Saturday, February 21, 2015

MIRLN --- 1-21 February 2015 (v18.03)

MIRLN --- 1-21 February 2015 (v18.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | LOOKING BACK | NOTES

The cobweb (Jill Lepore in The New Yorker, 26 Jan 2015) - * * * For the law and for the courts, link rot and content drift, which are collectively known as "reference rot," have been disastrous. In providing evidence, legal scholars, lawyers, and judges often cite Web pages in their footnotes; they expect that evidence to remain where they found it as their proof, the way that evidence on paper-in court records and books and law journals-remains where they found it, in libraries and courthouses. But a 2013 survey of law- and policy-related publications found that, at the end of six years, nearly fifty per cent of the URLs cited in those publications no longer worked. According to a 2014 study conducted at Harvard Law School, "more than 70% of the URLs within the Harvard Law Review and other journals, and 50% of the URLs within United States Supreme Court opinions, do not link to the originally cited information." The overwriting, drifting, and rotting of the Web is no less catastrophic for engineers, scientists, and doctors. Last month, a team of digital library researchers based at Los Alamos National Laboratory reported the results of an exacting study of three and a half million scholarly articles published in science, technology, and medical journals between 1997 and 2012: one in five links provided in the notes suffers from reference rot. It's like trying to stand on quicksand. * * * The footnote problem, though, stands a good chance of being fixed. Last year, a tool called Perma.cc was launched. It was developed by the Harvard Library Innovation Lab, and its founding supporters included more than sixty law-school libraries, along with the Harvard Berkman Center for Internet and Society, the Internet Archive, the Legal Information Preservation Alliance, and the Digital Public Library of America. Perma.cc promises "to create citation links that will never break." It works something like the Wayback Machine's "Save Page Now." If you're writing a scholarly paper and want to use a link in your footnotes, you can create an archived version of the page you're linking to, a "permalink," and anyone later reading your footnotes will, when clicking on that link, be brought to the permanently archived version. Perma.cc has already been adopted by law reviews and state courts; it's only a matter of time before it's universally adopted as the standard in legal, scientific, and scholarly citation. [ Polley : Fascinating article. about the WABAC/Wayback machine, etc.]

top

Yelp goes to court to protect identity of anonymous review-writer (Consumerist, 30 Jan 2015) - Once again, a business who is displeased with an anonymous review on Yelp is trying to sue that reviewer and attempting to compel Yelp to reveal that user's actual identity. But this morning, lawyers for Yelp and consumer advocates were in court to argue that there is no justification for unmasking the writer of this review. In June 2013, a Yelp user with the screen name "Lin L." wrote a Yelp review for a real estate firm in Texas. The review stated that the agent she worked with was "by far the worst deceitful and money greedy sales agent you would ever deal with," who "failed to represent us as clients, never explained our contracts to us and not once did he ever ask us what we wanted to keep or take in our home," along with other claims that she was rushed into selling the house so that the agent could make his commission. Then in May 2014, the firm contacted Yelp to request the removal of the review. After looking into Lin L.'s comments, Yelp decided in June 2014 to allow the review to stand "because it appeared to reflect the user's personal experience and opinions, consistent with Yelp's Terms of Service and Content Guidelines." When Aug. 2014 rolled around, the firm's lawyer contacted Yelp, claiming that Lin L. was never a client and that what she describes in the review never occurred. The lawyer warned that if Yelp did not "immediately remove this review and disclose the full identity of this individual," the firm would file a lawsuit seeking damages and attorney fees. Yelp's response defended its decision to keep the review online saying it still believed the write-up reflected the user's opinions and experiences. However, if the real estate firm were able to prove in court that the review is defamatory, Yelp would reconsider. The site also said it would not reveal Lin L.'s identity without a valid subpoena. In Nov. 2014, more than a year after the original review was posted, the real estate firm filed suit [ PDF - complaint begins on p. 9 ] in a county court in Texas, alleging claims for defamation, civil conspiracy, and exemplary damages against defendant Lin L., but did not name Yelp as a defendant. The firm did, however, issue a subpoena to Yelp's registered agent in Delaware, demanding identifying information and "all records and documents in your possession pertaining to LIN L." Last week, Yelp and Paul Alan Levy, attorney for consumer advocacy group Public Citizen, filed an opposition [ PDF ] to the motion to compel, and then appeared before the court this morning to make their case. [ Polley : Spotted by MIRLN reader Elizabeth Polley .]

