- Court holds that online posting of patient medical information constitutes "publication" sufficient to trigger a general liability insurer's duty to defend
- Getting to EDD competency in California
- Texas Supreme Court limits reach of pre-suit discovery
- Law firm Imhoff & Associates suffers data breach
- Viruses are more common at law firms than encryption, ABA survey shows
- Unprepared law firms vulnerable to hackers
- As corporate boards get hip to security, IT execs can't hide behind 'jargon,' says Cisco CSO
- Addressing security with the board: tips for both sides of the table
- A platform for all purposes
- Conversations, clicks, community, and content
- Google settles with photographers over book scanning lawsuit
- Should lawyers look to online dispute resolution to resolve disputes with clients?
- The Potemkinism of privacy pragmatism
- China launches man in the middle attack against Google
- New NIST forensic subcommittee on digital evidence
- Is Bitcoin money?
- Is UCC Article 9 the Achilles heel of Bitcoin?
- Every part of the US government has probably already been hacked
- California law says companies can't punish customers who post negative reviews
- Government push for Yahoo's user data set stage for broad surveillance
- Why FRAND commitments are not (usually) contracts
- NSA/GCHQ/CSEC infecting innocent computers worldwide
- Court blasts US Navy for scanning civilians' computers for child porn
- Survey of online stalking, harassment and violations of privacy
- Apple says iOS 8 update keeps data private, even from the police
- Texas' highest criminal court strikes down 'improper photography' statute
Court holds that online posting of patient medical information constitutes "publication" sufficient to trigger a general liability insurer's duty to defend (Hunton & Williams, August 2014) - On August 7, 2014, the United States District Court for the Eastern District of Virginia held in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917 (E.D. Va. Aug. 7, 2014), that online posting of patient medical information constituted "publication," whether or not it was viewed by a third party, and therefore triggered the insurer's duty to defend its insured against a class action seeking damages for breach of privacy claims.
Getting to EDD competency in California (LTN News, 29 August 2014) - The State Bar of California issued Formal Opinion Interim No. 110004 in April, addressing an attorney's ethical duties in handling the discovery of electronically stored information. Getting to the interim opinion has been a long and winding road, to borrow a phrase from Paul McCartney. The comment period closed on June 24. The end of the road is near. Two years ago, at its August annual meeting, the American Bar Association added a technology component to the comments in Model Rule 1.1 in the ABA Model Rules of Professional Conduct. The rule states that a "lawyer shall provide competent representation to a client." The comment added to the obligation that lawyers should keep abreast of changes in the law, "including the benefits and risks associated with relevant technology." (See " ABA Adopts Ethics Policy on Lawyers' Use of Technology .") Achieving competency in technology is fleeting, relative to the complexity of the task and the software used to accomplish it. And just when you think you know the task and the tools, the technology changes, leaving you less than competent-perhaps incapable-and perhaps putting clients at risk. State bar associations have been grappling with how Model Rule 1.1 and its comments will apply, especially in the discovery of electronically stored information in litigation. The State Bar of California recognizes that the ethical duty of competence will evolve, case by case, as new technologies are integrated with law practice. The interim opinion was published in April to gauge its membership on the proposition that competence in litigation includes a basic understanding of electronic data discovery. The interim opinion is advisory only, not binding on courts and members of the bar. But it should serve as a call to arms for California attorneys because the final opinion will interpret Rules 3-100, 3-110 and 3-210 regarding competency in the Rules of Professional Conduct of the State Bar of California and the California Business and Professions Code Section 6068.
- and -
Texas Supreme Court limits reach of pre-suit discovery (Eric Goldman's blog, 16 Sept 2014) - The Texas Rules of Civil Procedure provide potential plaintiffs in Texas courts with the broadest power to conduct pre-suit discovery in the country. Under Rule 202, a Texas court can authorize a pre-suit deposition to investigate a potential claim before an actual lawsuit is filed. Rule 202 has been used in numerous contexts, but plaintiffs increasingly have found Rule 202 to be the preferred path for investigating claims involving on-line activities, as it allows them to notice a deposition of an on-line service provider, hosting company or web site operator in order to gather info on users who are the actual targets of the investigation. In many cases, Rule 202 has been invoked as a weapon by plaintiffs seeking to unmask the identity of anonymous users. Recently, the tide turned. In In re John Doe a/k/a "Trooper ", the Texas Supreme Court limited the reach of Rule 202 pre-suit depositions by holding that the trial court in a Rule 202 proceeding must have personal jurisdiction over not only the respondent (the party whose deposition is sought), but, if applicable, also over the subject(s) of the pre-suit investigation about whom the respondent is expected to be deposed. This important ruling significantly narrows the scope of Rule 202 and substantially decreases the ability for an aggressive plaintiff to use Rule 202 to route around discovery limitations and other procedural safeguards that might protect the target of their investigation in Texas or in the target's home state.
