- Turning data into powerful visualizations of Detroit
- To satisfy clients, law firms submit to cybersecurity scrutiny
- Law firm infected by Cryptolocker variant
- New York Fed forms team focused on cybersecurity threats
- Citigroup report chides law firms for silence on hackings
- IU Media School professor's paper was influential in FCC net neutrality decision
- Measuring innovation
- The Righthaven debacle, 5 years later
- You can now see analytics for US government websites
- "Open Well-Tempered Clavier" project complete; score and recording online
- Corporate culture hinders cyber insurance buy-in
- Medical data has become the next cybersecurity target
- The curious (and vital) power of print
- Publishers a la New York Times to publish on Facebook directly
- US customs testing facial recognition at Dulles airport
- The rise of the Cryptopticon
- QVC can't stop web scraping
- How the NYCLA's ethics opinion on LinkedIn forces lawyers to act deceptively and violate LinkedIn's user agreement
- Court might enforce a contract ban on consumer reviews
- FCC vs. FTC - a new privacy turf war
- Pentagon personnel now talking on 'NSA-proof' smartphones
- PCI Council updates penetration testing guidance for merchants
- Progress on the police-filming front
- 9th Circuit rules Netflix isn't subject to disability law
Turning data into powerful visualizations of Detroit (Zuckerman @ Berkman, 11 March 2015) - What's a "holy shit visualization?" It's a way of looking at data that turns a statistic you might have flipped past in a book or skimmed by on a web page into something that you can't forget. It's a visceral reminder of the power of images and the power of looking at dry numbers in human terms. For Mike Evans, the map below was a holy shit visualization. Properties in yellow are in tax distress. Those in orange are under tax foreclosure. Those in red have been foreclosed. In 2014, 50 percent of properties in the city of Detroit were in danger of foreclosure, being foreclosed, or owned by the city. That's a frightening statistic. But seeing what it looks like on the map makes the scale of the problem more visceral. * * * [graphic] Evans knew this was a powerful visualization when he took the map to the county treasurer, who had his own "holy shit" moment seeing the data. Mike asks, "What does it mean when the county treasurer doesn't know this? What does this mean for a homeowner who's far more removed from this information?" Evans is senior developer with Loveland Technologies, a for-profit technology consultancy in Detroit, Mich., that focuses on mapping land ownership in cities, especially in Detroit. He visited Center for Civic Media at the MIT Media Lab to talk about the community mapping work he and his team have taken on in Detroit and around the U.S. Loveland is a project started by Jerry Paffendorf, who had the clever idea of selling distressed properties in Detroit one square inch at a time. Detroit auctions thousands of properties at a time, and properties that don't sell for outstanding taxes begin auctioning for $500 apiece.
Paffendorf bought some of these properties and started selling them off via Kickstarter for a dollar per square inch (one of the first Kickstarters ever started), and Loveland Technologies got its start building a map that let people see their property ownership, much as the Million Dollar Homepage allowed advertisers to see their online presence purchased a pixel at a time.
To satisfy clients, law firms submit to cybersecurity scrutiny (American Lawyer, 12 March 2015) - In an effort to satisfy clients concerned about possible security breaches, at least 10 Am Law 200 firms and two Magic Circle firms have attained a special certification to demonstrate they're taking steps toward protecting their documents and communication systems, and at least 21 more are in the process of seeking certification, with some consultants speculating that even more will be certified by the end of the year. Businesses of all types can receive the certification, called ISO 27001, if they meet an international cybersecurity standard, but consultants who help companies get certified say that in the past year they've been inundated with inquiries from law firms. "What ISO 27001 represents is the only baseline that corporate trading partners - any business entities exchanging information - have as a reference for what they expect in security execution," says Jeffrey Ritter, a former practicing lawyer who now teaches courses on information technology at the University of Oxford, the University of Georgetown Law Center and Johns Hopkins University Whiting School of Engineering. According to a post on the International Legal Technology Association's website, at least 18 law firms have been certified as of last December, including Magic Circle firms Allen & Overy and Clifford Chance. Ten are Am Law 200 firms, including Paul, Weiss, Rifkind, Wharton & Garrison, Sullivan & Cromwell, Simpson Thacher & Bartlett and White & Case, as well as Milbank, Tweed, Hadley & McCloy and Ropes & Gray, which were expected to be certified by February. Another 23 firms are listed as working towards or investigating certification, 21 of which are Am Law 200 firms, including Cleary Gottlieb Steen & Hamilton, Skadden, Arps, Slate, Meagher & Flom, Debevoise & Plimpton and Davis Polk & Wardwell.
