Saturday, April 25, 2015

MIRLN --- 5-25 April 2015 (v18.06)

MIRLN --- 5-25 April 2015 (v18.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Cyber attacks upend attorney-client privilege (Bloomberg, 19 March 2015) - "Dear Clients," began the letter that law firm Ziprick & Cramer sent out in late February. "It is almost a daily occurrence that we read about cyber attacks in the news. Unfortunately, on or around January 25, 2015, our firm was the victim of a single cyber attack, by a relatively new variant of a Cryptolocker-type virus." Cryptolocker is a kind of ransomware used to encrypt files so they're unreadable; hackers then demand money to restore the data. A security breach is one of the last things a lawyer wants to admit to a client. But the small firm in Redlands, Calif., faced it head-on, reporting the attack to the FBI and calling on its IT specialist to assess the damage and install safeguards to thwart future attacks. Partner Robert Ziprick says clients have been sympathetic and understand hacking is a problem for lots of businesses. "A lot of them are trying to figure it out, too," he says. Law firms of all sizes are vulnerable. Cybersecurity firm Mandiant says at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011. In 2012, Bloomberg reported that the large Washington firm Wiley Rein was targeted by hackers linked to China's military in connection with a trade dispute it was handling for a maker of solar panels. McKenna Long & Aldridge lost Social Security numbers and other employee data last year when one of its vendors was targeted, the firm reported. Since at least 2009, the FBI, the U.S. Secret Service, and other law enforcement agencies have warned the managing partners of big U.S. firms that their computer files are targets for cyberspies and thieves in China, Russia, and other countries, including the U.S., looking for valuable information about potential corporate mergers, patent and trade secrets, litigation plans, and more. 
"If you're a major law firm, it's safe to say that you've either already been a victim, currently are a victim, or will be a victim," says Chad Pinson, a managing director at Stroz Friedberg, a New York-based cybersecurity firm. "The question is, what are you doing to mitigate it?"

- and -

Wall St. is told to tighten digital security of partners (NYT, 8 April 2015) - Wall Street's oversight of cybersecurity measures at outside firms it does business with remains a work in progress, according to a review by New York State's top financial regulator. A survey of 40 banks found that only about a third require their outside vendors to notify them of any breach to their own networks, which could in turn compromise confidential information of the bank and its customers. Fewer than half the banks surveyed said they conducted regular on-site inspections to make sure the vendors they hire - like data providers, check-processing firms, accounting firms, law firms and even janitorial companies - are using adequate security measures. About half require vendors to provide a warranty that their products and data streams are secure and virus-free. One particular area of concern on Wall Street is the security of large law firms, which not only do regulatory work for banks but also advise on corporate transactions. This year, a cybersecurity team at Citigroup issued an internal report that said law firms were a logical target for hackers because they are rich repositories for confidential data. The report also cautioned bank employees that digital security at many law firms, despite improvements, generally remains below the standards of other industries.

- and -

Miscreants rummage in lawyers' silky drawers at will, despite warnings (The Register, 16 April 2015) - A total of 187 incidents were recorded last year, with 173 firms investigated for a variety of DPA-related incidents, of which 29 per cent related to "security" and a similar 26 per cent related to incorrect disclosure of data. The figures come from a Freedom of Information request by encryption services firm Egress Software Technologies. Hackers target solicitors in order to get their hands on the confidential data of their clients for identity fraud or other reasons. Accountants and other professional services firms are also on the front line of attacks, with cyber-spies as well as profit-motivated criminals all having a pop. Information Commissioner Christopher Graham issued a warning to law firms last August, following a string of data breaches, Computing reports. In addition, professional body the Law Society issued a practice note 12 months ago, warning that the use of cloud computing services in law firms could break the Data Protection Act. Evidently this advice was not put into practice by scores of law offices up and down the UK, and the issue of insecure practices in law firms is far from restricted to Blighty. Recently published US research by incident response outfit Mandiant uncovered that at least 80 per cent of the country's 100 biggest firms had been involved in a breach since 2011. Separate US research revealed that 89 per cent of US law firms use unencrypted email as a primary means of communication. Almost half of American law firms use free, cloud-based file-sharing services like Dropbox for "privileged information", according to LexisNexis Legal & Professional.

- and -

Law firm cyber security and privacy risks (Dan Solove, 23 April 2015) - Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11. This is not time for firms to keep calm and carry on. The proper response is to freak out. In 2009, the FBI issued an advisory that hackers were targeting law firms. In 2011, the FBI began organizing meetings with the managing partners of top law firms to highlight the risks. In 2013, the FBI repeated its warning: "We have hundreds of law firms that we see increasingly being targeted by hackers." As attorney Simone McCormick notes, recent incidents in the past few years have included ones where "hackers stole all client files of a New York law firm, attacked Canadian law firms for industrial espionage and launched a sophisticated phishing attack against a California firm." Law firms are great targets. For fraudsters, law firms offer a gourmet data feast. Law firms have lots of personal data on employees and clients; they often have health data and protected health information (PHI) under HIPAA; they have tons of financial data; and they have very sensitive information about the corporate strategies, trade secrets, and business transactions of their clients. Law firms have information that could be deeply embarrassing to clients, as well as an array of data that could be used for corporate espionage, or for gaining secret insights into litigation and deals that can be used to buy and sell securities. * * * Law firms have lagged behind other industries when it comes to data protection.
Although a number of firms have developed great programs, other law firm privacy and security programs lack all the elements of the programs that many companies in other industries have. A few years ago, the head of the cyber division in the New York City office of the FBI stated: "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it's a much, much easier quarry." Also as cybersecurity law expert Vincent Polley has noted, many law firms might not even realize that they've been hacked.

Do employers own LinkedIn groups created by employees? (Venkat Balasubramani, 4 April 2015) - Simms worked for plaintiff CDM Media but switched jobs to work for Box, allegedly one of plaintiff's larger customers. Plaintiff alleges that Simms violated a non-compete and misappropriated its trade secrets. Among other issues, plaintiff sought control of a "LinkedIn group" because both the group's membership and the communications' contents were allegedly its trade secrets. The court declines to grant the motion to dismiss: * * *

Online test-takers feel anti-cheating software's uneasy glare (NYT, 5 April 2015) - Before Betsy Chao, a senior here at Rutgers University, could take midterm exams in her online courses this semester, her instructors sent emails directing students to download Proctortrack, a new anti-cheating technology. "You have to put your face up to it and you put your knuckles up to it," Ms. Chao said recently, explaining how the program uses webcams to scan students' features and verify their identities before the test. Once her exam started, Ms. Chao said, a red warning band appeared on the computer screen indicating that Proctortrack was monitoring her computer and recording video of her. To constantly remind her that she was being watched, the program also showed a live image of her in miniature on her screen. As universities and colleges around the country expand their online course offerings, many administrators are introducing new technologies to deter cheating. The oversight, administrators say, is crucial to demonstrating the legitimacy of an online degree to students and their prospective employers. Some schools use software that prevents students from opening apps or web browsers during online exams. Others employ services with live exam proctors who monitor students remotely over webcams. But the rise of Proctortrack and other automated student analysis services like it have raised questions about where to draw the line, and whether the new systems are fair and accurate.

