interesting to us that these days people choose to speak about exact minutes in relation to their lives," Puckey told me. "Almost as if they could be doing something different every minute. As if every minute counts." You can read the tweets in essay form here. More Marclay-esque is this spinoff website that lets you watch a carousel of @alltheminutes tweets in real time based on your time zone. But on Twitter, @alltheminutes warps the real-time experience. Partly because the experience of reading tweets often means you encounter them minutes or even hours after they were retweeted, but also because people are tweeting from all over the world in different time zones to begin with. For instance, this morning when it was 7:42 a.m. for me, @alltheminutes retweeted someone from six hours in the future and two years in the past, from 1:42 p.m. on a March day in 2012.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

FDIC offers guidance for using open source software (FDIC, October 2004) -- The Federal Deposit Insurance Corp. has released guidance for banks on managing risks associated with the use of free and open source software as part of their overall information technology programs. Although open source software does not pose risks that are fundamentally different from the risks presented by the use of proprietary or self-developed software, the FDIC says, open source software may require banks to establish "unique risk management practices."

San Francisco sets goal of free citywide wifi (Reuters, 21 Oct 2004) -- San Francisco Mayor Gavin Newsom set a goal on Thursday of providing free wireless Internet activity in his city that sees itself as a vanguard of the Internet revolution. "We will not stop until every San Franciscan has access to free wireless Internet service," he said in his annual state of the city address. "These technologies will connect our residents to the skills and the jobs of the new economy." "No San Franciscan should be without a computer and a broadband connection." He said the city had already made free WiFi service available at Union Square, a central shopping and tourist hub, and would add access to several other sections of the city including Civic Center around City Hall.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, November 29, 2014

MIRLN --- 1-29 Nov 2014 (v17.16)

MIRLN --- 1-29 Nov 2014 (v17.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Software companies now on notice that encryption exports may be treated more seriously: $750,000 fine against Intel subsidiary (Goodwin Procter, 15 Oct 2014) - On October 8, 2014, the Department of Commerce's Bureau of Industry and Security (BIS) announced the issuance of a $750,000 penalty against Wind River Systems, an Intel subsidiary, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List. Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations. We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS's treatment of violations of the encryption regulations. Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies - a message that BIS seemed intent upon making in its announcement. Encryption is ubiquitous in software products. Companies making these products should reexamine their product classifications, export eligibility, and internal policies and procedures regarding the export of software that uses or leverages encryption (even open source or third-party encryption libraries), particularly where a potential transaction on the horizon - e.g., an acquisition, financing, or initial public offering - will increase the likelihood that violations of these laws will be identified.

First person passes the legal tech audit - no lawyers, yet (Lawyerist, 3 Nov 2014) - On the one hand, congrats are in order to Lore Mariano for being the first person to get a passing grade on the Legal Tech Audit. On the other hand, Mariano is not a lawyer. According to her LinkedIn profile, she is an IT consultant who "train[s] Colgate's worldwide legal staff to use legal applications for document and matter management."

Which means not a single lawyer has passed the test. I hope Casey Flaherty will update us when a lawyer finally does.

Specialized cyber liability insurance policies proliferate as general liability insurers refuse coverage for data breaches (King & Spalding, 3 Nov 2014) - Travelers Indemnity Company filed an action this month in the United States District Court for the District of Connecticut for a declaratory judgment that it is not obligated to defend or indemnify its policyholder, P.F. Chang's, for losses arising from the restaurant's recent data breach. P.F. Chang's card processing systems were compromised at about 33 restaurant locations from October 2013 through June 2014, resulting in the theft of customer data from credit and debit cards, including names, card numbers and expiration dates. Customers have filed three class actions seeking damages under a variety of contract, tort and consumer fraud claims. Travelers argues that the losses are not covered under the commercial general liability policies it issued to P.F. Chang's in 2013-14 because an electronic data breach does not constitute property damage or bodily injury under their insurance agreement, and the agreement expressly excludes "electronic media and records" from the definition of "property damage." P.F. Chang's is alleged to have a separate cyber liability insurance policy with a self-funded retention requirement. With data breaches becoming more common, the number and variety of specialized cyber insurance policies have proliferated. But these cyber policies may provide substantially less coverage than general liability policies. While cyber policies typically cover costs for customer notification, crisis management, litigation defense and regulatory responses, they do not generally cover intangible losses to reputation, brand or market share. Obtaining adequate coverage is difficult because cyber-related losses are hard to quantify - intangible losses are difficult to estimate, and there may be a lack of information to calculate the probability of a data breach. Even if the federal district court were to determine that P.F. Chang's commercial general liability policy covers its data breach, Travelers urges the court to construe the self-funded retention requirement in the cyber policy as modifying the restaurant's general policy, thus limiting any payouts to the terms of the cyber policy and restricting the more generous payouts of the general liability policy.

- and -

Governments eager to help market for cyber insurance develop (Nossaman, 12 Nov 2014) - With e-commerce projected to account for 10% of all retail sales or approximately $370 billion in sales by 2017 in the United States alone, it is easy to see why world governments are concerned with the potential threat to the ever growing and increasingly interconnected online marketplace. Indeed, if you run a simple Google search for "cyber insurance," the first hit is from the U.S. Department of Homeland Security. As recently as July 2014, the DHS published a report, Insurance for Cyber-Related Critical Infrastructure Loss. Not to be outdone by its progeny, the government of the United Kingdom weighed in on the issue, opining that cyber insurance was critical for online businesses and expressing its support for the growth of a cyber insurance market in a joint government and industry statement on the cyber insurance market. Given the projected trends in online retail sales for European countries and the US, it is easy to see why governments might be somewhat anxious to see a cyber insurance marketplace develop. As the joint statement posted by the United Kingdom Cabinet Office put it, "[i]nsurers providing cyber breach and wider operational risk cover can play an integral role in driving improvements in cyber security risk management." The joint statement also noted that beyond helping insureds recover losses following a data breach, cyber insurance may provide insureds "front end risk analysis to gauge the organisation's exposure to cyber risk, and deliver rapid incident response services that are critical to minimising the impact of a breach." That the UK and US governments have expressed an interest in working with insurers to discuss the development of a cyber insurance market bodes well for the healthy and speedy development of such a marketplace. The DHS's report details some of the critical challenges in the development of a cyber insurance market, including "a lack of actuarial data; aggregation concerns; and the unknowable nature of all potential cyber threat vectors." While all insurable events have an inherently "unknowable nature" (otherwise you wouldn't have to insure against them), the recognition of the challenges to gathering accurate actuarial data is significant.

Who's minding best practices: A look at what it takes to secure a network (InsideCounsel, 4 Nov 2014) - Most organizations have good intentions to follow "cybersecurity best practices," but the sticking point comes when deciding what these practices are and how they relate to individual businesses. While lawyers have an ethical duty to protect information under Rule 1.6: Confidentiality of Information and businesses that accept credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements, there is much more to securing a network than following best practices and requirements. Certainly following these practices is important, but following their intent is what makes the difference between protecting a business and performing perfunctory duties. Before the recent spate of breaches on some big-name retailers, you may have thought that with all the rules and regulatory requirements retailers are subject to under PCI DSS that their networks would be secure. However, the problem often lies with what these companies are not doing rather than what they are doing. While these companies may have "followed best practices," they may not have done what would have been best, either because of a lack on their end or on their adviser's end.

It's illegal to share photos of your ballot online in many states. Here's why. (Washington Post, 4 Nov 2014) - This Election Day, feel free to tell Facebook you voted. Get that jaunty little voting hat on Tumblr. Tweet it on the #election2014 hashtag. But unless you live in Wyoming, North Dakota or a small handful of other states, do not, for the love of democracy, share a photo of your ballot on social media. "Ballot selfies," as they've been dubbed, are still illegal in most of the country - and punishable by ballot invalidation, if not significant fines or jail time. So, in an age where ceaseless self-documentation has become the cultural norm, why do those laws exist in the first place? "It's a very unusual case," says Jeffrey Hermes, the deputy director of the Media Law Resource Center in New York. "Usually banning political speech would be a violation of the First Amendment. But with photography at polling places, there's an intersection of two fundamental aspects of democracy: freedom of speech and the integrity of the voting process." Hermes breaks it down this way: Suppose you were a nefarious character who wanted to skew the voting process in some way. You could buy votes, but you'd want proof that people actually voted like you told them to. You could mislead people who don't understand the voting process or don't speak English well. You could intimidate other voters into voting like you do. In these cases, photos from inside the voting booth would really help you, the nefarious character, perpetrate election fraud. And so, many states have just banned those photos categorically. In this narrow circumstance, they've indicated, there's something more essential to democracy than free speech.

- and -

Internet voting hack alters PDF ballots in transmission (Threat Post, 13 Nov 2014) - Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren't where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called "Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering" that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as a voting alternative for those displaced by Hurricane Sandy. The ballots are downloaded, filled out and emailed; the email is equivalent to putting a ballot into a ballot box. Election authorities then either print the ballots and count them by hand, or count them with an optical scanner. The Galois attack is by no means the only attack that threatens Internet voting; malware on a voter's machine could redirect traffic or cause a denial of service condition at the election authority. But the attack described in the paper is certainly a much quieter attack that the researchers say is undetectable, even in a forensics investigation.

Germany's top publisher bows to Google in news licensing row (Re/Code, 5 Nov 2014) - Germany's biggest news publisher, Axel Springer, has scrapped a bid to block Google from running snippets of articles from its newspapers, saying that the experiment had caused traffic to its sites to plunge. Springer said a two-week-old experiment to restrict access by Google to its news headlines had caused Web traffic to its publications to plunge, leading it to row back and let Google once again showcase Springer news stories in its search results. Chief Executive Mathias Doepfner said on Wednesday that his company would have "shot ourselves out of the market" if it had continued with its demands for the U.S. firm to pay licensing fees. Springer, which publishes Europe's top-selling daily newspaper, Bild, said Google's grip over online audiences was too great to resist, a double-edged compliment meant to ram home the publisher's criticism of what it calls Google's monopoly powers. Publishers in countries from Germany and France to Spain have pushed to pass new national copyright laws that force Google and other web aggregators to pay licensing fees - dubbed the Google Tax - when they publish snippets of their news articles. Under German legislation that came into effect last year, publishers can prohibit search engines and similar services from using their news articles beyond headlines. Last week, Spain's upper house passed a similar law giving publishers an "inalienable" right to levy such licensing fees on Google.

top

British intelligence spies on lawyer-client communications, government admits (GigaOM, 6 Nov 2014) - After the Snowden leaks, British lawyers expressed fears that the government's mass surveillance efforts could undermine the confidentiality of their conversations with clients, particularly when those clients were engaged in legal battles with the state. Those fears were well-founded. On Thursday the legal charity Reprieve, which provides assistance to people accused of terrorism, U.S. death row prisoners and so on, said it had succeeded in getting the U.K. government to admit that spy agencies tell their staff they may target and use lawyer-client communications "just like any other item of intelligence." This is despite the fact that both English common law and the European Court of Human Rights protect legal professional privilege as a fundamental principle of justice. Reprieve noted that the government had previously claimed three times that it could not disclose the information it has now disclosed (PDF) in heavily redacted form. According to that information, the acceptability of spying on lawyer-client communications is largely backed up by the Regulation of Investigatory Powers Act (RIPA), which was recently revised to allow surveillance of all sorts of online channels, as well as of phone calls and emails.

top

- and -

US government planes collecting phone data, report claims (BBC, 14 Nov 2014) - Devices that gather data from millions of mobile phones are being flown over the US by the government, according to the Wall Street Journal. The "dirtbox" devices mimic mobile phone tower transmissions, and handsets transmit back their location and unique identity data, the report claims. While they are used to track specific suspects, all mobile devices in the area will respond to the signal. The US Justice Department refused to confirm or deny the report. The Wall Street Journal said it had spoken to "sources familiar with the programme" who said Cessna aircraft fitted with dirtboxes were flying from at least five US airports. The department said that it operated within federal law.

top

The FBI impersonates the media: some of the rules governing cyber-subterfuge (Lawfare, 7 Nov 2014) - The developing story of the FBI's impersonation of journalists is, in a way, really the story of Timberline high school in Washington State. In June of 2007 Timberline had received a series of bomb threats, prompting a week of evacuations. The FBI and local law enforcement traced the problem to an anonymous account on the MySpace social media site. But the trail seemed to stop there, as investigators were unable to ascertain the identity of the person or persons behind the account. So the feds resorted to subterfuge. According to a letter sent from FBI Director James Comey to the editor of the New York Times, an undercover agent, relying on "an agency behavioral assessment that the anonymous suspect was a narcissist," "portrayed himself as an employee of The Associated Press" and sent the MySpace account a message via MySpace's internal communications channel. In the message, the agent apparently asked if the suspect would be willing to review a draft AP article about the threats and attacks, to be sure that the anonymous suspect was portrayed fairly. The message then linked to what seemed to be the draft Associated Press story. There was a catch. The AP story and link were fakes, and had been designed by the FBI to mimic the appearance and feel of a genuine AP article. That wasn't all either. The link also contained a particular kind of malware, meant to enable the FBI surreptitiously to uncover the location and IP address of the computer behind the anonymous MySpace account. The ruse worked. Upon receipt, the suspect clicked on the link, thereby unwittingly downloading the malware and revealing case-making investigative information to the FBI. He later pleaded guilty to making the bomb threats to Timberline.
* * * Given these fierce reactions to the Timberline episode, an important question has again been raised: What rules apply to this sort of law enforcement trickery? Below, I overview two potentially relevant constraints: policies employed within the FBI itself, as well as Fourth Amendment limits set by courts. (To be clear, I do not mean to canvass every legal issue raised by the episode.) * * *

top

- and -

FBI agents pose as repairmen to bypass warrant process (Bruce Schneier, 26 Nov 2014) - This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant. From the motion to suppress: The next time you call for assistance because the internet service in your home is not working, the "technician" who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- when he shows up at your door, impersonating a technician -- let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have "consented" to an intrusive search of your home. Basically, the agents snooped around the hotel room, and gathered evidence that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians. More coverage of the case here. This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can't be sure they are not government agents in disguise, then we've lost quite a lot of our freedom and liberty.

top

Efforts to protect US government data against hackers undermined by worker mistakes (The Guardian, 10 Nov 2014) - A $10bn-a-year effort to protect sensitive government data, from military secrets to social security numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors. Workers scattered across more than a dozen agencies, from the defense and education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an Associated Press analysis of records. They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information. One was redirected to a hostile site after connecting to a video of tennis star Serena Williams. A few act intentionally, most famously former National Security Agency contractor Edward Snowden, who downloaded and leaked documents revealing the government's collection of phone and email records. At a time when intelligence officials say cybersecurity trumps terrorism as the No. 1 threat to the US - and when breaches at businesses such as Home Depot and Target focus attention on data security - the federal government isn't required to publicize its own data losses. From 2009 to 2013, the number of reported breaches just on federal computer networks - the .gov and .mils - rose from 26,942 to 46,605, according to the US Computer Emergency Readiness Team. Last year, US-CERT responded to a total of 228,700 cyberincidents involving federal agencies, companies that run critical infrastructure and contract partners. That's more than double the incidents in 2009. And employees are to blame for at least half of the problems.
Last year, for example, about 21% of all federal breaches were traced to government workers who violated policies; 16% who lost devices or had them stolen; 12% who improperly handled sensitive information printed from computers; at least 8% who ran or installed malicious software; and 6% who were enticed to share private information, according to an annual White House review.

top

A hacker built a dark net version of the FBI tip line (Motherboard, 11 Nov 2014) - A London-based programmer has set up a new hidden service for anyone using Tor to submit anonymous tips to the FBI. With the new .onion hidden service link (http://tksgyw4u4t6peema.onion/), which accesses the FBI's tips page through a reverse proxy, Mustafa Al-Bassam told me in an IRC chat that he's engineered a "proof-of-concept," demonstrating how the bureau might go about setting up a more secure system for receiving crime tips. "Law enforcement won't be taken seriously in the debate about anonymity if all they show is a binary interest to prosecute criminals at all cost," said Al-Bassam, the youngest-ever-identified former member of the hacking group, LulzSec. "Tor has great utility for law enforcement who wish to receive crime tips from public."

top

ISPs removing their customers' email encryption (EFF, 11 Nov 2014) - Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag, called STARTTLS, from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client. By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewalls, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception. This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does. [Polley: Many law firms use "opportunistic TLS" to encrypt email transmissions; this flag-stripping may disable such protections.]
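The stripping described above is visible in the SMTP handshake itself: a server advertises STARTTLS as one keyword in its multi-line EHLO reply, and a middlebox that wants to block encryption removes or masks that keyword so the client never sees it. The following is an added example, not code from the EFF post or from any of the providers it names. It parses an EHLO reply and classifies it as clean, stripped, or simply not offering STARTTLS. The two replies are constructed samples, and the "XXXXXXXX" masking pattern is an assumption about how an inspecting firewall might overwrite the keyword, not a captured trace.

```python
"""Classify an SMTP EHLO reply for STARTTLS stripping.

Added example (not from the EFF post). The replies below are constructed
samples; the masked-keyword form is an assumption used for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: a clean reply in which the server offers STARTTLS.
EHLO_OK = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Constructed sample: the same reply after a middlebox has overwritten the
# STARTTLS keyword with filler (assumed masking style, not captured traffic).
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-XXXXXXXX\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


@dataclass
class EhloResult:
    extensions: list       # keywords advertised after the greeting line
    starttls: bool         # True if STARTTLS was among them
    masked: bool           # True if a keyword was replaced by filler X's
    verdict: str           # "ok", "stripped" or "not-offered"


def parse_ehlo(reply: str) -> list:
    """Return extension keywords from a multi-line 250 reply.

    RFC 5321 reply format: continuation lines are "250-<text>", the final
    line is "250 <text>". The first line is the server greeting, not an
    extension, so it is skipped.
    """
    keywords = []
    for index, line in enumerate(reply.splitlines()):
        match = re.match(r"^250([ -])(.*)$", line)
        if not match:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        separator, text = match.groups()
        if index > 0:
            # Keyword is the first token; parameters (e.g. SIZE 52428800) follow.
            keywords.append(text.split(" ", 1)[0].upper())
        if separator == " ":
            break  # last line of the reply
    return keywords


def assess(reply: str) -> EhloResult:
    """Decide whether the peer offered STARTTLS and whether it looks tampered."""
    keywords = parse_ehlo(reply)
    starttls = "STARTTLS" in keywords
    # A keyword consisting only of X's is not a valid extension name; treat it
    # as evidence that something rewrote the reply in transit.
    masked = any(re.fullmatch(r"X{4,}", k) for k in keywords)
    if starttls:
        verdict = "ok"
    elif masked:
        verdict = "stripped"
    else:
        verdict = "not-offered"
    return EhloResult(keywords, starttls, masked, verdict)


if __name__ == "__main__":
    for label, sample in (("clean", EHLO_OK), ("tampered", EHLO_STRIPPED)):
        result = assess(sample)
        print(f"{label}: {result.verdict} (extensions={result.extensions})")
```

On a live connection the same decision can be made with the standard library: after `smtplib.SMTP.ehlo()`, `has_extn("starttls")` tells you whether the keyword survived the path. A sending server that wants to avoid the plaintext fallback the article describes would refuse to continue, or alert, whenever the verdict is anything other than "ok" for a peer that is known to support TLS.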

top

Tourists warned they are breaking the law because taking photos of the Eiffel tower at night or sharing images on Facebook is illegal (Daily Mail, 12 Nov 2014) - Lit up at night, the Eiffel Tower is one of the most iconic sights in the world. It's an image that embodies the French capital. But an obscure clause in EU copyright rules means that taking and sharing photos of the tower taken in the evening is actually a violation that could land tourists with a fine. The Eiffel Tower was built in 1889 which means that it falls within the public domain, so tourists can snap away liberally during the day. But the impressive lights that illuminate the attraction at night are technically an art work, so 'reproducing' it requires the permission of the artist. It also means that it is technically illegal to share images of the Eiffel Tower on social media sites such as Facebook. While the EU's 2001 information society directive says photographs of architectural works in public spaces can be taken free of charge, the clause is optional. Countries including Italy, Belgium and France opted out of transposing it into national law. 'The lightshow is protected by copyright,' Dimitar Dimitrov, a policy expert for the European Wikimedia chapters in Brussels, said. On its website, the Eiffel Tower confirms that uses of photographs are subject to certain restrictions.

top

DC Court rules that Top-Level Domain not subject to seizure (David Post on the Volokh Conspiracy, 13 Nov 2014) - As I mentioned several months ago, a group of plaintiffs, having obtained judgments in US courts against the government of Iran, has been seeking to satisfy those judgments via writs of attachment - court-ordered seizures - of property belonging to the Iranian government. This can be a relatively straightforward process when applied to bank accounts, real estate, or tangible personal property - the usual targets of seizure orders. But the plaintiffs here sought to seize the .ir top-level domain - the ccTLD ("country-code top level domain," as distinguished from the "generic top-level domains" like .com, .org, and the like) associated with Iran. This is, plaintiffs asserted, property belonging to the Iranian government, held here in the U.S. by ICANN, the US-based administrator of the global Domain Name System (DNS), on whom the writ of attachment was served. * * * On Monday, Judge Lamberth of the DC District Court wisely dismissed the writs of attachment, holding that the ccTLD was not "property subject to attachment in the District of Columbia." This is the right result for many reasons - not least of which is that the DNS is a public resource of enormous value on which a substantial amount of the world's trade and commerce and entertainment and communication now takes place, and the notion that pieces of it are available to satisfy private judgments would wreak havoc on the public Internet. Judge Lamberth didn't feel the need to go into all that - his ruling rests on the narrower (but perhaps more stable) ground that the "property" right in a ccTLD is "inextricably bound to" and "cannot be conceptualized apart from" the services provided by the ccTLD manager and the root zone administrator and the rest of the DNS, and as such can't be attached or seized (under the general rule that services are not attachable or seizable). Good stuff.

top

Homeland Security alerts on end of Windows Server 2003 support (ZDnet, 13 Nov 2014) - An alert from US-CERT (the Computer Emergency Readiness Team) warns of dangerous consequences for organizations that continue to run Windows Server 2003 R2. Microsoft has scheduled the end of support for this operating system on July 14, 2015. This applies to both the initial and R2 editions of Windows Server 2003. Although it was released over 11 years ago, Windows Server 2003 remains popular. Redmond Magazine cites Microsoft as saying that as of July of this year there were 24 million instances of Windows Server 2003 running on 12 million physical servers globally. In North America there are 9.4 million instances and, worldwide, Windows Server 2003 still constitutes 39 percent of the Windows Server installed base. After July 14, 2015 (a Patch Tuesday) these servers will no longer receive security updates or assisted technical support. Microsoft has been conducting its own campaign to get customers to upgrade. As with Windows XP, organizations can pay Microsoft for an extension of support.

top

Info on 8,000 Seattle Schools students improperly released (Seattle Times, 14 Nov 2014) - A law firm contracting with Seattle Public Schools improperly released confidential information about thousands of students as part of a lawsuit over special-education services, prompting an apology from the district and a request for the man who received the records to delete or return them. Sam Morley, the legal guardian of a student, alerted district officials on Tuesday that he had received, via email, documents with information about individual students, including whole special-education plans, disciplinary records, student test scores and transportation records with students' names and home addresses. By Morley's count, he received confidential information about more than 8,000 students, including what appears to be the entire caseload for a special-education manager at Roosevelt High School. The district's lawyer, Ron English, responded to Morley with an email assuring him that his case would no longer be handled by the firm, Preg O'Donnell & Gillett, which has offices in Seattle, Portland and Anchorage. "Protection of student privacy is of critical importance, and the disclosures by our outside law firm are not acceptable," English wrote. "Although I have not had time to confirm the exact details of the disclosure as you describe them below, I have confirmed that disclosures did occur on a broad scale." The law firm did not respond to emails from The Seattle Times seeking comment. The school district is asking for assistance from the U.S. Department of Education to investigate how it happened. [Polley: This is perhaps the first time a law firm has been publicly tagged for a security problem, but it won't be the last. The first firms to suffer this kind of publicity will lose clients, as apparently here, but eventually a "new normal" will emerge.]

top

ABA launches website to aid unaccompanied minors (VOXXI, 14 Nov 2014) - Child advocates have for months voiced concerns about unaccompanied minors not having an attorney by their side in immigration court, and now the American Bar Association is stepping in to help. The group launched a website this week as a resource for attorneys who want to volunteer their time to help unaccompanied minors navigate through the immigration system. The goal is to get more attorneys to provide unaccompanied minors with legal representation on a pro bono basis. "The ABA steps up when justice is at stake," American Bar Association President William C. Hubbard said in a statement. "We support legal representation for unaccompanied children in the U.S. immigration court system. We are acting not only out of concern for the welfare of these children, but also because all parties benefit when vulnerable children are competently represented by counsel in adversarial proceedings." The website is dubbed the Immigrant Child Advocacy Network. It was put together by the American Bar Association's working group on unaccompanied minors in collaboration with partner organizations, like Kids in Need of Defense and the American Immigration Lawyers Association. The website provides links to resources and training materials on issues related to legal representation of children. It also provides a calendar of ongoing pro bono training opportunities and a list of legal providers who are looking for volunteers to assist children.

top

McPeak on social media & civil discovery (Legal Theory Blog, 14 Nov 2014) - Agnieszka McPeak (University of Toledo College of Law) has posted Social Media Snooping and Its Ethical Bounds (Arizona State Law Journal, 2014 Forthcoming) on SSRN. Here is the abstract: Social media has entered the mainstream as a go-to source for personal information about others, and many litigators have taken notice. Yet, despite the increased use of social media in informal civil discovery, little guidance exists as to the ethical duties - and limitations - that govern social media snooping. Even further, the peculiar challenges created by social media amplify ambiguities in the existing framework of ethics rules and highlight the need for additional guidance for the bench and bar. This article offers an in-depth analysis of the soundness and shortcomings of the existing legal ethics framework, including the 2013 revisions to the American Bar Association's model rules, when dealing with novel issues surrounding informal social media discovery. It analyzes three predominant ethics issues that arise: (1) the duty to investigate facts on social media, (2) the no-contact rule and prohibitions against deception, and (3) the duty to preserve social media evidence. While the first two issues can be adequately addressed under the existing framework, the rules fall short in dealing with the third issue, preservation duties. Further, even though the existing ethics rules can suffice for the most part, non-binding, supplemental guidelines, or "best practices," should be created to help practitioners and judges navigate the ethical issues created by new technology like social media.

top

Fitbit data now being used in the courtroom (Forbes, 16 Nov 2014) - Personal injury cases are prime targets for manipulation and conjecture. How do you show that someone who's been in a car accident can't do their job properly, and deserves thousands of dollars in compensation? Till now lawyers have relied on doctors to observe someone for half an hour or so and give their sometimes-biased opinion. Soon, they might also tap the wealth of quantifiable data provided by fitness trackers. A law firm in Calgary is working on the first known personal injury case that will use activity data from a Fitbit to help show the effects of an accident on their client. The young woman in question was injured in an accident four years ago. Back then, Fitbits weren't even on the market, but given that she was a personal trainer, her lawyers at McLeod Law believe they can say with confidence that she led an active lifestyle. A week from now, they will start processing data from her Fitbit to show that her activity levels are now under a baseline for someone of her age and profession. The lawyers aren't using Fitbit's data directly, but pumping it through analytics platform Vivametrica, which uses public research to compare a person's activity data with that of the general population.

top

New crowdsourced law site is part of larger project to 'annotate the world' (Law Sites, 17 Nov 2014) - There is something very fitting in the fact that a site that started out deciphering rap lyrics is now turning its attention to making sense of the law. The site, Law Genius, is the newest member of the larger Genius network of crowdsourced community sites, all of which grew out of the original site, Rap Genius, which was started in 2009 for the purpose of listing and annotating rap lyrics. Soon, users started using the site to annotate all sorts of other stuff, from the collected works of Shakespeare to the roster of the 1986 New York Mets to the warnings on the back of a Tylenol bottle. Last July, the site officially relaunched as Genius, becoming a hub for a range of communities devoted to topics such as rock, literature, history, sports, screen and tech. All are united by the site's overarching goal, "to annotate the world." Genius breaks down text with line-by-line annotations, added and edited by anyone in the world. It's your interactive guide to human culture. Now law is the latest addition to this ambitious effort at global annotation. It is an effort to crowdsource statutes, case law and other legal news. At the helm of the project, as executive editor of Law Genius, is Christine Clarke, a 2010 graduate of Yale Law School who practiced plaintiff-side employment law in Manhattan before joining Law Genius full time. At Law Genius, any registered user can add text and annotate any text. Other users can vote up or down on annotations, or add their own suggestions to the annotations. As you view text, any portion that is highlighted has an annotation. Click on the highlighted text to view the annotation. To add your own annotation, just highlight a selection of text.

top

TRUSTe settles FTC charges it deceived consumers through its privacy seal program (FTC, 17 Nov 2014) - TRUSTe, Inc., a major provider of privacy certifications for online businesses, has agreed to settle Federal Trade Commission charges that it deceived consumers about its recertification program for companies' privacy practices, as well as perpetuated its misrepresentation as a non-profit entity. TRUSTe provides seals to businesses that meet specific requirements for consumer privacy programs that it administers. TRUSTe seals assure consumers that businesses' privacy practices are in compliance with specific privacy standards like the Children's Online Privacy Protection Act (COPPA) and the U.S.-EU Safe Harbor Framework. The FTC's complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in over 1,000 incidences, despite providing information on its website that companies holding TRUSTe Certified Privacy Seals receive recertification every year. In addition, the FTC's complaint alleges that since TRUSTe became a for-profit corporation in 2008, the company has failed to require companies using TRUSTe seals to update references to the organization's non-profit status. Before converting from a non-profit to a for-profit, TRUSTe provided clients model language describing TRUSTe as a non-profit for use in their privacy policies. The proposed order announced today will help ensure that TRUSTe maintains a high standard of consumer protection going forward. Under the terms of its settlement with the FTC, TRUSTe will be prohibited from making misrepresentations about its certification process or timeline, as well as being barred from misrepresenting its corporate status or whether an entity participates in its program.
In addition, TRUSTe must not provide other companies or entities the means to make misrepresentations about these facts, such as through incorrect or inaccurate model language.

top

Getting your board's buy-in on cybersecurity (Computerworld, 18 Nov 2014) - You don't want your first discussion about cybersecurity with your company's board of directors to happen post-breach. Start educating the board now. Explain the scope and components of a comprehensive security program, and be clear about how far your company's program falls short of optimal effectiveness. The board members need to understand that, at a minimum, a good cybersecurity program should include processes to manage patches, review logs, force secure passwords and train staff not to open emails from Nigerian princes. They probably also need to be educated about the policies and procedures that have to be put in place just to meet the security regulations and standards of legislation such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley and industry initiatives such as PCI and EMV. They need to know that you recognize the dangers of collecting and storing data that's subject to regulation and will do so only when there is no other option. And they need to see how the procedures controlling all these processes have been thoroughly documented and are regularly tested. But those are just the basics. A truly comprehensive cybersecurity program involves much more, and you need to make your board aware of what those things are, so that it can ensure that sufficient resources are allocated. Some of the things to consider undertaking and funding are these: * * * Most importantly, both IT and the board should not delude themselves that a breach won't happen to them. As Joseph Demarest, assistant director of the FBI's cyberdivision, said at a recent cybersecurity conference, "You're going to be hacked. Have a plan."

top

There's a Commerce Department 'SWAT team' opening up government data (Washington Post, 18 Nov 2014) - Launched in 2009, Data.gov was one of the Obama administration's flagship efforts to produce a more open government. But though the site is full of raw data, Secretary of Commerce Penny Pritzker suggests it's not nearly as useful as it could be. Data.gov was supposed to hold heaps of data created by the federal government as it goes about its day-to-day business, boosting government transparency. And it's worked in some cases. National Oceanic and Atmospheric Administration data stored on the site has given birth to scores of weather apps and countless meteorologists' careers, for example. But in a visit to the D.C. start-up hub 1776 on Monday, Pritzker said that one of the surprises of becoming secretary of commerce last year was finding that the department didn't have all that much to show for the great heaps of data it had shoveled onto the site. The Data.gov team housed at the U.S. General Services Administration "called us up and said you haven't been contributing appropriately," Pritzker said. "And so we dumped our 39,000 data sets on Data.gov" -- from lists of people banned from exporting products from the United States to statistics on shark death rates in the Florida commercial fishing industry. But that is not enough, she said. "The point is just dumping data sets out there is not useful," said Pritzker. "What we need to do is to figure out a strategy." Pritzker said the department is pulling together a "SWAT team" with help from U.S. Chief Technology Officer Megan Smith to determine "the most exciting" things they can do with the data stored on the site during what remains of the Obama administration's tenure.

top

- and -

OCDS - Notes on a standard (Berkman's Tim Davies, 19 Nov 2014) - Today sees the launch of the first release of the Open Contracting Data Standard (OCDS). The standard, as I've written before, brings together concrete guidance on the kinds of documents and data that are needed for increased transparency in processes of public contracting, with a technical specification describing how to represent contract data and meta-data in common ways. The video below provides a brief overview of how it works (or you can read the briefing note), and you can find full documentation at http://standard.open-contracting.org . * * *

top

- and -

The largest free collection of law reviews on the Web (Law Sites, 24 Nov 2014) - I try to cover sites here soon after they launch, but every so often I miss one. In this case, I missed a big one. Launched in August 2013, Law Review Commons is the largest open-access law review portal on the web. It provides access to more than 200 law reviews containing more than 150,000 articles. The oldest law reviews in its collection date back to 1852. The site currently includes law reviews from law schools such as Berkeley, Boston College, Cornell, Chicago, Pennsylvania, Villanova and Yale. Missing from the collection are several top-tier schools such as Harvard, Stanford and Columbia. A search function enables you to find articles on the site. The search is not full text, but rather searches fields such as title, abstract, subject, author, institution, document type and publication name. You can also browse and find law reviews in several ways. A master list arranges all law reviews by their law school. You can also browse law reviews alphabetically by title, by the subject they cover, or by specific works and authors within a subject area. The actual articles are in PDF format. One other feature of the site is a world map showing readership in real time. As articles are downloaded, the location of the downloader is shown on the map and a text box displays the reader's location in the world and the title of the download.

top

- and -

Gates goes open (InsideHigherEd, 24 Nov 2014) - The Bill & Melinda Gates Foundation will require grant recipients to make their research publicly available online -- a multibillion-dollar boost to the open access movement. The sweeping open access policy, which signals the foundation's full-throated approval for the public availability of research, will go into effect Jan. 1, 2015, and cover all new projects made possible with funding from the foundation. The foundation will ease grant recipients into the policy, allowing them to embargo their work for 12 months, but come 2017, "All publications shall be available immediately upon their publication, without any embargo period." "We believe that our new open access policy is very much in alignment with the open access movement which has gained momentum in recent years, championed by the NIH, PLoS, Research Councils UK, Wellcome Trust, the U.S. government and most recently the WHO," a spokeswoman for the foundation said in an email. "The publishing world is changing rapidly as well, with many prestigious peer-reviewed journals adopting services to support open access. We believe that now is the right time to join the leading funding institutions by requiring the open access publication of our funded research." The foundation explained the broad outlines of the open access policy in a five-point list posted to its website. All reports, along with their underlying data, will be published under a Creative Commons (or equivalent) license, tagged with metadata and placed in repositories to ensure they are discoverable.

Lawsuits for HIPAA violations and beyond: a journey down the rabbit hole (Prof. Dan Solove, 18 Nov 2014) - At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. So do many other privacy and data security laws, such as FERPA, the FTC Act, the Gramm-Leach-Bliley Act, among others. That means that these laws don't provide people with a way to sue when their rights under these laws are violated. Instead, these laws are enforced by agencies. But wait! Stop the presses! A recent decision by the Connecticut Supreme Court has concluded that people really can sue for HIPAA violations. As I will explain later, this is not a radical conclusion . . . though the implications of this conclusion could be quite radical and extend far beyond HIPAA. A number of folks have blogged about this case, but not many have explored the depths of this rabbit hole. Let's start with the Connecticut Supreme Court decision, and then follow the White Rabbit. * * * [Polley: As usual, it's worth reading the rest of Prof. Solove's posting.]

New AAA rules (and annual fees) may require you to change your terms of service (Baer Crossey, 19 Nov 2014) - The American Arbitration Association (AAA) now requires businesses to notify the AAA of their intent to use AAA arbitration in standard consumer contracts and to pay fees to review the arbitration agreement; otherwise, the AAA can refuse the arbitration. On September 1, 2014, the AAA released new arbitration rules and supplemental procedures governing standard, business-to-consumer contracts for personal or household products and services (such as terms of service for websites and mobile apps). As part of the new rules, companies that require (or intend to require) AAA arbitration in their standard, consumer agreements must: (1) Notify the AAA at least 30 days before the planned effective date of the contract, and (2) Pay AAA to review and register the arbitration clause to ensure the clause's compliance with the Consumer Due Process Protocol and AAA Consumer Arbitration Rules. The new fees involve nonrefundable upfront and yearly recurring costs. If a company registers its clause in 2014, the fee is $650, which covers 2014 and 2015. Renewal fees for subsequent years are currently $500 per year. If a standard, consumer contract has an un-reviewed (and unpaid) provision providing for AAA arbitration, the company may seek expedited review of the clause upon a demand for arbitration, but the expedited review costs an additional $250. Furthermore, the AAA may refuse to take the arbitration if it determines that clause is not in material compliance with the Consumer Due Process Protocol or the Consumer Arbitration Rules. Given how recently the new rules have been released, there isn't much historical experience to determine how frequently or under what circumstances the AAA will refuse to take arbitrations.

Amnesty releases anti-spying program for activists (BBC, 19 Nov 2014) - Amnesty International has released a program that can spot spying software used by governments to monitor activists and political opponents. The Detekt software was needed as standard anti-virus programs often missed spying software, it said. Amnesty said many governments used sophisticated spying tools that could grab images from webcams or listen via microphones to monitor people. "These spying tools are marketed on their ability to get round your bog-standard anti-virus," said Tanya O'Carroll, an adviser on technology and human rights at Amnesty International. The makers of spying software did extensive testing to ensure that the way they infected and lurked on a computer did not trigger security alerts, she added. Detekt has been developed over the past two years to spot the few telltale signs spying programs do leave. The intense scan it carries out on a hard drive means a computer cannot be used while Detekt is running. Four separate rights groups - Amnesty International, the Electronic Frontier Foundation, Privacy International and Digitale Gesellschaft - have worked together to create the spyware spotter, which is available free of charge. The first version of Detekt has been written to run on Windows computers because the people most often being monitored use that software, said Ms O'Carroll.

Perfect 10 loses copyright suit against Usenet service provider (Eric Goldman, 25 Nov 2014) - Giganews acts as a USENET service provider. Perfect 10 is the litigious pornographer that has helped define Internet copyright law for the last 15 years. It sued Giganews because Perfect 10's copyrighted images are distributed on USENET. After over three years of pointless litigation, the district court finally put a stop to the lawsuit (in an oddly formatted opinion divided into 3 separate memos). The court rejected Giganews' direct infringement for lack of "volition." The question remains: what does "volition" mean in this context? I've always found the term ambiguous. This ruling is perhaps the most explicit I've seen suggesting that volition is really about something like proximate causation * * * I've added this passage to my Internet Law reader because I think it's the most helpful statement of "volition"/"causation" I've seen to date, even though it's still hardly clear. At minimum, it provides a doctrinal hook (however ambiguous) to channel copyright lawsuits against service providers away from direct infringement and into contributory or vicarious infringement. Naturally, a USENET service provider lacks the requisite causation for USENET content - especially content that wasn't originated by the USENET's own subscribers. But I think this language could be read more broadly to apply to web hosting.

RESOURCES

Information Security and Cyber Liability Risk Management (report by Zurich, Oct 2014) - If there was any doubt as to the existence of a data security epidemic, 2014 likely changed that. This is the year that it became abundantly clear that no business, government, or individual was immune to the threat of an attack. With massive data breaches affecting some of the nation's largest retailers, nation-states being accused of stealing corporate trade secrets, and private celebrity photos being hacked, 2014 has been chock-full of cyber-related headlines. Cybercriminal tactics continued to evolve and the ability to execute attacks became easier. For many companies, being involved in a cyber event went from a question of "if" to "how bad." Small and midsize businesses increasingly realized that they are highly vulnerable. Information security risks have become a risk management focus for more organizations. Thanks largely to a number of high profile retail breaches, 2014 also has been the year that executives and board members began to view cyber risks more seriously. [Polley: Short, interesting report. Shows high level of concern/attention by C-level executives and by Boards. Suggests that most companies think IT (38%) is responsible for managing the compliance issues, with the GC's office second (21%).]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Online voting canceled for Americans overseas (New York Times, 6 Feb 2004) -- Citing security concerns, the Department of Defense yesterday canceled plans to use an electronic voting system that would have allowed Americans overseas to cast votes over the Internet in this year's elections. The system, the Secure Electronic Registration and Voting Experiment, or Serve, was developed with financing from the Defense Department. The decision was announced in a memorandum from Deputy Defense Secretary Paul D. Wolfowitz to David S. C. Chu, under secretary of defense for personnel and readiness. Paraphrasing the memorandum, a Department of Defense spokeswoman said: "The department has decided not to use Serve in the November 2004 elections. We made this decision in view of the inability to ensure legitimacy of votes, thereby bringing into doubt the integrity of the election results." The memorandum says efforts will continue to find ways to cast ballots electronically for Americans overseas and to use Serve for testing and development. The Defense Department move is a significant setback for proponents of various electronic voting initiatives. Efforts to move the nation beyond the problems with paper ballots and hanging chads in the 2000 presidential election include the increased use of touch-screen voting systems and experiments like Saturday's Democratic caucuses in Michigan, which will allow Internet voting. But those initiatives come at a time of increased public distrust of high-tech voting. Critics of touchscreen voting machines, for example, argue that the technology creates a "black box" that allows no independent verification of votes unless a validation tool like a paper receipt system is used.

Reuters defines fair use for bloggers (TechLawAdvisor.com, 1 April 2004) -- Rafat Ali, of PaidContent.org, wondered aloud last week about what Reuters' deal with Fast (to go after copyright infringers online) meant for bloggers. Michael Salk, VP at Reuters Media, was kind enough to provide a response. Reuters Position on Linking From Blogs: "Infringements of our copyright does not include where bloggers quote from and link back to our original story, or where sites display a headline and link back to reuters.com."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.