Saturday, August 07, 2010

MIRLN --- 18 July – 7 August 2010 (v13.11)


·      TJX Settles Another Data Breach Lawsuit And Puts Itself In Charge Of The Oversight
·      Hedging Cyber Risks
·      Michigan Absentee Voters Can Now Track Ballots Online
·      Cybersecurity Expert Shortage Puts U.S. At Risk
·      Court Rules “No Harm, No Foul” on Data Breach Claims
·      Defense Department Creates Online Hub for Social Media
·      Building an Online Identity Legal Framework: The Proposed National Strategy
·      The Extent of Copyright In Original, Unpublished Material: Raymond Carver’s Stories
·      Buying Local, Online Higher Education
·      Advance Notice of Proposed Rulemaking on Accessibility of Web Information and Services Provided by Entities Covered by the ADA
·      Employees Ignore Social Media Policies, Play “FarmVille” on Company Time
·      Google Apps for Gov Battles Fear of Floating Data
·      Fair Use Legalized, Says EFF
·      Piloting E-Discovery Rules in the 7th Circuit
·      B-Schools All A-Twitter Over Social Media
·      Report: Most Data Breaches Tied to Organized Crime
·      Amazon Friends Facebook to Offer Gift Ideas
·      FTC Leaning Toward Do-Not-Track List for Online Ads
·      Tight-Lipped Apple Fixes Safari Autosnoop Bug
·      E-SIGN Prevents Enforcement of Emailed Contract Terms
o   Electronic Signatures on Utah Nomination Petitions Ruled Valid
·      VA Activist Can Post Officials' Social Security Numbers On Site, Court Rules
·      U.S. Military Cyberwar: What’s Off-Limits?
·      The Web’s New Gold Mine: Your Secrets
·      ABA Technology Survey on Lawyer Websites
·      Bridging the Communication Gap in E-Discovery
·      Why Most Cloud Contracts Shouldn’t Be Negotiable
·      Facebook Privacy Settings: Who Cares?
·      Lawyers, Ethics, Security & The Cloud
·      Google Will Sell Brand Names as Keywords in Europe
·      Washed Up
·      Defining Internet Freedom - eJournal - U.S. Department of State
·      Discovery Rule for Libel Doesn't Apply to Blogs, Says Federal Judge

NEWS | PODCASTS | RESOURCES | DIFFERENT | FUN | LOOKING BACK | NOTES

TJX Settles Another Data Breach Lawsuit And Puts Itself In Charge Of The Oversight (StorefrontBacktalk, 11 July 2010) - You have to wonder who is left among the U.S. entities that have not sued—and then settled with—TJX for its infamous data breach of more than 100 million card numbers. The latest to come up to the till: The Louisiana Municipal Police Employees’ Retirement System. But the settlement here—for $595,000—is not the interesting bit. Part of the deal was a change in an IT boss. The settlement specified that IT security efforts need someone to oversee operations. What was agreed? That the job be given to TJX’s own audit committee. The TJX board’s audit committee shall, through Dec. 31, 2015, “oversee security of [TJX’s] computer system with respect to customer data, including [PCI] compliance,” the settlement said. http://www.storefrontbacktalk.com/securityfraud/tjx-settles-another-data-breach-lawsuit-and-puts-itself-in-charge-of-the-oversight/ [Editor: I think this is a pretty big deal, though others have pooh-poohed it as a slap-on-the-wrist. On August 8 I’m moderating a panel discussion about emerging fiduciary duties to protect information security at the ABA annual meeting; former Roberta Karmel and national security expert Harvey Rishikof are on the panel: “Wake Up Call or Snooze Alarm: Are Recent CyberSecurity Regulations Giving Birth to Cyber-Fiduciary Duties?”]

Hedging Cyber Risks (AMEX, 13 July 2010) - When Britney Spears’ medical files were leaked to the press a while back, executives at Momentous Insurance Brokerage realized they had a problem. Momentous didn’t handle Spears, Farrah Fawcett, Nadya “Octomom” Suleman or any other celebrity whose medical or personal information has been leaked in recent years. But the Van Nuys, California, company insures other TV, movie and music stars, as well as production companies and recording studios. The risk of someone breaking into its database of clients’ addresses, Social Security numbers and medical information was too big to keep ignoring. So Momentous did what a lot of other companies that handle sensitive information are doing – it bought cyber insurance. The insurance industry believes the relatively new category of cyber insurance is the answer to these threats, and it’s finding more takers. In 2009, 32 percent of businesses responding to an annual Computer Security Institute computer crime survey carried special insurance to protect against cyber risks, compared to only 25 percent in 2005. “Protecting data is no longer an IT responsibility,” says Jeff McCart, president of The McCart Group, an Atlanta insurance broker. “It is the responsibility of the CEO or CFO.” A breach can hit a business where it hurts. In 2009, the average cost of a data breach rose to $202 per customer record from $197 in 2008, according to The Ponemon Institute, a Michigan privacy research center. The average cost of a data breach was $6.6 million, with overall costs ranging from $613,000 to nearly $32 million, the institute found. Most costs were due to lost business. Data thieves don’t care if a business is large or small. In 2008, a digital forensic team at telecommunications giant Verizon analyzed more than 90 data breaches around the world and found 70 percent occurred in mid-size companies with 10,000 or fewer employees. The study also found data breaches occur in many industries, with retail businesses making up one third, followed by financial services firms (30 percent) and food and beverage establishments (14 percent). https://corp.americanexpress.com/gcs/insideedge/articles/hedging-cyber-risks-elizabeth-wasserman.aspx?intsearchct=3%7C1300307e6c7ee1c687216434ce561f3e

Michigan Absentee Voters Can Now Track Ballots Online (Grand Rapids Press, 20 July 2010) - Absentee voters can now track the whereabouts of their ballots online, according to Secretary of State Terri Lynn Land. The new feature on Michigan.gov/vote registers when a request for an absentee ballot is received, when the ballot was sent out and when the election clerk has received the returned ballot. The ballots will be listed on the website as soon as the election clerk enters the ballot on the state’s “qualified voter file,” Secretary of State spokesman Ken Silfven said. While there is no deadline to enter the information, “it’s not something they want to fall behind on,” he said. The website also allows voters to check if they are registered to vote, print a sample ballot and find their local polling site or locate their election clerk. Absentee ballots are available to registered voters 60 years or older or voters who meet one of five conditions for being unable to visit the polls on election day. The ballots can be obtained online or from a local clerk. http://www.mlive.com/politics/index.ssf/2010/07/absentee_voters_can_now_track.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+StatelineorgRss-Technology+(Stateline.org+RSS+-+Technology)