Law firm Imhoff & Associates suffers data breach (Ride The Lightning, 2 Sept 2014) - SC Magazine reported on August 27th that Imhoff & Associates PC , a multi-jurisdictional criminal defense law firm, has sent out data breach notifications to clients after a firm backup hard disk (apparently unencrypted) was stolen from the locked trunk of an employee's vehicle. The theft took place on June 27th and the hard drive has yet to be recovered. The firm is notifying an undisclosed number of individuals that their personal information was stolen including Social Security numbers, names, addresses, phone numbers, birth dates, e-mail addresses and driver's license numbers. The firm noted in its letter that it is strengthening internal processes regarding encryption, and enhancing policies, procedures and staff education on the safeguarding of company property and information. All impacted individuals are being notified and offered a free year of identity theft protection services.
- and -
Viruses are more common at law firms than encryption, ABA survey shows (Robert Ambrogi, 12 Sept 2014) - Nearly half of law firms were infected with viruses, spyware or malware last year, according to the latest ABA Legal Technology Survey Report. At the same time, only a quarter of law firms had any kind of email encryption available for their lawyers to use, the survey found. Also, 14% of law firms experienced a security breach last year in the form of a lost or stolen computer or smartphone, a hacker, a break-in or a website exploit. Taken together, these findings paint a sorry picture about the state of law firm security: Viruses are common; encryption is not. In the survey, 45% of respondents said that their law firm technology had been infected with a virus, spyware or malware. That was more or less the same as the two prior years (43% in 2013 and 44% in 2012) and down from 55% in 2011. Firms of 2-9 attorneys were most likely to have had a virus (51%), while firms of 500 or more attorneys were least likely (31%). Another 28% of respondents could not say whether their firm had been infected. On the bright side, of those who reported an infection, 48% said it resulted in no business losses or breaches. The most common negative results from virus infections were downtime/loss of billable hours (42%), consulting fees for repair (37%), and temporary loss of network access (25%).
- and -
Unprepared law firms vulnerable to hackers (Pittsburgh Tribune, 14 Sept 2014) -Computer hackers are targeting top international law firms, including Pittsburgh-based K&L Gates, to steal intellectual property data and trade secrets, the Tribune-Review found. Cyber criminals stepped up attacks against lawyers to get around defenses set up by their corporate clients, who became more protective of their computer systems, legal and cybersecurity experts said. Too often, law firms do not employ the same high level of cybersecurity precautions that many major corporations practice, experts told the Trib. In addition, experts said these hackers increasingly work on behalf of foreign governments - or at least with their implicit protection. "Law firms are a rich target," said Patrick Fallon Jr., the FBI's assistant special agent in charge of the Pittsburgh field office. "They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting." Federal prosecutors in Pittsburgh charged Chinese military hackers this year with stealing attorney-client communications from SolarWorld, an Oregon-based solar panel manufacturer. Computer attacks on law firms happen every day, Fallon said, and the FBI warns attorneys about the threat. Many law firms don't do enough to protect their computer systems, especially against an attack sponsored by a foreign government, agreed Thomas Hibarger, managing director of Stroz Friedberg, a law firm in Washington. "Protecting against state-sponsored hackers is a big undertaking, and many firms have not devoted adequate resources to address this threat," Hibarger said. "Nation-state hackers are very, very sophisticated and targeted in their approach, and it is likely they will succeed." For corporate clients with strong computer defenses, a poorly prepared lawyer can be like an unlocked back door into an otherwise secure operation, said Vincent Polley, a lawyer in Bloomfield Hills, Mich., who co-wrote the American Bar Association's cybersecurity handbook. Because of the high cost of cybersecurity and the hassle of protecting documents, firms often are reluctant to invest in necessary technology. "Lawyers aren't technologically adept. They're not particularly interested in technology, and they're loathe to spend the resources - both time and money - to harden data" protection, Polley said.
