MIRLN --- 16 March – 5 April 2014 (v17.05)

MIRLN --- 16 March - 5 April 2014 (v17.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

• SeyfarthLean consulting unveils Disclosure Dragon software to "jumpstart" crowdfunding offerings
• A harvest of company details, all in one basket
• Can you sue a robot for defamation?
• Support for Khan Academy's effectiveness in new study
• New French law authorizes the CNIL to conduct online inspections
• When MOOC profs move
• Los Angeles cops argue all cars in LA are under investigation
• Illinois Supreme Court strikes down broad ban on audiorecording conversations
• Treasury Dept. issues license on exchange with Iran
• Revelations of NSA spying cost US tech companies
• Law firm notifies employees after vendor's server accessed
• The tepid NSA-American Bar Association "dialogue" around spying on lawyers
• Lawyer sues to learn whether the FBI accessed his law firm's computers
• US notified 3,000 companies in 2013 about cyberattacks
• Law firms are pressed on security for data
• Cities reluctant to reveal whether they're using fake cell tower devices
• Target missed many warning signs leading to breach: US Senate report
• Cloud-based e-discovery can mean big savings for smaller firms
• Pitfalls and complications in running a new-media promotion
• Ethics rulings tell lawyers to seek security when in the cloud
• Death to "link rot": here's where the Internet goes to live forever
• Nature publishing group requires faculty authors to waive 'moral rights'
• Back in business
• Court rules that kids can be bound by Facebook's member agreement

SeyfarthLean consulting unveils Disclosure Dragon software to "jumpstart" crowdfunding offerings (Seyfarth, 25 Feb 2014) - SeyfarthLean Consulting LLC, a subsidiary of law firm Seyfarth Shaw LLP, announced today its Disclosure Dragon software, designed specifically for the crowdfunding industry. Disclosure Dragon is the first advanced document automation solution that helps companies and online portals efficiently and effectively prepare the necessary legal and financial disclosure to conduct crowdfunding offerings. For small businesses and early stage companies, Disclosure Dragon automates, expedites and standardizes the development of a private placement memorandum (PPM) (or other required disclosure documents depending on the type of offering) and supporting exhibits required to satisfy the U.S. Securities & Exchange Commission's regulations pursuant to the Jumpstart Our Business Startups (JOBS) Act of 2012. Traditionally handled by lawyers, consultants and other advisers, PPM development is typically an expensive and arduous process that proves insurmountable for many small companies. With its advanced user-populated engine, Disclosure Dragon's interactive and adaptive framework auto-generates a draft PPM at a fraction of the cost and time, guiding users step by step through a detailed series of questions related to their businesses. PPM's produced by Disclosure Dragon are expected to reduce the time and cost of preparing legal documentation by up to 80%. Importantly, further legal review will be required by the issuer's counsel to finalize the PPM and is not provided by Disclosure Dragon. Disclosure Dragon will debut on Poliwogg, the leading life sciences funding platform, which expects that many of its funding clients will be attracted to Disclosure Dragon's time and cost savings, as well as the standardization it provides. For these reasons, one such client, Insero Health, a clinical stage healthcare company developing novel therapeutics for the treatment of epilepsy, is already adopting Disclosure Dragon. This also marks one of first collaborations between Poliwogg and the Epilepsy Foundation, which announced in January their partnership to encourage investment and support for new therapies to help people living with recurrent seizures.

top

A harvest of company details, all in one basket (NYT, 15 March 2014) - Trolling government records for juicy details about companies and their executives can be a ponderous task. I often find myself querying the websites of multiple federal agencies, each using its own particular terminology and data forms, just for a glimpse of one company's business. But a few new services aim to reduce that friction not just for reporters, but also for investors and companies that might use the information in making business decisions. One site, rankandfiled.com , is designed to make company filings with the Securities and Exchange Commission more intelligible. It also offers visitors an instant snapshot of industry relationships, in a multicolored "influence" graph that charts the various companies in which a business's officers and directors own shares. According to the site, pooh-bahs at Google, for example, have held shares in Apple, Netflix, LinkedIn, Zynga, Cisco, Amazon and Pixar. Another site, Enigma.io , has obtained, standardized and collated thousands of data sets - including information on companies' lobbying activities and their contributions to state election campaigns - made public by federal and state agencies. Starting this weekend, the public will be able to use it, at no charge, to seek information about a single company across dozens of government sources at once. Five years ago, to encourage research studies and app development, the Obama administration introduced data.gov, a site that catalogs data held by federal agencies. Last May, President Obama issued an executive order requiring agencies to make the information they generate available in computer-readable formats. Publishing and analytics start-ups are now tapping those resources to develop products for consumers and businesses. Among them, Enigma hopes to become what Mr. DaCosta describes as "a Google for public data." Ask Enigma for facts about Lockheed Martin , for example, and here are some of the disparate details that surface: Last year, this military contractor entered into agreements with the government worth about $40.7 billion. Another interesting tidbit about the company is that in 2013, Marillyn A. Hewson , the chief executive, visited the White House five times; on two of those occasions the "visitee" was "POTUS," meaning the president of the United States, the logs indicate. And company employees reported giving about $51,000 to the presidential campaign committees Obama for America and the Obama Victory Fund. Although these details may be unrelated, together they depict a politically influential and connected contractor. In fact, that kind of serendipitous information amalgam is one of Enigma's aims. Mr. DaCosta says he believes that "there's a huge amount you can learn about the world by putting these data sources in conversation with one another."