Government keeps its eyes on the road with invasive license plate reader program (CDT, 6 April 2015) - On April 2, the Department of Homeland Security (DHS) released a Privacy Impact Assessment (PIA) that describes how the DHS Immigration and Customs Enforcement (ICE) - including ICE's primary investigative offices, Enforcement and Removal Operations and Homeland Security Investigations - will find the present and past location of drivers by accessing a massive private database of vehicle location information. The program raises serious privacy concerns, with the specter of individuals' location data being collected on a mass scale, stored for a prolonged period, and used without effective restrictions. According to the PIA, both fixed and mobile license plate readers record license plate number, a digital image of the license plate, the vehicle's make, model, and state of registration, GPS location, a time stamp, and sometimes "the environment surrounding a vehicle, which may include drivers and passengers." A private company - probably Vigilant Solutions, which has amassed a database of 2.5 billion license plate location records - will hold the data. ICE can then use license plate numbers to query a database, and provide a "hot list" of license plate numbers under surveillance to the private company so that when there is a hit on one of those numbers, ICE will receive immediate notice of the location of the license plate. Queries can uncover all recorded sightings of a license plate for the previous five years, or as far back as the statute of limitations for the crime being investigated. The program raises alarming privacy concerns. For years, CDT, other civil society groups, and a broad range of companies in the private sector have worked in the Digital Due Process coalition to establish a warrant requirement for location information generated by cell phone use.
As CDT noted last November in its brief to the 11th Circuit arguing that the government must obtain a warrant to gain access to cell-site location information, location data can be highly revealing of sensitive, personal information. Location data can be used to determine one's political and religious affiliation, medical conditions, work activities, and romantic interactions, as well as map a pattern of one's movements and associations. The program also appears to circumvent an important developing legal norm regarding location privacy. As a result of court rulings and legislative action, 12 states now require a warrant for police to demand location data generated in connection with use of a wireless communication device. This rapid trend as well as the Supreme Court's landmark ruling in U.S. v. Jones indicates the entire country may soon follow this rule. The government's response to such an expansion of Fourth Amendment rights cannot be to evade the requirement of independent review by mining license plate location information maintained by a third party; it should have to obtain a warrant or other judicial authorization in order to do so.

Lawyer can use client's Facebook account to serve husband with divorce summons, judge says (ABA Journal, 6 April 2015) - A New York lawyer can use a client's Facebook account to serve her elusive husband with a divorce summons, a judge has ruled. "This transmittal shall be repeated by plaintiff's attorney to defendant once a week for three consecutive weeks or until acknowledged," wrote Manhattan Supreme Court Justice Matthew Cooper. The target of the court paperwork, Victor Sena Blood-Dzraku, lives separately from his wife. Although he is in touch with Ellanora Baidoo by Facebook and telephone, he has refused to provide her with his home or work location or make himself available for service voluntarily, reports the New York Daily News.

NY cops used 'Stingray' spy tool 46 times without warrant (Wired, 7 April 2015) - The police department in Erie County, New York fought hard to prevent the New York Civil Liberties Union from obtaining records about its use of a controversial surveillance tool known as a stingray. The reason why may be because of what the records show: that cops in that county, which includes the city of Buffalo, used the devices 47 times since 2010 but only once sought and obtained a court order to do so. That revelation contradicts what the county sheriff said last year when he asserted that the department only used the devices under "judicial review." In the single case in which police sought permission from a court, they asked for a court order rather than a warrant, which carries a higher burden of proof. And in their request, they mischaracterized the true nature of the tool. The records, which the NYCLU published in a blog post today, also show that the county sheriff's office signed a stringent gag order with the FBI to maintain secrecy about their stingray records. The department was told to withhold information about the devices in any documents filed with courts, such as affidavits and other documents describing how they obtained evidence in criminal cases. The department was even told that the FBI maintained the right to intervene in county prosecutions to request criminal cases be dismissed if there was a chance that a case might result in the disclosure of information about law enforcement's use of stingrays.

DEA sued for snooping on international phone calls (Computerworld, 8 April 2015) - The U.S. Drug Enforcement Administration's logging of international phone calls made from the U.S. was illegal, advocacy group Human Rights Watch has alleged in a lawsuit filed late Tuesday. The DEA and the U.S. Department of Justice ran the secret snooping program for decades without judicial oversight, logging "virtually all telephone calls" from the U.S. to as many as 116 countries linked to drug trafficking, according to a USA Today report. The program did not record the content of the calls and was used to fight drug trafficking. This is yet another government bulk surveillance program used for untargeted and suspicionless surveillance of U.S. citizens, affecting millions of innocent people, said the Electronic Frontier Foundation (EFF), which represents Human Rights Watch in the legal action. The program, said to have been run by the DEA's special operations division, reportedly began logging phone calls in bulk in 1992 but was suspended in September 2013 after the outrage over the U.S. National Security Agency's surveillance programs. This lawsuit, filed with the U.S. District Court of the Central District of California, seeks to ensure the program is permanently terminated, that it cannot restart, and that all of Human Rights Watch's illegally collected records have been purged from all government systems, the EFF said. According to the suit, the DEA disclosed the existence of the program in January when a federal judge ordered the government to reveal more information about it as part of a criminal case against a man accused of violating export restrictions on goods to Iran. The DEA's disclosure showed that it relied on administrative subpoenas to amass the database of call records, the EFF said, adding that the records were obtained without judicial oversight or approval.

Knowledge Management in mergers and acquisitions (KnoCo, 10 April 2015) - Knowledge management delivers maximum value when applied to high value knowledge, to support high value decisions, and in areas where that knowledge is otherwise at risk of being lost. A typical high value area where major decisions will be made is Mergers and Acquisitions. Mergers and Acquisitions are high cost, complex operations, where crucial decisions need to be made very well, and yet which happen relatively rarely, so it is easy for tacit knowledge to be lost. People caught up in the high pressure activity can easily forget the detail of how the decisions were made, and fail to pass the knowledge on to future mergers and acquisitions teams. This combination of high value decisions made relatively infrequently, so that human memory alone cannot be relied on as a knowledge store, means that there is great value on documenting the learning for use in future mergers and acquisitions. In addition, many mergers and acquisitions are conducted for knowledge reasons, in order to acquire competence and capability. The approach to KM for Mergers, Acquisitions and Divestments would be as follows: * * *

Neutrality groups diss government web 'blocking' (Multichannel, 10 April 2015) - The U.S. International Trade Commission has asserted the authority to block Internet transmissions, according to some net-neutrality advocates who are crying foul over the decision. In a letter Friday (April 10) to the ITC, 28 organizations and individuals took issue with a decision by the commission last fall concluding that the ITC's authority to prevent the importation of infringing products extended to digital models, data and treatment plans for dental appliances. The groups were a Who's Who of net-neutrality fans including the ACLU, Free Press, Fight for the Future and Public Knowledge. They said they were concerned about the precedent of finding that transmission of digital data was an importation of articles subject to the ITC's authority to block. Preventing the blocking of content by ISPs was one of the FCC's chief arguments for imposing its new Open Internet rules, but here it is a federal agency that is asserting the authority to block.

For art's sake! Photoing neighbors with zoom lens not a privacy invasion (Ars Technica, 13 April 2015) - An artist who hid in his apartment's shadows and deployed a telephoto lens to photograph his neighbors through their glass-walled apartment is not liable for invading their privacy, a New York state appellate court has ruled. The appeals court called it a "technological home invasion" but said the defendant used the pictures for art's sake. Because of that, the First Department of the New York Appellate Division ruled Thursday in favor of artist Arne Svenson, who snapped the pics from his lower Manhattan residence as part of an art exhibit called "The Neighbors." * * * The appeals court said that beginning in 2012, Svenson, whose works have appeared in museums and galleries in the United States and Europe, began "hiding himself in the shadows of his darkened apartment" to snap the pictures of his neighbors. Svenson's exhibit was displayed in galleries in Los Angeles and New York. Some of the subjects' faces were obscured, but some of the children's faces were not. The promotional materials on Svenson's website said that for his subjects, "there is no question of privacy; they are performing behind a transparent scrim on a stage of their own creation with the curtain raised high."

