Saturday, February 22, 2014

MIRLN --- 1-22 Feb 2014 (v17.03)

MIRLN --- 1-22 Feb 2014 (v17.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


Montesquieu, come back! (The French police already know where you are) (Harvard's DMLP, 24 Jan 2014) - On December 19, 2013, the French Loi de Programmation Militaire (the Military Program law, or "LPM"), was enacted. Article 20 of the LPM, which will come into force on January 1, 2015, authorizes the government to require Internet Service Providers (ISPs) and web hosts to provide "information and documents processed or stored," including geolocation data and metadata in real time, without having to first ask for an authorization from a judge. The new law raises serious questions regarding separation of powers and the extent of administrative authority in France * * *


A new "target" on their backs: Target's officers and directors face derivative action arising out of data breach (Global Regulatory Enforcement Law Blog, 30 Jan 2014) - In the wake of its massive data breach, Target now faces a shareholder derivative lawsuit, filed January 29, 2014. The suit alleges that Target's board members and directors breached their fiduciary duties to the company by ignoring warning signs that such a breach could occur, and misleading affected consumers about the scope of the breach after it occurred. Target already faces dozens of consumer class actions filed by those affected by the breach, putative class actions filed by banks, federal and state law enforcement investigations, and congressional inquiries. This derivative action alleges that Target's board members and directors failed to comply with internal processes related to data security and "participated in the maintenance of inadequate cyber-security controls." In addition, the suit alleges that Target was likely not in compliance with the Payment Card Industry's (PCI) Data Security Standards for handling payment card information. The complaint goes on to allege that Target is damaged by having to expend significant resources to: investigate the breach, notify affected customers, provide credit monitoring to affected customers, cooperate with federal and state law enforcement agency investigations, and defend the multitude of class actions. The derivative action also alleges that Target has suffered significant reputational damage that has directly impacted the retailer's revenue.


- and -

Target data breach price tag: $200m (Corporate Counsel, 19 Feb 2014) - Banks and credit unions racked up more than $200 million in expenses from the massive Target Corp. data breach in the last quarter of 2013, trade groups for the financial institutions announced Tuesday. Payment card replacements cost $172 million for banks and $30.6 million for credit unions, according to the Credit Union National Association and Consumer Bankers Association, which has members that include Bank of America Corp., Capital One Financial Corp. and JPMorgan Chase & Co. A majority of the 40 million cardholders Target said the breach affected used cards from the associations' members. The $200 million price tag doesn't include costs from fraudulent activity. But adding in funds devoted to addressing any fraudulent activity would make the total expenses from the data breach "much higher," according to the associations.


Hulu hoops: standing & damages as threshold issues in privacy cases (Paul Hastings, Jan 2014) - Imagine you are in the mall, and you overhear an interaction between a clerk and another shopper. The clerk asks to see a drivers' license to verify their identity. The clerk then remarks, "Your age makes you eligible for our senior discount - you get 10% off on this order!" The shopper, aghast, threatens to sue the store. It's seemingly an empty threat - you can't sue without being hurt, right? According to a California magistrate judge, that's not necessarily true - at least in the context of privacy lawsuits. And as the number of privacy suits continues to skyrocket, that means the cost of doing business is about to go up. That commonsense inkling that someone must be injured in some tangible way to pursue a lawsuit (at least, a lawsuit in federal court) is codified in Article III of the US Constitution, in a legal doctrine known as "standing." To show standing, a plaintiff must allege an injury that is (1) "concrete and particularized" and "actual or imminent," (2) traceable to an action by a defendant, and (3) able to be redressed by a decision of the court. This hurdle has been historically difficult to overcome in privacy suits, where the "injuries" are often nebulous concepts like a "violation of privacy" or "slowing down my computer with cookies." See, e.g., In Re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (rejecting plaintiffs' damages theories under the CFAA, holding that the cost of "remediate" cookies and the alleged decreased value of personal information fail to meet the CFAA damages requirement). But times, they are changing. The Ninth Circuit - a hotbed of innovation and the home jurisdiction for many of the tech companies being sued - has decided that in some cases, simply invoking the name of a federal statute and alleging its violation can provide standing.


Several cybersecurity initiatives lost after Snowden's NSA leaks (LA Times, 1 Feb 2014) - Early last year, as Edward Snowden was preparing to disclose classified documents he had purloined from National Security Agency computers in Hawaii, the NSA director, Gen. Keith Alexander, was gearing up to sell Congress and the public on a proposal for the NSA to defend private U.S. computer networks against cyber attacks. Alexander wanted to use the NSA's powerful tools to scan Internet traffic for malicious software code. He said the NSA could kill the viruses and other digital threats without reading consumers' private emails, texts and Web searches. The NSA normally protects military and other national security computer networks. Alexander also wanted authority to prevent hackers from penetrating U.S. banks, defense industries, telecommunications systems and other institutions to crash their networks or to steal intellectual property worth billions of dollars. But after Snowden, a contractor, began leaking NSA systems for spying in cyberspace that went public in June, Alexander's proposal was a political nonstarter, felled by distrust of his agency's fearsome surveillance powers in the seesawing national debate over privacy and national security. It was one of several Obama administration initiatives, in Congress and in diplomacy, that experts say have been stopped cold or set back by the Snowden affair. As a result, U.S. officials have struggled to respond to the daily onslaught of attacks from Russia, China and elsewhere, a vulnerability that U.S. intelligence agencies now rank as a greater threat to national security than terrorism. "All the things [the NSA] wanted to do are now radioactive, even though they were good ideas," said James Lewis, a cyber security expert at the Center for Strategic and International Studies, a nonpartisan think tank in Washington.


ALA launches free e-government webinar series (ALA, 4 Feb 2014) - The American Library Association (ALA) and the Information Policy & Access Center (iPAC) at the University of Maryland at College Park are pleased to announce the re-launch of Lib2Gov, an online e-government resource for librarians. Over the past few months, both organizations have worked to transition LibEGov - a project supported by the Institute of Museum and Library Services through a National Leadership Grant - into Lib2Gov. The redesigned website Lib2Gov allows libraries and government agencies to come together and collaborate, share resources and build a community of practice. Lib2Gov now provides a dedicated space where librarians can share materials, lesson plans, tutorials, stories, and other e-government content. The website offers a variety of resources from government agencies and organizations, including information on immigration, taxation, social security and healthcare. In a few weeks, both organizations will host a new monthly webinar series, "E-government @ Your Library." The webinars will explore a variety of e-government topics that will be of interest to librarians, including mobile government and emergency preparedness, response and recovery. All webinars are free and will be archived on the Lib2Gov site. The webinar schedule for Winter/Spring 2014 * * *


Proposed patent rules: identify the true owner on pain of abandonment (Patently-O, 5 Feb 2014) - In one of her first acts as de facto USPTO Director, Michelle Lee has proposed a new set of rules associated with patent assignment recordation. The proposal is quite complicated (occupying 18,000 words in the Federal Register) but the general idea is (1) that information regarding who owns which patents should be available to the public; (2) some rights-holders have been taking steps to hide their identity; and therefore (3) the USPTO proposes to require greater transparency. Although the proposal is signed by Deputy Director Lee, it was a White House initiative well before she took office: The Office is proposing … to require that the attributable owner, including the ultimate parent entity, be identified … on filing of an application (or shortly thereafter), when there is a change in the attributable owner during the pendency of an application, at the time of issue fee and maintenance fee payments, and when a patent is involved in supplemental examination, ex parte reexamination, or a trial proceeding before the Patent Trial and Appeal Board (PTAB). The Office is also seeking comments on whether the Office should enable patent applicants and owners to voluntarily report licensing offers and related information to the Office, which the Office will then make available to the public in an accessible online format. See also Whither the USPTO's authority to require ownership recordation (Patently-O, 10 Feb 2014)


