Saturday, August 29, 2015

MIRLN --- 9-29 August 2015 (v18.12)

MIRLN --- 9-29 August 2015 (v18.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

GCs worry about cybersecurity but feel underprepared (Corporate Counsel 5 August 2015) - General counsel in a recent survey listed data privacy/security as one of their top concerns. But 60 percent said their companies still lack the proper preparation for a cyberbreach. The "General Counsel Data Survey," conducted in June by the Consero Group at one of its forums for Fortune 1000 GCs, showed that data privacy/security was listed a top priority among 21 percent of the GCs, just behind compliance and ethics at 27 percent. "The cybersecurity numbers caught my eye," said Paul Mandell, Consero's chief executive officer, partly because of the high-profile data breaches that have been in the news and partly because "the percentage of general counsel reporting cyberbreaches [in the survey] increased over last year." "Cyberthreats pose perhaps the most destructive potential risk to these sophisticated global businesses," Mandell told CorpCounsel.com on Tuesday. "But the data indicate an alarming percentage of those huge companies remained unprepared." He said the issue is not a lack of awareness - GCs are very aware of the problem. "The bottom line is we need to speed up the efforts to address it," he said. Part of companies' slow reaction to cyberrisks, he suggested, is that the GCs think they do not have enough resources for the breadth and complexity of the problem.

NIST's first cybersecurity practice guide: Securing electronic health records on mobile devices (Ice Miller, 6 August 2015) - The National Institute of Standards and Technology (NIST) has released a draft of Securing Electronic Records on Mobile Devices, the institute's first practice guide in a series designed to help organizations improve cybersecurity. The guide demonstrates how health care providers can more securely share patient information using mobile devices such as tablets and smartphones. While the guide is not a guarantee of compliance, providers can use it to help implement relevant standards and best practices in the NIST Framework for Improving Critical Infrastructure Cybersecurity, and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. * * * To help providers keep pace with practice needs in the current threat landscape, NIST brought cybersecurity experts together with health care providers to create a virtual environment that simulated interaction between mobile devices and an EHR system. Using a hypothetical scenario in which a primary care physician uses her mobile device to perform such tasks as making referrals, adding information to the EHR, and e-prescribing, the team identified commercially available and open-source tools, consistent with cybersecurity standards and best practices, that can increase privacy and security and reduce risk.

Citing twin law firm websites (1 real, 1 fake), bar group urges public to beware (ABA Journal, 7 August 2015) - Add another law firm to the growing list of those whose partners have been horrified to discover that they have an Internet twin. For anyone who might happen to see both the Hughes Dowdall website for an actual Scottish law firm and the purported London-based Damian Alden Law Chambers site, the resemblance is striking. Both sites have the identical home page, except for the law firm details. And both show the same three photographs at the beginning of their "Our People" page. (The names are the same or similar for two of the three photos, but Hughes Dowdall senior partner Michael Foster is listed as "Damian Alden" on the fake site.) However, only the Hughes Dowdall website is for an actual law firm, the Law Society of Scotland has warned in a scam alert. On the "Damian Alden" site, "a fraudulent firm of solicitors have copied the website of a genuine firm and are using their names and photographs in an attempt to deceive potential clients," the bar group says. Such misappropriation of real law firms' website format and content is on the rise, bar groups say, and the Law Society of Scotland is urging potential clients to check lawyers' credentials rather than assuming that a seeming online lawyer is the real deal. Michael Foster, the Hughes Dowdall senior partner, told Scottish Legal News that his firm was appalled to learn that its website had been copied. "I am very concerned about this hijacking of our website and our personnel and the potential for damage to our hard-won reputation," he said. "It's horrifying to think an unsuspecting and entirely innocent member of the public could be conned and suffer loss as a result of this."

Early adopters take new .law domains (ABA Journal, 10 August 2015) - Some prominent BigLaw firms are among the early adopters of the new .law domain name extension. DLA Piper; Russell and Goldstein; and Skadden, Arps, Slate, Meagher & Flom have each already reserved their domain names. Minds + Machines, the owner of the .law domain extension, started taking orders July 30, the beginning of a 60-day "sunrise period." Firms who have registered their trademarks with the Internet Corporation for Assigned Names and Numbers - the nonprofit responsible for coordinating the monitoring and creation of naming conventions on the Internet - are eligible to participate in the sunrise period. Domain name registration will be available to credentialed members of the legal community Oct. 12. More information on the .law launch program is available at http://nic.law. Minds + Machines has partnered with ALM Media to advertise and market the domains. [Polley: Seems like a waste of money to me, unless you're registering simply to preempt somebody else from getting "your" domain.law.]

The failure of crowdsourcing in law (so far, at least) (Robert Ambrogi, 10 August 2015) - Above are the slides from my July 20 presentation on crowdsourcing to the American Association of Law Libraries annual meeting. When I first suggested the title, I was sure the presentation would be a positive one, demonstrating the ways in which crowdsourcing and collaboration "are changing" legal research. I have long been a believer that crowdsourcing can help democratize legal research and enable free research sites to become more viable alternatives to paid sites. But as I dug deeper into my research for the presentation, my long-held fears about crowdsourcing were increasingly confirmed. It just has not ever worked well within the legal profession. Over the years, site after site has attempted to make a go at crowdsourcing. But they almost always fail. Why is that? I have a quote in one of my slides that may pretty well sum up the answer. It is from Apoorva Mehta, who is now a huge Silicon Valley success story as the founder of grocery-delivery service Instacart, but who, earlier in his career, attempted to start a legal networking and crowdsourcing site called Lawford (later called LegalReach). Asked later why Lawford failed, here is what he said: I didn't know anything about lawyers when we started. Turns out, they don't like technology, and they don't like to share things. Anyone who is considering starting a crowdsourced law site should take Mehta's quote, frame it and hang it above their desks. That said - and perhaps I am ever the optimist - I do believe there is hope. Three sites, in particular, stand out to me as potential success stories in the small world of crowdsourced legal research. I'll get to those later in this post, but first let me recap some of the history as I presented it at AALL. * * *

Iowa to football fans: Please don't tweet at recruits (InsideHigherEd, 11 August 2015) - The University of Iowa on Monday instructed its fans and boosters to stop tweeting at prospective student athletes. "Hawkeye fans and boosters, please do not tweet at Hawkeye recruits," the athletic department's compliance office posted on its Twitter account. "Leave the recruiting to Iowa coaches!" It is against National Collegiate Athletic Association rules for athletic boosters to communicate with recruits over social media. Colleges also discourage fans from using social media to persuade prospective players to join a program, as the interaction can cause confusion or be seen as having received approval from an institution. In 2010, Indiana University fans who hoped to recruit high school basketball star Cody Zeller created a Facebook page that listed two team members as administrators. The university was forced to deny involvement in the campaign, saying the players were added as administrators without their permission. In recent years, several colleges - including Florida Gulf Coast University, Tulane University and the University of Oklahoma - have made similar pleas to Iowa's. Responding to Iowa's tweet, one fan questioned why supporters shouldn't contact recruits, tweeting, "Fans are some of the best recruiters out there, especially when the coaches can't, due to the NCAA." The fan has tweeted at several players in the last month, trying to convince them to play for Iowa's football team.

In potential job threat to associates, 'artificially intelligent attorney' gets BigLaw gig (ABA Journal, 11 August 2015) - First came the outsourcing of legal work once done by U.S. lawyers to cheaper foreign counterparts. Now, it appears, would-be BigLaw associates may also have to compete with artificial intelligence applications in the foreseeable future. Megafirm Dentons and some major U.S. law firms have agreed to train Ross, a so-called artificially intelligent attorney developed by students at the University of Toronto, in U.S. bankruptcy law, reports the Globe and Mail. Using IBM's Watson computer, which made headlines as a winning contestant on the TV show Jeopardy! in 2011, Ross scans documents and case law and offers answers to legal research questions. Although still under development, "what we are seeing is Ross grasping and understanding legal concepts and learning based on the questions and also getting user feedback. … Just like a human, it's getting its experience in a law firm and being able to learn and get better," Andrew Arruda told the newspaper. One of the U of T students who helped develop Ross, Arruda is now chief executive officer of Ross Intelligence, which is partnering with IBM, Dentons and other companies to take Ross to the next level. Once Ross masters bankruptcy law, the plan is to expand the machine's training into other practice areas. Although the app won't be able to handle the most complex legal problems, it is foreseeable that Ross will be able to perform routine legal research tasks at a lower cost than real attorneys, according to Arruda.

Man charged with contempt of court for "liking" ex-girlfriend's Facebook photos (Times Leader, 11 August 2015) - Clicking "Like" on Facebook landed a Jenkins Township man in hot water. Justin Bellanco, 26, of South Main Street, was arraigned Tuesday on a contempt of court charge when he allegedly violated a no-contact restraining order when he "liked" photos on April Holland's Facebook page. Holland, 24, of Pittston, obtained a protection from abuse order against Bellanco on July 28, claiming Bellanco has been stalking and harassing her and her friends, and threatened to shoot her knee cap to watch her suffer, according to her PFA application. Luzerne County Judge Lesa Gelb on Aug. 4 granted a restraining order against Bellanco, prohibiting him from having any contact with Holland for one year. Pittston police arrested Bellanco on Monday after Holland alleged he has been "liking" photos and videos she posted to her Facebook page, according to the criminal complaint.

