Saturday, July 25, 2009

MIRLN --- 5-25 July 2009 (v12.10)

• Great Wall of Facebook: the Social Network’s Plan to Dominate the Internet — and Keep Google Out
• For Jurors in Michigan, No Tweeting (or Texting, or Googling) Allowed
• Spies Like Us: NSA to Build Huge Facility in Utah
• Another City Caught Lowering Yellow Light Times to Catch More Red Light Runners
• Weitzner to Head NTIA Policy Shop
o Twitter Nabs a Legal Eagle from Google
• Cybersecurity Plan to Involve NSA, Telecoms
• British Spy Chief’s Cover Blown on Facebook
• Court: IP Addresses Are Not ‘Personally Identifiable’ Information
• LinkedIn Reviews Can Come Back to Haunt Employers, Lawyers Say
• New Law Floods California with Medical Data Breach Reports
• Everything Ohio, and Then Some, is on New Web Site
• Easy Cybersecurity -- Publish SSNs
• Accessing Employees’ Private Internet Chatroom Violates Stored Communication & Wiretap Laws
• Prosecutor: Cloud Computing is Security’s Frontier
o Concerns Raised as LA Looks to Google Web Services
• AP Proposes New Article Formatting for the Web
• Employer Violates the National Labor Relations Act by Selectively Targeting Union Related E-Mails
• North Korean Cyberattacks
• 85 Percent of U.S. Businesses Breached
o Data Attacks More Frequent than CEOs Think
• Clearing Rights for Content: Ask First
o Legal Row Over National Portrait Gallery Images Placed on Wikipedia
• Republishing Third Party Ratings in Marketing Material Might be Copyright/Trademark Infringement
• Middle East Blackberry Update Spies on Users
• PCI Council Publishes Wireless Security Guidelines for Payment Cards
• Facebook Violates Canadian Privacy Law
• Amazon Erases Orwell Books From Kindle
• The Future Of Scholarship? Harvard Goes Digital With Scribd
• Social Networks Appeal, But Not to the Firm
• University of Michigan, Amazon Offer 400,000 Titles with Print-On-Demand


NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

**** NEWS ****
GREAT WALL OF FACEBOOK: THE SOCIAL NETWORK’S PLAN TO DOMINATE THE INTERNET — AND KEEP GOOGLE OUT (Wired 17.07, 22 June 2009) - Today, the Google-Facebook rivalry isn’t just going strong, it has evolved into a full-blown battle over the future of the Internet—its structure, design, and utility. For the last decade or so, the Web has been defined by Google’s algorithms—rigorous and efficient equations that parse practically every byte of online activity to build a dispassionate atlas of the online world. Facebook CEO Mark Zuckerberg envisions a more personalized, humanized Web, where our network of friends, colleagues, peers, and family is our primary source of information, just as it is offline. In Zuckerberg’s vision, users will query this “social graph” to find a doctor, the best camera, or someone to hire—rather than tapping the cold mathematics of a Google search. It is a complete rethinking of how we navigate the online world, one that places Facebook right at the center. In other words, right where Google is now. http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall [Editor: quite interesting explication of how Facebook could leverage social connections to more-tailored/more-effective “search” and give Google a real run-for-the-money.]

FOR JURORS IN MICHIGAN, NO TWEETING (OR TEXTING, OR GOOGLING) ALLOWED (Nat’l Law Journal, 1 July 2009) - Call it the silencing of the tweets. The Michigan Supreme Court has laid the hammer down on gadget-happy jurors in banning all electronic communications by jurors during trial, including tweets on Twitter, text messages and Google searches. The ruling, which takes effect Sept. 1, will require Michigan judges for the first time to instruct jurors not to use any handheld device, such as iPhones or Blackberrys, while in the jury box or during deliberations. The state’s high court issued the new rule on Tuesday in response to prosecutors’ complaints that jurors were getting distracted by their cell phones, smart phones and PDAs, in some cases texting during trial or digging up their own information about a case and potentially tainting the judicial process. Wouldn’t common sense suggest that’s wrong? “I don’t think jurors go out and Google stuff thinking it’s wrong. Sometimes it just doesn’t click,” said Charles Koop, immediate past president of the Prosecuting Attorneys Association of Michigan, which pushed for the new rule. “I think it brings home to the conscientious jurors -- which most jurors are -- that I’m not supposed to do this.” The new rule also helps older judges, who might not be tech-savvy, stop jurors from doing things in their courtroom that they are unaware of, said Koop, prosecuting attorney in Antrim County, Mich. “Judges of an older age may not be in tune as much as younger judges as to what’s going on out there,” Koop said, adding the constantly evolving PDAs are especially problematic for the courts. “It’s a new technology. We’re playing catch-up.” http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1202431952628&For_jurors_in_Michigan_no_tweeting_or_texting_or_Googling_allowed_&slreturn=1

SPIES LIKE US: NSA TO BUILD HUGE FACILITY IN UTAH (Salt Lake Tribune, 2 July 2009) - Hoping to protect its top-secret operations by decentralizing its massive computer hubs, the National Security Agency will build a 1-million-square-foot data center at Utah’s Camp Williams. The years-in-the-making project, which may cost billions over time, got a $181 million start last week when President Obama signed a war spending bill in which Congress agreed to pay for primary construction, power access and security infrastructure. The enormous building, which will have a footprint about three times the size of the Utah State Capitol building, will be constructed on a 200-acre site near the Utah National Guard facility’s runway. Congressional records show that initial construction -- which may begin this year -- will include tens of millions in electrical work and utility construction, a $9.3 million vehicle inspection facility, and $6.8 million in perimeter security fencing. The budget also allots $6.5 million for the relocation of an existing access road, communications building and training area. Officials familiar with the project say it may bring as many as 1,200 high-tech jobs to Camp Williams, which borders Salt Lake, Utah and Tooele counties. It will also require at least 65 megawatts of power -- about the same amount used by every home in Salt Lake City combined. A separate power substation will have to be built at Camp Williams to sustain that demand, said Col. Scott Olson, the Utah National Guard’s legislative liaison. He noted that there were two significant power corridors that ran through Camp Williams -- a chief factor in the NSA’s desire to build there. http://www.sltrib.com/ci_12735293

ANOTHER CITY CAUGHT LOWERING YELLOW LIGHT TIMES TO CATCH MORE RED LIGHT RUNNERS (TechDirt, 2 July 2009) - It’s been shown repeatedly that redlight cameras don’t appear to make intersections any safer, but they do act as a nice revenue generator for cities. In fact, at times it’s such a tempting revenue generator that city officials cannot resist the urge to tamper with the timing of the lights to get more people running “red” lights that really should have been yellow. The latest such case, as pointed out by Jeff Nolan, happened in Arizona. According to regulations, the yellow light at a certain intersection was required to last 4.3 seconds: 4 seconds for the road being 40 mph and another 0.3 seconds due to the way the road curves. Yet, over 1,000 motorists were ticketed, in part because the traffic light had been adjusted so that the yellow light only lasted 3 seconds, 70% of the required length. Thanks to some enterprising motorists who timed the light and complained, those who were caught are getting back their money and having the citations removed from their record. http://techdirt.com/articles/20090701/1842145429.shtml

WEITZNER TO HEAD NTIA POLICY SHOP (National Journal, 2 July 2009) - Daniel Weitzner will be the next chief of the policy office at the Department of Commerce’s National Telecommunications and Information Administration, according to government sources. Weitzner served as a technology advisor to President Obama’s campaign for president. He has been involved in the Computer Science and Artificial Intelligence Laboratory at the Massachusetts Institute of Technology and co-directs MIT’s Decentralized Information Group with Internet expert Tim Berners-Lee. Weitzner was a founder and deputy director for the Center for Democracy and Technology and has also been a senior staff counsel at the Electronic Frontier Foundation. Weitzner was among the first to advocate user control technologies such as content filtering and rating to protect children and avoid government censorship of the Internet, according to his bio on W3.org, the World Wide Web Consortium. His arguments played a critical role in the 1997 Supreme Court case Reno v. ACLU, awarding strong free speech protections to the Internet. Weitzner successfully advocated for adoption of amendments to the Electronic Communications Privacy Act creating new privacy protections for online transactional information such as Web site access logs. http://techdailydose.nationaljournal.com/2009/07/weitzner-to-head-ntia-policy-s.php

- and -

TWITTER NABS A LEGAL EAGLE FROM GOOGLE (New York Times, 11 July 2009) - Twitter, the popular micro-blogging service, has stolen a prominent Google lawyer. The start-up has hired Alexander Macgillivray, deputy general counsel for products and intellectual property at Google, to be its general counsel, according to a person with knowledge of the hiring. Mr. Macgillivray has been an important member of the Google legal team, spearheading the controversial settlement with authors and book publishers over Google’s scanning of millions of out-of-print library books. Mr. Macgillivray, 36, has also represented Google in a wide variety of other matters, including Viacom’s copyright lawsuit against YouTube and complaints from The Associated Press that Google improperly used its content. Before he joined Google, Macgillivray was with Wilson Sonsini Goodrich & Rosati, the prominent Silicon Valley law firm. http://bits.blogs.nytimes.com/2009/07/11/twitter-nabs-a-legal-eagle-from-google/?partner=rss&emc=rss

CYBERSECURITY PLAN TO INVOLVE NSA, TELECOMS (Washington Post, 3 July 2009) - The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials. President Obama said in May that government efforts to protect computer systems from attack would not involve “monitoring private-sector networks or Internet traffic,” and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems. But the program has provoked debate within DHS, the officials said, because of uncertainty about whether private data can be shielded from unauthorized scrutiny, how much of a role NSA should play and whether the agency’s involvement in warrantless wiretapping during George W. Bush’s presidency would draw controversy. Each time a private citizen visited a “dot-gov” Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network. Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks. Proponents of involving the government said such efforts should harness the NSA’s resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said. “That’s the secret sauce,” one official said. 
“It’s the stuff they have that the private sector doesn’t.” The pilot program has two goals. The first is to prove that the telecommunications firm can route only traffic destined for federal civilian agencies through the monitoring system. The second is to test whether the technology can work effectively on civilian government networks. The sensor box would scan e-mail messages and other content just before they enter the civilian agency networks. The classified NSA system, known as Tutelage, has the ability to decide how to handle malicious intrusions -- to block them or watch them closely to better assess the threat, sources said. It is currently used to defend military networks. http://www.washingtonpost.com/wp-dyn/content/article/2009/07/02/AR2009070202771.html?wprss=rss_technology

BRITISH SPY CHIEF’S COVER BLOWN ON FACEBOOK (Reuters, 4 July 2009) - The wife of the new head of Britain’s spy agency has posted pictures of her husband, family and friends on Internet networking site Facebook, details which could compromise security, a newspaper said on Sunday. Sir John Sawers is due to take over as head of the Secret Intelligence Service in November. The SIS, popularly known as MI6, is Britain’s global intelligence-gathering organization. In what the Mail on Sunday called an “extraordinary lapse,” the new spy chief’s wife, Lady Shelley Sawers, posted family pictures and exposed details of where the couple live and take their holidays and who their friends and relatives are. The details could be viewed by any of the many millions of Facebook users around the world, but were swiftly removed once authorities were alerted by the newspaper’s enquiries. http://tech.yahoo.com/news/nm/20090705/wr_nm/us_britain_mi6_1

COURT: IP ADDRESSES ARE NOT ‘PERSONALLY IDENTIFIABLE’ INFORMATION (MediaPost, 6 July 2009) - In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information. “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft’s user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don’t include people’s names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals. Last month, Jones sided with Microsoft and dismissed the case before trial. But some say that Jones’s decision about IP addresses is inconsistent with other recent opinions about the issue. Eric Goldman, director of the High Tech Law Institute at Santa Clara University, points out that the European Union considers IP addresses to be personal information. Last year, the EU said that search engines should expunge users’ IP addresses as soon as possible. Additionally, a court in New Jersey ruled last year that Internet service providers can’t disclose users’ IP addresses without a subpoena, on the theory that people expect their IP addresses will be kept private. 
Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticizes the Microsoft ruling as “a silly decision.” “The judge didn’t understand the significance of the IP address or the reason that it was collected,” he says. Rotenberg adds that the judge prematurely dismissed the case, arguing that more facts were needed to determine whether IP addresses were personally identifiable. http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=109242 Ruling here: http://www.steptoe.com/assets/attachments/3869.pdf

LINKEDIN REVIEWS CAN COME BACK TO HAUNT EMPLOYERS, LAWYERS SAY (ABA Journal, 7 July 2009) - Management-side employment lawyers are advising their clients against writing recommendations for current or recent employees on LinkedIn. If an employer writes a positive review for an employee who is later fired, that review could be presented as evidence that discrimination rather than performance brought on the termination, lawyers told the National Law Journal. “Generally, my advice is that I think employers are often better served by merely stating dates of employment, positions with the company and salary, and staying away from much more because there are so many potential ramifications if they say something,” Carolyn Plump, a partner at Philadelphia’s Mitts Milavec told the National Law Journal. “If they say something negative, there could be a lawsuit. If they say something positive, there could be a lawsuit.” The story cites a recent poll from Jump Start Social Media stating that 75 percent of hiring managers use LinkedIn to research candidates. Employee-rights attorney Linda Friedman of Chicago’s Stowell & Friedman said LinkedIn recommendations can also backfire on a plaintiff. If a supervisor makes identical recommendations on LinkedIn or another website of everyone under him or her, that could disprove a discrimination claim, Friedman said. http://www.abajournal.com/weekly/linkedin_reviews_can_come_back_to_haunt_employers_lawyers_say

NEW LAW FLOODS CALIFORNIA WITH MEDICAL DATA BREACH REPORTS (Wired, 9 July 2009) - California officials have received more than 800 reports of health data breaches in the first five months after a new state law went into effect January 1. The law requires health care organizations in California to report suspected incidents of intentional and unintentional unauthorized breaches of a patient’s personally identifiable health information to the California Department of Public Health. The agency, however, says it was surprised by the large number of reports it received in such a short period, according to the Journal of the American Health Information Management Association, and expects that number to increase dramatically as organizations become more familiar with the reporting procedures. Of the cases reported, which also include complaints from patients, officials have conducted full investigations on 122 cases so far and confirmed 116 as actual breaches. The types of breaches run the gamut from unintentionally faxing a patient’s chart or test reports to the wrong phone number to intentional snooping by workers. Most of the breaches reported so far have been unintentional. Officials can fine offending organizations or individuals up to $250,000 for a breach, depending on the nature of the breach and the extent of the harm it caused. Los Angeles-based Kaiser Permanente Bellflower Medical Center was the first to be fined this amount after investigators determined that 23 hospital workers inappropriately accessed the medical records of Nadya Suleman, aka “the Octomom”. http://www.wired.com/threatlevel/2009/07/health-breaches

EVERYTHING OHIO, AND THEN SOME, IS ON NEW WEB SITE (Columbus Dispatch, 9 July 2009) - Ohio Secretary of State Jennifer Brunner fulfilled one of her 2006 campaign pledges yesterday by unveiling an online tool offering access to a plethora of information about Ohioans, their counties and their state. That includes detailed statistics for each county compiled from 18 different state and federal sources about the economy, public safety and other areas affecting quality of life. For example, it’s possible to review and compare poverty statistics, foreclosure rates and other economic indicators over time, plus data for 300 other indicators, even including the number of library visits in each county. The site is designed for researchers, chambers of commerce, nonprofit groups applying for grants, students, and state and local governments considering important public-policy decisions. The idea is to identify areas of strength and help understand challenges. The data will be updated as new information becomes available, and other sources may be added depending on demand, Brunner said. “Essentially, we look at this as a resource that will provide Ohioans with quick and easy access to information about the issues that impact all the communities in the state,” Brunner said of her “Better Lives, Better Ohio” initiative. Pursuing the initiative was one of four major goals Brunner set for the office, including restoring trust in Ohio elections. Her office held community forums to solicit input about what data should be made available on the site, and the computer work to generate it was done in-house, Brunner said. The total cost was about $100,000, mostly to hire Michelle Hussong, who has a doctorate in sociology and previously worked for the Ohio Department of Education, to oversee the effort, Brunner said. The online tool can be found at www.sos.state.oh.us/SOS/betterLives.aspx. 
http://www.dispatchpolitics.com/live/content/local_news/stories/2009/07/09/copy/brunner_plan.ART_ART_07-09-09_B4_H2EE1MA.html?adsec=politics&sid=101

EASY CYBERSECURITY -- PUBLISH SSNS (Stewart Baker’s blog, 8 July 2009) - Two Carnegie Mellon researchers published a study the other day “Predicting Social Security Numbers from Public Data” in which they demonstrated that it was almost trivially easy to guess the first 5 digits of a person’s social security number based on where and when they were born. Since many (most?) security functions rely on the secrecy of those 5 digits and the public confirmation of the last 4 digits by a user, it is now almost trivially easy to extrapolate a person’s full 9-digit SSN. Any company that continues to use SSNs for security features is well beyond foolish. And any user who voluntarily chooses a partner who uses SSNs as a security feature is simply courting identity theft. Why anyone would do so is beyond me ... but companies and users continue down this benighted path. Is there any way to make them stop this unwise practice? I suppose we could outlaw it and make it a crime or some such heavy handed regulatory solution. But, in keeping with my view that more transparency generally equals greater security, here’s an easier solution -- the US government should simply publish a book (call it the Green Pages, since Yellow and White are already taken) listing everyone who has a social security number and making the SSNs public. That would instantly drain the SSN of all security value and return it to its original function as an accounting identifier. At that point, anyone who continued to use SSNs for security would be so negligent that the tort lawyers would have a field day. http://www.skatingonstilts.com/skating-on-stilts/2009/07/easy-cybersecurity-publish-ssns.html

ACCESSING EMPLOYEES’ PRIVATE INTERNET CHATROOM VIOLATES STORED COMMUNICATION & WIRETAP LAWS (Ogletree Deakins, 10 July 2009) - Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (D.N.J., June 16, 2009) – A federal jury in Newark recently imposed compensatory and punitive damages on an employer whose managers surreptitiously monitored employees’ postings on a private Internet chatroom. The managers obtained the chatroom password from a female employee and then terminated the employees responsible for creating the chatroom. The jury found the employer liable for violating both the federal Stored Communications Act and the New Jersey Wiretapping and Electronic Surveillance Control Act, because they obtained the chatroom password by duress. This decision reminds employers that they must remain ever mindful of the employee’s expectation of privacy and the limitations it can impose on their conduct. http://www.ogletreedeakins.com/publications/index.cfm?Fuseaction=PubDetail&publicationid=856#page=1

PROSECUTOR: CLOUD COMPUTING IS SECURITY’S FRONTIER (CNET, 10 July 2009) - As data moves to the cloud, attackers and thieves will follow, a federal prosecutor said on Friday. The days of tracking down software counterfeiters in other countries who are selling pirated CDs are numbered as companies increasingly distribute software and store data online via hosted computing services, Matthew Parrella, an assistant U.S. attorney based in San Jose, Calif., said at Symantec’s Norton Cyber Crime Day. “That model of importation of software is becoming obsolete because we’re seeing on the horizon cloud computing where so many of these operations are pushed from a user’s PC or a user’s computer onto Google Docs or Salesforce.com,” he said. Looking ahead five years, “I’m thinking the attack is going to be on cloud computing centers,” said Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney’s Office. The immediate threat will be attacks to steal data from the servers they are stored on, either remotely or by an insider or someone who gains access to the data center, he said. Later on it’s likely any stolen data could be pirated, he said. FBI agent Donna Peterson said her office had seen a “tremendous uptick in large-scale, fairly devastating data breaches,” with the biggest heist being close to $10 million stolen in 24 hours. Cyberthieves “are getting more organized and their technical sophistication is better,” she said. “They do what they need to get the job done...if they can use a 5-year-old exploit in conjunction with an exploit that they paid a programmer in another country $60,000 to (write), they will do it.” Cybercriminals can spend anywhere from two weeks to six weeks to completely own a corporate target’s computer system so completely that “you won’t even know that they’re there,” she said. 
Businesses have opened on a Monday morning only to discover that so much money has been stolen since employees went home on Friday that they are no longer solvent and there is no record on their systems of the activity, Peterson said. http://news.cnet.com/8301-1009_3-10284361-83.html?tag=newsEditorsPicksArea.0

- and -

CONCERNS RAISED AS LA LOOKS TO GOOGLE WEB SERVICES (SiliconValley.com, 17 July 2009) - Security and privacy concerns have been raised over a multimillion-dollar proposal by Los Angeles to tap Google’s Internet-based services for government e-mail, police records and other confidential data. At issue is the security of computerized records on everything from police investigations to potholes as the nation’s second-largest city considers dumping its in-house computer network for Google e-mail and office programs that are accessed over the Internet. Paul Weber, president of the Los Angeles Police Protective League, complained Thursday that the union had scant information on the plan or what it would mean for the safety of sensitive records, such as narcotics or gang investigations. The shift toward doing more over the Web could make it much easier for hackers to gain access to corporate or government files. No longer would someone need to try to break through layers of security firewalls. As various personal and work accounts become increasingly linked together, all one needs is a single password to access documents just like a regular employee. If approved, Los Angeles would be the second major city after Washington, D.C., to use Google’s Internet-based services, known as Google Apps. The company has been promoting the package to other government agencies, too, as a way to cut costs and ensure access to Google-developed technical innovations. Google said in a statement that more than 1.75 million businesses use the technology. An unknown number of them pay the Mountain View company $50 per user per year for a premium version designed for businesses, government agencies and other robust needs. 
In a statement, Google said its services, which can store information at a number of Google-run data centers around the world, are “extremely reliable, safe and secure.” http://www.siliconvalley.com/news/ci_12861716?nclick_check=1 [Editor: Reportedly, Google will not provide legally sufficient security assurances.]

AP PROPOSES NEW ARTICLE FORMATTING FOR THE WEB (Washington Post, 10 July 2009) - The Associated Press is proposing that publishers attach descriptive tags to news articles online in hopes of taming the free-for-all of news and information on the Web and generating more traffic for established media brands. Tags identifying the author, publisher and other information - as well as any usage restrictions publishers hope to place on copyright-protected materials - would be packaged with each news article in a way that search engines can more easily identify. By doing so, the AP hopes to make it easier for readers to find articles from more established news providers amid the ever-expanding pool of content online. That, in turn, could lead to more traffic and more online advertising revenue for a beleaguered news industry. http://www.washingtonpost.com/wp-dyn/content/article/2009/07/10/AR2009071002862.html

EMPLOYER VIOLATES THE NATIONAL LABOR RELATIONS ACT BY SELECTIVELY TARGETING UNION RELATED E-MAILS (Vorys, 10 July 2009) - The United States Court of Appeals in Washington, D.C., recently held that an employer committed an unfair labor practice by selectively enforcing its e-mail usage policy against an employee who sent union-related e-mails. The case, Guard Publishing Company v. National Labor Relations Board, is a reminder that e-mail policies must be carefully drafted and consistently enforced to avoid potential legal pitfalls. The employer, a daily newspaper, claimed that the union-related e-mails violated its policy prohibiting e-mails “used to solicit or proselytize for commercial ventures, religious or political causes, outside organizations, or other non-job-related solicitations.” Despite this policy, the employer routinely allowed e-mails offering tickets for sporting events and requesting services such as dogwalking. When the Union filed its initial charge with the NLRB, it argued that the National Labor Relations Act provided employees with a statutory right to use an employer’s e-mail system for certain union-related purposes. The NLRB disagreed, holding that an employer may limit non-work-related use of its e-mail system so long as it does not discriminate against protected union activity. The NLRB defined discriminatory treatment narrowly as the “unequal treatment of equals.” Applying this standard, the NLRB held that, with the exception of one e-mail that was not a solicitation, the employer did not discriminate against union-related emails. The NLRB based this decision on the theory that the employer made a distinction between personal solicitations (e.g., “My car is for sale”) and group/organization solicitations (e.g., “Girl Scout Cookies for sale”). The outcome would have been different had the employer previously allowed group/organization solicitations, only to take action when those group/organization solicitations were union related. 
On appeal, the Court of Appeals held that the employer had in fact discriminated against protected union activity. The Court noted that the personal/group distinction relied on by the NLRB was not contained in the employer’s e-mail policy. Nor was it discussed in the employee’s disciplinary notice. In fact, the notice cautioned the employee against using the e-mail system for union/personal business. http://www.vorys.com/media/publication/148_Employer%20Violates%20Nat%20Labor%20Relations%20Act.pdf#page=1 See also http://faegre.com/showarticle.aspx?Show=9980

NORTH KOREAN CYBERATTACKS (Bruce Schneier essay, 13 July 2009) - To hear the media tell it, the United States suffered a major cyberattack last week. Stories were everywhere. “Cyber Blitz hits U.S., Korea” was the headline in Thursday’s Wall Street Journal. North Korea was blamed. Where were you when North Korea attacked America? Did you feel the fury of North Korea’s armies? Were you fearful for your country? Or did your resolve strengthen, knowing that we would defend our homeland bravely and valiantly? My guess is that you didn’t even notice, that -- if you didn’t open a newspaper or read a news website -- you had no idea anything was happening. Sure, a few government websites were knocked out, but that’s not alarming or even uncommon. Other government websites were attacked but defended themselves, the sort of thing that happens all the time. If this is what an international cyberattack looks like, it hardly seems worth worrying about at all. http://www.schneier.com/blog/archives/2009/07/north_korean_cy.html [Editor: thoughtful, useful essay.]

85 PERCENT OF U.S. BUSINESSES BREACHED (InternetNews.com, 13 July 2009) - The fourth annual U.S. Encryption Trends Study was released today by The Ponemon Institute. The study says that 85 percent of surveyed businesses have experienced a data breach in the past year, up from 60 percent in the 2008 study. According to the report, organizations see a need to protect mobile devices. “More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices -- a sign that organizations recognize that valuable data is more mobile than ever,” the report said. Companies are right to be concerned about breaches, the report said, referring to an earlier study by The Ponemon Institute that found that breaches cost businesses, on average, $202 per record and, in total, an average of $6.6 million. http://www.internetnews.com/security/article.php/3829391/Report+73+Percent+of+US+Businesses+Breached.htm

- and -

DATA ATTACKS MORE FREQUENT THAN CEOS THINK (SC Magazine, 15 July 2009) - CEOs often have a rosier view of data protection in their organization than other executives, according to a study released Wednesday by the Ponemon Institute and software security vendor Ounce Labs. In the study of 213 CEOs and other senior executives, 92 percent of respondents said that their company’s data has been attacked in the past six months. But, CEOs are often more confident about their organization’s ability to prevent data breaches than are other executives, the study found. And CEOs are less aware of data breaches that have occurred, the study found. Respondents were asked how often their company’s data is attacked, and 33 percent of C-level executives -- which included COOs, CIOs and division presidents -- replied “hourly or more often,” while just 17 percent of CEOs said the same. Twenty percent of C-level executives said their data is attacked daily, while 15 percent of CEOs said the same. And, 48 percent of CEOs said their data was “rarely” attacked, compared to 32 percent of other C-level executives who said so. http://www.scmagazineus.com/Report-Data-attacks-more-frequent-than-CEOs-think/article/140117/

CLEARING RIGHTS FOR CONTENT: ASK FIRST (Law.com, 13 July 2009) - No one enjoys clearing rights. Checking that you may use content (whether on your Web site, in a publication, or for a performance) and won’t be sued over it takes time and effort. And, for e-commerce counsel clients, that means more money. Yet, applying [the] rules to using content on an e-commerce Web site is even more difficult because “commercial speech” remains an evolving area of the law. The legal rules for online content constantly evolve as copyright and other intellectual property laws struggle to adjust “rights” to the stresses caused since digital technology redefined the many ways to “copy” content. (Editor’s note: For a list of Web sites where one can request permission for a variety of content, see, “Links to Help e-Commerce Players Identify Rights Owners and Clear Rights.” The list is not comprehensive, because there are too many possible rights-owners from whom permission must be sought to cover all entities or people for every instance. A good basic resource on the mechanical process of clearing rights is “Getting Permission: How to License & Clear Copyrighted Materials Online and Off,” by Richard Stim, Esquire (Nolo Press, 2007).) http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202432184507&pos=ataglance [Editor: useful overview of the process.]

- and -

LEGAL ROW OVER NATIONAL PORTRAIT GALLERY IMAGES PLACED ON WIKIPEDIA (The Guardian, 14 July 2009) - The National Portrait Gallery has threatened legal proceedings for breach of copyright against a man who downloaded thousands of high-resolution images from its website, and placed them in an archive of free-to-use images on Wikipedia. There has been no formal response from the internet encyclopedia but Derrick Coetzee, who downloaded the images, promptly uploaded the letter from the London lawyers Farrar and Co, “to enable public discourse on the issue”. He said he was taking legal advice. Photographs of works of art are protected by copyright in the UK, but not in the US, where Coetzee lives. All the creators of the original images are long since dead, but the photographs were only taken for the NPG as part of a £1m digitisation project in the last couple of years. The gallery stressed today that they hoped to avoid taking any further legal action, and said they were not considering suing Wikipedia. It said it would be happy for the online site to use low-resolution images but was “very concerned” about loss of revenue from copyright fees for the high-resolution versions, which form a significant part of its income. http://www.guardian.co.uk/technology/2009/jul/14/national-portrait-gallery-wikipedia-row

REPUBLISHING THIRD PARTY RATINGS IN MARKETING MATERIAL MIGHT BE COPYRIGHT/TRADEMARK INFRINGEMENT (Eric Goldman, 14 July 2009) - A Colorado judge has reached the remarkable conclusion that a hospital publicizing its star ratings and other recognition from a third party rating service in its marketing material might be committing copyright and trademark infringement. This is a little like saying that it could be copyright and trademark infringement for a law school to include its US News rankings in its marketing material or for a book publisher to issue a press release announcing its ranking on the New York Times bestseller list. http://blog.ericgoldman.org/archives/2009/07/republishing_th.htm [Editor: Reminds me of the row a decade ago between Amazon and the NYT over publishing the NYT books bestseller listings. See “Looking Back” below.]

MIDDLE EAST BLACKBERRY UPDATE SPIES ON USERS (Wired, 14 July 2009) - A BlackBerry update that a United Arab Emirates service provider pushed out to its customers contains U.S.-made spyware that would allow the company or others to siphon and read their e-mail and text messages, according to a researcher who examined it. The update was billed as a “performance-enhancement patch” by the UAE-based phone and internet service provider Etisalat, which issued the patch to its 100,000 subscribers. The patch only drew attention after numerous users complained that it drained their BlackBerry battery and slowed performance, according to local publication ITP. Nigel Gourlay, a Qatar-based programmer who examined the patch, told ITP that the patch contained “phone-home” code that instructed the BlackBerries to contact a server to register. But once the patch was installed, thousands of devices tried to contact the server simultaneously, crashing it and causing their batteries to drain. “When the BlackBerry cannot register itself, it tries again and this causes the battery drain,” he said, noting that the spyware wouldn’t have drawn any attention if the company had simply configured the registration server to handle the load. The spying part of the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server. The spyware appears to have been developed by a U.S. company, which markets electronic surveillance software. Gourlay obtained source code for the patch after someone posted it on a BlackBerry forum. He said the code contained the name “SS8.com,” which belongs to a U.S. company that, according to its web site, provides surveillance solutions for “lawful interception” to ISPs, law enforcement and intelligence agencies around the world. 
http://www.wired.com/threatlevel/2009/07/blackberry-spies/ RIM denies involvement, and confirms that it’s spyware: http://www.siliconvalley.com/news/ci_12893364

PCI COUNCIL PUBLISHES WIRELESS SECURITY GUIDELINES FOR PAYMENT CARDS (NetworkWorld, 15 July 2009) - Any business accepting credit and debit cards -- and using or considering wireless LANs -- should carefully review the recommendations for use of 802.11 wireless access points that are detailed in the guidelines issued Wednesday by the Payment Card Industry Security Standards Council. In the past, the council has issued standards that have become required by Visa, MasterCard, banks and others for secure processing of payment and debit cards. Troy Leach, the council’s technical director, emphasized that the recommendations in the “PCI Data Security Standard (DSS) Wireless Guideline” are not mandatory for businesses handling payment cards and using WLANs. But he adds, “This is probably the way wireless should have been deployed all along.” http://www.networkworld.com/news/2009/071509-pci-wireless-guidelines.html?source=NWWNLE_nlt_security_strategies_2009-07-16

FACEBOOK VIOLATES CANADIAN PRIVACY LAW (The Canadian Press, 16 July 2009) - The writing is on the wall for Facebook, the popular social networking site: do more to protect the privacy of Canadian users or face the threat of court action. Privacy Commissioner Jennifer Stoddart posted that message for all to see Thursday in a report that warns the personal information of Facebook members may be at risk. Facebook, with nearly 12 million Canadian users and some 250 million worldwide, allows people to keep in touch with friends and family by updating their pages with a stream of fresh messages and photos. Stoddart said Facebook breaches federal privacy law by keeping users’ personal information indefinitely - even after members close their accounts. She also raised concerns about the sharing of users’ files with the almost one million third-party developers scattered across the globe who create Facebook applications such as games and quizzes. Stoddart applauded Facebook for making some changes, but urged the site to remedy outstanding privacy shortfalls, raising the possibility of legal proceedings if it doesn’t comply. http://ca.news.yahoo.com/s/capress/090716/national/facebook_privacy

AMAZON ERASES ORWELL BOOKS FROM KINDLE (New York Times, 17 July 2009) - In George Orwell’s “1984,” government censors erase all traces of news articles embarrassing to Big Brother by sending them down an incineration chute called the “memory hole.” On Friday, it was “1984” and another Orwell book, “Animal Farm,” that were dropped down the memory hole — by Amazon.com. In a move that angered customers and generated waves of online pique, Amazon remotely deleted some digital editions of the books from the Kindle devices of readers who had bought them. An Amazon spokesman, Drew Herdener, said in an e-mail message that the books were added to the Kindle store by a company that did not have rights to them, using a self-service function. “When we were notified of this by the rights holder, we removed the illegal copies from our systems and from customers’ devices, and refunded customers,” he said. Digital books bought for the Kindle are sent to it over a wireless network. Amazon can also use that network to synchronize electronic books between devices — and apparently to make them vanish. People who bought the rescinded editions of the books reacted with indignation, while acknowledging the literary ironies involved. “Of all the books to recall,” said Charles Slater, an executive with a sheet-music retailer in Philadelphia, who bought the digital edition of “1984” for 99 cents last month. “I never imagined that Amazon actually had the right, the authority or even the ability to delete something that I had already purchased.” Amazon appears to have deleted other purchased e-books from Kindles recently. Customers commenting on Web forums reported the disappearance of digital editions of the Harry Potter books and the novels of Ayn Rand over similar issues. Amazon’s published terms of service agreement for the Kindle does not appear to give the company the right to delete purchases after they have been made. 
It says Amazon grants customers the right to keep a “permanent copy of the applicable digital content.” Justin Gawronski, a 17-year-old from the Detroit area, was reading “1984” on his Kindle for a summer assignment and lost all his notes and annotations when the file vanished. “They didn’t just take a book back, they stole my work,” he said. On the Internet, of course, there is no such thing as a memory hole. While the copyright on “1984” will not expire until 2044 in the United States, it has already expired in other countries, including Canada, Australia and Russia. Web sites in those countries offer digital copies of the book free to all comers. http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html?_r=1&ref=business

THE FUTURE OF SCHOLARSHIP? HARVARD GOES DIGITAL WITH SCRIBD (ArsTechnica, 17 July 2009) - Today, with the announcement that Harvard University Press will publish 1,000 digitized books on Scribd, the academic world took one more step in its glacially slow march into the digital age. Over ten years ago, when I first started my graduate work in the humanities, there was already much talk of the looming crisis in academic publishing. Print runs for academic works written by even major scholars in a given discipline are pitifully small—1,000 would be considered decent-sized. The work of junior faculty, who are trying to publish to beef up a CV, means that the runs are smaller still. It’s very hard to make money on such small print runs, which result in books with sky-high cover prices and limited availability. All of this has made it harder for scholars to publish and harder for non-specialists to justify the effort and expense of obtaining good, scholarly work. In sum, the present situation benefits nobody—scholars, the public, or the financially strapped publishing houses. But there’s a bit of a chicken-and-egg problem to moving scholarship online. Scholarly publishers, which are central to the all-important vetting and peer review process, don’t do digital, and they look down on anything published in a digital format. And that attitude pervades the academic community: scholars still pursue the peer-reviewed printed book as the ultimate CV trophy and turn their noses up at digital, giving the publishers little incentive to experiment with digital distribution. But, as HUP’s tiny little 1,000-book foray into the world of digital possibly indicates, academic publishers may be forced into the arms of digital by the same rapidly changing circumstances that are pushing regular book publishers toward outlets like Scribd. http://arstechnica.com/media/news/2009/07/the-future-of-scholarship-harvard-goes-digital-with-scribd.ars

SOCIAL NETWORKS APPEAL, BUT NOT TO THE FIRM (ABA Journal, 22 July 2009) - If the question last year was whether lawyers would ever take to the Internet’s social media, the answer this year has to be a resounding yes—on a personal level. Asked for the ABA’s 2009 Legal Technology Survey Report whether they personally maintain a presence in an online community or social network such as Facebook, LinkedIn, LegallyMinded or Legal OnRamp, 43 percent of respondents answered yes, almost triple the 15 percent positive responses in the 2008 survey. Their law firms also tripled their social network presence, but the percentages were much smaller. When asked whether their firms maintain a presence in an online community or social network, only 12 percent of respondents said yes, up from 4 percent in the 2008 survey. The ABA’s Legal Technology Resource Center has been conducting legal technology surveys since 1990. For the 2009 survey, between 778 and 928 ABA members completed questionnaires for each of the six survey volumes between January and May. Each survey volume begins with a Trend Report that summarizes the notable results and highlights changes from previous years. The Trend Report is followed by detailed charts and tables. http://www.abajournal.com/magazine/getting_personal

UNIVERSITY OF MICHIGAN, AMAZON OFFER 400,000 TITLES WITH PRINT-ON-DEMAND (SiliconValley.com, 21 July 2009) - The University of Michigan said Tuesday it is teaming up with Amazon.com to offer reprints of 400,000 rare, out-of-print and out-of-copyright books from its library. Seattle-based Amazon’s BookSurge unit will print the books on demand in soft cover editions at prices from $10 to $45. http://www.siliconvalley.com/news/ci_12885402

**** NOTED PODCASTS ****
8 THINGS WE HATE ABOUT IT (HBS podcast, 2 June 2008) - You may think that hate is too strong of a word for feelings toward a corporate department. I don’t. Yesterday, I was interviewing an executive on his perceptions of IT and he couldn’t spit his frustration out fast enough. He said, “In the quest of getting things organized, they are introducing a bunch of bureaucracy and, in the process, they’re abdicating their responsibility for making sure the right things get done.” This is completely typical of management’s frustration - no, management’s hatred - of IT. http://blogs.harvardbusiness.org/hbr/cramm/2008/06/8-things-we-hate-about-it.html [15 minute audio, recommended to me by a senior manager with experience inside and outside of IT departments.]

**** RESOURCES ****
CLOUD COMPUTING (NIST, 26 June 2009) - NIST is posting its working definition of cloud computing that serves as a foundation for its upcoming publication on the topic (available below). Computer scientists at NIST developed this draft definition in collaboration with industry and government. It was developed as the foundation for a NIST special publication that will cover cloud architectures, security, and deployment strategies for the federal government. NIST’s role in cloud computing is to promote the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards. To learn more about NIST’s cloud efforts, join the NIST cloud computing announcement mailing list (very low volume) by sending an email to “listproc@nist.gov” with “subscribe cloudlist” in the message body text. http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v14.doc

YAMMER (Wikipedia article) – Yammer is a microblogging service launched in September 2008. Like Twitter, it allows users to post updates of their activities, follow others’ updates, tag content, and create memes. Unlike Twitter, Yammer focuses on businesses, and only individuals with the same email domain can join a given network. http://en.m.wikipedia.org/wiki/Yammer [Editor: if/when critical mass is achieved in a user organization, the company can buy a Yammer instance, and redeploy it inside the company’s security zone.]

**** LOOKING BACK - MIRLN TEN YEARS AGO ****
AMAZON SUES OVER NYT BESTSELLER LIST -- In an effort to settle the question of whether a bestseller list is proprietary and copyrightable, Amazon.com last week sued the New York Times in Seattle federal court. Since May 17, Amazon has featured the Times bestseller list on its Web site, and offered a 50% discount on the books named. On May 28 a lawyer for the Times wrote a letter asking Amazon to stop posting the list, which the Times licenses to rival bookseller BarnesandNoble.com. Amazon claims it’s making “fair use” of the list, similar to the way that a movie might be listed as having won an Academy Award, and added language clarifying that the Times didn’t endorse the Amazon site. The Times termed the modifications “inadequate.” Borders Group, which also uses the list, also has received a letter from the Times, and says it’s not sure how it will respond. (Wall Street Journal 7 Jun 99)

************** NOTES **********************
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, July 04, 2009

MIRLN --- 14 June – 4 July 2009 (v12.09)

• Trade Sanctions and Web 2.0: Are US Regulations Hurting Free Speech in Iran?
o Twitter Plays Key Role in DOS Attacks in Iran
• Heartland CEO Says Data Breach was ‘Devastating’
• Privacy Experts Concerned Over Google Cloud Services
• Microsoft Veteran Launches Twitter Search Engine
• Breach Notification Laws to Take Effect in Alaska and South Carolina on July 1
• FTC Action Requires Prominent Notice and Express Consent Before Use of Tracking Software
o Industry Tightens its Standards for Tracking Web Surfers
• Bozeman to Job Seekers: We Won’t Seek Passwords
• FTC Plans to Monitor Blogs for Claims, Payments
• Dunkin’ Donuts iPhone App Makes Coffee More Social
• Court Says Anti-Telemarketing Law Covers Unsolicited Text Messaging
• Email Patterns Can Predict Impending Doom
o The Online Ad that Knows Where Your Friends Shop
• TJX Reaches Settlement with States on Data Theft
• Apple’s Obsession with Secrecy Grows Stronger
• EU Wants Tighter Privacy on Social Networks
• FBI Compounds Mystery with Secret Justification of Gag Order
• ICANN Names New CEO
• Obama Seeks Input on Classification of Records
o Online Tool Will Track U.S. Tech Spending
• High Court Won’t Block Remote Storage DVR System
• Study: Older C-Level Execs Avoid Twitter, Blogs
• Judge Throws Out Conviction in Cyberbullying Case

NEWS | RESOURCES | LOOKING BACK | NOTES

**** NEWS ****
TRADE SANCTIONS AND WEB 2.0: ARE US REGULATIONS HURTING FREE SPEECH IN IRAN? (EFF, 15 June 2009) - For the past few days, Iranians have been taking advantage of US-hosted communication services like Twitter and Facebook to communicate with each other about their contested election, uncover and compare facts, and convey their experiences to the rest of the world. They’ve done that despite apparent attempts to block these sites by the Iranian authorities. For those watching and listening, it’s been a bracing demonstration of the power of the Internet — and the latest Web 2.0 services — to enhance free speech, wherever you live. But EFF has also been watching with concern the blocking of Web 2.0 sites in countries like Iran. This new threat doesn’t come from foreign governments: it appears to be coming from the ambiguity of the United States’ own export regulations, and how they should be applied to new web sites and services. The problem, as is so often the case in the clash between new technology and the law, lies in the mismatch between the language of the old regulations and the new world of the Internet. The United States’ export law bans much US trade with countries like Cuba, Iran, the Sudan and Syria. [W]e’ve seen evidence that corporate lawyers advising Web 2.0 companies may be acting defensively to protect their Internet clients from prosecution under the export laws. Earlier this year, LinkedIn appeared to deliberately block its Sudanese and Syrian users from its website, presumably out of fear that their site would be classed outside of the law’s free speech exceptions. And ComputerWorld last week quoted two export lawyers who thought that websites like Twitter and Facebook would be affected by sanction regulations because they provide “services” rather than simply information materials. “If you ask any lawyer who regularly practices in this area, they would say don’t offer the service [to sanctioned countries],” one lawyer is reported to have said.
Iran is, of course, one of those countries currently under stiff sanctions from the U.S. http://www.eff.org/deeplinks/2009/06/sanctions-and-web

- and -

TWITTER PLAYS KEY ROLE IN DOS ATTACKS IN IRAN (ComputerWorld, 18 June 2009) - The unrest in Iran is serving as a warning on how easy it is for individuals and groups to use a social networking tool like Twitter to mobilize a cyber-army against a political or commercial target anywhere in the world. Over the past few days, news media reports have described how Twitter is being used by ordinary Iranians to receive and broadcast real-time information on the political unrest in the country after recent elections. But a still developing and less benign use of Twitter in Iran has been its application in denial-of-service attacks against key government officials, including those affiliated with President Mahmoud Ahmedinejad. Initially, the tweets directed users to online locations with links that users could click on to participate in a DoS attack against a particular Iranian Web site, said Richard Stiennon, founder of IT-Harvest, a Birmingham, Mich.-based consultancy. A Google Doc circulating on the Web, for instance, lists several URLs pointing to Iranian Web sites listed by categories such as “Governmental and HARDLINE NEWS,” “Police, Ministry of Interior,” “Central Bank,” “Commerce Banks” and “Office of Ahmadijenad and Khameneie.” When a user clicks on any of the links, it initiates a continuous stream of page refresh requests to the targeted Web site that will eventually overcome the site if enough people click on the link. More recently, tweets have begun circulating that allow users to achieve the same result by simply clicking on the embedded URL in the message. As soon as a user hits the page, as many as 24 frames open up simultaneously and refresh continuously, causing a DoS attack against the 24 separate Web sites, Stiennon said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9134561&source=CTWNLE_nlt_dailyam_2009-06-19

HEARTLAND CEO SAYS DATA BREACH WAS ‘DEVASTATING’ (ComputerWorld, 17 June 2009) - Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year. “I wanted to throw up. It was devastating,” says Carr, recalling how he felt upon realizing that one of his worst fears had come true. “People had asked me for years ‘what keeps you awake at night’ and I would keep telling them it was the fear of a data breach,” he told Computerworld. Five months after Heartland announced what some think may be the biggest data breach ever, Carr is working over-time to limit the fallout from the incident, and the damage to the company’s reputation. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9134516&source=CTWNLE_nlt_dailyam_2009-06-18

PRIVACY EXPERTS CONCERNED OVER GOOGLE CLOUD SERVICES (V3.co.uk, 17 June 2009) - A number of high-profile privacy and information security experts have written to Google chief executive Eric Schmidt demanding the search firm change its privacy settings to improve users’ security. They are concerned that Google’s default privacy settings for some of its cloud-based services are not adequate. Unless a user enables specific security options any email, document, spreadsheet, presentation and calendar plan is transferred to Google’s servers without encryption. The letter adds: “We ask you to increase users’ security and privacy protection by enabling by default transport-level encryption (HTTPS) for Google Mail, Docs and Calendar, a technology already enabled by default for Google Voice, Health, AdWords and AdSense.” http://www.v3.co.uk/computing/news/2244306/privacy-experts-concerned Good related Berkman podcast by Chris Soghoian here: http://blogs.law.harvard.edu/mediaberkman/2009/05/27/christopher-soghoian-caught-in-the-cloud-privacy-encryption-and-government-back-doors-in-the-web-20-era/ EFF commentary here: http://www.eff.org/deeplinks/2009/06/more-https-from-google-others

MICROSOFT VETERAN LAUNCHES TWITTER SEARCH ENGINE (CNET, 17 June 2009) - The former head of Microsoft’s search unit may have left Redmond, but he is still very much in the search game. Ken Moss, who led the search engineering team at Microsoft for five years, has spent the last months building CrowdEye, a real-time search engine that aims to allow users to better mine Twitter to get a pulse on hot topics. The service, which is going into public beta on Thursday, offers up not only the latest tweets on a topic, but also a list of the most popular links on a topic and a tag cloud of associated terms. “I think that real-time search is the next big thing in search,” Moss said in a telephone interview. “It’s an area that has been underexploited to date.” Searching Twitter is good for news, he said, but also for things such as finding the latest viral video or a solution to a new software bug. Of course, Moss is not alone in this thinking. Twitter has its own search engine, while others such as Topsy and OneRiot, are also mining the twitterverse. Among its features, CrowdEye has a historical view that allows one to see how the discussion on a topic has evolved. Although, for now, that historical period is only three days. http://news.cnet.com/8301-13860_3-10267393-56.html

BREACH NOTIFICATION LAWS TO TAKE EFFECT IN ALASKA AND SOUTH CAROLINA ON JULY 1 (Steptoe & Johnson’s E-Commerce Law Week, 18 June 2009) - Two more states will soon begin enforcing data breach notification requirements. As we previously reported, Alaska governor Sarah Palin signed a bill in June 2008 that will require any person or business that owns or licenses the personal information of a state resident to notify the resident if this information is breached, subject to a risk of harm threshold. And South Carolina governor Mark Sanford signed a bill in April 2008 that will require any person that does business in the state, “own[s] or licens[es]” data that includes “personal identifying information,” and discovers a breach of this information to notify any affected state residents “whose personal identifying information ... was not rendered unusable through encryption, redaction, or other methods.” The South Carolina law requires notification only if the personal information “was, or is reasonably believed to have been, acquired by an unauthorized person,” and “illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.” Both states’ laws take effect on July 1, 2009. http://www.steptoe.com/publications-6182.html

FTC ACTION REQUIRES PROMINENT NOTICE AND EXPRESS CONSENT BEFORE USE OF TRACKING SOFTWARE (Steptoe & Johnson’s E-Commerce Law Week, 18 June 2009) - Sears Holdings Management Corporation (SHMC) has agreed to settle Federal Trade Commission charges stemming from its alleged failure to “disclose adequately” that software it offered to visitors to sears.com and kmart.com would monitor their Internet use and send this information to SHMC’s servers. As part of the settlement, SHMC agreed to: obtain customers’ express consent to the download or installation of any tracking software; make a prominent post to the SHMC website to inform existing users of the software that it was tracking their Internet use; assist consumers in uninstalling the tracking software; cease collecting data transmitted by any software installed before the agreement; and destroy any information collected by the software. SHMC also agreed to “[c]learly and prominently” notify consumers of the tracking functions in any future SHMC software prior to its installation and outside of any license agreement -- including by disclosing the types of data collected, “how the data may be used,” and “whether the data may be used by a third party.” http://www.steptoe.com/publications-6182.html Settlement agreement here: http://www.ftc.gov/os/caselist/0823099/090604searsagreement.pdf

- and -

INDUSTRY TIGHTENS ITS STANDARDS FOR TRACKING WEB SURFERS (New York Times, 1 July 2009) - In an effort to fend off federal regulation, major trade groups in the advertising industry have announced stricter guidelines on how their members use and collect online data. In a report to be released Thursday, a consortium of the trade groups intends to address a growing concern in Washington and among consumer advocates that people are being tracked too much online, with information about their Web surfing, shopping habits and overall interests being collected for advertising purposes. Congress held hearings on the subject in June, asking executives from Facebook, Google and Yahoo to testify, and the Federal Trade Commission issued a report in February that urged updated principles for self-regulation. All along, most advertisers, agencies and publishers have been arguing that they can keep an eye on their own practices, and don’t need government intervention. The jump in interest from Washington hastened the report’s release, said Stuart P. Ingis, a partner at the Venable law firm and a lawyer for the trade groups. The report, “Self-Regulatory Principles for Online Behavioral Advertising,” reflects several of the commission’s suggestions from February. The principles are meant to go into effect in 2010, affecting the more than 5,000 companies that belong to the sponsoring organizations, including Google, Microsoft, Yahoo, Disney and Verizon. In one big change, the report instructs members to provide notice, either in an ad or on a Web site (rather than hidden in the privacy policy), that behavioral information is being collected. Mr. Ingis said the exact form of the notice had not been decided on — it could be a link that says “Why did I get this?” or “interest-based advertising,” meaning information on advertising based on Web visits and behaviors, he said. The report also suggests an enforcement process, so that competitors or consumers can bring complaints if a company violates the principles. “Programs will also, at a minimum, publicly report instances of noncompliance and refer entities that do not correct violations to the appropriate government agencies,” the report says. It also says consumers must approve the collection of “sensitive data” — mostly on finances or health. Another issue privacy watchdogs have raised is that consumers have no access to the data being collected about them — it is all done behind the scenes. Giving consumers access to the data is “an interesting concept,” Mr. Ingis said, noting that what the companies collect shows up as “a bunch of ones and zeros.” “The data is in computer wording, programming speak, and to the consumer would mean nothing,” he said. (A handful of online companies, including Google, have translated the data, however, and have said they will give consumers access.) http://www.nytimes.com/2009/07/02/business/media/02adco.html?_r=1&ref=business

BOZEMAN TO JOB SEEKERS: WE WON’T SEEK PASSWORDS (CNET, 20 June 2009) - The city of Bozeman, Mont., has rescinded its long-standing policy that job applicants provide user names and passwords to social-networking sites such as Facebook and MySpace. According to a press release issued Friday: “The extent of our request for a candidate’s password, user name, or other internet information appears to have exceeded that which is acceptable to our community. We appreciate the concern many citizens have expressed regarding this practice and apologize for the negative impact this issue is having on the City of Bozeman.” The city stopped the practice as of midday Friday, until it “conducts a more comprehensive evaluation of the practice,” the release said. Bozeman, which is about 100 miles north of Yellowstone National Park, found itself in the international spotlight this week when the local media reported that the city government’s background check included evaluating job candidates’ suitability based on their social-networking site postings. The city had been doing so for a few years. The background check form stated: “Please list any and all current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.” Groups, including the Electronic Frontier Foundation, a digital rights organization, derided the practice. “I think it’s indefensibly invasive and likely illegal as a violation of the First Amendment rights of job applicants,” EFF attorney Kevin Bankston told CNET News earlier this week. “Essentially, they’re conditioning your application for employment on your waiving your First Amendment rights...and risking the security of your information by requiring you to share your password with them...Where does it stop? How about a photocopy of your diary?” City Manager Chris Kukulski noted to KBZK TV that information wasn’t sought until “you were conditionally offered the job.” The passwords already received will remain the city’s confidential property, the CBS affiliate reported. http://news.cnet.com/8301-13578_3-10269770-38.html?part=rss&subj=news&tag=2547-1_3-0-5

FTC PLANS TO MONITOR BLOGS FOR CLAIMS, PAYMENTS (Washington Post, 21 June 2009) - Savvy consumers often go online for independent consumer reviews of products and services, scouring through comments from everyday Joes and Janes to help them find a gem or shun a lemon. What some fail to realize, though, is that such reviews can be tainted: Many bloggers have accepted perks such as free laptops, trips to Europe, $500 gift cards or even thousands of dollars for a 200-word post. Bloggers vary in how they disclose such freebies, if they do so at all. The practice has grown to the degree that the Federal Trade Commission is paying attention. New guidelines, expected to be approved late this summer with possible modifications, would clarify that the agency can go after bloggers - as well as the companies that compensate them - for any false claims or failure to disclose conflicts of interest. It would be the first time the FTC tries to patrol systematically what bloggers say and do online. The common practice of posting a graphical ad or a link to an online retailer - and getting commissions for any sales from it - would be enough to trigger oversight. http://www.washingtonpost.com/wp-dyn/content/article/2009/06/21/AR2009062101107.html

DUNKIN’ DONUTS IPHONE APP MAKES COFFEE MORE SOCIAL (CNET, 22 June 2009) - Dunkin Run is basically a social game, with a payoff of coffee and baked goods. Users can start a “Dunkin’ Run” from their computer, mobile device, or iPhone, and let everyone know they are hitting the road. This type of application that comes with a tangible payoff would drive membership in a variety of social networks, and would certainly keep me logged into my otherwise useless Facebook profile. Dunkin’ Run brings customers a completely new and unique social online group ordering experience and tools. To begin, “Runners” can initiate a group order on www.DunkinRun.com through their computer or mobile device, or via an iPhone application available for free download at the iTunes online store. Immediately, interactive alerts are sent to the Runner’s list of friends or co-workers, telling them when a trip to Dunkin’ Donuts is planned along with a personal message inviting them to place an order online. Invitees can view the Dunkin’ Donuts menu to place their order, and registered users can select from their own personal list of favorites and/or previous orders. All Dunkin’ Donuts core foods and beverages are presented using interactive product images to make personalizing an order both simple and fun. All of the orders are integrated onto a single page/screen which the Runner either prints or uses their iPhone or mobile device to bring to any Dunkin’ Donuts store. Dunkin’ Donuts crew members will use this checklist to fulfill orders quickly and ensure order accuracy. The Runner can also use this page as a checklist to ensure that everyone in the group gets what he or she ordered. http://news.cnet.com/8301-13846_3-10270431-62.html

COURT SAYS ANTI-TELEMARKETING LAW COVERS UNSOLICITED TEXT MESSAGING (TechDirt, 22 June 2009) - Via Michael Scott we learn that the 9th Circuit Court of Appeals has found that the Telephone Consumer Protection Act (TCPA) also applies to unsolicited text messages. The TCPA covers certain kinds of commercial marketing over telephones, and has a rule against the use of “automatic telephone dialing systems,” but it wasn’t clear if text messaging was an automatic telephone dialing system. The court has now said yes. Separately, the case looked at whether or not agreeing to a basic terms of service also represented “express consent” which is needed under the TCPA. In this case, the woman had purchased a ringtone, but did not believe she had consented to commercial text messages. In buying the ringtone, the woman agreed to an extremely broadly worded terms of service that was probably purposely designed by lawyers to cover a wide swath of potential other things -- such as allowing the company to let others market things to the user. The question was whether or not other companies, who purchased the phone number from the ringtone company, could then market to the woman. The court here finds that dubious as well, noting that “express consent” is “[c]onsent that is clearly and unmistakably stated,” which the court feels was not the case here, since the consent was only for the ringtone company to market messages, not anyone else (even though the marketing company -- in this case Simon & Schuster -- noted that the text message was “powered by” the ringtone company): “Thus, Satterfield’s consent to receive promotional material by Nextones and its affiliates and brands cannot be read as consenting to the receipt of Simon & Schuster’s promotional material.” http://techdirt.com/articles/20090621/1852275302.shtml More on the case—Satterfield v. Simon & Schuster—here: http://spamnotes.com/2009/06/19/9th-circuit-rules-in-favor-of-plaintiff-who-received-unsolicited-text-messages.aspx?ref=rss

EMAIL PATTERNS CAN PREDICT IMPENDING DOOM (NewScientist, 22 June 2009) - Email logs can provide advance warning of an organisation reaching crisis point. That’s the tantalising suggestion to emerge from the pattern of messages exchanged by Enron employees. After US energy giant Enron collapsed in December 2001, federal investigators obtained records of emails sent by around 150 senior staff during the company’s final 18 months. The logs, which record 517,000 emails sent to around 15,000 employees, provide a rare insight into how communication within an organisation changes during stressful times. Ben Collingsworth and Ronaldo Menezes at the Florida Institute of Technology in Melbourne identified key events in Enron’s demise, such as the August 2001 resignation of CEO Jeffrey Skilling. They then examined the number of emails sent, and the groups that exchanged the messages, in the period around these events. They did not look at the emails’ content. Menezes says he expected communication networks to change during moments of crisis. Yet the researchers found that the biggest changes actually happened around a month before. For example, the number of active email cliques, defined as groups in which every member has had direct email contact with every other member, jumped from 100 to almost 800 around a month before the December 2001 collapse. Messages were also increasingly exchanged within these groups and not shared with other employees. Menezes thinks he and Collingsworth may have identified a characteristic change that occurs as stress builds within a company: employees start talking directly to people they feel comfortable with, and stop sharing information more widely. They presented their findings at the International Workshop on Complex Networks, held last month in Catania, Italy. http://www.newscientist.com/article/mg20227135.900-email-patterns-can-predict-impending-doom.html
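The measurement the Florida Tech researchers describe (count email cliques per period, watch for a jump, and check whether traffic is staying inside those groups) is easy to reproduce on metadata alone. The following is an added example written for this newsletter entry; it is not code from the NewScientist article or from the Collingsworth/Menezes study, and the email log it runs on is a constructed sample with placeholder names, not Enron data. It builds an undirected sender/recipient contact graph per calendar month, enumerates maximal cliques with the Bron–Kerbosch algorithm, reports the share of messages whose sender and every recipient fall inside one clique, and flags a period whose clique count jumps sharply. Message bodies are never read.

```python
"""Communication-pattern drift from email metadata (added example).

Builds a contact graph per calendar month from sender/recipient pairs,
counts maximal cliques (groups in which everyone has mailed everyone),
and measures how much traffic stays inside those cliques. Bodies are
never read; only date, sender and recipients are used.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample log for this example (not Enron data):
# (ISO date, sender, recipients). Names are placeholders.
SAMPLE_LOG: List[Tuple[str, str, List[str]]] = [
    # September: one hub mails out, replies trickle back, no closed groups
    ("2001-09-03", "alice", ["bob", "carol", "dave", "erin"]),
    ("2001-09-10", "bob", ["frank"]),
    ("2001-09-17", "carol", ["alice", "grace"]),
    ("2001-09-24", "dave", ["heidi"]),
    # October: two tight triangles appear and most mail stays inside them
    ("2001-10-01", "alice", ["bob", "carol"]),
    ("2001-10-02", "bob", ["alice", "carol"]),
    ("2001-10-03", "carol", ["alice", "bob"]),
    ("2001-10-08", "dave", ["erin", "frank"]),
    ("2001-10-09", "erin", ["dave", "frank"]),
    ("2001-10-10", "frank", ["dave", "erin"]),
    ("2001-10-15", "grace", ["alice"]),
    ("2001-10-16", "alice", ["grace", "heidi"]),
]


def period_of(iso_date: str) -> str:
    """Bucket a YYYY-MM-DD date into its YYYY-MM month."""
    return iso_date[:7]


def contact_graphs(log) -> Dict[str, Dict[str, Set[str]]]:
    """Undirected sender<->recipient adjacency per period.

    Only direct contact creates an edge: two recipients of the same
    message are not linked unless one of them mails the other.
    """
    graphs: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for when, sender, recipients in log:
        adj = graphs[period_of(when)]
        for rcpt in recipients:
            if rcpt != sender:
                adj[sender].add(rcpt)
                adj[rcpt].add(sender)
    return graphs


def maximal_cliques(adj: Dict[str, Set[str]]) -> List[FrozenSet[str]]:
    """Bron-Kerbosch enumeration of maximal cliques (fine for small graphs)."""
    found: List[FrozenSet[str]] = []

    def extend(r: Set[str], p: Set[str], x: Set[str]) -> None:
        if not p and not x:
            found.append(frozenset(r))
            return
        for v in list(p):
            extend(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}

    extend(set(), set(adj), set())
    return found


def clique_stats(log, min_size: int = 3) -> Dict[str, Dict[str, float]]:
    """Per period: number of cliques with at least min_size members, and the
    share of messages whose sender and every recipient sit inside one such
    clique (mail that is not being shared more widely)."""
    graphs = contact_graphs(log)
    stats: Dict[str, Dict[str, float]] = {}
    for period in sorted(graphs):
        groups = [c for c in maximal_cliques(graphs[period]) if len(c) >= min_size]
        msgs = [m for m in log if period_of(m[0]) == period]
        insular = sum(
            1 for _, sender, rcpts in msgs
            if any({sender, *rcpts} <= g for g in groups)
        )
        stats[period] = {
            "messages": len(msgs),
            "cliques": len(groups),
            "insular_share": round(insular / len(msgs), 3) if msgs else 0.0,
        }
    return stats


def flag_shifts(stats, factor: float = 2.0, min_jump: int = 2) -> List[str]:
    """Periods whose clique count jumped sharply versus the previous period."""
    flagged: List[str] = []
    periods = sorted(stats)
    for prev, cur in zip(periods, periods[1:]):
        a, b = stats[prev]["cliques"], stats[cur]["cliques"]
        if b > factor * a and b - a >= min_jump:
            flagged.append(cur)
    return flagged


if __name__ == "__main__":
    s = clique_stats(SAMPLE_LOG)
    for period, row in s.items():
        print(period, row)
    print("shift flagged in:", flag_shifts(s))
```

On the constructed log the September month has no clique of three or more and no insular mail, while October has two cliques and three quarters of its messages stay inside them, so October is flagged. The thresholds in `flag_shifts` and the `min_size` cut-off are assumptions chosen for the sample; on real mail volumes they would be tuned against a baseline, and Bron–Kerbosch without pivoting is adequate only for graphs of this size.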

- and -

THE ONLINE AD THAT KNOWS WHERE YOUR FRIENDS SHOP (New York Times, 25 June 2009) - If a marketer asked people to hand over a list of all their friends so it could show them ads, few would comply. On social-networking sites like Facebook and MySpace, though, friendships are obvious, and advertisers are beginning to examine those connections. Two companies in particular, 33Across and Media6Degrees, are analyzing such connections, and they are not interested in basic friend lists, but in interactions on the sites, taking note when a user visits a friend’s page, sends a video or exchanges an instant message. In turn, they can identify people who are friends with a company’s existing customers, and then advertise to them. “The implications for this are pretty amazing,” said K-Yun Steele, vice president of Zenith Interactive, part of the Zenith Media unit of the Publicis Groupe, which works with clients including JPMorgan Chase, Puma and General Mills. He has tested both 33Across and Media6Degrees. Instead of using research to identify which Web sites are popular with certain demographic targets, these companies let “the consumer do the heavy lifting for you purely because of the proximity of that customer to other customers,” Mr. Steele said. “There’s a certain traction that you get when you target consumers that you know talk to each other, that you don’t get when you advertise like you would in print.” Advertisers, eager for any information that allows them to waste fewer ads and spend less money, are trying Media6Degrees and 33Across to see whether friendships are a better indicator of who might like their products than other indicators like age, gender, geography or interests. “Instead of understanding all these things about people, you could understand who was connected to who,” said Eric Wheeler, the chief executive of 33Across. “The reality is, those people are very similar not only in socioeconomic terms, but in terms of what they click and buy, so it’s very valuable.” Both companies try to link a Web site visitor to his friends (anonymously, they say). Media6Degrees and 33Across begin at an advertiser’s Web site. When someone visits a certain page — something that indicates interest, like a shopping-cart page or a product information page — the companies place a cookie (a tiny bit of text, like an identification number) on her computer. When she visits another site that has been programmed to look for that cookie, the new site can identify her as someone who has already put something in her shopping cart at a certain beauty site. Meanwhile, Media6Degrees and 33Across use data from social-networking sites to map users’ interactions. To see the connections, 33Across receives data on the type of interaction, like an instant message or a shared video link. The companies then extend those connections to build a big audience. If a certain customer most frequently communicates with 30 people, the companies look at who those 30 people interact with the most, and so on. By doing this for all the customers for a certain brand, they can build up a large network for ads. http://www.nytimes.com/2009/06/26/business/media/26adco.html?_r=2&ref=business

TJX REACHES SETTLEMENT WITH STATES ON DATA THEFT (AP, 23 June 2009) - The parent company of retailers T.J. Maxx and Marshall’s will pay $9.75 million in a settlement with multiple states related to a massive data theft that exposed tens of millions of payment card numbers. Framingham, Mass.-based TJX Cos. said Tuesday it will pay $2.5 million to create a data security fund for states as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states’ investigations. But TJX stressed that it “firmly believes” that it did not violate any consumer protection or data security laws. TJX said the settlement’s costs are already accounted for in a 2007 reserve it created. According to a filing with the Securities and Exchange Commission earlier this month, as of May 2 — before the settlement was announced — the reserve was $39.5 million, the company’s estimate of the total potential costs related to pending litigation, investigations and other costs. The breach — disclosed in January 2007 — exposed at least 45.7 million credit and debit cards to possible fraud in the computer systems breach that began in July 2005. The breach wasn’t detected until December 2006. Under the settlement with a multistate group of 41 Attorneys General, TJX must also certify that its computer system meets detailed data security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system. In April 2008, TJX Cos. offered to set aside $24 million to reimburse customers who through their MasterCard credit cards were defrauded because of a data breach last year. A similar agreement was made with Visa-card issuing banks the prior November for up to $40.9 million to help banks cover costs including replacing customers’ payment cards and covering fraudulent charges. In January, TJX Cos. offered a 15 percent discount to its customers during a “Customer Appreciation” day to reward customers’ loyalty as the company dealt with the breach. http://tech.yahoo.com/news/ap/20090623/ap_on_hi_te/us_tjx_data_theft_6

APPLE’S OBSESSION WITH SECRECY GROWS STRONGER (New York Times, 23 June 2009) - Apple is one of the world’s coolest companies. But there is one cool-company trend it has rejected: chatting with the world through blogs and dropping tidbits of information about its inner workings. Few companies, indeed, are more secretive than Apple, or as punitive to those who dare violate the company’s rules on keeping tight control over information. Employees have been fired for leaking news tidbits to outsiders, and the company has been known to spread disinformation about product plans to its own workers. “They make everyone super, super paranoid about security,” said Mark Hamblin, who worked on the touch-screen technology for the iPhone and left Apple last year. “I have never seen anything else like it at another company.” Secrecy at Apple is not just the prevailing communications strategy; it is baked into the corporate culture. Employees working on top-secret projects must pass through a maze of security doors, swiping their badges again and again and finally entering a numeric code to reach their offices, according to one former employee who worked in such areas. Work spaces are typically monitored by security cameras, this employee said. Some Apple workers in the most critical product-testing rooms must cover up devices with black cloaks when they are working on them, and turn on a red warning light when devices are unmasked so that everyone knows to be extra-careful, he said. Apple’s decision to severely limit communication with the news media, shareholders and the public is at odds with the approach taken by many other companies, which are embracing online outlets like blogs and Twitter and generally trying to be more open with shareholders and more responsive to customers. “They don’t communicate. It’s a total black box,” said Gene Munster, an analyst at Piper Jaffray who has covered Apple for the last five years. For corporate governance experts, and perhaps federal regulators, the biggest question is whether Mr. Jobs’s approach has led to violating laws that cover what companies must disclose to the public about the well-being of their chief executive. On that key issue, the experts are divided. Most governance experts do seem to agree on one point: that the secrecy that adds surprise and excitement to Apple product announcements is not serving the company well in other areas. http://www.nytimes.com/2009/06/23/technology/23apple.html?partner=rss&emc=rss

EU WANTS TIGHTER PRIVACY ON SOCIAL NETWORKS (Mashable, 24 June 2009) - Are social networks such as Facebook and MySpace doing enough to protect their users’ privacy? In the European Union, they might need to do more. A panel of European regulators has laid out operating guidelines for social networks, which will ensure their compliance with strict – albeit sometimes vague – online privacy laws in the European Union. These laws mostly stem from the European Union Directive on Data Protection of 1995, which, among other regulations, prohibits collection of personal information without consumers’ permission, forbids employers to read workers’ private e-mail, and doesn’t allow companies to share personal information on users without their permission. However, according to data-privacy lawyer Jan Dhont at Lorenz in Brussels, these regulations aren’t always very clear. For example, the companies that collect personal information must use it for “legitimate purposes,” which can be interpreted in many different ways. Nevertheless, the guidelines that were laid out will require quite a bit of effort from sites such as Facebook and MySpace, who cannot neglect their European user base and will therefore surely at least try to comply to avoid clashing with the EU regulators. According to the guidelines, social networks must set security settings to high by default; they must allow users to limit data disclosed to third parties, and they must limit the use of sensitive information (race, religion, political views) in behavioral advertising. Furthermore, social networks must delete accounts that have been inactive for long periods, as well as discard users’ personal information after they delete their accounts; an interesting regulation in view of the recent Facebook scandal, in which Facebook claimed ownership of all the content you’ve ever uploaded even if you quit the service. Facebook later apologized and restored their previous Terms of Service, even letting users be part of the decision process in creating the new ToS. However, it must be noted that even if this sounds like democracy, it’s a frail one, as Facebook still sets up the stage and has the last word on every decision. http://mashable.com/2009/06/24/eu-privacy-social-networks/ Article 29 Working Group paper on the subject is here: http://www.scribd.com/doc/16736099/ARTICLE-29-DATA-PROTECTION-WORKING-PARTY-Opinion-52009-on-online-social-networking (registration required)

FBI COMPOUNDS MYSTERY WITH SECRET JUSTIFICATION OF GAG ORDER (ArsTechnica, 25 June 2009) - When the FBI uses a national security letter (NSL) to force the cooperation of an ISP or phone company in the surveillance of a suspect, the agency typically slaps a gag order on the service provider to prevent it from revealing the existence of the NSL. Civil liberties groups have successfully challenged the DOJ on these gag orders in the ongoing Doe v. Holder, and last month the Obama administration decided not to appeal a federal court ruling that the FBI must justify these gag orders by meeting a relatively high First Amendment standard. The implication of the court’s ruling was that the FBI would finally have to justify the gag order that it had placed on the John Doe in the Doe v. Holder case, so that the plaintiff could talk about the NSL. The FBI has now cooperated, and has given the court a justification of the gag order, in secret. The classified declaration that justifies the gag order can’t even be seen by Doe’s attorneys at the ACLU. In a statement, the ACLU elaborated on the move: “The government did not even file a redacted version of its secret affidavit or even an unclassified summary of what the secret affidavit says. Basically, the government is asking us just to trust that the gag is justified.” The group further explained that its attorneys “obviously can’t respond meaningfully to arguments that we’re not even allowed to see,” so they’re trying to get some form of access to the document. This would come in the form of either limited attorney access, or a summary of the filing’s contents. To add insult to injury, it’s not even clear that the investigation that sparked the five-year legal battle is still going on. The FBI quit asking Doe for records over two years ago, but it still maintains that revealing the identity of the ISP would result in various harms. http://arstechnica.com/tech-policy/news/2009/06/fbi-compounds-mystery-with-secret-justification-of-gag-order.ars

ICANN NAMES NEW CEO (CNET, 26 June 2009) - Former U.S. cybersecurity official Rod Beckstrom has been named the new CEO and president of ICANN. His appointment was announced at the annual meeting Friday in Australia of ICANN, which stands for the Internet Corporation for Assigned Names and Numbers. A global nonprofit, ICANN is responsible for assigning and managing Internet domain names and IP addresses, among other tasks. Beckstrom, who received his MBA from Stanford University, has served on the boards of several nonprofit groups and written four books. But it was his role as director of the U.S. National Cybersecurity Center (NCSC) where he made an impression. As head of the federal center, he oversaw a large, disparate agency spanning civilian, military and intelligence communities. However, Beckstrom resigned his government role in March after complaining of interference from the National Security Agency. In a letter to Department of Homeland Security Secretary Janet Napolitano, he said the NSA dominated most of his agency’s efforts and that he was “unwilling to subjugate the NCSC underneath the NSA.” Beckstrom defended the achievements of the NCSC and said he favored a decentralized approach so that security is not handled by any single organization. Beckstrom’s ICANN appointment triggered favorable statements from many sides. “Rod Beckstrom is strikingly well-prepared to undertake a new role as CEO of ICANN,” Vint Cerf, who is considered to be the “father” of the Internet, said in a statement. “His experience in industry and government equip him for this global and very challenging job.” Beckstrom is an “outstanding choice to head ICANN. He understands people, institutions, and technology,” Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), said in a statement. “He recognizes both the potential and the challenges for ICANN. And has stood up for the civil liberties of Internet users with courage and foresight.” http://news.cnet.com/8301-13578_3-10273668-38.html

OBAMA SEEKS INPUT ON CLASSIFICATION OF RECORDS (Washington Post, 27 June 2009) - President Obama wants your advice on how the government should keep its secrets. A month ago, he issued a memorandum directing national security advisers to recommend ways to improve the rules by which records are classified and later opened to the public. Starting Monday, tech-savvy citizens as well as federal officials will be able to weigh in on the complicated debate. Beth Noveck, head of the White House’s open government project, said yesterday that a blog dedicated to suggestions about the classification process will be set up on WhiteHouse.gov, where the open government project has been accepting ideas over the past month for how agencies can be more transparent. Suggestions from the blog will be considered for the final recommendations sent to the president. The Declassification Policy Forum is the latest effort by the White House to include citizens in the policymaking process. Noveck, deputy chief technology officer in the Office of Science and Technology Policy, said “creating an open conversation about secrecy represents an important step in the administration’s commitment to an open dialogue, even in the most difficult areas.” Noveck said she expects to hear from librarians, archivists and other record management experts that government officials would not otherwise consult. The questions posed on the forum will include: How should the government determine what records should be classified? How can the government improve access to digital records once they are declassified? How can technology be used to improve the declassification process? http://www.washingtonpost.com/wp-dyn/content/article/2009/06/26/AR2009062604101.html

- and -

ONLINE TOOL WILL TRACK U.S. TECH SPENDING (New York Times, 30 June 2009) - The Obama administration introduced online tools on Tuesday that will track and analyze the more than $70 billion a year that the federal government spends on information technology. The new Web tools, called IT Dashboard, are part of a Web site set up to monitor government spending, USASpending.gov. Administration officials said the technology-tracking dashboard was a step toward greater openness and accountability in government, and a model for the kinds of tools it would increasingly make available to the public for other kinds of spending, like following the flow of dollars in the economic recovery package. The dashboard was developed quickly, in about six weeks. Mr. Kundra said that the data was not yet complete, and that further features were planned, including a blog so people could contribute ideas and comments. But the goal, he said, was to “democratize the data” as quickly as possible to get the expected benefits of openness — pressure for greater efficiency and innovations contributed by outside experts and the public. The site has graphics showing total spending on computer hardware, software and services by agency. A user can then click to see the particulars on hundreds of technology projects — a description of each, the amount being spent, the government manager responsible and the names of the private sector suppliers (though many of the contractor lists are not yet filled in). Projects are rated for on-schedule performance and color-coded accordingly — green, yellow or red. Users, Mr. Kundra said, will be able to pluck the source data from the Web site and do their own analyses. Much of the raw data on the site has been public information for years. But analysts said it was typically in government forms and available from different agencies, so it was mainly industry experts and consultants who had the knowledge and incentive to collect and cull it. The dashboard will make it easier for companies to track contracts on which rivals are struggling — and compete for the business. http://www.nytimes.com/2009/07/01/technology/01dashboard.html?_r=2&partner=rss&emc=rss

HIGH COURT WON’T BLOCK REMOTE STORAGE DVR SYSTEM (Washington Post, 29 June 2009) - Cable TV operators won a key legal battle against Hollywood studios and television networks on Monday as the Supreme Court declined to block a new digital video recording system that could make it even easier for viewers to bypass commercials. The justices declined to hear arguments on whether Cablevision Systems Corp.’s remote-storage DVR system would violate copyright laws. That allows the Bethpage, N.Y.-based company to proceed with plans to start deploying the technology this summer. With remote storage, TV shows are kept on the cable operator’s servers instead of the DVR inside the customer’s home, as systems offered by TiVo Inc. and cable operators currently do. The distinction is important because a remote system essentially transforms every digital set-top box in the home into a DVR, allowing customers to sign up instantly, without the need to pick up a DVR from the nearest cable office or wait for a technician to visit. Movie studios, TV networks and cable TV channels had argued that the service is more akin to video-on-demand, for which they negotiate licensing fees with cable providers. They claimed a remote-storage DVR service amounts to an unauthorized rebroadcast of their programs. In a statement, the Copyright Alliance, whose members include Hollywood studios and television broadcasters, called the Supreme Court action “unfortunate and potentially harmful to creators and creative enterprises across the spectrum of copyright industries.” Cablevision argued its service was permissible because the control of the recording and playback was in the hands of the consumer. http://www.washingtonpost.com/wp-dyn/content/article/2009/06/29/AR2009062901691.html

STUDY: OLDER C-LEVEL EXECS AVOID TWITTER, BLOGS (ClickZ, 30 June 2009) - Are corporate executives embracing Twitter and blogs? Not if they’ve received an invitation to join the AARP. A survey of top executives at U.S. companies reveals that only 1 percent of those over the age of 50 provide daily contributions to a work-related blog. Forbes Insights performed the study sponsored by Google. Another 4 percent in this age group say they contribute several times a week. In contrast, 35 percent of executives ages 40 to 49 say they maintain a work-related blog daily. That figure increases to 56 percent of the executives under the age of 40. The study featured an interview with Zappos CEO Tony Hsieh, 35, who pointed out that the online retailer has over 400 employees on Twitter. “The world is becoming more and more transparent whether companies choose to accept it or not,” Hsieh told Forbes Insights. Meanwhile, a chief legal officer over the age of 50 said he didn’t see the business value of the interactive tools. Here are [some of] the study’s other findings.
Who’s on Twitter?
The study found a generation gap for those using Twitter and other micro-blogging platforms. Respondents were asked whether they either tweet or generate microfeeds. Here’s the breakdown:
• 3 percent of the executives over 50 participate in Twitter or another microblog.
• 34 percent of the executives ages 40 to 49 participate.
• 56 percent of the executives under 40 participate.
What Information Do Executives Seek?
The top three research topics that C-level executives seek are competitor analysis (53 percent), customer trends (41 percent), and corporate developments (39 percent). However, information priorities vary by job function:
• Of those executives in sales and marketing, 76 percent say they seek customer trends.
• Of those executives in finance, 63 percent said they seek competitor analysis.
• Of those executives in IT, 59 percent seek technology trends.
http://www.clickz.com/3634233 Related ComputerWorld story here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9134860&source=CTWNLE_nlt_dailyam_2009-06-26

JUDGE THROWS OUT CONVICTION IN CYBERBULLYING CASE (New York Times, 2 July 2009) - A federal judge on Thursday threw out the conviction of a Missouri woman on charges of computer fraud for her role in creating a false MySpace account to dupe a teenager, who later committed suicide. The judge, George H. Wu, said that he was tentatively acquitting the woman, Lori Drew, of misdemeanor counts of gaining access to computers without authorization and that the ruling would be final when he issued his written decision. In November, a federal jury here convicted Ms. Drew of three misdemeanor charges under the Computer Fraud and Abuse Act, a federal law intended to combat computer crimes. Legal experts followed the case closely, saying it was the first time the statute had been used to prosecute a patron of a social networking site for abuses of the site. But on Thursday, Judge Wu said the federal statute was too “vague” when applied in this case and that were he to allow Ms. Drew’s conviction to stand, “one could literally prosecute anyone who violates a terms of service agreement” in any way. Some experts in cyberbullying and computer fraud criticized prosecutors for using the computer fraud law against Ms. Drew. “This law was designed to criminalize computer hacking, not people going to a Web site and violating terms of service that can be obscure and frankly arbitrary,” said Matthew L. Levine, a former federal prosecutor and defense lawyer in New York. “This sets a very bad precedent of using this law for that purpose.” http://www.nytimes.com/2009/07/03/us/03bully.html?ref=global-home

**** RESOURCES ****
OBAMA’S TEAM: THE FACE OF DIVERSITY (National Journal, 22 June 2009) - [profile of several dozen “key players” in the Obama Administration] http://www.nationaljournal.com/decisionmakers/

RETURN OF THE MARK OF ZOTERO (InsideHigherEd, 1 July 2009) - Man is, of course, the tool-making animal -- but can’t we maybe give it a rest for a while? Evidently not. At this point we need digital tools to manage all the digital tools we have on hand. One day all of our devices will be able to communicate among themselves (“friending” each other while we aren’t looking) which I’m pretty sure leads to an apocalyptic scenario in which human beings end up living in caves. And yet, damn it, some of the tools are useful. A couple of years ago, this column pointed out an application that seemed a genuinely useful and non-time-wasting addition to the intellectual workbench. This was Zotero, a plug-in for the Firefox browser. Zotero allows you to gather, organize, and annotate material while doing research online. With Zotero, you can build up a collection of digital documents, cataloging and sorting it as you go. You can gloss the material so harvested, attaching your notes as you go. Zotero is particularly useful for gathering bibliographical data, and allows you to export it in a wide range of standard scholarly citation formats. Produced by the Center for New Media History at George Mason University, Zotero was (and remains) free. When I wrote about it in ‘07, enthusiasts were looking forward to Zotero 2.0 -- and not patiently. Various upgrades became available, but the substantially reworked Zotero was only released six weeks ago, in mid-May. At the time, as luck would have it, I was in a clinic being treated for exposure to more than 400 blog feeds per day. The twitchiness having now abated, I’ve been briefed on the latest model of Zotero by an “information-research specialist,” which is what librarians call themselves these days. The distinctive thing about Zotero 2.0, now in its beta version, is that it will allow you to store your collection (i.e., digital document archive, plus notes, plus bibliographical data) on a server, rather than on your hard drive. This has at least two important consequences. The first is that you can add to your Zotero files -- or retrieve them -- from any computer with web access. The old version stored the data on whatever machine you happened to be using at the time. I have a laptop somewhere in my study, for example, that contains records gathered last year, but not available to me at the moment because I am not exactly sure where that laptop is. Once I find it, however, it will be possible to ship this data off into “the cloud.” That means I can synchronize my old laptop, our household desktop computer, and the netbook I do most of my writing on now, so that the same Zotero files are always available on all of them. This was possible with the earlier version, but you had to make a point of transferring the files, which evidently I never got around to doing. The other major development is that Zotero 2.0 allows users to create groups that can share data. Members of a class or a research group are able to transfer files into a common pool. (So far, it is possible to do this with bibliographical references but not with documents, though the Zotero people are working on finding a way to store the latter.) You also have the option of creating a sort of haute Facebook presence. Dan Cohen, the director of the Center, explains: “Zotero users get a personal page with a short biography and the ability to list their discipline and interests, create an online CV (simple to export to other sites), and grant access to their libraries.” Thanks to such profiles, it should be easier to find other researchers who share your particular interests, and so engage in the cooperative exchange of references and ideas -- at least, assuming your notion of the life of the mind is not that of a zero-sum game, or indeed of bellum omnium contra omnes. It will be interesting to see how that shakes out, discipline by discipline, sub-field by sub-field. http://www.insidehighered.com/views/mclemee/mclemee248 [Editor: Sounds like an interesting tool. I’d appreciate feedback from any lawyer/users.]

**** LOOKING BACK - MIRLN TEN YEARS AGO ****
Y2K SCARE LEADS TO LARGER ADVANCES -- Experts say the Y2K bug may actually benefit companies and the economy in general, as it forced many firms to completely overhaul their computer systems and re-engineer their business processes to become more efficient. Federal Reserve Governor Alan Greenspan noted in his June 1 congressional testimony that the American economy “is displaying a remarkable run of economic growth that appears to have its roots in ongoing advances in technology,” and many experts say the Y2K bug is to blame. The millennium bug gave senior management an urgent deadline for assessing their computer systems as well as their entire business processes, resulting in “a dramatic surge in buying” of ERP systems, which reorganize and integrate a firm’s accounting and other business practices. Thus many companies’ antiquated business operations have been modernized, merged, and streamlined to prepare for Y2K, producing benefits such as increased productivity, improved customer responsiveness, reduced inventory, and increased efficiency. (Philadelphia Inquirer 07/01/99)

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.