top

Binding teams in Silicon Valley (Patently-O, 30 Jan 2015) - In a recently published article, I report preliminary evidence supporting a novel view of what patents can do: keep inventive teams together. This evidence suggests that, in addition to their traditional role as incentives for innovation, patents may be doing important work in fostering collaboration in high tech industries. To see how this works, suppose you're the founder of a Silicon Valley start-up. After a few years, you've found modest success-a product launch, a small core of devoted customers. But it seems clear at this point that there's no massive IPO exit on the horizon. Instead, your capital is running low and the venture capitalists who financed your firm are getting impatient. Now Facebook shows up at your door: it wants to hire you and your team of engineers. The catch is that it wants the whole team. Facebook knows how hard it is to find talent that works well together. Plus, both you and Facebook know that if your team doesn't go as a group, any team member that strikes off on her own is likely to soon become a competitor. What do you do? One possibility is that you convince Facebook not only to hire your team, but also to buy the entire start-up. That way, Facebook can acquire the rights to any patents flowing from the work the team did at the start-up. These patents can then bind the team together by raising the costs to members of leaving-a departing team member won't be able to continue working in the path set out by the team's patents. Thus, while intellectual property is traditionally thought to prevent the entire public from freeriding on a creator's investment in producing a public good, it can also regulate relationships among team members, as Robert Merges and Paul Heald have separately argued in the patent context, and as Tony Casey and I have jointly argued in the copyright context. In my most recent article, I support this team-binding view of patents with data from Silicon Valley acqui-hires. Those transactions, illustrated by the founder-Facebook scenario posed above and explored in illuminating detail by John Coyle and Gregg Polsky, are understood to be driven by Silicon Valley norms of cooperation.

top

On FTC's staff report: cybersecurity for the Internet of Things (Lawfare, 31 Jan 2015) - On Tuesday, January 27, 2015, the Federal Trade Commission released a staff report on cybersecurity and the Internet of Things . Although as a staff report, the report has no binding authority on anyone, and the report merely stated that "commission staff encourages companies to consider adopting the best practices highlighted by workshop participants," it was predictable that opposing voices were heard noting that excessive regulation could smother innovation and scare customers away from a promising new technology. (See this , for example.) The best practices mentioned include building security into devices at the outset, rather than as an afterthought; training all employees about good security, and ensuring that security issues are addressed at the appropriate level of responsibility within the organization; using service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers; implementing a defense-in-depth approach to security; limiting the ability of unauthorized persons to access a consumer's device, data, or even the consumer's network; and monitor products throughout their life cycle and, to the extent feasible, patching known vulnerabilities.

top

BMW fixes security flaw that left locks open to hackers (BBC, 2 Feb 2015) - BMW has patched a security flaw that left 2.2 million cars, including Rolls Royce and Mini models, open to hackers. The flaw affected models fitted with BMW's ConnectedDrive software, which uses an on-board Sim card. The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said. ADAC's researchers found the cars would try to communicate via a spoofed phone network, leaving potential hackers able to control anything activated by the Sim. The patch, which would be applied automatically, included making data from the car encrypted via HTTPS.

top

EFF joins coalition to launch Canarywatch.org (EFF, 2 Feb 2015) - "Warrant canary" is a colloquial term for a regularly published statement that an internet service provider (ISP) has not received legal process that it would be prohibited from saying it had received, such as a national security letter. The term "warrant canary" is a reference to the canaries used to provide warnings in coalmines, which would become sick from carbon monoxide poisoning before the miners would-warning of the otherwise-invisible danger. Just like canaries in a coalmine, the canaries on web pages "die" when they are exposed to something toxic-like a secret FISA court order. Warrant canaries rely upon the legal theory of compelled speech. Compelled speech happens when a person is forced by the government to make expressive statements they do not want to make. Fortunately, the First Amendment protects against compelled speech in most circumstances. In fact, we're not aware of any case where a court has upheld compelled false speech. Thus, a service provider could argue that, when its statement about the legal process received is no longer true, it cannot be compelled to reissue the now false statement, and can, instead, remain silent. So far, no court has addressed this issue. But if you're not paying attention to a specific canary, you may never know when it changes. Plenty of providers don't have warrant canaries. Those that do may not make them obvious. And when warrant canaries do change, it's not always immediately obvious what that change means. That's why EFF has joined with a coalition of organizations, including the Berkman Center for Internet and Society, New York University's Technology Law & Policy Clinic , and the Calyx Institute to launch Canarywatch.org. Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about. The page's FAQ explains the mechanics and legal theories underpinning warrant canaries. It also has an anatomy of a canary that, since canaries come in so many different forms, helps anyone understand what they're seeing when they look at a particular canary.