A piece of Internet freedom, in the hands of an appeals court (Public Knowledge, 11 August 2015) - It may seem hard to believe that the future of the Internet is at the forefront of an "extremely boring case about invisible braces." But that's exactly what's happening with a case called ClearCorrect v. International Trade Commission, which was argued this morning before the Court of Appeals for the Federal Circuit. The International Trade Commission has power to stop importation of articles that infringe copyrights, patents, or other intellectual property rights. This case involves allegations of infringement over Invisalign-style plastic braces, but the interesting part is what "articles" are being imported. Not the plastic braces. Not even molds for the braces. The "imported articles" are electronic data files downloaded on the Internet. The ITC decided that its power over "importation of articles" extended to Internet transmissions, because downloading files is apparently an act of importation. Nonetheless, the idea that a little-known federal agency can block Internet data is concerning for open Internet advocates like us - and concerning for everyone else as well. The New York Times opposed the ITC's decision, deeming it "bound to hamper the exchange of ideas and information on the Internet." The Wall Street Journal characterized the case as a "clash over protecting a free-flowing Internet." A letter of twenty-eight organizations and law professors warned against "unintended but troubling possibilities that may result from the decision" comparable to the despised SOPA and PIPA bills.

Nine people charged in largest known computer hacking and securities fraud scheme (DoJ press release, 11 August 2015) - Nine people were charged in two indictments unsealed today in Brooklyn, New York, and Newark federal court with an international scheme to hack into three business newswires and steal yet-to-be published press releases containing non-public financial information that was then used to make trades that allegedly generated approximately $30 million in illegal profits. The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies. They then traded ahead of more than 800 stolen press releases before their public release, generating millions of dollars in illegal profits.

ACC sees need for better information governance (BloombergBNA, 11 August 2015) - The Association of Corporate Counsel on Tuesday announced the launch of an Information Governance committee to help educate in-house lawyers about data management, marking the first new committee for the legal group in nearly five years. The IG committee will be led by lawyers from Lockheed Martin, Occidental Petroleum, Physicians Insurance, Symantec and other companies and is planning a series of educational programs around data management. Many corporate law departments manage data on a piecemeal basis, if at all, according to committee chair L. Shawn Cheadle, general counsel, military space at Lockheed Martin Space Systems Company. The problem is that eDiscovery, cybersecurity, records retention, and various other data practices are all related, he said. "Information governance is not one of these areas alone," said Cheadle. "It's not privacy, it's not cybersecurity, it's not the EU law - it's all of these things. Often we're not really collaborating on them."

- and -

Cyber-security is a hot topic at board meetings (Baseline, 12 August 2015) - The boards of directors of public companies are increasingly making cyber-security a priority at their meetings, according to a study done in partnership between security company Veracode and the NYSE Governance Services. More than 80 percent of the nearly 200 directors of public companies surveyed said that cyber-security was discussed at nearly every board meeting. Some 78 percent of these respondents serve on from one to three executive boards. "I think a lot of other boards said, 'We better do some inspection on our cyber-security program because we don't want to be in the same situation,'" says Chris Wysopal, Veracode co-founder and chief information security officer (CISO). "I talked to a CISO who was told that at the next board meeting, he needed to do a two-hour update on their security program. Boards are feeling that they need to take some responsibility." Overall, the study shows that 66 percent of respondents did not have confidence that their companies were properly secured against cyber-attacks. These board members listed their top three security concerns as brand damage, breach costs and a lost competitive advantage. The study also shows that 70 percent of respondents have high-level concerns about the risks presented by third-party software in their supply chains. Companies are also realizing that attacks are occurring through break-ins at their suppliers. "There is awareness that attackers are finding a quicker way into an organization than attacking them directly," he says.

- and -

Companies hope cybersecurity experts in the boardroom can counter hacks (LA Times, 16 August 2015) - The board of directors at construction and engineering company Parsons Corp. needed to fill a seat two years ago. Naturally, they wanted someone with communication and leadership skills. They also needed someone new: an expert to help them battle computer hackers, cyberthieves, electronic spies, digital vandals and anybody else out to wreak havoc in a connected world. The privately held Pasadena firm's latest board member is Suzanne Vautrinot, a retired Air Force major general who helped create the Department of Defense's U.S. Cyber Command and led the Air Force's IT and online battle group. Parsons is at the forefront of a fast-expanding trend in corporate governance: the elevation of cybersecurity experts to the boardroom, a perch traditionally occupied by former CEOs and specialists in marketing and finance. In recent months, AIG, Blackberry, CMS Energy, General Motors and Wells Fargo have added a board member with computer-security knowledge. Delta Air Lines and Ecolab did the same in recent years. Data show that corporate boards have a long way to go. Just 11% of public-company boards queried this year reported a high-level understanding of cybersecurity, the National Assn. of Corporate Directors said. A review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack. Yet consulting firm PricewaterhouseCoopers reports that 30% of boards surveyed never talk about cybersecurity at all. David Burg, U.S. cybersecurity leader at PwC, said he's still receiving an "amazing" number of requests from boards for basic education. For example, PwC helps boards compare their company's security approach with competitors'. There's a big problem with the whole trend, though: a shortage of cyber-qualified board candidates. John Pironti, a risk and security advisor for the professional group ISACA, is urging his members to ask for more responsibilities during this "big hump of sensitivity," so they'll be primed for larger advisory roles in the future - including on boards of directors.

Judge rules as unconstitutional New Hampshire law banning posting of voted ballots to social media (MLPB, 12 August 2015) - In Rideout v. Gardner, United States District Court Judge Paul Barbadoro has ruled that a New Hampshire statute prohibiting individuals from posting images of their filled-in ballots on social media violates the First Amendment. The state attempted to justify the law as a content neutral restriction. After extensive discussion of the statute's legislative history, the judge examined it under strict scrutiny, noting that it banned posting of executed ballots, not of ballots that had not been filled in, as well as for other reasons. The judge ruled that the state could not meet the required burden. It could not demonstrate that a less restrictive alternative to meet its stated goal - that of preventing vote buying - was available. [Polley: see related discussion from last year in MIRLN 17.16 here.]

Germans are so scared of surveillance they microwave their ID cards (WaPo, 14 August 2015) - When it comes to privacy, Germans can't take a joke. After it was revealed that the U.S. National Security Agency had intercepted calls in Germany, sales of old-school typewriters were reported to have skyrocketed, as some Germans assumed that sending letters might make communications surveillance harder for U.S. officials. It's not only American surveillance that Germans are concerned about, however. On Tuesday, a 29-year-old man was arrested at Frankfurt Airport after authorities noticed that he had microwaved his German identification card, reported German news agency dpa. According to a police statement, the man was concerned that his privacy might be violated by the microchip that has been embedded in all German IDs since 2010. The man now faces either a fine or time in jail for the offense of illegally modifying official documents. According to German law, identification documents are state property.

FinCEN rules commodity-backed token services are money transmitters (CoinDesk, 14 August 2015) - The Financial Crimes Enforcement Network (FinCEN) has issued a new ruling applicable to US businesses seeking to tokenize commodities for blockchain-based trading. Despite being a response to a specific inquiry by an unnamed company, the letter could be read as broadly applicable to startups seeking to both custody physical assets and issue a digital asset for use in trading. Under such business models, FinCEN suggests startups would need to be licensed in all 50 states. The letter describes the company behind the submission as one that provides an "Internet-based brokerage service" that connects buyers and sellers of precious metals; buys and sells precious metals on its own account; holds precious metals for clients and issues "digital proof of custody" in the form of a token on the bitcoin blockchain. In this specific instance, FinCEN argues the company in question does not fall under an electronic currency or commodities trading exemption as it allows "unrestricted transfer of value from a customer's commodity position to the position of another customer or a third-party". The statement is the latest from FinCEN to clarify which types of US bitcoin services it considers money transmitters following similar declarations for bitcoin processors, escrow services and miners, among other groups.

- and -

Research examines blockchain securities under US commercial law (Coindesk, 27 August 2015) - Cryptosecurities and blockchain recordkeeping systems may not be subject to commercial transactions law under the US Uniform Commercial Code (UCC), according to new research from Cardozo Law. Penned by professor Jeanne Schroeder, the 60-page research paper, released this week, provides a wide-ranging overview of how bitcoin transactions, both financial and non-financial, would be governed by laws relating to the exchange of property across US states. The paper is the latest to highlight potential legal issues that could arise in disputes over ownership of cryptographic assets, such as bitcoin, following research by law firm Perkins Coie in January. At issue is that bitcoin does not fit the UCC's definition of money and challenges conventional notions of custody. While the paper echoes many of Perkins Coie's conclusions, it is perhaps one of the first to speculate on how the UCC would apply to alternative uses of blockchains. For example, Schroeder cites decentralized application platform Ethereum and Overstock's tØ as platforms designed to enable the use of tokens outside of currency and payments.

Split works debate raises thorny issues for music companies (TechDirt, 14 August 2015) - Michael Corleone would understand. Just when music companies and their performance-rights organizations (PROs) thought they were getting out from under supervision by the U.S. Department of Justice, the DOJ may be about to pull them back in. For some time now, the DOJ's Antitrust Division has been investigating whether to modify the special antitrust consent decrees that govern the two leading PROs: the American Society of Composers And Publishers (ASCAP) and Broadcast Music Inc. (BMI). These broad settlements, originally reached in 1941, were designed to prevent anti-competitive behavior by the music publishers and set the rules for how the PROs can operate. This includes licensing on non-discriminatory terms (preventing the PROs from blocking a radio station or music service from playing their songs). The consent decrees have been modified before; BMI's was amended in 1994 and ASCAP's in 2001. But some music publishers argue these agreements are showing their age. The publishers and the PROs are hoping (and expressly asking) the DOJ to agree with their view that, here in the Internet Era, digital music doesn't need so much government intervention. Some suggest the DOJ's antitrust lawyers have shown sympathy to arguments for a "partial withdrawal" of digital copyrights from the consent-decree framework. But new arrangements to replace that framework ultimately may pull the labels and PROs back in. Billboard reported recently that the DOJ may be considering revisions that impose an even tighter regulatory scheme. According to the report, the Justice Department circulated a letter letting ASCAP and BMI know it is considering allowing any single co-owner of a "split work" - also known as a "fractional," "co-authored" or "co-pub" composition - to issue a license for 100 percent of the work. This is in contrast to the current practice in the music industry, whereby everyone who has a piece of the copyright needs to agree to license the work. The music companies have let their resulting unhappiness be known, albeit only off-the-record.