As corporate boards get hip to security, IT execs can't hide behind 'jargon,' says Cisco CSO (WSJ, 3 Sept 2014) - Months after the Target Corp. breach, and with reports of a possible Home Depot Inc. breach now on everyone's minds, corporate boards are finally figuring out the right security questions to ask, says John Stewart, chief security officer at Cisco Systems Inc. "Over the past 18 months, I've briefed 12 different boards of directors on what security questions they're supposed to ask executives," Mr. Stewart said, Wednesday, at a conference in San Francisco. Cybersecurity breaches have happened for years, but the Target breach was the "tipping point" for corporate board involvement, said Mr. Stewart. Now, the potential breach at Home Depot underscores the point that cybersecurity is a risk that must be managed at the board level, he added. "After the Target breach happened, one of the first things I was asked by the board was, 'could it happen to us and if no, why not?" said Rich Mason, chief security officer and vice president at Honeywell International, speaking on another panel at the conference sponsored by Box Inc. "The security questions are coming up faster and more frequently," he said. The National Association of Corporate Directors has also stepped up its education efforts after 90% of directors surveyed said they wanted to know more about cybersecurity. In June, the NACD released a Cyber-Risk Oversight Handbook, created with the Internet Security Alliance and American International Group. The handbook covers board composition, liability implications, disclosure issues, access to expertise and risk appetite calibration.
- and -
Addressing security with the board: tips for both sides of the table (CIO, 11 Sept 2014) - In the boardroom, when it comes to addressing the topic of security, there's tension on both sides of the table. It doesn't happen all the time, but when it does, the cause of the friction is usually security executives and board members - each with vastly different areas of expertise and interest - pushing to get what they want out of the discussion while keeping business goals intact. Stephen Boyer, the co-founder and CTO of BitSight Technologies, a company that uses public data to rate the security performance of an organization, shared some thoughts with CSO recently, geared towards moving the discussions forward past the deadlock. Since there are two sides to the issue, Boyer shared two sets of tips; one set for the board and the other set for the executives speaking to them. * * *
A platform for all purposes (InsideHigherEd, 4 Sept 2014) - The online education platform provider EdCast, Silicon Valley's latest contribution to the ed-tech space, wants to be simultaneously massive and intimate, private and public -- and preferably to stay out of the spotlight. In simple terms, EdCast is a service provider built on top of Open edX, the Cambridge, Mass.-based MOOC provider's open-source initiative. The company will help institutions -- and particularly groups of institutions working together -- build their own online education platforms where they can run multiple instances of the same courses, removing the need for institutions to do the coding themselves. On Wednesday, the United Nations-backed Sustainable Development Solutions Network unveiled one example of what an EdCast-powered platform may look like. The network, which has more than 200 university and organizational members, now has its own online education portal: SDSN.edu . Jeffrey D. Sachs, the Columbia University professor of health policy and management who directs the network, will teach the first of three planned courses, titled "The Age of Sustainable Development." The course launched on Coursera this January, and will be offered again on that platform this fall.
Conversations, clicks, community, and content (InsideHigherEd, 4 Sept 2014) - How a school handles its social media endeavors says a lot about the culture on its campus. Some institutions treat their social media channels like virtual billboards. Content is pushed out, conversations rarely take place, and posts get little to no engagement. It's essentially a hallmark of the old ways of doing communications. Think of it as PR 1.0...it's not engaging and it's certainly not adding very much value for the various audiences who like to engage with a school. Contrast that type of social media use with what most agree as being part of the best practices communications mix: conversations, reciprocity, customer service, community-driven content , and a commitment to engagement-oriented missives. Additionally, social media policies at a school can give you insight about the climate of a campus. Some institutional policies are quite restrictive when it comes to how they frame social media use by campus communicators. A quick read of social media guidelines/policies for a school can be quite telling. Oftentimes, if a school's policies read as being fairly restrictive when it comes to social media use, it's due to a lack of understanding of the medium by those in leadership positions. Consistently, those in senior leadership positions at institutions will ask me about the value of social media. The value of something is almost always a bit tricky to measure. Thankfully, there are a number of sites that provide social media metrics. In fact, Twitter has recently opened up access to a fair amount of tweet data. Drilling down into specific data for individual tweets is helpful for figuring out what types of content are working for your account. For example, when I retweeted this tweet from an ed tech event, I had no idea that it would garner so many retweets and favorites. Twitter's analytics provide all sorts of metrics for strategic communicators. You can see how many people have clicked on a hashtag in one of your tweets as well as the number of times viewers have emailed, retweeted, favorited, and clicked on links in your tweet. * * *
Google settles with photographers over book scanning lawsuit (TNW, 5 Sept 2014) - Google has announced a settlement with a coalition of photographers over use of their work in its Google Books scanning project. The photographers first filed suit against Google in 2010. Terms of the deal have not been disclosed, but all parties are said to be "pleased" with the agreement, which includes funding for the PLUS Coalition for better image licensing. Google Books has caused a world of legal trouble for the company. In 2012, Google settled an extended disagreement with book publishers over the project. Last year, it emerged victorious over the Authors Guild, which filed an appeal earlier this year.