Social media arbitration clauses and fairness (MLPB, 14 April 2015) - Thomas H. Koenig, Northeastern University and Michael L Rustad, Suffolk University Law School, have published Fundamentally Unfair: An Empirical Analysis of Social Media Arbitration Clauses at 65 Case Western Reserve Law Review 341 (2014). Here is the abstract: Our systematic examination of 329 of the world's largest social media providers reveals that 29 percent of these providers require users to submit to predispute mandatory arbitration as a condition of using their services. Forced consumer arbitration clauses are principally a U.S. phenomenon. Forty-two percent of the 188 U.S.-based social media providers contain forced arbitration clauses -- in sharp contrast to only 13 percent of the 141 providers headquartered in foreign nations. Forty of the social networking websites (SNS) specify the American Arbitration Association (AAA) as the provider and nineteen specify JAMS, the two largest arbitration companies. We compare the fifty-nine social media terms of use (TOU) against the due process fairness tests that have been adopted by these two providers to mitigate the inevitable power imbalance in consumer arbitration proceedings. Our central finding is that the arbitration clauses of providers that specify the AAA and JAMS clearly fail the majority of the provisions of these two arbitral providers' consumer due process fairness tests. Arbitration clauses employed by social media have numerous "gotcha" provisions such as hard damage caps that place an absolute dollar limit on recovery that is significantly below the cost of filing an arbitral claim with either the AAA or JAMS. Our secondary analysis of AAA and JAMS arbitration reports establishes that consumer arbitration agreements have a deterrent effect, blocking all but a handful of social media users from filing claims. In effect, social media providers, encouraged by the U.S. 
Supreme Court's endorsement of mandatory consumer arbitration, have constructed a liability-free zone where social media users have rights without remedies if social media providers breach their TOU, invade their privacy, or infringe their intellectual property rights. These aggressive arbitration clauses are unlikely to be enforced in the European Union, or even accepted by the most commonly specified arbitral providers, so social networking sites need to draft more balanced TOU that pass due process fundamental fairness rules.

Court shoots down carpet cleaner's demand to unmask Yelp reviewers (Ars Technica, 16 April 2015) - Can users of review sites like Yelp bash a business but remain anonymous? Unless a business can show a court from the outset that they have strong evidence the statements are false and defamatory, the user's identity will usually be protected. Yelp says it gets about six subpoenas a month seeking user identities, often from businesses who want to sue anonymous reviewers. One closely watched Virginia case about reviewer anonymity has now been resolved. The anonymous reviewers won, although not on the grounds free speech advocates had hoped for. In 2012, Joe Hadeed, who runs a carpet-cleaning business in Springfield, Virginia, filed a lawsuit over a set of reviews he believes were fraudulent, perhaps posted by his competitors. Last year, he told The Wall Street Journal he couldn't match the reviews to records he had regarding his actual customers. Hadeed sued three Yelp users, identifying them only as "John Does" and sending Yelp a subpoena asking for the reviewers' identities. Yelp refused and fought it out in court. Both a state circuit court and an appeals court ordered Yelp to hand over the users' information, finding the site in contempt. Last year, Yelp appealed to the state's supreme court, and well-known First Amendment lawyer Paul Levy took the company on as a client. Today, the Virginia Supreme Court issued its ruling (PDF) in favor of Yelp, finding that the company doesn't have to disclose any user information, because the lawsuit shouldn't have been filed in Virginia in the first place. The court's decision to focus solely on the issue of jurisdiction means that the more important public policy argument-whether the Yelp reviewers have a right to anonymous speech in this case-goes unaddressed.

With judge analytics, Ravel Law starts to judge the judges (Tech Crunch, 16 April 2015) - From murder and terrorism to patent conflicts and sexual discrimination lawsuits, courtrooms are home to some of the most important dramas in our society. While our top retailers can identify people who are pregnant weeks before even the consumer has realized it themselves, lawyers continue to argue cases before judges with data based on a handful of anecdotes from other attorneys. Ravel Law hopes to bring some big data magic to the courtroom, and perhaps improve our justice system along the way. The startup launched their Judge Analytics platform today. The idea is to provide comprehensive insights on every judge in the country, allowing lawyers to research the best strategies for their client before they file a lawsuit or argue a motion before a judge. Armed with better insights, lawyers can then provide their clients with better services, and at a cheaper cost too. While judges are often popularly conceived as objective arbiters of the truth, the reality is that every judge is a human being, a product of their own experiences and biases. "No two judges are exactly alike," Nicholas Reed, a co-founder and CEE (Chief of Everything Else) of Ravel Law, says. The specific judge and even the specific timing of a trial can have a disproportionate effect on the outcome of a trial. Some general insights are already well-known in the industry. For instance, patent trolls often file their lawsuits in East Texas, since those courts have proven to be quite amenable to those sorts of cases. As another example, a study of Israeli parole hearings found that cases held earlier in the day had a massive advantage of receiving a favorable ruling compared to cases held right before lunch. But these sorts of insights are often too general purpose, and don't provide the kind of granular insights that can really aid in a case.
Daniel Lewis, the other co-founder and CEO of Ravel Law, explains that the day-to-day job of a lawyer is often much more focused. "Should we bother to apply to a judge for a particular motion? When would a judge make a favorable decision for people in our shoes?"

Cybersecurity: another Verizon report & more (CorporateCounsel.net, 17 April 2015) - Like last year, Verizon has put out a new "2015 Data Breach Investigations Report." This year's Verizon report is 69 pages, with a host of useful information as it relies on over 80,000 incidents from 70 organizations for its analysis. Also check out our checklists related to incident response planning, disclosure practices and risk management - as well as a chart of state laws related to security breaches.

FBI can't cut Internet and pose as cable guy to search property, judge says (Ars Technica, 18 April 2015) - A federal judge issued a stern rebuke Friday to the Federal Bureau of Investigation's method for breaking up an illegal online betting ring. The Las Vegas court frowned on the FBI's ruse of disconnecting Internet access to $25,000-per-night villas at Caesar's Palace Hotel and Casino. FBI agents posed as the cable guy and secretly searched the premises. The government claimed the search was legal because the suspects invited the agents into the room to fix the Internet. US District Judge Andrew P. Gordon wasn't buying it. He ruled that if the government could get away with such tactics like those they used to nab gambling kingpin Paul Phua and some of his associates, then the government would have carte blanche power to search just about any property. "Permitting the government to create the need for the occupant to invite a third party into his or her home would effectively allow the government to conduct warrantless searches of the vast majority of residents and hotel rooms in America," Gordon wrote in throwing out evidence the agents collected. "Authorities would need only to disrupt phone, Internet, cable, or other 'non-essential' service and then pose as technicians to gain warrantless entry to the vast majority of homes, hotel rooms, and similarly protected premises across America." The government had urged the court to uphold the search, arguing that it employs "ruses every day in its undercover operations." (PDF) The government noted that US judges have previously upheld government ruses to gain access into dwellings. In 1966, the Supreme Court authorized an agent to pose as a drug buyer to get consent to go inside a house. In 1980, an agent posing as a drug dealer's chauffeur was upheld. Seven years later, agents posed as real estate investors to access a bedroom and closet of a suspect.
And in 1989, an agent posed as a UPS delivery man to get inside a drug house, the government argued. But operatives posing as gas company or water district workers seeking permission to enter the premises to check for leaks were deemed illegal searches. That's because the occupants provided "involuntary" consent to enter because they were duped into believing a life-threatening emergency was afoot, Phua's defense pointed out.

'Nonmedia' speakers don't get full First Amendment protection, rules a Texas Court of Appeals panel (Eugene Volokh, 20 April 2015) - Do First Amendment protections - for instance, the various rules that protect libel defendants - apply to all speakers? Or are some of them limited to members of "the media," however that might be defined? As I've explained before, the great majority of precedents say that "the freedom of the press" extends to all who use mass communications, and that freedom of speech offers the same protection to speakers who use non-mass communications. The freedom of the press is the freedom for all who use the printing press and its technological descendants - not just a freedom for a specific industry or profession, such as the media or professional journalists. This was the nearly unanimous view until about 1970; and even since then, it has been the view of the great majority of lower court precedents, and no Supreme Court precedent takes the contrary view. Indeed, the Citizens United decision expressly stresses that "We have consistently rejected the proposition that the institutional press has any constitutional privilege beyond that of other speakers." This having been said, the Supreme Court did flag the question as unresolved in several libel cases from the late 1970s to 1990, and a few lower court precedents do conclude that the Supreme Court's case law protecting libel defendants applies (in whole or in part) only to media defendants. I'm sorry to say that a Texas Court of Appeals panel just joined this small minority, in the April 9 Cummins v. Bat World Sanctuary decision. * * * [Polley: the rest of the post is quite interesting.]

