Saturday, March 15, 2014

MIRLN --- 23 Feb – 15 March 2014 (v17.04)

MIRLN --- 23 Feb - 15 March 2014 (v17.04) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | PODCASTS | LOOKING BACK | NOTES

Data governance plans: many companies don't have one (Information Week, 3 Feb 2014) - Forty-four percent of companies don't have a formal data governance policy, and 22% of firms without a data policy have no plans to implement one. That's one of the key findings of a newly released data governance survey conducted by Rand Secure Data, a division of Rand Worldwide. Rand's 2013 Data Governance Survey included responses from 454 organizations regarding the state of their in-house data governance policies. Survey respondents included representatives from well-known private and public-sector enterprises, including Disney, Motorola, Shell, the City of Los Angeles, and the University of Virginia. The report makes it clear that data governance, such as a set of enterprise-wide processes for managing data archiving, backup, and e-discovery, isn't new to large organizations. But the number of respondents who said their company lacks a formal data governance policy is surprisingly high. Some survey respondents said this lack of planning could have unwanted consequences. "If we don't get a decent data governance strategy and acceptable data governance statutes in place over the next two years, we will face the risk of losing data, losing control and track of data, and lawsuits," one respondent wrote. The survey also found a strong link between the participation of C-level executives in creating a data governance policy and the success of data management within the enterprise. In fact, when the C-suite is either "very" or "extremely" involved, the organization is three times less likely to "experience complete data loss or a data audit failure," the survey found. The report concludes with four recommendations: * * *

top

US takes the gold in doling out privacy fines (Computerworld, 17 Feb 2014) - The European Union is threatening to suspend the U.S.-EU Safe Harbor agreement that U.S. companies depend on to do business with Europe, claiming that America doesn't enforce its side of the bargain. Any way you cut the data, however, the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.

top

SEC pays close attention to cybersecurity issues (Blank Rome, 19 Feb 2014) - On February 14, 2014, the SEC announced that it will hold a cybersecurity roundtable on March 26 to discuss the issues and challenges cybersecurity raises for investors and public companies. The SEC's roundtable comes on the heels of recent widely publicized security breaches at Target and Neiman Marcus. As the SEC stated in its press release, "[c]ybersecurity breaches have focused public attention on how public companies disclose cybersecurity threats and incidents." The most recent SEC guidance on cybersecurity disclosures was issued in October 2011 ( CF Disclosure Guidance: Topic No. 2, Cybersecurity ). Without creating new obligations, the SEC clarified how its existing rules and regulations provided framework for public company's disclosure relating to cybersecurity risks and cyber incidents. After this guidance, cybersecurity related disclosures became mainstream in an annual report on Form 10-K, especially a cybersecurity risk factor. For example, last year's Annual Report on Form 10-K of Target Corporation included the following risk factor disclosures: "… if Target.com and our other guest-facing technology systems do not reliably function as designed, we may experience a loss of guest confidence, data security breaches, lost sales or be exposed to fraudulent purchases, which, if significant, could adversely affect our reputation and results of operations."

top

Traditional insurance policies may cover cyber risks (Hunton & Williams, 19 Feb 2014) - Insurers often contend that traditional policies do not cover cyber risks, such as malware attacks and data breach events. They argue that these risks are not "physical risks" or "physical injury to tangible property." A recent cyber attack involving ATMs, however, calls this line of reasoning into question. The attack involved breaking open ATMs and inserting USB sticks containing a dynamic-link library ("DLL") exploit. These types of attacks generally work by "tricking" a Windows application to load a malicious file with the same name as a required DLL . In this case, when the ATMs were rebooted they loaded the malicious code onto the machines. The perpetrators later entered a code into the ATMs that triggered the malware and enabled the withdrawal of all cash in the ATM. These attacks demonstrate how a cyber risk can, in fact, be a risk of physical injury. To upload the malware, the attackers had to physically break open the ATMs to insert a foreign device (the USB stick), plainly causing a physical injury to tangible property. Indeed, injecting malware generally requires physical access to a device, whether over a wireless or wired network or through actual contact, and a physical rearrangement of memory. That said, the risk of physical injury associated with cyber crimes does not mean that policyholders should not buy appropriate cyber insurance. Insurers have incorporated exclusions in many traditional policies that may exclude coverage for damage caused by malicious code. But where those exclusions are limited, or absent, policyholders should check their traditional policies for coverage. Those polices may offer protection, even without a separate cyber insurance policy.

