- Montesquieu, come back! (The French police already know where you are)
- A new "target" on their backs: Target's officers and directors face derivative action arising out of data breach
- Target data breach price tag: $200m
- Hulu hoops: standing & damages as threshold issues in privacy cases
- Several cybersecurity initiatives lost after Snowden's NSA leaks
- ALA launches free e-government webinar series
- Proposed patent rules: identify the true owner on pain of abandonment
- Comcast customer surprised to learn new router is also public hotspot
- Wargames test UK banks' resolve against massive cyber-attack
- No Fourth Amendment right in metadata embedded in posted photo, court holds
- Speek makes conference calls better
- Ninth Circuit allows CNN motion to dismiss captioning complaint
- Here's how Twitter might challenge the NSA's gag order
- Cryptolocker scrambles US law firm's entire cache of legal files
- SF Bar Assn Ethics Opinion 2014-1
- Israeli legal expert urges development of ethics code for cyberwarfare
- Judge blocks warrantless searches of Oregon drug database
- Federal Circuit clarifies standard for recovery of eDiscovery costs
- Spying by NSA ally entangled US law firm
- Social networking, anonymity, defamation, and privacy
- Protecting internet intermediaries
- Oklahoma makes its digital decisions the official versions
- Massachusetts court rules that state constitution requires warrant for access to two-week collection of historical cell-site records
- Mass surveillance of all car trips is nearly upon us
- Department of Homeland Security cancels national license-plate tracking plan
- Spy chief: we should've told you we track your calls
Montesquieu, come back! (The French police already know where you are) (Harvard's DMLP, 24 Jan 2014) - On December 19, 2013, the French Loi de Programmation Militaire (the Military Program law, or "LPM"), was enacted. Article 20 of the LPM, which will come into force on January 1, 2015, authorizes the government to require Internet Service Providers (ISPs) and web hosts to provide "information and documents processed or stored," including geolocation data and metadata in real time, without having to first ask for an authorization from a judge. The new law raises serious questions regarding separation of powers and the extent of administrative authority in France * * *
A new "target" on their backs: Target's officers and directors face derivative action arising out of data breach (Global Regulatory Enforcement Law Blog, 30 Jan 2014) - In the wake of its massive data breach, Target now faces a shareholder derivative lawsuit, filed January 29, 2014. The suit alleges that Target's board members and directors breached their fiduciary duties to the company by ignoring warning signs that such a breach could occur, and misleading affected consumers about the scope of the breach after it occurred. Target already faces dozens of consumer class actions filed by those affected by the breach, putative class actions filed by banks, federal and state law enforcement investigations, and congressional inquiries. This derivative action alleges that Target's board members and directors failed to comply with internal processes related to data security and "participated in the maintenance of inadequate cyber-security controls." In addition, the suit alleges that Target was likely not in compliance with the Payment Card Industry's (PCI) Data Security Standards for handling payment card information. The complaint goes on to allege that Target is damaged by having to expend significant resources to: investigate the breach, notify affected customers, provide credit monitoring to affected customers, cooperate with federal and state law enforcement agency investigations, and defend the multitude of class actions. The derivative action also alleges that Target has suffered significant reputational damage that has directly impacted the retailer's revenue.
- and -
Target data breach price tag: $200m (Corporate Counsel, 19 Feb 2014) - Banks and credit unions racked up more than $200 million in expenses from the massive Target Corp. data breach in the last quarter of 2013, trade groups for the financial institutions announced Tuesday. Payment card replacements cost $172 million for banks and $30.6 million for credit unions, according to the Credit Union National Association and Consumer Bankers Association, which has members that include Bank of America Corp., Capital One Financial Corp. and JPMorgan Chase & Co. A majority of the 40 million cardholders Target said the breach affected used cards from the associations' members. The $200 million price tag doesn't include costs from fraudulent activity. But adding in funds devoted to addressing any fraudulent activity would make the total expenses from the data breach "much higher," according to the associations.