Heightened risk of cyberattacks puts pressure on law firms to bolster defenses (Legaltech News, 14 August 2015) - As pressure to strengthen defenses against security breaches increases, organizations are in a race against the clock to shore up their resistances. Given the likelihood of an impending hack on the treasure trove of sensitive data they handle, this risk is further exaggerated for law firms. On a scale of one to 10, the risks law firms are facing are an 11, according to Daniel Solove, professor at George Washington Law School and organizer of the Privacy + Security Forum. Underscoring this urgency is data from Mandiant, a division of FireEye, which finds that 80 of the 100 biggest law firms in the U.S. have been hacked since 2011 (see infographic on next page). Law firms have become a bigger target for cybercrime due to two main factors, according to Jeffrey Norris, CISSP, senior director of information security at LexisNexis. * * *

- and -

Cybersecurity data sharing is now available to law firms (NY Law Journal, 19 August 2015) - Law firms now have access to a platform that allows them to share data on cybersecurity threats anonymously. The Legal Services Information Sharing and Analysis Organization, or LS-ISAO, will announce its launch on Wednesday and will alert firms to potential cyber threats and vulnerabilities. The Financial Services Information Sharing and Analysis Center, also known as FS-ISAC, the financial industry's forum for cyber threat discussion, is providing guidance and support to the law firm service. Cindy Donaldson, FS-ISAC's vice president of products and services, said the center has been communicating with more than 180 law firms, and she expects more firms to express interest after the launch. She declined to say which firms or how many have applied and proven eligibility. Davis Polk & Wardwell is among the firms that applied. "Today, law firms are working pretty independently on fighting off the different attacks that are coming toward us," said John Kapp, Davis Polk's global director of information technology. He said the new cyber group "is a force multiplier when we can share information amongst ourselves anonymously and we can be aware of what attacks are happening against other law firms. We protect our law firm and vice versa." To become a member of the law firm forum, firms must submit an application, pay an $8,000 membership fee and meet eligibility criteria. The primary criterion is that a firm have the majority of its lawyers in the U.S., Canada or the United Kingdom, Donaldson said, adding that could change over time. Law firm members within the International Legal Technology Association and its cybersecurity-focused component, LegalSEC, also played a significant role in working with FS-ISAC to establish the service. Law firm members of the service will receive email alerts and advisories on cyber threats and vulnerabilities, as well as physical threats such as weather events, for actionable intelligence in the hopes of preventing an attack. Firms will be able to submit information anonymously. [see also Law firms form their own threat intel-sharing group (Dark Reading, 20 August 2015)]

- and -

Law firms can now share cyber threats. But will they? (BloombergBNA, 21 August 2015) - Foley & Lardner is taking various measures to protect its servers against cyber thieves, including educating everyone at the firm, conducting audits and investing resources in protection, according to Chanley Howell, a partner who sits on the firm's cybersecurity committee. But it's not planning to join an alliance of law firms that plan to share information about cyber threats. "Our plate is pretty full," Howell told Big Law Business. "It's not on our agenda yet - I'll put it that way. If we start hearing clients recommend it, then we'll probably join." Jeremiah Buckley, founding partner of Buckley Sandler who has written about cyber risk with a particular focus on electronic signatures, said as a general rule law firms' efforts to beef up their cybersecurity has come in response to client pressure. In particular, clients in regulated industries, such as the financial services industry, have passed on pressure to protect against cyber risk by auditing their vendors including law firms, Sandler said. Buckley said his firm is not a member of the LS-ISAO. Sharing information about cyber threats opens new risks, namely that rival firms could exploit information about an attack to tarnish another firm's reputation, he explained. Even if shared anonymously, a law firm could do some digging and investigation to determine which of its competitors were subject to attacks, Buckley said.

Court provides guidance on how to effectively communicate online terms of service (InternetCases.com, 17 August 2015) - Are online terms of service provided via hyperlink in an email binding on the recipient of that email? The Second Circuit recently addressed that question, and the decision gives guidance on best practices for online providers. Plaintiff booked a trip to the Galapagos Islands using defendant's website. When she purchased her ticket, she got a booking information email, a confirmation invoice and a service voucher. One evening during the trip, a tour guide allegedly assaulted plaintiff. She sued defendant for negligently hiring and training that tour guide. Defendant moved to dismiss, pointing to language in the online terms and conditions that called for disputes to be heard in Canadian court. The district court dismissed the action, and plaintiff sought review with the Second Circuit. On appeal, the court affirmed. It held that defendant had reasonably communicated the forum selection clause to plaintiff by using hyperlinks and the appropriate language in the terms and conditions.

Yes, the appeals court got basically everything wrong in deciding API's are covered by copyright (TechDirt, 18 August 2015) - Copyright expert and professor Pam Samuelson, one of the most respected scholars of copyright law, has published a short paper explaining what she calls the "three fundamental flaws in CAFC's Oracle v. Google decision." As you may recall, that ruling was a complete disaster, overturning a lower court decision that noted that application programming interfaces (APIs) are not copyrightable, because Section 102 of the Copyright Act pretty clearly says that: In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work. But CAFC got super confused, and basically ignored 102 while misunderstanding what an API actually is. After the White House itself got confused, the Supreme Court refused to hear the case. This means that the CAFC ruling stays in place, despite it being at odds with lots of other courts. And this might not be a huge problem, since most copyright cases won't go to CAFC. The only reason the Oracle case went to CAFC was because it started out as a patent case, and CAFC gets all patent appeals, even if the appeal has nothing to do with patents. Except... of course, now there's incentive to toss in a bogus patent complaint along with a questionable "interface copyright" complaint just to get it into CAFC's jurisdiction. Samuelson's paper is a good read (and we'll get to it), but I'd actually argue it's a bit too tame, and leaves out the really fundamental flaw in the CAFC ruling and in the White House brief: these non-programmers don't realize that an API is not software. Almost all of the mistakes stem from this simple fact. They assume that an API is software. And this is highlighted very clearly in the CAFC ruling where they quote Pam Samuelson out of context and then completely miss what she's actually saying. Here's from that ruling: * * *

How Google could rig the 2016 election (Politico, 19 August 2015) - America's next president could be eased into office not just by TV ads or speeches, but by Google's secret decisions, and no one - except for me and perhaps a few other obscure researchers - would know how this was accomplished. Research I have been directing in recent years suggests that Google, Inc., has amassed far more power to control elections - indeed, to control a wide variety of opinions and beliefs - than any company in history has ever had. Google's search algorithm can easily shift the voting preferences of undecided voters by 20 percent or more - up to 80 percent in some demographic groups - with virtually no one knowing they are being manipulated, according to experiments I conducted recently with Ronald E. Robertson. Given that many elections are won by small margins, this gives Google the power, right now, to flip upwards of 25 percent of the national elections worldwide. In the United States, half of our presidential elections have been won by margins under 7.6 percent, and the 2012 election was won by a margin of only 3.9 percent - well within Google's control. What we call in our research the Search Engine Manipulation Effect (SEME) turns out to be one of the largest behavioral effects ever discovered. Our comprehensive new study, just published in the Proceedings of the National Academy of Sciences (PNAS), includes the results of five experiments we conducted with more than 4,500 participants in two countries. Because SEME is virtually invisible as a form of social influence, because the effect is so large and because there are currently no specific regulations anywhere in the world that would prevent Google from using and abusing this technique, we believe SEME is a serious threat to the democratic system of government.

Location, sensors, voice, photos?! Spotify just got real creepy with the data it collects on you (Forbes, 20 August 2015) - Music streaming market leader Spotify has decided that it wants to know a lot more about you. It wants to be able to access the sensor information on your phone so it can determine whether you're walking, running or standing still. It wants to know your GPS coordinates, grab photos from your phone and look through your contacts too. And it may share that information with its partners, so a whole load of companies could know exactly where you are and what you're up to. This has all been made apparent by a rather significant update to the Spotify privacy policy, pushed out to users today. Upon opening the Spotify app up this morning, your reporter was greeted with a request to agree to the new conditions. A quick comparison with the previous privacy policy using the Wayback Machine showed some major changes had been made.

- and, a day later -

Spotify tries to put out a privacy fire (ReCode, 21 August 2015) - No, Spotify doesn't want to root around your phone's address book, or your photos. That's the message the music service is sending out today - after clumsily suggesting otherwise earlier this week. "We should have done a better job in communicating what these policies mean and how any information you choose to share will - and will not - be used," the company says in a post attributed to CEO Daniel Ek. "We understand people's concerns about their personal information and are 100 percent committed to protecting our users' privacy and ensuring that you have control over the information you share." Ek's post - titled "Sorry!" - is a reaction to a reaction to new privacy terms Spotify began rolling out this week in different countries around the world. The terms vary a bit depending on the territory, but you can get a good sense of them here.