Whose number is this? Facebook launches a new app to combat the mysterious incoming call (Re/code, 22 April 2015) - Facebook probably knows a lot about you - and it probably knows a lot about the mystery people ringing your phone, too. The company launched a new app on Wednesday intended to solve the case of the mysterious incoming call. The app, which is called Hello and is only available on Android, uses data from Facebook to tell you who's blowing up your phone. Of course, the feature will only work if the caller has shared his number with Facebook, and if you would normally be able to see that information. For example, if you share your number publicly, people with Hello downloaded will know it's you calling even if they don't have you as a contact. Conversely, if you only share your number with Friends, those are the only people who will see that it's you when you call. You can also block numbers easily, so if there's a reason you've never shared your phone number with old Facebook Friends from high school, you can still keep them from calling.


Man is jailed for refusing to turn over Facebook and Twitter passwords in business bankruptcy case (ABA Journal, 22 April 2015) - Jeremy Alcede personally maintained the Facebook and Twitter accounts for his former Texas gun store and shooting range. He thought of them as his own, and didn't hesitate to inject his political views as he publicized Tactical Firearms in Katy. But a federal bankruptcy judge disagreed, and ordered Alcede to turn over the passwords to the new operator of the gun store, finding the social media accounts to be business assets even though Alcede has removed the Tactical Firearms moniker and substituted his own, according to the Houston Chronicle. Alcede refused and was jailed for contempt. He has been held since April 9 in solitary confinement. "He holds the key to his jail cell," said Chief U.S. Bankruptcy Judge Jeff Bohm during a Friday hearing in the Houston case, noting that Alcede will be released when he tells U.S. Marshals that he will turn over the passwords. "I don't think I'm doing my job as a judge if I don't enforce my own orders." Attorney Leif Olson represents Alcede and says the ruling that the accounts are business assets is mistaken, an earlier Houston Chronicle article reports. Olson also says his client was willing to go to jail to prevent the government from silencing the views that Alcede has been presenting to some 11,000 followers via the Internet. "If Steve Jobs posted on Twitter or would have put on Facebook his political observations, his statements about the state of the world and occasional mentions about things going on at Apple, that would be personal, not corporate," said Olson. The unusual case is one of the first in which a bankruptcy court has classified social media accounts as property of a business, the Chronicle says.


The digital future: How museums measure up (NYT, 23 April 2015) - The digital future continues to unfold at American art museums. The best recent innovations have been gathered in a new report, "Next Practices in Digital and Technology," that the Association of Art Museum Directors is set to release on Friday. The report describes 41 museum projects that use digital technology to engage visitors, make collections more accessible and understandable or improve museum operations like ticketing and collections management. The projects cover a wide range. The Nasher Sculpture Center in Dallas is compiling a digital census of French sculpture in the United States that will be available as an internet portal. Working with 280 museums, the center has compiled records of 7,000 works made between 1500 and 1960 that can be found in public collections, museums, historic homes, and public spaces. The center estimates that it will add another 8,000 to 13,000 works before the project is completed in 2019. The Worcester Art Museum in Massachusetts has replaced the traditional wall labels in its renovated Baroque galleries with iPads that present not only traditional curatorial information but also alternative labels written by area college students, religious leaders and educators, with an invitation for visitors to write their own labels. More whimsically, the Peabody Essex Museum in Salem, Mass., designed an interactive web app for its 2014 exhibition "Turner and the Sea." Called "Turner's Apothecary Mood-o-Meter," the app quizzes visitors to gauge their mood, using concepts out of a 19th-century apothecary, and then "prescribes" a specific Turner painting to look at.


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Really open source (Inside Higher Ed, 29 July 2005) -- Few projects in academe have attracted the attention and praise in recent years of OpenCourseWare, a program in which the Massachusetts Institute of Technology is making all of its course materials available online - free - for anyone to use. In the four years since MIT launched the effort, use of the courseware has skyrocketed, and several other universities have created similar programs, assembling material from their own courses. With less fanfare than MIT, Rice University has also been promoting a model for free, shared information that could be used by faculty members and students anywhere in the world. But the Rice program - Connexions - is different in key respects. It is assembling material from professors (and high school teachers) from anywhere, it is offering free software tools in addition to course materials, and it is trying to reshape the way academe uses both peer review and publishing. The project also has hopes of becoming a major curricular tool at community colleges.


Lloyd's taking on open source IP risk (Register, 12 August 2005) -- Lloyd's of London is close to offering independent insurance protection worldwide against potential IP litigation involving Linux and open source software. The financial services giant has agreed to take on the risk associated with open source, and is finalizing arrangements to work through Open Source Risk Management (OSRM) who will become Lloyd's sole US representative. OSRM will assess both the risk of the software in use and the individual company, before passing on the risk to the appropriate insurance company on the Lloyd's market. OSRM expects to announce the first customers this Fall, and will initially charge organizations $60 per server. The partnership between OSRM and Lloyd's will be vendor independent, differing from many of the existing intellectual property (IP) protection programs that are primarily designed to ward off attack from the litigious SCO Group. Red Hat, Hewlett Packard and Novell in January 2004 all announced separate protection for customers using their Linux products. JBoss in April this year announced indemnification for its middleware, including JBoss application server, Cache and Hibernate object relational mapping technology.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Friday, April 03, 2015

MIRLN --- 15 March – 4 April 2015 (v18.05)

MIRLN --- 15 March - 4 April 2015 (v18.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


Turning data into powerful visualizations of Detroit (Zuckerman @ Berkman, 11 March 2015) - What's a "holy shit visualization?" It's a way of looking at data that turns a statistic you might have flipped past in a book or skimmed by on a web page into something that you can't forget. It's a visceral reminder of the power of images and the power of looking at dry numbers in human terms. For Mike Evans, the map below was a holy shit visualization. Properties in yellow are in tax distress. Those in orange are under tax foreclosure. Those in red have been foreclosed. In 2014, 50 percent of properties in the city of Detroit were in danger of foreclosure, being foreclosed, or owned by the city. That's a frightening statistic. But seeing what it looks like on the map makes the scale of the problem more visceral. * * * [graphic] Evans knew this was a powerful visualization when he took the map to the county treasurer, who had his own "holy shit" moment seeing the data. Mike asks, "What does it mean when the county treasurer doesn't know this? What does this mean for a homeowner who's far more removed from this information?" Evans is senior developer with Loveland Technologies, a for-profit technology consultancy in Detroit, Mich., that focuses on mapping land ownership in cities, especially in Detroit. He visited Center for Civic Media at the MIT Media Lab to talk about the community mapping work he and his team have taken on in Detroit and around the U.S. Loveland is a project started by Jerry Paffendorf, who had the clever idea of selling distressed properties in Detroit one square inch at a time. Detroit auctions thousands of properties at a time, and properties that don't sell for outstanding taxes begin auctioning for $500 apiece. 
Paffendorf bought some of these properties and started selling them off via Kickstarter for a dollar per square inch (one of the first Kickstarters ever started), and Loveland Technologies got its start building a map that let people see their property ownership, much as the Million Dollar Homepage allowed advertisers to see their online presence purchased a pixel at a time.


To satisfy clients, law firms submit to cybersecurity scrutiny (American Lawyer, 12 March 2015) - In an effort to satisfy clients concerned about possible security breaches, at least 10 Am Law 200 firms and two Magic Circle firms have attained a special certification to demonstrate they're taking steps toward protecting their documents and communication systems, and at least 21 more are in the process of seeking certification, with some consultants speculating that even more will be certified by the end of the year. Businesses of all types can receive the certification, called ISO 27001, if they meet an international cybersecurity standard, but consultants who help companies get certified say that in the past year they've been inundated with inquiries from law firms. "What ISO 27001 represents is the only baseline that corporate trading partners - any business entities exchanging information - have as a reference for what they expect in security execution," says Jeffrey Ritter, a former practicing lawyer who now teaches courses on information technology at the University of Oxford, the University of Georgetown Law Center and Johns Hopkins University Whiting School of Engineering. According to a post on the International Legal Technology Association's website, at least 18 law firms have been certified as of last December, including Magic Circle firms Allen & Overy and Clifford Chance. Ten are Am Law 200 firms, including Paul, Weiss, Rifkind, Wharton & Garrison, Sullivan & Cromwell, Simpson Thacher & Bartlett and White & Case, as well as Milbank, Tweed, Hadley & McCloy and Ropes & Gray, which were expected to be certified by February. Another 23 firms are listed as working towards or investigating certification, 21 of which are Am Law 200 firms, including Cleary Gottlieb Steen & Hamilton, Skadden, Arps, Slate, Meagher & Flom, Debevoise & Plimpton and Davis Polk & Wardwell.