top

Can you sue a robot for defamation? (Ryan Calo at Forbes, 17 March 2014) - Life moves pretty fast. Especially for journalists. When an earthquake aftershock shakes America's second largest city, news outlets scramble to be the first to cover the story. Today the news itself made news when various outlets picked up on a curious byline over at the Los Angeles Times : "this post was created by an algorithm written by the author." The rise of algorithmically generated content is a great example of a growing reliance on "emergence." Steven Johnson in his book by this title sees the essence of emergence as the movement of low-level rules to tasks of apparently high sophistication. Johnson gives a number of examples, from insects to software programs. As I see it, the text of the earthquake story likewise "emerged" from a set of simple rules and inputs; the "author" in question at the Los Angeles Times, Ken Schwencke, did not simply write the story in advance and cut and paste it. I imagine Schwencke had a pretty good sense of what story the algorithm would come up with were there an earthquake. This is not always the case. Even simple algorithms can create wildly unforeseeable and unwanted results. Thus, for instance, a bidding war between two algorithms led to a $23.6 million dollar book listing on Amazon. And who can forget the sudden "flash crash" of the market caused by high speed trading algorithms in 2010. I explore the challenges emergence can pose for law in my draft article Robotics and the New Cyberlaw . I hope you read it and let me know what you think. I'll give you one example: Imagine that Schwencke's algorithm covered arrests instead of earthquakes and his program "created" a story suggesting a politician had been arrested when in fact she had not been. Can the politician sue Schwencke for defamation? Recall that, in order to overcome the First Amendment, the politician would have to show "actual malice" on the part of the defendant. Which is missing. But, in that case, are we left with a victim with no perpetrator? If this seems far fetched, recall that Stephen Colbert's algorithm @RealHumanPraise -which combines the names of Fox News anchors and shows with movie reviews on Rotten Tomatoes-periodically refers to Sarah Palin as " a party girl for the ages " or has her " wandering the nighttime streets trying to find her lover ." To the initiated, this is obviously satire. But one could readily imagine an autonomously generated statement that, were it said by a human, would be libel per se .

top

Support for Khan Academy's effectiveness in new study (InsideHigherEd, 17 March 2014) - A two-year-long study of Khan Academy's effect on K-12 students' math skills suggests the online lessons may help boost performance and confidence, even if the materials play only a supplemental role. The study , funded by the Bill & Melinda Gates Foundation and developed by SRI International, involved 2,000 students in grades 5 through 10 between 2011 and 2013. The students were scattered across nine different schools, all of which used the materials from Khan Academy to varying degrees. At the end of the study, 85 percent of teachers said they thought Khan Academy had a positive impact on students' learning. Among students, 71 percent said they liked the Khan Academy lessons, while 32 percent said they liked math more as a result of using the materials.

top

New French law authorizes the CNIL to conduct online inspections (Hunton & Williams, 18 March 2014) - On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the "CNIL") by giving the CNIL the ability to conduct online inspections. Currently, the CNIL may conduct three types of investigations: (1) On-site inspections - the CNIL may visit a company's facilities and access anything that stores personal data ( e.g. , servers, computers, applications). On-site inspections currently represent the vast majority of the inspections conducted by the CNIL; (2) Document reviews - these inspections allow the CNIL to require an entity to disclose documents or files (upon written request); and (3) Hearings - the CNIL may summon representatives of organizations to appear for questioning and to provide other necessary information. Further to its new online inspection authority, now the CNIL also may identify violations of the French Data Protection Act through remote investigations. For example, this new investigative power will enable the CNIL to check whether online privacy notices comply with French data protection law, and to verify whether entities obtain users' prior consent before sending electronic marketing communications. The CNIL emphasized that the new online investigations will concern only publicly available data, and that the law does not give the CNIL the right to circumvent security measures to gain access to information systems.