Should lawyers look to online dispute resolution to resolve disputes with clients? (Carolyn Elefant, 5 Sept 2014) - Online dispute resolution is rapidly gaining traction. Modria , a leading online dispute resolution (ODR) platform, boasts that its service is used to settle more than 60 million cases annually. Yet even though ABA task forces have studied, and appear to endorse ODR, I've not found much mention of the potential uses of ODR to resolve disputes between lawyers and clients. Currently, in most state ethics codes , lawyers may include binding arbitration clauses in representation agreements resolution of legal malpractice disputes . But should lawyers consider including ODR clauses instead - not necessarily as binding requirements but perhaps as prerequisites to litigation. Consumers are already familiar with the ODR process as its used widely in e-commerce, so they would understand the need to adequately documenting their claims. And while granted, the relative ease of ODR could invite groundless fee disputes from clients, that's probably preferable to posting negative reviews or filing a grievance. Attorneys could benefit from ODR also, using it to attempt to collect debts owed from clients. I realize that going after fees always raises the prospect of malpractice or a grievance, but because ODR is less intimidating than a court process, perhaps clients would be less likely to retaliate. Or not - this may be purely wishful thinking. And even if attorneys don't make the option of ODR available through participation in a third party service, bar associations could offer online fee dispute resolution. Many bars offer this service already but ODR would make it faster and more efficient as well.
The Potemkinism of privacy pragmatism (Chris Hoofnagle, 5 Sept 2014) - A revolution is afoot in privacy regulation. In an assortment of white papers and articles , business leaders-including Microsoft-and scholars argue that instead of regulating privacy through limiting the collection of data, we should focus on how the information is used. It's called "use regulation," and this seemingly obscure issue has tremendous implications for civil liberties and our society. Ultimately, it can help determine how much power companies and governments have. You are probably familiar with privacy laws that regulate the collection of data-for example, the military's famous "don't ask, don't tell, don't pursue." When you interview for a job, the employer should not ask you about your religion, your plans to have children, or whether you are married. There's also the national movement to " ban the box " to stop collection of arrest and old conviction data on job applications. In a use-regulation world, companies may collect any data they wish but would be banned from certain uses of the data. In U.S. law, a good example of use regulation comes from credit reporting. Your credit report can be used only for credit decisions, employment screening, and renting an apartment. Or consider your physician: Her professional norms encourage expansive data collection, but she can use medical records only to advance patient care. Bans on data collection are powerful tools to prevent institutions from using certain knowledge in their decision-making. But advocates of use regulations have some compelling points: Collection rules are too narrow by themselves. They ignore the real-life problem that we just click away our rights for the newest free service. And, increasingly, technologies gather data with no realistic opportunity to give notice to the individual at all. Some of these technologies can be used to infer knowledge about the very issues collection limitations attempt to protect. For instance, consider the Target Corporation's ability to infer that a shopper was pregnant when she went from buying scented to unscented lotion. Use regulations shift the pressure away from notice and choice, making a more universal set of rules for data. * * *
China launches man in the middle attack against Google (InfoSecurity, 5 Sept 2014) - The Chinese authorities have launched a man-in-the-middle attack campaign against users of the country's research and education network CERNET who try to search via Google, in a bid to monitor and censor the HTTPS site. Non-profit anti-censorship body Greatfire.org claimed that the attacks are similar to those believed to have been sanctioned by Beijing in January 2013 against developer site Github . They first came to light when users of CERNET, who unlike regular Chinese netizens are allowed access to usually blocked foreign sites, complained on social media that they'd begun receiving warning messages about invalid SSL certificates. "By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results." Greatfire said it's basing its conclusions on expert advice from network security monitoring firm Netresec, which analyzed the original MITM attacks on Github last year. [ Polley : I know of US companies that are running MITM attacks against their own employee/users, enabling review of traffic to secure against improper disclosures.]