BitTorrent tracker blocks Windows 10 users (ZDnet, 24 August 2015) - Windows 10 is quickly gaining fans. Some of them, however, are growing distrustful of Windows 10's privacy settings. Some BitTorrent sites don't trust Windows 10 at all. So, at least one BitTorrent tracker, iTS, has blocked Windows 10 users from accessing torrents from their site. Others are considering banning Windows 10 users. In a YouTube video, iTS proclaimed that "Windows 10 is nothing more than a spy tool that will keep track of every action, email, conversation, video, picture, or anything else that you do on your computer." iTS based its position largely on Microsoft's new unified services and privacy agreements, specifically the clause which states that, "We may automatically check your version of the software and download software updates or configuration changes, including those that prevent you from accessing the Services, playing counterfeit games, or using unauthorized hardware peripheral devices." In addition, the BitTorrent site's administrators are concerned that even if you do lock Windows 10's privacy settings down, Windows 10 will still transmit some data to Microsoft. iTS might have been able to live with that, but it's who Microsoft shares your data with that brought it to the end of its rope. In a Reddit post, iTS states: "Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy company [sic] called MarkMonitor. Amongst other things Windows 10 sends the contents of your local disks directly to one of their servers. Obviously this goes way too far and is a serious threat to sites like ours which is why we had to take measures."

Why your doctor won't friend you on Facebook (NPR, 25 August 2015) - Doctors' practices are increasingly trying to reach their patients online. But don't expect your doctor to "friend" you on Facebook - at least, not just yet. Physicians generally draw a line: Public professional pages - focused on medicine, similar to those other businesses offer - are catching on. Some might email with patients. But doctors aren't ready to share vacation photos and other more intimate details with patients, or even to advise them on medication or treatment options via private chats. They're hesitant to blur the lines between personal lives and professional work and nervous about the privacy issues that could arise in discussing specific medical concerns on most Internet platforms. Some of that may eventually change. One group, the American College of Obstetricians and Gynecologists, broke new ground this year in its latest social media guidelines. It declined to advise members against becoming Facebook friends, instead leaving it to physicians to decide. But even the use of these professional pages raises questions: How secure are these forums for talking about often sensitive health information? When does using one complicate the doctor-patient relationship? Where should boundaries be drawn? For patients, connecting with a physician's office or group practice on Facebook can be a simple way to keep up with basic health news. It's not unlike following a favorite sports team, your child's middle school or the local grocery store. One Texas-based obstetrics and gynecology practice, for instance, uses a public Facebook page to share tips about pregnancy and childcare, with posts ranging from suggestions on how to stay cool in the summer to new research on effective exercise for post-birth weight gain. Practices have also been known to share healthy recipes, medical research news, and scheduling details for the flu shot season.
Historically, professional groups including the American College of Physicians and American Academy of Family Physicians have advised against communicating through personal Facebook pages. The American Medical Association notes social media can be a valuable way to spread health information, but urged doctors in its 2010 guidelines to separate their personal and professional online identities to "maintain professional boundaries." * * *

The FTC takes charge -- FTC v. Wyndham (Paul Rosenzweig in Lawfare, 26 August 2015) - As Wells reported Monday, the Third Circuit has issued its decision in Federal Trade Commission v. Wyndham Worldwide Corp. Readers may recall the background of the case. Wyndham was hacked by a Russian criminal gang who stole a host of personally identifiable information maintained by Wyndham for its customers -- everyone, essentially, who ever stayed at the hotel chain. The FTC brought a suit against Wyndham with two allegations -- one (not terribly controversial legally) that Wyndham had misrepresented its cyber security practices. The other (much more controversial legally) alleging that the failure to take adequate cybersecurity measures was an "unfair business practice" subject to regulation by the FTC. Wyndham's principal argument in court was that reading "unfair business practices" to include inadequate or unreasonable cybersecurity measures was a bridge too far and that, as a result, the FTC was acting ultra vires. The Third Circuit decision is a resounding victory for the FTC. The court first determined that there was ample legal authority for the FTC to address cybersecurity practices as unfair. It then held, in a significant portion of the ruling, that the FTC's prior actions in respect of various consent decrees gave Wyndham ample notice of what constituted an inadequate program of cybersecurity (and, by inference, some indication of adequacy). This opinion is likely to be the most consequential cybersecurity opinion of a court this year or for the near future. Here are some of the implications: * * * [Polley: good analysis of the implications.] * * * All of this means that the FTC now owns cybersecurity in the private sector. Which is an odd result. One would surely have thought that DHS (or DoD or DOJ or even the Department of Commerce) would have had a more salient role in defining standards for the private sector.
But somehow, we've converted a consumer protection mandate into a cybersecurity obligation and assigned that role to an independent agency. Candidly, I don't think the FTC is up to the task -- not in terms of staffing nor in terms of expertise -- but we will soon see how that turns out.

RESOURCES

Free six-part course on encrypting email and securing your network sessions against snooping (Jeff Reifman on Tut+, July 2015) [Polley: Spotted by MIRLN reader Mike McGuire]

AI and Free Speech (MLPB, 18 August 2015) - Toni M. Massaro, University of Arizona College of Law and Helen L. Norton, University of Colorado School of Law, are publishing Siri-ously? in volume 110 of the Northwestern University Law Review (2015). Here is the abstract: Computers with communicative artificial intelligence are pushing First Amendment theory and doctrine in profound and novel ways. They are becoming increasingly self-directed and corporal in ways that may one day make it difficult to call the communication "ours" versus "theirs." This, in turn, invites questions about whether the First Amendment ever will (or ever should) protect AI speech or speakers even absent a locatable and accountable human creator. In this Essay, we explain why current free speech theory and doctrine pose surprisingly few barriers to this counterintuitive result; the elasticity of current theory and doctrine suggests that speaker humanness no longer may be a logically essential part of the First Amendment calculus. We further observe, however, that free speech theory and doctrine provide a basis for regulating, as well as protecting, the speech of nonhuman speakers to serve the interests of their human listeners should strong AI ever evolve to this point. Finally, we note that the futurist implications we describe are possible, but not inevitable. Indeed, contemplating these outcomes for AI speech may inspire rethinking of the free speech theory and doctrine that makes them plausible.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Will the UN run the internet? (CNET, 11 July 2005) -- An international political spat is brewing over whether the United Nations will seize control of the heart of the Internet. U.N. bureaucrats and telecommunications ministers from many less-developed nations claim the U.S. government has undue influence over how things run online. Now they want to be the ones in charge. While the formal proposal from a U.N. working group will be released July 18, it's already clear what it will contain. A preliminary summary of governmental views claims there's a "convergence of views" supporting a new organization to oversee crucial Internet functions, most likely under the aegis of the United Nations or the International Telecommunications Union. Beyond the usual levers of diplomatic pressure and public kvetching, Brazil and China could choose what amounts to the nuclear option: a fragmented root. At issue is who decides key questions like adding new top-level domains, assigning chunks of numeric Internet addresses, and operating the root servers that keep the Net humming. Other suggested responsibilities for this new organization include Internet surveillance, "consumer protection," and perhaps even the power to tax domain names to pay for "universal access." This development represents a grave political challenge to the Internet Corporation for Assigned Names and Numbers (ICANN), which was birthed by the U.S. government to handle some of those topics. A recent closed-door meeting in Geneva convened by the U.N.'s Working Group on Internet Governance offers clues about the plot to dethrone ICANN. As these excerpts from a transcript show, dissatisfaction and general-purpose griping is rampant * * *

Brit license plates get chipped (Wired, 9 August 2005) -- The British government is preparing to test new high-tech license plates containing microchips capable of transmitting unique vehicle identification numbers and other data to readers more than 300 feet away. Officials in the United States say they'll be closely watching the British trial as they contemplate initiating their own tests of the plates, which incorporate radio frequency identification, or RFID, tags to make vehicles electronically trackable.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, August 08, 2015

MIRLN --- 19 July – 8 August 2015 (v18.11)

MIRLN --- 19 July - 8 August 2015 (v18.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Troubling trademark ruling over Amazon's internal search results (Eric Goldman, 13 July 2015) - When a consumer asks a retailer for a product the retailer doesn't carry, how should the retailer respond? A recent federal appellate court opinion suggested that Amazon.com gave the wrong answers to consumers searching for a watch brand that it didn't carry. Multi-Time Machine makes high-end military-style watches under brand names including "MTM Special Ops." MTM tightly controls its distribution channels. As a result, Amazon.com doesn't carry MTM's watches. When Amazon consumers searched for "MTM Special Ops Watches" in Amazon's internal search engine, consumers were provided a list of "aesthetically similar, multi-function watches manufactured by MTM's competitors" such as Luminox and Chase-Durer, but the search results page did not expressly say that Amazon doesn't carry MTM watches. Amazon's disclosures on its internal search results page differ from competitors Buy.com and Overstock.com, both of whom "clearly announce that no search results match the 'MTM Special Ops' query and those websites do not route the visitor to a page with both MTM's trademark 'MTM Specials Ops' repeatedly at the top and competitors' watches below. Their pages show the search query playback but then forthrightly state that no results for the 'MTM Special Ops' search query were found, and then list competitors' products." MTM claimed that Amazon's search results constituted trademark infringement. The district court ruled for Amazon, saying that the search results page didn't create actionable consumer confusion. In a split vote, last week the Ninth Circuit Court of Appeals reversed, holding that Amazon's search results presentation might constitute trademark infringement and sending the case to the jury. The majority opinion focuses on a much-criticized trademark doctrine called initial interest confusion.
The Ninth Circuit has had a dozen or so cases addressing initial interest confusion, and its handling of the doctrine has vacillated wildly. In 1999, the Ninth Circuit adopted an exceptionally (and, in my opinion, unreasonably) overbroad definition of the concept. This led to a series of tortured and inconsistent rulings until 2011, when the Ninth Circuit adopted a more constrained definition that virtually killed the doctrine. In this case, the Ninth Circuit bypasses its 2011 definition and instead defines initial interest confusion from a 2004 ruling.