top

When MOOC profs move (InsideHigherEd, 18 March 2014) - When faculty members move from one institution to the next, so do their courses, but after having spent hundreds of thousands of dollars to prepare those courses to a massive audience, are universities entitled to a share of the rights? The question has so far gone unanswered (though not undiscussed) even at some of the earliest entrants into the massive open online course market, including Harvard University and the Massachusetts Institute of Technology. Since MOOC providers have gotten out of the intellectual property rights debate by saying they will honor whatever policy their institutional partners have in place, it falls on the universities to settle the matter. Almost two years after Harvard and MIT jointly launched the MOOC provider edX, Sanjay E. Sarma, director of digital learning at MIT, said his institution has "figured it out." "Faculty have always had certain expectations and rights, and we want to respect them," Sarma said. "In other words, we don't want any new policy to change any rights they have right now." Instead, Sarma said, MIT will introduce an interpretation of its intellectual property policy -- which appears to support both the faculty members' and the institution's position -- in the coming months.

top

Los Angeles cops argue all cars in LA are under investigation (EFF, 19 March 2014) - Do you drive a car in the greater Los Angeles Metropolitan area? According to the L.A. Police Department and L.A. Sheriff's Department, your car is part of a vast criminal investigation. The agencies took a novel approach in the briefs they filed in EFF and the ACLU of Southern California's California Public Records Act lawsuit seeking a week's worth of Automatic License Plate Reader (ALPR) data. They have argued that " All [license plate] data is investigatory ." The fact that it may never be associated with a specific crime doesn't matter.

top

Illinois Supreme Court strikes down broad ban on audiorecording conversations (Eugene Volokh, 20 March 2014) - Under Illinois law, any person who "knowingly and intentionally uses an eavesdropping device for the purpose of hearing or recording all or any part of any conversation" is committing a crime "unless he does so … with the consent of all of the parties to such conversation or electronic communication." This isn't limited to conversations that the parties reasonably intend to be private: "conversation" is defined as "any oral communication between 2 or more persons regardless of whether one or more of the parties intended their communication to be of a private nature under circumstances justifying that expectation." DeForest Clark was indicted for violating this law; here's how the ACLU of Illinois amicus brief describes the facts: [The] charges arose from a September 17, 2010 child support hearing before Judge Robert Janes in Kane County Circuit Court. Mr. Clark represented himself pro se at the hearing. The hearing was conducted in open court and no court reporter was present. Mr. Clark recorded the hearing in order to preserve a true and accurate record of public proceedings in which he was representing himself without the assistance of counsel and without the benefit of a court reporter. For the same reason, Mr. Clark also allegedly recorded a conversation between himself and opposing counsel, Colleen Thomas, prior to the hearing in a public hallway in the Kane County Judicial Center. Thursday, the Illinois Supreme Court held that the statute violates the First Amendment ( People v. Clark (Ill. Mar. 20, 2014) )

top

Treasury Dept. issues license on exchange with Iran (InsideHigherEd, 21 March 2014) - The U.S. Department of Treasury on Thursday issued a general license allowing accredited U.S. universities to enter into academic exchange agreements with Iranian universities and permitting the export of some educational services, including university entrance examinations. The guidance also permits American universities and their contractors to enroll Iranian students in certain online undergraduate-level courses, including massive open online courses, or MOOCs. In January, Inside Higher Ed reported that the U.S. government had blocked access to the MOOC provider Coursera for individuals in Iran and other economically sanctioned nations.

top

Revelations of NSA spying cost US tech companies (NYT, 21 March 2014) - Microsoft has lost customers, including the government of Brazil. IBM is spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government. And tech companies abroad, from Europe to South America, say they are gaining customers that are shunning United States providers, suspicious because of the revelations by Edward J. Snowden that tied these providers to the National Security Agency 's vast surveillance program. Even as Washington grapples with the diplomatic and political fallout of Mr. Snowden's leaks, the more urgent issue, companies and analysts say, is economic. Tech executives, including Eric E. Schmidt of Google and Mark Zuckerberg of Facebook, are expected to raise the issue when they return to the White House on Friday for a meeting with President Obama. It is impossible to see now the full economic ramifications of the spying revelations - in part because most companies are locked in multiyear contracts - but the pieces are beginning to add up as businesses question the trustworthiness of American technology products. Despite the tech companies' assertions that they provide information on their customers only when required under law - and not knowingly through a back door - the perception that they enabled the spying program has lingered. "It's clear to every single tech company that this is affecting their bottom line," said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who predicted that the United States cloud computing industry could lose $35 billion by 2016 . Forrester Research, a technology research firm, said the losses could be as high as $180 billion , or 25 percent of industry revenue, based on the size of the cloud computing, web hosting and outsourcing markets and the worst-case scenario for damages.

top

Law firm notifies employees after vendor's server accessed (Databreaches.net, 21 March 2014) - So here's another case where a vendor's database was accessed by someone who was able to acquire a client's login credentials. The international law firm of McKenna Long & Aldridge notified the Maryland Attorney General's Office on February 26 that 441 current and former employees' W-2 information and other information were involved: As a result of that investigation and further information provided by the vendor, it appears that some information related to current and former employees was accessed on November 28, 2013 (Thanksgiving Day), December 11, 2013, and December 12, 2013 and that such access was obtained through the malicious and unauthorized access to the user identification and password of an account administrator. MLA has since reset all passwords for each user and asked all users to establish a new password. We are also working with our vendor to ensure that this does not occur again. Regrettably, our investigation appears to show that your personal information was accessed without authorization during this incident, including Federal Wage and Tax Statement Form W-2 name, address, wages, taxes and Social Security number information; date of birth, age, gender, ethnicity; and Visa, Passport or Federal Form I 9 documents numbers.