Hulu hoops: standing & damages as threshold issues in privacy cases (Paul Hastings, Jan 2014) - Imagine you are in the mall, and you overhear an interaction between a clerk and another shopper. The clerk asks to see a drivers' license to verify their identity. The clerk then remarks, "Your age makes you eligible for our senior discount - you get 10% off on this order!" The shopper, aghast, threatens to sue the store. It's seemingly an empty threat - you can't sue without being hurt, right? According to a California magistrate judge, that's not necessarily true - at least in the context of privacy lawsuits. And as the number of privacy suits continues to skyrocket, that means the cost of doing business is about to go up. That commonsense inkling that someone must be injured in some tangible way to pursue a lawsuit (at least, a lawsuit in federal court) is codified in Article III of US Constitution, in a legal doctrine known as "standing." To show standing, a plaintiff must allege an injury that is (1) "concrete and particularized" and "actual or imminent," (2) traceable to an action by a defendant, and (3) able to be redressed by a decision of the court. This hurdle has been historically difficult to overcome in privacy suits, where the "injuries" are often nebulous concepts like a "violation of privacy" or "slowing down my computer with cookies." See, e.g., In Re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (rejecting plaintiffs' damages theories under the CFAA, holding that the cost of "remediate" cookies and the alleged decreased value of personal information fail to meet the CFAA damages requirement). But times, they are changing. The Ninth Circuit - a hotbed of innovation and the home jurisdiction for many of the tech companies being sued - has decided that in some cases, simply invoking the name of a federal statute and alleging its violation can provide standing.
Several cybersecurity initiatives lost after Snowden's NSA leaks (LA Times, 1 Feb 2014) - Early last year, as Edward Snowden was preparing to disclose classified documents he had purloined from National Security Agency computers in Hawaii, the NSA director, Gen. Keith Alexander, was gearing up to sell Congress and the public on a proposal for the NSA to defend private U.S. computer networks against cyber attacks. Alexander wanted to use the NSA's powerful tools to scan Internet traffic for malicious software code. He said the NSA could kill the viruses and other digital threats without reading consumers' private emails, texts and Web searches. The NSA normally protects military and other national security computer networks. Alexander also wanted authority to prevent hackers from penetrating U.S. banks, defense industries, telecommunications systems and other institutions to crash their networks or to steal intellectual property worth billions of dollars. But after Snowden, a contractor, began leaking NSA systems for spying in cyberspace that went public in June, Alexander's proposal was a political nonstarter, felled by distrust of his agency's fearsome surveillance powers in the seesawing national debate over privacy and national security. It was one of several Obama administration initiatives, in Congress and in diplomacy, that experts say have been stopped cold or set back by the Snowden affair. As a result, U.S. officials have struggled to respond to the daily onslaught of attacks from Russia, China and elsewhere, a vulnerability that U.S. intelligence agencies now rank as a greater threat to national security than terrorism. "All the things [the NSA] wanted to do are now radioactive, even though they were good ideas," said James Lewis, a cyber security expert at the Center for Strategic and International Studies, a nonpartisan think tank in Washington.