- and -

Law firm infected by Cryptolocker variant (Ride the Lightning, 16 March 2015) - California law firm Ziprick and Cramer sent a letter to clients on February 27th advising them that on or around January 25, 2015, the firm was infected by a new variant of the Cryptolocker virus which infected one of their workstations (encrypting its data) and then traveled to the server where data was encrypted on shared folders. The firm indicated that its backup was intact. Though a ransom demand had not yet been made, the firm said it would not pay any ransom "which would only encourage and fund such criminals in their illegal activities." The firm reported the cyberattack to the FBI and offered clients one year of free credit monitoring.


- and -

New York Fed forms team focused on cybersecurity threats (Bloomberg, 24 March 2015) - The Federal Reserve Bank of New York has formed a team dedicated to cybersecurity threats, according to the bank's top regulator. "We have elevated our efforts in recent months and have formed a dedicated team focused on further strengthening our overall supervisory approach to cybersecurity," Sarah Dahlgren, the New York Fed's head of supervision, said in prepared remarks delivered to a conference in New York today.


- and -

Citigroup report chides law firms for silence on hackings (NYT, 26 March 2015) - Every month it seems another American company reports being a victim of a hacking that results in the theft of internal or customer information. But the legal profession almost never publicly discloses a breach. The unwillingness of most big United States law firms to discuss or even acknowledge breaches has frustrated law enforcement and corporate clients for several years. That frustration bubbled over in a recent internal report from Citigroup's cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms. "Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise," according to the report, a copy of which was reviewed by The New York Times. The report, issued last month, said it was reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies. The report said bank employees should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries. It said law firms were at "high risk for cyberintrusions" and would "continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications." The Citigroup team issued the report as other Wall Street banks are putting pressure on the legal profession to do more to prevent the theft of confidential client information. For nearly a year, banks and law firms have talked about forging a closer partnership to share some information about hacking incidents. 
Banks are also demanding more documentation from law firms about online security measures as a condition of retaining them for assignments. In the last several months, Mandiant, the security firm that is a division of the security consultant FireEye, has been advising a half-dozen unidentified law firms that were victims of a breach or other attack, said a person briefed on the matter who spoke on the condition of anonymity.


IU Media School professor's paper was influential in FCC net neutrality decision (Indiana U, 16 March 2015) - After months of public and political debate, the Federal Communications Commission voted on Feb. 26 to regulate the Internet in the same way as it does "telecommunications services" under Title II of the 1934 Communications Act. * * * The FCC's declaratory ruling frequently cites and relies on the analysis of Cherry and Jon Peha, a professor in the departments of engineering and public policy and of electrical and computer engineering at Carnegie Mellon University. This is significant when you consider that more than 4 million comments were filed in this proceeding - the most in the history of the FCC. Cherry and Peha co-authored an influential paper, "The Telecom Act of 1996 Requires the FCC to Classify Commercial Internet Access as a Telecommunications Service," which was filed with the FCC in late December. The paper was cited and directly quoted 10 times in the ruling. Importantly, Cherry and Peha's analysis integrates technical and legal perspectives to explain how providers offer broadband Internet access services with the commercial and technical functionalities of telecommunications services. Cherry formerly worked for the FCC as senior counsel in the Office of Strategic Planning and Policy Analysis. Peha is a former chief technologist for the FCC. Also actively researching the issue have been Julien Mailland, an assistant professor of telecommunications, and Matt Pierce, a lecturer in The Media School who also serves as state representative.


Measuring innovation (Patently-O, 16 March 2015) - A new business article on "measuring innovation" notes that 50% of firms investing in R&D are not patenting the results of their research. The main thrust of the article is that, because so many firms are avoiding the patent system, patents do not make sense as a broad measure of innovation. Their solution is to use the Research Quotient (Prof Knott's measure of optimal research output based upon various financial outputs) as a better measure. See Cooper, Knott, and Yang, Measuring Innovation (March 2, 2015). Available at SSRN: http://ssrn.com/abstract=2572815 or http://dx.doi.org/10.2139/ssrn.2572815.


The Righthaven debacle, 5 years later (Eric Goldman, 17 March 2015) - You probably recall Righthaven, the now-defunct copyright enforcement entity (some might call it a copyright troll) that purchased newspapers' copyrights so it could sue small-time bloggers who republished articles; after suing, it would demand financial settlements the bloggers couldn't afford. Steve Green, a reporter at the Las Vegas Sun newspaper, tirelessly chronicled Righthaven's waxing and waning. To "celebrate" the five year anniversary of Righthaven's launch, Green has posted a lengthy retrospective (with his now-employer, the Orange County Register). Some of the best tidbits from the article:

(1) Everyone associated with Righthaven avoided discipline by the Nevada bar regulators. Say what? I don't have all of the facts, but based on what I saw, this is incredible. Numerous judges harshly criticized Righthaven's litigation tactics (see, e.g., this benchslap using words like "flagrantly false," "disingenuous," "deceitful," "brazen" and "egregious"), and I thought there was a chance some lawyers would lose their licenses for their involvement in this scheme. Instead, not even a single public reprimand. Wow. Exactly what does it take to violate Nevada's ethics rules? (2) the purported class action of Righthaven victims fizzled out with Righthaven's demise. (3) Steve Gibson, Righthaven's principal, is still practicing law in Nevada. Indeed, he self-describes himself as "one of the premier business and intellectual property attorneys practicing in Las Vegas." This makes me wonder: do his prospective clients not Google him??? (4) The mom of Colleen Lynn, an anti-Righthaven activist, called Righthaven's campaign "legal terrorism."

* * * [Polley: As usual, the rest of Eric's posting is worth reading.]


You can now see analytics for US government websites (Mashable, 19 March 2015) - The White House on Thursday introduced a publicly available analytics dashboard that keeps tabs on traffic stats from 3,800 government websites. In the dashboard, website analytics for some of the most-trafficked government sites are available in real time. At any given moment, you can see which websites are most popular - right now the IRS' "Where's My Refund?" page tops the list - and how many people are visiting these pages. The project is open source, and the code for the site and its reporting tool is available to those who want to take advantage of the data for their own projects. While open-source data may sound like an unexpected move for Uncle Sam, it will be an increasing area of focus for Digital Services as the Obama administration looks to expand the team in 2016, according to Charles Worthington, a developer with the agency.


"Open Well-Tempered Clavier" project complete; score and recording online (Slashdot, 19 March 2015) - Open source music notation software MuseScore, and pianist Kimiko Ishizaka, have completed the Open Well-Tempered Clavier project and released a new studio recording and digital score online, under the Creative Commons Zero (CC0, public domain) license. Their previous project, the Open Goldberg Variations (2012), has shown its cultural significance by greatly enhancing the Wikipedia.org article on J.S. Bach's work, and by making great progress in supplying musical scores that are accessible to the visually impaired and the blind. The recording has also received very positive early reviews by music critics. Over 900 fans of J.S. Bach financed this project on Kickstarter.com, where a total of $44,083 was raised.


Corporate culture hinders cyber insurance buy-in (CSO Online, 20 March 2015) - The relatively new field of cyber insurance offers a potentially valuable shield from the financial toll that a data breach can visit on a company, but that market is held back by a lack of information about the threat landscape and a culture in many firms that too often marginalizes cyber issues, a senior government official warns. Tom Finan, senior cybersecurity strategist and counsel at the Department of Homeland Security, has been heading up a review of the cybersecurity insurance industry, looking at ways that the government could help advance the market. In remarks at a recent government IT conference, he suggested that insurance carriers would be more generous in their coverage options with more concrete data about the risks that applicants face. "Perhaps unsurprisingly, companies are not publicly disclosing their own damages from the cyber incidents that they're experiencing. Consequently there's just not enough actuarial data -- yet -- to make these additional categories of first-party coverage more successful," Finan said. "Several of the carriers joining us have told us that big data about cyber incidents could be a potential treasure trove that would aid their efforts immensely." As a result, insurance carriers are commonly underwriting policies based on an assessment of the security culture at the applying company, finding that, despite the steady diet of high-profile breaches, cyber issues remain marginalized within the IT department, rather than being incorporated into a broader enterprise risk management (ERM) framework. And that's a problem, according to Finan. "For many companies, the business case for investing against cyber risk still has not been made. 
With some exceptions, corporate leaders continue to treat cybersecurity as an IT problem separate and apart from the other business risks that they're addressing as part of their overall corporate risk management strategies," he said.