top

Sookasa provides HIPAA-compliant, encrypted cloud storage (Lawyerist, 2 Feb 2015) - Although there are many ways to encrypt your communications, and plenty of storage services that offer HIPAA compliance, most of them come with a price: lack of convenience, and clunkiness. That is probably why a lot of us just end up stashing things in Dropbox. It's easy and there are apps for any device you might have. On your home computer, you can just drag and drop into Dropbox and it lives forever in the cloud. However, Dropbox certainly isn't the most secure solution, and is not HIPAA compliant. Sookasa works with Dropbox and gives you an encrypted (and, if you pay for it, HIPAA- and FERPA-compliant) storage folder. Putting files in Sookasa is as easy as putting them in your Dropbox; it is that ease of use that often gets us to be more aggressive about securing data. There are no extra steps and you do not need to be some sort of Internet-ninja wizard to use the product. HIPAA, of course, governs the security of health data. Briefly, if you are looking for a HIPAA-compliant data storage service, you need to make sure it can do three things: * * * [ Polley : Sounds interesting, but I haven't investigated. Reader comments/experiences welcome.]

top

Court tosses warrant after FBI's Internet 'ruse' (The Hill, 3 Feb 2015) - A federal magistrate judge is dismissing an FBI search warrant that led to the arrest of as many as eight people accused of running an illegal online sports betting operation out of Las Vegas. The warrant raised eyebrows after it was revealed that FBI agents cut the suspects' Internet access, then posed as cable repairmen to enter their luxury hotel rooms and gather evidence that was later used to support the bureau's search warrant. As a result, Magistrate Judge Peggy Leen ruled the warrant was "fatally flawed." When applying for the warrant, investigators failed to disclose that their suspicions were largely founded on a "ruse," Leen said. It doesn't matter that subsequent evidence gathered with the search warrant turned up more incriminating information. The decision must be approved by a district court judge. The men who were charged in the case have filed a lawsuit against the government.

top

Brokerage firms worry about breaches by hackers, not terrorists (NYT, 3 Feb 2015) - The online attack on Sony Pictures Entertainment in the fall that federal authorities linked to the North Korean government raised alarm bells about the hacking threat posed by foreign governments. But brokerage firms based in the United States remain most concerned about an attack carried out by a loose band of hackers or employees with a grudge. A report released on Tuesday by the Financial Industry Regulatory Authority, the industry's self-monitoring organization, said a study of about 20 brokerage firms found the threat of an online intrusion by a nation or a terrorist group ranked near the bottom of the industry's concerns. Worries about state-sponsored breaches were highest at big investment banks. But few of the largest firms questioned by Finra put such attacks at the top of their list. All the firms said they had little concern about a hacking carried out by a competitor. The results of the study were included in a Finra report that focused on best practices that brokerage firms should enact to prevent serious attacks that can compromise a customer's personal and financial information. The organization conducted the survey last year to better understand what brokerage firms, both large and small, are doing to guard against a serious breach. In another sign of just how important the threat of an intrusion has become for the financial services industry, the Securities and Exchange Commission issued its own report on Tuesday that examined how prepared Wall Street investment banks and brokerage firms were to repel hackers bent on gaining access to their digital networks. That examination of more than 100 registered firms found that the overwhelming majority "have been the subject of a cyber-related incident." The Finra report recommended that all brokerage firms assess their security as well as review the safeguards put in place by their vendors. These reviews should focus on things like data encryption, the number of employees who have access to a network, the frequency of software patches and updates, the security of data storage facilities, and measures taken to secure wireless and mobile systems. The report said about 80 percent of firms questioned already conducted some form of periodic security self-assessment. But the regulatory agency said it was "concerned that the remaining firms either had no program in place or were in the nascent stages of establishing a program."

top

GCs play growing role in managing 'super risk' issue of cybersecurity (Legal Intelligencer, 3 Feb 2015) - As general counsel combat the constant threat of data breaches, their companies' information security officers are the most likely colleagues on speed dial. But with breaches viewed as almost inevitable, law firms also play a critical role in helping general counsel navigate a patchwork of state laws and how to handle fallout when information is compromised. "You can almost assume you will get attacked and infiltrated. Everybody does," said a utility company general counsel who wanted to remain anonymous. "The question is how do you recover from that." This general counsel wasn't alone in not wanting to be named or, in some cases, even talk about cybersecurity issues out of fear hackers would want to test the company's proclaimed security measures. While cybersecurity issues began years ago as one of many risks a board of directors had to manage, the issues faced by companies like Sony and Target have turned cybersecurity into a "super risk," the general counsel said. "It's now treated at a governance level with the board of directors not just as another risk, but an issue unto itself," the GC said. "Thwarting and responding to breaches of corporate data is increasingly a reality for today's GCs and CLOs," said Veta T. Richardson, ACC president and CEO. "As attempted data breaches become more sophisticated, the CLO will play a growing role in cybersecurity strategy, risk assessment and prevention." [ Polley : pretty interesting article.]