ALA launches free e-government webinar series (ALA, 4 Feb 2014) - The American Library Association (ALA) and the Information Policy & Access Center (iPAC) at the University of Maryland at College Park are pleased to announce the re-launch of Lib2Gov, an online e-government resource for librarians. Over the past few months, both organizations have worked to transition LibEGov - a project supported by the Institute of Museum and Library Services through a National Leadership Grant - into Lib2Gov. The redesigned website Lib2Gov allows libraries and government agencies to come together and collaborate, share resources and build a community of practice. Lib2Gov now provides a dedicated space where librarians can share materials, lesson plans, tutorials, stories, and other e-government content. The website offers a variety of resources from government agencies and organizations, including information on immigration, taxation, social security and healthcare. In a few weeks, both organizations will host a new monthly webinar series, "E-government @ Your Library." The webinars will explore a variety of e-government topics that will be of interest to librarians, including mobile government and emergency preparedness, response and recovery. All webinars are free and will be archived on the Lib2Gov site. The webinar schedule for Winter/Spring 2014 * * *
Proposed patent rules: identify the true owner on pain of abandonment (Patently-O, 5 Feb 2014) - In one of her first acts as de facto USPTO Director, Michelle Lee has proposed a new set of rules associated with patent assignment recordation. The proposal is quite complicated (occupying 18,000 words in the Federal Register) but the general idea is (1) that information regarding who owns which patents should be available to the public; (2) some rights-holders have been taking steps to hide their identity; and therefore (3) the USPTO proposes to require greater transparency. Although the proposal is signed by Deputy Director Lee, it was a White House initiative well before she took office: The Office is proposing … to require that the attributable owner, including the ultimate parent entity, be identified … on filing of an application (or shortly thereafter), when there is a change in the attributable owner during the pendency of an application, at the time of issue fee and maintenance fee payments, and when a patent is involved in supplemental examination, ex parte reexamination, or a trial proceeding before the Patent Trial and Appeal Board (PTAB). The Office is also seeking comments on whether the Office should enable patent applicants and owners to voluntarily report licensing offers and related information to the Office, which the Office will then make available to the public in an accessible online format. See also Whither the USPTO's authority to require ownership recordation (Patently-O, 10 Feb 2014)
Comcast customer surprised to learn new router is also public hotspot (ArsTechnica, 5 Feb 2014) - Comcast customer Ronaldo Boschulte didn't know exactly what he was getting when the company swapped his malfunctioning modem for a new one. The cable modem doubles as a Wi-Fi router - that much he was expecting. But he didn't realize the router would, by default, broadcast a public Wi-Fi network that anyone with a Comcast account could connect to. Comcast started adding the public hotspot to its modems by default in mid-2013, as we reported at the time. Customers can turn the second signal off if they choose, but it's definitely an opt-out program rather than opt-in. In an FAQ, Comcast doesn't provide instructions for turning it off manually. You have to call Comcast for that. "You will always have the ability to disable the XFINITY Wi-Fi feature on your Wireless Gateway by calling 1-800-XFINITY," the company says. Presumably, a customer service representative will try to talk you out of disabling it. The second network won't slow your primary connection down, at least not much. "The broadband connection to your home will be unaffected by the XFINITY Wi-Fi feature," Comcast says. "Your in-home Wi-Fi network, as well as XFINITY Wi-Fi, use shared spectrum, and as with any shared medium there can be some impact as more devices share Wi-Fi. We have provisioned the XFINITY Wi-Fi feature to support robust usage, and therefore, we anticipate minimal impact to the in-home Wi-Fi network."
Wargames test UK banks' resolve against massive cyber-attack (ZDnet, 5 Feb 2014) - The Bank of England has published the findings of a war-gaming exercise that saw banks trying to defend against a theoretical cyber-attack from a hostile nation. The war-gaming exercise, dubbed "Waking Shark II", was held in November last year and was designed to rehearse the response of the banking sector - including investment banks and key financial market infrastructure - to a concerted cyber-attack. The Bank of England's report said the event "successfully demonstrated cross sector communications and coordination", but said it also identified some issues to be addressed. The report noted that the objective was to place the banking sector "under severe stress" and as such it admitted that some of the elements it featured "were extreme relative to the cyber-attacks that have been seen to date". The scenario of Waking Shark II was a concerted cyber-attack against the UK financial sector by a hostile nation state "with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure". It was set over a three-day period, the last day of which happened to coincide with a so-called 'Triple Witching' when contracts for stock index futures, stock index options and stock options all expire on the same day. Bank of England Report on UK Financial Sector Cyberattack Exercise is here.