top

- OTOH -

First Judicial ruling says no CGL coverage for data breaches (Wiley Rein, 26 Feb 2014) - Policyholder efforts to shoehorn coverage for data breach liability into the personal and advertising liability coverage of Commercial General Liability (CGL) policies suffered a setback this week. A New York trial court has held that the theft of information by third-party hackers breaking into a computer system does not qualify as "oral or written publication in any manner of material that violates a person's right of privacy" for purposes of personal and advertising injury coverage (Coverage B) in a CGL policy. Zurich Am. Ins. Co. v. Sony Corp. of Am. , 651982/2011 (N.Y. Sup. Ct., N.Y. Cnty. Feb. 21, 2014). Describing the case before it as the only "data breach case of this magnitude involving" CGL policies, the court agreed with insurer arguments concerning the scope and intent of coverage for "oral or written publication in any manner of material that violates a person's right to privacy." This provision, the court concluded, requires "an act by or some kind of act or conduct by the policyholder in order for coverage to be present."

top

Fair Use may be headed down under (EFF, 19 Feb 2014) - The Australian government may soon introduce major copyright reforms, including the possibility of adding a fair use doctrine similar to that of the United States. Fair use was central among the 30 recommendations to come out of a nearly two-year study by the Australian Law Reform Commission published late last week. As the report states, "Australia is ready for, and needs, a fair use exception now." Australia, like most Commonwealth countries, has a list of specific copyright exceptions known as "fair dealing." While fair use provides a general set of factors to consider when evaluating a use-and can thus accommodate new uses that haven't yet been imagined-fair dealing provisions in each country outline an exhaustive list of acceptable uses. Australia's fair dealing laws currently allow research or study, review or criticism, news reporting, legal advice, and since 2006 , parody or satire.

top

ABA asks NSA how it handles attorney-client privileged information in intelligence work (ABA Journal, 21 Feb 2014) - The American Bar Association sent a letter to the National Security Agency on Feb. 20 expressing concerns over recent allegations of possible foreign government surveillance of American lawyers' confidential communications with their overseas clients and the subsequent sharing of the privileged information with the NSA. The ABA also requested clarification on the agency's current policies and practices designed to protect the attorney-client privileged information that it intercepts or receives and whether those directives were followed in connection with the alleged incident. An article in The New York Times alleges that the Australian Signals Directorate intercepted privileged communications between the government of Indonesia and an American law firm and then shared the information with the NSA. Citing that allegation, ABA President James R. Silkenat expressed concern that if confidential information was intercepted and shared with the NSA, it could be improperly utilized by the U.S. government or third parties.

"The attorney-client privilege is a bedrock legal principle of our free society and is important in both the civil and criminal contexts," Silkenat wrote. "It enables both individual and organizational clients to communicate with their lawyers in confidence, which is essential to preserving all clients' fundamental rights to effective counsel."

The ABA further urged the NSA not to actively seek confidential communications between U.S. law firms and their clients. If confidential information is obtained by the NSA inadvertently or from a foreign intelligence service, Silkenat wrote that the NSA should respect attorney-client privilege and take all appropriate steps to ensure that any such information is not further disseminated to other agencies or third parties. Silkenat's letter to NSA Director Gen. Keith B. Alexander and NSA General Counsel Rajesh De is available here . [ Polley : thorough EFF posting on the subject is here: Legal community disturbed about recent allegations of spying on privileged communications (EFF, 22 Feb 2014). The ABA receives an essentially contentless response from the NSA on March 10 - NSA tells ABA it is 'firmly committed' to rule of law and 'bedrock' attorney-client privilege (ABA Journal, 11 March 2014).]

top

- and -

FBI alerts judges and prosecutors that their courthouse calls and texts were monitored (ABA Journal, 24 Feb 2014) - Judges, prosecutors, defense lawyers and others in Texas who conduct business at the Bexar County Courthouse got letters from the FBI recently telling them that their phone calls and text conversations had been monitored. At the center of the eavesdropping is a lawyer who is cooperating in a judicial corruption investigation. He told Fox 29 News that he has worn a wire but is not facing any charges. The San Antonio Express-News provides details about the letters, at least one of which was shown to the newspaper.

top

- and -

International Court of Justice bans Australian spying on East Timor and its lawyers (Lawfare, Benjamin Wittes, 4 March 2014) - Speaking of Australian spying on its regional neighbors and its lawyers, which we were the other day , the International Court of Justice has handed down a decision in a dispute between Australia and East Timor. Here's the Brisbane Times on the decision , which I have not read yet: Australia has been ordered to cease spying on East Timor and its legal advisers, in a landmark decision by the International Court of Justice relating to a bitter dispute between the two countries over $40 billion of oil and gas reserves in the Timor Sea. The court also ruled that the Australian government must seal documents and data seized in an ASIO raid in December. The ICJ is the United Nations' top court, and its decisions are binding on members. The decision is a major setback for Attorney-General George Brandis, who authorised the raid on East Timor's Australian lawyer Bernard Collaery, where about a dozen agents swooped on his office and took reams of material, including legal documents, electronic files and a statement by a former Australian Secret Intelligence Service agent alleging an eavesdropping operation on the tiny half island nation by Australia.