Best practices for protecting client information, according to the CFPB (Lawyerist, 18 July 2015) - New federal regulations promulgated by the Consumer Financial Protection Bureau will apply to real estate lawyers. But they are also a pretty solid starting point for any lawyer or law firm. Here's a summary of the best practices, compiled by Law Technology Today's Pegeen Turner: * * *

DoJ: Firms should hire cyber-savvy lawyers (eCommerce Times, 20 July 2015) - Hardly a day goes by without a headline about a cyberintrusion. No entity is immune -- international retailers, airlines, hotels, mom and pop stores, cloud providers -- even the U.S. government. However, it seems that few businesses contemplate how important it is for their attorney to know and understand cybersecurity, as well as know what to do when a cyberintrusion occurs. The U.S. government -- itself a cybervictim -- provides the guidance we have been waiting for. The Cybersecurity Unit, part of the Computer Crime & Intellectual Property Section (CCIPS) within the Department of Justice Criminal Division, earlier this year issued its Best Practices for Victim Response and Reporting of Cyber Incidents. The Cybersecurity Unit is responsible for implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. CCIPS prevents, investigates and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions and foreign counterparts. Of course, many DoJ employees are lawyers who have to assess crimes and help prosecute the bad guys. The CCIPS therefore is actually one of the best sources of information about cyberintrusions. The DoJ report includes 15 pages of best practices. This column focuses on just one of them, but you might want to look at the entire report.
It is a best practice for every business to have "legal counsel that is familiar with legal issues associated with cyber incidents" and with technology and cyberincident management, since "cyber incidents can raise unique legal questions," according to the DoJ: "An organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic surveillance, and communications privacy laws). Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice. Many private organizations retain outside counsel who specialize in legal questions associated with data breaches while others find such cyber issues are common enough that they have their own cyber-savvy attorneys on staff in their General Counsel's offices. Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization's decision making and help ensure that a victim organization's incident response activities remain on firm legal footing."

- and -

Do you need a cybersecurity attorney on retainer? (CSO, 4 August 2015) - Developing plans to protect your digital information and network while complying with state and federal regulations can be a legal challenge for any corporation. Is relying on in-house counsel enough, or should companies have a cybersecurity attorney on retainer? Having the consultation of a cybersecurity attorney while developing an incident response plan is instrumental. Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents. "A decade ago there was not enough demand in the field of cyber security law to build a practice around it," said JJ Thompson, chief executive officer at Rook Security. Today, entire practices are flourishing in the field of cyber security law. Cybersecurity attorneys play a greater role now than they did five to 10 years ago because they have more specific and more informed expertise than general litigators. Thompson noted, "To not have a cybersecurity attorney on retainer is foolhardy at best," because organizations need somebody who is a specialist in what Thompson identified as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance, and working with government. * * *

Constitutional Malware (Stanford's Jonathan Mayer, 20 July 2015) - Abstract: The United States government hacks computer systems, for law enforcement purposes. According to public disclosures, both the Federal Bureau of Investigation and Drug Enforcement Administration are increasingly resorting to computer intrusions as an investigative technique. This article provides the first comprehensive examination of how the Constitution should regulate government malware. When applied to computer systems, the Fourth Amendment safeguards two independent values: the integrity of a device as against government breach, and the privacy properties of data contained in a device. Courts have not yet conceptualized how these theories of privacy should be reconciled. Government malware forces a constitutional privacy reckoning. Investigators can algorithmically constrain the information that they retrieve from a hacked device, ensuring they receive only data that is - in isolation - constitutionally unprotected. According to declassified documents, FBI officials have theorized that the Fourth Amendment does not apply in this scenario.

New MSU center aims to improve practice of law (Michigan State U, 20 July 2015) - With fewer students enrolling in law schools and the high expense of legal services, the legal profession needs radical change, says a Michigan State University College of Law professor who hopes to make a difference with a new legal research center. MSU Law's Center for Legal Services Innovation - LegalRnD for short - launched this month, introducing students to leaner, more effective business models and the use of data and technology to improve legal services. Studies show about three out of four people with low to moderate incomes don't receive the legal services they need, said Daniel Linna Jr., assistant dean for career development and director of LegalRnD. At the same time, businesses often go without legal services because of the expense. But it's important to bring law to everyone who needs it - and that means shaking things up. "We work hard for our clients, but we haven't stepped back and seriously asked ourselves, 'How can we improve legal service delivery for our clients?'" Linna said. "Nor have we invested in legal research and development. As a solution, we intend to engage in the research and development the legal industry hasn't done to develop 21st-century legal practice." LegalRnD classes are interdisciplinary, taught by faculty from other MSU colleges. And in the fall, Ken Grady, a leading expert in the legal industry, will join LegalRnD, teaching legal service delivery. Innovation is a big focus of LegalRnD, Linna said. In June, LegalRnD was the coordinating sponsor of LexHacks, a legal "hackathon" in Chicago. Lawyers, law students, technologists and other professionals competed for $5,250 in prizes to create solutions to improve legal services.

Law firm notifies clients after laptop stolen on trolley (DataBreaches.net, 22 July 2015) - The California law firm of Atkinson, Andelson, Loya, Ruud & Romo is notifying clients after a personal laptop belonging to a member of the firm was stolen while the attorney was on the MTS Trolley in downtown San Diego on April 23. Since that time, the firm has been working with law enforcement but, to date, they have been unable to locate or recover the stolen laptop computer. According to the notification letter signed by James H. Palmer, their General Counsel: Working with outside computer forensic experts, we have confirmed that the laptop may have contained confidential information. We believe based on that investigation that the laptop contained personally identifiable information, including names, addresses, telephone numbers and social security numbers. The laptop did not contain driver's license numbers but may have contained certain financial information and/or medical records of individuals. We have no reason to believe that the laptop was stolen for the information it contained. We also have no information indicating that this information has been accessed or used in any way. Those being notified are offered free credit monitoring and protection services with ID Experts service, MyIDCare.

California says you must understand e-discovery in order to litigate (Lawyerist, 22 July 2015) - California's proposed ethics opinion on attorney duties in e-discovery has been finalized. The opinion is unsurprising in terms of its analysis of today's technology and long-standing ethics rules, and it highlights that in today's world, discovery is extremely complex and high stakes. In the Committee on Professional Responsibility and Conduct Formal Opinion No. 2015-193, California makes it abundantly clear that a lawyer who does not understand how electronically stored information is managed and retrieved for litigation purposes needs to get assistance before embarking on discovery in just about any matter. While there may not be electronic discovery in every case, every case does need to be evaluated for it, and when e-discovery is going to be conducted by either side, the lawyers involved need to understand (or get help understanding) the way the information is stored, retained, deleted, and mined. The potential for ethics violations is extremely high, and with that potential comes incredible malpractice exposure. Here's the full opinion * * *

NACD suggests questions for boards to ask cybersecurity officers (Cooley, 22 July 2015) - As reported in the WSJ, the National Association of Corporate Directors advises that boards ask their companies' chief information security officers some pointed questions about cybersecurity risks. Often, boards just ask whether the company is vulnerable to cyberattacks like those recently experienced at the U.S. Office of Personnel Management and at a number of private companies. But that's not likely to be effective, the NACD argues. Why not? Because no security system is perfect and all companies are vulnerable to some extent. Instead, the NACD recommends, boards should focus on decreasing the risk of attack as well as understanding the process that is in place to manage a cyberattack should one occur. Copied below are examples the NACD views as more effective questions for boards to ask their heads of cybersecurity: * * * Directors are advised to engage CISOs regularly and, where necessary, encourage the CISO to educate board members about the range of potential security problems: only "11% of board members across industries say they have a 'high level' of knowledge about the topic, according to a recent NACD survey of 1,034 directors." Finally, NACD advocates that CISOs work with board members to develop "a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies…."

Law firms see insurance as bulwark against data breach (Bloomberg, 24 July 2015) - David Johnson had just finished meeting with a cybersecurity consultant about beefing up the company's protections when he learned the servers had been hacked. As general counsel of Global Cash Access, a company that manages cash on hand for casinos, Johnson was highly concerned about protecting the company servers: Literally, millions of dollars were at stake. Hiring a consultant to sniff out vulnerabilities had been the first step taken by the company's new senior vice president of IT, and everyone at the meeting had agreed the consultant should take the next few months to see if he could penetrate their computer system. But it didn't even take that long: The consultant walked to his car outside their office, opened his laptop and immediately hacked into their servers. "It was kind of like, 'Oh. This isn't good,'" said Johnson, now a Duane Morris partner, who said the IT department made several major changes as a result. The incident, which took place in 2013, illustrates how difficult it can be to accurately assess the vulnerability of one's system and why General Counsel consistently rank cybersecurity as a top concern in surveys. And yet even as lawyers position themselves as experts who can advise companies on cybersecurity threats, many law firms are being targeted and experiencing data breaches. "Our law firm clients report being extorted or threatened with denial of service and being held hostage," said Mark Greenwood, managing director with Aon Risk Solutions, which sells cyberinsurance to several dozen law firms. Greenwood declined to disclose which firms had reported a breach, but said the minimum cost of hiring a consultant to identify the hole in a cybersecurity system and to then fix it is $500,000.
He further estimated that the largest law firms are paying for $5 million to $40 million in coverage, mid-size firms are purchasing up to $10 million in coverage, and smaller firms are buying up to $5 million in coverage. The insurance provides firms with a "coach" who can take the lead if a breach occurs, crisis communication and PR specialists, as well as online training and support from IT professionals, according to Greenwood. In the last year alone, his group has signed up 30 new law firms for cyber insurance, he said. But most data breach incidents at law firms have not publicly surfaced, although there have been a few incidents - at least one small law firm in Southern California was forced to send letters to clients after a breach and there have been reported incidents of other larger firms being targeted. In May, the New York Times obtained and published an article about an internal report at Citigroup that suggested law firms are likely vulnerable targets for hackers, but that it was difficult to tell if data breaches are on the rise or not because there is no regulatory reporting requirement for the legal industry.