- and -
Law firm infected by Cryptolocker variant (Ride the Lightning, 16 March 2015) - California law firm Ziprick and Cramer sent a letter to clients on February 27th advising them that on or around January 25, 2015, the firm was infected by a new variant of the Cryptolocker virus which infected one of their workstations (encrypting its data) and then traveled to the server where data was encrypted on shared folders. The firm indicated that its backup was intact. Though a ransom demand had not yet been made, the firm said it would not pay any ransom "which would only encourage and fund such criminals in their illegal activities." The firm reported the cyberattack to the FBI and offered clients one year of free credit monitoring.
- and -
New York Fed forms team focused on cybersecurity threats (Bloomberg, 24 March 2015) - The Federal Reserve Bank of New York has formed a team dedicated to cybersecurity threats, according to the bank's top regulator. "We have elevated our efforts in recent months and have formed a dedicated team focused on further strengthening our overall supervisory approach to cybersecurity," Sarah Dahlgren, the New York Fed's head of supervision, said in prepared remarks delivered to a conference in New York today.
- and -
Citigroup report chides law firms for silence on hackings (NYT, 26 March 2015) - Every month it seems another American company reports being a victim of a hacking that results in the theft of internal or customer information. But the legal profession almost never publicly discloses a breach. The unwillingness of most big United States law firms to discuss or even acknowledge breaches has frustrated law enforcement and corporate clients for several years. That frustration bubbled over in a recent internal report from Citigroup's cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms. "Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise," according to the report, a copy of which was reviewed by The New York Times. The report, issued last month, said it was reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies. The report said bank employees should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries. It said law firms were at "high risk for cyberintrusions" and would "continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications." The Citigroup team issued the report as other Wall Street banks are putting pressure on the legal profession to do more to prevent the theft of confidential client information. For nearly a year, banks and law firms have talked about forging a closer partnership to share some information about hacking incidents.
Banks are also demanding more documentation from law firms about online security measures as a condition of retaining them for assignments. In the last several months, Mandiant, the security firm that is a division of the security consultant FireEye, has been advising a half-dozen unidentified law firms that were victims of a breach or other attack, said a person briefed on the matter who spoke on the condition of anonymity.
IU Media School professor's paper was influential in FCC net neutrality decision (Indiana U, 16 March 2015) - After months of public and political debate, the Federal Communications Commission voted on Feb. 26 to regulate the Internet in the same way as it does "telecommunications services" under Title II of the 1934 Communications Act. * * * The FCC's declaratory ruling frequently cites and relies on the analysis of Cherry and Jon Peha, a professor in the departments of engineering and public policy and of electrical and computer engineering at Carnegie Mellon University. This is significant when you consider that more than 4 million comments were filed in this proceeding - the most in the history of the FCC. Cherry and Peha co-authored an influential paper, "The Telecom Act of 1996 Requires the FCC to Classify Commercial Internet Access as a Telecommunications Service," which was filed with the FCC in late December. The paper was cited and directly quoted 10 times in the ruling. Importantly, Cherry and Peha's analysis integrates technical and legal perspectives to explain how providers offer broadband Internet access services with the commercial and technical functionalities of telecommunications services. Cherry formerly worked for the FCC as senior counsel in the Office of Strategic Planning and Policy Analysis. Peha is a former chief technologist for the FCC. Also actively researching the issue have been Julien Mailland, an assistant professor of telecommunications, and Matt Pierce, a lecturer in The Media School who also serves as state representative.
Measuring innovation (Patently-O, 16 March 2015) - A new business article on "measuring innovation" notes that 50% of firms investing in R&D are not patenting the results of their research. The main thrust of the article is that, because so many firms are avoiding the patent system, patents do not make sense as a broad measure of innovation. Their solution is to use the Research Quotient (Prof Knott's measure of optimal research output based upon various financial outputs) as a better measure. See Cooper, Knott, and Yang, Measuring Innovation (March 2, 2015). Available at SSRN: http://ssrn.com/abstract=2572815 or http://dx.doi.org/10.2139/ssrn.2572815.