Cybersecurity Expert Shortage Puts U.S. At Risk (Information Week, 21 July 2010) - The United States faces a chronic shortage in the quality and quantity of its cybersecurity experts, leaving the nation unprepared to defend itself against increasingly sophisticated online attacks. So says “A Human Capital Crisis in Cybersecurity,” a new study into computer security manpower challenges and potential solutions released by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President. The CSIS is a bipartisan public and foreign policy think tank in Washington. The commission also recommends creating better cybersecurity certifications. Interestingly, it found that “the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security,” because certifications focus “on demonstrating expertise in documenting compliance with policy and statutes, rather than expertise in actually reducing risk through identification, prevention, and intervention.” Alan Paller, director of research for SANS, seconded those certification findings and noted that the issue isn’t to do with mistakes in designing certification, but simply that the requirements have changed. “Certifications mostly measured soft skills, and that was all that you needed 25 years ago in security,” he said. “But as the nation states started using it for military purposes, and organized crime groups started using it for financial crime, it suddenly became serious, and very technical.” Unfortunately, certifications haven’t kept up. “If you take any of the common security certifications for auditors or security professionals, you could quite comfortably pass it. But then if I asked you to reverse-engineer the malware used in this Siemens attack, you’d look at me like I was crazy.” Today, however, the U.S. desperately needs those technical security experts. http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=226100078 [Editor: The most interesting part of this story is the confusion about what “cybersecurity certification” connotes; has implications for expert testimony, and for the value of pre-event assessments.]

Court Rules “No Harm, No Foul” on Data Breach Claims (Steptoe & Johnson’s E-Commerce Law Week, 22 July 2010) - In Ruiz v. Gap, Inc., the Ninth Circuit ruled that an individual had Article III standing to bring claims in federal court arising out of the theft of laptops containing his personal information, despite the absence of actual harm. The court held that the possibility of future injury was enough to satisfy Article III’s requirement of “injury in fact.” But the court affirmed the lower court’s grant of summary judgment to the defendants on the merits of the plaintiff’s various state law claims, finding that present, actual harm was a necessary element of those claims. Still, the court’s decision on Article III standing means that more data breach suits are likely to survive at least past the motion to dismiss stage, increasing the settlement value of those cases. http://www.steptoe.com/publications-7058.html [Editor: Steptoe’s choice of title for this story is interesting; I’d have emphasized the finding of standing, rather than the summary judgment on state claims.]

Defense Department Creates Online Hub for Social Media (FCW, 22 July 2010) - Social media at the Defense Department has gotten so popular it now has its own Web page “hub” to coordinate it all. DOD today launched an updated Social Media Hub Web page to provide quick links to service-affiliated Facebook, Twitter and YouTube social media sites as well as policy documents, training manuals and other information and to provide a forum for discussion. The military services have been active participants in social media. For example, as of today, the U.S. Marine Corps’ Facebook page counted more than 435,000 fans; the Army’s, 344,000; the Navy’s, 162,000; Air Force’s, 95,000; Defense Department’s, 38,000; Coast Guard’s, 19,000; and National Guard’s, 10,000. Each service has a page on the hub that contains links to various social media sites and resources. “Our goal is to create a ‘hub’ in every essence of the word — a place where anyone interested in learning more about social media practices amongst the services, as well helpful social media tips and tricks, could come to find everything they might need right at their fingertips,” said Joelle Zarcone, public affairs specialist on the social media team in the Office of the Assistant Secretary of Defense for Public Affairs. The hub includes policy and guidelines for social media use, links to social media registry and registration pages for each service and a discussion board now under construction. http://fcw.com/articles/2010/07/22/defense-creates-online-hub-for-social-media.aspx

Building an Online Identity Legal Framework: The Proposed National Strategy (Tom Smedinghoff, BNA, 22 July 2010) - Declaring that “the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online,” the White House released for public comment its draft National Strategy for Trusted Identities in Cyberspace June 25. Through this document, the Administration has begun the process of tackling the difficult issue of facilitating a trustworthy and interoperable online identity management capability. In essence, after many years of both public and private efforts to address the problem of online identity, the White House has effectively concluded that secure, interoperable, and easy-to-use online identity management capabilities won’t become a reality until the federal government provides the incentives and addresses the barriers (legal and otherwise) to the development of what it refers to as a trustworthy Identity Ecosystem. The critical importance of online identity management in facilitating trustworthy e-commerce and ensuring national security is now well-recognized. Several other governments and inter-governmental forums are already actively working to address the applicable technical and legal issues. These include Australia, Canada, Scotland, the European Union, and the Organization for Economic Cooperation and Development (OECD). And now the United States has formally taken on this key issue, noting that cyberspace is a vital part of the nation’s critical infrastructure, and concluding that “a secure cyberspace is critical to the health of our economy and to the security of our Nation”. http://privacylaw.wildman.com/article/National_Strategy_for_Trusted_Identities.pdf

The Extent of Copyright In Original, Unpublished Material: Raymond Carver’s Stories (Media Law Prof Blog, 22 July 2010) - Matthew J. Weldon, Benjamin N. Cardozo School of Law, has published Publishing Raymond Carver’s ‘Original’ Stories as ‘Fair Use’ in volume 7 of the Cardozo Public Law, Policy and Ethics Journal (2008/2009). Here is the abstract: “This is a paper on copyright law as it relates to the controversy of publishing Raymond Carver’s stories in their unedited form.

The controversy arose when Raymond Carver’s widow, Tess Gallagher, expressed her desire to publish these stories because Carver’s editor, Gordon Lish, had dramatically changed their character and style. Indeed, she claimed that these unedited stories represented the “real” Carver, whom she wished to reveal to the world. However, Carver’s estate no longer owned the copyrights to these stories.

The issue is particularly interesting because the “original” versions of the stories are considerably different from the published versions as edited by Lish. Thus, there is some ambiguity as to whether they are covered by the copyright of the published stories - in essence, they are the building blocks of the published versions, and thus it is unclear whether they would be considered derivative works.