top

Seventh Circuit: data breach victims have standing based on future harm (Venkat Balasubramani, 24 July 2015) - Plaintiffs sued Neiman Marcus on behalf of a putative class alleging claims arising out of a 2013 data breach. Neiman Marcus informed its customers (in 2014) that an attack had occurred and 350,000 cards had been exposed. Neiman Marcus first learned of fraudulent charges in December 2013, but according to plaintiffs, Neiman Marcus kept the information confidential so as to not disrupt the "lucrative holiday shopping season". Neiman Marcus's position was that while card information was compromised, no other sensitive information was exposed. Neiman Marcus also offered one year of free credit monitoring and identity-theft protection to customers that had made card purchases within a certain time period. Plaintiffs asserted a variety of claims, including negligence, breach of implied contract, unjust enrichment, unfair business practices, invasion of privacy, and violations of state data breach laws. The district court granted Neiman Marcus's 12(b)(6) motion to dismiss. On appeal, the Seventh Circuit reverses. Plaintiffs alleged two categories of imminent injuries: (1) increased risk of future fraudulent charges, and (2) greater susceptibility to ID theft. They also alleged present injuries: (1) lost time resolving fraudulent charges; (2) lost time and money protecting themselves against ID theft; (3) loss from having shopped at Neiman Marcus now that they were aware of its shoddy data security practices; and (4) loss of control over their personal information. As to the people who have already seen fraudulent charges and expended the time to "sort things out," the court says that they clearly have standing. The court also says that plaintiffs who are apprehensive about future unreimbursed charges and who take preventative measures likewise satisfy standing.
Neiman Marcus argued that the common practice of credit card companies is to reimburse for such fraudulent charges and thus preventative measures are unnecessary, but the court says this places a spin on the facts. Bank reimbursement policies are not definitive and universally applied. While the risk of harm was for something that is likely to occur in the future, this does not preclude standing under Clapper, a recent Supreme Court case. [see also Change in the prevailing winds in consumer data breach cases? (Mintz Levin, 22 July 2015)]

top

Akamai on broadband: A few surprises and a new (but useless) metric (AEI, 24 July 2015) - Akamai's most recent "State of the Internet" report is 60 pages of insightful data on broadband around the world. The report contains reiterations of many things we already knew (including that the US is not, in fact, falling behind), but also offers some surprising insights into IPv6 adoption and a completely new - albeit somewhat useless - metric. In terms of Internet speeds in different US states, Delaware ranks number one with an average peak (Akamai's measure of broadband capacity) of 85.6 Mbps. If Delaware were a country, it would rank 3rd overall, behind Singapore and Hong Kong. In the overall global ranking, Singapore retains the lead with an average broadband capacity of 98.5 Mbps. * * * While there are few surprises in Akamai's speed rankings, the IPv6 adoption rankings are a different ballgame. Belgium is the world leader in IPv6, followed by Germany and then the US. This is surprising since conventional wisdom says China - which didn't even make the top 10 - is the biggest adopter. There may be a lot of IPv6 within China, but none of the external sensors see it. [Polley: some interesting tables and graphs]

top

Georgia sues Carl Malamud group, calls publishing state's annotated code of laws online unlawful (ABA Journal, 24 July 2015) - A nonprofit founded by Carl Malamud, a 2009 ABA Journal Legal Rebel who was once described by the New York Times as a "self-styled Robin Hood of the information age," has been sued by the state of Georgia. Public.Resource.Org is accused of violating copyright law by distributing the Official Code of Georgia Annotated on the Internet, reports Techdirt. Malamud is president of the group and is known for his campaigns to make statutes, case decisions and government documents freely available to the public. The state is not asserting that it is a copyright violation to publish the text of the statutes themselves, "since the laws of Georgia are and should be free to the public." However, Public.Resource.Org has no right to republish the annotated version of Georgia's code, which is created by a third-party legal publisher as a work for hire under contract with the state legislature, alleges the complaint (PDF). It was filed Tuesday in federal district court in Atlanta. As part of the contract, LexisNexis makes the text of the Georgia statutes freely available online at www.legis.ga.gov, the state notes. But Malamud and his group want more and have downloaded copyrighted material in an effort to push for greater access, the suit contends: "Defendant is employing a deliberate strategy of copying and posting large document archives such as the OCGA (including the copyrighted annotations) in order to force the State of Georgia to provide the OCGA, in an electronic format acceptable to Defendant. Defendant's founder and president, Carl Malamud, has indicated that this type of strategy has been a successful form of 'terrorism' that he has employed in the past to force government entities to publish documents on Malamud's terms." Georgia is seeking a court order prohibiting both copying and use of its copyrighted material in derivative works.
The suit also seeks seizure of infringing material and attorney's fees and costs.

top

Twitter is deleting stolen jokes on copyright grounds (The Verge, 25 July 2015) - Let's face it: coming up with a grade-A tweet isn't easy. That's why some people just copy good tweets from other people and act like they came up with the 140-character witticism on their own. This has been going on since the beginning of Twitter. It now appears Twitter is using its legal authority to crack down on these tweet-stealers. A number of tweets have been deleted on copyright grounds for apparently stealing a bad joke. As first spotted by @PlagiarismBad, at least five separate tweets have been deleted by Twitter for copying this joke: * * * [Polley: I'd have included the joke here notwithstanding possible copyright infringement liability (I think I'd have had pretty decent affirmative defenses), but just don't get it.] Olga Lexell, who, according to her Twitter bio, is a freelance writer in LA, appears to be the first person to publish the joke on Twitter. In a tweet posted this afternoon, she confirmed that she did file a request to have the tweets removed: I simply explained to Twitter that as a freelance writer I make my living writing jokes (and I use some of my tweets to test out jokes in my other writing). I then explained that as such, the jokes are my intellectual property, and that the users in question did not have my permission to repost them without giving me credit. Twitter, like many companies that host content from users, has an entire system for handling claims of copyright infringement. Under the Digital Millennium Copyright Act (DMCA), Twitter is provided "safe harbor" from copyright claims so long as it does not try to protect infringing material. Typically, claims concern embedded media like photos and videos, or they're for tweets that link to other websites that are illegally hosting copyrighted material, like movies. It's rarer for a DMCA request to involve the actual text of a 140-character tweet.

top

- and -

Radio Berkman 225: Can you copyright a joke? (Harvard's Berkman Center podcast, 31 July 2015; 17 minutes) - With 316 million users posting 500 million tweets a day, someone is bound to write an unoriginal tweet now and then. But there are some Twitter users whose entire existence relies completely on plagiarizing tiny jokes and relatable observations created by other Twitter users. Many plagiarizing accounts have follower numbers ranging from the thousands to the millions, meaning their exposure can lead to career opportunities and sponsorships built on the creativity of others who are just getting started in their writing careers. So it was not without excitement that Twitter users found out last week that they can report plagiarizing accounts to Twitter under the Digital Millennium Copyright Act, and have these copied tweets removed. But now we're forced to ask the question: are jokes protected under copyright? We asked Andy Sellars of Harvard Law School's Cyberlaw Clinic to weigh in.

top

Patents for startups (Patently-O, 26 July 2015) - Google's cross-licensing program "LOT" continues to grow and apparently now includes more than 300,000 patent properties. LOT Network operates as a poison pill for patent rights. In particular, members agree to license their entire portfolio of patents to all other members. However, the license only becomes effective if the patent is transferred to a non-LOT member, such as a patent assertion entity. For many major operating companies, the most dangerous new patents will likely come from the start-up world and so Google (and others) have been considering how to get start-ups to join the network. The company's most recent proposal is its "Patent Starter Program" where Google will give away two patent families to start-up companies who agree to join the LOT Network. http://www.google.com/patents/licensing/. It will be interesting to watch as this development moves forward.

top

Public confidential information: California weighs in, asks for comments (David Hricik on Patently-O, 27 July 2015) - Suppose you get a call from a third party about a matter you're handling for a client. She tells you that she had written a blog post about a prior dispute she had had with your client, which your client had paid to settle. Per your request, she emails you a link to the blog post. You forward the link to a friend, saying nothing about it other than "this is interesting." Did you do anything wrong? The information you forwarded was not privileged: it came from a third party, so that doctrine doesn't apply. But lawyers' obligation of confidentiality extends far beyond privileged information, to protecting "confidential" information. Whether information is "confidential" turns on applicable law, and in some states it includes even information that was publicly available when the lawyer was representing the client. Generally, confidential information must be kept confidential if revealing it would be detrimental to the client or former client, or the client had asked that it not be revealed. The California bar association has a proposed bar opinion that would make it clear that, while not privileged, even public information must be accorded protection as confidential information. The California bar has asked for comments, and you can do so here, and find the entire opinion. Now think about patent practice. You learn about a piece of prior art while representing Client A. For whatever reason, it wasn't pertinent to Client A's application, so you didn't disclose it. The patent issues. The matter ends. Now you're representing Client B in prosecution. You remember that piece of prior art, and if you disclose it in Client B's case, it is more likely that Client B will get a patent that, let's say, will help it compete with former Client A. Can you? Must you?
There are a lot of ways this issue comes up in patent practice, and some states like this proposed California opinion take a counterintuitive view of what is confidential. Be careful out there and be sure to think about whether the USPTO rules, or your state rules, would control on that question.