Comcast customer surprised to learn new router is also public hotspot (ArsTechnica, 5 Feb 2014) - Comcast customer Ronaldo Boschulte didn't know exactly what he was getting when the company swapped his malfunctioning modem for a new one. The cable modem doubles as a Wi-Fi router - that much he was expecting. But he didn't realize the router would, by default, broadcast a public Wi-Fi network that anyone with a Comcast account could connect to. Comcast started adding the public hotspot to its modems by default in mid-2013, as we reported at the time. Customers can turn the second signal off if they choose, but it's definitely an opt-out program rather than opt-in. In an FAQ, Comcast doesn't provide instructions for turning it off manually. You have to call Comcast for that. "You will always have the ability to disable the XFINITY Wi-Fi feature on your Wireless Gateway by calling 1-800-XFINITY," the company says. Presumably, a customer service representative will try to talk you out of disabling it. The second network won't slow your primary connection down, at least not much. "The broadband connection to your home will be unaffected by the XFINITY Wi-Fi feature," Comcast says. "Your in-home Wi-Fi network, as well as XFINITY Wi-Fi, use shared spectrum, and as with any shared medium there can be some impact as more devices share Wi-Fi. We have provisioned the XFINITY Wi-Fi feature to support robust usage, and therefore, we anticipate minimal impact to the in-home Wi-Fi network."


Wargames test UK banks' resolve against massive cyber-attack (ZDnet, 5 Feb 2014) - The Bank of England has published the findings of a war-gaming exercise that saw banks trying to defend against a theoretical cyber-attack from a hostile nation. The war-gaming exercise, dubbed "Waking Shark II", was held in November last year and was designed to rehearse the response of the banking sector - including investment banks and key financial market infrastructure - to a concerted cyber-attack. The Bank of England's report said the event "successfully demonstrated cross sector communications and coordination", but said it also identified some issues to be addressed. The report noted that the objective was to place the banking sector "under severe stress" and as such it admitted that some of the elements it featured "were extreme relative to the cyber-attacks that have been seen to date". The scenario of Waking Shark II was a concerted cyber-attack against the UK financial sector by a hostile nation state "with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure". It was set over a three-day period, the last day of which happened to coincide with a so-called 'Triple Witching' when contracts for stock index futures, stock index options and stock options all expire on the same day. Bank of England Report on UK Financial Sector Cyberattack Exercise is here.


No Fourth Amendment right in metadata embedded in posted photo, court holds (Volokh Conspiracy, 6 Feb 2014) - I'm guessing we all know that you don't have a reasonable expectation of privacy in photographs that you post on the public Internet. Government investigators don't violate privacy rights by looking at photos posted on the web for all to see. But what about the metadata embedded in those photographs? And what if it's a website only accessible using the TOR browser? In a case handed down last week, United States v. Post, a district court held that the Fourth Amendment still offers no protection. The decision was authored by Judge Gregg Costa, a recent nominee to the U.S. Court of Appeals for the Fifth Circuit. Post is interesting not just for its holding but also for its facts. Investigators discovered a website devoted to child pornography. The website was viewable only using the TOR browser, much like the Silk Road website that was used to trade illegal narcotics. We don't know the entirety of the investigation, but in at least one instance the agents tried to retrieve the location metadata embedded in an image of child pornography they found on the site. In his suppression motion, Post acknowledges that he had no expectation of privacy in the image that he uploaded to the website, but contends that he did retain a privacy interest in the embedded metadata because he did not realize he was releasing that information and he intended to remain anonymous. In other words, he would split the image into two distinct parts, one of which the government could obtain because it was placed in the public domain and one of which it could not. Judge Costa disagreed: [Post] gave up his right to privacy in that image once he uploaded it to the internet, and that thing he publicly disclosed contained the GPS coordinates that led agents to his home. There is no basis for divvying up the image Post uploaded into portions that are now public and portions in which he retains a privacy interest.


Speek makes conference calls better (InsideHigherEd, 6 Feb 2014) - Earlier this week I was scheduled to be on a conference call. I dialed in, entered in my pin, and was told by an automated voice that I was the first person on the call. After five minutes of elevator music, I hung up and dialed in again. Once again, the system told me that I was the only person on the call. Sensing a glitch in the system, I sent out a few emails to the other individuals on the call. Apparently, they had successfully dialed into the call and I had used a wrong number. It was yet another chapter in my seemingly endless array of unfortunate conference call experiences. Next time a conference call needs to happen, I'm going to recommend that we try using Speek. Speek simplifies the conference call experience by eliminating some of the complicated elements of the genre. Instead of using a unique phone number or pin, users are directed to an easy to remember URL (e.g. speek.com/yourconferencecall). Additionally, the web-based interface allows you to see who is talking at any given time. It's like a visual walkie talkie. Anything that eliminates that awful aspect of talking over someone on a conference call is a huge victory in my book. The free version of Speek has a 5 caller limit. However, let's be honest, do we really need more than 5 people on a conference call? You also get a dedicated conference bridge, the aforementioned visual interface, call history/analytics, message/file sharing, and the option for Speek to call you after you enter your phone number into their website.


Ninth Circuit allows CNN motion to dismiss captioning complaint (Broadcasting & Cable, 7 Feb 2014) - A California court has backed a CNN argument that it did not have to closed-caption online clips. A three-judge panel of the U.S. Court of Appeals for the Ninth Circuit earlier this week vacated a district court's order denying CNN's motion to dismiss a lawsuit by the Greater Los Angeles Agency on Deafness (GLAAD) that sought to force CNN to caption video clips on its Web site, arguing that not to do so violated the state's Disabled Persons Act (DPA). The Court found that the claim of equal access under DPA was trumped by a California statute providing "for the early dismissal of meritless lawsuits arising from a defendant's conduct in furtherance of its free speech rights." It said the California legislature had made it clear that statute was to be read broadly. The court also found that GLAAD was unlikely to win under invocation of California's Unruh Civil Rights Act because it had not shown an intent to discriminate by CNN based on disability. But the court breathed some life into the GLAAD argument by leaving open the question of whether DPA applied in the case of accessibility via Web captions. CNN said DPA did not apply to virtual locations like the Internet. The Ninth Circuit panel reserved judgment and asked the Supreme Court to weigh in on that question, saying "The final question, whether the DPA applies to websites, is an important question of California law and raises an issue of significant public concern."


Here's how Twitter might challenge the NSA's gag order (Washington Post, 10 Feb 2014; interview with Eugene Volokh) - The United States government limits how much companies can disclose about their cooperation with surveillance by the National Security Agency and other federal agencies. Government officials have insisted that Internet companies such as Google and Microsoft report the number of surveillance requests only in broad numeric ranges. In a Thursday blog post, Twitter wrote that it was unsatisfied with this arrangement, and was "considering legal options we may have to seek to defend our First Amendment rights." The company argues that it has a right to disclose specific details about the extent of its participation in U.S. surveillance programs. Would such a legal challenge succeed? To find out, I asked Eugene Volokh, a prominent First Amendment scholar at the University of California-Los Angeles. His blog, the Volokh Conspiracy, is hosted by the Washington Post. We spoke by phone on Friday. The transcript has been edited for length and clarity * * *


Cryptolocker scrambles US law firm's entire cache of legal files (Computerworld, 10 Feb 2014) - A small US law firm has bravely admitted losing its entire cache of legal documents to the Cryptolocker Trojan despite attempting to pay the $300 (£180) ransom in a bid to have them unscrambled. According to TV reports, Goodson's law firm in North Carolina's largest city, Charlotte, became the latest victim of a malware menace that was custom-written to lever ransom money from precisely this type of relatively cash-rich but time-poor firm. The email infected a company server holding thousands of important documents after an email with a malicious attachment was mistaken for a message sent from the firm's phone answering service. That error left every single document used by the firm on its main server in an encrypted state, including Word, WordPerfect and PDF files, said Goodson's owner, Paul M. Goodson. "The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it," Goodson said. After IT staff were unable to make any headway against the malware's encryption, Goodson tried to pay the ransom but discovered that the grace period - another nasty aspect of Cryptolocker - had expired. The only blessing was that the malware had scrambled files and not stolen them, Goodson added. According to the Wsoctv TV channel, local police were aware of at least 30 cases where paying the ransom had resulted in an unlock key being delivered. Balancing this, we should point out that not everyone has reported having this success.