These questions aside, this paper explores the role of editors and various ways that editors receive recognition for their efforts. It then explores joint authorship under American law, and how the Carver situation would be different in a jurisdiction where moral rights are recognized. Finally, “fair use” is applied to the particular facts to allow the revelation of Carver’s unedited oeuvre.” http://lawprofessors.typepad.com/media_law_prof_blog/2010/07/the-extent-of-copyright-in-original-unpublished-material-raymond-carvers-stories.html

Buying Local, Online Higher Education (InsideHigherEd, 23 July 2010) - That online education knows no geographical limitations is considered one of the platform’s more disruptive qualities. To entrepreneurs, it means that for-profit educational companies, such as the University of Phoenix or Kaplan University, can grow very large and make a lot of money, very quickly. To regulators, it means headaches. To highly visible traditional universities, such as Pennsylvania State University or the University of Massachusetts, it means an opportunity to take cues from the for-profits and create new revenue streams. To smaller universities with less national cachet, it might mean an opportunity to grow the brand and enroll students from across the country, even the globe. But it also might mean they need to fight for their lives. Online education has been seen as a godsend by many students, particularly adult learners, who need more college in order to boost their professional prospects but whose many responsibilities -- to jobs, families, etc. -- make it difficult to enroll in courses at a brick-and-mortar institution, even a nearby one. “You could be three blocks from the campus,” says Carol Aslanian, a senior vice president of market research at EducationDynamics, a consulting firm, “but because of work and children, you could [feel] barred from the campus.” These days, those students are likely to enroll in an online program. And because online education knows no geographic bounds, the move to the Web could pose serious challenges for institutions that until now have been able to draw reliably from their local and regional populations. These institutions do, however, have something working for them: Students like online learning, but they also like the tangibility of having a “real campus” nearby. A 2008 study by the Sloan Consortium noted that 85 percent of online students were taking courses through universities located within 50 miles of their homes. “Institutions believe that online will open up their enrollments to more students from outside of their normal service area,” the study said. “However, the reality is that this has not yet occurred in any large numbers.” Richard Garrett, managing director of Eduventures, says that in routine surveys his firm has done over the last three years, roughly 65 percent of online learners have said they prefer an institution with a physical presence within 50 miles. http://www.insidehighered.com/news/2010/07/23/online

Advance Notice of Proposed Rulemaking on Accessibility of Web Information and Services Provided by Entities Covered by the ADA (DOJ, 23 July 2010) - The Department is providing advance notice that it is considering revising the regulations implementing title II and III of the ADA to establish specific requirements for State and local governments and public accommodations to make their websites accessible to individuals with disabilities. The purpose of the Department’s proposal is to solicit public comment on various issues relating to the establishment of any such Web accessibility requirements and to determine the costs and benefits of any requirements that the Department might adopt. In its advance notice, the Department is seeking information regarding what standards, if any, it should adopt for website accessibility, whether the Department should adopt coverage limitations for certain entities, like small businesses, and what resources and services are available to make existing websites accessible to individuals with disabilities. The Department is also soliciting comments on the costs of making websites accessible, whether there are effective and reasonable alternatives to make websites accessible that the Department should consider permitting, and when any Web accessibility requirements adopted by the Department should become effective. http://www.ada.gov/anprm2010/factsht_web_anrpm_2010.htm

Employees Ignore Social Media Policies, Play “FarmVille” on Company Time (Mashable, 23 July 2010) - Cisco’s 2010 Midyear Security Report found that workers in the enterprise are accessing their favorite social networking sites on company-issued equipment even when corporate policies prohibit them from doing so. In fact, 50% of surveyed employees confessed to ignoring company social media policies at least once per week. 27% of respondents went the extra mile to reconfigure the settings on corporate devices so as to access forbidden content or applications. The Cisco report primarily focuses on network security. On that front, it concludes, “Social networking, virtualization, cloud computing and a heavy reliance on mobile devices continue to have a dramatic impact on the ability of information technology departments to maintain effective network security.” The social networking side of the report is especially interesting. The research sheds light on how the popularity of games like FarmVille is contributing to lost productivity during the workday and introducing new security risks. 7% of the sample who access Facebook at work “spend an average of 68 minutes per day” playing FarmVille. Mafia Wars and Cafe World also proved to be extremely distracting; the former is played by 5% of survey participants for an average of 52 minutes per day, while the latter (4% of the sample) spend 36 minutes each day on game play. Social networking at work is not all fun and games. On the issue of new security risks, Cisco warns, “Social networks remain a playground for cybercriminals, with an increasing number of attacks. New threats are now emerging from a more dangerous criminal element: terrorists.” http://mashable.com/2010/07/23/cisco-security-report/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Mashable+%28Mashable%29&utm_content=Google+Reader

Google Apps for Gov Battles Fear of Floating Data (The Register, 26 July 2010) - Google Apps for Government is designed to meet the information-security laws that bind federal agencies. But it’s also meant to provide a kind of comfort blanket for any government agency — from the federal level down to the local — that’s wary of moving their data onto third-party servers in the so-called cloud. “There is a fundamental trust question about turning over services and data to a third party,” Google president of enterprise Dave Girouard said when announcing the service this morning at the company’s headquarters in Mountain View. “Some people are very comfortable with it. Others find it intrinsically scary. This is just a step down that road...to develop procedures and processes to bring credibility to the cloud.” Google has tweaked the security controls used by its existing Google Apps online suite in an effort to gain FISMA (Federal Information Security Management Act) certification, and last Thursday, a FISMA rubber-stamp was applied by the federal government’s General Services Administration. But the new service also segregates Gmail and Google Calendar data into their own US-only portion of Google’s back-end infrastructure — a move that goes beyond FISMA and that, as Google freely admits, doesn’t necessarily mean added security. “I don’t think data location and security are synonymous,” Girouard said. “I think there is a government question, which is: ‘I want to know where my data is and I want to have some say over that.’ And I think that’s a fair and reasonable request. We’re trying to accommodate that in the cloud computing model, which operates at a fairly massive scale, in a reasonable way.” Google says that Gmail and Calendar data have been placed into sections of various existing US data centers that are physically separate from other parts of Google’s infrastructure. http://www.theregister.co.uk/2010/07/26/google_apps_for_government/ [Editor: other commentators have focused on the grant of FISMA certification as hugely significant.]

Fair Use Legalized, Says EFF (ReadWriteWeb, 26 July 2010) - New exemptions have been added to the Digital Millennium Copyright Act (DMCA), a U.S. copyright law that criminalized attempts to bypass copyright, access control technologies or digital rights management (DRM) measures. The exemptions now provide protections for “fair use” in several different circumstances, the most notable of which is the (now legalized!) process of jailbreaking a phone, a popular activity among iPhone owners in particular. The term jailbreaking refers to hacking a smartphone in order to gain access to additional features or install unapproved applications. However, it is only one of the many new protections announced today. Also included are protections that would allow owners to use their mobile devices on different wireless networks - a practice known as “unlocking” a phone - plus exemptions that allow breaking of copyright protection mechanisms on both videos and games, exemptions that make e-books more accessible, and finally, exemptions that allow bypassing external security measures on computers in specific circumstances involving dongles. The advocacy group EFF has been lobbying for these changes for some time due to the overly broad language used previously in the DMCA legislation, which seemingly requires an ongoing list of “exceptions” for so-called fair use activities in order to stay current with the rapidly-changing technology of the Internet era. “The Copyright Office and Librarian of Congress have taken three important steps today to mitigate some of the harms caused by the DMCA,” said Jennifer Granick, EFF’s civil liberties director, in regard to today’s changes. “We are thrilled to have helped free jailbreakers, unlockers and vidders from this law’s overbroad reach.” (We believe she means “video creators” there - “vidders” is a new one for us, too.) Specifically, today’s exemptions include the following:
·      Permission for cell phone owners to break access controls on their phones in order to switch wireless carriers or “jailbreak” their device
·      Permission to break technical protections on video games to investigate or correct security flaws
·      Permission for college professors, film students and documentary filmmakers to break copy-protection measures on DVDs so they can embed clips for educational purposes, criticism, commentary and noncommercial videos
·      Permission to enable an e-book’s read-aloud function or use a screen reader with the e-book, even when built-in access controls prevent this
·      Permission for computer owners to bypass the need for external security devices called dongles if the dongle no longer works and cannot be replaced. http://www.readwriteweb.com/archives/fair_use_legalized_says_eff.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+readwriteweb+%28ReadWriteWeb%29&utm_content=Google+Reader