The Righthaven debacle, 5 years later (Eric Goldman, 17 March 2015) - You probably recall Righthaven, the now-defunct copyright enforcement entity (some might call it a copyright troll) that purchased newspapers' copyrights so it could sue small-time bloggers who republished articles; after suing, it would demand financial settlements the bloggers couldn't afford. Steve Green, a reporter at the Las Vegas Sun newspaper, tirelessly chronicled Righthaven's waxing and waning. To "celebrate" the five year anniversary of Righthaven's launch, Green has posted a lengthy retrospective (with his now-employer, the Orange County Register). Some of the best tidbits from the article:
(1) Everyone associated with Righthaven avoided discipline by the Nevada bar regulators. Say what? I don't have all of the facts, but based on what I saw, this is incredible. Numerous judges harshly criticized Righthaven's litigation tactics (see, e.g., this benchslap using words like "flagrantly false," "disingenuous," "deceitful," "brazen" and "egregious"), and I thought there was a chance some lawyers would lose their licenses for their involvement in this scheme. Instead, not even a single public reprimand. Wow. Exactly what does it take to violate Nevada's ethics rules? (2) The purported class action of Righthaven victims fizzled out with Righthaven's demise. (3) Steve Gibson, Righthaven's principal, is still practicing law in Nevada. Indeed, he describes himself as "one of the premier business and intellectual property attorneys practicing in Las Vegas." This makes me wonder: do his prospective clients not Google him??? (4) The mom of Colleen Lynn, an anti-Righthaven activist, called Righthaven's campaign "legal terrorism."
* * * [Polley: As usual, the rest of Eric's posting is worth reading.]
You can now see analytics for US government websites (Mashable, 19 March 2015) - The White House on Thursday introduced a publicly available analytics dashboard that keeps tabs on traffic stats from 3,800 government websites. In the dashboard, website analytics for some of the most-trafficked government sites are available in real time. At any given moment, you can see which websites are most popular - right now the IRS' "Where's My Refund?" page tops the list - and how many people are visiting these pages. The project is open source, and the code for the site and its reporting tool is available to those who want to take advantage of the data for their own projects. While open-source data may sound like an unexpected move for Uncle Sam, it will be an increasing area of focus for Digital Services as the Obama administration looks to expand the team in 2016, according to Charles Worthington, a developer with the agency.
"Open Well-Tempered Clavier" project complete; score and recording online (Slashdot, 19 March 2015) - Open source music notation software MuseScore, and pianist Kimiko Ishizaka, have completed the Open Well-Tempered Clavier project and released a new studio recording and digital score online, under the Creative Commons Zero (CC0, public domain) license. Their previous project, the Open Goldberg Variations (2012), has shown its cultural significance by greatly enhancing the Wikipedia.org article on J.S. Bach's work, and by making great progress in supplying musical scores that are accessible to the visually impaired and the blind. The recording has also received very positive early reviews by music critics. Over 900 fans of J.S. Bach financed this project on Kickstarter.com, where a total of $44,083 was raised.
Corporate culture hinders cyber insurance buy-in (CSO Online, 20 March 2015) - The relatively new field of cyber insurance offers a potentially valuable shield from the financial toll that a data breach can visit on a company, but that market is held back by a lack of information about the threat landscape and a culture in many firms that too often marginalizes cyber issues, a senior government official warns. Tom Finan, senior cybersecurity strategist and counsel at the Department of Homeland Security, has been heading up a review of the cybersecurity insurance industry, looking at ways that the government could help advance the market. In remarks at a recent government IT conference, he suggested that insurance carriers would be more generous in their coverage options with more concrete data about the risks that applicants face. "Perhaps unsurprisingly, companies are not publicly disclosing their own damages from the cyber incidents that they're experiencing. Consequently there's just not enough actuarial data -- yet -- to make these additional categories of first-party coverage more successful," Finan said. "Several of the carriers joining us have told us that big data about cyber incidents could be a potential treasure trove that would aid their efforts immensely." As a result, insurance carriers are commonly underwriting policies based on an assessment of the security culture at the applying company, finding that, despite the steady diet of high-profile breaches, cyber issues remain marginalized within the IT department, rather than being incorporated into a broader enterprise risk management (ERM) framework. And that's a problem, according to Finan. "For many companies, the business case for investing against cyber risk still has not been made.
With some exceptions, corporate leaders continue to treat cybersecurity as an IT problem separate and apart from the other business risks that they're addressing as part of their overall corporate risk management strategies," he said.
Medical data has become the next cybersecurity target (NextGov, 20 March 2015) - Hackers often carry out massive cyberattacks to gain access to financial data through banks and retail companies, but this week's cybercrime hit a seemingly new target: medical data, taken from the health insurance company Premera Blue Cross. The attack affected 11 million patients, making it the largest cyberattack involving medical information to date. The healthcare industry has been catching hackers' attention lately. In February, the health insurance company Anthem reported a breach in which hackers gained access to about 80 million records, and in 2014, the Tennessee-based hospital operator Community Health Systems saw 4.5 million records accessed, though both companies said no medical data was exposed. Even so, as Pat Calhoun, the senior vice president of network security at Intel Security, puts it, the healthcare industry is just beginning to find itself in cyber-criminals' crosshairs, making it slow to shield people's records. Calhoun points out that healthcare breaches aren't unheard of: In fact, according to Intel Security and the Atlantic Council's latest report on cyber risks, about 44 percent of all registered data breaches in 2013 targeted medical companies, with the number of breaches increasing 60 percent between 2013 and 2014. Medical data is also becoming a highly lucrative target. "Financial data has always been a priority, because it's low-hanging fruit," Calhoun says. "But over the past couple of years, we've identified that medical information has a higher value on the black market than credit card information."