No Fourth Amendment right in metadata embedded in posted photo, court holds (Volokh Conspiracy, 6 Feb 2014) - I'm guessing we all know that you don't have a reasonable expectation of privacy in photographs that you post on the public Internet. Government investigators don't violate privacy rights by looking at photos posted on the web for all to see. But what about the metadata embedded in those photographs? And what if it's a website only accessible using the TOR browser? In a case handed down last week, United States v. Post, a district court held that the Fourth Amendment still offers no protection. The decision was authored by Judge Gregg Costa, a recent nominee to the U.S. Court of Appeals for the Fifth Circuit. Post is interesting not just for its holding but also for its facts. Investigators discovered a website devoted to child pornography. The website was viewable only using the TOR browser, much like the Silk Road website that was used to trade illegal narcotics. We don't know the entirety of the investigation, but in at least one instance the agents tried to retrieve the location metadata embedded in an image of child pornography they found on the site. In his suppression motion, Post acknowledges that he had no expectation of privacy in the image that he uploaded to the website, but contends that he did retain a privacy interest in the embedded metadata because he did not realize he was releasing that information and he intended to remain anonymous. In other words, he would split the image into two distinct parts, one of which the government could obtain because it was placed in the public domain and one of which it could not. Judge Costa disagreed: [Post] gave up his right to privacy in that image once he uploaded it to the internet, and that thing he publicly disclosed contained the GPS coordinates that led agents to his home.
There is no basis for divvying up the image Post uploaded into portions that are now public and portions in which he retains a privacy interest.
Speek makes conference calls better (InsideHigherEd, 6 Feb 2014) - Earlier this week I was scheduled to be on a conference call. I dialed in, entered in my pin, and was told by an automated voice that I was the first person on the call. After five minutes of elevator music, I hung up and dialed in again. Once again, the system told me that I was the only person on the call. Sensing a glitch in the system, I sent out a few emails to the other individuals on the call. Apparently, they had successfully dialed into the call and I had used a wrong number. It was yet another chapter in my seemingly endless array of unfortunate conference call experiences. Next time a conference call needs to happen, I'm going to recommend that we try using Speek. Speek simplifies the conference call experience by eliminating some of the complicated elements of the genre. Instead of using a unique phone number or pin, users are directed to an easy to remember URL (e.g. speek.com/yourconferencecall). Additionally, the web-based interface allows you to see who is talking at any given time. It's like a visual walkie talkie. Anything that eliminates that awful aspect of talking over someone on a conference call is a huge victory in my book. The free version of Speek has a 5 caller limit. However, let's be honest, do we really need more than 5 people on a conference call? You also get a dedicated conference bridge, the aforementioned visual interface, call history/analytics, message/file sharing, and the option for Speek to call you after you enter your phone number into their website.
Ninth Circuit allows CNN motion to dismiss captioning complaint (Broadcasting & Cable, 7 Feb 2014) - A California court has backed a CNN argument that it did not have to closed-caption online clips. A three-judge panel of the U.S. Court of Appeals for the Ninth Circuit earlier this week vacated a district court's order denying CNN's motion to dismiss a lawsuit by the Greater Los Angeles Agency on Deafness (GLAAD) that sought to force CNN to caption video clips on its Web site, arguing that not to do so violated the state's Disabled Persons Act (DPA). The Court found that the claim of equal access under DPA was trumped by a California statute providing "for the early dismissal of meritless lawsuits arising from a defendant's conduct in furtherance of its free speech rights." It said the California legislature had made it clear that statute was to be read broadly. The court also found that GLAAD was unlikely to win under invocation of California's Unruh Civil Rights Act because it had not shown an intent to discriminate by CNN based on disability. But the court breathed some life into the GLAAD argument by leaving open the question of whether DPA applied in the case of accessibility via Web captions. CNN said DPA did not apply to virtual locations like the Internet. The Ninth Circuit panel reserved judgment and asked the Supreme Court to weigh in on that question, saying "The final question, whether the DPA applies to websites, is an important question of California law and raises an issue of significant public concern."