top

NY Public Library's moving image specialist Arlene Yu on dance as 'useful art' (Broadway World.com, 28 July 2015) - "Dear Miss Hutchinson," the letter begins, "...I was very much interested in an article by John Martin entitled "They Score a Dance as Others Do Music" which appeared in the New York Times Magazine, issue of July 2, 1950. It occurred to me to inquire whether you had at all considered the possibility of copyrighting the scores of new ballets as expressed by the dance notation explained in the article. It seems to me conceivable that by copyrighting such a score, not only could the notation as expressed be protected against unauthorized reproduction but also, and more importantly, the copyright might protect the dance itself against performance except when authorized by the proprietor of the copyright." The letter, dated July 19, 1950, was from Richard S. MacCarteney, the Chief of the Reference Division of the U.S. Copyright Office. "Miss Hutchinson" was Ann Hutchinson, later Hutchinson Guest, one of the leading authorities on dance notation, and more specifically, Labanotation. Two years later, the choreography by Hanya Holm for the Cole Porter musical Kiss Me, Kate became the first dance work ever accepted for copyright registration in the United States. "Choreography is Copyrighted for the First Time," trumpeted the New York Herald Tribune, calling the registration an "epoch-making event in the dance field." Quoting attorney Arnold Weissberger, the Herald Tribune explained the significance of the Copyright Office's acceptance of Kiss Me, Kate as the first "'recognition of a choreographic work as an independent creation.'" By November 1953, the Copyright Office had issued Circular No. 51, specifically covering the copyright of choreographic works as "dramatic or dramatico-musical compositions."
Although choreography would still not be fully recognized as copyrightable - except as a type of dramatic work - until the Copyright Act of 1976, the 1952 registration of Kiss Me, Kate 's choreography marked an important step in the acceptance of dance as a serious art form, separate from theater and music.

top

US likely to scale back planned limits on intrusion-software exports (Reuters, 29 July 2015) - The U.S. Department of Commerce said on Wednesday it will revise regulations intended to restrict the export of software that can be used to break into computers and smart phones. An initial draft of the regulations, published in May, attracted hundreds of comments, many of them complaints that the rules were so broad as to bar the easy sale of standard tools used to test electronic security. "All of those comments will be carefully reviewed and distilled, and the authorities will determine how the regulations should be changed," a spokesman for the Commerce Department said in an interview. "A second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn." The spokesman, who declined to give his name, said the process will take months. The step had been expected after the avalanche of objections from major technology companies as well as security specialists. Even some activists who applauded the idea of cracking down on the sale of tools to despotic regimes that spy on dissidents said the draft had been clumsy. Some version of regulation is called for under the latest iteration of the Wassenaar agreement among 41 countries, which limits the movement of "dual-use" technologies sought for both peaceful and military purposes. The U.S. plan had gone further than other countries, for example, in taking aim at tools for finding software flaws. "We're very encouraged," said Joseph Lorenzo Hall, chief technologist at the nonprofit Center for Democracy & Technology. He said he expected the next set of rules to be more narrowly tailored and added that the trade group would keep pushing to deregulate cryptography software and protect security research.

top

Eighth Circuit adds to confusion over when emails are protected by ECPA (Steptoe, 30 July 2015) - The Eighth Circuit has ruled, in Anzaldua v. Northeast Ambulance and Fire Protection District, that copies of emails stored in a "draft" or "sent" folder are not in "electronic storage" and therefore are not protected under the Stored Communications Act (SCA), a part of the Electronic Communications Privacy Act (ECPA). The plaintiff alleged that his ex-girlfriend and employer had accessed, without his permission, a copy of one email he drafted but did not send, and a copy of another that he had already sent. The court held that the emails were not in "electronic storage" when they were accessed because they were not in "temporary, intermediate storage" incident to transmission and also were not being held for purposes of "backup protection." This decision adds to the confusion among courts over how to interpret the statute's definition of electronic storage.

top

OMB mulling cybersecurity guidelines for contractors (Law360, 30 July 2015) - The White House Office of Management and Budget announced on Thursday that it will soon release draft guidance on data security measures for federal contractors. The agency cited a need to protect federal agency data, which is increasingly stored on contractors' and subcontractors' systems, and said that it will review acquisition and information technology policies currently in place for third-party vendors. The draft guidance will be posted and available for comment at policy.cio.gov, the OMB said. "The increase in threats facing federal information systems demand that... (sub. req'd.)

top

Global law firm implements innovative internal messaging system (BeSpacific, 30 July 2015) - "In an idea that has yet to be fully embraced by its staff, DLA Piper has introduced its own internal Twitter for enterprise called Grapevine. Using Greets instead of Tweets, Grapevine is an open security model which is being used to send messages; spread news, information and know-how across the firm; and send automated messages to update fee-earners on areas such as matter status and bill payments. It is envisaged that Grapevine, which is the brainchild of chief information officer Daniel Pollick and his team, will become a replacement for the 'no action required by you' element of email, allowing staff to consume news when they choose."

top

Rise of facial recognition queried by US agency (BBC, 31 July 2015) - A government-related agency in the US has suggested lawmakers consider strengthening privacy laws around facial recognition. Such systems are increasingly being used in public areas, such as shopping centres. The Government Accountability Office (GAO) did not make specific recommendations but suggested the need for a legal review. The report comes a month after privacy campaigners walked out of discussions on creating a code of conduct for private companies wishing to use facial-recognition technology. The GAO report pointed out that there was currently a dearth of relevant legislation in the United States on the issue. "No federal privacy law expressly regulates commercial uses of facial-recognition technology, and laws do not fully address key privacy issues stakeholders have raised," it said.

top

Broken Windows theory (Slate, 3 August 2015) - Windows 10 is the operating system Microsoft needs. In other words, it's not Windows 8, a Frankenstein's monster of a tablet-plus-desktop OS that alienated everyone from PC manufacturers to corporate users. Instead, Windows 10 is an incremental improvement on Windows 7, one that is faster, slicker, and has some new bells and whistles, like virtual desktops and functional tablet support. One of Windows 10's leaps, unfortunately, is straight into your personal data. Apple and Google may have ignited the trend of collecting increasing amounts of their customers' information, but with Windows 10, Microsoft has officially joined that race. By default, Windows 10 gives itself the right to pass loads of your data to Microsoft's servers, use your bandwidth for Microsoft's own purposes, and profile your Windows usage. Despite the accolades Microsoft has earned for finally doing its job, Windows 10 is currently a privacy morass in dire need of reform. The problems start with Microsoft's ominous privacy policy, which is now included in the Windows 10 end-user license agreement so that it applies to everything you do on a Windows PC, not just online. It uses some scary broad strokes: Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary. Apple's and Google's privacy policies both have their own issues of collection and sharing, but Microsoft's is far vaguer when it comes to what the company collects, how it will use it, and who it will share it with, partly because Microsoft's one-size-fits-all privacy policy currently applies to all your data, whether it's on your own machine or in the cloud. As Microsoft puts it: Rather than residing as a static software program on your device, key components of Windows are cloud-based.
… In order to provide this computing experience, we collect data about you, your device, and the way you use Windows. In other words, Microsoft won't treat your local data with any more privacy than it treats your data on its servers and may upload your local data to its servers arbitrarily, unless you stop Microsoft from doing so. Microsoft's security story has been far from perfect; this move could make it far worse. For now, it's not easy to restrict what Windows collects, but here's how.

top

Uncovering Echelon: the top-secret NSA/GCHQ program that has been watching you your entire life (Tech Crunch, 3 August 2015) - If history is written by the victors, government surveillance agencies will have an awfully long list of sources to cite. Domestic digital surveillance has often seemed to be a threat endured mostly by the social media generation, but details have continued to emerge that remind us of decades of sophisticated, automated spying from the NSA and others. Before the government was peering through our webcams, tracking our steps through GPS, feeling every keystroke we typed and listening and watching as we built up complex datasets of our entire personhood online, there was still rudimentary data to be collected. Over the last fifty years, Project ECHELON has given the UK and United States (as well as other members of the Five Eyes) the capacity to track enemies and allies alike within and outside their states. The scope has evolved in that time period from keyword lifts in intercepted faxes to its current all-encompassing data harvesting. In a piece published today in The Intercept, life-long privacy advocate Duncan Campbell describes his past few decades tracking down the elusive Project ECHELON, "the first-ever automated global mass surveillance system." [Polley: Interesting piece. Echelon has been an open "secret" for a couple decades, but got drowned out by Snowden disclosures; we were discussing Echelon's possible scope in ABA proceedings in the 1990s.]

top

Appeals court says Netflix doesn't violate privacy by displaying viewing history to anyone using that account (TechDirt, 3 August 2015) - The Ninth Circuit Appeals Court has upheld a win for Netflix in yet another privacy class-action lawsuit arising from the publication of then-Supreme Court nominee Robert Bork's rental history oh so many years ago. The Video Privacy Protection Act sprang into being in 1988 and was used to extract a settlement from Netflix over 20 years later. The lawsuit Netflix settled featured one key difference: in that case, rental information -- in the form of "anonymized data" -- was released to third parties working on better suggestion algorithms in hopes of winning $1 million. In this case, no information was released in any form to third parties… at least not in this sense. At the center of this lawsuit were complaints that Netflix exposed viewing history to certain third parties, i.e., anyone who used the same login as the account holder. This would include family, friends and guests at a person's residence. Since Netflix allows any number of devices to be allowed to access the account simultaneously (depending on how much you want to pay per month), one person's viewing history could theoretically be accessed by a great many people. So, while there may be a privacy concern, it isn't a logical one. The information "exposed" to third parties is done so willingly by the account holder by sharing login info/logged-in devices with other viewers. Certainly the original account holder would like immediate access to recently viewed content. But this convenience also allows anyone using that login to see what's been viewed by that account.