The curious (and vital) power of print (NYT's Public Editor, 21 March 2015) - WHO buys the print edition of the newspaper? Just a few Luddites who wouldn't know a smartphone if their horse-drawn buggy crushed it on the cobblestones? Octogenarians and their older brothers? That seems to be the conventional wisdom. On Twitter, Chris Boutet had a funny line recently. "The following is a list of people who still subscribe to newspapers: Journalists, their parents." There's no doubt about the downward trajectory of print. But where, exactly, are we on that path? And how do younger people fit into that picture? I thought it would be worthwhile to find out, since it's bound to affect The Times and its readers. And some of the answers may be surprising. More than 70 percent of all revenue at The Times came from print last year. The biggest share of that is "consumer revenue" from print - almost exclusively, that's from people who buy the newspaper either with a home-delivery subscription or on the newsstand. But print advertising revenue is very important, too. More than a million people still buy the Sunday paper each week. The number has declined to about 1.1 million from 1.8 million at its height in 1993. And about 645,000 people still pay for the daily paper, which has taken the biggest hit. (The daily numbers fell by about 6 percent last year; on Sunday, the number fell by about 3.5 percent.) A lot of younger people buy and read the paper in print. Of all subscribers, 23 percent are in their 20s, 30s and 40s - that's hundreds of thousands each week. And on the opposite side of the spectrum, the typical digital Times subscriber is decidedly not a millennial, wielding her selfie stick and heading off to Coachella. No, the median age of the digital subscriber is a graying (but no doubt Pilates-practicing) 54, not much younger than the median age of the print subscriber, which is 60. What's more, this substantial print crowd, young and old, loves its Times passionately. 
Roland Caputo, the Times executive in charge of print ("It's important that somebody carry the torch for the unsexy part of the operation"), describes the readers' passion in simple terms. "Print readers love print," he told me. "The affinity they have for it is astronomical." A major Times research project on readership last summer made that clear. [Polley: I love the NYT in print, but only read The New Yorker on my iPad and cancelled my 25-year Atlantic subscription because of their mangled e-reader implementation. Color me ambivalent.]
- and -
Publishers a la New York Times to publish on Facebook directly (Kevin O'Keefe, 23 March 2015) - The New York Times reports today that publishers, including the New York Times itself, are on the verge of publishing directly on Facebook. Rather than users clicking from Facebook to content on third party sites, such as the Times, Facebook would host the content directly on its social network site. Though such a plan may improve the Facebook user's experience with speed to the content (no click through), the idea is not without its problems for publishers. Such a plan would represent a leap of faith for news organizations accustomed to keeping their readers within their own ecosystems, as well as accumulating valuable data on them. Historically, Facebook has not shared advertising revenue with publishers. "We'll send you traffic and you, as the publisher, sell ads based on increased website traffic." With this new plan, Facebook has expressed a willingness to share ad revenue. They'd have to, as Facebook would control the entire atmosphere; no one would be leaving Facebook to go to the publisher's site. The whole idea of Facebook doing your publishing has to be scary as heck for publishers. As The New York Times' David Carr (now deceased) wrote on this subject last fall: For publishers, Facebook is a bit like that big dog galloping toward you in the park. More often than not, it's hard to tell whether he wants to play with you or eat you.
US customs testing facial recognition at Dulles airport (PCmag, 22 March 2015) - If you're a frequent international traveler, and you find yourself flying into Washington, D.C.'s Dulles airport a lot, then your headshot might start showing up in a government database. You haven't done anything wrong - at least, we hope not - but odds are good that you might be randomly selected for a quick picture. According to Motherboard, U.S. Customs and Border Protection rolled out a new initiative starting March 11, whereby random Americans entering the U.S. might get their headshots taken as part of a new program designed to ferret out potential imposters. "The operational goals of this pilot are to determine the viability of facial recognition as a technology to assist CBPOs in identifying possible imposters using U.S. e-passports to enter the United States and determine if facial recognition technology can be incorporated into current CBP entry processing with acceptable impacts to processing time and the traveling public while effectively providing CBPOs with a tool to counter imposters using valid U.S. travel documents," reads U.S. Customs and Border Protection's official "Privacy Impact Assessment" document. If you're the lucky recipient of a free headshot, a customs officer will run a software analysis of your picture and compare it against the picture of you that's stored on your e-passport's data chip. A score will be generated based on the similarities (and differences) - if you don't match, that might clue in the customs officer that some additional steps could be necessary to confirm that you're really you. It won't give you a green flag through customs if you pass, and it's not necessarily going to be a red flag if your new look doesn't match your passport photo.