Here's how Twitter might challenge the NSA's gag order (Washington Post, 10 Feb 2014; interview with Eugene Volokh) - The United States government limits how much companies can disclose about their cooperation with surveillance by the National Security Agency and other federal agencies. Government officials have insisted that Internet companies such as Google and Microsoft report the number of surveillance requests only in broad numeric ranges. In a Thursday blog post, Twitter wrote that it was unsatisfied with this arrangement, and was "considering legal options we may have to seek to defend our First Amendment rights." The company argues that it has a right to disclose specific details about the extent of its participation in U.S. surveillance programs. Would such a legal challenge succeed? To find out, I asked Eugene Volokh, a prominent First Amendment scholar at the University of California-Los Angeles. His blog, the Volokh Conspiracy, is hosted by the Washington Post. We spoke by phone on Friday. The transcript has been edited for length and clarity * * *
Cryptolocker scrambles US law firm's entire cache of legal files (Computerworld, 10 Feb 2014) - A small US law firm has bravely admitted losing its entire cache of legal documents to the Cryptolocker Trojan despite attempting to pay the $300 (£180) ransom in a bid to have them unscrambled. According to TV reports, Goodson's law firm in North Carolina's largest city Charlotte became the latest victim of a malware menace that was custom-written to lever ransom money from precisely this type of relatively cash-rich but time-poor firm. The email infected a company server holding thousands of important documents after an email with a malicious attachment was mistaken for a message sent from the firm's phone answering service. That error left every single document used by the firm on its main server in an encrypted state, including Word, WordPerfect and PDF files, said Goodson's owner, Paul M. Goodson. "The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it," Goodson said. After IT staff were unable to make any headway against the malware's encryption, Goodson tried to pay the ransom but discovered that the grace period - another nasty aspect of Cryptolocker - had expired. The only blessing was that the malware had scrambled files and not stolen them, Goodson added. According to the Wsoctv TV channel, local police were aware of at least 30 cases where paying the ransom had resulted in an unlock key being delivered. Balancing this, we should point out that not everyone has reported having this success.
SF Bar Assn Ethics Opinion 2014-1 -- ISSUE: May an attorney respond to a negative online review by a former client alleging incompetence but not disclosing any confidential information where the former client's matter has concluded? If so, may the attorney reveal confidential information in providing such a response? Does the analysis change if the former client's matter has not concluded? DIGEST: An attorney is not ethically barred from responding generally to an online review by a former client where the former client's matter has concluded. However, the duty of confidentiality prevents the attorney from disclosing confidential information about the prior representation absent the former client's informed consent or waiver of confidentiality. This Opinion assumes the former client's posting does not disclose any confidential information and does not constitute a waiver of confidentiality or the attorney-client privilege. While the online review could have an impact on the attorney's reputation, absent a consent or waiver, disclosure of otherwise confidential information is not ethically permitted in California unless there is a formal complaint by the client, or an inquiry from a disciplinary authority based on a complaint by the client. Even in situations where disclosure is permitted, disclosure should occur only in the context of the formal proceeding or inquiry, and should be narrowly tailored to the issues raised by the former client. If the matter previously handled for the former client has not concluded, depending on the circumstances, it may be inappropriate for the attorney to provide any substantive response in the online forum, even one that does not disclose confidential information.
Israeli legal expert urges development of ethics code for cyberwarfare (Homeland Security News Wire, 11 Feb 2014) - Israel is already engaged in a cyber arms race with its adversaries, but some of the cyberattacks Israel has launched, and which have been launched against it, may not be permissible in the legal regime which is slowly developing, according to a former IDF deputy military advocate general. "Israel faces a complex and challenging period in which we can expect both a cyber arms race with the participation of state and non-state entities, and a massive battle between East and West over the character of the future legal regime," writes Col. Sharon Afek in a study crafted as part of his research at the National Defense College. Haaretz reports that Afek presents a number of directions in which cyber law may develop, but he says that it is unlikely that in the near term formal regulations will be drawn up. Only a catastrophic event like "Pearl Harbor or Twin Towers attack in cyberspace" would accelerate developments in this area. Afek notes that existing law already prohibits cyber operations which would directly lead to loss of life, injury, or property damage, such as causing a train to derail or undermining a dam. What do existing norms say about cyber operations which do not cause physical damage but still cause significant harm? "One can create effects in cyberspace that fundamentally undermine the stability of nations through operations that are not kinetic," writes Afek, referring to operations which do not involve conventional weapons. "Cybernetic tools and capabilities that no one thought to forbid are liable to bring results perceived as a pretext for war."
