Saturday, August 30, 2014

MIRLN --- 10-30 August 2014 (v17.12)

MIRLN --- 10-30 August 2014 (v17.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

L.A. county fire department links dispatch system to PulsePoint CPR app (LA Times, 6 August 2014) - Hoping to turn regular cellphone-toting Angelenos into rapid responders, the Los Angeles County Fire Department has linked its dispatch system to a cellphone app that will notify CPR-trained good Samaritans when someone in a public place nearby is having a cardiac arrest. The app, called PulsePoint, sends Fire Department alerts to mobile phone users at the same time that dispatchers send the official messages to emergency crews - increasing the possibility that a cardiac arrest victim could get lifesaving cardiopulmonary resuscitation from a bystander while medical responders are still on the way, department officials said Wednesday. The program also provides CPR instruction and the location of defibrillators nearby.

Cybersecurity: What Directors need to know in an era of increased scrutiny (Alston & Bird, 6 August 2014) - "[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril." SEC Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Speech at the New York Stock Exchange (June 10, 2014). Since the financial crisis, corporate governance has increased the focus on risk management. And, in recent years, cybersecurity has increasingly become a key issue in risk management due in large part to the growing realization that most companies' assets are digital, and that most systems are networked and connected to the Internet, leaving such assets subject to any number of targeted cyberattacks from increasingly sophisticated threat actors, including state actors with unlimited resources to conduct such attacks. In this era of increased cybersecurity scrutiny and litigation, it is imperative that directors educate themselves on the risks the company may face related to cybersecurity, as well as those risks that any director may face individually. Board members must also involve themselves in the company's cybersecurity strategy before and after a data breach. This advisory will discuss the developing cyber risk landscape, the increased regulator interest in cybersecurity, particularly from the SEC, and the impact on potential director liability for cybersecurity deficiencies (or perceived deficiencies). This advisory will conclude with practical guidance to help board members navigate the all-too-unfamiliar cyber risk and cybersecurity landscape. * * * [Polley: Useful and actionable.]

- and -

Cybersecurity in M&A (Freshfields, July 2014) - A survey of global deal-makers by Freshfields Bruckhaus Deringer reveals a growing awareness of the cyber threat. But it also shows respondents are yet to evaluate it in the same way as other risks that can undermine corporate value. Freshfields surveyed 214 global deal-makers from corporates, financial institutions, investors and legal services providers (63 per cent from North America, 34 per cent from Europe and 3 per cent from the rest of the world) on their awareness of cyber risk and how it affects their working practices. The results show that 78 per cent of respondents believe cyber security is not analysed in great depth or specifically quantified as part of the M&A due diligence process, despite 83 per cent saying they believe a deal could be abandoned if previous cyber security breaches were identified and 90 per cent saying such breaches could reduce the value of a deal. Cyber security in the M&A process is about more than just keeping sensitive data safe. Acquirers must assess whether their target carries an acceptable level of cyber risk in the same way they would analyse its financial position. A thorough knowledge of a business's cyber security is equally important during the integration phase; as a former deputy assistant attorney general at the US Department of Justice who supervised cyber crime investigations has said: 'when you buy a company, you're buying its data - and you could be buying its data security problems'.

Study: government blocks specific journalists from accessing information (International Business Times, 7 August 2014) - As states move to hide details of government deals with Wall Street and as politicians come up with new arguments to defend secrecy, it was revealed this week that many government information officers block specific journalists they don't like from accessing information. The news comes as 47 federal inspectors general sent a letter to lawmakers criticizing "serious limitations on access to records" that they say have "impeded" their oversight work. The data about public information officers was compiled over the past few years by Kennesaw State University professor Carolyn Carlson. Her surveys found that 4 in 10 public information officers say "there are specific reporters they will not allow their staff to talk to due to problems with their stories in the past." Carlson has conducted surveys of journalists and public information officers since 2012. In her most recent survey of 445 working journalists, four out of five reported that "their interviews must be approved" by government information officers, and "more than half of the reporters said they had actually been prohibited from interviewing [government] employees at least some of the time by public information officers." Those revelations foreshadowed this week's letter from more than half of the federal government's inspectors general saying that government agencies' move to hide information from them represents a "potentially serious challenge to the authority of every Inspector General and our ability to conduct our work thoroughly, independently, and in a timely manner."

UK's Information Commissioner Voices Concerns About Data Security in Legal Profession (August 5, 2014) - The UK Information Commissioner's Office (ICO) has received reports of 15 incidents in the past three months involving mishandling of client data by those in the legal profession. The ICO is warning that barristers and solicitors who do not take adequate precautions to protect their clients' data would face fines of up to GBP 500,000 (US $840,000). - http://www.v3.co.uk/v3-uk/news/2358882/ico-sounds-the-alarm-over-legal-professions-shoddy-data-handling [SANS Editor's Note (Paller): I have first-hand evidence that US law firms have lost huge troves of their clients' data; the FBI disclosed that US law firms were targets of nation-state attacks in 2009; and the head of MI5 made it clear that the same was happening in the UK in a disclosure the year before. Nation states (as well as economic competitors) have figured out that organizations run by lawyers (as well as the consulting companies run by ex-Federal officials) are the most cost-effective way to steal intellectual property from companies seeking to do business in their countries because those companies share the crown jewels with their lawyers and consultants and think they will protect the information.]

- and -

ABA House urges all organizations to develop cybersecurity programs (ABA Journal, 12 August 2014) - The ABA House of Delegates has adopted a policy encouraging private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program. Such programs would need to comply with applicable ethical and legal obligations. They would also need to be tailored to the nature and scope of the organization, and to the data systems which need protecting. The threat of cyberattacks on law firms is fast growing, and Resolution 109 was drafted to allow flexibility for small businesses, small law firms and solo practitioners. Last year the association published the ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals. It presents practical guidance and strategies and addresses the relationship and legal obligations between lawyers and clients when cyberattacks occur.

- and -

ABA: Throwing stones in glass houses? (CorporateCounsel.net, 26 August 2014) - At the ABA's 2014 annual meeting earlier this month, delegates approved a resolution that "encourages all private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program." When you consider that some pundits characterize lawyers as technology Luddites and law firms as "the soft underbelly" of data security in corporate America, it may seem odd for the legal industry to be lecturing other organizations about getting their cyber houses in order. The ABA Cybersecurity Legal Task Force report accompanying the draft resolution warns that "the threat of cyber attacks against law firms is growing." It notes that law firms collect and store large amounts of critical, highly valuable corporate records. The report points out that "lawyers and law offices have a responsibility to protect confidential records from unauthorized access and disclosure, whether malicious or unintentional, by both insiders and hackers." Unfortunately, many lawyers don't fully appreciate the scope of that responsibility, particularly as it applies to data transmitted via the internet or stored in the Cloud. A survey conducted in March 2014 by LexisNexis found that 89% of law firms use email daily for business purposes, but only 22% of law firms are encrypting email. A recent post in Law Technology News urges that It's Time to Secure Privileged Communications. The post notes that "attorneys should be concerned about the general uncertainty of privacy expectations for email." Those risks to email confidentiality are not merely a theoretical concern. For example, in February the New York Times reported that a foreign spy agency intercepted email messages between a large U.S. law firm and its foreign government client and then shared the information with the U.S. National Security Agency. In a carefully worded statement, the law firm said: "There is no indication, either in the media reports or from our internal systems and controls, that the alleged surveillance occurred at the firm." The statement misses the point, because unencrypted email is intercepted, undetectably, while it is being transmitted or stored outside the firm's internal network. That news report prompted the ABA to ask the NSA to explain how the agency deals with attorney-client privileged communications. As discussed in the post, Law Firm Email Security Questions The ABA Should Be Asking, the ABA was conflating legal privilege with client confidentiality and asking the wrong questions of the wrong organization. The fundamental question is whether the firm's lawyers were taking reasonable steps in the circumstances in order to secure sensitive email communications. The ABA report acknowledges that "law firms are businesses and should take special care to ensure that they have a strong security posture and a well-implemented security program." Many lawyers say the NIST Cybersecurity Framework can serve as a general guide for information security oversight and risk assessments, in order to establish that reasonable care was taken. The NIST Cybersecurity Framework includes an assessment of whether "data-in-transit is protected." Email fundamentally is a convenient but unsecure method of transmitting and storing data in the Cloud. There are many simple steps that lawyers can take to protect sensitive data that they exchange with clients and third parties, including email encryption. State bar associations, however, continue to draw an unfounded distinction between the data security measures required when transmitting and storing data "in the Cloud" versus those required for email.

Google opens Classroom to all apps for education users (InsideHigherEd, 13 August 2014) - Google Classroom, the search giant's lightweight learning management system, is now available to any institution that uses the company's Apps for Education. Classroom launched as a limited preview in May and adds a layer of course management on top of Google's productivity suite, which includes apps such as Gmail and Docs.

Judge bans live tweets by opposing counsel during deposition (ABA Journal, 13 August 2013) - Convicted for his role in a money-laundering conspiracy involving election contributions from a drug trafficker, a former South Texas sheriff got five years in federal prison. After his sentencing last month, KGBT reported on tweets of what disgraced ex-Hidalgo County Sheriff Lupe Treviño was saying during the federal court hearing. But an attempt to share with the public what Treviño said during a recent deposition in one of the civil suits the former sheriff is now facing was soon shut down. In a Wednesday hearing in Edinburg, a state-court judge banned further tweets by attorney Javier Peña, reports another KGBT article. Peña represents a former candidate for the sheriff's job in a lawsuit against Treviño. Judge Rudy Delgado rejected an attempt by Treviño's lawyer, Preston Henrichson, to limit the scope of Peña's questioning in the ongoing 93rd State District Court deposition but nixed live updates from Peña's Twitter account, the station reports. "Our technology is far outpacing ability to formulate rules," the judge commented.

Get the GC plugged in to cybersecurity (Corporate Counsel, 13 August 2014) - As more countries try to create rules to deal with cybersecurity and data privacy, general counsel need to become more engaged participants in the conversation, said Kaye Scholer partner Adam Golodner, because those rules will affect future business. Recent incidents, including the massive hacking of data by a Russian gang revealed last week and the theft of customer financial data from Target Corp. in December, only accelerate the process. So GCs should "engage in those discussions now," Golodner told CorpCounsel.com this week. Cybersecurity is a fundamental issue for general counsel and corporate counsel, Golodner said, and it now has escalated to a board of directors' issue. "We've seen significant change over the past three years where it has matured to a top-level risk management issue," he explained. Proposed legislation in the EU, he noted, will set cybersecurity standards for all enterprises. The proposal affects network and information security separate from the EU's data privacy directive. Before these standards become final, Golodner said, there's still a chance for multinational companies to participate in what the rules will look like.

Military companies brace for rules on monitoring hackers (Bloomberg, 13 August 2014) - Companies that do business with the Defense Department are bracing for new U.S. rules requiring them to report computer breaches to the Pentagon and give the government access to their networks to analyze the attacks. Groups representing the contractors are raising concern about the Pentagon rooting around their data, and say smaller companies may not even have the cybersecurity protections needed to comply. A report that was to be released today on the rules has been pushed back until Sept. 24, according to a person familiar with the matter who isn't authorized to speak publicly. The pending rule change marks an escalation of efforts to understand the scale of hacking as the Defense Department plans to spend $23 billion through fiscal year 2018 on cybersecurity. The crux of the rule is designed to ensure companies handling classified data quickly inform the Pentagon of hacking attacks. The effort "has the potential to become too onerous" if it requires contractors to report minor breaches and allows the Pentagon access to trade secrets or personal information on their networks, said Mike Hettinger, senior vice president for the public sector at TechAmerica, a trade association based in Arlington, Virginia, that represents Lockheed Martin Corp. (LMT), Northrop Grumman Corp. (NOC) and other defense contractors.

Cyber risk and the captive market (AON, August 2014) - The associated costs of cyber threats are increasing for entities in every industry sector. The legal exposure, reputational harm and business interruptions that may result can wreak havoc on a company's bottom line. This was made clear in Aon's 2014 Underrated Threats Report, where 83% of respondents (Captive Directors) felt that the ranking of #18 in Aon's Global Risk Management Survey 2013 for cyber risks (computer crimes/hacking/viruses/malicious codes) was severely underrated, a finding that was consistent across regional and revenue categories. In Aon's Global Risk Management Survey 2013, 7% of respondents (Captive Owners) indicated interest in underwriting cyber risk in a captive over the subsequent five years. Most cited the lack of appropriate cover in the commercial market place as the reason. However, in Aon's 2014 Captive Benchmarking Tool, which captured data from over 1,000 Aon managed captive clients, the number of captives currently writing cyber is reported at 1%, a number which has remained static since 2012. The reluctance for many organisations appears to derive from the challenge of gaining an estimation of the cyber risk exposure and quantification of consequences of cyber events, a challenge equally reflected in the reluctance of organisations to purchase cyber insurance from the insurance market.

Court says search results and suggested search terms protected by CDA immunity (Steptoe, 14 August 2014) - The U.S. District Court for the District of New Jersey has found that search engines are immune from liability for publishing search results and suggesting search terms that contain allegedly defamatory information. In Obado v. Magedson, the court held that Google, Yahoo!, and other sites were protected by Section 230 of the Communications Decency Act for publishing content provided by third parties. Even though the search engines themselves determine what is displayed on their pages, and in that sense "create" the content, the court appeared to reason that the search engines did not create the content because the results and search terms were determined by an algorithm based on the content contained on third-party sites, and not by some purposeful act of the search engines to create the content. While other U.S. courts have reached similar conclusions, the decision is in stark contrast to foreign court rulings holding Google liable for search results or "autocomplete" search suggestions. For example, a Hong Kong court recently ruled that a corporate executive could sue Google for defamation because its suggested search terms linked his name to organized crime. And last year, Germany's highest civil court ruled that once Google becomes aware that its suggested search terms are defamatory, it is obligated to remove them.

Box announces new alliances in legal (Bob Ambrogi, 14 August 2014) - In two posts last year, I wrote about Box, the file sharing and collaboration platform, making a push into the legal industry through integrations with several mobile and web legal platforms (here and here). Today, two weeks before its major BoxWorks2014 user conference in San Francisco and just a few days before the International Legal Technology Association conference in Nashville, the company announced major new clients in the legal field and new law-related partnerships and integrations. In today's announcement, Box said that the law firms DLA Piper, Hinshaw & Culbertson, Perkins Coie and Stoel Rives have chosen Box to manage, access and share information for various purposes. Box also announced a new relationship with HBR Consulting, a firm that provides strategic, technology and information management consulting services to the legal sector. Through the relationship, Box and HBR Consulting will work together to offer custom-built cloud-based storage and collaboration tools for law firms.

Cell phone guide for US protesters, updated 2014 edition (EFF, 15 August 2014) - With major protests in the news again, we decided it's time to update our cell phone guide for protestors. A lot has changed since we last published this report in 2011, for better and for worse. On the one hand, we've learned more about the massive volume of law enforcement requests for cell phone - ranging from location information to actual content - and widespread use of dedicated cell phone surveillance technologies. On the other hand, strong Supreme Court opinions have eliminated any ambiguity about the unconstitutionality of warrantless searches of phones incident to arrest, and a growing national consensus says location data, too, is private. Protesters want to be able to communicate, to document the protests, and to share photos and video with the world. So they'll be carrying phones, and they'll face a complex set of considerations about the privacy of the data those phones hold. We hope this guide can help answer some questions about how to best protect that data, and what rights protesters have in the face of police demands. See also the ACLU's Know Your Rights: Photographers (updated July 2014).

Lower your car insurance bill, at the price of some privacy (NYT, 15 August 2014) - An increasing number of the nation's auto insurance companies have a new proposition: Let them track every second of your driving in exchange for an annual discount that can reach into the hundreds of dollars if you behave yourself on the road. In theory, everyone wins here. Progressive, Allstate and State Farm - among the most aggressive of the larger companies that are pursuing this strategy - attract better drivers who crash less often. Customers who sign up for the optional programs can pay premiums based more on how they drive and less on their age, gender or credit history. But usage-based insurance , as the program is known, generates vast amounts of data. While insurance companies are pledging to keep it to themselves for now, some experts believe that we're only a few years away from companies' contributing complete driver histories into a central industry database. Then, we'd all have driver scores like the numbers that FICO helps creditors calculate, which would follow us around whenever we shopped for a new auto insurance policy.

Can pseudonyms make better online citizens? (Harvard Magazine, Sept 2014) - People socialize online more than ever: posting photos on Instagram, job-hunting on LinkedIn, joking about politics on Twitter, and sharing reviews of everything from hotels to running shoes. Judith Donath, a fellow at Harvard's Berkman Center for Internet and Society, argues against using real names for most of these Internet interactions and relying instead on pseudonyms. A made-up handle is essential to maintain privacy and manage one's online identity, she says. Her new book, The Social Machine: Designs for Living Online (MIT Press, 2014), also contends that well-managed pseudonyms can strengthen online communities, an idea that contradicts the conventional wisdom that fake names bring out the worst in people, allowing "trolls" to bully others or post hateful, destructive comments without consequences. Real names, such thinking goes, keep online conversations civil. But Donath often uses a pseudonym online, not because she wants to "anonymously harass people or post incendiary comments unscathed," as she explained in a commentary published on Wired.com this spring, but because she prefers to separate certain aspects of her life. In the age of Google, a quick search of a person's name gathers everything he or she has posted under that name, from résumés to college party photos. Because she is a public figure who studies how people communicate online, Donath's academic writing can be found online under her real name. But when she writes product reviews on shopping sites such as Drugstore.com, or restaurant reviews on Yelp, she might use a pseudonym. [Polley: Interesting ideas - this relates to the podcast recommended below.]

Cybersecurity is hard to ensure or insure (Houston Chronicle, 17 August 2014) - A massive data breach into Target's computer systems last year claimed millions of customer credit card numbers, a CEO's job and $148 million so far to clean up the mess. If hackers ever manage to hit an oil and gas company with a major cyberattack -- compromising key systems at a deep-water platform or an oil refinery -- losses could dwarf the retailer's tab. Yet most U.S. energy companies have to scrape together a collection of insurance policies to protect themselves against property, environmental and other damages from cyber-attacks that could run into the billions of dollars. "Imagine what could happen if a large refinery or petrochemical facility's safety monitoring systems were hijacked near an urban area, or a subsea control module was no longer able to be controlled by the people who should be controlling it," Legge said. "As we've all seen from Deepwater Horizon, those risks and damages can be astronomical. It requires an immediate response." That deadly 2010 blowout and oil spill in the Gulf of Mexico was an accident, but London-based insurer Aon says energy companies are at particular risk for cyberattacks because hackers only began targeting them in recent years, so many are just beginning to develop effective security. ABI Research forecasts that the oil industry will pay $1.9 billion on cybersecurity defense systems by 2018. But less than a fifth of U.S. companies overall are covered for cyberdamages.

Law firm leaders - value of outside perspective (Layse LLC, 19 August 2014) - Quality decision-making has a great deal to do with shaping the fate of all law firms. Today's post focuses on the value of today's law firm leader engaging the insight and decision-making acumen of seasoned outside business professionals. * * * Edward Drummond is a UK-based executive search firm that recently released the results of a study of the top 100 UK law firms over the last four years. It is telling that this study reports that about a quarter of the UK top 100 use a non-firm member to assist with decision making; and that the firms that utilized this approach realized a growth rate of about a third more than other firms. The author of the study suggests "To get someone in just for a few days a year often works well for both parties. Having someone with strong commercial experience - sometimes within the FTSE 100 - can really drive growth through commercial experience."

2014 ABA Tech Survey shows more attorneys using iPhones, but iPad use holds steady (iPhone JD, 20 August 2014) - Every year, the ABA Legal Technology Resource Center conducts a survey to gauge the use of legal technology by attorneys in the United States. My thoughts on the prior reports are located here: 2013, 2012, 2011, 2010. No survey is perfect, but the ABA tries hard to ensure that its survey has statistical significance, and every year this is one of the best sources of information on how attorneys use technology. Yesterday, the ABA released Volume VI of the report titled Mobile Lawyers. This year's report once again shows that a large number of attorneys are using iPhones and iPads. For those nine out of every ten attorneys who are using smartphones, 74% reported in 2014 that they were using a personally owned smartphone, and 28% used a smartphone permanently assigned by their law firm. Those numbers were closer to 66% and 36% in the prior three years, so it seems that in 2014, fewer law firms are buying smartphones for their attorneys and more attorneys are buying their own smartphones. Whether they buy it themselves or it is purchased by their law firm, what smartphones are those nine out of ten attorneys using in 2014? Last year, the big news was that over half of all attorneys were using an iPhone. This year, that number increases even more: 60.8% of all attorneys are using an iPhone (66.8% of the 91% of attorneys who use a smartphone). So if you can imagine a row of ten attorneys, this year one of them doesn't use a smartphone at all, and six of them use an iPhone. What about the other three? Two of them are likely using an Android phone (24.5% of the 91% of attorneys who use a smartphone report using an Android phone in 2014, a small increase from 22% in 2013) and that last attorney is probably using a Windows phone. Last year, based on the 2013 survey, I concluded that over 400,000 attorneys were using an iPad based on the survey numbers and the assumption that there are about one million attorneys in the U.S. This year, I still believe that there are over 400,000 attorneys using an iPad, but the 2014 survey results on lawyer tablet use were surprising to me in two respects. First, lawyer tablet use is not growing nearly as much as I had expected. In 2011, 15% of attorneys reported that they used a tablet device. In 2012, that more than doubled to 33%. In 2013, it increased to 48%. Thus, I would have guessed that more than half of attorneys would be using tablets in 2014. But that didn't happen. The number instead increased only from 48% to 49%. Have we reached the point where most attorneys who want to use a tablet already have one? After all, as useful as an iPad is, I often hear attorneys tell me that laptops such as the MacBook Air are so thin and light that they carry theirs almost everywhere, and when you always have a laptop with you there is less of a need for an iPad. Is it possible that even though almost half of all attorneys now use a tablet, the other half will never see the need to do so?

Big win for Amazon: First provider authorized to handle sensitive DoD workloads in Cloud (NextGov, 21 August 2014) - Amazon Web Services has become the first commercial cloud provider authorized to handle the Defense Department's most sensitive unclassified data. Today's announcement that AWS has achieved a provisional authority to operate under DOD's cloud security model at impact levels 3-5 is a major win for the company, as it allows DOD customers to provision commercial cloud services for the largest chunks of their data. In technical speak, the provisional ATO granted by the Defense Information Systems Agency means DOD customers can use AWS' GovCloud - an isolated region entirely for U.S. government customers - through a private connection routed to DOD's network. DOD customers can now secure AWS cloud services through a variety of contract vehicles. In layman's terms, AWS is the first company with the ability to take any and all of DOD's unclassified data to the cloud. AWS recently launched a private cloud for the Central Intelligence Agency to service the intelligence community, and other cloud providers have been busy picking up new business in the civilian government where billions of dollars are up for grabs. AWS was one of the first cloud providers to meet the Federal Risk and Authorization Management Program, the government's baseline security standards for cloud computing. The company was also one of three firms to meet DISA's cloud security requirements at impact levels 1-2, which govern the agency's least sensitive data. DISA's cloud security model includes many additional requirements on top of what is required by FedRAMP.

Taking a selfie inside the National Gallery: a copyright infringement? (IPKat, 21 August 2014) - A few days ago a number of UK newspapers reported that, following similar moves by a number of other UK institutions, also the National Gallery in London has changed its strict no-photos-(please) policy "after staff realised they were fighting a losing battle against mobile phones", The Telegraph explains. In particular, this decision has been motivated by the difficulties that have arisen to distinguish between visitors using the free wi-fi provided by the Gallery "to research paintings" [of course, what else?] "and those trying to take pictures with mobile phones." Since late July the new photography policy of this glorious cultural institution has quietly replaced the old one: visitors may now take photos of the Gallery's permanent collection on their own devices for personal, non-commercial purposes. Tripods remain off limits, and visitors will also be "discouraged" from blocking other people's views while taking pictures. In any case, similarly to the National Portrait Gallery and the Tate, the National Gallery "will maintain restrictions on members of the public photographing their temporary exhibitions, for reasons of copyright" [as well as, presumably, in some other cases for reasons of security or conservation]. So, would the taking of a picture of temporary exhibitions or displays with loans be really a potential copyright infringement? It might well be, provided of course that the particular work photographed is still protected by copyright [which might be the case also for works in the permanent collection, although for those paintings it is likely that the Gallery also owns the copyright]. The conclusion above is because the so called freedom of panorama under UK copyright does not apply to paintings. Section 62 (Representation of certain artistic works on public display) of the Copyright, Designs and Patents Act 1988 ('CDPA') states * * *

top

US universities at greater risk for security breaches than retail and healthcare (ZDnet, 21 August 2014) - The back-to-school season is a busy time for many, even hackers. According to a new report by the security rankings provider BitSight Technologies, higher education institutions experience an influx of malicious cyberattacks during the school year. But what's worse is that most of those universities are ill-equipped to prevent and handle such attacks, which, according to the report, results in cybersecurity rankings below those of retail and healthcare, two sectors plagued by near-constant attacks that often result in successful breaches. The majority of incidents BitSight observed at higher education institutions were malware infections, the most prevalent being Flashback, which targets Apple computers. Other prominent malware included adware and Conficker. BitSight said universities are the targets of so many attacks because they harbor a trove of sensitive and personal data, ranging from addresses and Social Security numbers to credit card numbers and intellectual property, and hackers are quick to notice the weak IT infrastructure in place to keep that data protected.

top

Giving email a holiday (NYT Editorial, 23 August 2014) - Daimler, the German automaker, has given new meaning to the escape command on workers' computers this summer by instituting an automatic program to delete incoming emails to employees on vacation, so they are not tempted to peek at business traffic at the seashore and can start with a clean slate when they return to work. The idea is to encourage a healthier balance in life and to cut down on workers' burnout - a condition that Daimler has concluded can't be good for business in the long run. The program, called Mail on Holiday, politely informs senders that their messages were instantly deleted, but they can contact a designated alternate worker if necessary. The email blackout is optional for the company's 100,000 workers, but "the response is basically 99 percent positive," a Daimler spokesman, Oliver Wihofszki, told BBC Radio. "Everybody says, 'That's a real nice thing.' " Well, of course it is. The new freedom - or is it basically a stroke of virtual mercy? - grows out of research by Daimler with psychologists at the University of Heidelberg. It is part of a "data detox" trend in European corporate life. Volkswagen and Deutsche Telekom have programs to cut back on evening and weekend emails to workers. Even Germany's Labor Ministry is pushing the go-easy button, encouraging managers to stop emailing workers outside of work hours. In France, employers and unions are pursuing an agreement so contract workers on long days might disconnect at given times from their babbling brooks of email. At Daimler, officials say they intend nothing more than emotional relief - a virtual sabbatical for their workers in what is proving to be a relentless digital age. And they issued assurances that no one was keeping lists of which vacationers did or did not resist the temptation of the inbox. 
[ Polley : Reminds me of the seminal email article by Amitai Etzioni in the NYT on 23 Nov 1997, " Some Privacy, Please, for E-Mail "]

top

'Hackcess to Justice' winners look to increase the reach of their apps (ABA Journal, 25 August 2014) - Award winners from the recent Hackcess to Justice legal hackathon are working hard to fulfill the main goal of the event: improving access for all Americans to effective legal assistance. In the two weeks since the inaugural hackathon, held in conjunction with the ABA Annual Meeting, took place at Suffolk University Law School in Boston, the programmers and lawyers behind the three winning entries have hardly sat back and rested on their laurels. Instead, they have all taken steps to try to increase the reach of their apps. For instance, all three apps are now available for the general public to use, and in some cases the prize winners are speaking to nonprofit and state agencies to figure out ways their apps can be used to provide legal assistance to many more individuals. William Palin, a Somerville, Massachusetts, attorney who won first place with his health care proxy and living will generator PaperHealth, tells the ABA Journal that the app has already been approved by Apple and is now available in the App Store. He says that he is currently talking to a nonprofit legal network in Vermont in the hopes of increasing awareness of his app. "What I'm proposing is that, if the state will provide an attorney to review the legality of the app, then I'll adjust and customize it for the state, and then provide it for free, as long as they promote it," says Palin, who hopes to do this with every state in the country. The second-place winning app, disastr, which was created by Matthew Burnett, director of the Immigration Advocates Network, and Adam Friedl, program and special initiatives manager at Pro Bono Net, has been officially released for Android. The app provides information, resources, real-time news and alerts, and legal representation forms for people affected by natural disasters. Meanwhile, David Colarusso, staff attorney for the Massachusetts Committee for Public Counsel Services, has been busy talking to state officials about potential uses for his team's app, Due Processr. The app, which took third place and was developed by Colarusso and his teammates, David Zvenyach, a general counsel in Washington, D.C., and William Li, a computer science PhD student at the Massachusetts Institute of Technology, is an interactive tool that allows users to determine their eligibility for indigent legal services in Massachusetts, and for criminal defendants to calculate their state prison sentences.

top

Surveillance Law (Stanford MOOC, Fall 2014) - This website hosts content for Surveillance Law, a free online course offered by Stanford Law School. We encourage you to join the interactive course on Coursera. If you would like heightened privacy protection, you can view noninteractive material on this website. The server is configured to not log requests, and can be accessed using HTTPS (details) or as a Tor hidden service (7vrl523532rjjznj.onion). It's easy to be cynical about government surveillance. In recent years, a parade of Orwellian disclosures has been making headlines. The FBI, for example, is hacking into computers that run anonymizing software. The NSA is vacuuming up domestic phone records. Even local police departments are getting in on the act, tracking cellphone location history and intercepting signals in real time. Perhaps 2014 is not quite 1984, though. This course explores how American law facilitates electronic surveillance, but also substantially constrains it. You will learn the legal procedures that police and intelligence agencies have at their disposal, as well as the security and privacy safeguards built into those procedures. The material also provides brief, not-too-geeky technical explanations of some common surveillance methods. [ Polley : I love how they're using Tor, and giving out .onion addresses.]

top

NIH tells genomic researchers: 'You must share data' (Chronicle of Higher Ed, 28 August 2014) - Scientists who use government money to conduct genomic research will now be required to quickly share the data they gather under a policy announced on Wednesday by the National Institutes of Health. The data-sharing policy, which will take effect with grants awarded in January, will give agency-financed researchers six months to load any genomic data they collect, from human or nonhuman subjects, into a government-established database or a recognized alternative. NIH officials described the move as the latest in a series of efforts by the federal government to improve the efficiency of taxpayer-financed research by ensuring that scientific findings are shared as widely as possible. "We've gone from a circumstance of saying, 'Everybody should share data,' to now saying, in the case of genomic data, 'You must share data,'" said Eric D. Green, director of the National Human Genome Research Institute at the NIH. The NIH's plan to require data-sharing hasn't been entirely popular with the researchers themselves, at least not in the early stages. When it appeared last year, the initial version of the NIH's policy proposal drew criticism from the Federation of American Societies for Experimental Biology, the nation's largest coalition of biomedical researchers, and the Association of American Medical Colleges, whose members include all 141 accredited U.S. medical schools.

top

NOTED PODCASTS

Judith Donath on The Social Machine (Berkman, 26 May 2014; 71 minutes) - Online, interface designs fashion people's appearance, shape their communication and influence their behavior. Can we see another's face or do we know each other only by name? Do our words disappear forever once they leave the screen or are they permanently archived, amassing a history of our views and reactions? Are we aware of how public or private our surroundings are? In this talk Judith Donath - Berkman Faculty Fellow and former director of the MIT Media Lab's Sociable Media Group - discusses some of these questions and more from her new book "The Social Machine." [ Polley : I'm particularly interested in online meetings vs. IRL meetings; Ms. Donath has some interesting observations about how online meetings should be different, and can be richer.]

top

RESOURCES

Open Intellectual Property Casebook (Duke, August 2014) - Duke's Center for the Study of the Public Domain is announcing the publication of Intellectual Property: Law & the Information Society: Cases and Materials by James Boyle and Jennifer Jenkins. This book, the first in a series of Duke Open Coursebooks, is available for free download under a Creative Commons license. It can also be purchased in a glossy paperback print edition for $29.99, $130 cheaper than other intellectual property casebooks. * * * The book is intended to be a textbook for the basic Intellectual Property class, but because it is an open coursebook, which can be freely edited and customized, it is also suitable for an undergraduate class, or for a business, library studies, communications or other graduate school class. Each chapter contains cases and secondary readings and a set of problems or role-playing exercises involving the material. The problems range from a video of the Napster oral argument to counseling clients about search engines and trademarks, applying the First Amendment to digital rights management and copyright, or commenting on the Supreme Court's new rulings on gene patents.

top

The 9 most useful Bitcoin data resources (Coindesk, 10 August 2014) - The days of pencil-pushing to gather and analyse data are numbered, and new tools have made gathering, sorting, analysing and visualising enormous amounts of data easier than ever. Bitcoin, of course, lends itself perfectly to these quantitatively-focused metric tools. Few things about the digital currency are subjective, and even though nobody knows for certain what drives bitcoin's price changes , plenty of people have tried their hand at using technical analysis to predict price trends. Luckily for us, there's no shortage of companies working with data to paint a picture of the ever-changing bitcoin ecosystem. These websites provide information on pricing, trading, market capitalisations, blockchain statistics and more. Here are nine of the most helpful bitcoin data resources * * * [ Polley : I'm still experimenting with my BTC wallets.]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Controversial government data-mining research lives on (Information Week, 23 Feb 2004) -- The government is still financing research to create powerful tools that could mine millions of public and private records for information about terrorists despite an uproar last year over fears it might ensnare innocent Americans. Congress eliminated a Pentagon office developing the terrorist tracking technology because of the outcry over privacy implications. But some of those projects from retired Adm. John Poindexter's Total Information Awareness effort were transferred to U.S. intelligence offices, congressional, federal and research officials told The Associated Press. In addition, Congress left undisturbed a separate but similar $64 million research program run by a little-known office called the Advanced Research and Development Activity (ARDA) that has used some of the same researchers as Poindexter's program. "The whole congressional action looks like a shell game," said Steve Aftergood of the Federation of American Scientists, which tracks work by U.S. intelligence agencies. "There may be enough of a difference for them to claim TIA was terminated while for all practical purposes the identical work is continuing."

top

NSA plots software center (FCW, 15 Oct 2004) -- The National Security Agency's top information security official disclosed plans this week for a government-funded research center devoted to improving the security of commercial software, calling the initiative a modern-day Manhattan Project. Comparing the proposed high-assurance software initiative to the famous atomic bomb research project of the 1940s, NSA's director for information assurance, Daniel Wolf, said the research would focus on tools and techniques for writing secure software and detecting malicious code hidden in software. Before NSA officials can create the center, the Defense secretary must approve the concept and find money for the project, Wolf said. He gave the keynote address at the Microsoft Corp. Security Summit East in Washington, D.C., earlier this week. The quality and trustworthiness of commercial software has become a matter of increasing concern to NSA officials, who are responsible for the security of Defense Department and intelligence software. NSA officials anticipate that many companies on whose software DOD and intelligence users rely will be moving significant portions of their commercial software development overseas within a few years. NSA officials cannot force companies to develop software a certain way, Wolf said, "but we would like to get them to a point where they are producing commercial products that meet the needs of our users." About 95 percent of the agency's desktop PCs run Microsoft's Windows operating system, Wolf said.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, August 09, 2014

MIRLN --- 20 July – 9 August 2014 (v17.11)

MIRLN --- 20 July - 9 August 2014 (v17.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | PODCASTS | DIFFERENT | LOOKING BACK | NOTES

Law firms respond to security risks in client data (LTN, 7 July 2014) - In February 2013, Joe Patrice wrote in Above The Law that law firms were the "soft underbelly of American cybersecurity." Today, it is safe to say that many law firms across the U.S., Canada and Europe take exception to that characterization. Why? In part due to the efforts of individual firms to adopt the ISO 27001 security standard or implement more robust security programs, including information security education. Also in February 2013 the former special agent in charge of cyber and special operations with the FBI's New York office, Mary Galligan, stated "We have hundreds of law firms that we see increasingly being targeted by hackers." There isn't a single law firm CIO or IT director who doesn't understand the weight of these statements. Many large law firms have actively engaged in internal and external initiatives to fight security threats. * * * Law firm clients in the financial services industry heavily scrutinize their outside counsel with vendor security audits. Governed by the Office of the Comptroller of the Currency and the Federal Financial Institutions Examination Council in compliance with the Gramm-Leach-Bliley Act, all law firms that have financial institution clients are required to respond to a comprehensive security audit. The audit process is detailed, and in many cases includes questionnaires with several hundred questions, on-site interviews and/or on-site physical security assessments covering everything from hard-copy file security to data center security.

top

Former hospital worker faces HIPAA charges (HealthcareInfoSec, 16 July 2014) - Federal prosecutors in Texas have taken the relatively uncommon move of pursuing criminal charges against an individual for alleged HIPAA violations. The case serves as a reminder that healthcare workers can potentially face prison time and hefty monetary fines for wrongful disclosures of patient data. The U.S. Department of Justice earlier this month announced the criminal indictment of Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas. The indictment, which was filed on March 26 in the U.S. district court in Tyler, Texas, but was sealed until July 3, charges Hippler with wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use it for personal gain. The alleged criminal HIPAA violations began about Dec. 1, 2012, and continued through about Jan. 14, 2013, court documents say.

top

Meet Executive Order 12333: the Reagan rule that lets the NSA spy on Americans (Washington Post, 18 July 2014) - Even after all the reforms President Obama has announced, some intelligence practices remain so secret, even from members of Congress, that there is no opportunity for our democracy to change them. Public debate about the bulk collection of U.S. citizens' data by the NSA has focused largely on Section 215 of the Patriot Act, through which the government obtains court orders to compel American telecommunications companies to turn over phone data. But Section 215 is a small part of the picture and does not include the universe of collection and storage of communications by U.S. persons authorized under Executive Order 12333. From 2011 until April of this year, I worked on global Internet freedom policy as a civil servant at the State Department. In that capacity, I was cleared to receive top-secret and "sensitive compartmented" information. Based in part on classified facts that I am prohibited by law from publishing, I believe that Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215. Bulk data collection that occurs inside the United States contains built-in protections for U.S. persons, defined as U.S. citizens, permanent residents and companies. Such collection must be authorized by statute and is subject to oversight from Congress and the Foreign Intelligence Surveillance Court. The statutes set a high bar for collecting the content of communications by U.S. persons. For example, Section 215 permits the bulk collection only of U.S. telephone metadata - lists of incoming and outgoing phone numbers - but not audio of the calls. Executive Order 12333 contains no such protections for U.S. persons if the collection occurs outside U.S. borders. 
Issued by President Ronald Reagan in 1981 to authorize foreign intelligence investigations, 12333 is not a statute and has never been subject to meaningful oversight from Congress or any court. Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Select Committee on Intelligence, has said that the committee has not been able to "sufficiently" oversee activities conducted under 12333. Unlike Section 215, the executive order authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person's communications are "incidentally" collected (an NSA term of art ) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

top

2014 Intelligence Authorization Act requires contractors to report cybersecurity breaches (Hogan Lovells, 18 July 2014) - [T]he president signed into law the Intelligence Authorization Act for Fiscal Year (FY) 2014 ( Pub. L. 113-126 ), which requires intelligence contractors with security clearances to promptly report network and information system penetrations and provide government investigators access to such systems. This new statutory cybersecurity reporting requirement for cleared intelligence contractors is largely consistent with a reporting requirement applicable to cleared U.S. Department of Defense (DoD) contractors under the National Defense Authorization Act (NDAA) for FY 2013. * * *

top

Net neutrality a key battleground in growing fight over encryption (InfoWorld, 21 July 2014) - Plans to favor some Internet packets over others threaten consumers' hard-won right to use encryption, a digital privacy advocate says. Activists and tech companies fended off efforts in the U.S. in the 1990s to ban Internet encryption or give the government ways around it, but an even bigger battle over cryptography is brewing now, according to Sascha Meinrath, director of X-Lab, a digital civil-rights think tank launched earlier this year. One of the most contested issues in that battle will be Net neutrality, Meinrath said. The new fight will be even more fierce than the last one, because Internet service providers now see dollars and cents in the details of packets traversing their networks. They want to charge content providers for priority delivery of their packets across the network, something that a controversial Federal Communications Commission proposal could allow under certain conditions. Encrypted traffic can't be given special treatment because it can't be identified, Meinrath said. That could eliminate a major revenue source for ISPs, giving them a strong reason to oppose the use of encrypted services and potentially an indirect way to degrade their performance, he said. Meinrath laid out parts of this argument in a recent essay in the June issue of Critical Studies in Media Communication , called "Crypto War II" and written with tech policy activist Sean Vitka. [ Polley : Others have reported seeing their Netflix speeds INCREASE when using VPN connections (which block your home ISP from seeing what kind of traffic you're running). Me, too. Interesting.]

top

What the Internet can see from your cat pictures (NYT, 22 July 2014) - Your cat may never give up your secrets. But your cat photos might. Using cat pictures - that essential building block of the Internet - and a supercomputer, a Florida State University professor has built a site that shows the locations of the cats (at least at some point in time, given their nature) and, presumably, of their owners. Owen Mundy, an assistant professor of art who studies the relationship between data and the public, created "I Know Where Your Cat Lives" as a way of demonstrating "the status quo of personal data usage by startups and international megacorps who are riding the wave of decreased privacy for all," Mr. Mundy wrote in a post about the site. Using images of cats uploaded to photosharing services, including Flickr, Twitpic and Instagram, Mr. Mundy extracted the latitude and longitude coordinates that many modern cameras, especially those in smartphones, embed in each image's Exif metadata. His site displays random images from a sample of one million of the many millions of pictures tagged with the word "cat" online. The images are displayed on a map using satellite imagery, with nearby cat photos also visible. Specific street addresses are not displayed, but the geographic information can leave few details to the imagination in rural areas.
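The article describes the mechanism only in passing. As an added illustration, the Python below is not from the Times piece or from Mr. Mundy's site: it walks a JPEG's marker segments, locates the Exif APP1 block, reads IFD0 to find the GPS sub-IFD, parses GPSLatitude/GPSLongitude (three degree/minute/second rationals each) with their N/S and E/W reference tags, and converts them to signed decimal degrees. It also shows the remedy, dropping the Exif segment before a photo is shared. The JPEG bytes are constructed inline (a metadata-only container with made-up coordinates, not a real photo or location); the segment walker and IFD reader are general and also handle big-endian ("MM") Exif blocks, which the constructed sample does not exercise.

```python
import struct

# TIFF field types -> byte width (Exif reuses the TIFF IFD layout).
_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
# JPEG markers with no length field: TEM, RST0-7, SOI, EOI.
_STANDALONE = {0x01, *range(0xD0, 0xDA)}
_EXIF_HEADER = b"Exif\0\0"
_GPS_IFD_POINTER = 0x8825  # IFD0 tag pointing at the GPS sub-IFD
# GPS IFD tags: LatitudeRef, Latitude, LongitudeRef, Longitude
_LAT_REF, _LAT, _LON_REF, _LON = 1, 2, 3, 4


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample (not a real photo): a JPEG container whose only segment is
    an Exif APP1 block. Little-endian TIFF, IFD0 -> GPS IFD; offsets from the TIFF
    header: IFD0 at 8, GPS IFD at 26, latitude rationals at 80, longitude at 104."""
    e = "<"
    ifd0 = (struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", _GPS_IFD_POINTER, 4, 1, 26)  # LONG, count 1
            + struct.pack(e + "I", 0))                              # no next IFD
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI", _LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"  # ASCII, inline
    gps += struct.pack(e + "HHII", _LAT, 5, 3, 80)                  # 3 RATIONALs at offset 80
    gps += struct.pack(e + "HHI", _LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    gps += struct.pack(e + "HHII", _LON, 5, 3, 104)
    gps += struct.pack(e + "I", 0)
    rationals = b"".join(struct.pack(e + "II", n, d) for n, d in lat_dms + lon_dms)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + rationals
    app1 = _EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def iter_jpeg_segments(data):
    """Yield (marker, start, end, payload) for each marker segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in _STANDALONE:
            end, payload = pos + 2, b""
        else:
            length = struct.unpack_from(">H", data, pos + 2)[0]  # length counts itself
            end, payload = pos + 2 + length, data[pos + 4:pos + 2 + length]
        yield marker, pos, end, payload
        pos = end
        if marker in (0xDA, 0xD9):  # entropy-coded scan data or end of image follows
            return


def _read_ifd(tiff, e, offset):
    """Return {tag: (type, count, raw_bytes)}; values wider than 4 bytes live at an offset."""
    count = struct.unpack_from(e + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, base)
        size = _TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            raw = tiff[base + 8:base + 8 + size]
        else:
            off = struct.unpack_from(e + "I", tiff, base + 8)[0]
            raw = tiff[off:off + size]
        entries[tag] = (typ, n, raw)
    return entries


def _dms_to_decimal(e, raw, ref):
    """Three RATIONALs (deg, min, sec) -> signed decimal degrees; S and W are negative."""
    deg, mins, secs = ((n / d) if d else 0.0 for n, d in struct.iter_unpack(e + "II", raw))
    value = deg + mins / 60 + secs / 3600
    return -value if ref in (b"S", b"W") else value


def exif_gps(data):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS fix is embedded."""
    for marker, _, _, payload in iter_jpeg_segments(data):
        if marker != 0xE1 or not payload.startswith(_EXIF_HEADER):
            continue
        tiff = payload[len(_EXIF_HEADER):]
        e = "<" if tiff[:2] == b"II" else ">"  # byte order declared by the TIFF header
        ifd0 = _read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
        if _GPS_IFD_POINTER not in ifd0:
            return None
        gps = _read_ifd(tiff, e, struct.unpack(e + "I", ifd0[_GPS_IFD_POINTER][2])[0])
        if not all(t in gps for t in (_LAT_REF, _LAT, _LON_REF, _LON)):
            return None
        return (_dms_to_decimal(e, gps[_LAT][2], gps[_LAT_REF][2][:1]),
                _dms_to_decimal(e, gps[_LON][2], gps[_LON_REF][2][:1]))
    return None


def strip_exif(data):
    """Rebuild the file without any Exif APP1 segment (drops GPS and every other Exif tag)."""
    out, last = bytearray(b"\xff\xd8"), 2
    for marker, start, end, payload in iter_jpeg_segments(data):
        if not (marker == 0xE1 and payload.startswith(_EXIF_HEADER)):
            out += data[start:end]
        last = end
    return bytes(out + data[last:])  # scan data and EOI are copied through untouched


# Made-up coordinates: 30 deg 15' 00" N, 97 deg 45' 00" W.
SAMPLE_JPEG = build_sample_jpeg([(30, 1), (15, 1), (0, 1)], "N", [(97, 1), (45, 1), (0, 1)], "W")

if __name__ == "__main__":
    print("before strip:", exif_gps(SAMPLE_JPEG))
    print("after strip: ", exif_gps(strip_exif(SAMPLE_JPEG)))
```

Run on its own, the script reports the embedded fix before stripping and None afterwards. Removing the whole APP1 block is the blunt remedy: it also discards orientation, camera model and every other Exif tag, and a tool such as exiftool can remove only the GPS IFD if the rest is wanted. Whether a given sharing service strips metadata on upload varies, so the safe working assumption is that whatever the file carries at upload time is published.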

top

Prosecutors are reading emails from inmates to lawyers (NYT, 22 July 2014) - The extortion case against Thomas DiFiore, a reputed boss in the Bonanno crime family, encompassed thousands of pages of evidence, including surveillance photographs, cellphone and property records, and hundreds of hours of audio recordings. But even as Mr. DiFiore sat in a jail cell, sending nearly daily emails to his lawyers on his case and his deteriorating health, federal prosecutors in Brooklyn sought to add another layer of evidence: those very emails. The prosecutors informed Mr. DiFiore last month that they would be reading the emails sent to his lawyers from jail, potentially using his own words against him. Jailhouse conversations have been many a defendant's downfall through incriminating words spoken to inmates or visitors, or in phone calls to friends or relatives. Inmates' calls to or from lawyers, however, are generally exempt from such monitoring. But across the country, federal prosecutors have begun reading prisoners' emails to lawyers - a practice wholly embraced in Brooklyn, where prosecutors have said they intend to read such emails in almost every case. The issue has spurred court battles over whether inmates have a right to confidential email communications with their lawyers - a question on which federal judges have been divided. [ Polley : This is only mildly nefarious - the jail/prison email systems carry ToS that abrogate confidentiality. Still. And, there have been cases involving private employers who've been prohibited from accessing/using emails between an employee and the employee's counsel, generally on the basis of superseding policy protecting attorney-client privilege.]

top

A plan to untangle our digital lives after we're gone (NPR, 23 July 2014) - Ancient peoples sent their dead to the grave with their prized possessions - precious stones, gilded weapons and terracotta armies. But unlike these treasures, our digital property won't get buried with us. Our archived Facebook messages, old email chains and even Tinder exchanges will hover untouched in the online cloud when we die. Or maybe not. Last week, the Uniform Law Commission drafted the Uniform Fiduciary Access to Digital Assets Act , a model law that would let relatives access the social media accounts of the deceased. A national lawyers' group, the ULC aims to standardize law across the country by recommending legislation for states to adopt, particularly when it comes to timely, fast-evolving issues. "Where you used to have a shoebox full of family photos, now those photos are often posted to a website," notes Ben Orzeske, legislative counsel at the ULC. That shoebox used to go to the executor of the deceased's will, who would open it and distribute its contents to family members. The will's author could decide what she wanted to give and to whom. The Uniform Fiduciary Access to Digital Assets Act aims to make the digital shoebox equally accessible. "This is the concept of 'media neutrality,' " Orzeske explained. "The law gives the executor of your estate access to digital assets in the same way he had access to your tangible assets in the old world. It doesn't matter if they're on paper or on a website." It turns out those terms-of-service agreements Internet users usually click through without reading include some strict rules: The small print on sites like Facebook and Google specifies that the user alone can access his or her account. But the ULC's proposed law would override those contracts, Orzeske said. [see also Tech seeks life after death for accounts (The Hill, 24 July 2014)]

top

After spoliation decision, businesses should reconsider limited-duration retention policies (Texas Lawyer, 23 July 2014) - In theory, businesses use limited-duration retention policies to minimize the financial burden associated with retaining and managing electronic data generated in the normal course of business. With respect to litigation, these businesses assume the risk that their retention policies comply with their duties to preserve evidence that may be material and relevant to a claim or defense. A recent decision by the Supreme Court of Texas may cause these businesses to reconsider this risk. The court's July 3 decision in Brookshire Brothers, Ltd. v. Aldridge changes the spoliation landscape under Texas law. According to Justice Debra Lehrmann's majority opinion, in a slip-and-fall case, the grocery store's surveillance camera captured the plaintiff's fall. At the time, the grocery store had a standard 30-day retention policy for surveillance footage. After learning of the plaintiff's injury, the grocery store recorded over all but an eight-minute segment of the video, starting just before the plaintiff entered the store and concluding shortly after the fall. The trial court allowed the jury to hear evidence about the grocery store's failure to preserve a longer portion of the video, and the court ultimately provided a spoliation instruction to the jury. The Twelfth Court of Appeals in Tyler held that these decisions did not constitute an abuse of discretion. The Supreme Court of Texas disagreed and essentially adopted the spoliation framework Justice James Baker proposed in his concurring opinion in Trevino v. Ortega (1998). Trial courts will now be responsible for resolving spoliation issues because the court believes that such issues distract juries from the merits and unfairly prejudice juries against alleged spoliators. Along these same lines, the general rule is that a trial court may no longer give a spoliation instruction, which is "tantamount to a death-penalty sanction," unless there is evidence of intentional spoliation. While these developments will change the manner in which spoliation issues are tried, the court's clarification of what constitutes "intentional" spoliation may have the furthest-reaching consequences for corporate litigants. All nine justices agreed that intentional spoliation occurs not only when a party acts with the subjective purpose to conceal or destroy discoverable evidence, but also when a party acts with "willful blindness" by allowing the destruction of evidence without knowing whether it will be relevant and discoverable.

top

How should the law handle privacy and data security harms? (Dan Solove, 23 July 2014) - In three earlier posts, I've been exploring the nature of privacy and data security harms. In the first post, Privacy and Data Security Violations: What's The Harm?, I explored how the law often fails to recognize harm for privacy violations and data breaches. In the second post, Why the Law Often Doesn't Recognize Privacy and Data Security Harms, I examined why the law has struggled in recognizing harm for privacy violations and data breaches. In particular, I pointed out the "collective harm problem" -- that data harms are often caused by the combination of many actions by different actors over a long period of time, which makes it hard to pin the harm to a single wrongdoer. I also discussed the "multiplier problem" -- that companies have data on so many people these days that an incident can affect millions of people yet cause each one only a small amount of harm. Adding it all up, however, could lead to catastrophic damages for a company. In the third post, Do Privacy Violations and Data Breaches Cause Harm?, I examined why the future risk of harm, often ignored by courts, really is harmful. I also pointed out that privacy violations and data breaches often cause harm not just to individuals, but also to society. In this post, I will discuss how the law should handle privacy and security harms. * * *

Cloud computing stymies digital forensics investigations (Nextgov, 24 July 2014) - In recent years, cloud computing has made the leap from an emerging technology to government mainstay, allowing agencies an IT avenue to share services, save money and increase efficiency. However, cloud computing still presents some major technical challenges in government, as illustrated by a recent draft report issued by the National Institute of Standards and Technology. Prepared by the NIST Cloud Computing Forensic Science Working Group, the report summarizes a staggering 65 challenges cloud computing presents to forensics investigators who sift through bits and bytes of digital evidence to solve crimes. The challenges are technical, legal and organizational, according to NIST's Martin Herman, co-chair of the working group. They can be further classified among nine categories, including architecture, data collection, analysis, standards, training and "anti-forensics" such as data hiding and malware. With cloud computing becoming more popular - many agencies, for example, now use cloud computing for email - scenarios in which the cloud might muck up an investigation are plentiful. For example, in a typical computer system, when a user deletes a file, the user isn't actually deleting the information -- only the digital "pointers" to the file, according to Herman. Data isn't really deleted until the physical hard drive or storage disk is overwritten with other data. Traditional forensics teams routinely recover files - including deleted files - using fairly well-known tools. Because the cloud can be a shared, multitenant environment, servers and storage devices can be shared among many different customers. That means, Herman said, there is a higher likelihood deleted data will be overwritten.
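The "pointers only" behaviour Herman describes, as an added, constructed illustration rather than anything from the NIST report or the Nextgov article: a toy block device in which deleting a file drops only the directory entry, so a carver reading the raw blocks still finds the content until another tenant's write reuses those blocks. The class and function names (ToyDisk, carve, evidence_lifecycle) are hypothetical.

```python
"""Toy block device showing why 'delete' does not destroy data.

Constructed example (not from the NIST working group report or the
Nextgov article).  A disk is a list of fixed-size blocks plus a directory
mapping file names to block numbers.  delete_file() drops only the
directory entry (the "pointer"), so a carver reading the raw blocks still
finds the content until another write lands on those blocks.  All names
here (ToyDisk, carve, evidence_lifecycle) are hypothetical.
"""

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, n_blocks=4):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # blocks are handed out in this order
        self.directory = {}                 # file name -> list of block numbers

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in chunks]
        for blk, chunk in zip(used, chunks):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = used
        return used

    def read_file(self, name):
        # Normal access goes through the directory: a deleted file is simply gone.
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def delete_file(self, name):
        # Only the pointers are removed; the block contents are left untouched.
        self.free.extend(self.directory.pop(name))


def carve(disk, marker):
    """Scan the raw blocks, ignoring the directory, the way a file carver does."""
    return [i for i, blk in enumerate(disk.blocks) if marker in blk]


def evidence_lifecycle(tenant_writes):
    """Write and delete a file, then apply other tenants' writes to the shared device.

    Returns how many blocks still hold carvable copies of the deleted content:
    first right after the delete, then after each subsequent tenant write.
    """
    disk = ToyDisk(n_blocks=4)
    disk.write_file("evidence.txt", b"SECRET-EVIDENCE " * 2)   # occupies blocks 0 and 1
    disk.delete_file("evidence.txt")
    history = [len(carve(disk, b"SECRET"))]
    for n, data in enumerate(tenant_writes):
        disk.write_file(f"tenant{n}.bin", data)   # any tenant may be handed the freed blocks
        history.append(len(carve(disk, b"SECRET")))
    return history


if __name__ == "__main__":
    # Blocks still holding the deleted evidence after the delete and after each write.
    print(evidence_lifecycle([b"x" * BLOCK_SIZE] * 4))   # [2, 2, 2, 1, 0]
```

On a dedicated machine the freed blocks sit idle until the same user writes again; on a shared device every tenant's write draws from the same free list, which is the mechanism behind the higher overwrite likelihood the article describes.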

Court allows use of "stingray" cell tracking device in murder case (ArsTechnica, 24 July 2014) - The Supreme Court of Wisconsin has upheld the warrantless use of cell phone tracking devices, better known as "stingrays." In a narrow decision published on Thursday, the court found that while the Milwaukee police did not specifically have a warrant to use the stingray to locate a murder suspect, it did have a related judicial order that essentially served the same purpose. * * * Earlier this year, Wisconsin passed a new law that specifically requires a probable cause warrant in order to track someone's phone. That law was not in effect at the time of the 2009 murder.

Corporate firms not so spooked by NSA snoops (Corporate Counsel, 28 July 2014) - Corporate lawyers appear less troubled by former National Security Agency contractor Edward Snowden's government surveillance leaks, especially when compared with their colleagues who focus more on terrorism and criminal cases, according to a new report from leading civil liberties groups. At least some of this disparity seems to stem from the confidence major corporate law firms have in systems they've developed to protect their information from government spies, according to "With Liberty to Monitor All: How Large-Scale U.S. Surveillance Is Harming Journalism, Law and American Democracy," which Human Rights Watch and the American Civil Liberties Union released Monday. These firms have long feared government surveillance and have had the money to take steps intended to secure their info, the report said. An information security officer at an unnamed "major international firm" and a partner in the litigation department of an unidentified "large firm" reported that the U.S. government's extensive electronic surveillance doesn't change how their firms already defend against hackers or spying by foreign governments. For the report, Human Rights Watch interviewed 42 lawyers who represent clients on a variety of criminal and civil matters.

- but -

C-level execs concerned about cybersecurity, but not investing in it (InfoSecurity Magazine, 28 July 2014) - Cybersecurity concerns C-level execs more than concerns over their companies' reputations. However, many are unwilling to invest to assuage the worries; and many don't realize that a data breach could be the most costly reputational issue that a company can face. According to the Fifth Annual Board of Directors Survey from EisnerAmper, there is an ever-increasing concern over cyber-attacks among board members, particularly for public companies and not-for-profit organizations. However, both private companies and organizations with more than $1 billion in revenue felt they were more at risk from cybersecurity/IT than reputation issues. However, the survey also showed a lack of willingness and resources to address the fears. "Many respondents wrote in that they had no plans - or relatively unsophisticated plans - to protect their reputations [in a cyber-crisis]," the firm said. "Overwhelmingly, C-suite executives and the board were referenced as the go-to resources to execute a plan to preserve a company's reputation during a crisis." Crisis management, which could include plans on how to avert a substantial impact on an organization's reputation (including social media showdowns developing from any issue and risk listed - and then some), generated concern from only 31% of respondents - garnering a rank even lower than last year, when it included disaster recovery.

- and -

Homeland Security wants corporate board of directors more involved in cyber-security (Network World, 29 July 2014) - Setting corporate cyber-security policy and taking actions around it must be a top concern for the board of directors at any company, not just the information-technology division, the Department of Homeland Security (DHS) indicated as a high-level official there backed a private-sector effort to raise awareness at the board level. Andrew Ozment, assistant secretary, Office of Cybersecurity and Communications at DHS, today said DHS endorsed the principles spelled out in the "NACD Directors' Handbook on Cyber-Risk Oversight" published by the National Association of Corporate Directors, which has over 14,000 members who are directors for public, private and non-profit organizations. The DHS will include the NACD's handbook on the U.S. CERT website as a source of information for businesses. In any organization, the board of directors is there to oversee its general direction, including how well upper management is performing. With the news headlines pouring out about data breaches and cyber-espionage on a daily basis these days, "directors are very much aware of cyber-security," said Daly, but they struggle to know how to confront it in detail. The "Handbook on Cyber-Risk Oversight" insists that they should and must play a bigger role, spelling out five basic principles (see graphic, above) that first involve gaining in-depth understanding, then helping set an "enterprise-wide cyber-risk management framework," while also considering whether cyber-insurance might be worthwhile in order to cover the considerable costs that a data breach might entail.

- and -

SEC investigations spur debate over "materiality" of cyberattacks (WeComply, 30 July 2014) - Following a record year for data breach incidents - with eight breaches exposing over 10 million identities - the U.S. Securities and Exchange Commission (SEC) is closely scrutinizing how those breaches were handled. Multiple recently-opened SEC investigations are focusing on the data security processes companies had in place when the breaches occurred and how much they disclosed - or failed to disclose - to investors about them. Such investigatory actions are new for the SEC, which has previously focused on guiding public companies on how to defend against cyberthreats and disclose those risks to their investors. Now, however, the SEC is looking into events related to the data breaches, including how they occurred, the consequences, how each organization responded and - where asset values may have been affected by a breach - closely reviewing companies' internal controls. Enforcement action would not be unwarranted if the agency finds company disclosures were incomplete or misleading. One potential roadblock for regulators is that, while public companies are required to tell investors of any material events that may affect the investors' decision to buy or sell shares, there is no explicit requirement that they disclose cyberattacks. Previous SEC guidance addressed this issue by urging companies to disclose any material information on cyberattacks or risks, such as breaches that lead to stolen intellectual property or a significant increase in the amount spent to defend company information. However, "materiality" is often a matter of interpretation that varies according to the situation and parties involved. Consequently, whether companies should disclose such information, and what type of information should be disclosed remains a topic of debate among corporate attorneys, regulators and other interested parties. 
Many companies avoid disclosing breaches for fear of lawsuits. However, according to a recent study by security firm HBGary Inc., more than 70% of investors are interested in receiving more information about company cybersecurity practices. This pressure, together with an increase in the volume and frequency of cyberattacks and heightened regulatory scrutiny, may force many companies to change their disclosure policies if they wish to remain competitive and retain the public's trust.

Report says backlash from NSA's surveillance programs will cost private sector billions of dollars (TechDirt, 29 July 2014) - The Open Technology Institute has put together a thorough paper detailing the many adverse effects the NSA disclosures have had, both on American businesses inside and outside of the tech sector, as well as on Americans themselves. So, how much will the NSA leaks cost American businesses? It's tough to say. Although the OTI has done an incredible amount of research, it's difficult to pin down exact losses. Any time an American company has its bid denied by a foreign country, the NSA's actions have likely played some role. But this will very rarely be stated explicitly. This leads to a rather open-ended estimate of lost sales: Nearly 50 percent of worldwide cloud computing revenue comes from the United States, and the domestic market more than tripled in value from 2008 to 2014. However, within weeks of the first revelation, reports began to emerge that American cloud computing companies like Dropbox and Amazon Web Services were losing business to overseas competitors. The NSA's PRISM program is predicted to cost the cloud computing industry from $22 to $180 billion over the next three years.

- and -

US: surveillance harming journalism, law, democracy (Human Rights Watch, 28 July 2014) - Large-scale US surveillance is seriously hampering US-based journalists and lawyers in their work, Human Rights Watch and the American Civil Liberties Union said in a joint report released today. Surveillance is undermining media freedom and the right to counsel, and ultimately obstructing the American people's ability to hold their government to account, the groups said. The 120-page report, "With Liberty to Monitor All: How Large-Scale US Surveillance is Harming Journalism, Law, and American Democracy," is based on extensive interviews with dozens of journalists, lawyers, and senior US government officials. It documents how national security journalists and lawyers are adopting elaborate steps or otherwise modifying their practices to keep communications, sources, and other confidential information secure in light of revelations of unprecedented US government surveillance of electronic communications and transactions. The report finds that government surveillance and secrecy are undermining press freedom, the public's right to information, and the right to counsel, all human rights essential to a healthy democracy.

Great privacy essay: Fourth Amendment doctrine in the era of total surveillance (NetworkWorld, 30 July 2014) - When you signed up with your ISP, or with a wireless carrier for mobile devices, if you gave it any thought at all when you signed your name on the contract, you likely didn't expect your activities to be a secret, or to be anonymous, but how about at least some degree of private? Is that reasonable? No, as the law currently suggests that as a subscriber, you "volunteer" your personal information to be shared with third-parties. Perhaps not the content of your communications, but the transactional information that tells things like times, places, phone numbers, or addresses; transactional data that paints a very clear picture of your life and for which no warrant is required. I'd like to direct your attention to an essay titled "Failing Expectations: Fourth Amendment Doctrine in the Era of Total Surveillance" by Olivier Sylvain, Associate Professor of Law at Fordham University School of Law. He said, "Today's reasonable expectation test and the third-party doctrine have little to nothing to offer by way of privacy protection if users today are at least conflicted about whether transactional noncontent data should be shared with third parties, including law enforcement officials." * * * Sylvain argues that "the reasonable expectation standard is particularly flawed if it has the effect of encouraging judges to seek guidance from legislatures on constitutional norms and principles. Judicial review is the vital antimajoritarian check against excessive government intrusions on individual liberty under our constitutional scheme. This is a responsibility that courts cannot pass off to the political branches when, as is the case today, most people expect that the cost of network connection is total surveillance."

Encrypt your phone calls with Signal for iPhone and RedPhone for Android (Lawyerist, 30 July 2014) - Security is getting simpler and easier, thanks to companies like Open Whisper Systems, which now has encrypted calling apps for both iPhone and Android. RedPhone for Android has been out for a while, and Signal is a brand-new encrypted calling app and service for iPhone. Both are free to download and use. Both apps are also open-source (you can find the code on Github) so that anyone can audit the code to ensure it does what it is supposed to do. What they do is encrypt phone calls between Signal or RedPhone users. If someone were to gain access to your phone metadata, for example, all they would be able to see is that you called Open Whisper Systems' servers, which do not keep any logs. The call itself is encrypted and decrypted locally on your phone, which makes it extremely difficult for anyone to figure out how to listen in. Signal is a good-looking app that blends in well with iOS 7. (RedPhone just uses the default Android system dialer, so it does not change the look and feel of calls other than to add a RedPhone Call label to secure calls.) Signing up is as simple as providing your phone number, then confirming it with a code sent by text message. It's a convenient signup method that does away with usernames and passwords. After that, Signal works a lot like the regular iPhone phone app. You just have to launch Signal, instead, in order to make secure calls. The only real downside to Signal and RedPhone is that your friends need to have the app in order for you to call them securely. If you try to call someone who is not already registered with Signal, it will offer to invite them to Signal via text message. RedPhone works a bit differently, since it integrates with the Android dialer. RedPhone will let you call anyone, and it uses encryption whenever the person you call has RedPhone installed.
[ Polley : I've installed Signal, and see that a few of my friends & colleagues already have it on their iPhones. Give it a try; give me a call.]

Port Authority claims ownership of NYC skyline (ArtNet News, 31 July 2014) - The Port Authority of New York and New Jersey (PA) is asserting its supposed right to images of the New York City skyline, issuing a cease-and-desist order against a china pattern from home goods store Fishs Eddy, reports the New York Times. "Your use of the Port Authority's assets on dinnerware and other items is of great concern to the Port Authority," wrote Veronica Rodriguez, a lawyer representing the PA, to the store on July 24. That kind of serious language certainly implies a greater threat than salt shakers and coffee mugs, and yet here we are, in a world where a government agency is seeking to prevent the artistic representation of the city's most iconic buildings. According to Rodriguez, the depiction of the new 1 World Trade Center building on the playful black-and-white "212 New York Skyline" line of dinnerware could "evoke thoughts of the Port Authority, the twin towers, W.T.C. and the September 11th terrorist attacks." Fishs Eddy's "Bridge and Tunnel" collection of mugs, coasters, dish towels, and tote bags, which features the Lincoln and Holland Tunnels, has also been targeted by the PA. The sale of the goods, claims Rodriguez, "interferes with the Port Authority's control of its own reputation." The store has been ordered to stop selling the dishware in question and to "destroy all materials, documents and other items bearing the assets." Thanks to the sale of the 212 line, Rodriguez argues, Fishs Eddy is "unfairly reaping a benefit from an association with the Port Authority and the [9/11] attacks." It seems a fairly preposterous claim, especially considering that the only place in New York that artnet News associates with the Port Authority is that terrible bus terminal in Times Square.

Senate bill would offer tax incentives for sharing cyber-threat info (FCW, 31 July 2014) - Sen. Kirsten Gillibrand (D-N.Y.) introduced a bill July 31 that would provide tax credits for companies that join organizations dedicated to sharing cyber-threat information. The bill would encourage "businesses of all sizes" to join Information Sharing and Analysis Centers, Gillibrand's office said. ISACs are common mechanisms for information sharing and are often broken down by sector. Energy firms have the Electricity Sector ISAC, for example, while banks have the Financial Services ISAC. The bill has drawn early support from the National Health ISAC, NSS Labs and IBM, among other stakeholders. IBM Vice President of Governmental Programs Christopher Padilla said in a supportive letter to Gillibrand that the legislation would "help lower the costs of participating in sector-specific" ISACs. [ Polley : MIRLN normally doesn't run stories about potential laws (with this Congress, too much happens 'twixt cup and lip), but a potential explosion of sector-specific ISACs is starting, and probably would benefit from such encouragement.]

3D printing: Overcoming the legal and intellectual property issues (ZDnet, 1 August 2014) - When discussing 3D printing, few words are thrown around as frequently and casually as "disruptive." And while the term is widely overused in the startup world, when it comes to 3D printing and manufacturing this is an instance where the term actually applies. As far as the relationship between 3D printing and intellectual property rights, though, this might just be another developing chapter in the uneasy story of technology and IP. As it stands, there are numerous ways to violate intellectual property rights - be they copyrights, patents or trademarks. But the territory is so new, not much has been established regarding the repercussions of using a 3D printer for nefarious purposes. It's not even clear who might be liable. If someone starts printing and selling Mickey Mouse figurines, does Disney go after the person who printed one, the maker of the printer, the designer, the supplier of the material? According to Mark Schonfeld, attorney at the Boston-based firm Burns & Levinson, looking to similar technologies of the past might help determine what happens going forward. * * *

Are Internet domain names "property"? (David Post in the Washington Post, 1 August 2014) - An interesting lawsuit - Ben Haim et al. v Islamic Republic of Iran et al. - has been percolating through the federal system for the last few years, involving a group of plaintiffs who have received money judgments against the governments of Iran, Syria, and North Korea for injuries suffered in state-sponsored terror episodes. To satisfy the judgments, the plaintiffs have been on a campaign to seize assets - bank accounts, real property, etc. - located in the US belonging to those governments (with, apparently, some limited success). In the latest round, they requested, and the DC District Court issued, a series of "writs of attachment" against ICANN, the US-based manager of the global domain name system, ordering it to "hold" property in its control belonging to the defendant governments - specifically, the "country-code top-level domains" (ccTLDs) .IR (Iran), .SY (Syria), and .KP (North Korea) - pending final adjudication of plaintiffs' claims (so that the property would be available to satisfy the plaintiffs' previous judgments, should the court order its seizure and liquidation or transfer for that purpose). * * * [I] also agree with the somewhat narrower legal arguments that ICANN makes in its (very well-written) Motion to Quash the Writs of Attachment. A ccTLD is not "property"; even if you think it's property, it's not property "belonging to" the defendant governments; even if you think it's property belonging to the defendant governments, it's not within ICANN's control; and even if you think it's property belonging to the defendant governments that is within ICANN's control, it's not "located in the United States" and therefore not subject to seizure by a US federal court.

More online publishers let readers fill the space (NYT, 1 August 2014) - To most English speakers, "platform" is a noun. But among news organizations, it is quickly becoming a verb. For publishers, the new meaning of "to platform" is something akin to: Take a traditional media company and add technology that allows readers to upload digital content as varied as links, text, video and other media. The result is a "publish first" model in which a lightly filtered, or unfiltered, stream of material moves from reader to reader, with the publication acting as a host and directing conversation but not controlling it. If it does not quite eliminate the middleman, it goes a long way toward reducing his role, and some media companies view it as a way to enhance their relationship with readers while increasing content production at minimal cost. Condé Nast Publications, for example, plans to allow a select group of writers to start posting on its Traveler website in mid-August as part of a series of experiments involving its magazines. At Time Inc., Entertainment Weekly has television fans posting updates on their favorite shows, and at Gawker, readers can engage with each other as well as with writers, completely uncensored. * * * [A]llowing readers to post their own description of a college sports game or a favorite recipe for chocolate cake is widely believed to make them more loyal and keep them on the site longer - something advertisers very much like to see. Yet knowing these advantages, established publications, particularly those specializing in news, have flinched at making it possible for outsiders to upload raw content for fear that the publications' reputations for reliability - which took decades to build - could be undermined easily. Sites that are pure platforms have certainly faced such missteps; Reddit found itself in trouble after the Boston Marathon bombing when some of its users pointed a suspicious finger at someone who turned out to be the wrong man. 
Longtime publishers have also feared the kind of uncensored vitriol that frequently develops on sites without monitors. The New York Times, for example, screens every comment on news stories for appropriate language before it is posted, but this is costly and time-consuming. * * * [T]echnology is improving and can increasingly be used to police commenting; algorithms, for example, can flag particularly pungent words. Moreover, established platforms have shown that there are ways to police comments that are fairly basic. Amanda Hesser, the co-founder of Food52, and a former New York Times reporter, said her site had successfully employed the simple tools of "likes" to ensure that better-quality content was seen by more readers. At SBNation, a sports fan site run by Vox, readers are encouraged to report commentators who are out of line. This and the increasingly tight budgets at publishers have left many feeling that they have little to lose.

Latest legal victory has LegalZoom poised for growth (ABA Journal, 1 August 2014) - In recent years, LegalZoom has faced lawsuits in eight states seeking to shut it down for violating state laws barring the unauthorized practice of law. But with a notable recent victory in South Carolina, and having fended off all but one of the other lawsuits, LegalZoom is anything but shutting down. To the contrary, LegalZoom, which began offering legal forms online in 2001, is poised to significantly broaden the range of services it offers consumers and small businesses. Already it has expanded into prepaid legal services, operating plans in 41 states and the District of Columbia. Now it is looking ahead to offering a continuum of products and services, from simple forms to full-fledged legal advice, with both lawyers and nonlawyers in the mix. The nub of complaints against LegalZoom is not the self-help documents it provides, but the way it provides them. At its website, customers buy documents to form a business, register a trademark, create a will and address other common legal needs. Questionnaires guide customers through creation of the document, after which LegalZoom employees review the answers for spelling, consistency and completeness. Some, including the North Carolina State Bar, maintain that these elements of guidance and review transform LegalZoom from simple document provider to legal adviser. In 2008 the North Carolina bar issued LegalZoom a cease-and-desist letter. The matter made its way to North Carolina business court where, last March, a judge put off deciding the UPL issue, saying he required additional evidence to fully understand LegalZoom's process for preparing complex documents. Two weeks earlier, the high court in neighboring South Carolina gave LegalZoom a green light to operate. 
Adopting the findings of a special referee it appointed to investigate the company, the court held that LegalZoom's practices "do not constitute the unauthorized practice of law." The referee compared the functionality of LegalZoom's software to a scrivener who transcribes information without giving advice or consultation: "LegalZoom's software acts at the specific instruction of the customer and records the customer's original information verbatim, exactly as it is provided by the customer. The software does not exercise any judgment or discretion, but operates automatically in the same fashion as a 'mail merge' program." Previously, LegalZoom settled UPL suits in California, Missouri and Washington. Lawsuits in Alabama and Ohio were dismissed. Besides North Carolina, the company still faces a challenge in Arkansas, where the matter is in arbitration.

Socrates takes a back seat to business and tech (NYT, 1 August 2014) - The students are pitching. On a spring afternoon at Michigan State University, 15 law students are presenting start-up proposals to a panel of legal scholars and entrepreneurs and an audience of fellow students. The end-of-semester event is one part seminar and one part "Shark Tank" reality show. The companies the students are describing would be very different from the mega-firms that many law students have traditionally aspired to work for, and to grow wealthy from. Instead, these young people are proposing businesses more nimble and offbeat: small, quick mammals scrambling underfoot in the land of dinosaurs. A few of them talk of outsourced services for larger law firms. Karen Francis-McWhite pitches one to help homesteaders claim properties for their own. Another would help immigrants file their taxes, an essential but frightening step to gaining citizenship. The tagline, delivered by its advocate, Giavanna Reeves: "Filing taxes should not make you feel blue when you've got a green card in line." The Entrepreneurial Lawyering Startup Competition, a showcase of the university's Reinvent Law Laboratory, is not an activity many practicing lawyers would recognize. But it might be the kind of broadened curriculum many of today's students need. "Legal education has been stronger on tradition than innovation," said Joan W. Howarth, dean of the Michigan State law school. "What we're trying to do is educate lawyers for the future, not the past." Like a number of law schools looking to the future of a challenging profession, this school is pushing its students to understand business and technology so that they can advise entrepreneurs in coming fields. The school wants them to think of themselves as potential founders of start-ups as well, and to operate fluidly in a legal environment that is being transformed by technology.
Michigan State professors don't just teach torts, contracts and the intricacies of constitutional law. They also delve into software and services that sift through thousands of cases to help predict whether a client's case might be successful or what arguments could be most effective. They introduce their students to programs that search through mountains of depositions and filings, automating tasks like the dreary "document review" that was once the baptism of fire and boredom for young associates.

Google spotted explicit images of a child in a man's email and tipped off the authorities (Business Insider, 3 August 2014) - A Houston man has been arrested after Google sent a tip to the National Center for Missing and Exploited Children saying the man had explicit images of a child in his email, according to Houston police. The man was a registered sex offender, convicted of sexually assaulting a child in 1994, reports Tim Wetzel at KHOU Channel 11 News in Houston. "He was keeping it inside of his email. I can't see that information, I can't see that photo, but Google can," Detective David Nettles of the Houston Metro Internet Crimes Against Children Taskforce told Channel 11. After Google reportedly tipped off the National Center for Missing and Exploited Children, the center alerted police, who used the information to get a warrant.

Extracting audio from visual information (MIT News, 4 August 2014) - Researchers at MIT, Microsoft, and Adobe have developed an algorithm that can reconstruct an audio signal by analyzing minute vibrations of objects depicted in video. In one set of experiments, they were able to recover intelligible speech from the vibrations of a potato-chip bag photographed from 15 feet away through soundproof glass. In other experiments, they extracted useful audio signals from videos of aluminum foil, the surface of a glass of water, and even the leaves of a potted plant. The researchers will present their findings in a paper at this year's Siggraph, the premier computer graphics conference. Reconstructing audio from video requires that the frequency of the video samples - the number of frames of video captured per second - be higher than the frequency of the audio signal. In some of their experiments, the researchers used a high-speed camera that captured 2,000 to 6,000 frames per second. That's much faster than the 60 frames per second possible with some smartphones, but well below the frame rates of the best commercial high-speed cameras, which can top 100,000 frames per second. In other experiments, however, they used an ordinary digital camera. Because of a quirk in the design of most cameras' sensors, the researchers were able to infer information about high-frequency vibrations even from video recorded at a standard 60 frames per second. While this audio reconstruction wasn't as faithful as it was with the high-speed camera, it may still be good enough to identify the gender of a speaker in a room; the number of speakers; and even, given accurate enough information about the acoustic properties of speakers' voices, their identities. [ Polley : Spotted by MIRLN reader Mike McGuire ]
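The frame-rate requirement in the article, worked through as an added, constructed example (this is not the MIT/Microsoft/Adobe algorithm and not code from the paper): a pure tone stands in for the object's vibration, is sampled once per video frame, and a naive DFT picks the strongest frequency the frames can represent. A 440 Hz tone comes back intact at 2,000 and 6,000 frames per second but folds onto 20 Hz at a standard 60 frames per second. The example applies the Nyquist criterion (frame rate above twice the audio frequency) and does not model the rolling-shutter quirk the article mentions; all function names are hypothetical.

```python
"""Why the video frame rate bounds the audio that can be recovered.

Constructed example (not the MIT/Microsoft/Adobe algorithm or code from
the article).  A pure tone stands in for the object's vibration and is
"photographed" once per frame; a naive DFT then reports the strongest
frequency below half the frame rate.  At 2,000 frames per second a
440 Hz tone is recovered; at 60 frames per second it aliases onto 20 Hz.
The rolling-shutter trick the article mentions is not modelled.
Function names are hypothetical.
"""
import math


def sample_tone(freq_hz, frame_rate, n_frames):
    """Constructed vibration signal: one amplitude reading per video frame."""
    return [math.sin(2 * math.pi * freq_hz * k / frame_rate) for k in range(n_frames)]


def dominant_frequency(samples, frame_rate):
    """Naive DFT over the samples; returns the strongest bin (in Hz) up to Nyquist."""
    n = len(samples)
    best_bin, best_mag = 0, -1.0
    for k in range(1, n // 2 + 1):               # skip DC, stop at frame_rate / 2
        re = sum(s * math.cos(2 * math.pi * k * t / n) for t, s in enumerate(samples))
        im = sum(-s * math.sin(2 * math.pi * k * t / n) for t, s in enumerate(samples))
        mag = math.hypot(re, im)
        if mag > best_mag:
            best_bin, best_mag = k, mag
    return best_bin * frame_rate / n


def recovered_frequency(tone_hz, frame_rate):
    """Sample a tone for 0.1 s at the given frame rate and report what the DFT sees."""
    n_frames = frame_rate // 10                  # gives 10 Hz bin spacing at every frame rate
    return dominant_frequency(sample_tone(tone_hz, frame_rate, n_frames), frame_rate)


def is_resolvable(tone_hz, frame_rate):
    """Nyquist criterion: the frame rate must exceed twice the audio frequency."""
    return frame_rate > 2 * tone_hz


if __name__ == "__main__":
    for fps in (6000, 2000, 60):
        print(fps, "fps ->", recovered_frequency(440, fps), "Hz; resolvable:",
              is_resolvable(440, fps))
```

The 60 fps result is the failure mode the article is pointing at: the samples are real, but the reconstruction lands on the wrong pitch, which is why the researchers reached for a high-speed camera for the faithful recoveries and needed a sensor quirk to get anything from ordinary video.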

top

Parents can now choose baby names based on domain availability (Business Insider, 5 August 2014) - When naming a child, parents may turn to all sorts of places for inspiration. But as of Monday, they can tap into a valuable new tool called Awesome Baby Name that will suggest names based on domain availability.

top

NOTED PODCASTS

The Soft Underbelly of Corporate America? Law Firms and the Cybersecurity Threat Matrix (ILTA LegalSec Keynote, June 2014, by Chris Pearson; 63 mins) - Each day we hear about another data breach in the news. More personally identifiable information (PII) and account information is being siphoned out of respected companies. What about our intellectual property, our trade secrets and other business capital? Oftentimes, the easiest place to attack is when the data is outside the walls of the owner - in many cases at their law firm. During our keynote, we will walk through the cybersecurity threat matrix and its evolution, discuss how various state and federal laws drive forward controls that may or may not help protect our data, and the role of active defense and intelligence. Attendees will learn what programs and controls will position their firms for success in assurance reviews, certifications and competing for business. Together we will explore this topic - as you hear from someone who has worn the hats of law firm counsel, chief privacy officer, chief security officer and chief compliance officer - so we can operationalize against this threat. [ Polley : Toward the end, Pearson avers that hackers are targeting law firms that give advice to clients in the oil/gas business; I'm not surprised.]

top

National Security Agency Surveillance Programs (CSPAN, 18 July 2014; 73 mins) - Former National Security Agency General Counsel Stewart Baker and open Internet advocates talked about the impact of NSA surveillance programs on U.S. commercial interests and global credibility. Other topics included legislative proposals such as the USA Freedom Act and the effects of NSA disclosure on the Internet, the technology sector, and Internet privacy. [ Polley : Stewart Baker is, I think, too single-minded about these issues, and I've come to disagree with him on almost all of them; Kevin Bankston articulates positions much closer to my views. Chris Hopfensperger rounds out the panel. At time-marker 69m17s Kevin crisply defines the current problem uncovered by Snowden disclosures; he's responding to Stewart's argument that "all's-well" with USG surveillance.]

top

- and -

Inside the NSA (The Long Now, 6 August 2014) - The NSA's failures are public headlines. Its successes are secret. These days America's National Security Agency lives at the intersection of two paranoias - governmental fears of attack and citizen fears about loss of privacy. Both paranoias were exacerbated by a pair of devastating attacks - 9/11 and Edward Snowden. The agency now has to evolve rapidly while managing its normal heavy traffic of threats and staying ahead of the ever-accelerating frontier of cyber capabilities. In the emerging era of transparency, and in the thick of transition, what does the NSA look like from inside? Threats are daily, but governance is long term. At the heart of handling that balance is Anne Neuberger, Special Assistant to NSA Director Michael Rogers and Director of the Commercial Solutions Center. (Before this assignment she was Special Advisor to the Secretary of Navy; before that, in 02007, a White House Fellow.) She is exceptionally smart, articulate, and outspoken.

top

DIFFERENT

Jill Abramson's sad admission: "I don't think the press, in general, did publish any stories that upset the Bush White House" (Salon, 30 July 2014) - There are some singular features of our time - truly the time of the assassins, to take Henry Miller's phrase. The consolidated surveillance state confronts us. We recommit to honoring will above intelligence at the very moment history offers us an extraordinary chance to turn away from our 20th century lust for power. Another of these features - or a function of them, maybe - is the assassination of journalism as the essential infrastructure of our public space. I am not much for the "golden age" of anything, however often people get lost in such notions, but we have now not much more than the desiccated remains of whatever our press may once have been. Prompting these admittedly grim thoughts is a speech Jill Abramson recently gave. Abramson, the executive editor at the New York Times, was canned a couple of months ago and now takes to the lecture circuit before assuming duties as an adjunct in nonfiction at Harvard. Creative writing would have been the more sensible appointment. [ Polley : Off-topic for MIRLN, but I highly recommend this thoughtful, important piece. Spot-on, I think.]

top

The privatization of compliance (Bryan Cave, May 2014) - Achieving consistent legal compliance in today's regulatory environment is a challenge severe enough to keep compliance officers awake at night and one at which even well-managed companies regularly fail. But besides coping with governmental oversight and legal enforcement, companies now face a growing array of both substantive and process-oriented compliance obligations imposed by trading partners and other private organizations, sometimes but not always instigated by the government. Embodied in contract clauses and codes of conduct for business partners, these obligations often go beyond mere compliance with law and address the methods by which compliance is assured. They create new compliance obligations and enforcement mechanisms and touch upon the structure, design, priorities, functions and administration of corporate ethics and compliance programs. And these obligations are contagious: increasingly accountable not only for their own compliance but also that of their supply chains, companies must seek corresponding contractual assurances upstream. Compliance is becoming privatized, and privatization is going viral. * * * Private compliance pressures may originate from any point in the value chain: suppliers, customers, capital markets, insurers. Compliance officers may find themselves caught in the middle between demanding customers and reluctant suppliers, or, in the other direction, between manufacturers vitally interested in how their products reach market and resellers seeking the shortest route to revenue. They may be simultaneously pitted against their own colleagues in charge of operations, procurement, business acquisition and contracting. And unlike the Sentencing Guidelines and most other government leniency programs, many of the privatized compliance requirements are truly mandatory - at least if you want to do business with the other party.
From Apple to Zoetis, major corporations are requiring their business associates to commit to third-party codes of conduct (P2P Codes) and related contract clauses. This trend signals a growing appreciation that enterprises across the value chain share one another's reputational and compliance risks, and that compliance processes play an important role in translating legal commands into lawful conduct. It reflects an awareness that if you are dependent on a business partner to keep you out of legal trouble, it might pay to take an interest in how they intend to accomplish that. * * * [ Polley : Spotted by MIRLN reader Gordon Housworth ]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

US anti-spam law fails to bite (BBC, 9 Feb 2004) -- US legislation designed to stem the tide of junk e-mails has had little impact on spam, say experts. US e-mail filtering firm Postini said the Can-Spam Act had only made a slight dent in the amount of unwanted mail. It found spam accounted for 79% of all e-mails it processed in January, down from 80% in December 2003. Critics of the US law had predicted it would do little to stop spam and may even encourage some businesses to start sending unsolicited messages.

top

Dreaming of a wireless world (ABA Journal, 4 June 2004) -- Go into just about any coffee shop, airport lounge or office building in a major city, and chances are you'll see people working online without wires. However, lawyers constitute one group of professionals that has not gotten on board with wireless technology. According to the ABA 2003 Legal Technology Survey, only 7 percent of respondents in the legal profession reported using any kind of wireless network. That includes wireless fidelity, or Wi-Fi, a popular technology that lets anyone with a properly configured laptop connect to the Internet through a wireless signal.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top