- and -
The rise of the Cryptopticon (Siva Vaidhyanathan in The Hedgehog Review, Spring 2015) - Consider two American films, twenty-four years apart, both starring Gene Hackman as a reclusive surveillance expert. The difference between the work done by Harry Caul, the naive, emotionally stunted private investigator played by Hackman in Francis Ford Coppola's 1974 film The Conversation, and the work done by Edward Lyle, the disaffected, cynical former spy Hackman portrays in the 1998 Tony Scott film Enemy of the State, is more than a matter of the tools they use. Caul uses audio and video surveillance to investigate private citizens, while Lyle deftly deploys the digital tools and techniques that have come to characterize our era of total surveillance. We learn that before choosing to go "off the grid," Lyle did high-level work for either a government organization like the National Security Agency or a private contractor working for the NSA. (The exact truth is never fully revealed.) Lyle seems to be Caul a quarter century later, with a new name, a deeper sense of nihilism, but the same aversion to sharing information with others. * * * [Polley: Nice compare-and-contrast use of the 2 films to illuminate the current condition, and the surveillance state. We're so past "1984", and when these tools are misused we'll be helpless.]
QVC can't stop web scraping (Eric Goldman, 24 March 2015) - Although scraping is ubiquitous, it's not clearly legal. A variety of laws may apply to unauthorized scraping, including contract, copyright and trespass to chattels laws. ("Trespass to chattels" protects against unauthorized use of someone's personal property, such as computer servers). The fact that so many laws restrict scraping means it is legally dubious, which makes a scraper's recent courtroom win especially noteworthy. QVC is the well-known TV retailer. Resultly is a start-up shopping app self-described as "Your stylist, personal shopper and inspiration board!" Resultly builds a catalog of items for sale by scraping many online retailers, including QVC. Scraping of retailers' websites isn't unusual; as the court says, "QVC allows many of Resultly's competitors, e.g., Google, Pinterest, The Find, and Wanelo, to crawl its website." Resultly cashes in when users click on affiliate links to QVC products (although Resultly's affiliate arrangement is mediated through two layers of business partners, each of whom takes their own cut of the proceeds). In May 2014, Resultly's automated scraper overloaded QVC's servers, causing outages that allegedly cost QVC $2M in revenue. QVC eventually blocked access to Resultly's scraper. Subsequent discussions were irresolute, and QVC sought a preliminary injunction based on the Computer Fraud & Abuse Act (18 USC 1030(a)(5)(A)). The court concludes that QVC hasn't shown a likelihood of success because Resultly lacked the required intent to damage QVC's system: * * *
How the NYCLA's ethics opinion on LinkedIn forces lawyers to act deceptively and violate LinkedIn's user agreement (Carolyn Elefant, 24 March 2015) - By now, in 2015, most of the general public over the age of 21 have been using Google, Facebook and LinkedIn for nearly a decade. During that time, they've acclimated to the culture of each of these online universes, and grown as adept in distinguishing casual informational websites and biographical profiles and chatty personal exchanges from paid advertising as a seasoned world traveler in recognizing an American tourist. Yet while the majority of online users with an IQ over 80 understand the prevailing online social order, apparently bar regulators do not. So like imperialists swooping in to "civilize" native colonies, comes now the 100-year old New York County Bar Association (NYCLA) to inflict its ethics rules on LinkedIn through the issuance of Formal Opinion 748. As summarized by Allison Shields and Nicole Black, Formal Opinion 748 purports to offer lawyers guidance on when a LinkedIn profile constitutes advertising and when it doesn't. Not surprisingly, this devolves into an exercise in hair-splitting: pure biographical information consisting only of one's education and employment history isn't advertising, but a description of practice areas, skills, endorsements - and even a detailed description of work performed for a former employer is. And of course, as we all know, once the regulators classify something as advertising, we can't disseminate it to the public without first marking it with a big scarlet A, er - disclaimer. And therein lies the problem. Because slapping the phrase "this constitutes lawyer advertising" in the context of the LinkedIn universe causes MORE confusion for the public. When potential clients see a scarlet "A" on a lawyer profile, they're going to assume that the lawyer paid for the ad and that it's inherently less truthful than the other non-advertorial profiles on LinkedIn.
Worse, users are likely to draw inaccurate conclusions - either that the lawyer is doing well enough to pay for a spendy ad on LinkedIn, or is so desperate that he can't find clients without paying for social media exposure. Either way, requiring lawyers to include an advertising disclaimer on an otherwise ordinary LinkedIn listing has the effect of "misleading by creating a false appearance" and therefore, is deceptive.