top

- and -

Canadians beat US hockey teams; NSA next (Steptoe, 6 March 2014) - After defeating the U.S. men's and women's hockey teams in Sochi, Canada is now setting its sight on the NSA. Last month, in In the Matter of the Extradition Act, the Supreme Court of British Columbia ordered a hearing on assertions that the NSA spied on participants in the Canadian legal system, and on whether Canadian intelligence has any evidence regarding such actions. The case highlights the concrete problems that NSA revelations could cause for U.S. interests abroad.

top

HHS wants to mine social media during health emergencies (NextGov, 21 Feb 2014) - The Health and Human Services Department's emergency management office is considering buying a social media mining tool to help it assess public health threats during natural disasters, terrorist attacks and other health emergencies, contracting documents show. The proposed tool would complement traditional data analysis the office already uses to spot, analyze and respond to health emergencies, according to the sources sought notice posted on Tuesday. The department is asking possible vendors to show their tools' value by demonstrating how they could have alerted officials to which hospitals were being evacuated during Superstorm Sandy or how they could spot a change in the social media conversation that might suggest an outbreak of Avian Flu or Middle East Respiratory Syndrome, known as MERS . Academic researchers have used Twitter mining to produce more timely data on flu outbreaks and the spread of flu than the Centers for Disease Control's flu reports. "Social media and open source data analytics play an important role in filling gaps in traditional data collection and help our office provide insights to decision makers to aid them in making informed decisions to protect the health and welfare of impacted populations during emergencies," the document states. A sources sought notice means the department is merely assessing the quality of available technology and hasn't committed to buying any new technology or services. The proposed tool would include access to Twitter's full "firehose," meaning the department would have near-real time access to 100 percent of tweets that fall into certain pre-selected categories. It would also include five years of historical tweets and the ability to monitor tweets about selected public health issues and be alerted to any changes in their tone or frequency. It would also include the ability to parse tweets geographically to at least the state level and to export analysis into graphs and charts.

top

Cool or creepy? A clip-on camera can capture every moment (NPR, 24 Feb 2014) - With digital cameras and camera phones everywhere, there are few moments we don't document. But some designers still think we're missing the opportunity to capture some important, simple moments. The solution: the Narrative Clip, a wearable camera that automatically and silently snaps an image every 30 seconds. "The dream of a photographic memory has come true," reads the box. The Narrative is now on the market and sells for $279 . The Narrative Clip is a lightweight square only a smidge larger than a postage stamp. A tiny lens is in the corner, capable of shooting 5-megapixel images. You clip it to your lapel and it starts shooting two photos a minute. Later, you can simply connect it to your computer to store the photo stream. A Narrative app then organizes what it thinks are the best shots of the day. "I don't even have to try to remember anything. Great. I'm just gonna turn my brain off now. This is crazy," Claire said. Or is it? Narrative's founder, a Swedish designer named Martin Kallstrom, says his wearable camera reacts to a real need: We don't often capture simple or serendipitous moments because we don't know they're significant until later.

top

A simpler [university] IP process (InsideHigherEd, 25 Feb 2014) - In an attempt to make it easier for researchers to commercialize their work, officials at Cornell University's New York City campus are reconsidering how they make money off intellectual property. Instead of going through a laborious revenue-sharing negotiation with researchers who believe they have a valuable idea, an institute at Cornell Tech is going to let a set of postdocs keep exclusive license to their IP and take a fixed dollar amount of equity if the researchers create a spinoff company. Officials believe this simple deal will cut through red tape that discourages both inventors and investors from working with academic software developers. The institution's experiment comes at a time of much debate about how universities take new technologies from collegiate laboratories to the commercial marketplace. The Joan and Irwin Jacobs Technion-Cornell Innovation Institute -- a joint nonprofit created by Cornell and Technion, an Israeli-based technology institute, and temporarily housed in Google's Manhattan office -- is modeling its role after that of angel investors, which typically invest up to $200,000 in companies just getting off the ground. The institute is considering postdocs' salary and time on campus as an angel investment worth $150,000. If the postdoc decides to create a spinoff, that $150,000 would be converted to equity in the resulting startup company -- roughly 5 percent for a startup that got a few million dollars in initial funding. But unlike other universities that ask for equity, the institute's stake would automatically shrink as new investors put in money, said the institute's director, Adam Shwartz.