New NIST forensic subcommittee on digital evidence (NIST, 8 Sept 2014) - Digital evidence, one of the fastest growing areas of forensic science, will now have its own subcommittee in the National Institute of Standards and Technology (NIST)-administered Organization of Scientific Area Committees (OSAC). NIST is establishing the OSAC to identify and develop national standards and guidelines for forensic science practitioners to strengthen forensic science in the United States. Forensic science practitioners, academic researchers and others with expertise in digital evidence are encouraged to apply for one of up to 20 voting positions on the new Digital Evidence Subcommittee by Sept. 30, 2014. Those who previously applied for membership on other subcommittees should reapply if they wish to be considered for the Digital Evidence Subcommittee. The OSAC's Forensic Science Standards Board agreed to add digital evidence as a subcommittee under the IT/Multimedia Scientific Area Committee in a teleconference with NIST staff on Sept. 3. NIST recently finalized membership of all five scientific area committees-IT/Multimedia, Biology/DNA, Chemistry/Instrumental Analysis, Crime Scene/Death Investigation and Physics/Pattern.
Is Bitcoin money? (Anita Ramasastry, 9 Sept 2014) - Bitcoin confounds lawmakers as they try to figure out what it is and how it should be regulated. The Bitcoin Foundation notes that Bitcoin is an innovative payment network and a new kind of money. But is it money? Some call it a new form of virtual currency. Others have lauded it as a new type of payment system. So what is it? And why does it matter? What we call it may not matter much in casual conversation, but how it is categorized does have significant implications when it comes to regulation. If it is "money" or "currency," then existing laws and regulations may apply to businesses and consumers who issue, sell, or transact with Bitcoin. From banking laws to anti-money-laundering laws and tax regulations-whether these laws apply to the use of Bitcoin depends on how Bitcoin is classified. At present there is no consensus as to what we should call Bitcoin or how it should be defined for purposes of applying legal rules. As I will discuss in this column, courts and regulators are coming up with different theories and classifications as a way of figuring out whether this new product/payment vehicle is or is not covered by different laws. As I will also discuss, it appears that lawmakers, at times, restrict the term "money" or "currency" to refer only to government-issued money or legal tender. This conflicts with basic definitions of money, found in both economics texts and in dictionaries. If certain laws are meant only to deal with government-issued currencies, then perhaps we should revise statutory definitions to make such distinctions clearer. In the meantime, we will need to sit back and watch regulators around the globe grapple with whether or not Bitcoin is "money."
- earlier this year -
Is UCC Article 9 the Achilles heel of Bitcoin? (Credit Slips, 10 March 2014) - Last week, Professor Lynn LoPucki called me up and asked a good question. Why hasn't Bitcoin fallen apart because of the operation of Article 9 of the Uniform Commercial Code (UCC)? It is a really good question. With Lynn's permission, I am writing up a blog post about our conversation, but it was Lynn who first identified the issue. As many readers will know, all 50 states have enacted the UCC with only minor variations. Article 9 governs security interests in personal property - that is, movable and intangible property as opposed to land and buildings. The bank that gave you a car loan has an Article 9 security interest in the automobile serving as collateral for the loan, and the bank providing operating capital for your corner bakery similarly may have an Article 9 security interest in the inventory, equipment, and accounts at the store. Article 9 is one of those laws that only specialists tend to know, but it plays an important role in the flow of commerce. The bakery example was deliberate given this news about a Durham, NC, bakery accepting bitcoins. I have no idea about the financial circumstances of this particular bakery, but to understand the point assume it has loan from a bank secured by the bakery's "inventory, goods, equipment, accounts, and general intangibles." Such an arrangement would not be uncommon and would effectively give the bank an Article 9 security interest in all of the bakery's property that is not real estate, sometimes referred to as a "blanket lien."
Every part of the US government has probably already been hacked (Defense One, 10 Sept 2014) - Cybersecurity has been touted by the Obama administration as one of its top technology priorities over the past several years, but heightened visibility alone has done little to deter adversaries that include state-sponsored hackers, hackers for hire, cyber syndicates and terrorists. Consider the testimony today from some of the nation's top cybersecurity experts before the Senate Committee on Homeland Security and Governmental Affairs. Suzanne Spaulding, undersecretary of the Department of Homeland Security's National Protection and Programs Directorate, told lawmakers DHS' National Cybersecurity and Communications Integration Center - or NCCIC - has already responded to more than 600,000 cyber incidents this fiscal year. High-profile cyber breaches - such as those affecting Target, Home Depot and even celebrities' private photos - trickle out on a near daily basis. But it's clear the vulnerabilities aren't relegated to the commercial sector. When committee members asked Robert Anderson, the executive assistant director for the Federal Bureau of Investigation's Criminal, Cyber, Response and Services branch, how much of government hasn't been hacked yet, he offered a stark reply. Despite demurring that he probably couldn't answer the question exactly "off the top of his head," Anderson said any part of government that hasn't been hacked yet probably has been hacked - and hasn't realized it yet.