Judge blocks warrantless searches of Oregon drug database (Reuters, 12 Feb 2014) - A federal judge ruled on Tuesday that U.S. government attempts to gather information from an Oregon state database of prescription drug records violates constitutional protections against unreasonable search and seizure. The American Civil Liberties Union hailed the decision, in a case originally brought by the state of Oregon, as the first time a federal judge has ruled that patients have a reasonable expectation of privacy in their prescription records. The Oregon Prescription Drug Monitoring Program database was created by the state legislature in 2009 as a tool for pharmacists and physicians to track prescriptions of certain classes of drugs under the federal Controlled Substances Act. Some seven million prescription records are uploaded to the system every year, according to court documents. The state mandated privacy protections for the data, including a requirement that law enforcement could only obtain information from the network with a warrant. But the DEA claimed federal law allowed the government to access the database using only an "administrative subpoena", which does not require a finding of probable cause for believing a crime has been committed or a judge's approval. U.S. District Judge Ancer Haggerty in Portland ruled that the DEA's efforts to obtain Oregon's prescription records without a warrant violate Fourth Amendment safeguards against searches and seizures of items or places in which a person has a reasonable expectation of privacy.
Federal Circuit clarifies standard for recovery of eDiscovery costs (Today's General Counsel, 12 Feb 2014) - As many recent litigants know, the costs of eDiscovery can be enormous. Therefore, the ability to recover those costs can have a significant impact on a company's bottom line - from tens to hundreds of thousands of dollars. In a recent case, CBT Flint Partners, LLC v. Return Path, Inc., 2013-cv-1036 (Fed. Cir. December 13, 2013), the U.S. Court of Appeals for the Federal Circuit addressed the recoverability of eDiscovery costs. This decision is important because it offers a guideline for making such determinations, and also purports to be "consistent with" other circuits that have interpreted section 1920(4). In CBT Flint, the Federal Circuit analyzed the legislative history of section 1920, and reviewed the Sedona Conference principles and other federal court decisions. The opinion contains a detailed analysis regarding which costs are recoverable under section 1920(4). In a nutshell, the Federal Circuit found that section 1920 applies only to documents produced pursuant to Rule 26 or other discovery rules, and thus does not apply to documents a party creates for its own litigation or other use. The Federal Circuit broadly stated the guideline as follows: "[R]ecoverable costs under section 1920(4) are those costs necessary to duplicate an electronic document in as faithful and complete a manner as required by rule, by court order, by agreement of the parties, or otherwise . . . . But only the costs of creating the produced duplicates are included, not a number of preparatory or ancillary costs commonly incurred leading up to, in conjunction with, or after duplication."
Spying by NSA ally entangled US law firm (NYT, 15 Feb 2014) - The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers. A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the United States. The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance. The government of Indonesia had retained the law firm for help in trade talks, according to the February 2013 document. It reports that the N.S.A.'s Australian counterpart, the Australian Signals Directorate, notified the agency that it was conducting surveillance of the talks, including communications between Indonesian officials and the American law firm, and offered to share the information. The Australians told officials at an N.S.A. liaison office in Canberra, Australia, that "information covered by attorney-client privilege may be included" in the intelligence gathering, according to the document, a monthly bulletin from the Canberra office. The law firm was not identified, but Mayer Brown, a Chicago-based firm with a global practice, was then advising the Indonesian government on trade issues. On behalf of the Australians, the liaison officials asked the N.S.A. general counsel's office for guidance about the spying. The bulletin notes only that the counsel's office "provided clear guidance" and that the Australian agency "has been able to continue to cover the talks, providing highly useful intelligence for interested US customers."
[Polley: There's so much here, I don't know where to start… perhaps, to wonder who are "interested US customers" that benefit from this collection? Is there a terrorism component? Does Australia recognize US attorney/client privilege? Does NSA care? In the meantime, see the related posting below under PODCASTS.]