top

The tepid NSA-American Bar Association "dialogue" around spying on lawyers (EFF, 21 March 2014) - It's another troubling example in a frustrating trend: despite repeated and pointed calls for answers, the NSA is still relying on word games and equivocation to avoid answering recent questions surrounding potential surveillance of privileged attorney-client communications. The New York Times reported in late February that an American law firm's privileged attorney-client communications were monitored by the Australian Signals Directorate and potentially shared with the NSA. A few weeks ago, we wrote about the legal community's response to this issue, highlighting a February 20 letter from the president of the American Bar Association (ABA), James Silkenat, to outgoing NSA director General Keith Alexander and NSA General Counsel Raj De. On March 10, General Alexander wrote back, but the NSA's letter can hardly be called a response. We hope that the conversation is not over, because experience has shown that when the NSA has the last word, civil liberties lose. The ABA has been deferential to the NSA's authority to conduct surveillance, and its letter requested only the information necessary to be able to effectively represent clients. Mr. Silkenat underscored that the ability to communicate without fear of surveillance is essential to the attorney-client relationship, and that without it our legal system cannot function. In order to help avoid this, he asked the NSA to "further clarify the principles and policies" regarding the NSA's handling of potentially privileged information. The NSA's response was underwhelming; of course they're collecting privileged communications but, trust them, they're not peeking (except when they need to). The entire legal community should view the NSA's response as an insult. When the ABA asked for clarification on what procedures are undertaken to uphold the attorney-client privilege, the NSA's answer was the following: Such steps could include requesting that certain collection or reporting be limited; that intelligence reports be written so as to prevent or limit the inclusion of privileged material and to exclude U.S. identities, and that dissemination of such reports be limited and subject to appropriate warnings or restrictions on their use. More disappointing than the NSA's letter, however, is the ABA's response. Mr. Silkenat released a paragraph long response on March 11, in which he stated: The American Bar Association appreciates the NSA's expression of respect for the attorney-client privilege and looks forward to continuing a constructive dialogue with the NSA to ensure that American lawyers and their clients have confidence that their privileged communications are appropriately protected. The attorney-client privilege is fundamental to our system of justice and critical to the work of lawyers, who rely on the candor of their clients. The NSA's letter to the ABA was not an expression of respect, nor was it the beginning of a constructive dialogue. Instead, the ABA meekly accepted the NSA's nonchalant non-denial of unconstitutional behavior by that aggressively unconstitutional spy agency. Mr. Silkenat may look forward to continuing a constructive dialogue, but the rest of us are left asking, "What dialogue?" Will the ABA and Mr. Silkenat be content to quietly accept the NSA's assurances, or will the ABA make a follow-up statement that the NSA must provide more information?

top

- and -

Lawyer sues to learn whether the FBI accessed his law firm's computers (ABA Journal, 26 March 2014) - A Virginia lawyer wants to know whether the FBI obtained access to his law firm's computers as part of an investigation into his possession of three classified documents. Kel McClanahan filed a federal suit last Friday in Washington, D.C., seeking records under the Freedom of Information Act that would answer his questions, McClatchy News reports. McClanahan says his computer and email accounts developed technical problems shortly after he met with FBI agents who asked permission to search his office and to take possession of his computer. McClanahan refused, though he did agree to delete the documents in the presence of FBI officials. The FBI accepted the offer last year. At issue were three documents, the story says. Two were articles in a CIA in-house journal about another FOIA case McClanahan had filed against the CIA. McClanahan says the articles were faxed to him, and he contacted a Justice Department official involved in the case when he realized the articles were not public. The third document was an FBI account of an interview with an American citizen jailed in Yemen for alleged links to al-Qaida. McClanahan is handling FOIA litigation in that case, and he got the unredacted document, filed in a Yemeni court, from lawyers for the suspect in Yemen. McClanahan says he compared the unredacted document with a redacted version he received from the FBI, and he believes information was blacked out to hide FBI misconduct. McClanahan emailed a Justice Department lawyer to ask if he could use the unredacted version in court. "I don't have definitive proof that the FBI read my emails," McClanahn told McClatchy. "I have, however, a large stack of circumstantial evidence that they did, . . . specifically, unexplained problems with my email accounts only days before they showed up unannounced at my door to try to strong-arm me into giving them unrestricted access to my records. … It could be a huge coincidence . . . but it would be a huge coincidence."