top

- and -

Cybersecurity in the wake of Sony (WSJ, 10 Feb 2015) - If there was one specter hanging over this year's gathering of The Wall Street Journal's CIO Network, it could be spelled: S-O-N-Y. Conversation during breaks gravitated to the remarkable destruction of Sony Pictures Entertainment's network and files that hackers caused in November. This hack wasn't about stealing intellectual property and slinking away, or pranking a former employer. These hackers broke in and fired up the wrecking ball. The global chief information officers who gathered at the third annual CIO Network in San Diego last week are a chastened crew. When asked who hasn't been hacked, just one hand went up in the audience, and that CIO got a lot of skeptical looks. And when asked if business and the government were making progress against hacking or were losing the battle, the group overwhelmingly said the latter. But the conversation quickly got pragmatic. "Don't go overboard on security," one CIO said. "I still have to address other matters." Company networks need to grow and be flexible, interact with vendors and customers, and accommodate internal innovation. Cybersecurity has become just one more item on the corporate risk-management list-albeit high on the list, several CIOs said.

top

- and -

SEC and FINRA issue cybersecurity publications (Nat'l Law Journal, 6 Feb 2015) - On February 3, the Securities and Exchange Commission and Financial Industry Regulatory Authority issued separate publications on cybersecurity risk. The SEC's risk alert provides summary observations from the SEC's Office of Compliance Inspections and Examinations based on prior examinations of broker-dealers and investment advisers. These examinations focused on how firms (1) identify cybersecurity risks; (2) establish cybersecurity policies, procedures and oversight processes; (3) protect their networks and information; (4) identify and address risks associated with remote access to client information, fund transfer requests and third-party vendors; and (5) detect unauthorized activity. The SEC also released an investor bulletin that provides guidance to help investors safeguard their online investment accounts. Among other things, the SEC recommends using a strong password and a two-step verification process. Separately, FINRA released two publications on cybersecurity. FINRA's cybersecurity report identifies best practices for managing cybersecurity threats based on prior examinations of its member firms. These practices include, among other things, establishing a sound governance framework, utilizing risk assessments and technical controls, developing cyber-incident response plans, and training staff on cybersecurity issues. FINRA also released an investor alert to help investors safeguard their brokerage accounts and financial information. The publications are available here: SEC Risk Alert , SEC Investor Bulletin , FINRA Report and FINRA Investor Alert . [ Polley : see also Proskauer's piece on the FINRA report: FINRA Cybersecurity Report Highlights Risks, Best Practices (7 Feb 2015)]

top

- and -

After high-profile hacks, many companies still nonchalant about cybersecurity (CS Monitor, 19 Feb 2015) - Conventional wisdom suggests that the costly data breaches at Target, Home Depot, JPMorgan, and elsewhere have elevated information security concerns to the highest echelons of corporate America and are driving major improvements in security practices. But the results of two separate surveys highlight a somewhat more nuanced reality. The breaches and resulting losses have made security a higher priority on the corporate agenda. But a disconnect still appears to exist between the security function and senior leadership at many companies. What's more, many corporate boards seem nonchalant about the risks their organizations face from information security failures such as the ones that have hit Sony Pictures, Anthem, and others in recent months. In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization's cybersecurity strategy over the past 12 months. In fact, just a quarter of the respondents said senior management viewed security as a strategic priority while the remaining 75 percent said they viewed it as a necessary cost. The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer that 42 percent of respondents said their board actively participates in overall security strategy while barely 25 percent said their boards were involved in reviewing and privacy risks to the their organizations. [ Polley : !!!!]

top

Cisco makes its annual predictions on mobile data traffic (NYT, 3 Feb 2015) - If everybody has a smartphone, maybe we'll soon just start calling them phones. Cisco Systems on Tuesday released its annual multiyear forecast for global mobile data traffic. This one, covering the years 2014-2019, has what has become the usual projection of tenfold growth in mobile traffic over the period - in this case, to 24.3 exabytes a month. One exabyte is a billion gigabytes. Digging into the numbers, a few significant factors are seen as the causes for that sustained growth. For one, by 2019, 69 percent of the world, or 5.2 billion people, are expected to be mobile users. Among that crowd, there will be 4.6 billion smartphones, compared with 3.1 billion feature phones. Clearly, many people will own more than one phone. The study also covered connected devices like tablets and Wi-Fi-enabled laptops, which Cisco said were likely to regain share from tablets. The growth in smartphones is interesting not just because they will be the majority type of phone sometime around 2018; smart devices tend to use more data, so that 97 percent of overall global traffic will be from smart devices. Video is expected to be a particularly big bandwidth hog: 72 percent of mobile traffic will be video, Cisco said. Another important development is the amount and type of traffic that will be offloaded from conventional cellular systems to Wi-Fi and small cell networks. Cisco said 54 percent of mobile data traffic will be on these systems, which keep carriers from congestion, but also keep them from realizing some profits, since they can't charge for Wi-Fi connections the same way.