Piloting E-Discovery Rules in the 7th Circuit (Law.com, 26 July 2010) - Magistrate Judge Nan Nolan of the U.S. District Court for the Northern District of Illinois had a long background as a criminal defense attorney before becoming a judge. She says that her background left her unprepared for the battles over discovery of electronic evidence she has encountered in the world of civil litigation. “I was not able to get my arms around all of the fighting over discovery,” she says. “I know that some people have snickered about this idea that you can get lawyers to make nice and cooperate on discovery. But I believe it is possible.” Under the leadership of Chief Judge James F. Holderman, Nolan has helped launch a pilot program to address electronic discovery issues: 7th Circuit E-Discovery Pilot Program. Taking their cues from, among other sources, the Sedona Conference Cooperation Proclamation, the 7th Circuit E-Discovery Committee is attempting to fix some of the most intractable discovery problems in litigation. The 7th Circuit, which covers the states of Illinois, Indiana and Wisconsin, launched the E-Discovery Committee in May of 2009 to take action to reduce what was perceived to be the rising burden and cost of discovery. They produced a set of principles, which provide discovery guidance for lawyers in cases that parties agree to litigate as part of this project. Nolan says that since the project has been implemented there has been very little conflict over discovery. “I think it is working, because of every case I have heard in this project, I have not had one [discovery] motion,” she says. However, the court has only just concluded phase one of the project and a new, two-year phase two should begin this fall. http://www.law.com/jsp/article.jsp?id=1202463869031&rss=newswire [Editor: the InformationLawGroup has a series of related, useful articles: http://www.infolawgroup.com/2010/07/articles/digital-evidence-and-ediscover/legal-implications-of-cloud-computing-part-45-extending-the-discussion-of-ediscovery-in-the-cloud/]

B-Schools All A-Twitter Over Social Media (Bloomberg, 26 July 2010) - Harvard Business School and Columbia Business School have joined a growing list of business schools that are adding courses on social media to their MBA curricula, addressing the corporate demand for social-network-savvy employees. The two schools are among at least six that have added courses in the past year that allow students to learn about Internet marketing and social media strategy, according to course syllabi and faculty associated with the classes. With Twitter’s social networking site claiming 190 million users tweeting 65 million times a day and Facebook reporting 500 million active members, companies including Sears Holdings (SHLD), Panasonic (PC), Citigroup (C), and AT&T (T) have begun hiring social media directors to develop and manage marketing strategies that address the nuances of the online world. Business schools in the last three years have seen a drop in graduate placement rates—to an average of 84 percent in 2009 among Bloomberg Businessweek’s top 30 full-time MBA programs, from 96 percent in 2007. Social media classes are one way of preparing students for careers in a promising field, says John Gallaugher, associate professor of information systems at Boston College’s Carroll School of Management (Carroll Full-Time MBA Profile), where “Social Media & Web 2.0 for Managers” is being offered in the fall. http://www.businessweek.com/bschools/content/jul2010/bs20100726_143420.htm

Report: Most Data Breaches Tied to Organized Crime (CNET, 27 July 2010) - Organized criminals were responsible for 85 percent of all stolen data last year and of the unauthorized access incidents, 38 percent of the data breaches took advantage of stolen login credentials, according to the 2010 Verizon Data Breach Investigations report to be released on Wednesday. While external agents were behind 70 percent of the breaches, nearly 50 percent were caused by insiders and only 11 percent were attributed to business partners, concluded the report, which focused on data breaches that took place in 2009. The study combined data from investigations and statistics worldwide compiled by Verizon and the U.S. Secret Service in which 141 cases were analyzed involving more than 143 million compromised data records, compared with the more than 360 million records compromised in 2008. Most of the externally originated breaches came from Eastern Europe, North America, and East Asia, the data shows. Nearly 50 percent of breaches involved misuse of user privileges, while 40 percent resulted from hacking, 38 percent used malware, 28 percent used social engineering tactics, and about 15 percent were physical attacks. There was not one single confirmed intrusion that exploited a patchable vulnerability, reflecting the fact that many of the most common hacking methods--SQL injection, stolen credentials, and backdoors--exploit problems that can’t be readily patched. “Attackers really do seem to be not so much concerned with finding software vulnerabilities as much as finding types of misconfigurations that let them in the door,” said Wade Baker, director of risk intelligence for Verizon Business. http://news.cnet.com/8301-27080_3-20011871-245.html

Amazon Friends Facebook to Offer Gift Ideas (CNET, 28 July 2010) - Looking for the right gift for your favorite Facebook friend? A new service from the team of Amazon and Facebook can recommend the right products for shoppers by peeking at their Facebook profiles. Launched as a beta on Monday, the new opt-in service will suggest gifts for your friends by checking out their favorite movies, music, books, and other items derived from their Facebook accounts. And if you’re in the mood to buy something for yourself, Amazon also looks at your own Facebook profile to suggest products that might interest you. You can try out the service by browsing to Amazon’s recommendations page where you’ll see the “Tap into Your Facebook Network” pane on the right. Click on the Sign in and Connect button. After you confirm your Amazon credentials, a window pops up describing the service and asking you to connect with Facebook. A Facebook page warns you what content you’ll be sharing with Amazon, including your basic profile information, your friends’ lists, and your friends’ profile information. If you opt in, Amazon then fills the recommendations page with products popular among your Facebook friends and items you may want to buy for yourself based on your own interests. The page also displays a list of friends with upcoming birthdays so you know who to put on your immediate shopping list. You can also see a list of all your friends. Clicking on the name of any friend displays that person’s interests and favorite items from Facebook to help you pick out the right gift, and of course buy it on Amazon. http://news.cnet.com/8301-1023_3-20011934-93.html?tag=nl.e703