top

US notified 3,000 companies in 2013 about cyberattacks (Washington Post, 24 March 2013) - Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions. The alerts went to firms large and small, from local banks to major defense contractors to national retailers such as Target, which suffered a breach last fall that led to the theft of tens of millions of Americans' credit card and personal data, according to government and industry officials. "Three thousand companies is astounding," said James A. Lewis, a senior fellow and cyberpolicy expert at the Center for Strategic and International Studies. "The problem is as big or bigger than we thought." The number reflects only a fraction of the true scale of cyberintrusions into the private sector by criminal groups and foreign governments and their proxies, particularly in China and Eastern Europe. The estimated cost to U.S. companies and consumers is up to $100 billion annually, analysts say. In most cases, the company had no idea it had been breached, officials say. According to Verizon, which compiles an annual data-breach survey, in seven out of 10 cases, companies learn from an external party - usually a government agency - that they've been victimized.

top

- and -

Law firms are pressed on security for data (NYT, 26 March 2014) - A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount. Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections. In some cases, banks and companies are threatening to withhold legal work from law firms that balk at the increased scrutiny or requesting that firms add insurance coverage for data breaches to their malpractice policies. The vulnerability of American law firms to online attacks is a particular concern to law enforcement agencies because the firms are a rich repository of corporate secrets, business strategies and intellectual property. One concern is the potential for hackers to access information about potential corporate deals before they get announced. Law enforcement has long worried that law firms are not doing enough to guard against intrusions by hackers. Despite the concern, it's hard to gauge just how vulnerable law firms are to attacks from hackers. There are few rules requiring firms to make public any breaches, and because the firms have little direct interaction with consumers, there is no need for them to publicly report a hacking incident the way a bank or a retailer would. In 2012, Mandiant, a security consulting firm, put out a report estimating that 80 percent of the 100 largest American law firms had some malicious computer breach in 2011. Actual reports of confidential information hacked from a law firm computer system and later winding up on some overseas server are rare, however. Representatives for several large law firms, all of whom declined to discuss the topic publicly, said privately that the threat assessments from the F.B.I. and consulting firms were overstated. The law firm representatives said hacker attacks were usually email "phishing" schemes seeking to access personal information or account passwords, the kind of intrusions that have become commonplace and are easily contained. But Vincent I. Polley, a lawyer and co-author of recent book for the American Bar Association on cybersecurity, said many law firms were not even aware they had been hacked. He said a lot of law firm managers were in denial about the potential threat. "A lot of firms have been hacked, and like most entities that are hacked, they don't know that for some period of time," said Mr. Polley. "Sometimes, it may not be discovered for a minute or months and even years." [ Polley : The referenced book is "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals", available here .]

top

Cities reluctant to reveal whether they're using fake cell tower devices (ArsTechnica, 25 March 2014) - For some time now, the American Civil Liberties Union (ACLU) has been on a quest to better understand the use and legality of "stingrays." These devices, which are also known as international mobile subscriber identity (IMSI) catchers, or fake cell towers, can be used to track phones or, in some cases, intercept calls and text messages. The "Stingray" itself is a trademarked product manufactured by a Florida-based company, the Harris Corporation. (It has since come to be used as a generic term, like Xerox or Kleenex.) Harris is notoriously secretive about the capabilities of its devices and generally won't talk to the press about their capabilities or deployments. Earlier in March, the ACLU filed a motion for public access request , requesting documents and information related to stingray use by nearly 30 Florida police and sheriff's departments. Among the responses published for the first time on Tuesday was the curious reply from the city of Sunrise, Florida, a town of about 88,000 people, just northwest of Miami. Through its lawyers, Sunrise officially denied the request , noting that the city would neither confirm nor deny "whether any records responsive to the Request exist and, if any responsive records do exist, cannot and will not public disclose those records." (In a footnote, the lawyers also cited this Ars story from September 2013 detailing stingrays and other related surveillance devices.) The ACLU published its response to the city's denial on Tuesday. As the ACLU points out in a Tuesday blog post , the city of Sunrise has already published an invoice from Harris on its own website dated March 13, 2013, showing that the city paid over $65,000 for a stingray. That document clearly states, in all-caps on each page, that "disclosure of this document and the information it contains are strictly prohibited by Federal Law."

top

Target missed many warning signs leading to breach: US Senate report (Reuters, 25 March 2014) - Target Corp missed multiple opportunities to thwart the hackers responsible for the unprecedented holiday shopping season data breach, U.S. Senate staffers charged in a committee report released on Tuesday. There was no indication the No. 3 U.S. retailer responded to warnings that malware was being installed on Target's system. Other automated warnings the company ignored revealed how the attackers would carry data out of Target's network, according to the report. "This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach," according to the Commerce, Science and Transportation Committee report. The staff report, "A 'Kill Chain' Analysis of the 2013 Target Data Breach," looked at previously reported information and used an analytical tool called an "intrusion kill chain" framework used widely by information security field. The staff report said Target "failed to respond to multiple automated warnings from the company's anti-intrusion software" that 1) the attackers were installing malicious software and 2) they were planning escape routes for the information they planned to steal from the retailer's network. It also said Target gave access to its network to a third-party vendor that did not follow accepted information security practices. The report is here .