California law says companies can't punish customers who post negative reviews (GigaOM, 10 Sept 2014) - A swanky hotel in New York caught flak this summer for threatening to fine brides $500 if any of their wedding guests posted a negative review on social media. In that case, the hotel backed down, but that doesn't mean other businesses aren't trying the same trick: stuffing so-called "non-disparagement clauses" into customer contracts in order to muzzle online criticism. This explains why Governor Jerry Brown of California signed a law this week that will turn the tables on such businesses, by fining them up to $10,000 if they use contracts that prevent customers from expressing their opinion about a good or service online. The law is a victory for consumers' free speech rights, and comes after repeated instances of merchants trying to collect penalties of thousands of dollars from customers who criticized them. In one notorious case , a Utah couple received an email from an online retailer saying they would have to pay $3,500 unless they removed a comment they had posted to the review site, RipoffReport.com. The text of the law is straightforward, and says businesses may not impose contract terms "waiving the consumer's right to make any statement regarding the seller or lessor or its employees or agents, or concerning the goods or services." The law, which is the first of its kind in the U.S. and was reported by the LA Times , goes into force in California in 2015. Businesses meanwhile continue to struggle with how to manage review forums and social media tools that empower customers, and that can make or break their reputation. Earlier this month, a federal appeals court threw out a class action that accused review site Yelp of "extorting" small businesses.
Government push for Yahoo's user data set stage for broad surveillance (NYT, 12 Sept 2014) - It's hard to fathom after a year of revelations about widespread government surveillance of Internet users, but in 2007, the government's authority to demand such data from technology companies without a search warrant was very much in doubt. That changed a year later, when crucial precedents establishing the government's right to request emails, phone records and other user data were set in a secret court case in which Yahoo unsuccessfully challenged the constitutionality of the government's demands for information about its foreign users. Documents from that case , which were released by the Foreign Intelligence Surveillance Court this week after much of the file was declassified, paint a vivid portrait of a battle that pitted a leading Internet company against some of the top officials in the Bush administration over what was legitimate gathering of foreign intelligence and what was illegal snooping. At one point, when Yahoo refused to turn over the requested data while it appealed its loss at the first stage of the case, the director of national intelligence, Michael McConnell, submitted an impassioned 16-page affidavit to Reggie B. Walton of Federal District Court, the surveillance court judge who had decided the case, outlining the various threats posed by Al Qaeda and other terrorist groups and the need for Yahoo's cooperation. International terrorists "use Yahoo to communicate over the Internet," Mr. McConnell wrote. "Any further delay in Yahoo's compliance could cause great harm to the United States, as vital foreign intelligence information contained in communications to which only Yahoo has access, will go uncollected." Underscoring that urgency, the government's lawyers asked Judge Walton to declare Yahoo in contempt and impose a fine of $250,000 a day, with the daily fine to double each week that the company continued to drag its feet. The judge took just a few hours to order Yahoo to comply "forthwith" or face "coercive" fines, prompting it to cooperate as it pursued its appeal. The legal decisions in the case, and the reasoning used by both sides, helped set the stage for an updated Foreign Intelligence Surveillance Act that set clearer rules about what types of information the government could seek from technology companies like Yahoo, Google and Facebook, which hold vast quantities of private user information. The lower court and appellate rulings supporting the government also gave encouragement to national security officials as they pushed forward with broad surveillance programs like Prism, XKeyscore and others described in documents leaked last year by Edward J. Snowden, a former National Security Agency contractor. "The specific kind of surveillance the government was seeking was untested," said Stephen I. Vladeck, a professor who studies national security law at the American University Washington College of Law. "This litigation led to the judicial validation of practices that the government was already undertaking." The Protect America Act, a temporary law passed in August 2007 by Congress after the 9/11 attacks, was the first to explicitly authorize bulk surveillance of foreigners suspected of being terrorists or posing other national security threats. Yahoo chose to mount an aggressive challenge to such surveillance, setting itself as a defender of its users' rights. "The broad surveillance authorized by the P.A.A. and the directives is unreasonable because the P.A.A. allows the government to initiate surveillance on an unlimited number of targets, with no prior judicial review, no requirements of particularity and no findings of necessity," the company wrote in its brief urging the appellate panel to allow oral arguments in the case. "The issues at stake in this litigation are the most serious issues this nation faces today - to what extent must the privacy rights guaranteed by the United States Constitution yield to protect our national security." Perhaps coincidentally, as the company waged its secret court fight, its co-founder and chief at the time, Jerry Yang, was being raked over the coals by Congress and human rights advocates for the company's 2007 decision to turn over information on Chinese users that had been demanded by the Chinese government, resulting in the arrest of at least two dissidents. Judge Walton, who heard the initial round of the case, and the three-judge panel of the Foreign Intelligence Surveillance Court of Review that heard the appeal were both acutely aware of the precedents they were setting. In his 98-page ruling , Judge Walton bemoaned the lack of clear guidance to decide the matter, even as he carefully addressed each party's principal arguments. Ultimately, he concluded, deference must be given to the government's claims that it would protect American users' legal rights as it pursued foreign intelligence needed for national security.