FTC Leaning Toward Do-Not-Track List for Online Ads (E-Commerce Guide, 28 July 2010) - As it prepares a major report with guidelines for protecting consumer privacy online, the Federal Trade Commission is mulling a simple mechanism that would allow users to opt out of behavioral tracking across the Web, the head of the agency told a Senate panel on Tuesday. FTC Chairman Jon Leibowitz said the system would be similar to the Do-Not-Call registry that enables consumers to shield their phone numbers from telemarketers. Industry coalitions involving some of the largest Internet players have developed tools for consumers to opt out of behavioral tracking across their sites and ad networks, but Leibowitz suggested a browser-based tool that would give users the option of blocking data collection across the Web. But he acknowledged, with some disappointment, that the FTC is limited in the extent to which it can exercise oversight authority over the online advertising industry. Leibowitz and Commerce Committee Chairman John Rockefeller had fought to include provisions in the recent financial reform bill that would give the FTC broad rulemaking authority, but that language was stripped out of the final version, thanks, in part, to a concerted lobbying effort by the advertising industry. That defeat preserved the status quo at the FTC, leaving it with very limited rulemaking powers outside of authorities specifically granted by an act of Congress, such as its ability to police abuses of the Do-Not-Call registry. Since no such authority has been established in online advertising, the recommendations the commission produces this fall will almost certainly advance its position of urging the industry to unite in a broad-based self-regulatory framework that would protect consumers and punish -- or at least shun -- bad actors. http://www.ecommerce-guide.com/article.php/3895466

Tight-Lipped Apple Fixes Safari Autosnoop Bug (The Register, 28 July 2010) - Apple has fixed a flaw in Safari that exposed user names, email addresses, and other sensitive information when the browser visited booby-trapped websites. The update, which included an unrelated fix for a separate information disclosure vulnerability in Safari, comes a day before security researcher Jeremiah Grossman is scheduled to show attendees of the Black Hat Security conference in Las Vegas how to trick the AutoFill feature in the Apple browser into turning over detailed user information with no user input except visiting a particular website. Grossman said previously he had brought it to Apple’s attention privately but received no response from the company. In a bulletin published Tuesday, Apple said it had squashed the bug by prohibiting AutoFill from using user information without user action. The vulnerability allowed webmasters to add simple code to their sites that siphoned highly personal information stored in a user’s Mac or Windows address book. By default, the user’s full name, email address, location, employer, and other information were free for the taking, and all that was required was that the information already be entered in the “My Card” record of the address books included in OS X, Windows, or Outlook. Apple’s prompt action is testament to the power of full disclosure, which argues that users are best protected when detailed information about vulnerabilities is widely disclosed. Many companies argue details should be shared only privately with the software maker until a patch is issued. Apple didn’t publicly acknowledge the flaw until mainstream publications such as The New York Times and The Wall Street Journal published articles about the flaw, calling into question the wisdom of so-called responsible disclosure. http://www.theregister.co.uk/2010/07/28/apple_safari_bug_patch/

E-SIGN Prevents Enforcement of Emailed Contract Terms (John Ottaviani, writing on Eric Goldman’s blog, 28 July 2010) - It has been about 10 years now since Congress adopted the federal Electronic Signatures in Global and National Commerce Act (commonly known as “E-Sign”). Cases interpreting E-Sign have been relatively rare. A Colorado federal court judge last week purported to decide whether an e-mail could constitute an enforceable contract under E-Sign, and concluded that the e-mail in question could not be enforced as a contract. Unfortunately, the Court (and the parties briefing the motion) did not realize that this was not an E-Sign case. The Court should have analyzed the case under the Colorado Uniform Electronic Transactions Act. Had it done so, the result may have been different. Buckles Management, LLC v. Investordigs, LLC, No. 10-cv-00508-LTB-BNB (D. Colo. July 23, 2010). http://blog.ericgoldman.org/archives/2010/07/colorado_court.htm [Editor: this contains a useful analysis of e-Sign vs. UETA.]

- and -

Electronic Signatures on Utah Nomination Petitions Ruled Valid (Proskauer, 30 July 2010) - Under Utah law, electronic signatures used to execute petitions to nominate independent political candidates are valid, the Utah Supreme Court ruled. The court first looked to the general provisions of the Utah Code, which broadly defines a “signature” as including a “name, mark, or sign written with the intent to authenticate any instrument or writing,” and further specifies that a “writing” includes “printing,” “handwriting,” and “information stored in an electronic or other medium if the information is retrievable in a perceivable format.” The court also concluded that the Utah enactment of the Uniform Electronic Transactions Act applies to the Utah Election Code, and noted that the UETA provides that “[i]f a law requires a signature, an electronic signature satisfies the law.” Anderson v. Bell, 2010 UT 47 (Utah June 22, 2010). http://www.proskauer.com/publications/newsletters/new-media-technology-and-the-law-july-2010/#_Toc267564305 Opinion here: PDF

VA Activist Can Post Officials' Social Security Numbers On Site, Court Rules (Washington Post, 29 July 2010) - Betty "B.J." Ostergren wanted to persuade Virginia to take sensitive personal data off state Web sites. To make her point, she created her own site and then posted public records that included the Social Security numbers of government officials. This week, a federal appellate court in Virginia ruled that Ostergren can keep those records on her site, The Virginia Watchdog. The court found that a 2008 law that prohibits publishing Social Security numbers violates Ostergren's constitutional right to free speech. Ostergren has made it her mission to argue that the government is too lax with personal data posted online, making residents vulnerable to identity theft. She's free to use deeds and tax liens from lawmakers and court clerks to send her message, the court said. "The unredacted SSNs on Virginia land records that Ostergren has posted online are integral to her message. Indeed, they are her message," Judge Allyson K. Duncan wrote for the panel of the U.S. Court of Appeals for the 4th Circuit. "Displaying them proves Virginia's failure to safeguard private information and powerfully demonstrates why Virginia citizens should be concerned." http://www.washingtonpost.com/wp-dyn/content/article/2010/07/28/AR2010072805887.html?wpisrc=nl_tech