Medical data has become the next cybersecurity target (NextGov, 20 March 2015) - Hackers often carry out massive cyberattacks to gain access to financial data through banks and retail companies, but this week's cybercrime hit a seemingly new target: medical data, taken from the health insurance company Premera Blue Cross. The attack affected 11 million patients, making it the largest cyberattack involving medical information to date. The healthcare industry has been catching hackers' attention lately. In February, the health insurance company Anthem reported a breach in which hackers accessed about 80 million records, and in 2014, the Tennessee-based hospital operator Community Health Systems saw 4.5 million records accessed, though both companies said no medical data was exposed. Even so, as Pat Calhoun, the senior vice president of network security at Intel Security, puts it, the healthcare industry is just beginning to find itself in cyber-criminals' crosshairs, making it slow to shield people's records. Calhoun points out that healthcare breaches aren't unheard of: In fact, according to Intel Security and the Atlantic Council's latest report on cyber risks, about 44 percent of all registered data breaches in 2013 targeted medical companies, with the number of breaches increasing 60 percent between 2013 and 2014. Medical data is also becoming a highly lucrative target. "Financial data has always been a priority, because it's low-hanging fruit," Calhoun says. "But over the past couple of years, we've identified that medical information has a higher value on the black market than credit card information."


The curious (and vital) power of print (NYT's Public Editor, 21 March 2015) - WHO buys the print edition of the newspaper? Just a few Luddites who wouldn't know a smartphone if their horse-drawn buggy crushed it on the cobblestones? Octogenarians and their older brothers? That seems to be the conventional wisdom. On Twitter, Chris Boutet had a funny line recently. "The following is a list of people who still subscribe to newspapers: Journalists, their parents." There's no doubt about the downward trajectory of print. But where, exactly, are we on that path? And how do younger people fit into that picture? I thought it would be worthwhile to find out, since it's bound to affect The Times and its readers. And some of the answers may be surprising. More than 70 percent of all revenue at The Times came from print last year. The biggest share of that is "consumer revenue" from print - almost exclusively, that's from people who buy the newspaper either with a home-delivery subscription or on the newsstand. But print advertising revenue is very important, too. More than a million people still buy the Sunday paper each week. The number has declined to about 1.1 million from 1.8 million at its height in 1993. And about 645,000 people still pay for the daily paper, which has taken the biggest hit. (The daily numbers fell by about 6 percent last year; on Sunday, the number fell by about 3.5 percent.) A lot of younger people buy and read the paper in print. Of all subscribers, 23 percent are in their 20s, 30s and 40s - that's hundreds of thousands each week. And on the opposite side of the spectrum, the typical digital Times subscriber is decidedly not a millennial, wielding her selfie stick and heading off to Coachella. No, the median age of the digital subscriber is a graying (but no doubt Pilates-practicing) 54, not much younger than the median age of the print subscriber, which is 60. What's more, this substantial print crowd, young and old, loves its Times passionately. 
Roland Caputo, the Times executive in charge of print ("It's important that somebody carry the torch for the unsexy part of the operation"), describes the readers' passion in simple terms. "Print readers love print," he told me. "The affinity they have for it is astronomical." A major Times research project on readership last summer made that clear. [Polley: I love the NYT in print, but only read The New Yorker on my iPad and cancelled my 25-year Atlantic subscription because of their mangled e-reader implementation. Color me ambivalent.]


- and -

Publishers a la New York Times to publish on Facebook directly (Kevin O'Keefe, 23 March 2015) - The New York Times reports today that publishers, including the New York Times itself, are on the verge of publishing directly on Facebook. Rather than users clicking from Facebook to content on third party sites, such as the Times, Facebook would host the content directly on its social network site. Though such a plan may improve the Facebook user's experience with speed to the content (no click through), the idea is not without its problems for publishers. Such a plan would represent a leap of faith for news organizations accustomed to keeping their readers within their own ecosystems, as well as accumulating valuable data on them. Historically, Facebook has not shared advertising revenue with publishers. "We'll send you traffic and you, as the publisher, sell ads based on increased website traffic." With this new plan, Facebook has expressed a willingness to share ad revenue. They'd have to as Facebook would control the entire atmosphere, no one would be leaving Facebook to go to the publisher's site. The whole idea of Facebook doing your publishing has to be scary as heck for publishers. As The New York Times' David Carr (now deceased), wrote on this subject last fall: For publishers, Facebook is a bit like that big dog galloping toward you in the park. More often than not, it's hard to tell whether he wants to play with you or eat you.


US customs testing facial recognition at Dulles airport (PCmag, 22 March 2015) - If you're a frequent international traveler, and you find yourself flying into Washington, D.C.'s Dulles airport a lot, then your headshot might start showing up in a government database. You haven't done anything wrong - at least, we hope not - but odds are good that you might be randomly selected for a quick picture. According to Motherboard, U.S. Customs and Border Protection rolled out a new initiative starting March 11, whereby random Americans entering the U.S. might get their headshots taken as part of a new program designed to ferret out potential imposters. "The operational goals of this pilot are to determine the viability of facial recognition as a technology to assist CBPOs in identifying possible imposters using U.S. e-passports to enter the United States and determine if facial recognition technology can be incorporated into current CBP entry processing with acceptable impacts to processing time and the traveling public while effectively providing CBPOs with a tool to counter imposters using valid U.S. travel documents," reads U.S. Customs and Border Protection's official "Privacy Impact Assessment" document. If you're the lucky recipient of a free headshot, a customs officer will run a software analysis of your picture and compare it against the picture of you that's stored on your e-passport's data chip. A score will be generated based on the similarities (and differences) - if you don't match, that might clue in the customs officer that some additional steps could be necessary to confirm that you're really you. It won't give you a green flag through customs if you pass, and it's not necessarily going to be a red flag if your new look doesn't match your passport photo.


- and -

The rise of the Cryptopticon (Siva Vaidhyanathan in The Hedgehog Review, Spring 2015) - Consider two American films, twenty-four years apart, both starring Gene Hackman as a reclusive surveillance expert. The difference between the work done by Harry Caul, the naive, emotionally stunted private investigator played by Hackman in Francis Ford Coppola's 1974 film The Conversation, and the work done by Edward Lyle, the disaffected, cynical former spy Hackman portrays in the 1998 Tony Scott film Enemy of the State, is more than a matter of the tools they use. Caul uses audio and video surveillance to investigate private citizens, while Lyle deftly deploys the digital tools and techniques that have come to characterize our era of total surveillance. We learn that before choosing to go "off the grid," Lyle did high-level work for either a government organization like the National Security Agency or a private contractor working for the NSA. (The exact truth is never fully revealed.) Lyle seems to be Caul a quarter century later, with a new name, a deeper sense of nihilism, but the same aversion to sharing information with others. * * * [Polley: Nice compare-and-contrast use of the 2 films to illuminate the current condition, and the surveillance state. We're so past "1984", and when these tools are misused we'll be helpless.]