top

Netflix deal shows peril of Comcast-Time Warner plan (San Jose Mercury News editorial, 25 Feb 2014) - Netflix's agreement to pay Comcast for smoother streaming of movies and TV shows marks the end of an era for the Internet. It should send shivers down the spines of anybody who relies on online information. It also should galvanize the FCC and Department of Justice to reject the $45 billion merger of Comcast and Time Warner, which would compound the potential for limiting the flow of knowledge. The deal marks the first time an Internet content provider has agreed to pay for direct access to a broadband provider's customers. It's a direct hit on the concept of an open, free Internet, a principle that helped unleash the Information Age and transformed the world. * * * The FCC and advocates of a free, open Internet have a huge challenge ahead. Access suffered a big setback last month when a federal appellate court threw out regulations aimed at keeping Internet providers from playing favorites with traffic on their networks. Many believe the Comcast-Netflix deal means that net neutrality is officially dead. [ Polley : Susan Crawford writes a related piece in Introducing the Comcast tax (Bloomberg, 24 Feb 2014)]

top

Energy firm cyber-defence is 'too weak', insurers say (BBC, 26 Feb 2014) - Power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak, the BBC has learned. Underwriters at Lloyd's of London say they have seen a "huge increase" in demand for cover from energy firms. But surveyor assessments of the cyber-defences in place concluded that protections were inadequate. Energy industry veterans said they were "not surprised" the companies were being refused cover.

top

- and -

Power grid preparedness falls short, report says (NYT, 12 March 2014) - Nearly all the utilities that participated in two-day exercise last November to test the preparedness of the power grid for online and physical attacks said that their planning was not good enough, according to a report by the North American Electric Reliability Corporation, which organized the drill. But the participants, more than 2,000 of them from across the United States, Canada and Mexico, said the exercise taught them lessons about whom they would need to communicate with in an attack, and where their vulnerabilities were. The report had few details, because organizers said they did not want to provide a road map about the shortcomings and because they had promised to limit the scope of their evaluation to induce utilities to participate. But the reliability group is communicating with the utilities individually about their performances.

top

US government seeks to hold phone data beyond five-year limit (IT World, 27 Feb 2014) - The U.S. government has asked a secret surveillance court to allow it to hold telephone metadata for a period beyond the current five-year limit, for use as potential evidence in civil lawsuits regarding the collection of the data. In June last year, former National Security Agency contractor, Edward Snowden, revealed that the agency was collecting bulk phone records of Verizon customers in the U.S. The government subsequently confirmed that it had a program for the bulk collection of phone metadata, which triggered a number of privacy law suits in various courts challenging the legality of the NSA program under section 215 of the Patriot Act. When litigation is pending against a party, or is reasonably anticipated, the party has a duty to preserve relevant information that may be evidence in the case, the Department of Justice stated in a filing Tuesday before the Foreign Intelligence Surveillance Court that was made public Wednesday. "A party may be exposed to a range of sanctions not only for violating a preservation order, but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve," it wrote, while pointing out that it hasn't received a specific preservation order so far in any of the civil lawsuits. The American Civil Liberties Union, U.S. Senator Rand Paul and the First Unitarian Church of Los Angeles are among those who have filed lawsuits challenging the phone records program.

top

- and -

District Court in California contradicts FISC, orders government to preserve metadata (Lawfare, 10 March 2014) - Earlier today, U.S. District Judge Jeffrey S. White of the Northern District of California issued a temporary restraining order prohibiting the government from destroying call record metadata in the 215 program. "It is undisputed," he wrote, "that the Court would be unable to afford effective relief once the records are destroyed, and therefore the harm to Plaintiffs would be irreparable." Judge White's brief order-as well as its underlying logic-directly conflicts with FISC Judge Reggie B. Walton's March 7 order which required that the government destroy the telephony metadata. The government had requested that it be permitted not to destroy data after the normal five year period to preserve it for evidence in civil litigation. Judge Walton, as we reported the other day, had refused. In other words, at least for now, the government is under order both to destroy the data and to preserve the very same data.

top

- and -

New FISC order on retention of metadata (Lawfare, 12 March 2014) - On Monday, we reported on the temporary restraining order (TRO) issued by Judge Jeffrey S. White of the Northern District of California, which prohibited the government from destroying telephone metadata collected by the NSA, pursuant to Section 215 of the Patriot Act. The idea was to preserve the metadata, as evidence for potential use in pending civil suits against the government. That TRO conflicted with a March 7 Foreign Intelligence Surveillance Court (FISC) order , the minimization provisions of which had required disposal of metadata after five years. Consequently, the government approached the FISC yesterday , both to notify the FISC of the TRO and to again seek relief-FISC Presiding Judge Reggie B. Walton had refused an earlier request in this respect-=from the metadata destruction requirement. The government explained that it desired to retain the metadata "solely for non-analytic purposes pending resolution of [evidence] preservation issues." Shortly after receiving this most recent request, Judge Walton granted it . By issuing the TRO, he wrote, "the District Court [in California] has directly prohibited NSA from doing what the FISC has ordered it to do;" the incompatible directives "put the government in an untenable position and are likely to lead to uncertainty and confusion among all concerned." The FISC therefore authorized the government to retain the metadata pending resolution of the evidence preservation issues currently being litigated in the Northern District of California. [ Polley : this is a VERY interesting jurisdictional tennis match, and probably isn't over.]