U.S. Military Cyberwar: What’s Off-Limits? (CNET, 29 July 2010) - The United States should decide on rules for attacking other nations’ networks in advance of an actual cyberwar, which could include an international agreement not to disable banks and electrical grids, the former head of the CIA and National Security Agency said Thursday. Michael Hayden, who was the principal deputy director of national intelligence and retired last year, said the rules of engagement for electronic battlefields are still too murky, even after the Defense Department created the U.S. Cyber Command last spring. The new organization is charged with allowing the U.S. armed forces to conduct "full-spectrum military cyberspace operations in order to enable actions in all domains," which includes destroying electronic infrastructure as thoroughly as a B-2 bomber would level a power plant. Even a formal cyberwar may have rules different from those applying to traditional warfare, Hayden suggested. One option would be for the larger G8 or G20 nations to declare that "cyberpenetration of any (financial) grid is so harmful to the international financial system that this is like chemical weapons: none of us should use them," he said at the Black Hat computer security conference here. Another option would be for those nations to declare that "outside of actual physical attacks in declared conflicts, denial of service attacks are never allowed and are absolutely forbidden and never excused," and a consensus would "stigmatize their use," said Hayden, who’s now a principal at the Chertoff Group. Nations "do not do it and they do not allow it to happen from their sovereign space." http://news.cnet.com/8301-31921_3-20012121-281.html

The Web’s New Gold Mine: Your Secrets (WSJ, 30 July 2010) - One of the fastest-growing businesses on the Internet, a Wall Street Journal investigation has found, is the business of spying on Internet users. The Journal conducted a comprehensive study that assesses and analyzes the broad array of cookies and other surveillance technology that companies are deploying on Internet users. It reveals that the tracking of consumers has grown both far more pervasive and far more intrusive than is realized by all but a handful of people in the vanguard of the industry.
• The study found that the nation’s 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning. A dozen sites each installed more than a hundred. The nonprofit Wikipedia installed none.
• Tracking technology is getting smarter and more intrusive. Monitoring used to be limited mainly to “cookie” files that record websites people visit. But the Journal found new tools that scan in real time what people are doing on a Web page, then instantly assess location, income, shopping interests and even medical conditions. Some tools surreptitiously re-spawn themselves even after users try to delete them.
• These profiles of individuals, constantly refreshed, are bought and sold on stock-market-like exchanges that have sprung up in the past 18 months.
The new technologies are transforming the Internet economy. Advertisers once primarily bought ads on specific Web pages—a car ad on a car site. Now, advertisers are paying a premium to follow people around the Internet, wherever they go, with highly specific marketing messages. In between the Internet user and the advertiser, the Journal identified more than 100 middlemen—tracking companies, data brokers and advertising networks—competing to meet the growing demand for data on individual behavior and interests. http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html?mod=WSJ_hpp_LEFTTopStories#printMode

ABA Technology Survey on Lawyer Websites (Robert Ambrogi, 30 July 2010) - In a post here last week, I wrote about findings on social networking from the 2010 Legal Technology Survey Report of the ABA Legal Technology Resource Center. The six-volume survey looks at legal-technology trends in various aspects of law practice. Volume IV of the survey covers Web and communication technology. In this post, I’ll review some of the survey’s findings with regard to lawyer and law firm websites. http://www.lawsitesblog.com/2010/07/aba-technology-survey-on-lawyer-websites.html [The survey is available here: http://www.abanet.org/tech/ltrc/survstat.html. Full disclosure: I chair the ABA Standing Committee involved in producing this report.]

Bridging the Communication Gap in E-Discovery (Law.com, 30 July 2010) - Several years ago, I was the technical lead for a mission-critical application at a Fortune 100 insurance company. The application quoted and issued policies for the company’s largest commercial line of business, booking revenues upward of $28,000 per minute of scheduled uptime. One day, I received a request from the chief litigator to stop automatic deletion from the system. Simple enough, right? Wrong. Complying with this request -- which, translated into IT terms, meant suspending the purge process -- would have locked the database in 11 hours, crashing the application, crippling the company’s ability to sell a policy, and suspending 30 percent of the company’s revenue stream. This was my first experience with e-discovery, and a classic example of the process disconnects I see at the companies for which I now consult. E-discovery, like litigation, can be a frenzy. Most companies are simply not set up with the streamlined channels of communication they need to respond effectively. I’ve learned a lot since that fire drill. Once I clarified what the legal department needed -- in this case, an attorney general’s office investigation required that purged data be saved -- I got approval to determine the impact of the request, which was unknown at the time. I assembled a team of experts -- anyone who had their hands on the system -- and by the end of the day we had discovered the proposed suspension’s alarming impact on the bottom line. I proposed an alternative solution: Run a tape exporting everything that would normally be purged, and report from that data. This met the legal team’s needs, did not significantly affect IT’s processes, and didn’t affect the bottom line of the company. Communication gaps are a persistent problem in IT, and here, “soft skills” deliver hard results. It’s no secret that IT and legal speak different languages. 
No one is doing paper-only litigation anymore, so legal and IT working together is simply a fact of life. Clear communication goes a long way toward getting them to work together and can effectively bridge e-discovery gaps. http://www.law.com/jsp/article.jsp?id=1202464050253&rss=newswire [It’s a rare lawyer who speaks “tech”, too.]

Why Most Cloud Contracts Shouldn’t Be Negotiable (GigaOM, 1 August 2010) - This week brought news that pharmaceutical giant Eli Lilly has ended its use of Amazon EC2 because of an inability to negotiate contractual liability with Amazon Web Services in the case of outages or data breaches. Though subsequently retracted in this particular case, these negotiations will become more common as large enterprises think about moving more workloads to the cloud. However, as I explain in my weekly column at GigaOM Pro, what’s not so certain is whether cloud computing providers will have to budge. Cloud computing terms of service — not just from AWS, but from every provider — uniformly deny all liability for outages or data losses, disclaim all warranties of any type, and limit damages to those outlined in the SLA. Although these terms might sound unfair, courts have, in similar circumstances, (i.e., Google AdWords and clickwrap contracts) been quite willing to let those terms stand as they are. This is especially true in cases like that of AWS and Eli Lilly, where both parties are commercial entities perfectly capable of understanding contractual terms and obligating themselves however they please. When viewed in light of the cloud computing model, there’s even better reason to see why such terms are allowed to persist. The multitenant and anonymous natures of cloud offerings like Amazon Web Services mean that a single failure could result in untold numbers of customers filing lawsuits, even if the cloud provider might not have known they were customers in the first place. That’s a lot of risk for a low-margin business like selling bare VMs. If self-service cloud providers, such as AWS, really want enterprise customers, they must consider how far they’re willing to bend to earn that business. In some cases, negotiation might be an option. 
Enterprises, in turn, need to figure out what they actually want from the cloud, because with most cloud providers, they can’t have their cake and eat it too. There are plenty of cloud options offering negotiable contracts, meaningful SLAs and even dedicated resources, but they don’t accept American Express. http://gigaom.com/2010/08/01/why-most-cloud-contracts-shouldnt-be-negotiable/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+OmMalik+%28GigaOM%29&utm_content=Google+Reader [Editor: Interesting perspective; but where, then, is the incentive to innovate and develop advanced security assurance systems, if contracts don’t require them and all providers coalesce on similar exclusions? This was fine for protecting the emerging software development business, but arguably has outlived its time there; here, too? For a related discussion about USG dependence on Microsoft products—and the implications of BSOD crashes for military assets—see the blog posting by GW’s Prof. Amitai Etzioni, referencing Richard Clarke’s book on Cyber War: http://blog.amitaietzioni.org/2010/06/shameless.html]