Court might enforce a contract ban on consumer reviews (Eric Goldman, 27 March 2015) - Claude and Violaine Galland own an apartment in Paris, France. They offer it for rental through VRBO, an online service for vacation rentals. The Gallands' rental agreement includes the following language: "The tenants agree not to use blogs or websites for complaints, anonymously or not." Though clumsily worded, this clause is similar to prior attempts to restrict consumer reviews, such as the provisions used by doctors and dentists, hotels, apartment owners and other vacation rental services. As far as I know, no court has ever enforced any of these clauses purporting to suppress consumer reviews. Two different renters, the Johnstons and Bowdens, rented the Gallands' apartment and subsequently posted critical reviews on VRBO. Mr. Galland allegedly offered $300 - unsuccessfully - to the Bowdens to remove their post. Instead, the Gallands sued the Johnstons and Bowdens for defamation, breach of contract and other claims. The judge dismissed the defamation claims - but refused to dismiss the breach of contract claim… Surprisingly, the judge didn't discuss the illegality of the contract clause. In 2003, a New York court instructed a software vendor to stop banning consumer reviews in its contract (the exact restriction: "The customer will not publish reviews of this product without prior consent from Network Associates, Inc."). The court held that using such a clause may be a deceptive practice under New York's consumer protection law. I can't see any reason why the Gallands' clause wouldn't violate the same law. (The Gallands' case is being litigated in a New York federal court applying New York law). Irrespective of the New York law, the contract restriction should be void as a matter of public policy. I'm hoping the court will come to its senses and realize that no trial is needed because the clause should be condemned, not enforced.
It's remarkable that anyone had the confidence to litigate such a clause at all. We have seen relatively few courtroom battles over contractual bans on consumer reviews, and we aren't likely to see many such disputes in the future. The Gallands' contract provision clearly violates California's new law against consumer review bans, and I believe a new federal bill will be introduced to make such bans nationwide. Eventually vendors will get the message and stop trying. Until they do, we need more tools to discourage such clauses in the future - and to discourage wasteful litigation intended to suppress renters' rights to express themselves.
FCC vs. FTC - a new privacy turf war (Katy on the Hill, 30 March 2015) - The FCC is about to muscle in on the FTC's privacy turf and the FTC is pushing back. Since the 1999 Geocities case, the Federal Trade Commission has been the nation's de facto privacy cop, bringing more than 150 privacy and data security cases. But the net neutrality order could make the Federal Communications Commission a much bigger player in privacy enforcement. When the FCC last month reclassified the Internet as a common carrier service, it expanded Title II's strict privacy regulations that currently govern telephone services to ISPs and mobile providers. A little-known provision in FTC law called the common carrier exemption gives the FCC exclusive authority over telephone services. Now that ISPs and mobile providers are common carriers, the FTC could be cut out of a broad swath of privacy enforcement, especially since much of the privacy and data security agita today stems from online and mobile practices. The FTC's most recent enforcement actions - TracFone, AT&T, and T-Mobile - may now be out of bounds for the FTC, but fair game for the FCC. The only solution for the FTC is for Congress to change the common carrier exemption, and the FTC is advocating that course. Although the details of how the FCC will apply its expanded privacy authority to Internet services need to be worked out, it's high on chairman Wheeler's list. Wheeler said earlier this month during DC's annual Tech Prom that the commission would hold workshops beginning next month "to deal with broadband privacy issues for the newly classified telecommunications service providers." Depending on how far the FCC goes, the commission's new privacy authority could reach to Do Not Track, data collection and mobile app privacy. "It could divest the FTC of a lot of authority. It's sort of a blank check," said Bob Corn-Revere, a partner with Davis Wright Tremaine, who represents the Association of National Advertisers.
Pentagon personnel now talking on 'NSA-proof' smartphones (NextGov, 30 March 2015) - The Defense Department has rolled out supersecret smartphones for work and maybe play, made by anti-government-surveillance firm Silent Circle, according to company officials. Silent Circle, founded by a former Navy SEAL and the inventor of privacy-minded PGP encryption, is known for decrying federal efforts to bug smartphones. And for its spy-resistant "blackphone." Apparently, troops don't like busybodies either. As part of limited trials, U.S. military personnel are using the device, encrypted with secret code down to its hardware, to communicate "for both unclassified and classified" work, Silent Circle chairman Mike Janke told Nextgov. In 2012, Janke, who served in the Navy's elite special operations force, and Phil Zimmermann, creator of Pretty Good Privacy (PGP, in short), started Silent Circle as a California-based secure communications firm. The company is no longer based in the United States, ostensibly to deter U.S. law enforcement from seeking access to user records. The blackphone's operating system and software options enable customers to essentially log in to the same phone under multiple personas, each with separate security restrictions. Specifically, a feature called "Spaces" insulates data activity in one profile from the actions happening in other compartments. An undisclosed number of blackphones are "out in the field," Janke said. DOD receives a discount off the $629 retail device by purchasing in bulk, just like Silent Circle's corporate customer base, which includes at least one major U.S. oil company, Janke said.