Social networking, anonymity, defamation, and privacy (MLPB, 18 Feb 2014) - Eva Nagle, National University of Ireland, Maynooth, Department of Law, has published 'Unringing' the Bell that Has Sounded so Loudly: Maintaining Anonymity When Suing for Defamation and Breach of Privacy in the Internet Realm. Here is the abstract: Social networking websites have become a far more potent tool than merely a means of posting photographs of your last holiday online. They can be used to create a "buzz" around a new business, to organise a protest or to assist with some amateur detective work - which was at the centre of the Irish "Internet privacy" case of McKeogh v John Doe 1 (User Name Daithii4u) and others (hereafter, McKeogh). It is axiomatic that these novel uses of social networks such as Twitter, Facebook and YouTube create serious implications for privacy and defamation law in the online world. Some of the contemporary challenges to privacy law that are posed by such websites are encapsulated in the case of McKeogh.
Protecting internet intermediaries (Project Disco, 18 February; by Cathy Gellis) - What would the Internet be without its intermediaries? Nothing, that's what. Intermediaries are what carry, store, and serve every speck of information that makes up the Internet. Every cat picture, every YouTube comment, every Wikipedia article. Every streamed video, every customer review, every online archive. Every blog post, every tweet, every Facebook status. Every e-business, every search engine, every cloud service. No part of what we have come to take the Internet for exists without some site, server, or system intermediating that content so that we all can access it. And yet, if we're not careful, we can easily lose all the benefits these intermediaries bring us. Thankfully, in the United States we have some laws that help ensure they can exist, chief among them 47 U.S.C. Section 230. As my recent paper on the state of the law regarding intermediary liability explains, this law stands for the proposition that intermediaries are only responsible for what they themselves communicate through their systems - not what others use them to say. For example, newspapers that post articles online are only responsible for the content of the articles they publish, not the comments readers then post to them. Similarly consumer review sites are only responsible for the information they supply to their sites, not the user reviews themselves. This same principle also means that people who link to content (as search engines do) are not legally responsible for that content, even if that content should happen to be illegal in some way (like by being potentially defamatory). [Polley: pretty useful primer on intermediary liability.]
Oklahoma makes its digital decisions the official versions (Geek Law Blog, 18 Feb 2014) - I'm not sure how I missed this big news coming out of the Oklahoma Supreme Court, but it is something that has made me very happy, and very proud to have played a small part over a decade ago. Peter Martin pointed out on his blog that the Oklahoma Supreme Court, as of January 1, 2014, has become the official publisher of the state's appellate court decisions and will distribute those decisions through The Oklahoma State Courts Network ( http://www.oscn.net ). All other publishers, including West Publishing, will be unofficial publishers. This is a big deal, considering that West had been the official publisher for sixty years. Here is a blurb from the Oklahoma Supreme Court decision, 2013 OK 109 * * *
Massachusetts court rules that state constitution requires warrant for access to two-week collection of historical cell-site records (Volokh Conspiracy, 18 Feb 2014) - The Massachusetts Supreme Judicial Court has issued a new decision interpreting the Massachusetts constitution to require a search warrant for access to a two-week span of historical cell-site information. The court divided by a vote of 5-2. Note that the decision did not interpret the Fourth Amendment of the federal constitution, but rather interpreted Article 14 of the Massachusetts Declaration of Rights. This means that the decision is binding on Massachusetts state law enforcement, but it does not apply to federal law enforcement (whether in Massachusetts or outside it). The decision appears to adopt a mosaic theory for the state constitution, by which the time of surveillance determines what is a state-constitution search. In this case, the government obtained a court order requiring the cell-phone provider to hand over historical cell-site records covering a two week period. The Massachusetts court concludes that if the court order had covered a short time, it would not have triggered the state constitution. But by ordering the disclosure of records covering a two week period, that was long enough to trigger a warrant requirement under the state constitution.