Why FRAND commitments are not (usually) contracts (Patently-O, 14 Sept 2014) - There has been a fair amount of controversy recently over commitments that patent holders make to license patents on terms that are "fair, reasonable and non-discriminatory" (FRAND). As I have previously written, FRAND commitments generally arise when a patent holder wishes to assure the marketplace that it will not seek to block implementation of a common technology platform or product interoperability standard. Making such a public commitment encourages widespread adoption of these technologies, which is often beneficial for both the patent holder and the market. As such, it is important that these commitments be enforced. The dominant theory that several U.S. courts and commentators have adopted to justify the enforcement of FRAND commitments is common law contract. The argument goes like this: the patent holder makes a promise to a standards-development organization (SDO) that it will license its essential patents to others on FRAND terms. The SDO accepts this promise as consideration for permitting the patent holder to participate in the relevant standardization effort. Hence, the common law elements of offer, acceptance and consideration are all present. Then, after the relevant standard is adopted and a vendor incorporates it into a product, the vendor can insist that the patent holder grant it a patent license on FRAND terms. Even if the vendor was not a member of the SDO, it can seek to enforce the patent holder's promise as a third party beneficiary. This line of reasoning was accepted by the federal district courts in Microsoft v. Motorola (W.D. Wash. 2012) and Apple v. Motorola (D. Wis. 2012), by the Federal Trade Commission in its settlement with Google/Motorola , and by several commentators. Nevertheless, as I discuss in a forthcoming article , common law contract is a poor fit for the enforcement of most FRAND commitments, and relying too heavily on it is likely to have unwelcome results. Contract law fails as a general-purpose FRAND enforcement theory on several grounds. * * *
NSA/GCHQ/CSEC infecting innocent computers worldwide (Bruce Schneier, 15 Sept 2014) - There's a new story on the C't Magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties. The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they've completed port scans of 27 different countries and are prepared to do more. The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: "2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible." They've automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify "a list of 3000+ potential ORBs" in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected. The slides never say how many of the "potential ORBs" CSEC discovers or the computers that register positive in GCHQ's "Orb identification" are actually infected, but they're all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA. Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks. The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that.
Court blasts US Navy for scanning civilians' computers for child porn (ArsTechnica, 15 Sept 2014) - A federal appeals court said the US Navy's scanning of the public's computers for images of child pornography constituted "a profound lack of regard for the important limitations on the role of the military in our civilian society." The Naval Criminal Investigative Service (NCIS) practice led the 9th US Circuit Court of Appeals to suppress evidence in the form of images of child pornography that an NCIS agent in Georgia found on a Washington state civilian's computer. The agent was using a law-enforcement computer program called RoundUp to search for hashed images of child pornography on computers running the file-sharing network Gnutella. "...RoundUp surveillance of all computers in Washington amounted to impermissible direct active involvement in civilian enforcement of the child pornography laws, not permissible indirect assistance," Judge Marsha Berzon wrote for the San Francisco-based appeals court. The court ruled 3-0 Friday that the Obama administration's position on the case would render "meaningless" the Posse Comitatus Act (PCA), which largely prohibits the military from enforcing civilian law. [ Polley : See stories from 2004 below, in " Looking Back ".]