top

NSA's chief privacy officer admits that maybe the NSA shouldn't rely on 'cute' interpretations of the law (TechDirt, 4 Feb 2015) - Almost exactly a year ago, the NSA announced the hiring of Rebecca Richards to be its Civil Liberties and Privacy Officer, leading many to exclaim, wait, the NSA has that job? Indeed it does. Though we haven't heard much from Richards since that hiring, she did appear on the latest "Cyberlaw Podcast" with Stewart Baker. During the podcast, Richards admits what many of us have been arguing for years (since even before the Snowden revelations), that the NSA is probably making a mistake in relying on "cute" interpretations of the law to claim that it has legal justifications for its actions: "If the law on it's face does not-if you have to go through too many contorted legal [inaudible], I mean what is legal? That's where we need to, not have perhaps cute legal interpretations."

top

Lawmakers call for 'virtual Congress' (The Hill, 6 Feb 2015) - Reps. Steve Pearce (R-N.M.) and Eric Swalwell (D-Calif.) have introduced a bill urging development of ways for members of Congress to avoid traveling to Washington away from their districts. The resolution offered by Pearce and Swalwell, who both hail from districts on the opposite side of the country as Washington, envisions a Congress allowing members to vote and participate in committee hearings via the Internet. That way, they argue, lawmakers wouldn't have to travel all the way to the Capitol to conduct official duties and jet back to their districts every week. Specifically, their resolution directs the House Administration Committee to identify "best practices" for conducting congressional business virtually. The bipartisan duo argue that a virtual Congress would prevent members and staff from becoming out of touch with their districts. "[M]any congressional staffers do not spend time in the district for which they were hired to work, and are less in touch with the needs of constituents," the resolution states. The measure further cites security concerns of having all 535 members of Congress in one place.

top

IEEE amends its patent (FRAND) policy (Patently-O, 9 Feb 2015) - On February 8, the Board of Directors of the Institute of Electrical and Electronics Engineers (IEEE) voted to approve a set of amendments to the organization's patent policy. The changes largely relate to the commitment of IEEE members to license patents to users of IEEE standards on terms that are "fair, reasonable and nondiscriminatory" (FRAND). As most readers are aware, these commitments have been the subject of recent litigation. IEEE's Wi-Fi standards alone have played prominent roles in Microsoft v. Motorola, Apple v. Motorola, In re. Innovatio and Ericsson v. D-Link, among others. In most of these cases, there has been sharp disagreement over whether the patent holder complied with its FRAND obligations. To decide these cases, judges and juries have been required to speculate regarding the scope and intent of these obligations, choosing between the divergent views advanced by the litigants and their experts. Observers of these disputes have long wondered why standards-setting organizations (SSOs) like IEEE have not simply clarified these issues in their patent policies. Doing so would eliminate much of the uncertainty and debate that currently characterizes disputes over FRAND compliance. In fact, in a 2013 article , the chief economists of the U.S. Department of Justice, Federal Trade Commission and European Commission Directorate-General for Competition jointly urged SSOs to clarify issues surrounding FRAND in their patent policies. Yet few SSOs, if any, did so. Until now. The IEEE amendments do several things. Most notably they makes clear that IEEE members holding patents covering IEEE standards: * * *

top

Gaining access via fake identity to an individual's Facebook page and chats is a "search" requiring a warrant (David Post on Volokh Conspiracy, 10 Feb 2015) - The apparently increasing use of fictitious, sham Facebook accounts by law enforcement officers involved in sexual predator "sting" operations has been the subject of considerable criticism of late (see e.g. here , here , and here ). The pattern seems to be that police officers set up fake FB accounts, posing as underage women, and then "friend" various persons whom they believe, for one reason or another, might be engaged in unlawful sexual conduct with minors. In a recent case in Bozeman, Montana, the State's law enforcement agent posed as a 16-year old girl, arranged to become friends with the defendant, and then exchanged sexually explicit pictures with the defendant and arranged for a meeting (at which point the defendant was arrested for attempted sexual conduct with a minor). Defendant moved to suppress all of the evidence obtained through the FB impersonation, and in its recent decision, the district court in Gallatin County, Montana, agreed , holding that the defendant had a subjectively and objectively reasonable expectation of privacy in the contents of his Facebook page (given that he had chosen to use the highest available privacy settings for the page), and in the "chat" conversations that he had with other FB friends online, and that the State's use of evidence it obtained from his page and from those chats was a "search" requiring the government to obtain a judicial warrant before collecting the evidence. [ Polley : and see Orin Kerr's response post Undercover Facebook investigations and the federal/state divide - a response to David Post (11 Feb 2015)]