Mass surveillance of all car trips is nearly upon us (The Atlantic, 19 Feb 2014) - Is the relative anonymity the open road has long afforded something we're ready to give up? In an up or down vote, I'm confident the American people would say, "Hell no." But automatic license-plate readers threaten much of the privacy we've always enjoyed, on the road and at our destinations of choice, as never before. These devices garnered a bit of attention last summer, when the ACLU reported on how many states and localities have installed them on patrol cars, bridges, and highway overpasses, where they capture images of every passing vehicle. The intention is often to find stolen cars or to catch drivers evading warrants for their arrest. Yet in most cases, "these systems are configured to store the photograph, the license plate number, and the date, time, and location where all vehicles are seen - not just the data of vehicles that generate hits," the ACLU explained. "All of this information is being placed into databases, and is sometimes pooled into regional sharing systems .... All too frequently, these data are retained permanently and shared widely with few or no restrictions on how they can be used." The potential for abuse was obvious. Now the federal government intends to build a national license-plate-reader database. A Department of Homeland Security spokesperson told Ars Technica that Immigration and Customs Enforcement (ICE), "is exploring the ability to obtain access to a National License Plate Recognition database - allowing officers and agents to identify subjects of ongoing criminal investigations." The Washington Post got an official response too. "It is important to note that this database would be run by a commercial enterprise," ICE said, "and the data would be collected and stored by the commercial enterprise, not the government." Is that supposed to reassure? A private database that's inaccessible to the government would offer some protections. So would a government database that no private entity could exploit. A database of our movements that is privately held and accessible to the government is the worst possible combination.
- and, a few hours later -
Department of Homeland Security cancels national license-plate tracking plan (Washington Post, 19 Feb 2014) - Homeland Security Secretary Jeh Johnson on Wednesday ordered the cancellation of a plan by the Immigration and Customs Enforcement agency to develop a national license-plate tracking system after privacy advocates raised concern about the initiative. [Polley: Color me skeptical, again: see posting immediately below.]
Spy chief: we should've told you we track your calls (Daily Beast, 17 Feb 2014) - In an exclusive interview with The Daily Beast, Clapper said the problems facing the U.S. intelligence community over its collection of phone records could have been avoided. "I probably shouldn't say this, but I will. Had we been transparent about this from the outset right after 9/11 - which is the genesis of the 215 program - and said both to the American people and to their elected representatives, we need to cover this gap, we need to make sure this never happens to us again, so here is what we are going to set up, here is how it's going to work, and why we have to do it, and here are the safeguards… We wouldn't have had the problem we had," Clapper said. [Polley: Nuts. They DID tell us way-back-when - see Markoff's 9 Nov 2002 NYT article in MIRLN 5.15 - part of Admiral Poindexter's swan-song. And when the blow-back was too intense, they said they wouldn't do it - see Wired's 14 July 2003 article in MIRLN 6.10.]
Critical cyber issues affecting you today (ABA Cybersecurity Legal Task Force, 8 February 2014; 90 minutes) - Recent losses that have been reported at Target and Neiman Marcus have brought to the front pages of the news how important cybersecurity is to the private sector. In the wake of the Snowden and Manning revelations, it is increasingly harder for both the government and the private sector to protect their assets and secrets. In short, law firms and government law departments continue to be prime targets due to the valuable client information they hold. The ABA Cybersecurity Legal Task Force and its Sections and Committees have produced a number of books, articles, and pamphlets to help focus the legal community on these issues. The panel discussed current cyber threats, applicable laws, and the ethical standards lawyers need to be aware of in this dangerous arena. Panelists include MIRLN editor Polley.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
FDIC guidance on instant messaging (FDIC, Sept 2004) - "This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations."
Athens 2004 website restrictions spark legal debate (Globe & Mail.com, 20 August 2004) -- Olympic organizers in Athens seeking to control which websites can link to the official Games site have detailed a procedure that runs roughshod over the free-linking foundation of the Internet, legal observers say. According to the "hyperlink policy" listed on the Athens 2004 site, anyone wanting to post a link must first send a request that includes a description of their site, reason for linking and length of period it will be published. Howard Knopf, a Canadian trademark lawyer who is now director for the Center of Intellectual Property Law at Chicago's John Marshall Law School, said organizers have no legal authority to prevent people from simply linking to the website. "If they leave their website open, it's like a public park, people are free to walk in it, and a link is just the most efficient way to get there," he said. The hyperlink policy, which also strictly regulates the text and graphic of a link, is another example of Olympic organizers aggressively protecting the Olympic trademark. "Of course, normally, you can link wherever you want. We're just asking people to respect the rules," said Christina Fotinopoulou, Internet content manager for Athens 2004.
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:email@example.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.