SF Bar Assn Ethics Opinion 2014-1 -- ISSUE: May an attorney respond to a negative online review by a former client alleging incompetence but not disclosing any confidential information where the former client's matter has concluded? If so, may the attorney reveal confidential information in providing such a response? Does the analysis change if the former client's matter has not concluded? DIGEST: An attorney is not ethically barred from responding generally to an online review by a former client where the former client's matter has concluded. However, the duty of confidentiality prevents the attorney from disclosing confidential information about the prior representation absent the former client's informed consent or waiver of confidentiality. This Opinion assumes the former client's posting does not disclose any confidential information and does not constitute a waiver of confidentiality or the attorney-client privilege. While the online review could have an impact on the attorney's reputation, absent a consent or waiver, disclosure of otherwise confidential information is not ethically permitted in California unless there is a formal complaint by the client, or an inquiry from a disciplinary authority based on a complaint by the client. Even in situations where disclosure is permitted, disclosure should occur only in the context of the formal proceeding or inquiry, and should be narrowly tailored to the issues raised by the former client. If the matter previously handled for the former client has not concluded, depending on the circumstances, it may be inappropriate for the attorney to provide any substantive response in the online forum, even one that does not disclose confidential information.


Israeli legal expert urges development of ethics code for cyberwarfare (Homeland Security News Wire, 11 Feb 2014) - Israel is already engaged in a cyber arms race with its adversaries, but some of the cyberattacks Israel has launched, and which have been launched against it, may not be permissible in the legal regime which is slowly developing, according to a former IDF deputy military advocate general. "Israel faces a complex and challenging period in which we can expect both a cyber arms race with the participation of state and non-state entities, and a massive battle between East and West over the character of the future legal regime," writes Col. Sharon Afek in a study crafted as part of his research at the National Defense College. Haaretz reports that Afek presents a number of directions in which cyber law may develop, but he says that it is unlikely that in the near term formal regulations will be drawn up. Only a catastrophic event like "Pearl Harbor or Twin Towers attack in cyberspace" would accelerate developments in this area. Afek notes that existing law already prohibits cyber operations which would directly lead to loss of life, injury, or property damage, such as causing a train to derail or undermining a dam. What do existing norms say about cyber operations which do not cause physical damage but still cause significant harm? "One can create effects in cyberspace that fundamentally undermine the stability of nations through operations that are not kinetic," writes Afek, referring to operations which do not involve conventional weapons. "Cybernetic tools and capabilities that no one thought to forbid are liable to bring results perceived as a pretext for war."


Judge blocks warrantless searches of Oregon drug database (Reuters, 12 Feb 2014) - A federal judge ruled on Tuesday that U.S. government attempts to gather information from an Oregon state database of prescription drug records violate constitutional protections against unreasonable search and seizure. The American Civil Liberties Union hailed the decision, in a case originally brought by the state of Oregon, as the first time a federal judge has ruled that patients have a reasonable expectation of privacy in their prescription records. The Oregon Prescription Drug Monitoring Program database was created by the state legislature in 2009 as a tool for pharmacists and physicians to track prescriptions of certain classes of drugs under the federal Controlled Substances Act. Some seven million prescription records are uploaded to the system every year, according to court documents. The state mandated privacy protections for the data, including a requirement that law enforcement could only obtain information from the network with a warrant. But the DEA claimed federal law allowed the government to access the database using only an "administrative subpoena", which does not require a finding of probable cause for believing a crime has been committed or a judge's approval. U.S. District Judge Ancer Haggerty in Portland ruled that the DEA's efforts to obtain Oregon's prescription records without a warrant violate Fourth Amendment safeguards against searches and seizures of items or places in which a person has a reasonable expectation of privacy.


Federal Circuit clarifies standard for recovery of eDiscovery costs (Today's General Counsel, 12 Feb 2014) - As many recent litigants know, the costs of eDiscovery can be enormous. Therefore, the ability to recover those costs can have a significant impact on a company's bottom line - from tens to hundreds of thousands of dollars. In a recent case, CBT Flint Partners, LLC v. Return Path, Inc., 2013-cv-1036 (Fed. Cir. December 13, 2013), the U.S. Court of Appeals for the Federal Circuit addressed the recoverability of eDiscovery costs. This decision is important because it offers a guideline for making such determinations, and also purports to be "consistent with" other circuits that have interpreted section 1920(4). In CBT Flint, the Federal Circuit analyzed the legislative history of section 1920, and reviewed the Sedona Conference principles and other federal court decisions. The opinion contains a detailed analysis regarding which costs are recoverable under section 1920(4). In a nutshell, the Federal Circuit found that section 1920 applies only to documents produced pursuant to Rule 26 or other discovery rules, and thus does not apply to documents a party creates for its own litigation or other use. The Federal Circuit broadly stated the guideline as follows: "[R]ecoverable costs under section 1920(4) are those costs necessary to duplicate an electronic document in as faithful and complete a manner as required by rule, by court order, by agreement of the parties, or otherwise . . . . But only the costs of creating the produced duplicates are included, not a number of preparatory or ancillary costs commonly incurred leading up to, in conjunction with, or after duplication."


Spying by NSA ally entangled US law firm (NYT, 15 Feb 2014) - The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers. A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the United States. The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance. The government of Indonesia had retained the law firm for help in trade talks, according to the February 2013 document. It reports that the N.S.A.'s Australian counterpart, the Australian Signals Directorate, notified the agency that it was conducting surveillance of the talks, including communications between Indonesian officials and the American law firm, and offered to share the information. The Australians told officials at an N.S.A. liaison office in Canberra, Australia, that "information covered by attorney-client privilege may be included" in the intelligence gathering, according to the document, a monthly bulletin from the Canberra office. The law firm was not identified, but Mayer Brown, a Chicago-based firm with a global practice, was then advising the Indonesian government on trade issues. On behalf of the Australians, the liaison officials asked the N.S.A. general counsel's office for guidance about the spying. The bulletin notes only that the counsel's office "provided clear guidance" and that the Australian agency "has been able to continue to cover the talks, providing highly useful intelligence for interested US customers."
[Polley: There's so much here, I don't know where to start… perhaps, to wonder who are "interested US customers" that benefit from this collection? Is there a terrorism component? Does Australia recognize US attorney/client privilege? Does NSA care? In the meantime, see the related posting below under PODCASTS.]


Social networking, anonymity, defamation, and privacy (MLPB, 18 Feb 2014) - Eva Nagle, National University of Ireland, Maynooth, Department of Law, has published 'Unringing' the Bell that Has Sounded so Loudly: Maintaining Anonymity When Suing for Defamation and Breach of Privacy in the Internet Realm. Here is the abstract: Social networking websites have become a far more potent tool than merely a means of posting photographs of your last holiday online. They can be used to create a "buzz" around a new business, to organise a protest or to assist with some amateur detective work - which was at the centre of the Irish "Internet privacy" case of McKeogh v John Doe 1 (User Name Daithii4u) and others (hereafter, McKeogh).

It is axiomatic that these novel uses of social networks such as Twitter, Facebook and YouTube create serious implications for privacy and defamation law in the online world. Some of the contemporary challenges to privacy law that are posed by such websites are encapsulated in the case of McKeogh.