PCI Council updates penetration testing guidance for merchants (SC Magazine, 30 March 2015) - The PCI Security Standards Council has released guidance to help merchants improve their system for regularly testing security controls and processes impacting payment card security. On Thursday, the 43-page informational supplement (PDF) was published, offering best practices for penetration testing components, qualifications for penetration testers, penetration testing methodology and reporting guidelines, a release from the Council said. "An update to PCI guidance published in 2008, the document also includes three case studies which illustrate the various concepts presented within the document, as well as a quick-reference guide to assist in navigating the penetration testing requirements," the release added. The updated guidance comes after Verizon published its 2015 PCI Compliance Report this month, revealing that Requirement 11 of PCI DSS was a compliance weak point for organizations. Requirement 11 states that organizations should regularly test security systems and processes.
Progress on the police-filming front (Lowering the Bar, 2 April 2015) - Two or three pieces of good news here. First, the Texas bill that would have made it illegal for you to film a cop beating you (see "Texas Bill Would Make It Illegal for You to Film a Cop Beating You" (Mar. 26)) seems to have been withdrawn by its sponsor, the probably-well-meaning-but-not-too-thoughtful Rep. Jason Villalba. The legislature's site just says "no action taken in committee" on HB 2918 (the bill was scheduled for a hearing on March 26), but there are reports that Villalba decided to drop it completely after the state's largest union of police officers said it would oppose the bill. Villalba reportedly insisted that he had only withdrawn the bill temporarily because "it's being amended and the hearing [was going to] run very late," but some (specifically, me) are suggesting that in fact he pulled it because pretty much everybody hates it. Turns out there was already a competing proposal in Texas, HB 1035, which would not only state that recording officers is legal, it would make it illegal for law enforcement to alter, destroy, or conceal a recording of police operations without the owner's written consent. I don't know what that bill's chances are, but would guess they are approximately infinitely better than those of HB 2918. Second, as Courthouse News reports (also PINAC), lawmakers in both California and Colorado have also introduced bills aimed at protecting the right to film public servants in public.
9th Circuit rules Netflix isn't subject to disability law (Ars Technica, 2 April 2015) - A federal appeals court ruled (PDF) yesterday that the Americans with Disabilities Act (ADA) doesn't apply to Netflix, since the online video provider is "not connected to any actual, physical place." Donald Cullen sued Netflix in March 2011, attempting to kick off a class-action lawsuit on behalf of disabled people who didn't have full use of the videos because they aren't all captioned. A district court judge threw out his lawsuit in 2013, and yesterday's ruling by the US Court of Appeals for the 9th Circuit upholds that decision. The decision is "unpublished," meaning it isn't intended to be used as precedent in other cases. However, it certainly doesn't bode well for any plaintiff thinking about filing a similar case in the 9th Circuit, which covers most of the Western US. At least one other court has come out the other way on this issue. Three months after Cullen filed suit, the National Association of the Deaf (NAD) filed an ADA lawsuit against Netflix in Massachusetts over the same issue. In that case, the judge found that Netflix was a "place of public accommodation" and would have to face the lawsuit against the disability rights group. After the company lost the initial motion, Netflix settled the case with NAD, agreeing to pay $750,000 in legal fees and caption all of its videos by the year 2014. While online captioning may be a done deal for Netflix, NAD has continued to litigate the matter. In February, the group sued Harvard and MIT over their free online course offerings, saying the lack of captions constitutes an ADA violation.
A comparative look at copyright law and fair use exemptions (MLPB, 24 March 2015) - Susanna Monseau, College of New Jersey, has published Copyright and the Digital Economy: Is It Necessary to Adopt Fair Use? Here is the abstract: This paper reviews recent recommendations for and against the introduction of an open-ended fair use exception for the digital age in the EU, the UK, Ireland and Australia. Law Commissions in Ireland and Australia both recommended introducing an open-ended fair use exception, as well as or instead of the list of limited fair dealing exceptions, while reviews of the law in the UK and EU have not recommended such sweeping changes. The paper argues that while the "fair use" exception has many advantages for the digital age, a major legislative overhaul of copyright law is unnecessary to adapt a copyright regime to the digital realm. Balancing technological innovation and content creation depends less on the distinctions between the fair use and fair dealing exemptions and more on ensuring that the law, through both legislation and judicial interpretation, in fact acts to promote the main purpose of copyright law, the benefit of the public. This can be achieved through a focus on fairness and the harmonization of exceptions to be found in the Berne three-step test.