Facebook Privacy Settings: Who Cares? (First Monday article by Danah Boyd and Eszter Hargittai, 2 August 2010) – ABSTRACT: With over 500 million users, the decisions that Facebook makes about its privacy settings have the potential to influence many people. While its changes in this domain have often prompted privacy advocates and news media to critique the company, Facebook has continued to attract more users to its service. This raises a question about whether or not Facebook’s changes in privacy approaches matter and, if so, to whom. This paper examines the attitudes and practices of a cohort of 18– and 19–year–olds surveyed in 2009 and again in 2010 about Facebook’s privacy settings. Our results challenge widespread assumptions that youth do not care about and are not engaged with navigating privacy. We find that, while not universal, modifications to privacy settings have increased during a year in which Facebook’s approach to privacy was hotly contested. We also find that both frequency and type of Facebook use as well as Internet skill are correlated with making modifications to privacy settings. In contrast, we observe few gender differences in how young adults approach their Facebook privacy settings, which is notable given that gender differences exist in so many other domains online. We discuss the possible reasons for our findings and their implications. http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3086/2589

Lawyers, Ethics, Security & The Cloud (Michael Power’s blog, 2 August 2010) - The regulatory bodies governing lawyers have long recognized the benefits and the risks of information technology in modern legal practices. However, with “Cloud computing” seemingly (and finally) “catching on”, one can’t help but wonder when the ethical guidance provided to lawyers will be amended to address its possible use by the legal community in Canada. As for existing guidance for lawyers in Ontario, one need only refer to the Law Society of Upper Canada’s Technology Guideline and its 2001 Ethical Considerations and Technology. The Canadian Bar Association, in 2008, produced a very useful document with its Guidelines for Practising Ethically with New Information Technologies. I’ve actually had one American lawyer, active in the American Bar Association leadership, make very positive comments about the CBA Guidelines, suggesting that the ABA should produce a similar document. It is to be noted though, not unexpectedly given their dates of publication, that none of these documents expressly addresses the subject of cloud computing. In pondering the juxtaposition of Cloud computing, ethics and law practice management (since that is the purpose of lawyers and law firms using the Cloud), I recently had the benefit of a conversation with a good friend and colleague, Roland Trope, who practices in New York and serves as an Adjunct Professor at West Point. Roland is presenting in a session at the 2010 ABA annual meeting in San Francisco on the ethical issues facing lawyers in their use of the Cloud. He’s co-written a very interesting paper with Claudia Ray outlining the issues about Cloud computing, and how, through an over-reliance on Cloud service providers, it may affect the ability of lawyers to provide competent representation. Some of the issues facing the legal profession (or anyone with sensitive data for that matter) that they have identified in their paper include:
·      Program, operating system and upgrade instability;
·      The ability to locate fault (i.e. whose network has the problem – the law firm’s or the cloud provider’s);
·      Reduced or lack of control over (or even knowledge of) software changes;
·      Diminished knowledge of data breaches;
·      Reduced knowledge of, or control over, the movement/location of personal information or client confidential information; and
·      Reduced ability to prevent government searches and seizures.
As might be expected, the issue of using the Cloud has already come up. North Carolina has a proposed ethics opinion on the subject of lawyers’ use of “software as a service” that permits such use, provided a long list of questions is addressed. A lawyer or law firm would have to obtain sufficient answers to permit a conclusion that the risk to the confidentiality and security of client file information is minimal. I’m not quite sure whether North Carolina’s opinion addresses all the issues – just as I’m not quite sure I agree with it – but to see what’s proposed go here and look for Proposed 2010 Opinion # 7 (about two-thirds of the way down the page). The technology guidance issued by the Law Society of Upper Canada and the CBA appears to be written from the perspective of the law firm having ownership of, or certainly a greater degree of control over, the technology on which client data is stored. That’s not a criticism, but it’s likely time for regulators of the legal profession in Canada to update the guidance provided to lawyers to address the use of the Cloud. http://michaelpower.ca/2010/08/lawyers-ethics-security-the-cloud/

Google Will Sell Brand Names as Keywords in Europe (NYT, 5 August 2010) - The Internet giant Google said on Wednesday that it would change its search policy for most of Europe to allow advertisers to buy and use as keywords terms that have been trademarked by others. Previously, brand owners could file a trademark complaint with Google to prevent third-party ads from being returned alongside the results of a search of a trademarked name, like Louis Vuitton or Prada. The decision will be effective Sept. 14 and extends to the rest of Europe changes that were made in Britain and Ireland in 2008. In the United States and Canada, Google has been using the policy since 2004. Google’s move stems from a decision by the European Court of Justice in March. The court broadly ruled that Google had respected trademark law by allowing advertisers to bid for keywords corresponding to third-party trademarks. Brand owners, led by the French luxury goods company LVMH Moët Hennessy Louis Vuitton, had argued that only they or authorized sites should be able to buy and use such trademarked terms in searches, so as to protect their brand value. They now face the prospect of having the ads of third-parties offering their products being displayed in search results. Trademark owners who feel that third-party ads confuse users as to the origin of the goods and services will still be able to file complaints with Google, and the search company said it would take down the ads if it agreed that they were confusing. http://www.nytimes.com/2010/08/05/technology/05google.html?_r=1

Washed Up (InsideHigherEd, 6 August 2010) - Google Wave was supposed to make class discussions richer and more coherent. It was supposed to make research collaborations easier. It was supposed to break down walls between offices, disciplines, countries. It was even supposed to give learning-management systems such as Blackboard a run for their money. Instead, it is kaput. Just over a year after being rolled out, the much-hyped Wave has crashed on the shores of indifference and is now set to recede into obscurity. Google said Thursday that it will stop selling Wave as a product and close the host website by the end of the year, citing a dearth of users. http://www.insidehighered.com/news/2010/08/06/google [Editor: interesting discussion of what went wrong. I was struck by Wave's potential for conference/symposium capture, but think it failed here, too.]

