Saturday, November 29, 2014

MIRLN --- 1-29 Nov 2014 (v17.16)

MIRLN --- 1-29 Nov 2014 (v17.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Software companies now on notice that encryption exports may be treated more seriously: $750,000 fine against Intel subsidiary (Goodwin Procter, 15 Oct 2014) - On October 8, 2014, the Department of Commerce's Bureau of Industry and Security (BIS) announced the issuance of a $750,000 penalty against Wind River Systems, an Intel subsidiary, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List. Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations. We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS's treatment of violations of the encryption regulations. Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies - a message that BIS seemed intent upon making in its announcement. Encryption is ubiquitous in software products. Companies making these products should reexamine their product classifications, export eligibility, and internal policies and procedures regarding the export of software that uses or leverages encryption (even open source or third-party encryption libraries), particularly where a potential transaction on the horizon - e.g., an acquisition, financing, or initial public offering - will increase the likelihood that violations of these laws will be identified.

First person passes the legal tech audit - no lawyers, yet (Lawyerist, 3 Nov 2014) - On the one hand, congrats are in order to Lore Mariano for being the first person to get a passing grade on the Legal Tech Audit. On the other hand, Mariano is not a lawyer. According to her LinkedIn profile, she is an IT consultant who "train[s] Colgate's worldwide legal staff to use legal applications for document and matter management."

Which means not a single lawyer has passed the test. I hope Casey Flaherty will update us when a lawyer finally does.

Specialized cyber liability insurance policies proliferate as general liability insurers refuse coverage for data breaches (King & Spalding, 3 Nov 2014) - Travelers Indemnity Company filed an action this month in the United States District Court for the District of Connecticut for a declaratory judgment that it is not obligated to defend or indemnify its policyholder, P.F. Chang's, for losses arising from the restaurant's recent data breach. P.F. Chang's card processing systems were compromised at about 33 restaurant locations from October 2013 through June 2014, resulting in the theft of customer data from credit and debit cards, including names, card numbers and expiration dates. Customers have filed three class actions seeking damages under a variety of contract, tort and consumer fraud claims. Travelers argues that the losses are not covered under the commercial general liability policies it issued to P.F. Chang's in 2013-14 because an electronic data breach does not constitute property damage or bodily injury under their insurance agreement, and the agreement expressly excludes "electronic media and records" from the definition of "property damage." P.F. Chang's is alleged to have a separate cyber liability insurance policy with a self-funded retention requirement. With data breaches becoming more common, the number and variety of specialized cyber insurance policies have proliferated. But these cyber policies may provide substantially less coverage than general liability policies. While cyber policies typically cover costs for customer notification, crisis management, litigation defense and regulatory responses, they do not generally cover intangible losses to reputation, brand or market share. Obtaining adequate coverage is difficult because cyber-related losses are hard to quantify: intangible losses are difficult to estimate, and there may be a lack of information to calculate the probability of a data breach.
Even if the federal district court were to determine that P.F. Chang's commercial general liability policy covers its data breach, Travelers urges the court to construe the self-funded retention requirement in the cyber policy as modifying the restaurant's general policy, thus limiting any payouts to the terms of the cyber policy and restricting the more generous payouts of the general liability policy.

- and -

Governments eager to help market for cyber insurance develop (Nossaman, 12 Nov 2014) - With e-commerce projected to account for 10% of all retail sales or approximately $370 billion in sales by 2017 in the United States alone, it is easy to see why world governments are concerned with the potential threat to the ever growing and increasingly interconnected online marketplace. Indeed, if you run a simple Google search for "cyber insurance," the first hit is from the U.S. Department of Homeland Security. As recently as July 2014, the DHS published a report, Insurance for Cyber-Related Critical Infrastructure Loss. Not to be outdone by its progeny, the government of the United Kingdom weighed in on the issue, opining that cyber insurance was critical for online businesses and expressing its support for the growth of a cyber insurance market in a joint government and industry statement on the cyber insurance market. Given the projected trends in online retail sales for European countries and the US, it is easy to see why governments might be somewhat anxious to see a cyber insurance marketplace develop. As the joint statement posted by the United Kingdom Cabinet Office put it, "[i]nsurers providing cyber breach and wider operational risk cover can play an integral role in driving improvements in cyber security risk management." The joint statement also noted that beyond helping insureds recover losses following a data breach, cyber insurance may provide insureds "front end risk analysis to gauge the organisation's exposure to cyber risk, and deliver rapid incident response services that are critical to minimising the impact of a breach." That the UK and US governments have expressed an interest in working with insurers to discuss the development of a cyber insurance market bodes well for the healthy and speedy development of such a marketplace.
The DHS's report details some of the critical challenges in the development of a cyber insurance market, including "a lack of actuarial data; aggregation concerns; and the unknowable nature of all potential cyber threat vectors." While all insurable events have an inherently "unknowable nature" (otherwise you wouldn't have to insure against them), the recognition of the challenges to gathering accurate actuarial data is significant.

Who's minding best practices: A look at what it takes to secure a network (InsideCounsel, 4 Nov 2014) - Most organizations have good intentions to follow "cybersecurity best practices," but the sticking point comes when deciding what these practices are and how they relate to individual businesses. While lawyers have an ethical duty to protect information under Rule 1.6: Confidentiality of Information and businesses that accept credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements, there is much more to securing a network than following best practices and requirements. Certainly following these practices is important, but following their intent is what makes the difference between protecting a business and performing perfunctory duties. Before the recent spate of breaches on some big-name retailers, you may have thought that with all the rules and regulatory requirements retailers are subject to under the Payment Card Industry Data Security Standards (PCI DSS) that their networks would be secure. However, the problem often lies with what these companies are not doing rather than what they are doing. While these companies may have "followed best practices," they may not have done what would have been best, either because of a lack on their end or on their adviser's end.

It's illegal to share photos of your ballot online in many states. Here's why. (Washington Post, 4 Nov 2014) - This Election Day, feel free to tell Facebook you voted. Get that jaunty little voting hat on Tumblr. Tweet it on the #election2014 hashtag. But unless you live in Wyoming, North Dakota or a small handful of other states, do not, for the love of democracy, share a photo of your ballot on social media. "Ballot selfies," as they've been dubbed, are still illegal in most of the country - and punishable by ballot invalidation, if not significant fines or jail time. So, in an age where ceaseless self-documentation has become the cultural norm, why do those laws exist in the first place? "It's a very unusual case," says Jeffrey Hermes, the deputy director of the Media Law Resource Center in New York. "Usually banning political speech would be a violation of the First Amendment. But with photography at polling places, there's an intersection of two fundamental aspects of democracy: freedom of speech and the integrity of the voting process." Hermes breaks it down this way: Suppose you were a nefarious character who wanted to skew the voting process in some way. You could buy votes, but you'd want proof that people actually voted like you told them to. You could mislead people who don't understand the voting process or don't speak English well. You could intimidate other voters into voting like you do. In these cases, photos from inside the voting booth would really help you, the nefarious character, perpetrate election fraud. And so, many states have just banned those photos categorically. In this narrow circumstance, they've indicated, there's something more essential to democracy than free speech.

- and -

Internet voting hack alters PDF ballots in transmission (Threat Post, 13 Nov 2014) - Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren't where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called "Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering" that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as a voting alternative for those displaced by Hurricane Sandy. The ballots are downloaded, filled out and emailed; the email is equivalent to putting a ballot into a ballot box. Election authorities then either print the ballots and count them by hand, or count them with an optical scanner. The Galois attack is by no means the only attack that threatens Internet voting; malware on a voter's machine could redirect traffic or cause a denial of service condition at the election authority. But the attack described in the paper is certainly a much quieter attack that the researchers say is undetectable, even in a forensics investigation.

Germany's top publisher bows to Google in news licensing row (Re/Code, 5 Nov 2014) - Germany's biggest news publisher, Axel Springer, has scrapped a bid to block Google from running snippets of articles from its newspapers, saying that the experiment had caused traffic to its sites to plunge. Springer said a two-week-old experiment to restrict access by Google to its news headlines had caused Web traffic to its publications to plunge, leading it to row back and let Google once again showcase Springer news stories in its search results. Chief Executive Mathias Doepfner said on Wednesday that his company would have "shot ourselves out of the market" if it had continued with its demands for the U.S. firm to pay licensing fees. Springer, which publishes Europe's top-selling daily newspaper, Bild, said Google's grip over online audiences was too great to resist, a double-edged compliment meant to ram home the publisher's criticism of what it calls Google's monopoly powers. Publishers in countries from Germany and France to Spain have pushed to pass new national copyright laws that force Google and other web aggregators to pay licensing fees - dubbed the Google Tax - when it publishes snippets of their news articles. Under German legislation that came into effect last year, publishers can prohibit search engines and similar services from using their news articles beyond headlines. Last week, Spain's upper house passed a similar law giving publishers an "inalienable" right to levy such licensing fees on Google.

British intelligence spies on lawyer-client communications, government admits (GigaOM, 6 Nov 2014) - After the Snowden leaks, British lawyers expressed fears that the government's mass surveillance efforts could undermine the confidentiality of their conversations with clients, particularly when those clients were engaged in legal battles with the state. Those fears were well-founded. On Thursday the legal charity Reprieve, which provides assistance to people accused of terrorism, U.S. death row prisoners and so on, said it had succeeded in getting the U.K. government to admit that spy agencies tell their staff they may target and use lawyer-client communications "just like any other item of intelligence." This is despite the fact that both English common law and the European Court of Human Rights protect legal professional privilege as a fundamental principle of justice. Reprieve noted that the government had previously claimed three times that it could not disclose the information it has now disclosed (PDF) in heavily redacted form. According to that information, the acceptability of spying on lawyer-client communications is largely backed up by the Regulation of Investigatory Powers Act (RIPA), which was recently revised to allow surveillance of all sorts of online channels, as well as of phone calls and emails.

- and -

US government planes collecting phone data, report claims (BBC, 14 Nov 2014) - Devices that gather data from millions of mobile phones are being flown over the US by the government, according to the Wall Street Journal. The "dirtbox" devices mimic mobile phone tower transmissions, and handsets transmit back their location and unique identity data, the report claims. While they are used to track specific suspects, all mobile devices in the area will respond to the signal. The US Justice Department refused to confirm or deny the report. The Wall Street Journal said it had spoken to "sources familiar with the programme" who said Cessna aircraft fitted with dirtboxes were flying from at least five US airports. The department said that it operated within federal law.

The FBI impersonates the media: some of the rules governing cyber-subterfuge (Lawfare, 7 Nov 2014) - The developing story of the FBI's impersonation of journalists is, in a way, really the story of Timberline high school in Washington State. In June of 2007 Timberline had received a series of bomb threats, prompting a week of evacuations. The FBI and local law enforcement traced the problem to an anonymous account on the MySpace social media site. But the trail seemed to stop there, as investigators were unable to ascertain the identity of the person or persons behind the account. So the feds resorted to subterfuge. According to a letter sent from FBI Director James Comey to the editor of the New York Times, an undercover agent, relying on "an agency behavioral assessment that the anonymous suspect was a narcissist," "portrayed himself as an employee of The Associated Press" and sent the MySpace account a message via MySpace's internal communications channel. In the message, the agent apparently asked if the suspect would be willing to review a draft AP article about the threats and attacks, to be sure that the anonymous suspect was portrayed fairly. The message then linked to what seemed to be the draft Associated Press story. There was a catch. The AP story and link were fakes, and had been designed by the FBI to mimic the appearance and feel of a genuine AP article. That wasn't all either. The link also contained a particular kind of malware, meant to enable the FBI surreptitiously to uncover the location and IP address of the computer behind the anonymous MySpace account. The ruse worked. Upon receipt, the suspect clicked on the link, thereby unwittingly downloading the malware and revealing case-making investigative information to the FBI. He later pleaded guilty to making the bomb threats to Timberline.
* * * Given these fierce reactions to the Timberline episode, an important question has again been raised: What rules apply to this sort of law enforcement trickery? Below, I overview two potentially relevant constraints: policies employed within the FBI itself, as well as Fourth Amendment limits set by courts. (To be clear, I do not mean to canvass every legal issue raised by the episode.) * * *

- and -

FBI agents pose as repairmen to bypass warrant process (Bruce Schneier, 26 Nov 2014) - This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant. From the motion to suppress: The next time you call for assistance because the internet service in your home is not working, the "technician" who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- when he shows up at your door, impersonating a technician -- let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have "consented" to an intrusive search of your home. Basically, the agents snooped around the hotel room, and gathered evidence that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians. More coverage of the case here. This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can't be sure they are not government agents in disguise, then we've lost quite a lot of our freedom and liberty.

Efforts to protect US government data against hackers undermined by worker mistakes (The Guardian, 10 Nov 2014) - A $10bn-a-year effort to protect sensitive government data, from military secrets to social security numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors. Workers scattered across more than a dozen agencies, from the defense and education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an Associated Press analysis of records. They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information. One was redirected to a hostile site after connecting to a video of tennis star Serena Williams. A few act intentionally, most famously former National Security Agency contractor Edward Snowden, who downloaded and leaked documents revealing the government's collection of phone and email records. At a time when intelligence officials say cybersecurity trumps terrorism as the No. 1 threat to the US - and when breaches at businesses such as Home Depot and Target focus attention on data security - the federal government isn't required to publicize its own data losses. From 2009 to 2013, the number of reported breaches just on federal computer networks - the .gov and .mils - rose from 26,942 to 46,605, according to the US computer emergency readiness team. Last year, US-CERT responded to a total of 228,700 cyberincidents involving federal agencies, companies that run critical infrastructure and contract partners. That's more than double the incidents in 2009. And employees are to blame for at least half of the problems.
Last year, for example, about 21% of all federal breaches were traced to government workers who violated policies; 16% who lost devices or had them stolen; 12% who improperly handled sensitive information printed from computers; at least 8% who ran or installed malicious software; and 6% who were enticed to share private information, according to an annual White House review.

A hacker built a dark net version of the FBI tip line (Motherboard, 11 Nov 2014) - A London-based programmer has set up a new hidden service for anyone using Tor to submit anonymous tips to the FBI. With the new .onion hidden service link (http://tksgyw4u4t6peema.onion/), which accesses the FBI's tips page through a reverse proxy, Mustafa Al-Bassam told me in an IRC chat that he's engineered a "proof-of-concept," demonstrating how the bureau might go about setting up a more secure system for receiving crime tips. "Law enforcement won't be taken seriously in the debate about anonymity if all they show is a binary interest to prosecute criminals at all cost," said Al-Bassam, the youngest-ever-identified former member of the hacking group LulzSec. "Tor has great utility for law enforcement who wish to receive crime tips from public."

ISPs removing their customers' email encryption (EFF, 11 Nov 2014) - Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag, called STARTTLS, from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client. By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception. This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does. [Polley: Many law firms use "opportunistic TLS" to encrypt email transmissions; this flag-stripping may disable such protections.]
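The downgrade described above works because an "opportunistic" sending server treats a missing STARTTLS capability as "this peer does not do TLS" and falls back to plaintext without complaint. The following is an added example, not code from EFF or from any mail server, that parses constructed SMTP EHLO replies (one healthy, one with the STARTTLS line removed the way the article describes), and shows two defensive responses: a mandatory-TLS policy that defers delivery instead of sending in the clear, and a per-peer memory that raises an alert when a server that used to offer STARTTLS suddenly stops. The host names, the cached-capability store and the policy object are assumptions made for this example; real MTAs express the same idea through per-destination TLS policy tables.

```python
"""Detecting and responding to STARTTLS stripping in an SMTP sender.

Added example: EHLO replies below are constructed, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed EHLO reply from a healthy peer (hypothetical host names).
EHLO_OK = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME\r\n"
)

# Constructed reply from the same peer as seen through a middlebox that has
# removed the STARTTLS capability line (the downgrade the article describes).
EHLO_STRIPPED = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(response: str) -> Set[str]:
    """Return the ESMTP keywords advertised in a multi-line 250 reply.

    RFC 5321 layout: the first line is '250-<domain> <greeting>', each further
    line is '250-<keyword> [params]', and the last line uses '250 ' instead of
    '250-'. Keywords are case-insensitive, so they are normalised to upper case.
    """
    lines = [line for line in response.split("\r\n") if line]
    keywords: Set[str] = set()
    for line in lines[1:]:  # skip the greeting line
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword = line[4:].split(" ", 1)[0]  # drop '250-' / '250 ' and params
        if keyword:
            keywords.add(keyword.upper())
    return keywords


@dataclass
class TlsPolicy:
    """Per-destination transport policy (assumed shape, not a real MTA's).

    'opportunistic': use TLS when offered, otherwise send plaintext.
    'mandatory':     never send plaintext; defer and retry instead.
    """
    mode: str = "opportunistic"


@dataclass
class PeerMemory:
    """Remembers which peers have offered STARTTLS before (constructed cache)."""
    seen_starttls: Dict[str, bool] = field(default_factory=dict)


def decide_delivery(peer: str, ehlo_response: str, policy: TlsPolicy,
                    memory: PeerMemory) -> dict:
    """Decide how to proceed after EHLO and report any downgrade indicators."""
    caps = parse_ehlo(ehlo_response)
    offered = "STARTTLS" in caps
    alerts: List[str] = []

    # A peer that offered STARTTLS earlier but not now is the signature of a
    # stripped capability line somewhere on the path (or a misconfigured peer).
    if memory.seen_starttls.get(peer) and not offered:
        alerts.append(f"{peer}: STARTTLS previously offered but now absent; "
                      "possible downgrade on path")

    if offered:
        memory.seen_starttls[peer] = True
        action = "starttls"      # proceed to negotiate TLS
    elif policy.mode == "mandatory":
        action = "defer"         # keep the message queued; do not send in clear
    else:
        action = "plaintext"     # opportunistic fallback: the silent failure

    return {"action": action, "alerts": alerts, "capabilities": sorted(caps)}


if __name__ == "__main__":
    mem = PeerMemory()
    for label, reply in (("healthy", EHLO_OK), ("stripped", EHLO_STRIPPED)):
        for mode in ("opportunistic", "mandatory"):
            result = decide_delivery("mail.example.net", reply, TlsPolicy(mode), mem)
            print(f"{label:8s} {mode:13s} -> {result['action']:9s} {result['alerts']}")
```

Run stand-alone, the script shows the opportunistic sender quietly choosing `plaintext` for the stripped reply while the mandatory policy defers, and the second pass against the stripped reply raises the downgrade alert because the peer had offered STARTTLS on the first pass.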

Tourists warned they are breaking the law because taking photos of the Eiffel tower at night or sharing images on Facebook is illegal (Daily Mail, 12 Nov 2014) - Lit up at night, the Eiffel Tower is one of the most iconic sights in the world. It's an image that embodies the French capital. But an obscure clause in EU copyright rules means that taking and sharing photos of the tower taken in the evening is actually a violation that could land tourists with a fine. The Eiffel Tower was built in 1889 which means that it falls within the public domain, so tourists can snap away liberally during the day. But the impressive lights that illuminate the attraction at night are technically an art work, so 'reproducing' requires the permission of the artist. It also means that it is technically illegal to share images of the Eiffel Tower on social media sites such as Facebook. While the EU's 2001 information society directive says photographs of architectural works in public spaces can be taken free of charge, the clause is optional. Countries including Italy, Belgium and France opted out of transposing it into national law. 'The lightshow is protected by copyright,' Dimitar Dimitrov, a policy expert for the European Wikimedia chapters in Brussels, said. On its website, the Eiffel Tower confirms that uses of photographs are subject to certain restrictions.

DC Court rules that Top-Level Domain not subject to seizure (David Post on the Volokh Conspiracy, 13 Nov 2014) - As I mentioned several months ago, a group of plaintiffs, having obtained judgments in US courts against the government of Iran, has been seeking to satisfy those judgments via writs of attachment - court-ordered seizures - of property belonging to the Iranian government. This can be a relatively straightforward process when applied to bank accounts, real estate, or tangible personal property - the usual targets of seizure orders. But the plaintiffs here sought to seize the .ir top-level domain - the ccTLD ("country-code top level domain," as distinguished from the "generic top-level domains" like .com, .org, and the like) associated with Iran. This is, plaintiffs asserted, property belonging to the Iranian government, held here in the U.S. by ICANN, the US-based administrator of the global Domain Name System (DNS), on whom the writ of attachment was served. * * * On Monday, Judge Lamberth of the DC District Court wisely dismissed the writs of attachment, holding that the ccTLD was not "property subject to attachment in the District of Columbia." This is the right result for many reasons - not least of which is that the DNS is a public resource of enormous value on which a substantial amount of the world's trade and commerce and entertainment and communication now takes place, and the notion that pieces of it are available to satisfy private judgments would wreak havoc on the public Internet. Judge Lamberth didn't feel the need to go into all that - his ruling rests on the narrower (but perhaps more stable) ground that the "property" right in a ccTLD is "inextricably bound to" and "cannot be conceptualized apart from" the services provided by the ccTLD manager and the root zone administrator and the rest of the DNS, and as such can't be attached or seized (under the general rule that services are not attachable or seizable). Good stuff.

Homeland Security alerts on end of Windows Server 2003 support (ZDnet, 13 Nov 2014) - An alert from US-CERT (the Computer Emergency Readiness Team) warns of dangerous consequences for organizations that continue to run Windows Server 2003 R2. Microsoft has scheduled the end of support for this operating system on July 14, 2015. This applies to both the initial and R2 editions of Windows Server 2003. Although it was released over 11 years ago, Windows Server 2003 remains popular. Redmond Magazine cites Microsoft as saying that as of July of this year there were 24 million instances of Windows Server 2003 running on 12 million physical servers globally. In North America there are 9.4 million instances and, worldwide, Windows Server 2003 still constitutes 39 percent of the Windows Server installed base. After July 14, 2015 (a Patch Tuesday) these servers will no longer receive security updates or assisted technical support. Microsoft has been conducting their own campaign to get customers to upgrade. As with Windows XP, organizations can pay Microsoft for an extension of support.

Info on 8,000 Seattle Schools students improperly released (Seattle Times, 14 Nov 2014) - A law firm contracting with Seattle Public Schools improperly released confidential information about thousands of students as part of a lawsuit over special-education services, prompting an apology from the district and a request for the man who received the records to delete or return them. Sam Morley, the legal guardian of a student, alerted district officials on Tuesday that he had received, via email, documents with information about individual students, including whole special-education plans, disciplinary records, student test scores and transportation records with students' names and home addresses. By Morley's count, he received confidential information about more than 8,000 students, including what appears to be the entire caseload for a special-education manager at Roosevelt High School. The district's lawyer, Ron English, responded to Morley with an email assuring him that his case would no longer be handled by the firm, Preg O'Donnell & Gillett, which has offices in Seattle, Portland and Anchorage. "Protection of student privacy is of critical importance, and the disclosures by our outside law firm are not acceptable," English wrote. "Although I have not had time to confirm the exact details of the disclosure as you describe them below, I have confirmed that disclosures did occur on a broad scale." The law firm did not respond to emails from The Seattle Times seeking comment. The school district is asking for assistance from the U.S. Department of Education to investigate how it happened. [Polley: This is perhaps the first time a law firm has been publicly tagged for a security problem, but it won't be the last. The first firms to suffer this kind of publicity will lose clients, as apparently here, but eventually a "new normal" will emerge.]

ABA launches website to aid unaccompanied minors (VOXXI, 14 Nov 2014) - Child advocates have for months voiced concerns about unaccompanied minors not having an attorney by their side in immigration court, and now the American Bar Association is stepping in to help. The group launched a website this week as a resource for attorneys who want to volunteer their time to help unaccompanied minors navigate through the immigration system. The goal is to get more attorneys to provide unaccompanied minors with legal representation on a pro bono basis. "The ABA steps up when justice is at stake," American Bar Association President William C. Hubbard said in a statement. "We support legal representation for unaccompanied children in the U.S. immigration court system. We are acting not only out of concern for the welfare of these children, but also because all parties benefit when vulnerable children are competently represented by counsel in adversarial proceedings." The website is dubbed the Immigrant Child Advocacy Network . It was put together by the American Bar Association's working group on unaccompanied minors in collaboration with partner organizations, like Kids in Need of Defense and the American Immigration Lawyers Association. The website provides links to resources and training materials on issues related to legal representation of children. It also provides a calendar of ongoing pro bono training opportunities and a list of legal providers who are looking for volunteers to assist children.

McPeak on social media & civil discovery (Legal Theory Blog, 14 Nov 2014) - Agnieszka McPeak (University of Toledo College of Law) has posted Social Media Snooping and Its Ethical Bounds (Arizona State Law Journal, 2014 Forthcoming) on SSRN. Here is the abstract: Social media has entered the mainstream as a go-to source for personal information about others, and many litigators have taken notice. Yet, despite the increased use of social media in informal civil discovery, little guidance exists as to the ethical duties - and limitations - that govern social media snooping. Even further, the peculiar challenges created by social media amplify ambiguities in the existing framework of ethics rules and highlight the need for additional guidance for the bench and bar. This article offers an in-depth analysis of the soundness and shortcomings of the existing legal ethics framework, including the 2013 revisions to the American Bar Association's model rules, when dealing with novel issues surrounding informal social media discovery. It analyzes three predominant ethics issues that arise: (1) the duty to investigate facts on social media, (2) the no-contact rule and prohibitions against deception, and (3) the duty to preserve social media evidence. While the first two issues can be adequately addressed under the existing framework, the rules fall short in dealing with the third issue, preservation duties. Further, even though the existing ethics rules can suffice for the most part, non-binding, supplemental guidelines, or "best practices," should be created to help practitioners and judges navigate the ethical issues created by new technology like social media.

Fitbit data now being used in the courtroom (Forbes, 16 Nov 2014) - Personal injury cases are prime targets for manipulation and conjecture. How do you show that someone who's been in a car accident can't do their job properly, and deserves thousands of dollars in compensation? Until now lawyers have relied on doctors to observe someone for half an hour or so and give their sometimes-biased opinion. Soon, they might also tap the wealth of quantifiable data provided by fitness trackers. A law firm in Calgary is working on the first known personal injury case that will use activity data from a Fitbit to help show the effects of an accident on their client. The young woman in question was injured in an accident four years ago. Back then, Fitbits weren't even on the market, but given that she was a personal trainer, her lawyers at McLeod Law believe they can say with confidence that she led an active lifestyle. A week from now, they will start processing data from her Fitbit to show that her activity levels are now under a baseline for someone of her age and profession. The lawyers aren't using Fitbit's data directly, but pumping it through analytics platform Vivametrica, which uses public research to compare a person's activity data with that of the general population.

New crowdsourced law site is part of larger project to 'annotate the world' (Law Sites, 17 Nov 2014) - There is something very fitting in the fact that a site that started out deciphering rap lyrics is now turning its attention to making sense of the law. The site, Law Genius, is the newest member of the larger Genius network of crowdsourced community sites, all of which grew out of the original site, Rap Genius, which was started in 2009 for the purpose of listing and annotating rap lyrics. Soon, users started using the site to annotate all sorts of other stuff, from the collected works of Shakespeare to the roster of the 1986 New York Mets to the warnings on the back of a Tylenol bottle. Last July, the site officially relaunched as Genius, becoming a hub for a range of communities devoted to topics such as rock, literature, history, sports, screen and tech. All are united by the site's overarching goal, "to annotate the world." Genius breaks down text with line-by-line annotations, added and edited by anyone in the world. It's your interactive guide to human culture. Now law is the latest addition to this ambitious effort at global annotation. It is an effort to crowdsource statutes, case law and other legal news. At the helm of the project, as executive editor of Law Genius, is Christine Clarke, a 2010 graduate of Yale Law School who practiced plaintiff-side employment law in Manhattan before joining Law Genius full time. At Law Genius, any registered user can add text and annotate any text. Other users can vote up or down on annotations, or add their own suggestions to the annotations. As you view text, any portion that is highlighted has an annotation. Click on the highlighted text to view the annotation. To add your own annotation, just highlight a selection of text.

TRUSTe settles FTC charges it deceived consumers through its privacy seal program (FTC, 17 Nov 2014) - TRUSTe, Inc., a major provider of privacy certifications for online businesses, has agreed to settle Federal Trade Commission charges that it deceived consumers about its recertification program for companies' privacy practices, as well as perpetuated its misrepresentation as a non-profit entity. TRUSTe provides seals to businesses that meet specific requirements for consumer privacy programs that it administers. TRUSTe seals assure consumers that businesses' privacy practices are in compliance with specific privacy standards like the Children's Online Privacy Protection Act (COPPA) and the U.S.-EU Safe Harbor Framework. The FTC's complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in over 1,000 incidences, despite providing information on its website that companies holding TRUSTe Certified Privacy Seals receive recertification every year. In addition, the FTC's complaint alleges that since TRUSTe became a for-profit corporation in 2008, the company has failed to require companies using TRUSTe seals to update references to the organization's non-profit status. Before converting from a non-profit to a for-profit, TRUSTe provided clients model language describing TRUSTe as a non-profit for use in their privacy policies. The proposed order announced today will help ensure that TRUSTe maintains a high standard of consumer protection going forward. Under the terms of its settlement with the FTC, TRUSTe will be prohibited from making misrepresentations about its certification process or timeline, as well as being barred from misrepresenting its corporate status or whether an entity participates in its program. In addition, TRUSTe must not provide other companies or entities the means to make misrepresentations about these facts, such as through incorrect or inaccurate model language.

Getting your board's buy-in on cybersecurity (Computerworld, 18 Nov 2014) - You don't want your first discussion about cybersecurity with your company's board of directors to happen post-breach. Start educating the board now. Explain the scope and components of a comprehensive security program, and be clear about how far your company's program falls short of optimal effectiveness. The board members need to understand that, at a minimum, a good cybersecurity program should include processes to manage patches, review logs, force secure passwords and train staff not to open emails from Nigerian princes. They probably also need to be educated about the policies and procedures that have to be put in place just to meet the security regulations and standards of legislation such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley and industry initiatives such as PCI and EMV. They need to know that you recognize the dangers of collecting and storing data that's subject to regulation and will do so only when there is no other option. And they need to see how the procedures controlling all these processes have been thoroughly documented and are regularly tested. But those are just the basics. A truly comprehensive cybersecurity program involves much more, and you need to make your board aware of what those things are, so that it can assure that sufficient resources are allocated. Some of the things to consider undertaking and funding are these: * * * Most importantly, both IT and the board should not delude themselves that a breach won't happen to them. As Joseph Demarest, assistant director of the FBI's cyberdivision, said at a recent cybersecurity conference, "You're going to be hacked. Have a plan."

There's a Commerce Department 'SWAT team' opening up government data (Washington Post, 18 Nov 2014) - Launched in 2009, Data.gov was one of the Obama administration's flagship efforts to produce a more open government. But though the site is full of raw data, Secretary of Commerce Penny Pritzker suggests it's not nearly as useful as it could be. Data.gov was supposed to hold heaps of data created by the federal government as it goes about its day-to-day business, boosting government transparency. And it's worked in some cases. National Oceanic and Atmospheric Administration data stored on the site has given birth to scores of weather apps and countless meteorologists' careers, for example. But in a visit to the D.C. start-up hub 1776 on Monday, Pritzker said that one of the surprises of becoming secretary of commerce last year was finding that the department didn't have all that much to show for the great heaps of data it had shoveled onto the site. The Data.gov team housed at the U.S. General Services Administration "called us up and said you haven't been contributing appropriately," Pritzker said. "And so we dumped our 39,000 data sets on Data.gov" -- from lists of people banned from exporting products from the United States to statistics on shark death rates in the Florida commercial fishing industry. But that is not enough, she said. "The point is just dumping data sets out there is not useful," said Pritzker. "What we need to do is to figure out a strategy." Pritzker said the department is pulling together a "SWAT team" with help from U.S. Chief Technology Officer Megan Smith to determine "the most exciting" things they can do with the data stored on the site during what remains of the Obama administration's tenure.

- and -

OCDS - Notes on a standard (Berkman's Tim Davies, 19 Nov 2014) - Today sees the launch of the first release of the Open Contracting Data Standard (OCDS). The standard, as I've written before, brings together concrete guidance on the kinds of documents and data that are needed for increased transparency in processes of public contracting, with a technical specification describing how to represent contract data and meta-data in common ways. The video below provides a brief overview of how it works (or you can read the briefing note), and you can find full documentation at http://standard.open-contracting.org . * * *

- and -

The largest free collection of law reviews on the Web (Law Sites, 24 Nov 2014) - I try to cover sites here soon after they launch, but every so often I miss one. In this case, I missed a big one. Launched in August 2013, Law Review Commons is the largest open-access law review portal on the web. It provides access to more than 200 law reviews containing more than 150,000 articles. The oldest law reviews in its collection date back to 1852. The site currently includes law reviews from law schools such as Berkeley, Boston College, Cornell, Chicago, Pennsylvania, Villanova and Yale. Missing from the collection are several top-tier schools such as Harvard, Stanford and Columbia. A search function enables you to find articles on the site. The search is not full text, but rather searches fields such as title, abstract, subject, author, institution, document type and publication name. You can also browse and find law reviews in several ways. A master list arranges all law reviews by their law school. You can also browse law reviews alphabetically by title, by the subject they cover, or by specific works and authors within a subject area. The actual articles are in PDF format. One other feature of the site is a world map showing readership in real time. As articles are downloaded, the location of the downloader is shown on the map and a text box displays the reader's location in the world and the title of the download.

- and -

Gates goes open (InsideHigherEd, 24 Nov 2014) - The Bill & Melinda Gates Foundation will require grant recipients to make their research publicly available online -- a multibillion-dollar boost to the open access movement. The sweeping open access policy, which signals the foundation's full-throated approval for the public availability of research, will go into effect Jan. 1, 2015, and cover all new projects made possible with funding from the foundation. The foundation will ease grant recipients into the policy, allowing them to embargo their work for 12 months, but come 2017, "All publications shall be available immediately upon their publication, without any embargo period." "We believe that our new open access policy is very much in alignment with the open access movement which has gained momentum in recent years, championed by the NIH, PLoS, Research Councils UK, Wellcome Trust, the U.S. government and most recently the WHO," a spokeswoman for the foundation said in an email. "The publishing world is changing rapidly as well, with many prestigious peer-reviewed journals adopting services to support open access. We believe that now is the right time to join the leading funding institutions by requiring the open access publication of our funded research." The foundation explained the broad outlines of the open access policy in a five-point list posted to its website. All reports, along with their underlying data, will be published under a Creative Commons (or equivalent) license, tagged with metadata and placed in repositories to ensure they are discoverable.

Lawsuits for HIPAA violations and beyond: a journey down the rabbit hole (Prof. Dan Solove, 18 Nov 2014) - At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. So do many other privacy and data security laws, such as FERPA, the FTC Act, the Gramm-Leach-Bliley Act, among others. That means that these laws don't provide people with a way to sue when their rights under these laws are violated. Instead, these laws are enforced by agencies. But wait! Stop the presses! A recent decision by the Connecticut Supreme Court has concluded that people really can sue for HIPAA violations. As I will explain later, this is not a radical conclusion . . . though the implications of this conclusion could be quite radical and extend far beyond HIPAA. A number of folks have blogged about this case, but not many have explored the depths of this rabbit hole. Let's start with the Connecticut Supreme Court decision, and then follow the White Rabbit. * * * [Polley: As usual, it's worth reading the rest of Prof. Solove's posting.]

New AAA rules (and annual fees) may require you to change your terms of service (Baer Crossey, 19 Nov 2014) - The American Arbitration Association (AAA) now requires businesses to notify the AAA of their intent to use AAA arbitration in standard consumer contracts and to pay fees to review the arbitration agreement; otherwise, the AAA can refuse the arbitration. On September 1, 2014, the AAA released new arbitration rules and supplemental procedures governing standard, business-to-consumer contracts for personal or household products and services (such as terms of service for websites and mobile apps). As part of the new rules, companies that require (or intend to require) AAA arbitration in their standard, consumer agreements must: (1) Notify the AAA at least 30 days before the planned effective date of the contract, and (2) Pay AAA to review and register the arbitration clause to ensure the clause's compliance with the Consumer Due Process Protocol and AAA Consumer Arbitration Rules. The new fees involve nonrefundable upfront and yearly recurring costs. If a company registers its clause in 2014, the fee is $650, which covers 2014 and 2015. Renewal fees for subsequent years are currently $500 per year. If a standard, consumer contract has an un-reviewed (and unpaid) provision providing for AAA arbitration, the company may seek expedited review of the clause upon a demand for arbitration, but the expedited review costs an additional $250. Furthermore, the AAA may refuse to take the arbitration if it determines that clause is not in material compliance with the Consumer Due Process Protocol or the Consumer Arbitration Rules. Given how recently the new rules have been released, there isn't much historical experience to determine how frequently or under what circumstances the AAA will refuse to take arbitrations.

Amnesty releases anti-spying program for activists (BBC, 19 Nov 2014) - Amnesty International has released a program that can spot spying software used by governments to monitor activists and political opponents. The Detekt software was needed as standard anti-virus programs often missed spying software, it said. Amnesty said many governments used sophisticated spying tools that could grab images from webcams or listen via microphones to monitor people. "These spying tools are marketed on their ability to get round your bog-standard anti-virus," said Tanya O'Carroll, an adviser on technology and human rights at Amnesty International. The makers of spying software did extensive testing to ensure that the way they infected and lurked on a computer did not trigger security alerts, she added. Detekt has been developed over the past two years to spot the few telltale signs spying programs do leave. The intense scan it carries out on a hard drive means a computer cannot be used while Detekt is running. Four separate rights groups - Amnesty International, the Electronic Frontier Foundation, Privacy International and Digitale Gesellschaft - have worked together to create the spyware spotter, which is available free of charge. The first version of Detekt has been written to run on Windows computers because the people most often being monitored use that software, said Ms O'Carroll.

Perfect 10 loses copyright suit against Usenet service provider (Eric Goldman, 25 Nov 2014) - Giganews acts as a USENET service provider. Perfect 10 is the litigious pornographer that has helped define Internet copyright law for the last 15 years. It sued Giganews because Perfect 10's copyrighted images are distributed on USENET. After over three years of pointless litigation, the district court finally put a stop to the lawsuit (in an oddly formatted opinion divided into 3 separate memos). The court rejected Giganews' direct infringement for lack of "volition." The question remains: what does "volition" mean in this context? I've always found the term ambiguous. This ruling is perhaps the most explicit I've seen suggesting that volition is really about something like proximate causation * * * I've added this passage to my Internet Law reader because I think it's the most helpful statement of "volition"/"causation" I've seen to date, even though it's still hardly clear. At minimum, it provides a doctrinal hook (however ambiguous) to channel copyright lawsuits against service providers away from direct infringement and into contributory or vicarious infringement. Naturally, a USENET service provider lacks the requisite causation for USENET content, especially content that wasn't originated by the USENET's own subscribers. But I think this language could be read more broadly to apply to web hosting.

RESOURCES

Information Security and Cyber Liability Risk Management (report by Zurich, Oct 2014) - If there was any doubt as to the existence of a data security epidemic, 2014 likely changed that. This is the year that it became abundantly clear that no business, government, or individual was immune to the threat of an attack. With massive data breaches affecting some of the nation's largest retailers, nation-states being accused of stealing corporate trade secrets, and private celebrity photos being hacked, 2014 has been chock-full of cyber-related headlines. Cybercriminal tactics continued to evolve and the ability to execute attacks became easier. For many companies, being involved in a cyber event went from a question of "if" to "how bad." Small and midsize businesses increasingly realized that they are highly vulnerable. Information security risks have become a risk management focus for more organizations. Thanks largely to a number of high-profile retail breaches, 2014 also has been the year that executives and board members began to view cyber risks more seriously. [Polley: Short, interesting report. Shows high level of concern/attention by C-level executives and by Boards. Suggests that most companies think IT (38%) is responsible for managing the compliance issues, with the GC's office second (21%).]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Online voting canceled for Americans overseas (New York Times, 6 Feb 2004) -- Citing security concerns, the Department of Defense yesterday canceled plans to use an electronic voting system that would have allowed Americans overseas to cast votes over the Internet in this year's elections. The system, the Secure Electronic Registration and Voting Experiment, or Serve, was developed with financing from the Defense Department. The decision was announced in a memorandum from Deputy Defense Secretary Paul D. Wolfowitz to David S. C. Chu, under secretary of defense for personnel and readiness. Paraphrasing the memorandum, a Department of Defense spokeswoman said: "The department has decided not to use Serve in the November 2004 elections. We made this decision in view of the inability to ensure legitimacy of votes, thereby bringing into doubt the integrity of the election results." The memorandum says efforts will continue to find ways to cast ballots electronically for Americans overseas and to use Serve for testing and development. The Defense Department move is a significant setback for proponents of various electronic voting initiatives. Efforts to move the nation beyond the problems with paper ballots and hanging chads in the 2000 presidential election include the increased use of touch-screen voting systems and experiments like Saturday's Democratic caucuses in Michigan, which will allow Internet voting. But those initiatives come at a time of increased public distrust of high-tech voting. Critics of touchscreen voting machines, for example, argue that the technology creates a "black box" that allows no independent verification of votes unless a validation tool like a paper receipt system is used.

Reuters defines fair use for bloggers (TechLawAdvisor.com, 1 April 2004) -- Rafat Ali, of PaidContent.org, wondered aloud about what Reuters' deal with Fast (to go after copyright infringers online) meant last week for bloggers. Michael Salk, VP at Reuters Media, was kind enough to provide a response. Reuters Position on Linking From Blogs: "Infringements of our copyright does not include where bloggers quote from and link back to our original story, or where sites display a headline and link back to reuters.com."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, November 01, 2014

MIRLN --- 12-31 October 2014 (v17.15)

MIRLN --- 12-31 October 2014 (v17.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

PRESENTATION | NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

PRESENTATION

Managing the Cybersecurity Threat to Your Law Practice (Polley presentation to the Law Firm Alliance, 25 Oct 2014) - Overview of the ethical and operational issues affecting US law firms' cybersecurity responsibilities. 43 annotated PowerPoint slides.

NEWS

Privacy and data security issues in M&A transactions (Paul Hastings, 3 Oct 2014) - Because the failure of a target company to meet its privacy and data security obligations can present a significant risk to the acquiring company, compliance with applicable laws should be an important consideration in merger and acquisition transactions. A potential purchaser should seek to understand the nature of the personal information the target collects and the privacy and data security issues relevant to that business. Through due diligence, the purchaser can gain an understanding of the target's rights and obligations regarding the personal information it has collected, retained, used and disclosed. To assist in that process, this alert provides a checklist of potential privacy and data security issues that may be triggered in mergers and acquisitions. * * * [Polley: The ABA's Cyberspace Law Committee is undertaking a project to develop "best-practices" for security planning during M&A events. Email me if you'd like to be connected with the project co-chairs.]

Ask the Decoder: How are algorithms telling our stories for us? (Al Jazeera, 8 Oct 2014) - Jean Yang went on a big trip through Europe this summer, from Edinburgh, Scotland, to Dubrovnik, Croatia, to Oslo, Norway, and back. Like a good tourist, she took pictures on her phone, an Android, throughout her trip. When she returned home, she found a surprise package in her Google+ notifications: a neatly collated, summarized, annotated digital scrapbook titled "Trip." Jean shared the album with me with this message: "This is equally cool and creepy: Google made this scrapbook of my June travels based on a random selection of photos I took - and also its knowledge of where I was. It's kind of nice to have this information organized automatically, but this is really trusting them with a lot of information. It would be funny if they took quotes from emails I sent during this time and put in quotes relevant to the places. 'Oslo is so expensive! My second dinner of wonton soup cost 68 kroner.' I'm curious how they decide what to include." When I spoke with Jean later, she was surprised in part because she didn't know this feature existed. She was also a little taken aback by all the location information included, given that she hadn't been using her roaming phone plan or data while abroad. So how did Google pull this together? And why did it leave Jean with mixed feelings? We looked into the program. Google introduced this scrapbooking feature in May, just before Jean's trip. The company calls it Stories: "Your best photos are automatically chosen and arranged in a fun timeline to show the highlights of your trip or event." There's an example scrapbook here. * * *

Smile! Marketing firms are mining your selfies (WSJ, 9 Oct 2014) - Most users of popular photo-sharing sites like Instagram, Flickr and Pinterest know that anyone can view their vacation pictures if shared publicly. But they may be surprised to learn that a new crop of digital marketing companies are searching, scanning, storing and repurposing these images to draw insights for big-brand advertisers. Some companies, such as Ditto Labs Inc., use software to scan photos (the image of someone holding a Coca-Cola can, for example) to identify logos, whether the person in the image is smiling, and the scene's context. The data allow marketers to send targeted ads or conduct market research. Others, such as Piqora Inc., store images for months on their own servers to show marketers what is trending in popularity. Some have run afoul of the loose rules on image-storing that the services have in place. The startups' efforts are raising fresh privacy concerns about how photo-sharing sites convey the collection of personal data to users. The trove is startling: Instagram says 20 billion photos have already been shared on its service, and users are adding about 60 million a day. There are no laws forbidding publicly available photos from being analyzed in bulk, because the images were posted by the user for anyone to see and download. The U.S. Federal Trade Commission does require that websites be transparent about how they share user data with third parties, but that rule is open to interpretation, particularly as new business models arise. Authorities have charged companies that omit the scope of their data-sharing from privacy policies with misleading consumers.

- and -

Feds press to keep mug shots secret (NLJ, 30 Oct 2014) - The federal government on Thursday asked a federal appeals court to block the compelled disclosure of mug shots, citing the "substantial" privacy interests of defendants. The U.S. Department of Justice is fighting a Michigan judge's ruling in a suit brought by the Detroit Free Press over access to mugs of four police officers charged in a drug and bribery conspiracy. A provision of the Freedom of Information Act allows the government to withhold mug shots, the department argues in its brief in the U.S. Court of Appeals for the Sixth Circuit. The U.S. Marshals Service denied the Free Press' FOIA request for the officers' mug shots, saying the disclosure "could reasonably be expected to constitute an unwarranted invasion of privacy."

Right round: Comparing US and European software patent eligibility (Patently-O, 10 Oct 2014) - Guest Post by Michael Williams. Williams is a UK and European Patent Attorney and Partner at the London based Cleveland-IP firm. In the book "Through the Looking-Glass", Alice compares her drawing room to the one reflected in the mirror. She notes that everything is the same "only the things go the other way". In the recent Alice Corp [1] decision, the US Supreme Court set out a framework for assessing whether claims are patent eligible under 35 U.S.C. § 101. In this article I shall compare this framework with that used by the European Patent Office, and consider the similarities. * * *

Codes of conduct database fills an FCPA void (Corporate Counsel, 13 Oct 2014) - On Monday, in a decision followed closely by global companies who pay for and outside advisors who make a living off of Foreign Corrupt Practices Act (FCPA) compliance, the U.S. Supreme Court declined to review the Eleventh Circuit's ruling in United States v. Esquenazi, et al., (11th Cir. 2014) on the scope of what constitutes a "foreign official" under the FCPA. * * * The Eleventh Circuit provided a list of nonexhaustive factors to determine whether an entity is an "instrumentality" of a foreign government, including, for example, the government's ability to hire and fire the entity's principals, what functions the entity performs, whether the government subsidizes the costs associated with the entity providing services, and whether the public and government of that foreign country generally perceive the entity to be performing a governmental function. The court's conclusion was consistent with long-standing U.S. Department of Justice interpretation of the FCPA. Although the Supreme Court has bigger fish to fry, the University of Houston Law Center has a free database to help answer in-house counsel's burning instrumentality-related questions by conducting benchmarking of FCPA corporate policies embedded in corporate codes of conduct. The database includes three years' worth of data from corporate codes of conduct that address 42 compliance topics in corporate codes, ranging from data privacy to anticorruption to immigration. Over 2,000 student and lawyer hours have gone into creating and maintaining the database, which can be accessed here. Companies can use this database to research how peer companies are addressing interactions with state-controlled companies, among other issues. When reviewing the dataset, we found that in the past three years, nearly all Fortune 500 companies included an antibribery-related policy, in the form of a gifts and entertainment policy, although not all were FCPA-specific. [Polley: Spotted by MIRLN reader Gordon Housworth]


VPPA claim goes the way of Saturday morning cartoons (Steptoe, 16 Oct 2014) - The U.S. District Court for the Northern District of Georgia, in Ellis v. Cartoon Network, Inc., dismissed a claim brought against the Cartoon Network under the Video Privacy Protection Act (VPPA), on the ground that a person's mobile device identifier does not constitute personally identifiable information within the meaning of the Act. Accordingly, the court reasoned, the Cartoon Network's disclosure of users' device IDs along with their video viewing history to a data analytics company did not violate the VPPA.


GM's DIY Compliance: #WhatCouldPossiblyGoWrong? (Corporate Counsel, 16 Oct 2014) - What would it look like if the human resources team woke up one day and suddenly decided it was going to take over the job of the internal audit function? Would managers somehow be asked to incorporate audit activities into their performance reviews? Would audit become 90 percent training? And more importantly, would the organization find itself less capable of identifying and fixing control risks? NO, you say! That could never happen! Because everyone knows Internal Audit has a certain highly developed subject matter expertise, and that's why this must be left to the experts. And you would be right, of course. Which is why so many compliance and ethics authorities are uncomfortable with the prospect of the legal department or the general counsel driving compliance. To paraphrase Sen. Charles Grassley, R-Iowa: You don't have to be a former chief compliance officer and recovered lawyer to see (or smell) the General Motors-style folly of that arrangement. So to state the blindingly obvious, to this former CCO and recovered in-house lawyer, GM looks like a textbook case of "DIY Compliance." * * * This is also why I have said that any smart or reasonably cautious GC should demand a strong, independent compliance voice in the room when important decisions on compliance are being made. But let's not pick on only poor GM. My second candidate for DIY Compliance poster child? Easy: Wal-Mart Stores Inc., pre-Jay Jorgensen overhaul (separating compliance from legal, and many other important and savvy reforms). Well-known Foreign Corrupt Practices Act expert and blogger Tom Fox has described Walmart's decision to free its compliance function from its legal master as "the end of discussion" of how these departments should be structured.


Would a new crime of "willful refusal to comply with a decryption order" be the best answer to the device decryption puzzle? (Orin Kerr, 17 Oct 2014) - FBI Director James Comey spoke Thursday at Brookings about the FBI's concerns with how encryption can frustrate search warrants in lawful investigations. The scope of Comey's remarks goes beyond Apple's new iOS8 operating system design, but much of it focused on the question of device encryption raised by Apple's new policy. I wanted to focus on one aspect of Comey's remarks, the question of whether the government can get access to the contents of encrypted devices directly from a suspect in a criminal case. Here's Comey: "Finally, a reasonable person might also ask, "Can't you just compel the owner of the phone to produce the password?" Likely, no. And even if we could compel them as a legal matter, if we had a child predator in custody, and he could choose to sit quietly through a 30-day contempt sentence for refusing to comply with a court order to produce his password, or he could risk a 30-year sentence for production and distribution of child pornography, which do you think he would choose?" I think Comey is wrong that the Fifth Amendment is a "likely" barrier in the cell phone context, because in most of the typical cases, when the government knows who is the owner of the phone, the Fifth Amendment shouldn't be a problem. But let me put that issue aside for now and focus instead on the rest of Comey's comment, and specifically his concern that the punishment for refusing to comply with a court order to produce a password would be so low that the bad guys will just make a rational decision to take the lesser contempt punishment. * * *


If you don't agree to the new Wii U EULA, Nintendo will kill-switch it (Cory Doctorow on BoingBoing, 18 Oct 2014) - When you bought your Wii U, it came with one set of terms-of-service; now they've changed, and if you don't accept the changes, your Wii seizes up and won't work. That's not exactly what we think of when we hear the word "agreement." Yet this is how Nintendo's update to its end-user license agreement (EULA) for the Wii U works, as described by YouTube user "AMurder0fCrows" in this video. He didn't like the terms of Nintendo's updated EULA and refused to agree. He may have expected that, like users of the original Wii and other gaming consoles, he would have the option to refuse software or EULA updates and continue to use his device as he always had before. He might have to give up online access, or some new functionality, but that would be his choice. That's a natural consumer expectation in the gaming context - but it didn't apply this time. Instead, according to his video, the Wii U provides no option to decline the update, and blocks any attempt to access games or saved information by redirecting the user to the new EULA. The only way to regain the use of the device is to click "Agree."


A 'partial win' for publishers (InsideHigherEd, 20 Oct 2014) - While academic publishers on Friday notched a rare win in the ongoing legal debate about digital access to copyrighted works, proponents of fair use said the opinion in Cambridge v. Patton recognizes that colleges and universities can legally create digital reserves of books in their collections. In a unanimous decision, a three-judge panel of the U.S. Court of Appeals for the 11th Circuit, which covers Alabama, Georgia and Florida, rejected a broad ruling on how to determine fair use. The decision guarantees the case has a long and litigious road ahead of it by reversing the district court's opinion and sending the case back for further deliberations. Rather than strike a decisive blow against fair use, the legal concept that places some limits on the rights of copyright holders, the appeals court instead issued a stern warning against quick-fix, one-size-fits-all solutions to legal disputes -- specifically, the idea that copying less than a chapter or 10 percent of a book automatically protects an institution from a lawsuit. * * * [T]he court also came away "persuaded" that the Copyright Act of 1976 contains specific protections for colleges and universities, noting that Congress "devoted extensive effort to ensure that fair use would allow for educational copying under the proper circumstances." "While it can be worrisome to see a fair use win sent back, in this case, it seems to be mostly for the right reasons," Mike Masnick, founder of the technology blog Techdirt, wrote. "Given these new instructions, it seems like the lower court now has a chance to come to the right answer for the right reasons, and that's always going to be a better result." [ Polley : See also On Cambridge v. Patton (Tracy Mitrano on InsideHigherEd, 19 Oct 2014)]


- and -

Harvard library lifts restrictions on digital reproductions of works in the public domain (Harvard, 20 Oct 2014) - The Harvard Library is pleased to announce a new policy on the use of digital reproductions of works in the public domain. When the Library makes such reproductions and makes them openly available online, it will treat the reproductions themselves as objects in the public domain. It will not try to restrict what users can do with them, nor will it grant or deny permission for any use. For more detail, see the policy FAQ. Said Peter Suber, director of the Harvard Library Office for Scholarly Communication and director of the Harvard Open Access Project, "We were inspired by pioneering policies to this effect at Cornell University Library and Yale University. We were also fortunate to have the prime mover of the Cornell policy, Peter Hirtle, at Harvard. I'm proud that Harvard is removing obstacles to research and education, and taking this extra step to share the wealth of its extraordinary collections with the world." The Harvard Library Board adopted the policy late last month. The Library will update its web sites to reflect the new policy during the remainder of the present academic year.


EFF launches updated Know Your Rights guide (EFF, 20 Oct 2014) - In the U.S., if the police come knocking at your door, the Constitution offers you some protection. But the Constitution is just a piece of paper if you don't know how to assert your rights. And even if you do assert your rights, what happens next? That answer may seem complicated, but protecting yourself is simple if you know your rights. That's why EFF has launched an updated Know Your Rights Guide that explains your legal rights when law enforcement tries to search the data stored on your computer, cell phone, or other electronic device. The guide clarifies when the police can search devices, describes what to do if police do (or don't) have a warrant, and explains what happens if the police can't get into a device because of encryption or other security measures.


- and -

Florida Supreme Court rules warrants a must for real-time cell location tracking (SC Magazine, 20 Oct 2014) - In a ruling that Electronic Frontier Foundation (EFF) staff attorney Hanni Fakhoury believes will be "cited a lot by EFF" and other privacy advocates, the Florida Supreme Court has said that law enforcement agencies must have a warrant to obtain the cell phone location information they need to track a user's location in real time. The decision by Florida's highest court adds to the "growing chorus of courts" finding that location information is private, Fakhoury told SCMagazine.com Monday. The case, Tracey v. Florida, made its way to the state Supreme Court after police obtained cell tower data from a provider without a warrant to track the movements in real time of suspected drug dealer Alvin Tracey and used that information to obtain a conviction in a criminal court. Officers "obtained an order authorizing the installation of a 'pen register' and 'trap and trace device' as to Tracey's cell phone," which record outgoing and incoming telephone numbers, respectively, the Florida Supreme Court decision noted. But later, without obtaining a warrant or providing additional "factual allegations," the officers "used information provided by the cell phone service provider" under the earlier order. The information provided "included real time cell site location information given off by cell phones when calls are placed." * * * Citing Fourth Amendment protections as well as Supreme Court precedent in several cases, including Katz v. United States, the Florida Supreme Court quashed the Fourth District Court ruling, noting that smartphones "are ubiquitous and have become virtual extensions of many of the people using them for all manner of necessary and personal matters," which makes a "phone's movements its owner's movements, often into clearly protected areas."


The number of industries getting classified cyberthreat tips from DHS has doubled since July (NextGov, 20 Oct 2014) - Firms from half of the nation's 16 key industries, including wastewater and banking, have paid for special technology to join a Department of Homeland Security program that shares classified cyberthreat intelligence, in hopes of protecting society from a catastrophic cyberattack. Participation in the Enhanced Cybersecurity Services initiative has more than doubled during the past few months. Through the voluntary program - previously exclusive to defense contractors - cleared Internet service providers feed nonpublic government information about threats into the anti-malware systems of critical sector networks. As of July, only three industries - energy, communications and defense - were using the service, according to an unfavorable DHS inspector general audit. Now, befitting National Cybersecurity Awareness Month, Homeland Security officials say the financial, water, chemical, information technology and transportation sectors also are receiving the threat indicators. Just two months ago, American Chemistry Council officials said they had never heard of the program. The service has been available since 2013.


Chinese APT groups targeting Australian lawyers (The Register, 21 Oct 2014) - Law firms are among Australian businesses being targeted by at least 13 Chinese advanced malware groups in a bid to steal intelligence from big business, says forensics bod and Mandiant man Mark Goudie. The attacks are well planned and rely on a combination of stealth and persistence in order to extract any and all valuable corporate data. The local Mandiant director presented findings at the Australian Information Security Association conference last week and said one unnamed Aussie firm had been thoroughly owned. "The property manager was used as a way to get the data about a business deal (merger and acquisition)," Goudie told Vulture South. "The law firms are data aggregators and are being targeted too - anything that goes through a lawyer is obviously of interest to a deal. "Law firms tend to operate in verticals as do advanced persistent threat (APT) groups, so it makes a lot of sense when you think about it."


- and -

After JPMorgan cyberattack, a push to fortify Wall Street banks (NYT, 21 Oct 2014) - This summer's huge cyberattack on JPMorgan Chase and a dozen other financial institutions is accelerating efforts by federal and state authorities to push banks and brokerage firms to close some gaping holes in their defenses. Top officials at the Treasury Department are discussing the need to bolster fortifications around a critical area of cybersecurity: outside vendors, which include law firms, accounting and marketing firms and even janitorial companies, according to several people briefed on the matter. The push by government officials is a stark acknowledgment of the vulnerability of financial institutions - even after they have spent hundreds of millions of dollars to protect themselves - to an attack if one of their vendors is not fully prepared. The problem is causing some security consultants to privately consider whether the sprawling financial firms with operations across the globe may be "too big to secure." And smaller firms, the consultants say, may simply not have the ability to adequately defend customer information. At a dinner in New York on Tuesday evening that is expected to include the general counsels from JPMorgan, Bank of America and Deutsche Bank, New York State's top financial regulator, Benjamin M. Lawsky, is expected to emphasize the gathering danger to the financial system when vendors' security is lax, according to one of the people briefed on the matter. The remarks, at the University Club in Midtown Manhattan, come as Mr. Lawsky is considering a new rule that would require banks to "obtain representations and warranties" from vendors about the adequacy of their controls to thwart hackers, the people said. [ Polley : emphasis added.]


- and -

Law firms face cybersecurity audits by banking clients; are they a 'weak link'? (ABA Journal, 27 Oct 2014) - Banks are increasingly scrutinizing their law firms' cybersecurity efforts, including the law firms' protection of confidential information released to vendors such as word-processing firms and print shops. The law firms are increasingly facing on-site technology audits by banks, even as the banks themselves face cybersecurity pressures from regulators, the Wall Street Journal (sub. req.) reports. Just last week, New York's Department of Financial Services sent letters to dozens of banks asking about protections for information sent to third-party vendors such as law firms and accounting firms, according to a separate story by the Wall Street Journal (sub. req.). "Law firms increasingly are seen as potential weak links," the Wall Street Journal says. "Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions." The story cites information from an American Bar Association technology survey that found 14 percent of the respondents had experienced some type of security breach or theft this year. But only 1 percent said the breach resulted in unauthorized access to sensitive client data. The Wall Street Journal spoke with Goodwin Procter's chief information officer, Lorey Hoffman, who works with examiners sent by clients who want to know about data protection. The firm also hires its own auditors to check its cybersecurity. "It's a lot more than just checking a box," Hoffman said of the firm's response to client security questions.


- and -

Cybersecurity: Not just for biglaw and its clients (WSJ, 27 Oct 2014) - Cybersecurity is an increasingly big priority for law firms with big financial institution clients. But it can be a matter of life and death for lawyers doing pro bono work with clients in troubled countries who are battling human trafficking, terrorism and other human rights violations. The interception of sensitive documents by criminals or unfriendly governments can compromise the safety of in-country clients, and in some cases the attorneys with whom they work. "Human rights really is cloak-and-dagger," Christina Storm, a lawyer and founder of the non-profit group Lawyers Without Borders, told Law Blog. "Lawyers put themselves at risk, and every person in-country who reaches out to us puts themselves at risk." Ms. Storm's group focuses on strengthening the rule of law around the world. The organization works with law firms big and small as well as solo practitioners on cases that range from electoral reform to strengthening protections for gay, bisexual and transgender people in African countries. Such work isn't always popular. In some places, government surveillance might involve keyloggers that track communications between dissidents and their lawyers. Confidential documents that fall into the wrong hands can expose both sides to danger, Ms. Storm said, adding, "Their safety is important to us." Lawyers Without Borders takes some of its security cues from the big law firms it works with, such as Reed Smith LLP and Linklaters, whose corporate and financial clients require myriad steps to prevent hackers from accessing confidential information. At one point the organization tried using encrypted email, but the program was so cumbersome that people abandoned it because it was hard to use. Another document management system ended up being accessed by authorities in an unfriendly country, and the whole thing had to be scrapped.


US national security prosecutors shift focus from spies to cyber (Reuters, 21 Oct 2014) - The U.S. Justice Department is restructuring its national security prosecution team to deal with cyber attacks and the threat of sensitive technology ending up in the wrong hands, as American business and government agencies face more intrusions. The revamp, led by Assistant Attorney General John Carlin, also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States. As part of the shift, the Justice Department has created a new position in the senior ranks of its national security division to focus on cyber security and recruited an experienced prosecutor, Luke Dembosky, to fill the position. The agency is also renaming its counter-espionage section to reflect its expanding work on cases involving violations of export control laws, Carlin confirmed in an interview. Such laws prohibit the export without appropriate licenses of products or machinery that could be used in weapons or other defense programs, or goods or services to countries sanctioned by the U.S. government.


New York City court buys NYPD's claims of 'national security,' grants it power to 'Glomar' FOIL requests (TechDirt, 21 Oct 2014) - A New York City court has given the NYPD one of the few things separating it from the "big boys" (CIA, FBI and NSA): the permission to issue "Glomar responses" (the infamous "we can neither confirm nor deny...") to FOIL (Freedom of Information Law) requests. Like the audacity of the department itself in pursuing this additional method of keeping the public separated from public documents, the decision is unprecedented: The decision appears to be the first time that a court anywhere in the U.S. has upheld the use of such a tactic by a state agency. The Glomar response has historically been used only with regard to requests made to federal agencies that involve sensitive matters of national security.


Antitrust experts slam Comcast merger plan, warn of threats to Netflix and Amazon Prime (GigaOM, 21 Oct 2014) - A letter signed by more than three dozen law and economics professors and submitted to the FCC on Monday makes a withering case against the proposed merger of cable giants Comcast and Time Warner Cable, claiming the deal would harm consumers and violate the antimonopoly provisions of the federal Clayton Act. According to the 16-page submission, the merger will reduce competition by providing Comcast with over 40 percent of the market for broadband internet services, and make it easier for the incumbents to hobble "over-the-top" challengers like Netflix by congesting their internet traffic. The document, signed by antitrust experts from across the country including Columbia's Tim Wu and Stanford's Mark Lemley, comes as the FCC decides whether or not to approve the $45 billion merger, which was announced in February. A decision is expected in 2015.


Pandora holds out olive branch of data to musicians (LA Times, 22 Oct 2014) - Pandora Media, the king of personalized online radio services, pays recording artists, songwriters, record labels and music publishers close to $300 million a year in royalties. That's not nearly enough to satisfy the company's critics in the music industry, who resent how little Pandora pays each time a user plays a track. On Wednesday, the company plans to start offering artists more than just royalties. It's opening a new Artists Marketing Platform that provides detailed analytics for bands and their managers about their songs and their fans. Pandora AMP will be available free to any artist whose music is available on the service. Among other things, artists will be able to see which cities are home to the greatest clusters of their fans, the number of thumbs up (the Pandora equivalent of a Facebook "like") each of their tracks have received from listeners, and some basic demographic information on the users who have created playlists based on their music. * * * Yet AMP has been in the works for some time. Company founder Tim Westergren, a former professional musician himself, revealed plans for the service in a January 2013 speech at the Consumer Electronics Show in Las Vegas. Westergren argued then that Pandora can offer struggling musicians a path into the middle class by making it easier for them to attract, find and connect with fans. He returned to that theme in a blog post Wednesday announcing the service.


Man convicted for webcam sex with virtual 'underage girl' (Mashable, 22 Oct 2014) - A 10-year-old girl from the Philippines, nicknamed Sweetie, has helped authorities convict one Australian on child pornography charges. But Sweetie isn't real - she's a virtual digital avatar created to lure predators as part of a global sting operation. Scott Robert Hansen, a 37-year-old from Australia, is the first person to be convicted as a result of his interactions with Sweetie, according to Agence France Press. Hansen pleaded guilty to three charges related to child sex on Tuesday, including sending obscene pictures of himself to Sweetie, having child porn on his computer, and breaking a sex offenders order, according to Australian media. Sweetie was created last year by the Dutch branch of Terre des Hommes International Federation, a charity that works to protect children. The organization said that a group of its researchers posed as Sweetie during the sting operation, visiting "dozens" of chat rooms. The researchers then passed the chat logs of their conversations with the predators to Europol. During the sting operation, Sweetie was approached by 20,000 people over a 10-week period. Some 1,000 of them have already been identified.


Museums morph digitally (NYT, 23 Oct 2014) - For the Metropolitan Museum of Art, a turning point came in 2011. Down went the signs imploring visitors to stow their cellphones. The Met revamped its website, tailoring it for viewing on smartphone screens. The museum was not only allowing visitors to use their mobile phones while browsing the artworks, but encouraging it. The digital experience was embraced and meant to enhance the physical experience of exploring the museum. The trend has only accelerated since, at the Met and across the museum world. At first glance, it might seem like a capitulation, giving in to the virtual enemy when museums are so essentially physical spaces. Yet listen to museum curators and administrators today and they often sound like executives in media, retailing, consumer goods and other industries. They talk of displaying their wares on "multiple platforms," and the importance of a social media strategy and a "digital first" mind-set. Museums are being redefined for a digital age. The transformation, museum officials say, promises to touch every aspect of what museums do, from how art and objects are presented and experienced to what is defined as art. The museum of the future will come in evolutionary steps. But some steps are already being taken. Digital technologies being deployed or developed include: augmented reality, a sort of smart assistant software that delivers supplemental information or images related to an artwork to a smartphone; high-definition projections of an artwork, a landscape or night sky that offer an immersive experience; and 3-D measurement and printing technology that lets people reproduce, hold and feel an accurate replica of an object. At the Smithsonian Institution, 3-D technology is increasingly used for conservation, research and public education programs. The fine-grained scanning allows a depth of data collection and analysis that was not possible before.
The gunboat Philadelphia, built in 1776, is the last surviving cannon-bearing American vessel from the Revolutionary War. The historic boat has been 3-D-scanned so online viewers can see it from angles not possible in person at the National Museum of American History in Washington. But it is also scanned regularly so conservators can get early warnings of deterioration of the old wooden structure. Colleen Stockmann, assistant curator for special projects at the Cantor Arts Center at Stanford University, and Jean-Baptiste Boin, a Ph.D. candidate in electrical engineering at Stanford and an expert in computer vision, are working on taking augmented reality a step further. Their research project, Art++, combines image-recognition technology and computer graphics with art history expertise. With their software, a person would walk into a museum, turn his or her smartphone or tablet toward a photograph, painting or sculpture, and the artwork is surrounded with a digital halo of supplemental information. The Cantor center, Ms. Stockmann said, exhibited the Stanford University Libraries' collection of landscape photographs of California and the Northwest by the 19th-century photographer Carleton Watkins. Capture the image of a Watkins photo of Yosemite Valley, she said, and you can tap on an icon that shows a map of where Watkins walked in the valley to take his photographs. [ Polley : see related Tour a museum from anywhere (NYT, 23 Oct 2014); and Masterworks for one and all (MIRLN 16.08)]


Leave your passwords at the checkout desk (Secure List, 23 Oct 2014) - Hotels, restaurants and airports often offer customers free tablets to use while in their facilities. Recently, while attending an event and staying in one such hotel, I had the chance to use a free iPad specially installed in my room. To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room. When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information. It was not even hard to figure out the identity of the woman who had used it, since she also left her personal contact information on the device: * * * Having full names and email addresses cached on the device, it was not hard to Google a little bit and find out that some of the users were very public people working for the government of the country where I was staying. Most of the sessions were still open, even allowing the posting / sending of messages in the name of the user.


New guidance for lawyers on the ethics of social media use (Attorney At Work, 23 Oct 2014) - Do you need advice about the ethics issues involved in social networking? Chances are your questions will be answered by the Pennsylvania Bar Association's recent Formal Opinion 2014-300. The 18-page opinion addresses issues that are important for lawyers in every state. The Pennsylvania opinion rests on the premise that Rule 1.1 of the Model Rules of Professional Conduct requires lawyers to have "a basic knowledge of how social media websites work," as well as the ability to advise clients about the legal ramifications of using the sites. The Pennsylvania Bar Committee offers conclusions about 10 ethics issues involved in the use of social media for business purposes by lawyers and clients. Also, the committee emphasizes that lawyers should always assume their use of social media may be subject to the rules of professional conduct. The topics addressed in the opinion are well supported with rules and opinions from many states. The bar committee reached the following conclusions * * *


- and -

Competence: Acquire it or hire it! (ABA Journal, Nov 2014) - Lawyer competence is spelled out in the ethics rules, in ABA Model Rule 1.1, as "the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation," and in the civil context as the standard applied when evaluating legal malpractice: "ordinary" skill and capacity, or that of the average qualified practitioner, or that which is "normally" exercised by lawyers in similar circumstances. Restatement (Third) of the Law Governing Lawyers §52 (2000). Language linking the competence standard to expertise in technology was added when the ABA amended the comments to two of the Model Rules following the ABA Ethics 20/20 Commission's final reports. This language can be found in the Comments to two of the ABA Model Rules, Rule 1.1 Competence and Rule 1.6 Confidentiality. * * *


Verizon Wireless injects identifiers that link its users to Web requests (ArsTechnica, 24 Oct 2014) - Cellular communications provider Verizon Wireless is adding cookie-like tokens to Web requests traveling over its network. These tokens are being used to build a detailed picture of users' interests and to help clients tailor advertisements, according to researchers and Verizon's own documentation. The profiling, part of Verizon's Precision Market Insights division, kicked off more than two years ago and expanded to cover all Verizon Wireless subscribers as part of the company's Relevant Mobile Advertising service. It appends a per-device token known as the Unique Identifier Header (UIDH) to each Web request sent through its cellular network from a particular mobile device, allowing Verizon to link a website visitor to its own internal profiles. The service aims to allow client websites to target advertising at specific segments of the consumer market. While the company started piloting the service two years ago, privacy experts only began warning of the issue this week, arguing that the service is essentially tracking users, and that customers who pay for a fundamental service should not have their data used for a secondary purpose. [ Polley : AT&T, also, apparently - go here to test your own carrier.]
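The injection described above happens inside the carrier's network, on the hop between the handset and the website, which is why it only works on plaintext HTTP: a TLS-protected request cannot have headers added in transit, so the same check against an https:// URL shows nothing. The script below is an added example, not code from the Ars Technica article or from Verizon. It parses a raw HTTP/1.1 request the way a web server (or the kind of "test your carrier" page mentioned above) receives it, reports any carrier identifier headers, and shows the strip step a privacy proxy downstream of the carrier could apply. X-UIDH is the header name under which Verizon's Unique Identifier Header is sent; the sample request, its token value and the second header name (X-ACR) are constructed for illustration and are assumptions.

```python
"""Spot carrier-injected tracking headers in a raw HTTP request.

Added example for the Verizon UIDH item; not code from the article or
from Verizon. X-UIDH is the real header name; X-ACR and the sample
request below are assumptions made for illustration.
"""
from typing import Dict, Tuple

# Lower-cased header names -> description. HTTP header names are
# case-insensitive, so all lookups are done on lower-cased names.
TRACKING_HEADERS: Dict[str, str] = {
    "x-uidh": "Verizon Wireless Unique Identifier Header (UIDH)",
    "x-acr": "assumed: identifier header reported for another carrier",
}

# Constructed sample: a plain-HTTP GET as it might arrive at a web server
# after the carrier appended a UIDH. The token value is made up.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n"
    b"Accept: text/html\r\n"
    b"X-UIDH: OTgxNTk1MDc2MDEyNDAxNTMwOTcxMzM5NzY=\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request line, headers).

    Only the head (up to the blank line) is parsed; the body is ignored.
    Header names are returned lower-cased; values are whitespace-stripped.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines[0]:
        raise ValueError("empty request")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_tracking_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the subset of headers that are known or suspected carrier IDs."""
    return {name: value for name, value in headers.items() if name in TRACKING_HEADERS}


def tracking_report(raw: bytes) -> Dict[str, str]:
    """Raw request -> {header name: token} for every injected identifier."""
    _request_line, headers = parse_request(raw)
    return find_tracking_headers(headers)


def strip_tracking_headers(raw: bytes) -> bytes:
    """Rebuild the request without the identifier headers.

    This is what a proxy sitting after the carrier could do for the
    origin server; it cannot stop the carrier from adding the header on
    the hop before it, and only TLS prevents the injection itself.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept = []
    for line in head.split(b"\r\n"):
        name = line.split(b":", 1)[0].strip().lower().decode("iso-8859-1")
        if line and name in TRACKING_HEADERS:
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for name, token in tracking_report(SAMPLE_REQUEST).items():
        print(f"{name}: {token}  ({TRACKING_HEADERS[name]})")
```

Running it against the constructed request reports the X-UIDH token; feeding the same request through strip_tracking_headers yields a request that reports nothing. To check a real handset, point it at a plain http:// page that echoes request headers, then at the https:// version of the same page, and compare.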

How Facebook is changing the way its users consume journalism (NYT, 26 Oct 2014) - Many of the people who read this article will do so because Greg Marra, 26, a Facebook engineer, calculated that it was the kind of thing they might enjoy. Mr. Marra's team designs the code that drives Facebook's News Feed - the stream of updates, photographs, videos and stories that users see. He is also fast becoming one of the most influential people in the news business. Facebook now has a fifth of the world - about 1.3 billion people - logging on at least monthly. It drives up to 20 percent of traffic to news sites, according to figures from the analytics company SimpleReach. On mobile devices, the fastest-growing source of readers, the percentage is even higher, SimpleReach says, and continues to increase. The social media company is increasingly becoming to the news business what Amazon is to book publishing - a behemoth that provides access to hundreds of millions of consumers and wields enormous power. About 30 percent of adults in the United States get their news on Facebook, according to a study from the Pew Research Center. The fortunes of a news site, in short, can rise or fall depending on how it performs in Facebook's News Feed. Though other services, like Twitter and Google News, can also exert a large influence, Facebook is at the forefront of a fundamental change in how people consume journalism. Most readers now come to it not through the print editions of newspapers and magazines or their home pages online, but through social media and search engines driven by an algorithm, a mathematical formula that predicts what users might want to read. It is a world of fragments, filtered by code and delivered on demand. For news organizations, said Cory Haik, senior editor for digital news at The Washington Post, the shift represents "the great unbundling" of journalism. Just as the music industry has moved largely from selling albums to songs bought instantly online, publishers are increasingly reaching readers through individual pieces rather than complete editions of newspapers or magazines. A publication's home page, said Edward Kim, a co-founder of SimpleReach, will soon be important more as an advertisement of its brand than as a destination for readers. "People won't type in WashingtonPost.com anymore," Ms. Haik said. "It's search and social." [Polley: see related Harvard podcast below.]

FCC imposes first cybersecurity fine (Inside Counsel, 27 Oct 2014) - Private customer information has become a business asset in the connected age, and as criminals increasingly target large corporations to extract that information, regulators are being brought to task over how to implement fines for those who leave their data vulnerable. The Federal Communications Commission (FCC) has become the latest to join the ranks of regulators imposing fines for data negligence on companies, announcing on Oct 24 that it will impose its first fine related to data security on phone providers TerraCom Inc and YourTel America Inc. The FCC is asking for $10 million regarding the issue. The Commission alleges that the two companies collected personal information, including contact information and social security numbers, from customers in a manner that exposed its customer base to considerable risk of data theft. The fine was imposed based on the companies' violation of the Communications Act of 1934.

New from AVVO: on-demand, fixed-fee legal advice (Robert Ambrogi, 27 Oct 2014) - Avvo, Inc. - never a company shy about pushing the envelope - has just pushed it a bit further, with the launch of Avvo Advisor, a service that provides on-demand legal advice by phone for a fixed fee of $39 for 15 minutes. The service is available to consumers online or through a free iOS app. To use the service, the consumer first enters his or her zip code and then selects the type of legal matter in which he or she needs help. The consumer is then asked to provide credit card and contact information. The service promises that the consumer will receive a call from an attorney within 15 minutes or else the consumer's fee will be fully refunded. The service covers nine legal categories: small business, divorce, family, immigration, real estate, landlord-tenant, criminal defense, employment and bankruptcy/debt. It is so far available to consumers in 15 states, with more to be added in the coming months: Arizona, California, Colorado, Florida, Georgia, Illinois, Maryland, Massachusetts, Michigan, New Jersey, New York, Pennsylvania, Texas, Washington and Wisconsin. A separate section of the site provides information for attorneys wishing to enroll in the program. All an attorney needs to participate, it says, is a bank account and a mobile phone. "You control your availability via text, whenever and wherever you want to receive Avvo Advisor sessions." Avvo notifies the attorney via text when someone purchases a session in the attorney's state and practice area. The attorney responds to the text to claim the session, then has 15 minutes to initiate the call. Once the call is finished, the entire fee is deposited to the attorney's account (so there is no fee splitting).

Cyber attacks on US companies in 2014 (The Heritage Foundation, 27 Oct 2014) - The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector's information security. According to FBI Director James Comey, "There are two kinds of big companies in the United States. There are those who've been hacked…and those who don't know they've been hacked." This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data. This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves. The data breaches below are listed chronologically by month of public notice. * * * [Polley: Spotted by MIRLN reader Andy Jabbour]

NIST: Guide to cyber threat information sharing (NIST, 28 Oct 2014) - NIST announces the public comment release of Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. The publication explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.

NOTED PODCASTS

Uncovering algorithms: Looking inside the Facebook news feed (Berkman, 22 July 2014; 78 minutes) - Our online lives are organized by computer algorithms that select and recommend advertisements, search results, news, and online social interactions. These algorithms are often closely-guarded secrets kept by Internet companies, but researchers, users, and the public might legitimately need to know how these algorithms operate. In this talk we will use the Facebook news feed as an example to ask: How do we go about knowing these algorithms from the outside? This includes a discussion of potential research designs that investigate algorithms and also research on how users think about these algorithms.

RESOURCES

Homeland Security Policy Institute blog (Sept 2014) - The GWU Homeland Security Policy Institute has recently launched a new blog at http://hspi.org as a forum to provide short-form commentary and discussion on significant homeland security and counterterrorism issues, and as a place to highlight its events, reports, and other activities. Contributors to the blog include the full-time senior staff of HSPI and the Institute's senior fellows. Since our launch of the blog in mid-September, there have been more than 50 posts on the site, on topics such as the Secret Service's organizational issues, the implications of the recent JP Morgan Chase cyber incident, and ISIS's fundraising. We have also been posting summaries of our recent policy events on the site.

Just borrowing this story, OK? (MLPB, 14 Oct 2014) - Viva Moffat, University of Denver Sturm College of Law has published Borrowed Fiction and the Rightful Copyright Position at 32 Cardozo Arts & Entertainment Law Journal 389 (2014). Here is the abstract: Works of "borrowed fiction" - unauthorized sequels or retellings of literary works - have long prompted legal, cultural, and social backlash. With respect to copyright disputes, this is because borrowed fiction entails a range of legitimate but conflicting interests. Copyright law has historically elevated the interests of the "original" author over those of other writers and the reading public. Scholars have offered a range of proposals to counter this tendency, but these reforms have focused on the infringement analysis and the fair use doctrine. Each of those, however, involves a binary decision, one that is not amenable to accommodating the conflicting interests at stake. This Article proposes that a better accommodation between and among these interests can be achieved at the remedial stage. By taking seriously both the "rightful position" notion in remedies law and the Supreme Court's admonition against presumptive injunctive relief, courts can reach a more nuanced result in borrowed fiction cases. Under this approach, the full panoply of remedies would remain available, but rarely would anything more than compensatory damages be necessary to put the plaintiff in her rightful copyright position.

Book serves as guide to free and low-cost legal research (Robert Ambrogi, 20 Oct 2014) - I am a cheapskate. I am not ashamed to admit it. That is what first drove me to explore the Internet more than 20 years ago, back when many lawyers still had not even heard of it. Having just gone back into private practice at the time, I was in search of free resources for legal research, hoping to avoid the high cost of a Westlaw or LexisNexis subscription or investment in a library of hard-bound reporters. Fast forward two decades and, well, we've come a long way baby. Every federal and state appellate opinion can be found online at no cost. Federal and state statutes are online, as are growing bodies of other primary legal materials, from federal regulations to municipal ordinances. Traditional law reviews now publish online while legal blogs are creating new forms of legal commentary and analysis. Search technology has become so sophisticated that we forget how difficult search used to be. All of this is available to us wherever we are, in the office or on a mobile device sitting outside a courtroom. All these years later, I am as budget-conscious as ever. That is why I highly recommend the book, Internet Legal Research on a Budget, written by Carole Levitt and Judy Davis and published by the Law Practice Division of the American Bar Association. Together, they have written a book that is a must-have for any lawyer or legal researcher who is as budget-conscious as I - and I am willing to bet that is most of us. They have scoped out the terrain, tested and evaluated a host of free and low-cost legal research sites and identified the best. Not only do they show you the sites, they provide detailed instructions on how to use them.

EU copyright law and private copying (MLPB, 28 Oct 2014) - João Pedro Quintais, University of Amsterdam, Institute for Information Law (IViR), and University of California, Berkeley, School of Law, is publishing Private Copying and Downloading from Unlawful Sources in the International Review of Intellectual Property and Competition Law (2015). Here is the abstract: Private copying is one of the most contested areas of EU copyright law. This paper surveys that nebulous area and examines the issue of copies made from unlawful sources in light of the ECJ's ACI Adam decision. After describing the legal background of copyright levies and the facts of the litigation, the paper scrutinizes the Advocate General's Opinion and the Court's decision. The latter is analyzed against the history of copyright levies, the ECJ's extensive case-law on the private copying limitation and Member States' regulation of unlawful sources. This paper further reflects on the decision's implications for end-users, rights holders, collective management organizations and manufacturers/importers of levied goods. It concludes that, from a legal and economic standpoint, the decision not only fails to be properly justified, but its consequences will likely diverge from those anticipated by the Court. Most worrisome is the Court's stance on the three-step test, which it views as a restrictive, rather than enabling, clause. In its interpretation of the test, the decision fails to strike the necessary balance between competing rights and interests. This is due to multiple factors: overreliance on the principle of strict interpretation; failure to consider the fundamental right of privacy; lack of justification of the normative and empirical elements of the test's second condition; and a disregard for the remuneration element in connection with the test's third condition. To the contrary, it is argued that a flexible construction of the three-step test is more suited to the Infosoc Directive's balancing aims.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Florida town to use blanket of surveillance cameras (USA Today, 27 April 2004) -- One of the nation's wealthiest towns will soon have cameras and computers running background checks on every car and driver that passes through. Police Chief Clay Walker said cameras will take infrared photos recording a car's tag number, then software will automatically run the numbers through law enforcement databases. A 911 dispatcher is alerted if the car is stolen or is the subject of a "be on the lookout" warning. Next to the tag number, police will have a picture of the driver, taken with another set of cameras - upgraded versions of the standard surveillance cameras already in place. If there is a robbery, police will be able to comb records to determine who drove through town on a given afternoon or evening. "Courts have ruled that in a public area, you have no expectation of privacy," said Walker, one of 11 sworn officers who protects Manalapan's 321 residents. Still, Walker says Manalapan's data will be destroyed every three months.

Ashcroft says surveillance powers should stand (CNET, 29 Jan 2004) -- The Bush administration is warning Congress not to tinker with the Internet surveillance powers that the USA Patriot Act awarded to federal police. In a four-page letter to the Senate on Thursday, Attorney General John Ashcroft said that defanging the controversial law, which has been criticized by every major Democratic presidential contender, would "undermine our ongoing campaign to detect and prevent catastrophic terrorist attacks." Were Congress to vote to amend the USA Patriot Act, Ashcroft indicated, President Bush would veto the bill. Ashcroft was responding to a proposal in the Senate called the Security and Freedom Ensured Act (Safe), which would amend the USA Patriot Act by slapping limits on current police practices relating to surveillance and search warrants. It is sponsored by Republican Sen. Larry Craig of Idaho and has 12 co-sponsors, including two other Republicans. Many portions of the Safe Act affect the ability of federal police to conduct Internet surveillance against not only terrorists but also suspected perpetrators of a broad range of drug-related, computer hacking and white collar crimes. The measure would amend the USA Patriot Act to require, for instance, that electronic-surveillance orders specify either the identity or location of the suspect and that the person be there at the time--a departure from current practice. "This is an overheated attack on a very modest bill," said Tim Edgar, legislative counsel for the American Civil Liberties Union. "It shows that the attorney general is afraid of the bipartisan momentum that is going forward to fix parts of the Patriot Act." Ashcroft identifies no terrorist plots that were thwarted by the existence of the USA Patriot Act, Edgar said. "It doesn't contain a single real example of why passage of the Safe Act would impede antiterrorism efforts. It's based entirely on speculation and misleading, slanted legal analysis." 
Another section of the Safe Act that Ashcroft criticized would increase privacy protections for library patrons who use public computers for e-mail and Web browsing. "The Safe Act would make it more difficult, in some circumstances, to obtain information about e-mails sent from public computer terminals at libraries than it would be to obtain the same information about e-mails sent from home computers," Ashcroft said. "Ironically, it would extend a greater degree of privacy to activities that occur in a public place than to those taking place in a home." In Bush's State of the Union address earlier this month, the president called on Congress to renew the USA Patriot Act. Some portions--though not all--expire Dec. 31.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.