Survey of online stalking, harassment and violations of privacy (Without My Consent, 17 Sept 2014) - We have data to share. Today we are proud to release our Preliminary Report: Without My Consent's Survey of Online Stalking, Harassment and Violations of Privacy. Two years ago, after attending SXSW, we were struck by how little data we could find that would help explain what is going on with online harassment. So we decided to conduct an online survey to see what we could learn ourselves. The output of that effort is now ready to share. Our survey was conducted between July 2013 and February 2014. While the press attention to the "revenge porn" phenomenon has grown dramatically during this time, our survey was broader. It sought to understand the experiences of online harassment victims and survivors of all kinds. We hope the results summarized in this preliminary report are a useful step in understanding the nature of online harassment, the challenges encountered by those who experience it, and the strategies for how to address it. We also hope these results will spur future, larger and more in depth studies (with qualitative interviews, ethnographic studies, funded surveys with random selections of larger numbers of participants, and the like) to provide data to regulators, industry, and the public on the prevalence and impact of online harassment, and to work towards solutions to end it. [Report here ]
Texas' highest criminal court strikes down 'improper photography' statute (Volokh Conspiracy, 18 Sept 2014) - I'm delighted to report that yesterday the Texas Court of Criminal Appeals handed down Ex parte Thompson (Tex. Ct. Crim. App. Sept. 17, 2014) (8-to-1, with Judge Meyers dissenting without opinion). This was a UCLA First Amendment Amicus Brief Clinic case, in which my student Samantha Booth and I wrote an amicus brief on behalf of the Reporters Committee for Freedom of the Press. The court's opinion is a victory for the right to take photographs in public - even when a statute barring such photograph is limited to photography of people without their consent and "with intent to arouse or gratify … sexual desire," but of course equally when the photographs lack such an intention. * * * [ Polley : Pretty interesting case and reasoning.]
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Pentagon seeks US Spy powers (Wired, 19 June 2004) -- A Pentagon effort to persuade Congress to allow military intelligence agents to work undercover in the United States met with resistance in the House Wednesday when the provision was left out of the highly secretive intelligence funding bill. However, the Senate's version of the Intelligence Authorization Act of 2005 still includes the provision, which exempts Department of Defense intelligence agents from a portion of the Privacy Act, a 30-year-old law that outlaws secret databases on American citizens and green-card holders. The bill would allow Pentagon intelligence agents to work undercover and question American citizens and legal residents without having to reveal that they are government agents. That exemption currently applies only to law enforcement officials working on criminal cases and to the CIA, which is prohibited from operating in the United States. Pentagon officials say the exemption would not affect civil liberties and is needed so that its agents can obtain information from sources who may be afraid of government agents, such as a green-card-holding professor of nanotechnology who formerly lived under a repressive government. The military has increased its focus on antiterrorism programs within the United States, most notably by reorganizing its command structure in 2002 by creating the Northern Command in Colorado Springs, Colorado. The command is tasked with preventing and defeating threats and aggression aimed at the United States and helping civil authorities in the event of an emergency. Such investigations should be conducted by the FBI, and the Department of Defense should not be engaged in widespread intelligence gathering in the United States, say civil liberties advocates, such as the American Civil Liberties Union's legislative counsel Timothy Edgar.
Spy imagery agency watching inside US (AP, 27 Sept 2004) -- In the name of homeland security, America's spy imagery agency is keeping a close eye, close to home. It's watching America. Since the Sept. 11 attacks, about 100 employees of a little-known branch of the Defense Department called the National Geospatial-Intelligence Agency - and some of the country's most sophisticated aerial imaging equipment - have focused on observing what's going on in the United States. Their work brushes up against the fine line between protecting the public and performing illegal government spying on Americans. Roughly twice a month, the agency is called upon to help with the security of events inside the United States. Even more routinely, it is asked to help prepare imagery and related information to protect against possible attacks on critical sites. For instance, the agency has modified basic maps of the nation's capital to highlight the location of hospitals, linking them to data on the number of beds or the burn unit in each. To secure the Ronald Reagan (news - web sites) funeral procession, the agency merged aerial photographs and 3D images, allowing security planners to virtually walk, drive or fly through the Simi Valley, Calif., route. The agency is especially watchful of big events or targets that might attract terrorists - political conventions, for example, or nuclear power plants. Everyone agrees that the domestic mission of the NGA has increased dramatically in the wake of Sept. 11, even though laws and carefully crafted regulations are in place to prevent government surveillance aimed at Americans.
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:email@example.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. Steptoe & Johnson's E-Commerce Law Week
8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
9. The Benton Foundation's Communications Headlines
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top