Protecting internet intermediaries (Project Disco, 18 February; by Cathy Gellis) - What would the Internet be without its intermediaries? Nothing, that's what. Intermediaries are what carry, store, and serve every speck of information that makes up the Internet. Every cat picture, every YouTube comment, every Wikipedia article. Every streamed video, every customer review, every online archive. Every blog post, every tweet, every Facebook status. Every e-business, every search engine, every cloud service. No part of what we have come to take the Internet for exists without some site, server, or system intermediating that content so that we all can access it. And yet, if we're not careful, we can easily lose all the benefits these intermediaries bring us. Thankfully, in the United States we have some laws that help ensure they can exist, chief among them 47 U.S.C. Section 230. As my recent paper on the state of the law regarding intermediary liability explains, this law stands for the proposition that intermediaries are only responsible for what they themselves communicate through their systems - not what others use them to say. For example, newspapers that post articles online are only responsible for the content of the articles they publish, not the comments readers then post to them. Similarly consumer review sites are only responsible for the information they supply to their sites, not the user reviews themselves. This same principle also means that people who link to content (as search engines do) are not legally responsible for that content, even if that content should happen to be illegal in some way (like by being potentially defamatory). [Polley: pretty useful primer on intermediary liability.]


Oklahoma makes its digital decisions the official versions (Geek Law Blog, 18 Feb 2014) - I'm not sure how I missed this big news coming out of the Oklahoma Supreme Court, but it is something that has made me very happy, and very proud to have played a small part over a decade ago. Peter Martin pointed out on his blog that the Oklahoma Supreme Court, as of January 1, 2014, has become the official publisher of the state's appellate court decisions and will distribute those decisions through The Oklahoma State Courts Network ( http://www.oscn.net ). All other publishers, including West Publishing, will be unofficial publishers. This is a big deal, considering that West had been the official publisher for sixty years. Here is a blurb from the Oklahoma Supreme Court decision, 2013 OK 109 * * *


Massachusetts court rules that state constitution requires warrant for access to two-week collection of historical cell-site records (Volokh Conspiracy, 18 Feb 2014) - The Massachusetts Supreme Judicial Court has issued a new decision interpreting the Massachusetts constitution to require a search warrant for access to a two-week span of historical cell-site information. The court divided by a vote of 5-2. Note that the decision did not interpret the Fourth Amendment of the federal constitution, but rather interpreted Article 14 of the Massachusetts Declaration of Rights. This means that the decision is binding on Massachusetts state law enforcement, but it does not apply to federal law enforcement (whether in Massachusetts or outside it). The decision appears to adopt a mosaic theory for the state constitution, by which the time of surveillance determines what is a state-constitution search. In this case, the government obtained a court order requiring the cell-phone provider to hand over historical cell-site records covering a two week period. The Massachusetts court concludes that if the court order had covered a short time, it would not have triggered the state constitution. But by ordering the disclosure of records covering a two week period, that was long enough to trigger a warrant requirement under the state constitution.


Mass surveillance of all car trips is nearly upon us (The Atlantic, 19 Feb 2014) - Is the relative anonymity the open road has long afforded something we're ready to give up? In an up or down vote, I'm confident the American people would say, "Hell no." But automatic license-plate readers threaten much of the privacy we've always enjoyed, on the road and at our destinations of choice, as never before. These devices garnered a bit of attention last summer, when the ACLU reported on how many states and localities have installed them on patrol cars, bridges, and highway overpasses, where they capture images of every passing vehicle. The intention is often to find stolen cars or to catch drivers evading warrants for their arrest. Yet in most cases, "these systems are configured to store the photograph, the license plate number, and the date, time, and location where all vehicles are seen-not just the data of vehicles that generate hits," the ACLU explained. "All of this information is being placed into databases, and is sometimes pooled into regional sharing systems .... All too frequently, these data are retained permanently and shared widely with few or no restrictions on how they can be used." The potential for abuse was obvious. Now the federal government intends to build a national license-plate-reader database. A Department of Homeland Security spokesperson told Ars Technica that Immigration and Customs Enforcement (ICE), "is exploring the ability to obtain access to a National License Plate Recognition database-allowing officers and agents to identify subjects of ongoing criminal investigations." The Washington Post got an official response too. "It is important to note that this database would be run by a commercial enterprise," ICE said, "and the data would be collected and stored by the commercial enterprise, not the government." Is that supposed to reassure? A private database that's inaccessible to the government would offer some protections. 
So would a government database that no private entity could exploit. A database of our movements that is privately held and accessible to the government is the worst possible combination.


- and, a few hours later -

Department of Homeland Security cancels national license-plate tracking plan (Washington Post, 19 Feb 2014) - Homeland Security Secretary Jeh Johnson on Wednesday ordered the cancellation of a plan by the Immigration and Customs Enforcement agency to develop a national license-plate tracking system after privacy advocates raised concern about the initiative. [ Polley : Color me skeptical, again: see posting immediately below.]


Spy chief: we should've told you we track your calls (Daily Beast, 17 Feb 2014) - In an exclusive interview with The Daily Beast, Clapper said the problems facing the U.S. intelligence community over its collection of phone records could have been avoided. "I probably shouldn't say this, but I will. Had we been transparent about this from the outset right after 9/11-which is the genesis of the 215 program-and said both to the American people and to their elected representatives, we need to cover this gap, we need to make sure this never happens to us again, so here is what we are going to set up, here is how it's going to work, and why we have to do it, and here are the safeguards… We wouldn't have had the problem we had," Clapper said. [ Polley : Nuts. They DID tell us way-back-when - see Markoff's 9 Nov 2002 NYT article in MIRLN 5.15 - part of Admiral Poindexter's swan-song. And when the blow-back was too intense, they said they wouldn't do it - see Wired's 14 July 2003 article in MIRLN 6.10.]


NOTED PODCASTS

Critical cyber issues affecting you today (ABA Cybersecurity Legal Task Force, 8 February 2014; 90 minutes) - Recent losses that have been reported at Target and Neiman Marcus have brought to the front pages of the news how important cybersecurity is to the private sector. In the wake of the Snowden and Manning revelations, it is increasingly harder for both the government and the private sector to protect their assets and secrets. In short, law firms and government law departments continue to be prime targets due to the valuable client information they hold. The ABA Cybersecurity Legal Task Force and its Sections and Committees have produced a number of books, articles, and pamphlets to help focus the legal community on these issues. The panel discussed current cyber threats, applicable laws, and the ethical standards lawyers need to be aware of in this dangerous arena. Panelists include MIRLN editor Polley.


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

FDIC guidance on instant messaging (FDIC, Sept 2004) - "This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations."


Athens 2004 website restrictions spark legal debate (Globe & Mail.com, 20 August 2004) -- Olympic organizers in Athens seeking to control which websites can link to the official Games site have detailed a procedure that runs roughshod over the free-linking foundation of the Internet, legal observers say. According to the "hyperlink policy" listed on the Athens 2004 site, anyone wanting to post a link must first send a request that includes a description of their site, reason for linking and length of period it will be published. Howard Knopf, a Canadian trademark lawyer who is now director for the Center of Intellectual Property Law at Chicago's John Marshall Law School, said organizers have no legal authority to prevent people from simply linking to the website. "If they leave their website open, it's like a public park, people are free to walk in it, and a link is just the most efficient way to get there," he said. The hyperlink policy, which also strictly regulates the text and graphic of a link, is another example of Olympic organizers aggressively protecting the Olympic trademark. "Of course, normally, you can link wherever you want. We're just asking people to respect the rules," said Christina Fotinopoulou, Internet content manager for Athens 2004.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuireWoods' Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, February 01, 2014

MIRLN --- 12-31 Jan 2014 (v17.02)

MIRLN --- 12-31 Jan 2014 (v17.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | LOOKING BACK | NOTES

CHICAGO PROGRAM ANNOUNCEMENT

Critical cyber issues affecting you today (ABA Cybersecurity Legal Task Force, 8 February 2014) - Recent losses that have been reported at Target and Neiman Marcus have brought to the front pages of the news how important cybersecurity is to the private sector. In the wake of the Snowden and Manning revelations, it is increasingly harder for both the government and the private sector to protect their assets and secrets. In short, law firms and government law departments continue to be prime targets due to the valuable client information they hold. The ABA Cybersecurity Legal Task Force and its Sections and Committees have produced a number of books, articles, and pamphlets to help focus the legal community on these issues. The panel will discuss current cyber threats, applicable laws, and the ethical standards lawyers need to be aware of in this dangerous arena. Panelists include MIRLN editor Polley. ABA midyear meeting, 8 February 2014; 09:00-10:30 - Hyatt Regency Chicago, Plaza Ballroom A, Lobby Level, East Tower.

