Saturday, November 01, 2014

MIRLN --- 12-31 October 2014 (v17.15)

MIRLN --- 12-31 October 2014 (v17.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



PRESENTATION

Managing the Cybersecurity Threat to Your Law Practice (Polley presentation to the Law Firm Alliance, 25 Oct 2014) - Overview of the ethical and operational issues affecting US law firms' cybersecurity responsibilities. 43 annotated PowerPoint slides.


NEWS

Privacy and data security issues in M&A transactions (Paul Hastings, 3 Oct 2014) - Because the failure of a target company to meet its privacy and data security obligations can present a significant risk to the acquiring company, compliance with applicable laws should be an important consideration in merger and acquisition transactions. A potential purchaser should seek to understand the nature of the personal information the target collects and the privacy and data security issues relevant to that business. Through due diligence, the purchaser can gain an understanding of the target's rights and obligations regarding the personal information it has collected, retained, used and disclosed. To assist in that process, this alert provides a checklist of potential privacy and data security issues that may be triggered in mergers and acquisitions. * * * [Polley: the ABA's Cyberspace Law Committee is undertaking a project to develop "best practices" for security planning during M&A events. Email me if you'd like to be connected with the project co-chairs.]


Ask the Decoder: How are algorithms telling our stories for us? (Al Jazeera, 8 Oct 2014) - Jean Yang went on a big trip through Europe this summer, from Edinburgh, Scotland, to Dubrovnik, Croatia, to Oslo, Norway, and back. Like a good tourist, she took pictures on her phone, an Android, throughout her trip. When she returned home, she found a surprise package in her Google+ notifications: a neatly collated, summarized, annotated digital scrapbook titled "Trip." Jean shared the album with me with this message: "This is equally cool and creepy: Google made this scrapbook of my June travels based on a random selection of photos I took - and also its knowledge of where I was. It's kind of nice to have this information organized automatically, but this is really trusting them with a lot of information. It would be funny if they took quotes from emails I sent during this time and put in quotes relevant to the places. 'Oslo is so expensive! My second dinner of wonton soup cost 68 kroner.' I'm curious how they decide what to include." When I spoke with Jean later, she was surprised in part because she didn't know this feature existed. She was also a little taken aback by all the location information included, given that she hadn't been using her roaming phone plan or data while abroad. So how did Google pull this together? And why did it leave Jean with mixed feelings? We looked into the program. Google introduced this scrapbooking feature in May, just before Jean's trip. The company calls it Stories: "Your best photos are automatically chosen and arranged in a fun timeline to show the highlights of your trip or event." There's an example scrapbook here. * * *


Smile! Marketing firms are mining your selfies (WSJ, 9 Oct 2014) - Most users of popular photo-sharing sites like Instagram, Flickr and Pinterest know that anyone can view their vacation pictures if shared publicly. But they may be surprised to learn that a new crop of digital marketing companies is searching, scanning, storing and repurposing these images to draw insights for big-brand advertisers. Some companies, such as Ditto Labs Inc., use software to scan photos (the image of someone holding a Coca-Cola can, for example) to identify logos, whether the person in the image is smiling, and the scene's context. The data allow marketers to send targeted ads or conduct market research. Others, such as Piqora Inc., store images for months on their own servers to show marketers what is trending in popularity. Some have run afoul of the loose rules on image-storing that the services have in place. The startups' efforts are raising fresh privacy concerns about how photo-sharing sites convey the collection of personal data to users. The trove is startling: Instagram says 20 billion photos have already been shared on its service, and users are adding about 60 million a day. There are no laws forbidding publicly available photos from being analyzed in bulk, because the images were posted by the user for anyone to see and download. The U.S. Federal Trade Commission does require that websites be transparent about how they share user data with third parties, but that rule is open to interpretation, particularly as new business models arise. Authorities have charged companies that omit the scope of their data-sharing from privacy policies with misleading consumers.


- and -

Feds press to keep mug shots secret (NLJ, 30 Oct 2014) - The federal government on Thursday asked a federal appeals court to block the compelled disclosure of mug shots, citing the "substantial" privacy interests of defendants. The U.S. Department of Justice is fighting a Michigan judge's ruling in a suit brought by the Detroit Free Press over access to mugs of four police officers charged in a drug and bribery conspiracy. A provision of the Freedom of Information Act allows the government to withhold mug shots, the department argues in its brief in the U.S. Court of Appeals for the Sixth Circuit. The U.S. Marshals Service denied the Free Press' FOIA request for the officers' mug shots, saying the disclosure "could reasonably be expected to constitute an unwarranted invasion of privacy."


Right round: Comparing US and European software patent eligibility (Patently-O, 10 Oct 2014) - Guest Post by Michael Williams. Williams is a UK and European Patent Attorney and Partner at the London-based Cleveland-IP firm. In the book "Through the Looking-Glass", Alice compares her drawing room to the one reflected in the mirror. She notes that everything is the same "only the things go the other way". In the recent Alice Corp [1] decision, the US Supreme Court set out a framework for assessing whether claims are patent eligible under 35 U.S.C. § 101. In this article I shall compare this framework with that used by the European Patent Office, and consider the similarities. * * *


Codes of conduct database fills an FCPA void (Corporate Counsel, 13 Oct 2014) - On Monday, in a decision followed closely by global companies who pay for, and outside advisors who make a living off of, Foreign Corrupt Practices Act (FCPA) compliance, the U.S. Supreme Court declined to review the Eleventh Circuit's ruling in United States v. Esquenazi, et al. (11th Cir. 2014) on the scope of what constitutes a "foreign official" under the FCPA. * * * The Eleventh Circuit provided a list of nonexhaustive factors to determine whether an entity is an "instrumentality" of a foreign government, including, for example, the government's ability to hire and fire the entity's principals, what functions the entity performs, whether the government subsidizes the costs associated with the entity providing services, and whether the public and government of that foreign country generally perceive the entity to be performing a governmental function. The court's conclusion was consistent with long-standing U.S. Department of Justice interpretation of the FCPA. Although the Supreme Court has bigger fish to fry, the University of Houston Law Center has a free database to help answer in-house counsel's burning instrumentality-related questions by benchmarking the FCPA corporate policies embedded in corporate codes of conduct. The database includes three years' worth of data from corporate codes of conduct that address 42 compliance topics, ranging from data privacy to anticorruption to immigration. Over 2,000 student and lawyer hours have gone into creating and maintaining the database, which can be accessed here. Companies can use this database to research how peer companies are addressing interactions with state-controlled companies, among other issues.
When reviewing the dataset, we found that in the past three years, nearly all Fortune 500 companies included an antibribery-related policy, in the form of a gifts and entertainment policy, although not all were FCPA-specific. [Polley: Spotted by MIRLN reader Gordon Housworth]


VPPA claim goes the way of Saturday morning cartoons (Steptoe, 16 Oct 2014) - The U.S. District Court for the Northern District of Georgia, in Ellis v. Cartoon Network, Inc., dismissed a claim brought against the Cartoon Network under the Video Privacy Protection Act (VPPA), on the ground that a person's mobile device identifier does not constitute personally identifiable information within the meaning of the Act. Accordingly, the court reasoned, the Cartoon Network's disclosure of users' device IDs along with their video viewing history to a data analytics company did not violate the VPPA.


GM's DIY Compliance: #WhatCouldPossiblyGoWrong? (Corporate Counsel, 16 Oct 2014) - What would it look like if the human resources team woke up one day and suddenly decided it was going to take over the job of the internal audit function? Would managers somehow be asked to incorporate audit activities into their performance reviews? Would audit become 90 percent training? And more importantly, would the organization find itself less capable of identifying and fixing control risks? NO, you say! That could never happen! Because everyone knows Internal Audit has a certain highly developed subject matter expertise, and that's why this must be left to the experts. And you would be right, of course. Which is why so many compliance and ethics authorities are uncomfortable with the prospect of the legal department or the general counsel driving compliance. To paraphrase Sen. Charles Grassley, R-Iowa: You don't have to be a former chief compliance officer and recovered lawyer to see/smell the General Motors-style folly of that arrangement. So to state the blindingly obvious, to this former CCO and recovered in-house lawyer, GM looks like a textbook case of "DIY Compliance." * * * This is also why I have said that any smart or reasonably cautious GC should demand a strong, independent compliance voice in the room when important decisions on compliance are being made. But let's not pick on only poor GM. My second candidate for DIY Compliance poster child? Easy: Wal-Mart Stores Inc., pre-Jay Jorgensen overhaul (separating compliance from legal, and many other important and savvy reforms). Well-known Foreign Corrupt Practices Act expert and blogger Tom Fox has described Walmart's decision to free its compliance function from its legal master as "the end of discussion" of how these departments should be structured.


Would a new crime of "willful refusal to comply with a decryption order" be the best answer to the device decryption puzzle? (Orin Kerr, 17 Oct 2014) - FBI Director James Comey spoke Thursday at Brookings about the FBI's concerns with how encryption can frustrate search warrants in lawful investigations. The scope of Comey's remarks goes beyond Apple's new iOS 8 operating system design, but much of it focused on the question of device encryption raised by Apple's new policy. I wanted to focus on one aspect of Comey's remarks, the question of whether the government can get access to the contents of encrypted devices directly from a suspect in a criminal case. Here's Comey: "Finally, a reasonable person might also ask, 'Can't you just compel the owner of the phone to produce the password?' Likely, no. And even if we could compel them as a legal matter, if we had a child predator in custody, and he could choose to sit quietly through a 30-day contempt sentence for refusing to comply with a court order to produce his password, or he could risk a 30-year sentence for production and distribution of child pornography, which do you think he would choose?" I think Comey is wrong that the Fifth Amendment is a "likely" barrier in the cell phone context, because in most of the typical cases, when the government knows who the owner of the phone is, the Fifth Amendment shouldn't be a problem. But let me put that issue aside for now and focus instead on the rest of Comey's comment, and specifically his concern that the punishment for refusing to comply with a court order to produce a password would be so low that the bad guys will just make a rational decision to take the lesser contempt punishment. * * *


If you don't agree to the new Wii U EULA, Nintendo will kill-switch it (Cory Doctorow on BoingBoing, 18 Oct 2014) - When you bought your Wii U, it came with one set of terms-of-service; now they've changed, and if you don't accept the changes, your Wii seizes up and won't work. That's not exactly what we think of when we hear the word "agreement." Yet this is how Nintendo's update to its end-user license agreement (EULA) for the Wii U works, as described by YouTube user "AMurder0fCrows" in this video. He didn't like the terms of Nintendo's updated EULA and refused to agree. He may have expected that, like users of the original Wii and other gaming consoles, he would have the option to refuse software or EULA updates and continue to use his device as he always had before. He might have to give up online access, or some new functionality, but that would be his choice. That's a natural consumer expectation in the gaming context - but it didn't apply this time. Instead, according to his video, the Wii U provides no option to decline the update, and blocks any attempt to access games or saved information by redirecting the user to the new EULA. The only way to regain the use of the device is to click "Agree."


A 'partial win' for publishers (InsideHigherEd, 20 Oct 2014) - While academic publishers on Friday notched a rare win in the ongoing legal debate about digital access to copyrighted works, proponents of fair use said the opinion in Cambridge v. Patton recognizes that colleges and universities can legally create digital reserves of books in their collections. In a unanimous decision, a three-judge panel of the U.S. Court of Appeals for the 11th Circuit, which covers Alabama, Georgia and Florida, rejected a broad ruling on how to determine fair use. The decision guarantees the case has a long and litigious road ahead of it by reversing the district court's opinion and sending the case back for further deliberations. Rather than strike a decisive blow against fair use, the legal concept that places some limits on the rights of copyright holders, the appeals court instead issued a stern warning against quick-fix, one-size-fits-all solutions to legal disputes -- specifically, the idea that copying less than a chapter or 10 percent of a book automatically protects an institution from a lawsuit. * * * [T]he court also came away "persuaded" that the Copyright Act of 1976 contains specific protections for colleges and universities, noting that Congress "devoted extensive effort to ensure that fair use would allow for educational copying under the proper circumstances." "While it can be worrisome to see a fair use win sent back, in this case, it seems to be mostly for the right reasons," Mike Masnick, founder of the technology blog Techdirt, wrote. "Given these new instructions, it seems like the lower court now has a chance to come to the right answer for the right reasons, and that's always going to be a better result." [Polley: See also On Cambridge v. Patton (Tracy Mitrano on InsideHigherEd, 19 Oct 2014)]


- and -

Harvard library lifts restrictions on digital reproductions of works in the public domain (Harvard, 20 Oct 2014) - The Harvard Library is pleased to announce a new policy on the use of digital reproductions of works in the public domain. When the Library makes such reproductions and makes them openly available online, it will treat the reproductions themselves as objects in the public domain. It will not try to restrict what users can do with them, nor will it grant or deny permission for any use. For more detail, see the policy FAQ. Said Peter Suber, director of the Harvard Library Office for Scholarly Communication and director of the Harvard Open Access Project, "We were inspired by pioneering policies to this effect at Cornell University Library and Yale University. We were also fortunate to have the prime mover of the Cornell policy, Peter Hirtle, at Harvard. I'm proud that Harvard is removing obstacles to research and education, and taking this extra step to share the wealth of its extraordinary collections with the world." The Harvard Library Board adopted the policy late last month. The Library will update its web sites to reflect the new policy during the remainder of the present academic year.


EFF launches updated Know Your Rights guide (EFF, 20 Oct 2014) - In the U.S., if the police come knocking at your door, the Constitution offers you some protection. But the Constitution is just a piece of paper if you don't know how to assert your rights. And even if you do assert your rights, what happens next? That answer may seem complicated, but protecting yourself is simple if you know your rights. That's why EFF has launched an updated Know Your Rights Guide that explains your legal rights when law enforcement tries to search the data stored on your computer, cell phone, or other electronic device. The guide clarifies when the police can search devices, describes what to do if police do (or don't) have a warrant, and explains what happens if the police can't get into a device because of encryption or other security measures.


- and -

Florida Supreme Court rules warrants a must for real-time cell location tracking (SC Magazine, 20 Oct 2014) - In a ruling that Electronic Frontier Foundation (EFF) staff attorney Hanni Fakhoury believes will be "cited a lot by EFF" and other privacy advocates, the Florida Supreme Court has said that law enforcement agencies must have a warrant to obtain cell phone location information that they need to track a user's location in real time. The decision by Florida's highest court adds to the "growing chorus of courts" finding that location information is private, Fakhoury told SCMagazine.com Monday. The case, Tracey v. Florida, made its way to the Supreme Court after police obtained cell tower data from a provider without a warrant to track the movements in real time of suspected drug dealer Alvin Tracey and used that information to elicit a conviction from a criminal court. Officers "obtained an order authorizing the installation of a 'pen register' and 'trap and trace device' as to Tracey's cell phone," which record outgoing and incoming telephone numbers, respectively, the Florida Supreme Court decision noted. But later, without obtaining a warrant or providing additional "factual allegations," the officers "used information provided by the cell phone service provider" under an earlier order. The information provided "included real time cell site location information given off by cell phones when calls are placed." * * * Citing Fourth Amendment protections as well as Supreme Court precedent in several cases, including Katz v. United States, the Florida Supreme Court quashed the Fourth District Court ruling, noting that smartphones "are ubiquitous and have become virtual extensions of many of the people using them for all manner of necessary and personal matters," which makes a "phone's movements its owner's movements, often into clearly protected areas."


The number of industries getting classified cyberthreat tips from DHS has doubled since July (NextGov, 20 Oct 2014) - Firms from half of the nation's 16 key industries, including wastewater and banking, have paid for special technology to join a Department of Homeland Security program that shares classified cyberthreat intelligence, in hopes of protecting society from a catastrophic cyberattack. Participation in the Enhanced Cybersecurity Services initiative has more than doubled during the past few months. Through the voluntary program - previously exclusive to defense contractors - cleared Internet service providers feed nonpublic government information about threats into the anti-malware systems of critical sector networks. As of July, only three industries - energy, communications and defense - were using the service, according to an unfavorable DHS inspector general audit. Now, befitting National Cybersecurity Awareness Month, Homeland Security officials say the financial, water, chemical, information technology and transportation sectors also are receiving the threat indicators. Just two months ago, American Chemistry Council officials said they had never heard of the program. The service has been available since 2013.


Chinese APT groups targeting Australian lawyers (The Register, 21 Oct 2014) - Law firms are among Australian businesses being targeted by at least 13 Chinese advanced malware groups in a bid to steal intelligence from big business, says forensics bod and Mandiant man Mark Goudie. The attacks are well planned and rely on a combination of stealth and persistence in order to extract any and all valuable corporate data. The local Mandiant director presented findings at the Australian Information Security Association conference last week and said one unnamed Aussie firm had been thoroughly owned. "The property manager was used as a way to get the data about a business deal (merger and acquisition)," Goudie told Vulture South. "The law firms are data aggregators and are being targeted too - anything that goes through a lawyer is obviously of interest to a deal. Law firms tend to operate in verticals as do advanced persistent threat (APT) groups, so it makes a lot of sense when you think about it."


- and -

After JPMorgan cyberattack, a push to fortify Wall Street banks (NYT, 21 Oct 2014) - This summer's huge cyberattack on JPMorgan Chase and a dozen other financial institutions is accelerating efforts by federal and state authorities to push banks and brokerage firms to close some gaping holes in their defenses. Top officials at the Treasury Department are discussing the need to bolster fortifications around a critical area of cybersecurity: outside vendors, which include law firms, accounting and marketing firms and even janitorial companies, according to several people briefed on the matter. The push by government officials is a stark acknowledgment of the vulnerability of financial institutions - even after they have spent hundreds of millions of dollars to protect themselves - to an attack if one of their vendors is not fully prepared. The problem is causing some security consultants to privately consider whether the sprawling financial firms with operations across the globe may be "too big to secure." And smaller firms, the consultants say, may simply not have the ability to adequately defend customer information. At a dinner in New York on Tuesday evening that is expected to include the general counsels from JPMorgan, Bank of America and Deutsche Bank, New York State's top financial regulator, Benjamin M. Lawsky, is expected to emphasize the gathering danger to the financial system when vendors' security is lax, according to one of the people briefed on the matter. The remarks, at the University Club in Midtown Manhattan, come as Mr. Lawsky is considering a new rule that would require banks to "obtain representations and warranties" from vendors about the adequacy of their controls to thwart hackers, the people said. [Polley: emphasis added.]


- and -

Law firms face cybersecurity audits by banking clients; are they a 'weak link'? (ABA Journal, 27 Oct 2014) - Banks are increasingly scrutinizing their law firms' cybersecurity efforts, including the law firms' protection of confidential information released to vendors such as word-processing firms and print shops. The law firms are increasingly facing on-site technology audits by banks, even as the banks themselves face cybersecurity pressures from regulators, the Wall Street Journal (sub. req.) reports. Just last week, New York's Department of Financial Services sent letters to dozens of banks asking about protections for information sent to third-party vendors such as law firms and accounting firms, according to a separate story by the Wall Street Journal (sub. req.). "Law firms increasingly are seen as potential weak links," the Wall Street Journal says. "Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions." The story cites information from an American Bar Association technology survey that found 14 percent of the respondents had experienced some type of security breach or theft this year. But only 1 percent said the breach resulted in unauthorized access to sensitive client data. The Wall Street Journal spoke with Goodwin Procter's chief information officer, Lorey Hoffman, who works with examiners sent by clients who want to know about data protection. The firm also hires its own auditors to check its cybersecurity. "It's a lot more than just checking a box," Hoffman said of the firm's response to client security questions.


- and -

Cybersecurity: Not just for biglaw and its clients (WSJ, 27 Oct 2014) - Cybersecurity is an increasingly big priority for law firms with big financial institution clients. But it can be a matter of life and death for lawyers doing pro bono work with clients in troubled countries who are battling human trafficking, terrorism and other human rights violations. The interception of sensitive documents by criminals or unfriendly governments can compromise the safety of in-country clients, and in some cases the attorneys with whom they work. "Human rights really is cloak-and-dagger," Christina Storm, a lawyer and founder of the non-profit group Lawyers Without Borders, told Law Blog. "Lawyers put themselves at risk, and every person in-country who reaches out to us puts themselves at risk." Ms. Storm's group focuses on strengthening the rule of law around the world. The organization works with law firms big and small as well as solo practitioners on cases that range from electoral reform to strengthening protections for gay, bisexual and transgender people in African countries. Such work isn't always popular. In some places, government surveillance might involve keyloggers that track communications between dissidents and their lawyers. Confidential documents that fall into the wrong hands can expose both sides to danger, Ms. Storm said, adding, "Their safety is important to us." Lawyers Without Borders takes some of its security cues from the big law firms it works with, such as Reed Smith LLP and Linklaters, whose corporate and financial clients require myriad steps to prevent hackers from accessing confidential information. At one point the organization tried using encrypted email, but the program was so cumbersome that people abandoned it because it was hard to use. Another document management system ended up being accessed by authorities in an unfriendly country, and the whole thing had to be scrapped.


US national security prosecutors shift focus from spies to cyber (Reuters, 21 Oct 2014) - The U.S. Justice Department is restructuring its national security prosecution team to deal with cyber attacks and the threat of sensitive technology ending up in the wrong hands, as American business and government agencies face more intrusions. The revamp, led by Assistant Attorney General John Carlin, also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States. As part of the shift, the Justice Department has created a new position in the senior ranks of its national security division to focus on cyber security and recruited an experienced prosecutor, Luke Dembosky, to fill the position. The agency is also renaming its counter-espionage section to reflect its expanding work on cases involving violations of export control laws, Carlin confirmed in an interview. Such laws prohibit the export without appropriate licenses of products or machinery that could be used in weapons or other defense programs, or goods or services to countries sanctioned by the U.S. government.


New York City court buys NYPD's claims of 'national security,' grants it power to 'Glomar' FOIL requests (TechDirt, 21 Oct 2014) - A New York City court has given the NYPD one of the few things separating it from the "big boys" (CIA, FBI and NSA): the permission to issue "Glomar responses" (the infamous "we can neither confirm nor deny...") to FOIL (Freedom of Information Law) requests. Like the audacity of the department itself in pursuing this additional method of keeping the public separated from public documents, the decision is unprecedented: The decision appears to be the first time that a court anywhere in the U.S. has upheld the use of such a tactic by a state agency. The Glomar response has historically been used only with regard to requests made to federal agencies that involve sensitive matters of national security.


Antitrust experts slam Comcast merger plan, warn of threats to Netflix and Amazon Prime (GigaOM, 21 Oct 2014) - A letter signed by more than three dozen law and economics professors and submitted to the FCC on Monday makes a withering case against the proposed merger of cable giants Comcast and Time Warner Cable, claiming the deal would harm consumers and violate the antimonopoly provisions of the federal Clayton Act. According to the 16-page submission, the merger will reduce competition by providing Comcast with over 40 percent of the market for broadband internet services, and make it easier for the incumbents to hobble "over-the-top" challengers like Netflix by congesting their internet traffic. The document, signed by antitrust experts from across the country including Columbia's Tim Wu and Stanford's Mark Lemley, comes as the FCC decides whether or not to approve the $45 billion merger, which was announced in February. A decision is expected in 2015.


Pandora holds out olive branch of data to musicians (LA Times, 22 Oct 2014) - Pandora Media, the king of personalized online radio services, pays recording artists, songwriters, record labels and music publishers close to $300 million a year in royalties. That's not nearly enough to satisfy the company's critics in the music industry, who resent how little Pandora pays each time a user plays a track. On Wednesday, the company plans to start offering artists more than just royalties. It's opening a new Artists Marketing Platform that provides detailed analytics for bands and their managers about their songs and their fans. Pandora AMP will be available free to any artist whose music is available on the service. Among other things, artists will be able to see which cities are home to the greatest clusters of their fans, the number of thumbs up (the Pandora equivalent of a Facebook "like") each of their tracks have received from listeners, and some basic demographic information on the users who have created playlists based on their music. * * * Yet AMP has been in the works for some time. Company founder Tim Westergren, a former professional musician himself, revealed plans for the service in a January 2013 speech at the Consumer Electronics Show in Las Vegas. Westergren argued then that Pandora can offer struggling musicians a path into the middle class by making it easier for them to attract, find and connect with fans. He returned to that theme in a blog post Wednesday announcing the service.

top

Man convicted for webcam sex with virtual 'underage girl' (Mashable, 22 Oct 2014) - A 10-year-old girl from the Philippines, nicknamed Sweetie, has helped authorities convict one Australian on child pornography charges. But Sweetie isn't real - she's a virtual digital avatar created to lure predators as part of a global sting operation. Scott Robert Hansen, a 37-year-old from Australia, is the first person to be convicted as a result of his interactions with Sweetie, according to Agence France-Presse. Hansen pleaded guilty to three charges related to child sex on Tuesday, including sending obscene pictures of himself to Sweetie, having child porn on his computer, and breaching a sex offenders order, according to Australian media. Sweetie was created last year by the Dutch branch of Terre des Hommes International Federation, a charity that works to protect children. The organization said that a group of its researchers posed as Sweetie during the sting operation, visiting "dozens" of chat rooms. The researchers then passed the chat logs of their conversations with the predators to Europol. During the sting operation, Sweetie was approached by 20,000 people over a 10-week period. Some 1,000 of them have already been identified.

top

Museums morph digitally (NYT, 23 Oct 2014) - For the Metropolitan Museum of Art, a turning point came in 2011. Down went the signs imploring visitors to stow their cellphones. The Met revamped its website, tailoring it for viewing on smartphone screens. The museum was not only allowing visitors to use their mobile phones while browsing the artworks, but encouraging it. The digital experience was embraced and meant to enhance the physical experience of exploring the museum. The trend has only accelerated since, at the Met and across the museum world. At first glance, it might seem like a capitulation, giving in to the virtual enemy when museums are so essentially physical spaces. Yet listen to museum curators and administrators today and they often sound like executives in media, retailing, consumer goods and other industries. They talk of displaying their wares on "multiple platforms," and the importance of a social media strategy and a "digital first" mind-set. Museums are being redefined for a digital age. The transformation, museum officials say, promises to touch every aspect of what museums do, from how art and objects are presented and experienced to what is defined as art. The museum of the future will come in evolutionary steps. But some steps are already being taken. Digital technologies being deployed or developed include: augmented reality, a sort of smart assistant software that delivers supplemental information or images related to an artwork to a smartphone; high-definition projections of an artwork, a landscape or night sky that offer an immersive experience; and 3-D measurement and printing technology that lets people reproduce, hold and feel an accurate replica of an object. At the Smithsonian Institution , 3-D technology is increasingly used for conservation, research and public education programs. The fine-grained scanning allows a depth of data collection and analysis that was not possible before. 
The gunboat Philadelphia, built in 1776, is the last surviving cannon-bearing American vessel from the Revolutionary War. The historic boat has been 3-D-scanned so online viewers can see it from angles not possible in person at the National Museum of American History in Washington. But it is also scanned regularly so conservators can get early warnings of deterioration of the old wooden structure. Colleen Stockmann, assistant curator for special projects at the Cantor Arts Center at Stanford University, and Jean-Baptiste Boin, a Ph.D. candidate in electrical engineering at Stanford and an expert in computer vision, are working on taking augmented reality a step further. Their research project, Art++, combines image-recognition technology and computer graphics with art history expertise. With their software, a person would walk into a museum, turn his or her smartphone or tablet toward a photograph, painting or sculpture, and the artwork is surrounded with a digital halo of supplemental information. The Cantor center, Ms. Stockmann said, exhibited the Stanford University Libraries' collection of landscape photographs of California and the Northwest by the 19th-century photographer Carleton Watkins . Capture the image of a Watkins photo of Yosemite Valley, she said, and you can tap on an icon that shows a map of where Watkins walked in the valley to take his photographs. [ Polley : see related Tour a museum from anywhere (NYT, 23 Oct 2014); and Masterworks for one and all (MIRLN 16.08)]

top

Leave your passwords at the checkout desk (Secure List, 23 Oct 2014) - Hotels, restaurants and airports used to offer customers free tablets while using their facilities. Recently, while attending an event and staying in one such hotel, I had the chance to use a free iPad specially installed in my room. To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room. When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information. It was not hard even to figure out the identity of the woman who had used it, since she also left her personal contact information on the device: * * * Having full names and email addresses cached on the device, it was not hard to Google a little bit and find out that some of the users were very public people working for the government of the country where I was staying. Most of the sessions were still open, even allowing the posting / sending of messages in the name of the user.

top

New guidance for lawyers on the ethics of social media use (Attorney At Work, 23 Oct 2014) - Do you need advice about the ethics issues involved in social networking? Chances are your questions will be answered by the Pennsylvania Bar Association's recent Formal Opinion 2014-300. The 18-page opinion addresses issues that are important for lawyers in every state. The Pennsylvania opinion rests on the premise that Rule 1.1 of the Model Rules of Professional Conduct requires lawyers to have "a basic knowledge of how social media websites work," as well as the ability to advise clients about the legal ramifications of using the sites. The Pennsylvania Bar Committee offers conclusions about 10 ethics issues involved in the use of social media for business purposes by lawyers and clients. Also, the committee emphasizes that lawyers should always assume their use of social media may be subject to the rules of professional conduct. The topics addressed in the opinion are well supported with rules and opinions from many states. The bar committee reached the following conclusions * * *

top

- and -

Competence: Acquire it or hire it! (ABA Journal, Nov 2014) - Lawyer competence is spelled out in the ethics rules in ABA Model Rule 1.1 as "the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation" and, in the civil context, as a standard used when evaluating legal malpractice: "ordinary" skill and capacity, or that of the average qualified practitioner, or that which is "normally" exercised by lawyers in similar circumstances. Restatement (Third) of the Law Governing Lawyers §52 (2000). Language linking the competence standard to an understanding of technology was added when the ABA amended the comments to two of the Model Rules following the ABA Ethics 20/20 Commission's final reports. This language can be found in the Comments to two of the ABA Model Rules, Rule 1.1 Competence and Rule 1.6 Confidentiality. * * *

top

Verizon Wireless injects identifiers that link its users to Web requests (ArsTechnica, 24 Oct 2014) - Cellular communications provider Verizon Wireless is adding cookie-like tokens to Web requests traveling over its network. These tokens are being used to build a detailed picture of users' interests and to help clients tailor advertisements, according to researchers and Verizon's own documentation. The profiling, part of Verizon's Precision Market Insights division, kicked off more than two years ago and expanded to cover all Verizon Wireless subscribers as part of the company's Relevant Mobile Advertising service. It appends a per-device token known as the Unique Identifier Header (UIDH) to each Web request sent through its cellular network from a particular mobile device, allowing Verizon to link a website visitor to its own internal profiles. The service aims to allow client websites to target advertising at specific segments of the consumer market. Because the token is added by the carrier rather than by the phone, it survives clearing cookies or switching browsers, and any website the device visits over the carrier network can read it. While the company started piloting the service two years ago, privacy experts only began warning of the issue this week, arguing that the service is essentially tracking users and that a company paid to provide a fundamental service should not be using the data for a secondary purpose. [ Polley : AT&T, also, apparently - go here to test your own carrier.]
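The "test your own carrier" check referred to above is simple to reproduce: stand up a cleartext HTTP endpoint you control, request it from the handset over the cellular connection, and look at what arrives. The carrier can only append headers to requests it can rewrite in transit, so the test must be plain HTTP (TLS traffic is out of the carrier's reach, and the header will not appear on HTTPS requests). The following is an added example, not code from the Ars Technica article, from Verizon or from the linked test page. It assumes the wire name of the Unique Identifier Header is `X-UIDH` and that AT&T's pilot used `X-ACR`; both header names and the sample request are assumptions and constructed input, not taken from the page.

```python
"""Detect carrier-injected tracking headers ("supercookies") in HTTP requests.

Added example for this newsletter item; not Verizon's, AT&T's or Ars
Technica's code.  Header names are assumptions: X-UIDH is taken to be the
wire name of Verizon's Unique Identifier Header, X-ACR is assumed for AT&T.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names associated with carrier-side identifier injection (assumption).
TRACKING_HEADERS = {
    "x-uidh": "Verizon Wireless Unique Identifier Header",
    "x-acr": "AT&T (assumed header name)",
}


def parse_request(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x request head into a request line and lowercase-keyed headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def find_tracking_headers(headers: dict) -> dict:
    """Return {header_name: value} for every known injected identifier present."""
    return {h: headers[h] for h in TRACKING_HEADERS if h in headers}


class EchoHandler(BaseHTTPRequestHandler):
    """Test endpoint: reports any injected identifier headers back to the client."""

    def do_GET(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        found = find_tracking_headers(headers)
        body = json.dumps(
            {"injected": found, "note": "only meaningful over plain HTTP on a cellular link"}
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample: a request as it would reach the server after the carrier
# appended its identifier.  The token value is made up for this example.
SAMPLE_REQUEST = (
    b"GET /check HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n"
    b"X-UIDH: CONSTRUCTED-TOKEN-0001\r\n"
    b"\r\n"
)


def run_server(port: int = 8080) -> None:
    """Serve the echo endpoint; fetch http://<host>:8080/check from the handset."""
    HTTPServer(("", port), EchoHandler).serve_forever()


if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    print(parsed["request_line"], find_tracking_headers(parsed["headers"]))
```

Run `run_server()` on a host reachable from the phone, then fetch `http://<host>:8080/check` from the handset with WiFi turned off; an empty `injected` object over cellular means no header was added on that path, while a populated one shows the per-device token any site you visit over plain HTTP can read.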

top

How Facebook is changing the way its users consume journalism (NYT, 26 Oct 2014) - Many of the people who read this article will do so because Greg Marra, 26, a Facebook engineer, calculated that it was the kind of thing they might enjoy. Mr. Marra's team designs the code that drives Facebook's News Feed - the stream of updates, photographs, videos and stories that users see. He is also fast becoming one of the most influential people in the news business. Facebook now has a fifth of the world - about 1.3 billion people - logging on at least monthly. It drives up to 20 percent of traffic to news sites, according to figures from the analytics company SimpleReach . On mobile devices, the fastest-growing source of readers, the percentage is even higher, SimpleReach says, and continues to increase. The social media company is increasingly becoming to the news business what Amazon is to book publishing - a behemoth that provides access to hundreds of millions of consumers and wields enormous power. About 30 percent of adults in the United States get their news on Facebook, according to a study from the Pew Research Center. The fortunes of a news site, in short, can rise or fall depending on how it performs in Facebook's News Feed. Though other services, like Twitter and Google News, can also exert a large influence, Facebook is at the forefront of a fundamental change in how people consume journalism. Most readers now come to it not through the print editions of newspapers and magazines or their home pages online, but through social media and search engines driven by an algorithm, a mathematical formula that predicts what users might want to read. It is a world of fragments, filtered by code and delivered on demand. For news organizations, said Cory Haik, senior editor for digital news at The Washington Post, the shift represents "the great unbundling" of journalism. 
Just as the music industry has moved largely from selling albums to songs bought instantly online, publishers are increasingly reaching readers through individual pieces rather than complete editions of newspapers or magazines. A publication's home page, said Edward Kim, a co-founder of SimpleReach, will soon be important more as an advertisement of its brand than as a destination for readers. "People won't type in WashingtonPost.com anymore," Ms. Haik said. "It's search and social." [ Polley : see related Harvard podcast below. ]

top

FCC imposes first cybersecurity fine (Inside Counsel, 27 Oct 2014) - Private customer information has become a business asset in the connected age, and as criminals increasingly target large corporations to extract that information, regulators are being pressed over how to impose fines on those who leave their data vulnerable. The Federal Communications Commission (FCC) has become the latest regulator to impose fines for data negligence on companies, announcing on Oct 24 that it will impose its first fine related to data security, on phone providers TerraCom Inc and YourTel America Inc. The FCC is seeking $10 million. The Commission alleges that the two companies collected personal information, including contact information and social security numbers, from customers in a manner that exposed their customer base to considerable risk of data theft. The fine was imposed based on the companies' violation of the Communications Act of 1934.

top

New from AVVO: on-demand, fixed-fee legal advice (Robert Ambrogi, 27 Oct 2014) - Avvo, Inc. - never a company shy about pushing the envelope - has just pushed it a bit further, with the launch of Avvo Advisor , a service that provides on-demand legal advice by phone for a fixed fee of $39 for 15 minutes. The service is available to consumers online or through a free iOS app. To use the service, the consumer first enters his or her zip code and then selects the type of legal matter in which he or she needs help. The consumer is then asked to provide credit card and contact information. The service promises that the consumer will receive a call from an attorney within 15 minutes or else the consumer's fee will be fully refunded. The service covers nine legal categories: small business, divorce, family, immigration, real estate, landlord-tenant, criminal defense, employment and bankruptcy/debt. It is so far available to consumers in 15 states, with more to be added in the coming months: Arizona, California, Colorado, Florida, Georgia, Illinois, Maryland, Massachusetts, Michigan, New Jersey, New York, Pennsylvania, Texas, Washington and Wisconsin. A separate section of the site provides information for attorneys wishing to enroll in the program. All an attorney needs to participate, it says, is a bank account and a mobile phone. "You control your availability via text, whenever and wherever you want to receive Avvo Advisor sessions." Avvo notifies the attorney via text when someone purchases a session in the attorney's state and practice area. The attorney responds to the text to claim the session, then has 15 minutes to initiate the call. Once the call is finished, the entire fee is deposited to the attorney's account (so there is no fee splitting).

top

Cyber attacks on US companies in 2014 (The Heritage Foundation, 27 Oct 2014) - The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector's information security. According to FBI Director James Comey, "There are two kinds of big companies in the United States. There are those who've been hacked…and those who don't know they've been hacked." This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data. This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves. The data breaches below are listed chronologically by month of public notice. * * * [ Polley : Spotted by MIRLN reader Andy Jabbour ]

top

NIST: Guide to cyber threat information sharing (NIST, 28 Oct 2014) - NIST announces the public comment release of Draft Special Publication (SP) 800-150 , Guide to Cyber Threat Information Sharing . The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. The publication explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.

top

NOTED PODCASTS

Uncovering algorithms: Looking inside the Facebook news feed (Berkman, 22 July 2014; 78 minutes) - Our online lives are organized by computer algorithms that select and recommend advertisements, search results, news, and online social interactions. These algorithms are often closely-guarded secrets kept by Internet companies, but researchers, users, and the public might legitimately need to know how these algorithms operate. In this talk we will use the Facebook news feed as an example to ask: How do we go about knowing these algorithms from the outside? This includes a discussion of potential research designs that investigate algorithms and also research on how users think about these algorithms.

top

RESOURCES

Homeland Security Policy Institute blog (Sept 2014) - The GWU Homeland Security Policy Institute has recently launched a new blog at http://hspi.org as a forum to provide short-form commentary and discussion on significant homeland security and counterterrorism issues, and as a place to highlight its events, reports, and other activities. Contributors to the blog include the full-time senior staff of HSPI and the Institute's senior fellows. Since our launch of the blog in mid-September, there have been more than 50 posts on the site, on topics such as the Secret Service's organizational issues , the implications of the recent JP Morgan Chase cyber incident , and ISIS's fundraising . We have also been posting summaries of our recent policy events on the site.

top

Just borrowing this story, OK? (MLPB, 14 Oct 2014) - Viva Moffat, University of Denver Sturm College of Law has published Borrowed Fiction and the Rightful Copyright Position at 32 Cardozo Arts & Entertainment Law Journal 389 (2014). Here is the abstract: Works of "borrowed fiction" - unauthorized sequels or retellings of literary works - have long prompted legal, cultural, and social backlash. With respect to copyright disputes, this is because borrowed fiction entails a range of legitimate but conflicting interests. Copyright law has historically elevated the interests of the "original" author over those of other writers and the reading public. Scholars have offered a range of proposals to counter this tendency, but these reforms have focused on the infringement analysis and the fair use doctrine. Each of those, however, involves a binary decision, one that is not amenable to accommodating the conflicting interests at stake. This Article proposes that a better accommodation between and among these interests can be achieved at the remedial stage. By taking seriously both the "rightful position" notion in remedies law and the Supreme Court's admonition against presumptive injunctive relief, courts can reach a more nuanced result in borrowed fiction cases. Under this approach, the full panoply of remedies would remain available, but rarely would anything more than compensatory damages be necessary to put the plaintiff in her rightful copyright position.

top

Book serves as guide to free and low-cost legal research (Robert Ambrogi, 20 Oct 2014) - I am a cheapskate. I am not ashamed to admit it. That is what first drove me to explore the Internet more than 20 years ago, back when many lawyers still had not even heard of it. Having just gone back into private practice at the time, I was in search of free resources for legal research, hoping to avoid the high cost of a Westlaw or LexisNexis subscription or investment in a library of hard-bound reporters. Fast forward two decades and, well, we've come a long way baby. Every federal and state appellate opinion can be found online at no cost. Federal and state statutes are online, as are growing bodies of other primary legal materials, from federal regulations to municipal ordinances. Traditional law reviews now publish online while legal blogs are creating new forms of legal commentary and analysis. Search technology has become so sophisticated that we forget how difficult search used to be. All of this is available to us wherever we are, in the office or on a mobile device sitting outside a courtroom. All these years later, I am as budget-conscious as ever. That is why I highly recommend the book, Internet Legal Research on a Budget , written by Carole Levitt and Judy Davis and published by the Law Practice Division of the American Bar Association. Together, they have written a book that is a must-have for any lawyer or legal researcher who is as budget-conscious as I - and I am willing to bet that is most of us. They have scoped out the terrain, tested and evaluated a host of free and low-cost legal research sites and identified the best. Not only do they show you the sites, they provide detailed instructions on how to use them.

top

EU copyright law and private copying (MLPB, 28 Oct 2014) - João Pedro Quintais, University of Amsterdam, Institute for Information Law (IViR), and University of California, Berkeley, School of Law, is publishing Private Copying and Downloading from Unlawful Sources in the International Review of Intellectual Property and Competition Law (2015). Here is the abstract: Private copying is one of the most contested areas of EU copyright law. This paper surveys that nebulous area and examines the issue of copies made from unlawful sources in light of the ECJ's ACI Adam decision. After describing the legal background of copyright levies and the facts of the litigation, the paper scrutinizes the Advocate General's Opinion and the Court's decision. The latter is analyzed against the history of copyright levies, the ECJ's extensive case-law on the private copying limitation and Member States' regulation of unlawful sources. This paper further reflects on the decision's implications for end-users, rights holders, collective management organizations and manufacturers/importers of levied goods. It concludes that, from a legal and economic standpoint, the decision not only fails to be properly justified, but its consequences will likely diverge from those anticipated by the Court. Most worrisome is the Court's stance on the three-step test, which it views as a restrictive, rather than enabling, clause. In its interpretation of the test, the decision fails to strike the necessary balance between competing rights and interests. This is due to multiple factors: overreliance on the principle of strict interpretation; failure to consider the fundamental right of privacy; lack of justification of the normative and empirical elements of the test's second condition; and a disregard for the remuneration element in connection with the test's third condition. 
To the contrary, it is argued that a flexible construction of the three-step test is more suited to the Infosoc Directive's balancing aims.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Florida town to use blanket of surveillance cameras (USA Today, 27 April 2004) -- One of the nation's wealthiest towns will soon have cameras and computers running background checks on every car and driver that passes through. Police Chief Clay Walker said cameras will take infrared photos recording a car's tag number, then software will automatically run the numbers through law enforcement databases. A 911 dispatcher is alerted if the car is stolen or is the subject of a "be on the lookout" warning. Next to the tag number, police will have a picture of the driver, taken with another set of cameras - upgraded versions of the standard surveillance cameras already in place. If there is a robbery, police will be able to comb records to determine who drove through town on a given afternoon or evening. "Courts have ruled that in a public area, you have no expectation of privacy," said Walker, one of 11 sworn officers who protect Manalapan's 321 residents. Still, Walker says Manalapan's data will be destroyed every three months.

top

Ashcroft says surveillance powers should stand (CNET, 29 Jan 2004) -- The Bush administration is warning Congress not to tinker with the Internet surveillance powers that the USA Patriot Act awarded to federal police. In a four-page letter to the Senate on Thursday, Attorney General John Ashcroft said that defanging the controversial law, which has been criticized by every major Democratic presidential contender, would "undermine our ongoing campaign to detect and prevent catastrophic terrorist attacks." Were Congress to vote to amend the USA Patriot Act, Ashcroft indicated, President Bush would veto the bill. Ashcroft was responding to a proposal in the Senate called the Security and Freedom Ensured Act (Safe), which would amend the USA Patriot Act by slapping limits on current police practices relating to surveillance and search warrants. It is sponsored by Republican Sen. Larry Craig of Idaho and has 12 co-sponsors, including two other Republicans. Many portions of the Safe Act affect the ability of federal police to conduct Internet surveillance against not only terrorists but also suspected perpetrators of a broad range of drug-related, computer hacking and white collar crimes. The measure would amend the USA Patriot Act to require, for instance, that electronic-surveillance orders specify either the identity or location of the suspect and that the person be there at the time--a departure from current practice. "This is an overheated attack on a very modest bill," said Tim Edgar, legislative counsel for the American Civil Liberties Union. "It shows that the attorney general is afraid of the bipartisan momentum that is going forward to fix parts of the Patriot Act." Ashcroft identifies no terrorist plots that were thwarted by the existence of the USA Patriot Act, Edgar said. "It doesn't contain a single real example of why passage of the Safe Act would impede antiterrorism efforts. It's based entirely on speculation and misleading, slanted legal analysis." 
Another section of the Safe Act that Ashcroft criticized would increase privacy protections for library patrons who use public computers for e-mail and Web browsing. "The Safe Act would make it more difficult, in some circumstances, to obtain information about e-mails sent from public computer terminals at libraries than it would be to obtain the same information about e-mails sent from home computers," Ashcroft said. "Ironically, it would extend a greater degree of privacy to activities that occur in a public place than to those taking place in a home." In Bush's State of the Union address earlier this month, the president called on Congress to renew the USA Patriot Act. Some portions--though not all--expire Dec. 31.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