top

Cloud-based e-discovery can mean big savings for smaller firms (ABA Journal, 26 March 2014) - Smaller law firms may be able to save a significant amount of money by 'renting' e-discovery applications in the cloud rather than bringing a full-fledged hardware and software solution in-house. "Only a few years ago, e-discovery in the cloud wasn't even available," said Gareth Evans, an Irvine, Calif.-based partner at Gibson, Dunn & Crutcher, adding that these days, even the smallest law firms have a wide variety of e-discovery firms they can source. Evans spoke as part of a panel at LegalTech New York 2014 in February. Panelist Alan Winchester, a partner at the New York City firm Harris Beach, agreed: "For firms without robust IT departments, it grants them the experts to manage the technology operations and security." While renting e-discovery services a sliver at a time may cause some firms to worry about the security of their data offsite, the panelists advised that with a good contract, those concerns can be minimized. [ Polley : Interesting story that sounds about right. This might just be a first step.]

top

Pitfalls and complications in running a new-media promotion (Information Law Group, 26 March 2014) - Administering a sweepstakes or contest online can be a great way to attract traffic and engage with consumers. Not surprisingly, many companies routinely utilize sweepstakes and contests (which are referenced collectively in this article as "promotions") as part of their overall online marketing push. Administering promotions, however, can get complicated when operating them on third-party platforms, such as social media sites. Many of you are no doubt familiar with the basic laws applicable to running an online promotion. This article does not discuss those laws, but rather describes some of the more detailed or latent issues and complications that need to be considered and addressed when running a promotion on certain social-media platforms. * * *

top

Ethics rulings tell lawyers to seek security when in the cloud (ABA Journal, 28 March 2014) - New ethics rules require lawyers to be technologically competent and aware of the ethical implications of cloud computing. But what exactly constitutes technological competence? And how far must a lawyer who stores date in the cloud go to protect client confidences from inadvertent or unauthorized access or disclosure? Those two questions were at the heart of an ABA Techshow presentation Thursday on "Ethics 20/20, Security and Cloud Computing." Co-presenters Catherine Sanders Reach, director of law practice management and technology for the Chicago Bar Association, and Kevin A. Thompson, who practices trademark, copyright and Internet law at the Chicago firm Davis McGrath, walked attendees through recent changes in the ethics rules and what state ethics authorities have had to say so far about lawyers' use of the cloud. To date, 18 states have weighed in with ethics opinions on the use of cloud computing by lawyers, either directly or indirectly, according to Reach. And all 18 have said it is OK, as long as the lawyer investigates the products and methods he or she uses and keeps up with any changes made by the provider. A list of those opinions, maintained by the ABA Legal Technology Resource Center, can be found at www.lawtechnology.org .

top

Death to "link rot": here's where the Internet goes to live forever (Fast Company, 28 March 2014) - The phrase "link rot" probably summons many images for you--none of them good. And while clicking on a dead link isn't quite as physically unpleasant as, say, touching a piece of slimy, disintegrating wood, bad links are weakening the web as surely as bad beams can compromise a building. When websites disappear or change, any piece of work--be it a blog post, book, or scholarly dissertation--that linked to those resources no longer makes quite as much sense. And some of these now-moldering links are structurally important to the fragile, enduring edifice of human knowledge: in fact, according to one recent study , half of the links in Supreme Court decisions either lead to pages with substantially altered content or no longer go anywhere, at all. In the face of this decay, the authors of that paper, the legal scholars Jonathan Zittrain, Kendra Albert, and Lawrence Lessig, floated one possible fix: create "a caching solution" that would help worthy links last forever. Now, this idea is being in practice by Perma.cc, a startup based out of the Harvard Law Library. Old-school institutions like law school libraries, it turns out, may be perfectly positioned to fight against the new-school problem of link rot. Libraries, after all, are "really good at archiving things," as Perma's lead developer, Matt Phillips, puts it. "We have quite a history of storing things safely that are important to people for a really long time," says Phillips, a member of Harvard's Library Innovation Lab. "It's a failure if we're not preserving what's being created online." To start with, Perma.cc's small team of developers, librarians, and lawyers has designed an archiving tool that's as easy to use as any link shortener. Stick in a link, and you'll get a new Perma-link--along with an archive of all the information on the page that link leads to. Anyone can sign up as a user, and create links with a shelf life of two years, with an option to renew. A select group of users, though, can "vest" links--committing Perma.cc to store their contents indefinitely. Since launching last fall, the project has grown rapidly, signing up a couple thousand users and recruiting 45 libraries and dozens of law journals as partners. But only a fourth of Perma.cc's users--472 "vesting members" and 113 "vesting managers," at current count--have the power to grant links immortality (or as close to it as Perma.cc can manage). "The problem is, in practice, it's a very serious commitment to say this will be kept forever," says Jack Cushman, who started contributing to Perma.cc as volunteer, before joining formally as a Harvard Law School Library fellow. "It's not something that we can promise to everyone in the world to begin with."