top

Florida is the latest state to allow attorneys to advise clients about the removal of social media posts and pictures (Gibbons E-Discovery Law Alert, 10 Feb 2015) - On January 23, 2015, the Professional Ethics Committee of the Florida Bar issued an advisory opinion holding that before litigation commences , and absent any other preservation obligation, an attorney may advise a client to: (1) remove information from social media pages and (2) change privacy settings from public to private, as long as the client retains a record of any deleted information or data. In so holding, the Florida ethics committee joined panels from New York, Pennsylvania, and North Carolina that have issued similar guidance. By way of background, an attorney sought guidance about the ethical implications of advising a client to "clean up" his social media pages before litigation commences to delete "embarrassing" information the attorney deemed immaterial and not directly related to impending litigation. Because the client retained counsel, the ethics committee assumed litigation was "reasonably foreseeable" and, therefore, determined the appropriate inquiry was whether the social media was "relevant," rather than "related directly" to the underlying litigation. The ethics committee held that relevancy is determined on a factual, case-by-case basis. With those parameters in place, the ethics committee then reviewed the opinions of other panels that recently considered this issue, all of which reached similar conclusions, with some nuances: * * * [ Polley : parses opinions from the NY County Lawyers Assn, the Philadelphia Bar Assn, the Pennsylvania Bar Assn, and the NC State Bar.]

top

- and -

When is a blog lawyer advertising? Proposed California state bar opinion offers guidance (ABA Journal, 18 Feb 2015) - Legal ethics rules on advertising should apply to attorneys and law firms that publish blog posts as part of a professional website. Likewise, posts that explicitly or implicitly make clear that the author is available to represent clients also should be covered by legal ethics rules, a California State Bar group says. In a draft opinion (PDF), the Committee on Professional Responsibility and Conduct calls for what the California Bar Journal describes as a bright-line test to determine which legal blogs fall within COPRAC's purview. Another page on the California State Bar website summarizes the draft opinion. Not everyone, however, is a fan of the approach taken by the proposed opinion. In a Socially Awkward blog post, Avvo general counsel Josh King says it is overbroad and infringes on attorneys' First Amendment rights. COPRAC is accepting comments on the proposed opinion until 5 p.m. on March 23. They should be sent to Angela Marlaud at the State Bar of California, 180 Howard St., San Francisco, CA, 94105, or emailed to angela.marlaud@calbar.ca.gov.

top

Facebook launches platform for companies to share security threat data (LA Times, 11 Feb 2015) - You might use Facebook to share Hawaiian vacation pics with your friends and relatives. Now, Dropbox, Bitly, Pinterest, Tumblr, Twitter, Yahoo and other tech companies are using Facebook to share information about threats to their computer systems. Facebook on Wednesday introduced ThreatExchange, a platform where partner companies can query available cybersecurity threat information and publish their own. The incentive to create ThreatExchange came a little more than a year ago, when a group of technology companies came together to discuss automated spam attacks on their servers. "We quickly learned that sharing with one another was key to beating the botnet because parts of it were hosted on our respective services and none of us had the complete picture," Mark Hammell, manager of the threat infrastructure team at Facebook, said in a blog post Wednesday. "During our discussions, it became clear that what we needed was a better model for threat sharing." ThreatExchange includes a set of privacy controls so that participating firms can share only with the group or groups they wish.

top

Private eye is said to face prosecution in a hacking (NYT, 12 Feb 2015) - Private investigators may be the newest front for federal prosecutors in cracking down on the hacker-for-hire business. In the coming weeks, a private investigator in New York is expected to plead guilty to charges of paying a so-called hacker-for-hire firm to steal email passwords and credentials, said three people briefed on the matter, who spoke on the condition of anonymity because no charges had been filed yet. The guilty plea would wrap up a nearly yearlong investigation by the Federal Bureau of Investigation and federal prosecutors in New York. Separately, federal prosecutors in San Francisco on Wednesday announced the indictment of two private investigators and two computer hackers on charges that they illegally entered email and Skype accounts to gather information for matters they were working on for clients. Some of the illegally gathered information was intended to support a lawsuit, authorities said. The identity of the private investigator in New York, who works for a small firm, could not be determined. Law enforcement authorities focused on the investigator because of the clients he has worked for, including some lawyers, the people briefed on the matter said. The investigation, however, has the potential to shed light on a less-than-savory activity that has been the subject of speculation in the legal community: the hiring of private investigators by lawyers to hack into email accounts to learn more about potential witnesses and gather evidence for trial strategies. The notion that lawyers would countenance the hacking of emails appears to flout the legal profession's most basic ethical standards. But security experts and former prosecutors said that investigations over the years had unearthed evidence that some lawyers hire private investigators to obtain information for cases without delving too deeply into how it is gathered.