QVC can't stop web scraping (Eric Goldman, 24 March 2015) - Although scraping is ubiquitous, it's not clearly legal. A variety of laws may apply to unauthorized scraping, including contract, copyright and trespass to chattels laws. ("Trespass to chattels" protects against unauthorized use of someone's personal property, such as computer servers). The fact that so many laws restrict scraping means it is legally dubious, which makes a scraper's recent courtroom win especially noteworthy. QVC is the well-known TV retailer. Resultly is a start-up shopping app self-described as "Your stylist, personal shopper and inspiration board!" Resultly builds a catalog of items for sale by scraping many online retailers, including QVC. Scraping of retailers' websites isn't unusual; as the court says, "QVC allows many of Resultly's competitors, e.g., Google, Pinterest, The Find, and Wanelo, to crawl its website." Resultly cashes in when users click on affiliate links to QVC products (although Resultly's affiliate arrangement is mediated through two layers of business partners, each of whom takes their own cut of the proceeds). In May 2014, Resultly's automated scraper overloaded QVC's servers, causing outages that allegedly cost QVC $2M in revenue. QVC eventually blocked access to Resultly's scraper. Subsequent discussions were irresolute, and QVC sought a preliminary injunction based on the Computer Fraud & Abuse Act (18 USC 1030(a)(5)(A)). The court concludes that QVC hasn't shown a likelihood of success because Resultly lacked the required intent to damage QVC's system: * * *

How the NYCLA's ethics opinion on LinkedIn forces lawyers to act deceptively and violate LinkedIn's user agreement (Carolyn Elefant, 24 March 2015) - By now, in 2015, most of the general public over the age of 21 have been using Google, Facebook and LinkedIn for nearly a decade. During that time, they've acclimated to the culture of each of these online universes, and grown as adept in distinguishing casual informational websites and biographical profiles and chatty personal exchanges from paid advertising as a seasoned world traveler in recognizing an American tourist. Yet while the majority of online users with an IQ over 80 understand the prevailing online social order, apparently bar regulators do not. So like imperialists swooping in to "civilize" native colonies, comes now the 100-year old New York County Bar Association (NYCLA) to inflict its ethics rules on LinkedIn through the issuance of Formal Opinion 748 . As summarized by Allison Shields and Nicole Black , Formal Opinion 748 purports to offer lawyers guidance on when a LinkedIn profile constitutes advertising and when it doesn't. Not surprisingly, this devolves into an exercise in hair-splitting: pure biographical information consisting only of one's education and employment history isn't advertising, but a description of practice areas, skills, endorsements - and even a detailed description of work performed for a former employer is. And of course, as we all know, once the regulators classify something as advertising, we can't disseminate it to the public without first marking it with a big scarlet A, er - disclaimer. And therein lies the problem. Because slapping the phrase "this constitutes lawyer advertising" in the context of the LinkedIn universe causes MORE confusion for the public. When potential clients see a scarlet "A" on a lawyer profile, they're going to assume that the lawyer paid for the ad and that it's inherently less truthful than the other non-advertorial profiles on LinkedIn. 
Worse, users are likely to draw inaccurate conclusions - either that the lawyer is doing well enough to pay for a spendy ad on LinkedIn, or is so desperate that he can't find clients without paying for social media exposure. Either way, requiring lawyers to include an advertising disclaimer on an otherwise ordinary LinkedIn listing has the effect of "misleading by creating a false appearance" and therefore, is deceptive.

Court might enforce a contract ban on consumer reviews (Eric Goldman, 27 March 2015) - Claude and Violaine Galland own an apartment in Paris, France. They offer it for rental through VRBO, an online service for vacation rentals. The Gallands' rental agreement includes the following language: "The tenants agree not to use blogs or websites for complaints, anonymously or not." Though clumsily worded, this clause is similar to prior attempts to restrict consumer reviews, such as the provisions used by doctors and dentists, hotels, apartment owners and other vacation rental services. As far as I know, no court has ever enforced any of these clauses purporting to suppress consumer reviews. Two different renters, the Johnstons and Bowdens, rented the Gallands' apartment and subsequently posted critical reviews on VRBO. Mr. Galland allegedly offered $300 - unsuccessfully - to the Bowdens to remove their post. Instead, the Gallands sued the Johnstons and Bowdens for defamation, breach of contract and other claims. The judge dismissed the defamation claims - but refused to dismiss the breach of contract claim… Surprisingly, the judge didn't discuss the illegality of the contract clause. In 2003, a New York court instructed a software vendor to stop banning consumer reviews in its contract (the exact restriction: "The customer will not publish reviews of this product without prior consent from Network Associates, Inc."). The court held that using such a clause may be a deceptive practice under New York's consumer protection law. I can't see any reason why the Gallands' clause wouldn't violate the same law. (The Gallands' case is being litigated in a New York federal court applying New York law). Irrespective of the New York law, the contract restriction should be void as a matter of public policy. I'm hoping the court will come to its senses and realize that no trial is needed because the clause should be condemned, not enforced.
It's remarkable that anyone had the confidence to litigate such a clause at all. We have seen relatively few courtroom battles over contractual bans on consumer reviews, and we aren't likely to see many such disputes in the future. The Gallands' contract provision clearly violates California's new law against consumer review bans, and I believe a new federal bill will be introduced to make such bans nationwide. Eventually vendors will get the message and stop trying. Until they do, we need more tools to discourage such clauses in the future - and to discourage wasteful litigation intended to suppress renters' rights to express themselves.

FCC vs. FTC - a new privacy turf war (Katy on the Hill, 30 March 2015) - The FCC is about to muscle in on the FTC's privacy turf and the FTC is pushing back. Since the 1999 Geocities case, the Federal Trade Commission has been the nation's de facto privacy cop, bringing more than 150 privacy and data security cases. But the net neutrality order could make the Federal Communications Commission a much bigger player in privacy enforcement. When the FCC last month reclassified the Internet as a common carrier service, it expanded Title II's strict privacy regulations that currently govern telephone services to ISPs and mobile providers. A little known provision in FTC law called the common carrier exemption gives the FCC exclusive authority over telephone services. Now that ISPs and mobile providers are common carriers, the FTC could be cut out of a broad swath of privacy enforcement, especially since much of the privacy and data security agita today stems from online and mobile practices. The FTC's most recent enforcement actions - TracFone, AT&T, and T-Mobile - may be now out of bounds for the FTC, but fair game for the FCC. The only solution for the FTC is for Congress to change the common carrier exemption and the FTC is advocating that course. Although the details of how the FCC will apply its expanded privacy authority to Internet services need to be worked out, it's high on chairman Wheeler's list. Wheeler said earlier this month during DC's annual Tech Prom, that the commission would hold workshops beginning next month "to deal with broadband privacy issues for the newly classified telecommunications service providers." Depending on how far the FCC goes, the commission's new privacy authority could reach to Do Not Track, data collection and mobile app privacy. "It could divest the FTC of a lot of authority. It's sort of a blank check," said Bob Corn-Revere, a partner with Davis Wright Tremaine, who represents the Association of National Advertisers.

Pentagon personnel now talking on 'NSA-proof' smartphones (NextGov, 30 March 2015) - The Defense Department has rolled out supersecret smartphones for work and maybe play, made by anti-government-surveillance firm Silent Circle, according to company officials. Silent Circle, founded by a former Navy SEAL and the inventor of privacy-minded PGP encryption, is known for decrying federal efforts to bug smartphones. And for its spy-resistant "blackphone." Apparently, troops don't like busybodies either. As part of limited trials, U.S. military personnel are using the device, encrypted with secret code down to its hardware, to communicate "for both unclassified and classified" work, Silent Circle chairman Mike Janke told Nextgov. In 2012, Janke, who served in the Navy's elite special operations force, and Phil Zimmermann, creator of Pretty Good Privacy (PGP, in short), started Silent Circle as a California-based secure communications firm. The company is no longer based in the United States, ostensibly to deter U.S. law enforcement from seeking access to user records. The blackphone's operating system and software options enable customers to essentially log in to the same phone under multiple personas, each with separate security restrictions. Specifically, a feature called "Spaces" insulates data activity in one profile from the actions happening in other compartments. An undisclosed number of blackphones are "out in the field," Janke said. DOD receives a discount off the $629 retail device by purchasing in bulk, just like Silent Circle's corporate customer base, which includes at least one major U.S. oil company, Janke said.

PCI Council updates penetration testing guidance for merchants (SC Magazine, 30 March 2015) - The PCI Security Standards Council has released guidance to help merchants improve their system for regularly testing security controls and processes impacting payment card security. On Thursday, the 43-page informational supplement ( PDF ) was published, offering best practices for penetration testing components, qualifications for penetration testers, penetration testing methodology and reporting guidelines, a release from the Council said. "An update to PCI guidance published in 2008, the document also includes three case studies which illustrate the various concepts presented within the document, as well as a quick-reference guide to assist in navigating the penetration testing requirements," the release added. The updated guidance comes after Verizon published its 2015 PCI Compliance Report this month, revealing that Requirement 11 of PCI DSS was a compliance weak point for organizations. Requirement 11 states that organizations should regularly test security systems and processes.