top

Protester's hidden camera captures Supreme Court for first time (Mashable, 27 Feb 2014) - In an unprecedented act, a protester appears to have smuggled a video camera into the U.S. Supreme Court, captured footage of proceedings and posted it to YouTube. The two-minute video ends with a plug for the website of a campaign finance reform activist group called 99Rise. The video's climactic moment shows a man rising and shouting at the court before being grabbed by guards. * * * The hidden camera video seems to show two separate hearings. First, it shows oral arguments in the McCutcheon case from last October. Then, it shows a Wednesday hearing in patent case unrelated to campaign finance, during which Newkirk stages his protest. Spectators are required to check all electronic devices at the door before entering the Supreme Court. It's unclear how the person who filmed the hearings was able to smuggle his camera into the court.

top

Texas appeals court says police can't search your phone after you're jailed (ArsTechnica, 27 Feb 2014) - On Wednesday, the Texas Court of Criminal Appeals ruled that law enforcement officials do need a warrant to search an arrested person's cell phone after they've been jailed. The ruling did not decide whether it is legal or not for police to search a suspect's phone at the incidence of arrest, which is currently a hotly contested subject. The Supreme Court is set to decide that matter later this year. For now, however, seven Texas appeals court judges have ruled that a person has a legitimate expectation of privacy over the contents of their cell phone while the phone is being stored in the jail property room. An eighth judge wrote a dissenting opinion. The case, Texas v. Granville , involved Anthony Granville, a student who was arrested for causing a disturbance on a school bus. After Granville was arrested, his cell phone was placed in the booking room. Later, a "School Resources Officer" was told that Granville had taken a photo of another student urinating in the boys' bathroom prior to his arrest. The officer, who had not been involved in the arrest of Granville, went down to the booking room, obtained Granville's phone, turned it on, found the photo, and printed out a copy of it. The officer then kept the phone as evidence and charged Granville with Improper Photography, a state felony. Granville's lawyers moved to suppress the evidence against him, but the prosecution maintained that an officer can search anything in the jail's booking room if there is probable cause. The trial judge disagreed, and the state appealed. But Texas authorities did not find much more support in the Court of Appeals either. Although the ruling does not prohibit all warrantless searches of cell phones, the ruling is still very important, perhaps for less obvious reasons. "[T]he court recognizes that just because you've surrendered something to someone else (especially when that surrender is involuntary), that you can still maintain an expectation of privacy in the data and the item," wrote Hanni Fakhoury, an attorney for the Electronic Frontier Foundation. "That has implications beyond this case and really is the heart of the issue in the NSA litigation (which the court itself acknowledges toward the end of the opinion, even citing from Klayman v. Obama) as well as other issues surrounding law enforcement use of new technologies like cell site data."

top

- and -

Washington state text message privacy cases (EFF, February 2014) - EFF urged the Washington State Supreme Court to recognize that text messages are "the 21st Century phone call" and require that law enforcement obtain a warrant before reading texts on someone's phone. In this case, police seized a cell phone during a drug investigation, and monitored incoming messages. Officers responded to several texts, setting up meetings that resulted in two arrests. Prosecutors have argued that there should be no expectation of privacy in text messages, as anyone can pick up someone else's phone and read what's stored there. But in two related amicus briefs, EFF argues that searching the phone for the texts clearly violates the Constitution. In February 2014, the Washington Supreme Court agreed with us in both cases, ruling the search of the text messages was unlawful.

top

Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ (Guardian, 28 Feb 2014) - Britain's surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal. GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not. In one six-month period in 2008 alone, the agency collected webcam imagery - including substantial quantities of sexually explicit communications - from more than 1.8 million Yahoo user accounts globally. Yahoo reacted furiously to the webcam interception when approached by the Guardian. The company denied any prior knowledge of the program, accusing the agencies of "a whole new level of violation of our users' privacy". GCHQ does not have the technical means to make sure no images of UK or US citizens are collected and stored by the system, and there are no restrictions under UK law to prevent Americans' images being accessed by British analysts without an individual warrant.

top

California appellate court allows looking at your smartphone while driving (Volokh Conspiracy, Orin Kerr, 28 Feb 2014) - Last year , I blogged about a California trial court opinion holding that a driver who looked at his cell phone's map application while on the road violated a California law against driving while "using a wireless telephone." I didn't find the decision persuasive. Fortunately, reason has prevailed: In a decision handed down Thursday, the Court of Appeals reversed the trial court in People v. Spriggs . From the introduction: Spriggs contends he did not violate the statute because he was not talking on the telephone. We agree. Based on the statute's language, its legislative history, and subsequent legislative enactments, we conclude that the statute means what it says - it prohibits a driver only from holding a wireless telephone while conversing on it. Consequently, we reverse his conviction.