top

Court allows US law enforcement to evade fourth amendment by piggybacking on foreign searches (Steptoe, 12 Feb 2015) - Like a fullback opening a hole in the line for a following tailback, foreign law enforcement can blast a hole in Fourth Amendment protections by conducting a search of electronic evidence before U.S. law enforcement does. So ruled the Eleventh Circuit in U.S. v. Odoni . The court held that a person has no reasonable expectation of privacy in computer files that were previously searched by foreign law enforcement agents, meaning U.S. law enforcement could subsequently search those files without a warrant. It relied on the "private search" doctrine established by the Supreme Court in United States v. Jacobsen , in which the Court held that individuals do not have a reasonable expectation of privacy in objects that have already been searched by a private party. The Eleventh Circuit found that this principle "applies with equal force" to items searched by foreign government officials.

top

Online court proposed to resolve claims of up to £25,000 (The Guardian, 15 Feb 2015) - The UK justice system should receive a radical overhaul for the digital age with the creation of an online court to expand access to justice and resolve claims of up to £25,000, the official body that oversees civil courts has recommended. In a transformative proposal for largely lawyer-free, virtual courtrooms, the civil justice council is calling for an internet-based dispute resolution system to be available within two years. Backed by Lord Dyson, the master of the rolls, who is head of the civil judiciary in England and Wales, the report says existing services - such as eBay's disagreement negotiation procedure and Cybersettle's blind-bidding operations - provide prototypes worth studying. The online dispute resolution (ODR) model proposed in the report envisages a three-tier process: evaluation through interactive services and information, negotiation with online "facilitators" and finally, if agreement has not been reached, resolution by a trained judge relying on electronic submissions. Only the judge need be legally qualified. If necessary, telephone hearings could be built into the last stage. Rulings by the online judge would be as enforceable as any courtroom judgment. The report's principal author, Prof Richard Susskind, who is president of the Society for Computers and Law, said the UK was falling behind other countries that have begun to incorporate online elements into their judicial systems. His recommendations include "automated negotiation" where differences may be resolved "without the intervention of human experts" by relying on blind bidding processes.

top

The Equation Group's sophisticated hacking and exploitation tools (Bruce Schneier on Lawfare, 17 Feb 2015) - This week, Kaspersky Labs published detailed information on what it calls the Equation Group - almost certainly the NSA - and its abilities to embed spyware deep inside computers, gaining pretty much total control of those computers while maintaining persistence in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone interested to read the Kaspersky documents, or this very detailed article from Ars Technica. In some ways, this isn't news. We saw examples of these techniques in 2013, when Der Spiegel published details of the NSA's 2008 catalog of implants. (Aside: I don't believe the person who leaked that catalog is Edward Snowden.) In those pages, we saw examples of malware that embedded itself in computers' BIOS and disk drive firmware. We already know about the NSA's infection methods using packet injection and hardware interception . This is targeted surveillance. There's nothing here that implies the NSA is doing this sort of thing to every computer, router, or hard drive. It's doing it only to networks it wants to monitor. Reuters again: "Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said." A map of the infections Kaspersky found bears this out. On one hand, it's the sort of thing we want the NSA to do. It's targeted. It's exploiting existing vulnerabilities. In the overall scheme of things, this is much less disruptive to Internet security than deliberately inserting vulnerabilities that leave everyone insecure. On the other hand, the NSA's definition of "targeted" can be pretty broad. We know that it's hacked the Belgian telephone company and the Brazilian oil company . We know it's collected every phone call in the Bahamas and Afghanistan . It hacks system administrators worldwide. On the other other hand - can I even have three hands? - I remember a line from my latest book : "Today's top-secret programs become tomorrow's PhD theses and the next day's hacker tools." Today, the Equation Group is "probably the most sophisticated computer attack group in the world," but these techniques aren't magically exclusive to the NSA. We know China uses similar techniques. Companies like Gamma Group sell less sophisticated versions of the same things to Third World governments worldwide. We need to figure out how to maintain security in the face of these sorts of attacks, because we're all going to be subjected to the criminal versions of them in three to five years. [ Polley : As usual with Schneier's articles, it's worth reading the entire piece.]