Adapting copyright law for mashups (MLPB, 25 March 2015) - Peter S. Menell, University of California, Berkeley, School of Law, is publishing Adapting Copyright for the Mashups Generation in the University of Pennsylvania Law Review. Here is the abstract: Growing out of the rap and hip hop genres as well as advances in digital editing tools, music mashups have emerged as a defining genre for post-Napster generations. Yet the uncertain contours of copyright liability as well as prohibitive transaction costs have pushed this genre underground, stunting its development, limiting remix artists' commercial channels, depriving sampled artists of fair compensation, and further alienating netizens and new artists from the copyright system. In the real world of transaction costs, subjective legal standards, and market power, no solution to the mashups problem will achieve perfection across all dimensions. The appropriate inquiry is whether an allocation mechanism achieves the best overall resolution of the trade-offs among authors' rights, cumulative creativity, freedom of expression, and overall functioning of the copyright system. By adapting the long-standing cover license for the mashups genre, Congress can support a charismatic new genre while affording fairer compensation to owners of sampled works, engaging the next generations, and channeling disaffected music fans into authorized markets.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Google wins in Geico trademark lawsuit (SiliconValley.com, 15 Dec 2004) -- Google Inc. won a major legal victory Wednesday when a federal judge ruled that the search engine's advertising policy does not violate federal trademark laws. U.S. District Judge Leonie Brinkema rejected a claim by auto insurance giant Geico Corp., which argued that Google should not be allowed to sell ads to rival insurance companies that appear whenever Geico's name is typed into the Google search box. Google derives a major portion of its revenues from selling ad space to businesses that bid on search terms -- both generic words and names protected by trademark -- used by people looking for information online about products and services. Geico, a unit of billionaire Warren Buffett's Berkshire Hathaway Inc., claimed that Google's AdWords program, which displays the rival ads under a "Sponsored Links" heading next to a user's search results, confuses consumers and illegally exploits Geico's investment of hundreds of millions of dollars in its brand. "There is no evidence that that activity alone causes confusion," Brinkema said, in granting Google's motion for summary judgment on that issue. The ruling, on what the parties considered the seminal issue in the case, came just three days after the trial had begun. David Drummond, Google's vice president and general counsel, called the decision a victory for consumers. "It confirms that our policy complies with the law, particularly the use of trademarks as keywords," Drummond said. "This is a clear signal to other litigants that our keyword policy is lawful."
Momentum is gaining for cellphones as credit cards (New York Times, 10 Jan 2005) - People already use their cellphones to read e-mail messages, take pictures and play video games. Before long, they may use them in place of their wallets. By embedding in the cellphone a computer chip or other type of memory device, a phone can double as a credit card. The chip performs the same function as the magnetic strip on the back of a credit card, storing account information and other data necessary to make a purchase. In Asia, phone makers are already selling phones that users can swipe against credit or debit card readers, in much the same way they would swipe plastic MasterCard or Visa cards. Trials are now under way to bring the technology to America, industry executives said. Ron Brown, executive director of the Infrared Data Association, a trade group representing companies pushing the technology for cellphone credit cards, said that the new handsets could become "a major form of payment, because cellphones are the most ubiquitous device in the world." He added, though, that "cash will never go away." Advocates say that consumers will readily embrace the technology as a way to pay for even small purchases, because it is less bother than taking a credit card out of a purse or parting with cash. The impending changes to the cellphone happen to coincide with major shifts taking place in the banking industry. Since credit cards are still considered somewhat inconvenient, particularly for quick, small purchases, major credit card companies have developed "contactless payment" technologies for checkout counters that allow customers to wave their cards near an electronic reader without having to swipe the card or sign their name. 
MasterCard, for example, has introduced a system called PayPass that lets cardholders wave a card in front of a reader to initiate a payment, much as motorists use E-ZPass and similar systems to pay tolls and ExxonMobil customers use Speedpass to buy gas. Several major credit card companies issue PayPass cards; McDonald's has agreed to accept them at some restaurants. And American Express announced late last year that it would have its system, ExpressPay, in more than 5,000 CVS drugstores by the middle of this year. Judy Tenser, a spokeswoman for American Express, said the technology made it more likely that customers would use credit cards to pay for small items.
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:email@example.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. Steptoe & Johnson's E-Commerce Law Week
8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
9. The Benton Foundation's Communications Headlines
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.