top

Florida cops' secret weapon: warrantless cellphone tracking (Wired, 3 March 2014) - Police in Florida have offered a startling excuse for having used a controversial "stingray" cellphone tracking gadget 200 times without ever telling a judge: the device's manufacturer made them sign a non-disclosure agreement that they say prevented them from telling the courts. The shocking revelation came during an appeal over a 2008 sexual battery case in Tallahassee in which the suspect also stole the victim's cellphone. Using the stingray - which simulates a cellphone tower in order to trick nearby mobile devices into connecting to it and revealing their location - police were able to track him to an apartment. During recent proceedings in the case, authorities revealed that they had used the equipment at least 200 additional times since 2010 without disclosing this to courts and obtaining a warrant. Although the specific device and manufacturer are identified in neither the one court document available for the 2008 case, nor in a video of a court proceeding, the ACLU says in a blog post today that the device is "likely a stingray made by the Florida-based Harris Corporation."

top

A vast hidden surveillance network runs across America, powered by the repo industry (BetaBoston, 4 March 2014) - Few notice the "spotter car" from Manny Sousa's repo company as it scours Massachusetts parking lots, looking for vehicles whose owners have defaulted on their loans. Sousa's unmarked car is part of a technological revolution that goes well beyond the repossession business, transforming any ­industry that wants to check on the whereabouts of ordinary people. An automated reader attached to the spotter car takes a picture of every license plate it passes and sends it to a company in Texas that already has more than 1.8 billion plate scans from vehicles across the country. These scans mean big money for Sousa - typically $200 to $400 every time the spotter finds a vehicle that's stolen or in default - so he runs his spotter around the clock, typically adding 8,000 plate scans to the database in Texas each day. "Honestly, we've found random apartment complexes and shopping ­plazas that are sweet spots" where the company can impound multiple vehicles, explains Sousa, the president of New England Associates Inc. in Bridgewater. But the most significant impact of Sousa's business is far bigger than locating cars whose owners have defaulted on loans: It is the growing database of snapshots showing where Americans were at specific times, information that everyone from private detectives to ­insurers are willing to pay for. While public debate about the license reading technology has centered on how police should use it, business has eagerly adopted the $10,000 to $17,000 scanners with remarkably few limits. At least 10 repossession companies in Massachusetts say they mount the scanners on spotter cars or tow trucks, and Digital Recognition Network of Fort Worth, Texas, claims to collect plate scans of 40 percent of all US vehicles annually.

top

Target CIO resigns following massive data breach (TechCrunch, 5 March 2014) -Target Corp.'s Chief Information Officer Beth Jacob is resigning, effective immediately, in the wake of the massive data breach during the holiday 2013 shopping season during which as many as 70 million customers had their personal information stolen, including 40 million debit and credit card accounts. The retailer also said it would be overhauling its information security practices and compliance division, and would be looking for external candidates to serve as interim CIO. "While we are still in the process of an ongoing investigation, we recognize that the information-security environment is evolving rapidly," Target Chairman, President and CEO Gregg Steinhafel said in a brief statement released this morning. "To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information-security and compliance structure and practices at Target." This also includes elevating the role of the Chief Information Security Officer - another position that Target will hire externally, along with a Chief Compliance Officer. [ Polley : Data security & governance are appropriate subjects for C-level attention, everywhere. This is what happens when they are given short shrift.]

top

4 accused in law firm fraud ignored a maxim: don't email (NYT, 6 March 2014) - Several former leaders of the once-high-flying law firm Dewey & LeBoeuf apparently violated a cardinal rule that lawyers always tell their clients: Don't put anything incriminating into an email. Four men, who were charged by New York prosecutors on Thursday with orchestrating a nearly four-year scheme to manipulate the firm's books to keep it afloat during the financial crisis, talked openly in emails about "fake income," "accounting tricks" and their ability to fool the firm's "clueless auditor," the prosecutors said. One of the men even used the phrase "cooking the books" to describe what they were doing to mislead the firm's lenders and creditors in setting the stage for a $150 million debt offering that was supposed to solve the firm's financial woes, according to the messages.

top

Navy hacking blamed on Iran tied to HP contract (WSJ, 6 March 2014) - A major infiltration of a military network blamed on Iran was facilitated by a poorly written contract with computer-services provider Hewlett-Packard Co., said people familiar with the matter. H-P's contract with the military didn't require it to provide specific security for a set of Navy Department databases, and as a result, no one regularly maintained security for them. That eased access for hackers, who used the opening to penetrate deep into the Navy Marine Corps Intranet network, said people familiar with the matter. The findings of the Navy's investigation are being closely watched by lawmakers on Capitol Hill, who next week are set to evaluate the nomination of Vice Adm. Michael Rogers as National Security Agency director. Adm. Rogers was the Navy cyber chief who oversaw the response. The intrusion, which officials said didn't compromise classified information or email, took about four months to clean up. The Navy has been working to address lapses revealed by the hack and other security efforts under what it calls Operation Rolling Tide. The infiltration is the only publicly known penetration of a military network blamed on Iranian hackers. The hacking "is a contracting failure and not a technology failure," said one cybersecurity specialist familiar with the situation. "This is a Dilbert cartoon." One of the biggest flaws uncovered, said the cybersecurity specialist, was the absence of provisions to maintain security for a set of Microsoft Corp. databases that use Structured Query Language, which help store and retrieve data. With no security provision in the contract, no one was charged with making sure the database security systems were up-to-date. [ Polley : Spotted by MIRLN reader Roland Trope .]