top

EFF to Supreme Court: the Fourth Amendment covers DNA collection (EFF, 18 Feb 2015) - People have a Fourth Amendment right to privacy when it comes to their genetic material, the Electronic Frontier Foundation (EFF) argues in an amicus brief filed this week with the Supreme Court of the United States. EFF is asking the Supreme Court to hear arguments in Raynor v. State of Maryland, a case that examines whether police should be allowed to collect and analyze "inadvertently shed" DNA without a warrant or consent, such as swabbing cells from a drinking glass or a chair. EFF argues that genetic material contains a vast amount of personal information that should receive the full protection of the Constitution against unreasonable searches and seizures. "As human beings, we shed hundreds of thousands of skin and hair cells daily, with each cell containing information about who we are, where we come from, and who we will be," EFF Senior Staff Attorney Jennifer Lynch said. "The court must recognize that allowing police the limitless ability to collect and search genetic material will usher in a future where DNA may be collected from any person at any time, entered into and checked against DNA databases, and used to conduct pervasive surveillance." Glenn Raynor's genetic material was collected and tested without his knowledge or consent after he agreed to an interview at a police station as part of a criminal investigation. The police didn't have probable cause to arrest Raynor, and he refused to provide a DNA sample. After he left the station, police swabbed the armrest of the chair where he had been sitting to collect his skin cells without his knowledge. The police then extracted a DNA profile from the cells and used it to connect him to the crime. The Maryland Court of Appeals ruled that this collection was lawful, and Raynor petitioned the Supreme Court for review. EFF's brief supports Raynor's petition.

top

Researcher discovers Superfish spyware installed on Lenovo PCs (NYT, 19 Feb 2015) - Lenovo, the Chinese tech giant, was shipping PCs with spyware that tracks its customers' every move online, and renders the computers vulnerable to hackers. Lenovo, the world's largest PC manufacturer, was installing Superfish, a particularly pernicious form of adware that siphons data from a user's machine via web browser. Banking and e-commerce sites, or any web page that purports to be secure with the image of a tiny padlock, are made vulnerable. The adware discovery was made early last month by Peter Horne, a 25-year veteran of the financial services technology industry, after he bought a brand-new Lenovo Yoga 2 Notepad at a computer retailer in Sydney, Australia. Even though the PC came with McAfee antivirus software, Mr. Horne said, he installed antivirus software made by Trend Micro. Neither virus scanner picked up any adware on the machine. But Mr. Horne noted that traffic from the PC was being redirected to a website called best-deals-products.com. When he dug further, he found that website's server was making calls to Superfish adware. Superfish's "visual discovery" adware, Mr. Horne and others now say, is far more intrusive than typical adware. It not only drops ads into a user's web browser sessions, it hijacks a secure browsing session and scoops up data as users enter it into secure websites.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

New York Times Mulls Charging Web Readers (Reuters, 7 Jan 2005) -- The New York Times Co. is considering subscription fees to the online version of its flagship newspaper, which now is available for free, but it has no immediate plans to do so, the company said on Friday. One of the paper's biggest rivals, Dow Jones & Co. Inc.'s Wall Street Journal, charges for its online edition. A New York Times spokeswoman said the company is reviewing whether it should make any business changes to the online version but that no shifts were imminent. "We are reviewing the site to see whether or not there would be any areas where we should change the business model," said the spokeswoman, Catherine Mathis, adding: "This is not new. We've been discussing this for some time." According to the upcoming issue of BusinessWeek magazine, whose cover story focuses on The New York Times Co., an internal debate has been raging at the newspaper over whether its online edition, which had about 18.5 million unique monthly visitors as of November, should adopt a subscription fee. N.Y. Times publisher Arthur Sulzberger Jr. was quoted in the article as saying: "It gets to the issue of how comfortable are we training a generation of readers to get quality information for free. That is troubling."

top

More find online encyclopedia is handy (New York Times, 14 Nov 2005) -- By several measures, the user-written online encyclopedia Wikipedia (www.wikipedia.com) has exploded in popularity over the last year. The Internet traffic-measurement firm Nielsen//NetRatings found that Wikipedia had more than tripled its monthly readership in September from the same month in 2004. September may have been a month of especially heavy usage for Wikipedia: the site does better during major news events, and September saw both the aftermath of Hurricane Katrina and the confirmation of John G. Roberts Jr. as chief justice of the United States Supreme Court. But Wikipedia's popularity is not limited to periods of big news. Intelliseek, a marketing-research firm that measures online buzz, has found that the term Wikipedia is consistently used by bloggers - about twice as often as the term "encyclopedia" - and showed up in roughly one out of every 600 blog posts last month; it was one of every 3,300 posts in October 2004. "For bloggers, it's almost like a badge of credibility to embed Wikipedia in their blog references," said Pete Blackshaw, chief marketing officer for Intelliseek. "There's something about Wikipedia that confers a degree of respectability, because multiple Web users have converged on it."

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top