END ANNOUNCEMENT

Tweets, likes and follows: social media and the fair disclosure (Corporate Counsel, 10 Jan 2014) - Is tweeting considered Fair Disclosure? Have social rules changed the rules? The SEC says yes, but the landscape is new and the dust is still settling. Be careful. In April 2013, the Securities and Exchange Commission (SEC) cleared public companies to use social media outlets such as Twitter® and Facebook® to announce key information in compliance with Regulation Fair Disclosure (Regulation FD), "so long as investors have been alerted about which social media will be used to disseminate such information." However, the SEC's guidance was general, leaving room for error. Some executives may be rightfully worried about those in their organizations with "itchy Twitter fingers," while balancing a desire to communicate with shareholders and potential investors who are eager for information. Indeed, social media are essential channels in today's world, and there is good reason to act prudently when using them to announce financial and other key information to investors. Some law firms, such as Philadelphia-based Pepper Hamilton LLP, recommend some best practices. A commentary posted on the firm's corporate website shortly after the SEC guidance was released includes several key "Pepper Points" that are particularly instructive. For example * * *


The law belongs in the public domain (EFF, 14 Jan 2014) - For nearly two centuries it has been a basic precept that the law lives in the public domain. It's simple: in a democratic society, people must have an unrestricted right to read and speak their own laws. Full stop. Of course, that principle means the law can never be subject to copyright restrictions. If any single entity owns a copyright in the law, it can buy, sell or ration the law, and make all sort of rules about when, where, and how we share it. People should never have to pay a fee to review and compare the rules and regulations they must obey, and no private entity should be the gatekeeper to the law. As an appellate court put it : [I]t is hard to see how the public's essential due process right of free access to the law (including a necessary right freely to copy and circulate all or part of a given 
law for various purposes), can be reconciled with the exclusivity afforded a private copyright holder . . . . Fortunately, open access crusaders like Public.Resource.Org (whose founder, Carl Malamud, is testifying before Congress today about this issue), and the Center for Information Technology Policy, have worked hard to correct the situation, by publishing legal and government documents and giving citizens the tools to do so themselves. A private company, Google, has also done its part by including court opinions in the Google Scholar database. Until recently, these folks haven't had to deal with copyright infringement lawsuits as they worked to free the law. No longer. A group of standards-development organizations (SDOs) have banded together to sue Public.Resource.Org, accusing the site of infringing copyright by reproducing and publishing a host of safety codes that those organizations drafted and then lobbied heavily to have incorporated into law. The SDOs argue that they hold a copyright on those laws because the standards began their existence in the private sector, and were only later "incorporated by reference" into the law. That claim conflicts with the public interest, common sense, and the rule of law. The fundamental right to access and share the law does not disappear just because the law in question is a technical standard. And a good thing, too, because these standards are now a significant part of the laws that shape our lives. Once incorporated, they become mandatory requirements, just like any other law. The case involves crucial national standards like the national electrical codes, fire safety codes, and so on. Public access to such codes-meaning not just the ability to read them, but to publish and re-use them-can be crucial when there is an industrial accident, when there is a disaster such as the Moore, Oklahoma tornado, or when a homebuyer wants to know whether her house is code-compliant. 
Publishing the codes online, in a readily accessible format, makes it possible for reporters and other interested citizens to not only view them easily, but also to search and excerpt and generate new insights.


Supreme Court enshrines "reasonable suspicion" for device search at border (ArsTechnica, 14 Jan 2014) - On Monday, the Supreme Court let stand a March 2013 ruling that established-at least in the Ninth Circuit in the western United States-that extended and sophisticated forensic analysis of a digital device requires a reasonable suspicion of wrongdoing. The case, United States v. Cotterman, involves an American man who was driving back into the country from Mexico with his wife in 2007 and had his laptop cursorily searched, with a more advanced search then performed at a government facility 170 miles away. The Supreme Court declined to hear Howard Cotterman's appeal of the legality of the extensive search. As the Ninth Circuit judges wrote: Although courts have long recognized that border searches constitute a "historically recognized exception to the Fourth Amendment's general principle that a warrant be obtained," United States v. Ramsey, 431 U.S. 606, 621 (1977), reasonableness remains the touchstone for a warrantless search. Even at the border, we have rejected an "anything goes" approach. See United States v. Seljan, 547 F.3d 993, 1000 (9th Cir. 2008) (en banc). Mindful of the heavy burden on law enforcement to protect our borders juxtaposed with individual privacy interests in data on portable digital devices, we conclude that, under the circumstances here, reasonable suspicion was required for the forensic examination of Cotterman's laptop. Because border agents had such a reasonable suspicion, we reverse the district court's order granting Cotterman's motion to suppress the evidence of child pornography obtained from his laptop.


Federal court in Virginia says domain names are not property, but contractual rights (Venkat Balasubramani, 14 Jan 2014) - Following the sex.com case from the Ninth Circuit, it is taken for granted that domain names are property that can be converted, sold, transferred, or subject to a creditor's collection efforts. Interestingly, a federal district court in Virginia took a contrary view. The case arose out of a bankruptcy of Alexandria Surveys International. Two competing Alexandria surveying companies were trying to buy the assets of ASI and ended up with conflicting claims. The first company, Alexandria Surveys, LLC, acquired the telephone number and web address from Cox Communications, the provider, under the theory that these were executory contracts that could be taken over. However, the estate was reopened at the request of a second company (Alexandria Consulting Group) and in the second go around ACG purchased a bunch of assets from the trustee, including the web address and telephone number. The bankruptcy court ordered the ASL to turn over the web address and telephone number (and servers) to ACG. ASL objected, arguing that the web address and telephone numbers were not "property of the bankruptcy estate." The district court agrees with ASL on appeal. The court largely relies on the Virginia Supreme Court's decision in Network Solutions v. Umbro: "a domain name registrant acquires the contractual right to use a unique domain name for a specified period of time . . . 'a domain name is not personal property but rather' the product of a contract for services." ACG tried to distinguish Umbro on the basis that it involved a garnishment proceeding, but the court says that the key part of the holding-that a domain name is a "contractual right"-applies regardless.
The court says that because ASI did not have a property interest in the website and phone number at most it had a contractual interest and since the trustee did not assume it, there was nothing to be sold to ACG.