Progress on the police-filming front (Lowering the Bar, 2 April 2015) - Two or three pieces of good news here. First, the Texas bill that would have made it illegal for you to film a cop beating you (see "Texas Bill Would Make It Illegal for You to Film a Cop Beating You" (Mar. 26)) seems to have been withdrawn by its sponsor, the probably-well-meaning-but-not-too-thoughtful Rep. Jason Villalba. The legislature's site just says "no action taken in committee" on HB 2918 (the bill was scheduled for a hearing on March 26), but there are reports that Villalba decided to drop it completely after the state's largest union of police officers said it would oppose the bill. Villalba reportedly insisted that he had only withdrawn the bill temporarily because "it's being amended and the hearing [was going to] run very late," but some (specifically, me) are suggesting that in fact he pulled it because pretty much everybody hates it. Turns out there was already a competing proposal in Texas, HB 1035, which would not only state that recording officers is legal, it would make it illegal for law enforcement to alter, destroy, or conceal a recording of police operations without the owner's written consent. I don't know what that bill's chances are, but would guess they are approximately infinitely better than those of HB 2918. Second, as Courthouse News reports (also PINAC), lawmakers in both California and Colorado have also introduced bills aimed at protecting the right to film public servants in public.

9th Circuit rules Netflix isn't subject to disability law (Ars Technica, 2 April 2015) - A federal appeals court ruled (PDF) yesterday that the Americans with Disabilities Act (ADA) doesn't apply to Netflix, since the online video provider is "not connected to any actual, physical place." Donald Cullen sued Netflix in March 2011, attempting to kick off a class-action lawsuit on behalf of disabled people who didn't have full use of the videos because they aren't all captioned. A district court judge threw out his lawsuit in 2013, and yesterday's ruling by the US Court of Appeals for the 9th Circuit upholds that decision. The decision is "unpublished," meaning it isn't intended to be used as precedent in other cases. However, it certainly doesn't bode well for any plaintiff thinking about filing a similar case in the 9th Circuit, which covers most of the Western US. At least one other court has come out the other way on this issue. Three months after Cullen filed suit, the National Association for the Deaf (NAD) filed an ADA lawsuit against Netflix in Massachusetts over the same issue. In that case, the judge found that Netflix was a "place of public accommodation" and would have to face the lawsuit against the disability rights group. After the company lost the initial motion, Netflix settled the case with NAD, agreeing to pay $750,000 in legal fees and caption all of its videos by the year 2014. While online captioning may be a done deal for Netflix, NAD has continued to litigate the matter. In February, the group sued Harvard and MIT over their free online course offerings, saying the lack of captions constitutes an ADA violation.

RESOURCES

A comparative look at copyright law and fair use exemptions (MLPB, 24 March 2015) - Susanna Monseau, College of New Jersey, has published Copyright and the Digital Economy: Is It Necessary to Adopt Fair Use? Here is the abstract: This paper reviews recent recommendations for and against the introduction of an open-ended fair use exception for the digital age in the EU, the UK, Ireland and Australia. Law Commissions in Ireland and Australia both recommended introducing an open-ended fair use exception, as well as or instead of the list of limited fair dealing exceptions, while reviews of the law in the UK and EU have not recommended such sweeping changes. The paper argues that while the "fair use" exception has many advantages for the digital age, a major legislative overhaul of copyright law is unnecessary to adapt a copyright regime to the digital realm. Balancing technological innovation and content creation depends less on the distinctions between the fair use and fair dealing exemptions and more on ensuring that the law, through both legislation and judicial interpretation, in fact acts to promote the main purpose of copyright law, the benefit of the public. This can be achieved through a focus on fairness and the harmonization of exceptions to be found in the Berne three step test.

Adapting copyright law for mashups (MLPB, 25 March 2015) - Peter S. Menell, University of California, Berkeley, School of Law, is publishing Adapting Copyright for the Mashups Generation in the University of Pennsylvania Law Review. Here is the abstract: Growing out of the rap and hip hop genres as well as advances in digital editing tools, music mashups have emerged as a defining genre for post-Napster generations. Yet the uncertain contours of copyright liability as well as prohibitive transaction costs have pushed this genre underground, stunting its development, limiting remix artists' commercial channels, depriving sampled artists of fair compensation, and further alienating netizens and new artists from the copyright system. In the real world of transaction costs, subjective legal standards, and market power, no solution to the mashups problem will achieve perfection across all dimensions. The appropriate inquiry is whether an allocation mechanism achieves the best overall resolution of the trade-offs among authors' rights, cumulative creativity, freedom of expression, and overall functioning of the copyright system. By adapting the long-standing cover license for the mashups genre, Congress can support a charismatic new genre while affording fairer compensation to owners of sampled works, engaging the next generations, and channeling disaffected music fans into authorized markets.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Google wins in Geico trademark lawsuit (SiliconValley.com, 15 Dec 2004) -- Google Inc. won a major legal victory Wednesday when a federal judge ruled that the search engine's advertising policy does not violate federal trademark laws. U.S. District Judge Leonie Brinkema rejected a claim by auto insurance giant Geico Corp., which argued that Google should not be allowed to sell ads to rival insurance companies that appear whenever Geico's name is typed into the Google search box. Google derives a major portion of its revenues from selling ad space to businesses that bid on search terms -- both generic words and names protected by trademark -- used by people looking for information online about products and services. Geico, a unit of billionaire Warren Buffett's Berkshire Hathaway Inc., claimed that Google's AdWords program, which displays the rival ads under a "Sponsored Links" heading next to a user's search results, confuses consumers and illegally exploits Geico's investment of hundreds of millions of dollars in its brand. "There is no evidence that that activity alone causes confusion," Brinkema said, in granting Google's motion for summary judgment on that issue. The ruling, on what the parties considered the seminal issue in the case, came just three days after the trial had begun. David Drummond, Google's vice president and general counsel, called the decision a victory for consumers. "It confirms that our policy complies with the law, particularly the use of trademarks as keywords," Drummond said. "This is a clear signal to other litigants that our keyword policy is lawful."

Momentum is gaining for cellphones as credit cards (New York Times, 10 Jan 2005) - People already use their cellphones to read e-mail messages, take pictures and play video games. Before long, they may use them in place of their wallets. By embedding in the cellphone a computer chip or other type of memory device, a phone can double as a credit card. The chip performs the same function as the magnetic strip on the back of a credit card, storing account information and other data necessary to make a purchase. In Asia, phone makers are already selling phones that users can swipe against credit or debit card readers, in much the same way they would swipe plastic MasterCard or Visa cards. Trials are now under way to bring the technology to America, industry executives said. Ron Brown, executive director of the Infrared Data Association, a trade group representing companies pushing the technology for cellphone credit cards, said that the new handsets could become "a major form of payment, because cellphones are the most ubiquitous device in the world." He added, though, that "cash will never go away." Advocates say that consumers will readily embrace the technology as a way to pay for even small purchases, because it is less bother than taking a credit card out of a purse or parting with cash. The impending changes to the cellphone happen to coincide with major shifts taking place in the banking industry. Since credit cards are still considered somewhat inconvenient, particularly for quick, small purchases, major credit card companies have developed "contactless payment" technologies for checkout counters that allow customers to wave their cards near an electronic reader without having to swipe the card or sign their name. 
MasterCard, for example, has introduced a system called PayPass that lets cardholders wave a card in front of a reader to initiate a payment, much as motorists use E-ZPass and similar systems to pay tolls and ExxonMobil customers use Speedpass to buy gas. Several major credit card companies issue PayPass cards; McDonald's has agreed to accept them at some restaurants. And American Express announced late last year that it would have its system, ExpressPay, in more than 5,000 CVS drugstores by the middle of this year. Judy Tenzer, a spokeswoman for American Express, said the technology made it more likely that customers would use credit cards to pay for small items.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