top

Court blesses Instagram's right to unilaterally amend its user agreement (Eric Goldman, 6 March 2014) - Instagram revised its terms of service in December 2012. The revisions (1) stated that Instagram was disclaiming "ownership of content" posted by users, as opposed to disclaiming "any ownership rights in content" posted by users; (2) broadened the scope of the license granted by users to allow Instagram to sublicense user content and do so without restrictions; (3) added a liability waiver; and (4) added an arbitration provision. Instagram provided users with advance notice of the changes, letting users know on December 18, 2012 that the new terms would go into effect in a month (on January 19, 2013). Rodriguez (the plaintiff), continued to use Instagram following January 2013, although she opted out of the arbitration provision. Her predecessor plaintiff (for whom she later substituted in) filed a lawsuit in federal court, but Judge Alsup dismissed that lawsuit for lack of federal jurisdiction. Judge Alsup's dismissal was without prejudice to plaintiff's attempt to file in state court, and Ms. Rodriguez pursued that avenue. She asserted claims for breach of the duty of good faith and fair dealing and violations of California's unfair competition law. Her claims failed. Instagram's unilateral change does not violate the duty of good faith: In resolving Rodriguez's breach of duty of good faith claim, the court and the parties focused on a case involving a bank's attempt to add an arbitration clause into a customer agreement by providing notice in a mailer with the monthly bill. A California appeals court held (in Badie v. Bank of America) that because the bank tried to exercise a unilateral right to modify an agreement on a topic that wasn't addressed in the original agreement, its attempt to modify the contract breached the duty of good faith. That court also held that waivers by the bank's customers of the right to a jury trial were ambiguous, and therefore ineffective, because the bank did not provide conspicuous notice. Citing to other federal courts that distinguished Badie on the basis of customers' realistic ability to review the revised agreement and exercise a meaningful opt-out, the court says that the revised Instagram terms were not foisted on plaintiff. In fact, Rodriguez could have simply stopped using the service but chose to continue to use it. (Although the court does not mention it, I think her act of opting-out of the arbitration clause was also persuasive evidence of her choice in the matter.) * * *

top

Do you have this declassified document? Give it back! (MLPB, 12 March 2014) - Jonathan Abel, Stanford Law School Constitutional Law Center, is publishing o You Have to Keep the Government's Secrets?: Retroactively Classified Documents, the First Amendment, and the Power To Make Secrets Out of the Public Record in volume 163 (2015) of the University of Pennsylvania Law Review. Here is the abstract: Retroactive classification is a little-known national security power that allows the government to declassify a document, release it to the public, and then classify it later on - even if the document remains accessible in the public domain. This means you could receive a document today and be prosecuted tomorrow for not giving it back. Drawing on original interviews, historical documents, and other primary sources, this Article provides the first in-depth account of this phenomenon, which threatens the freedom of speech, the freedom of the press, and the separation of powers, but has received only glancing scholarly attention. The Article begins with examples of retroactive classification, which has targeted material ranging from congressional testimony on the missile-defense system to half-century-old documents at the National Archives. It then examines how the rules that are supposed to limit retroactive classification's sweep are incapable of doing so in the Internet Age. The Article next asks: Can the government punish someone for disregarding a retroactive classification order? Despite significant statutory and First Amendment concerns, the Article concludes that the answer is yes. Retroactive classification can be enforced by criminal prosecution. The Article also situates the phenomenon of retroactive classification in the broader debate about the government's ability to control information in the public domain. As the Article shows, retroactive classification of sorts occurs in many contexts outside of national security law, such as when the government attempts to prevent the publication of social security numbers, police officers' home addresses, and other sensitive information it has made available in the public record.

top

The history of eBooks from 1930′s "readies" to today's GPO ebook services (Government BookTalk, 13 March 2014) - To some it might seem strange that the Government Printing Office, the printer of Federal publications for over 150 years, is blogging about eBooks for "Read an eBook" Week and the 25th anniversary of the World Wide Web . However, GPO has been working with digital publications for years and is fully immersed in eBooks. While many know that the paperback book came to us in the 1930s, few know that the concept for electronic books arose at the same time. According to Wikipedia, the idea of the e-reader came to writer and impresario Bob Brown after watching his first "talkie" (movies with sound). In 1930, he wrote an entire book on this invention and titled it "The Readies" [/reed-eeze/] playing off the name of the "talkie." (Read about Brown in this New York Times article .)