Shepardize the Internet! (InsideHigherEd, 16 Jan 2014) - Every law school student knows "shepardizing." It is the process by which one learns how and in what ways to research a legal case that may have been affected by subsequent cases. Shepardizing is a critical process in a legal system based on precedent. Stare decisis notwithstanding, one must know the latest decision on any specific legal question to proceed to the next. In the old days, it was done by hand and rather laborious, requiring not only denoting a case, but also reading those subsequent cases to evaluate the nuances of "modified," "distinguished," or even "overruled." I was in law school during the transition to digitized process. In one of my first jobs as a lawyer, the attorney who gave me the assignment thought me brilliant because I came back within 20 minutes with the up-to-date case that significantly modified the one he asked me to research. His opinion shifted when I explained the automated West Law program that did all the work! Francine Prose's piece in the New York Times "How Have Google and YouTube Changed the Way You Work?" made me think of that legal research process. A fiction author of some note, Francine Prose observes how frequently she is introduced with the mistakes that are embedded in a Wikipedia page about her. With all the knowledge that search engines integrate, some form of updating information, or at least denoting links with metadata that contextualizes it, shouldn't be too difficult to create. I expect that some faculty and research librarians may take that notion to task. One faculty member I know discovered mass academic integrity violation when a homework assignment came back from over 200 of her students with the same mistaken chemical in it, because it was a mistake in her instructor's manual that was posted on-line! 
More to the point, information literacy 101 instructs students not to accept the first link in a search, to test for validity, to evaluate the source, and to do a researcher's version of shepardizing. In other words, to dive deeper exploring subsequent research. Digitalliteracy.cornell.edu is a go-to site for faculty and students to understand on-line research; one among many such sites. That work is not in conflict with the thought that search engines shift to some form of automated updating of links. Users, especially computer scientists, research faculty, and reference librarians, should already be thinking about how this metadata should operate. Waiting for Google or Bing or any profit-driven search company to meet the needs of our academic community is not a prudent plan. But serving academia is not the principal point. It is that serving the academic community will also serve the public. Responsible "shepardizing" helps citizens as well as students because it prizes transparent, objective, valid and sometimes even peer reviewed or tested information.


Writing briefs when judges read on iPads (Volokh Conspiracy, 17 Jan 2014) - I just read a very interesting article, Daniel Sockwell, Writing a Brief for the iPad Judge . The basic problem: [M]ore and more judges are reading briefs primarily on iPads or other tablets…. The Fifth Circuit judiciary reads the majority of their briefs on iPads, and, from conversations with numerous judges and clerks, the other Circuits are not far behind (though I was told that the Third Circuit is "not as iPad heavy as some circuits"). The best way to know how a particular judge typically reads briefs is to ask - the clerks will likely be happy to help. Why do iPads even matter? … Lawyers who care about communicating forcefully and clearly should seek to perfect style and typography in addition to substance. The rules of typography are simply different for a screen than for print… And here are the author's suggestions (reprinted with his permission, some paragraph breaks added): A brief written to be read on an iPad should differ from one written for text in three main ways: it should use fewer footnotes, should use a different font, and should avoid confusing hierarchical organization. Lawyers who expect a brief to be read on an iPad should try to avoid footnotes. One of the advantages of reading on an iPad is that judges can adjust the screen view, zooming in and focusing on the current passage. However, this advantage is lost if footnotes require the reader to constantly scroll to the bottom of the page for citations or substantive material. Worse, the extra scrolling raises the risk that the footnotes won't be read at all, already a concern with substantive footnotes. Next, lawyers should carefully consider what font to use in a brief that may be read on an iPad. Fonts designed for screen reading are significantly different from those designed to be printed. 
Most importantly, quality printers print at a much higher resolution-even the retina iPad display has only 264 pixels per inch, less than half the dots per inch of a quality laser printer. As a result, some of the best print fonts can become jagged or difficult to read at screen resolutions, especially when readers zoom in. * * *


Old applications; new patents (Patently-O, 18 Jan 2014) - Patent applications filed on or after June 8, 1995 have a term of twenty years from the date of application filing. The prior rule offered a term of seventeen years from the issue date. This change was part of the Uruguay Round Agreements Act (URAA) that harmonized US law with that of other countries and also helped to substantially move away from the problem of patent application sandbagging / submarining where patent applicants intentionally delayed prosecution in order to accrue additional end-stage patent term. That problem has arisen again, although to a lesser extent, with the generous patent term adjustment offered for delays in prosecution. Although the change-over was almost twenty-years ago, there are still a number of pre-URAA patents pending at the PTO. When they issue, these patents have the benefit of having 17-more years of patent term remaining. For some fundamental technologies whose market has blossomed over the past two decades, that potential value is enormous. According to the PTO, there are now 450 of these old applications still pending at the USPTO. That is down from about 600 three years ago. The twenty pre-URAA patents issued in 2013 are owned by only seven different entities, and twelve of them are owned by Personalized Media Communications.


Why Bitcoin matters (Marc Andreessen in NYT, 21 Jan 2014) - A mysterious new technology emerges, seemingly out of nowhere, but actually the result of two decades of intense research and development by nearly anonymous researchers. Political idealists project visions of liberation and revolution onto it; establishment elites heap contempt and scorn on it. On the other hand, technologists - nerds - are transfixed by it. They see within it enormous potential and spend their nights and weekends tinkering with it. Eventually mainstream products, companies and industries emerge to commercialize it; its effects become profound; and later, many people wonder why its powerful promise wasn't more obvious from the start. What technology am I talking about? Personal computers in 1975, the Internet in 1993, and - I believe - Bitcoin in 2014. * * * [ Polley : very, very interesting. I'm confused though by the Bitcoin mining motivation issues - as Bitcoin transactions increase (possibly thru micropayments), this'll require an explosion in block-ledger verification processing (by so-called "miners"). But, if the Bitcoin algorithm in fact has a finite number of possible coins (21 million), won't miners sometime lose the incentive to do the verification work?] [ Polley : I've decided I should know more about Bitcoin, and so am installing the MultiBit.app on my Mac and creating an account -- #notstraightforward]


Tennis's new concern: data harvesting (NYT, 21 Jan 2014) - The strangest story of this Australian Open so far involved a man, a smartphone, a consultant service for online gambling, a tennis match, an arrest, allegations of corruption, a new law and much confusion. Naturally, it unfolded without precedent. This story also brought new attention to the gambling boom around professional tennis and introduced many to the term courtsiding. The accused is Daniel Dobson, 22, of Britain. The police said he came to the tournament last week with an electronic device stitched inside his clothing and linked to a smartphone. They said he used these devices to relay the outcome of points to his employer, Sporting Data, as much as 10 seconds faster than those results could be transmitted through official channels. Dobson was arrested and charged with engaging in conduct to corrupt a betting outcome. The accusation fell under a law passed in the Australian state of Victoria last April called the Integrity in Sports Act, which was supported and promoted by a coalition of sports organizations, including Tennis Australia. At a news conference after the arrest, Graham Ashton, a deputy commissioner with the Victoria Police, described courtsiding as a "type of cheating and betting on sports." He said the advance notice provided by Dobson allowed bets to be placed on particular points after they happened and before agencies could close their betting windows. "Courtsiding is really only one step away from then contacting players and getting engaged in more illicit and sinister types of sports corruption," Ashton said. But many of those who bet on tennis do not agree. They say it is unlikely that Dobson relayed that information so someone else could bet on individual points. Most bookmakers have policies in place to prevent that; some allow bettors only to bet three points ahead; others institute a five-second delay after transactions. On Thursday, Dobson will appear before a judge. 
His case, to industry insiders, is more about sports results data and who owns them. Among the bullet points in its news release to announce its exclusive data rights for the tournament, the sports data provider Enetpulse listed "exclusive official data service designed for bookmakers," "fastest live scoring service in the market" and "all data direct from the Umpire's Chair." Brendan Poots, the chief executive of the Melbourne-based sports investment fund Priomha Capital, said the value of that rapid data could be seven figures. The question, then, is whether it is against the law for someone other than Enetpulse - like Sporting Data - to try to transmit it faster.