top

Nature publishing group requires faculty authors to waive 'moral rights' (Chronicle of Higher Ed, 31 March 2014) - Faculty authors who contract to write for the publisher of Nature, Scientific American, and many other journals should know that they could be signing away more than just the economic rights to their work, according to the director of the Office of Copyright and Scholarly Communication at Duke University. Kevin Smith, the Duke official, said he stumbled across a clause in the Nature Publishing Group's license agreement last week that states that authors waive or agree not to assert "any and all moral rights they may now or in the future hold" related to their work. In the context of scholarly publishing, "moral rights" include the right of the author always to have his or her name associated with the work and the right to have the integrity of the work protected such that it is not changed in a way that could result in reputational harm. "In many countries, you can't waive them as an author," Mr. Smith said. "But in the Nature publishing agreement you are required to waive them, and if you are in a country where a waiver is not allowed, you have to assert in the contract you won't insist on those rights." Mr. Smith first questioned the details of the Nature Publishing Group's license agreement on his blog on Thursday. Calling the moral-rights stipulation "bizarre" and an attack "on core academic values," he wrote that in some countries authors are forbidden to waive those rights. "The United States is something of an outlier in that we do not have a formal recognition of moral rights in our copyright law, although we always assert that these values are protected by other laws," he wrote. His comments were part of a longer post noting that the powerful scholarly publisher has apparently begun enforcing at Duke a requirement that authors at institutions with open-access policies secure waivers exempting their work from those policies.

top

Back in business (InsideHigherEd, 1 April 2014) - Arizona covers less than 1 percent of the budget for the Maricopa Community College District. The 10-college system, which enrolls 265,000 students, now receives an annual state contribution of $8 million. One upside to Arizona's near-complete disinvestment in its community colleges, Maricopa's leaders say, is that the years of budget cuts have forced the two-year system to get more entrepreneurial. They are particularly excited about the money-making potential of the new Maricopa Corporate College, which landed Marriott International as a client in its first year of existence. One reason for the college's early success, said Rufus Glasper, the district's chancellor, is that corporate CEOs have picked up on a shift at Maricopa. "We're starting to market ourselves as a business," he said. Corporate colleges cater to the training needs of companies, including recent hires and workers who need to learn new skills. Programs are typically non-credit and customized based on the employer's needs. They can be online or in person, and taught either on a college campus or taken directly to a company. Some of the most common programs are in management training, English as a second language, information technology, advanced manufacturing and welding. The training centers can be lucrative, with companies typically footing the bill rather than students. As a result, the corporate-college field is getting more crowded. For-profit chains have long done job training. And Udacity, an online course provider, now wants to get in the game . Several community colleges also have a solid track record with corporate training. Experts said Cuyahoga Community College (Tri-C), located in Ohio, North Carolina's Central Piedmont College and the Lone Star College System in Texas are pioneers of corporate colleges.

top

Court rules that kids can be bound by Facebook's member agreement (Venkat Balasubramani, 4 April 2014) - The status of kids' ability to form contracts via online terms of service was somewhat uncertain over the last several years, with a few Facebook-related rulings raising questions. A group of minor plaintiffs who opted out of the Fraley v. Facebook Sponsored Stories settlement brought suit for violation of their publicity rights under an Illinois statute. A recent ruling shuts out their claims, and gives some clarity to the online contracting landscape for minors. The key question in front of Judge Seeborg was whether the contract at issue between minors and Facebook - essentially granting a publicity rights release -- was one of the narrow types of contracts with minors that were void, or if the contract was merely voidable under California Family Code 6701, et seq. * * * With the caveat that this is just a district court ruling, and plaintiffs will continue to attack these terms in far-flung jurisdictions, this is a very helpful ruling for Facebook in that it removes some uncertainty as to a big category of potentially lucrative users: users who are old enough to not pose COPPA-problems but those who haven't yet reached the age of majority. Networks for the most part took a don't-ask/don't-tell type of approach with this group, but were hesitant to enter into deeper economic and legally uncertain relationships.

top

RESOURCES

Before rolling blackouts begin: briefing Boards on cyber attacks that target and degrade the Grid (by Roland Trope and Stephen Humes, in Wm Mitchell L.R.; April 2014) - "The Electric Power grid makes an attractive target because it is the foundational critical infrastructure that underlies all others. A successful attack on the power grid causing a wide-area long-term outage would have significant national security . . . consequences."