Defining Internet Freedom - eJournal - U.S. Department of State (BeSpacific, 6 August 2010) - The first part of this journal addresses the difficulty agreeing on a universally applicable definition of Internet freedom. Nations impose many different kinds of restrictions. Some represent the efforts of authoritarian regimes to repress their opponents, but others instead reflect diverse political traditions and cultural norms. Other materials survey the current state of ‘net freedom in different parts of the world. Freedom House, a leading nongovernmental organization, has studied government efforts to control, regulate, and censor different forms of electronic social communication. Its findings are explained here. We also explore a number of issues that help define the contours of Internet freedom. The term “intermediary liability” may not pique one’s interest, but it assumes new relevance phrased as whether YouTube is liable for an offensive video posted by a third party. From dancing babies to public libraries, the issues that will delimit global citizens’ access to information are being contested every day. http://www.bespacific.com/mt/archives/024886.html

Discovery Rule for Libel Doesn't Apply to Blogs, Says Federal Judge (Law.com, 6 August 2010) - Aviation lawyer and seasoned pilot Arthur Alan Wolk knows quite a bit about the stratosphere and the troposphere, but he may have learned something new this week about the blogosphere when a federal judge tossed out his libel suit against the bloggers at Overlawyered.com. As U.S. District Judge Mary A. McLaughlin sees it, a blog is legally the same as any other "mass media," meaning that any libel lawsuit filed against a blog in Pennsylvania must make its way to court within one year. Wolk was hoping for a break on the strict time limit. His lawyers -- Paul R. Rosen and Andrew J. DeFalco of Spector Gadon & Rosen -- argued that the "discovery rule" should apply to toll the statute of limitations until the target of an allegedly libelous blog entry discovers it. But McLaughlin found that blogs, by virtue of publishing on the Internet, qualify as mass media that simply cannot be subjected to the discovery rule. "The court is not aware of any case in which the discovery rule has been applied to postpone the accrual of a cause of action based upon the publication of a defamatory statement contained in a book or newspaper or other mass medium," McLaughlin wrote in her nine-page opinion in Wolk v. Olson. McLaughlin said she followed the lead of several of her colleagues on the Eastern District of Pennsylvania bench, as well as numerous courts around the country, in holding that "as a matter of law, the discovery rule does not apply to toll the statute of limitations for mass-media defamation." In court papers, Wolk said he first learned of the existence of the allegedly defamatory article on Overlawyered when he was advised at a seminar on client relations in early 2009 to perform a Google search of his own name. 
It was only then, Wolk claims, that he found the April 2007 blog entry by Overlawyered's Theodore Frank that allegedly included false allegations about Wolk's handling of a case in Georgia. http://www.law.com/jsp/article.jsp?id=1202464319845&rss=newswire

**** NOTED PODCASTS ****
Spare a Cycle? (Berkman Center, 22 July 2010; 30 minute podcast) - What are you doing with your spare cycles? You know, the bits of time you spend on the web when you’re not really being productive? Maybe you’re waiting for a file to download. Maybe you’re playing a game. Maybe you’re even filling out a form. All of these little moments could in fact be put to good use. In some cases, they are. And you might not even know it. For instance, when you type out a Captcha — those little squiggly words on a web form you transcribe to prove you’re human — you are in fact transcribing a word from a scanned book. A word that is illegible to a computer’s eye. Here, you’re simultaneously proving you are a human being, not a robot, and also doing a good deed, helping to transcribe text. You can thank today’s guest for that little innovation. Luis von Ahn — professor of computer science at Carnegie Mellon University and expert in the field of human computation — explores the little innovations on the web that are harnessing the power of millions to change the world. Not always for the good. http://cyber.law.harvard.edu/node/6267

**** RESOURCES ****
United States Faces Challenges in Addressing Global Cybersecurity and Governance (GAO, July 2010) - There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts, to private organizations, to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation. For example, the International Organization for Standardization is a nongovernmental organization that develops and publishes international standards, including those related to cybersecurity, through a consensus-based process involving a network of the national standards bodies of 162 countries. A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings. The global aspects of cyberspace present key challenges to U.S. policy (see table). Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace. http://www.gao.gov/new.items/d10606.pdf

**** DIFFERENT ****
Sneaky New App Avoids Awkward Chats, Sends You Straight to Voicemail (Mashable, 30 July 2010) - Quick Pitch: slydial is a free voice messaging service which connects you directly to someone’s mobile voicemail. Genius Idea: If you’ve ever dreaded making a phone call and anxiously wished for a voicemail greeting as you dialed, you know exactly why this app is a genius idea. It strips away the awkwardness of a voice-to-voice call while still letting you claim to have attempted direct communication. To use slydial, which is free and audio-ad supported, just dial 267-SLYDIAL (267-759-3425) and enter the mobile number of the person you want to leave a voicemail for. You can also try slydial’s mobile apps, which include offerings for iPhone, Android, BlackBerry and Windows Mobile. We gave slydial a try, and it worked just as promised; the other person’s phone didn’t so much as twitch while slydial connected me to the voicemail box in question. http://mashable.com/2010/07/30/slydial/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Mashable+%28Mashable%29&utm_content=Google+Reader

**** FUN ****
Kramer Telecom Law Firm, P.C. website disclaimers and privacy policy -- http://www.telecomlawfirm.com/disclaimer/. [Editor: very, very inventive stuff. Possibly a bar association ethics committee or two would express some concerns, but I love it.]

**** LOOKING BACK - MIRLN TEN YEARS AGO ****
CRYSTAL BALL ON 2020 -- At the recent “Next 20 Years” gathering in San Francisco, futurist Paul Saffo warned participants about the threat of cyburbia -- a scenario in which “any fool with a double-wide trailer and a satellite dish can tow it onto a piece of unoccupied land in the middle of the Nevada desert and have enough power to compute.” Making it all possible will be a washing-machine-sized device capable of generating electricity with only fresh water as a by-product. Meanwhile, Hewlett-Packard’s Stanley Williams predicted a future where sports fans could experience the game from anywhere on the field, and visual entertainment in which the “viewer” could insert him- or herself anywhere in the scene, or even participate as one of the characters. And Benchmark Capital General Partner Bill Gurley envisioned browsable desktop economies, fueled by a Napster-style computer architecture in which every PC is connected to its peers, rather than the client-server model now common. Users will be able to log on and “play” the economy: “The economy is a game as well. So all of a sudden -- with everyone connected to the Web and an easy way to transfer money, and the ability to compete for your time or expertise -- I think you’ll see a world evolve literally within the next 20 years very similar to what’s described in Neal Stephenson’s ‘Snow Crash’... The notion that you might wake up one day, take a shower, walk into your office, put on a headphone, and sit down to a keyboard, and literally jack into an entire different economy is very possible.” (Wired News 5 Jul 2000) http://www.wired.com/news/technology/0,1282,37360,00.html

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC. Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, sans@sans.org
4. NewsScan and Innovation, http://www.newsscan.com
5. BNA’s Internet Law News, http://ecommercecenter.bna.com
7. McGuire Wood’s Technology & Business Articles of Note
8. Steptoe & Johnson’s E-Commerce Law Week
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. Law.com
11. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