Lawyer accused of revealing TMI in response to bad Avvo review is reprimanded (ABA Journal, 21 Jan 2014) - A Chicago lawyer accused of disclosing confidential information about a client in response to his bad Avvo review has been reprimanded partly for the revelation. Employment lawyer Betty Tsamis "exceeded what was necessary to respond to [the client's] accusations," according to stipulated findings of fact. The Legal Profession Blog links to the joint stipulation and reprimand by the Hearing Board of the Illinois Attorney Registration and Disciplinary Commission. Tsamis also bounced a check to a client, partly because she failed to account for credit card fees charged to her client trust account, according to the stipulated facts. She made good on the check with money from her own funds. Tsamis' Avvo revelation occurred as a result of a negative online review by an American Airlines flight attendant who hired Tsamis in an unsuccessful effort to secure unemployment benefits. The attendant had been fired for allegedly assaulting a co-worker. Tsamis asked the former client to remove his first review, posted in February 2013, and he responded that he would do so if Tsamis returned his files and the $1,500 he had paid in attorney fees. Avvo removed the post, spurring a second negative review by the former client. This time, Tsamis responded to the post and revealed confidential information about the case, according to the stipulated facts. The disciplinary complaint had alleged that Tsamis wrote this: "I dislike it very much when my clients lose, but I cannot invent positive facts for clients when they are not there. I feel badly for him, but his own actions in beating up a female co-worker are what caused the consequences he is now so upset about." One of Tsamis' lawyers has said he thinks the client was not identified by last name on the Avvo website when Tsamis responded to his criticism. 
In mitigation, Tsamis has already taken steps to improve her financial record-keeping, she has no prior disciplinary history, and she has expressed remorse for her conduct, the stipulated facts said. One of Tsamis' lawyers, Kathryne Hayes, gave this statement to the ABA Journal: "While we believe that Ms. Tsamis' conduct was within the [ethics rules], this matter raises an important issue for all lawyers-especially those who are active on attorney-review websites and have the opportunity to comment on client reviews posted to these types of websites.

10 tips for avoiding ethical lapses when using social media (ABA's Business Law Today, January 2014) - You may be among the thousands of legal professionals flocking to social media sites like LinkedIn, Facebook, Twitter, or Google+ to expand your professional presence in the emerging digital frontier. If so, have you paused to consider how the ethics rules apply to your online activities? You should. Some of the ethical constraints that apply to your social media usage as a legal professional may surprise you. Moreover, legal ethics regulators across the country are beginning to pay close attention to what legal professionals are doing with social media, how they are doing it, and why they are doing it. The result is a patchwork quilt of ethics opinions and rule changes intended to clarify how the rules of professional conduct apply to social media activities. This article provides 10 tips for avoiding ethical lapses while using social media as a legal professional. The authors cite primarily to the ABA Model Rules of Professional Conduct (RPC) and select ethics opinions from various states. In addition to considering the general information in this article, you should carefully review the ethics rules and ethics opinions adopted by the specific jurisdiction(s) in which you are licensed and in which your law firm maintains an office. * * *

- and -

Cybersecurity and the duty of care: a top 10 checklist for board members (DLA Piper, 24 Jan 2014) - Visibility on information security, including cybersecurity as well as physical security aspects, is increasingly permeating corporate life. The relatively new SEC requirements for public disclosure of cybersecurity incidents are just one example. As directors prepare to fulfill their duty of care in an informed way, what are the issues that matter today? The following checklist was created to help outside directors understand the cybersecurity issues that matter to boards today based on information from panel discussions and individual directors * * * [Polley: mostly these are good, but a couple appear unnecessarily granular.]

- and a related piece -

Five things your IT department wants [the GC] to know about data security (Thomson Reuters, 30 Jan 2014) - The year 2013 was pretty terrifying when it comes to data security. Amid the fears created by the breaches at Adobe and Target, plus the knowledge that big brother really has been watching us through the NSA, every corporate counsel ought to be concerned about data security at their organization. However, as the senior manager of IT Operations for Serengeti, a SaaS (software as a service) e-billing and matter management company, Anne-Marie Scollay explains that there is no "silver bullet that provides an impervious layer of security around data." Anne-Marie frequently collaborates with legal departments and their IT teams as they evaluate Serengeti's cloud solution and shares insights regarding data security.

Court ruling notes that for-profit, full copy of audio, without commentary can also be fair use, in specific circumstances (TechDirt, 28 Jan 2014) - Back in 2011, we were worried about the implications of a lawsuit between the Swatch Group and Bloomberg, concerning the recording and distribution of an earnings call by Swatch. In short, Swatch claimed a copyright on its own earnings call. Bloomberg, which obtained a copy of the recording done by someone else, made that recording available to its customers. Not only did this have interesting fair use questions, it also opened up the possibility that bizarre copyright claims could be used as an alternative to wiretapping laws to block perfectly legitimate recordings of phone calls. Thankfully, the 2nd Circuit appeals court has issued a clear ruling noting that this use is fair use -- and that's true even though Bloomberg (1) used the whole thing (2) did so for commercial reasons and (3) did not add any commentary. This is important, because we regularly hear from copyright maximalist types who assume that if you do any of the above, it automatically loses the ability to be considered fair use. Here, however, the court clearly shows why that's not true, which should set a useful precedent for other fair use cases (at least within the 2nd circuit), especially when it comes in the context of "reporting." The Court makes a few very useful statements in explaining why all of this is fair use. Take, for example, the issue of it being "commercial" in nature. While that may make it a higher bar to prove fair use, it clearly does not preclude fair use * * *

Rockefeller to Target: why haven't you reported data breach to the Securities and Exchange Commission (US Senate, 28 Jan 2014) - Chairman John D. (Jay) Rockefeller IV today sent a letter to Target asking why the company has not yet reported its recent massive data breach to the Securities and Exchange Commission (SEC), as the Commission recommended in an October 2011 guidance. Rockefeller encouraged the SEC to issue this guidance, and is a strong supporter of giving investors more complete and timely information about cyber incidents such as the Target data breach. "A data breach involving the theft of personal information about tens of millions of Target customers is clearly a material cyber attack that has affected how your business operates. I am therefore puzzled why your company has not yet updated its SEC filings to reflect this event. Your failure thus far to provide this information to your investors does not seem consistent with the spirit or the letter of the SEC's financial disclosure rules," Rockefeller wrote. More recently, Rockefeller encouraged SEC Chairman Mary Jo White in April 2013 to issue Commission-level guidance to spur companies to take their cybersecurity efforts seriously. Chairman White recently asked SEC staff to review disclosure rules, saying, "I believe we should rethink not only the type of information we ask companies to disclose, but also how that information is presented, where and how that information is disclosed, and how we can take advantage of technology to facilitate investors' access to information and make it more meaningful to them." Rockefeller and Senator Claire McCaskill (D-Mo.) asked Target on January 14, 2014 for the latest findings on the circumstances that permitted unauthorized access to the financial and personally identifying information of as many as 110 million Americans. [Polley: see also the earlier To 8-K, or not to 8-K? For Target, that is indeed the question (Mintz Levin, 17 Jan 2014)]

US forces Coursera to ban students from Cuba, Iran, Sudan, and Syria (Slashdot, 29 Jan 2014) - "Coursera is an online website that offers free courses from many of the world's top universities. Now, all students from Syria, Sudan, Iran and Cuba will no longer be able to access Coursera. The official blog provides more info regarding the ban: 'Until now the interpretation of export control regulations as they relate to MOOCs has been unclear and Coursera has been operating under the interpretation that MOOCs would not be restricted. We recently received information that has led to the understanding that the services offered on Coursera are not in compliance with the law as it stands ... United States export control regulations prohibit U.S. businesses, such as MOOC providers like Coursera, from offering services to users in sanctioned countries, including Cuba, Iran, Sudan, and Syria. Under the law, certain aspects of Coursera's course offerings are considered services and are therefore subject to restrictions in sanctioned countries, with the exception of Syria.'"