top

Governments and cloud computing: roles, approaches, and policy considerations (Harvard's Berkman Center, 17 March 2014) - Abstract: Governments from Bogota to Beijing are engaging with emerging cloud computing technologies and its industry in a variety of overlapping contexts. Based on a review of a representative number of advanced cloud computing strategies developed by governments from around the world, including the United States, United Kingdom, the European Union, and Japan, we observed that these governments - mostly implicitly - have taken on several different "roles" with respect to their approaches to cloud computing. In particular, we identify six distinguishable but overlapping roles assumed by governments: users, regulators, coordinators, promoters, researchers, and service providers. In this paper, we describe and discuss each of these roles in detail using examples from our review of cloud strategies, and share high-level observations about the roles as well as the contexts in which they arise. The paper concludes with a set of considerations for policymakers to take into account when developing approaches to the rapidly evolving cloud computing technologies and industry.

top

Cloud innovation and the law: issues, approaches, and interplay (Harvard's Berkman Center, 17 March 2014) - Abstract: We live in a quicksilver technological environment where one innovation in information and communication technology (ICT) follows the other. From a user's perspective, the speed of innovation in the Internet age becomes particularly visible when looking at ever-changing hardware devices that enable instant access to information, knowledge, and entertainment, or when navigating the rapidly evolving social media space where new platforms and powerful services emerge periodically, like Instagram, Pinterest, and Quora. Many of today's trends and developments in the ICT space are powered by a less visible and arguably more evolutionary innovation at the lower layers of the ICT infrastructure: cloud computing. It describes a multi-faceted technological phenomenon in which important aspects of computing (such as information processing, communication, networking, data acquisition, storage, and analysis) move from local systems to more efficient, outsourced systems where third parties provide aggregated computational resources and services on an as-needed basis from remote locations. Cloud computing is arguably responsible, at least in part, for the speed at which new social platforms are being developed and brought to market. This paper starts with a brief introduction to and framing of cloud computing as both a technological innovation and innovation-enabling technology - in short: cloud innovation. It then focuses on one particular aspect of the emerging cloud computing ecosystem by describing and discussing the legal and regulatory responses to cloud technology. It ends with general observations regarding the design of interfaces between cloud innovation as an example of an innovative and innovation-enabling technology and the legal and regulatory system. The paper builds upon and aims to synthesize previous contributions by the author and his collaborators on cloud law and policy issues on the one hand and pattern recognition in ICT regulation on the other hand. Against this backdrop, the paper seeks not only to distill and share insights about the interplay between cloud computing technology and the legal and regulatory system, but also contribute to a broader understanding of and emerging analytical framework for technology regulation in digitally networked environments.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

UN wants to slam spam (SiliconValley.com, 6 July 2004) -- The United Nations is aiming to bring a ``modern day epidemic" of junk e-mail under control within two years by standardizing legislation to make it easier to prosecute offenders, a leading expert said Tuesday. ``(We have) an epidemic on our hands that we need to learn how to control," Robert Horton, the acting chief of the Australian communications authority, told reporters. ``International cooperation is the ultimate goal." The International Telecommunications Union is hosting a meeting on spam in Geneva this week that brings together regulators from 60 countries as well as various international organizations, including the Council of Europe and the World Trade Organization. The U.N. agency said it would put forward examples of anti-spam legislation which countries can adopt to make cross-border cooperation easier. Many states currently have no anti-spamming laws in place, making it difficult to prosecute the international phenomenon. Top priority is ``pornographic material ... that may come to the attention of children," said Horton, who is running the meeting. ``I think it's time we did something formally about this. We will have to come to some sort of general understanding." As much as 85 percent of all e-mail may be categorized as spam, the ITU said, compared to an estimated 35 percent just one year ago. The vast majority is generated by a few hundred people, but authorities are not able to prosecute many of them under current legislation. Spam and anti-spam protection cost computer users some $25 billion last year, according to the United Nations.

top

Google unveils service for academics (NewsFactor.com, 18 Nov 2004) -- Google has unveiled a new search service designed specifically for scientists and academic researchers. Currently in beta release, Google Scholar allows users to search specifically for scholarly literature, including peer-reviewed papers, books, technical reports, theses, abstracts and preprints. The resource spans a wide variety of academic disciplines, and includes a large number of professional societies and publishers, according to Google. The search tool also finds scholarly articles that are scattered across the Web. Unique to the Scholar service is a way to handle search of academic citations. The tool automatically analyzes and extracts citations and presents them as separate results, even if the documents they refer to are not online. This gives academics and researchers the ability to peruse citations of older articles that appear only in books or print-only publications. Because the site is in beta, it is likely that other additions and changes will be made as scholars use the service. Google has requested that users send in suggestions, questions and comments. In its information pages, Google notes that additions to its index will be forthcoming, and urges authors to contact their publishers and scholarly societies to expand the available content.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top