top

US authority warns hospitals over use of hackable drug pump (BBC, 3 August 2015) - The US Food and Drug Administration is now "strongly encouraging" hospitals not to use a leading brand of drug pump over hacking fears. Hospira, which made the Symbiq Infusion System pump, had already discontinued the product for business reasons. The devices were previously revealed to be hackable by an independent researcher. The manufacturer told the BBC at the time that it was working with the FDA on a more secure system. The FDA is urging healthcare facilities to switch to alternative infusion systems "as soon as possible". Although no known instances of hacking have occurred, Hospira said in June that vulnerabilities discovered by security researcher Billy Rios were being investigated by the firm, in co-operation with the Department of Homeland Security (DHS) and the FDA. Mr Rios recently published a blog post in which he claimed the security flaw had gone unfixed for over a year. The FDA's statement said that the agency was continuing to investigate the issues but advised hospitals to take action now. In 2007 there were more than 400,000 Hospira pumps in use in hospitals around the world, according to the company's website.

top

What happened when we got subpoenaed over our Tor exit node (Boing Boing, 4 August 2015) - Tor, The Onion Router, is a privacy and anonymity network that bounces traffic around the Internet in nested cryptographic wrappers that make it much harder to tell who its users are and what they're doing. It's especially hated by the NSA and GCHQ. Many people run Tor nodes, but only a few run "exit nodes" through which traffic exits the Tor network and goes out to the public, normal Internet. Having a lot of exit nodes, with high-speed connections, is critical to keeping Tor users safe and secure. We wanted to do our bit for allowing, for example, Bahraini and Chinese dissidents to communicate out of view of their domestic spy agencies, so we turned some of our resources over to Tor in 2012, including access to our blazing-fast Internet connection. The nightmare scenario for Tor exit-node operators is that you'll get blamed for the stuff that people do using your node. In Germany and Austria, prosecutors have actually brought criminal action against Tor exit-node operators. So we were a little freaked out in June when an FBI agent sent us a subpoena ordering us to testify before a federal grand jury in New Jersey, with all our logs for our Tor exit node. We contacted our lawyer, the hard-fightin' cyber-lawyer Lauren Gelman, and she cooled us out. She sent the agent this note: Special Agent XXXXXX. I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached). The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net/). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.
I would be happy to discuss this further with you if you have any questions. And that was it. The FBI agent did his homework, realized we had no logs to give him, and no one had to go to New Jersey. Case closed. For us, anyway. Not sure what went down with the grand jury. I'm not saying that everyone who gets a federal subpoena for running a Tor exit node will have this outcome, but the only Tor legal stories that rise to the public's attention are the horrific ones. Here's a counterexample: Fed asks us for our records, we say we don't have any, fed goes away.

top

LOT Polish airlines now accepting Bitcoin (Tech Crunch, 5 August 2015) - I'm not a big fan of the "X accepts bitcoin" type of post but this one is near and dear to my heart - and actually interesting. LOT Polish airlines, the official Polish air carrier, is now accepting bitcoin. What does that mean? It means that you'll soon be able to pay BTC to go to KRK. The transactions are being handled by PSP, a Polish payments platform backed by a number of forward-thinking Polish banks. Interestingly, Poland is a leader in payments with a number of clever smaller banks offering more NFC and bitcoin payment options than anywhere else in Europe. airBaltic and Air Lituanica are also accepting bitcoin but LOT is the first major carrier to do so in Europa Centralna. Hopefully soon we can pay for our Tyskie in Satoshis.

top

CA4: Accessing cell site data without a warrant violates Fourth Amendment (Lawfare, 5 August 2015) - Earlier today, a three-judge panel of the Fourth Circuit handed down its quite important decision in United States v. Graham. The gist of the two-judge majority opinion (penned by Senior Circuit Judge Andre Davis) is to hold, first, that accessing cell site data without a warrant violated the defendants' Fourth Amendment rights; but, second, that the violation did not require suppression, because it resulted from law enforcement's good faith reliance on procedures set forth by the Stored Communications Act. The majority's ruling adds to a circuit split on the Fourth Amendment issue: It tracks a decision of the Third Circuit, but conflicts directly with judgments issued by the Fifth and Eleventh Circuits, the latter of which took up the question en banc and found no constitutional violation.

top

James Comey: Retweets equal material support for terrorism, but don't worry, we'll only prosecute real terrorists (TechDirt, 7 August 2015) - Better add that "RTs ≠ endorsements" line to your Twitter profile. Huffington Post's Ryan J. Reilly's coverage of the FBI's efforts against ISIS notes that FBI head James Comey considers retweeting to be material support of terrorism. But that's OK, because the FBI's crew of mind-readers will make sure that anyone who didn't "mean it" avoids prosecution. "Knowing it was wrong, you provided material support for a terrorist organization or some other offense," Comey said, explaining how the FBI sees these suspects in response to Huffington Post questions during a meeting with reporters last month. "That is the bulwark against prosecuting someone for having an idea or having an interest. You have to manifest a criminal intent to further the aims prohibited by the statute." Asked if reposting materials alone would cross the line, Comey said the answer would be different based on the individual circumstances. "It would depend upon what your mental state is in doing it," the FBI director said. "I can imagine an academic sharing something with someone as part of research would have a very different mental intent than someone who is sharing that in order to try and get others to join an organization or engage in an act of violence. So it's hard to answer in the abstract like that."


RESOURCES

Key findings from the 2015 US state of cybercrime survey (PWC, July 2015) - It's no wonder, then, that we found rising concern among the 500 US executives, security experts, and others from the public and private sectors who participated in the 2015 US State of Cybercrime Survey. In fact, 76% of respondents said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59% the year before. Organizations must summon the vision, determination, skills, and resources to build a risk-based cybersecurity program that can quickly detect, respond to, and limit fast-moving threats. The US State of Cybercrime Survey is a collaborative effort with PwC, CSO, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service. Survey is here.


Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning (GAO, 23 July 2015) - Department of Defense (DOD) installations have experienced utility disruptions resulting in operational and fiscal impacts due to hazards such as mechanical failure and extreme weather. Threats, such as cyber attacks, also have the potential to cause disruptions. In its June 2014 Annual Energy Management Report (Energy Report) to Congress, DOD reported 180 utility disruptions lasting 8 hours or longer, with an average financial impact of about $220,000 per day, for fiscal year 2013. Installation officials provided specific examples to GAO, such as at Naval Weapons Station Earle, New Jersey, where in 2012, Hurricane Sandy's storm surge destroyed utility infrastructure, disrupting potable and wastewater service and resulting in almost $26 million in estimated repair costs. DOD officials also cited examples of physical and cyber threats, such as the "Stuxnet" computer virus that attacked the Iranian nuclear program in 2010 by destroying centrifuges, noting that similar threats could affect DOD installations. * * * Military services have taken actions to mitigate risks posed by utility disruptions and are generally taking steps in response to DOD guidance related to utility resilience. For example, installations have backup generators and have conducted vulnerability assessments of their utility systems. Also, DOD is in the planning stages of implementing new cybersecurity guidance, by March 2018, to protect its industrial control systems (ICS), which are computer-controlled systems that monitor or operate physical utility infrastructure. Each of the military services has working groups in place to plan for implementing this guidance. 
However, the services face three implementation challenges: inventorying their installations' ICS, ensuring personnel with expertise in both ICS and cybersecurity are trained and in place, and programming and identifying funding for implementation. For example, as of February 2015, none of the services had a complete inventory of ICS on their installations. Without overcoming these challenges, DOD's ICS may be vulnerable to cyber incidents that could degrade operations and negatively impact missions. Full report here.


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

A&E, National Geographic to send TV over Internet (Reuters, 5 Jan 2005) -- Four cable television channels, including A&E and National Geographic, will use the Internet to broadcast programs in a deal with video-on-demand company Akimbo Systems, Akimbo said on Wednesday. The Biography Channel and the History Channel are also part of the announcements at the Consumer Electronics Show, the largest annual technology trade show in the United States. A major theme at the show this year is the proliferation of lower-priced, larger high-definition television screens, and companies like Akimbo are scrambling to carve out a niche providing content for those big screens. Privately held Akimbo sells a programming service and a television set-top box that uses high-speed Internet connections to gather and store TV shows. It can hold up to 200 hours of video. A&E, Biography Channel and History Channel -- all units of A&E Television Networks, a joint venture of broadcasters ABC and NBC and the Hearst Corp. -- will provide various shows like "American Justice," "Biography," "Growing Up Gotti" and "Dog the Bounty Hunter" to Akimbo. National Geographic will serve up programs from its library and films like "Inside the Pentagon" and "21 Days to Baghdad."


Hollywood seeks iTunes for film (CNET, 30 March 2005) -- Sony Pictures Digital Entertainment is trying to develop and own the next iTunes--but for films. "We want to set business models, pricing models, distribution models like (Apple Computer CEO Steve) Jobs did for music, but for the film industry," Michael Arrieta, senior vice president of Sony Pictures, said at the Digital Hollywood conference here. "I'm trying to create the new 'anti-Napster,'" he added. To that end, Arrieta said, his group plans to digitize Sony Pictures' top 500 films and make them available for the first time in various digital environments within the next year. He said the distribution for films like "Spider-Man 2" will go beyond just Movielink, the video-on-demand joint venture of Sony Pictures and several other major studios, which to date has hosted a limited library of Sony's movies. For example, Sony plans to sell and make films available in flash memory for mobile phones in the next year, Arrieta said. It also will further develop its digital stores for downloading and owning films on the PC, he said in an interview. Sony's plans--and similar moves by other studios--are likely to avoid empowering any one technology company--such as Apple in the music equation--and allow studios to pocket more of the profits. The philosophy in Hollywood is "Define your own agenda or someone else will for you."


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.