Pentagon, GSA tackle cybersecurity through acquisition reform (FedScoop, 29 Jan 2014) - The Defense Department and the General Services Administration on Jan. 23 delivered a joint report to the president recommending a series of wide-ranging changes to the federal acquisition cycle to help improve cybersecurity and critical infrastructure resilience. The report, signed by Secretary of Defense Chuck Hagel and GSA Administrator Dan Tangherlini, is in response to requirements outlined in Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," signed by President Barack Obama last February. The order directed the Pentagon and GSA to come up with a plan to incorporate cybersecurity standards into acquisition planning and contract administration, and to harmonize procurement requirements across the federal government. The report outlines six recommendations that focus on the need for baseline cybersecurity for federal contractors, comprehensive workforce training, consistent cybersecurity terminology for contracts, incorporation of cyber-risk management into federal enterprise risk management, development of more specific and standardized security controls for particular types of acquisitions, limiting purchases to certain sources for higher-risk acquisitions, and increasing government accountability for cybersecurity throughout the acquisition lifecycle.

Scientific fact or junk science? Tracking a cell phone without GPS (ABA Judge's Journal, Judge Herbert Dixon, 30 Jan 2014) - Increasingly, competing experts are offering opposing opinions on the reliability of determining the approximate location of a cell phone. In this article, Judge Dixon highlights the significant arguments by both sides and discusses the technology on which these arguments are based.

Timid about fair use? (InsideHigherEd, 30 Jan 2014) - Visual arts professionals, including art historians, let real and perceived fears about copyright law get in the way of their work, finds a new report from the College Art Association. And while the fundamentally visual nature of their discipline raises particular concerns among scholars of art, artists, editors and museum curators, experts say their fears are shared across academe -- although some disciplines have worked to develop codes to help scholars navigate the murky waters of fair use. "The visual arts communities of practice share a common problem in their confusion about and misunderstanding of the nature of copyright law and the availability of fair use," reads the report, called "Copyright, Permissions, and Fair Use Among Visual Artists and the Academic and Museum Visual Arts Communities." "Their work is constrained and censored, most powerfully by themselves, because of the confusion and the resulting fear and anxiety." In addition to a lack of clarity about what is fair use -- the section of copyright law allowing for non-licensed use of copyrighted material for commentary and other "transformative" purposes -- arts professionals fear the costs, in time and dollars, of seeking out permission for licensed use, the report says. It calls these anxieties part of a larger "permissions culture," in which there is a presumption that licensed use is necessary -- even when, in reality, there are many uses for which it is not.

Does publication on the web give rise to "access" in copyright infringement analysis? (Evan Brown, 30 Jan 2014) - Plaintiff sued defendant for copyright infringement. Defendant moved for judgment on the pleadings (which is essentially the same thing as a motion to dismiss for failure to state a claim except it is after defendant files an answer). Defendant asserted that plaintiff had not pled copyright infringement because under the Seventh Circuit's "substantial similarity" test to demonstrate infringement, plaintiff had not pled defendant had "access" to the allegedly infringed work. In some copyright infringement cases, a plaintiff may not have direct evidence that the defendant committed infringement. In those situations, a finder of fact may infer that infringement has occurred when it is shown that: (a) the defendant had access to the copyrighted work; and (b) the accused work is substantially similar to the copyrighted work. In this case, defendant argued it never had access to plaintiff's designs that it was alleged to have infringed. But the court considered the online publication, 11 years ago, of plaintiff's designs, to find access for purposes of the motion for judgment on the pleadings: "With regard to online publication, in 2003, [plaintiff] first published the [allegedly infringed work] at [its website]. The Internet already was widely used and accessible at that time. Because the non-movant is entitled to reasonable favorable inferences in evaluating a motion for judgment on the pleadings, the online publication is enough to establish access for purposes of denying [defendant's] motion for judgment on the pleadings."

IT's losing battle against cloud adoption (ReadWrite, 31 Jan 2014) - Asking IT about emerging trends in enterprise computing is increasingly a fool's errand. Open source pioneer Billy Marshall once quipped that "the CIO is the last to know," because she was too far removed from what open-source code her IT team was downloading or which SaaS services they were accessing. Now this phrase may apply to entire IT organizations, with major lines of business tuning into the cloud and tuning out IT prescriptions. Of course, this has been happening for years. What's striking is just how pervasive the shift away from IT has become. We know cloud computing is big. We also know the cloud is outpacing traditional data center workloads. Cisco, for example, finds that from 2012 to 2017, data center workloads will grow a little more than two-fold while cloud workloads will grow almost four-fold. What we didn't know, however, is just how clueless enterprise IT has been about the state of cloud adoption within their own enterprises. For example, according to a report from Netskope, a cloud analytics and policy company, IT thinks it has a grasp on cloud apps running within the enterprise, but in reality it may not have the foggiest clue. IT underestimates cloud app usage within their organizations by about 10 times. That's a shocking delta between perception and reality, and means that IT has a lot of work to do, given that many of the apps being run are almost certainly not up to IT's security standards. The potential problem is widespread across the enterprise, with different groups turning to the cloud to get stuff done: Marketing (51 cloud apps per enterprise), HR (35), Storage (26), and CRM/SFA and Collaboration (23).

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Adobe users upset about secret anti-counterfeit measure (Houston Chronicle, 19 Jan 2004) -- Adobe Systems acknowledged Friday it quietly added technology to the world's best-known graphics software at the request of government regulators and international bankers to prevent consumers from making copies of the world's major currencies. Adobe, the world's leading vendor for graphics software, said the secretive technology "would have minimal impact on honest customers." It generates a warning message when someone tries to make digital copies of some currencies. The U.S. Federal Reserve and other organizations that worked on the technology said they could not disclose how it works and would not name which other software companies include it in their products. They cited concerns that counterfeiters would try to defeat it. "We sort of knew this would come out eventually," Adobe spokesman Russell Brady said. "We can't really talk about the technology itself." Microsoft spokesman Jim Desler said the technology was not built into versions of its Windows operating system. Rival graphics software by Taiwan-based Ulead Systems also blocks customers from making copies of currency. Experts said the decision by Adobe represents one of the rare occasions when the technology industry has agreed to include third-party software code into products at the request of government and finance officials. Adobe revealed it added the technology after a customer complained in an online support forum about mysterious behavior by the new $649 "Photoshop CS" software when opening an image of a U.S. $20 bill. Kevin Connor, Adobe's product management director, said the company did not disclose the technology at the request of international bankers. He said Adobe may add the detection mechanism to its other products. 
[Editor's note [2004] : This kind of secret embedding is an extremely serious matter - it has profound security and privacy implications, and affects the credibility of commercial software vendors.]

White House releases new infrastructure security directive (Computerworld, 18 Dec 2003) -- The White House yesterday released the long-awaited rewrite of a 1998 document that established critical-infrastructure protection, including cybersecurity, as a core policy of the U.S. government. But two prominent senators from opposite sides of the political aisle disagree on the new policy's direction. Homeland Security Presidential Directive-7 (HSPD-7) replaced Presidential Decision Directive-63, signed on May 22, 1998, by then-President Bill Clinton, as the main document outlining the public/private partnership needed to eliminate major vulnerabilities to the nation's critical physical and cyberinfrastructures. The new document is titled "Critical Infrastructure Identification, Prioritization and Protection." It calls for a concerted public/private effort to identify and catalog the nation's most critical infrastructure facilities and networks using geospatial imaging systems and requests detailed modeling and simulation studies to learn more about the potential effects of terrorist attacks against these infrastructures. The HSPD-7 gives the U.S. Department of Homeland Security (DHS) another year to "outline national goals, objectives, milestones, and key initiatives," even though a cybersecurity plan released in February envisioned that such work would be done much sooner. Senate Governmental Affairs Committee Chairman Susan Collins (R-Maine) praised the administration for the directive. "In the post-9/11 world, we cannot afford weak links in our critical infrastructure protection or gaps in our support for local first responders," she said. But presidential candidate Sen. Joseph Lieberman (D-Conn.), the ranking Democrat on the committee, lambasted Bush for allowing the DHS to take more time to put together yet another plan.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.