top

Court gives legal "Oscar" to actors, rotten tomatoes to Google (Steptoe, 13 March 2014) - Last month, in Garcia v. Google, Inc., the U.S. Court of Appeals for the Ninth Circuit issued a preliminary injunction ordering Google to take down an anti-Islamic film from YouTube and to prevent further uploads of the film. The court concluded that the plaintiff, an actress who appears in the film, likely has a valid copyright interest in her performance in the film and that leaving the film on YouTube could cause the most irreparable sort of harm - the plaintiff's death. The key part of the decision is the court's conclusion that an actor can retain an independent copyright interest in her performance in a film, even if she is not a "joint author" of the entire film. This is an issue that is of concern not just to Google and other operators of video platforms - since it will broaden the range of parties entitled to require such operators to remove videos based on alleged copyright infringement - but also to the producers and other "joint authors" of films, who might have thought that they had the exclusive copyright interests in their work. Google has indicated it will petition for rehearing en banc. [ Polley : This is such an odd result that there's been some outcry, and may be a rehearing. Still Judge Kozinski seems intent.]

top

NOTED PODCASTS

Steptoe Cyberblog (begun 2014) - The Steptoe Cyberblog, with its sometimes contrasting insights, serves up opinionated and provocative thoughts on the issues - especially cybersecurity and privacy - that arise at the intersection of law, information technology, and security. This weekly podcast includes commentary on recent developments, followed by a 20-30 minute interview with a prominent player in the field. [ Polley : worthwhile; usually has commentary from Michael Vatis and Stewart Baker, et al.]

top

Margot Kaminski on robotic surveillance: authorship or intrusion? (Berkman, 28 Jan 2014; 76 minutes) - As the use of robotic technology expands private third-party surveillance will also expand to new locations and scenarios. Is it possible - or desirable - to craft meaningful laws or guidelines before widespread private adoption of robots? In this talk Margot E. Kaminski - Research Scholar in Law, Executive Director of the Information Society Project, and Lecturer in Law at Yale Law School - explores how the pending increase in robotic surveillance poses new questions for U.S. privacy law, and the extents to which robotic surveillance will be necessary, superfluous, or deliberately intrusive. [ Polley : I follow Margot on Twitter: @MargotKaminski]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Big Four accounting firms join in cyber-risk index to gauge firms' preparedness (Computerworld, 22 March 2004) -- A consortium of companies that includes the Big Four accounting firms and at least one large insurer is quietly working on a cybersecurity risk measurement framework for large enterprises, Computerworld has learned. The Risk Preparedness Index is being developed by the newly formed Global Security Consortium, which so far includes PricewaterhouseCoopers, Ernst & Young LLP, Deloitte & Touche LLP, KPMG International and insurance giant AIG International Inc. The RPI was originally being developed to provide a risk measurement model for use within the insurance and accounting industries. But the goal now is for the index to provide the basis for a much more broadly applicable system for measuring and rating organizational risk preparedness, according to a source close to the GSC. The GSC has been in active discussions with several industry groups, including The Open Group standards body, for several months in a bid to gain endorsements and wider support for the effort to build the framework. "[The RPI] will allow third-party auditors to come in and make a judgment as to whether or not you are complying with established cybersecurity practices," explained Larry Clinton, chief operating officer at the Internet Security Alliance. ISA members that score above a certain level on the RPI could qualify for lower insurance rates.

top

College facebook mugs go online (Wired, 9 June 2004) -- Maya Chard-Yaron, 19, was poked about 10 times last week. But rather than getting annoyed at the unsolicited jabs, Chard-Yaron kind of enjoyed it -- especially since friends and acquaintances were doing the poking through a social-networking website, Thefacebook. On Thefacebook, poking is a way of saying "hi" to would-be contacts, a method to strike up a conversation without adding the person as a friend. And there's quite a bit of poking going on. Chard-Yaron, a Southern Californian who will be a junior at Columbia University in the fall, is one of about 250,000 students at 34 colleges across the United States intrigued by Thefacebook. Unlike social websites like Friendster and orkut, Thefacebook is meant only for college students and alums. "I know it sounds stupid but when I log onto Thefacebook and I see this person poked me I think, 'Aww,' 'cause I miss them," she said. Thefacebook is modeled after schools' traditional facebooks -- booklets with names, photos, interests and other information about students. The site started in February and is expanding rapidly. Engineered and initially intended just for students at Harvard University, Thefacebook's creators -- all five of them Harvard students -- hope to have their site available to about 200 American colleges by fall. By registering on Thefacebook, students can compile lists of friends, send messages, list their classes and summer vacation plans, and divulge as much -- or as little -- personal contact information as they like.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

No comments: