Saturday, June 18, 2011

MIRLN --- 29 May - 18 June 2011 (v14.08)

MIRLN --- 29 May - 18 June 2011 (v14.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)


Chronicle of Higher Education Issue Focuses On Copyright (Media Law Prof Blog, 31 May 2011) - In this week's issue of the Chronicle of Higher Education, "The Copyright Rebellion: A Special Report." The issue includes two articles by Marc Parry, "Supreme Court Takes Up Scholars Rights," and "Out of Fear, Colleges Lock Books and Images Away From Scholars," and Jeffrey R. Young's "Pushing Back Against Legal Threats By Pushing Fair Use Forward." (Subscription may be required).


HHS Proposes Changes To HIPAA Privacy Rule (Information Week, 31 May 2011) - The U.S. Dept. of Health and Human Services has proposed changes to the Health Insurance Portability and Accountability Act privacy rule that would provide individuals with more details about who accessed their electronic health information and disclosures of the e-health data. The changes to the HIPAA privacy rule are being proposed by HHS' Office for Civil Rights in accordance with accounting disclosure requirements mandated by the HITECH Act. The proposed changes would revise HIPAA's privacy rule by dividing it into two separate rights for individuals: "an individual's right to an accounting of disclosures" and "individual's right to an access report, which would include electronic access by both workforce members and persons outside the covered entity." The proposed rule said "the purpose of these modifications is, in part, to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record."


NYT Learns of Goldman Trader's Legal Defense from Discarded Laptop (ABA Journal, 1 June 2011) - The New York Times has learned about the legal defenses for a Goldman Sachs trader from a discarded laptop discovered in a garbage area of a New York apartment building. An artist and filmmaker gave legal materials from the laptop to the newspaper, saying a friend had discovered the computer in the garbage and given it to her in 2006, the New York Times reports. Even after artist Nancy Cohen obtained the laptop, email messages for the defendant, Fabrice Tourre, continued streaming into the computer, the story says. The documents include draft replies by Allen & Overy to a Securities and Exchange Commission lawsuit against Tourre, a midlevel executive at Goldman. The replies point the finger at other Goldman employees, including two lawyers, who worked on the same targeted deal as Tourre. Cohen said she ignored the streaming messages until she heard news reports about Tourre and decided to turn over the materials to the Times. The Times cited the documents in a story that questioned why Tourre was the only individual at Goldman and across Wall Street sued by the SEC for selling a mortgage securities investment. "How Mr. Tourre alone came to be the face of mortgage-securities fraud has raised questions among former prosecutors and congressional officials about how aggressive and thorough the government's investigations have been into Wall Street's role in the mortgage crisis," the newspaper says.


Yahoo! Entitled to Immunity for Disclosing User Information in Response to Subpoena (Eric Goldman's blog, 1 June 2011) - Sams v. Yahoo!, Inc., CV-10-5897-JF(HRL) (N.D. Cal.; May 18, 2011) -- Fayelynn Sams sued Yahoo!, contending that Yahoo! improperly produced information in response to a subpoena which requested information regarding Sams's account. She brought a putative class action asserting a variety of claims, including a state law privacy claim, breach of contract, breach of the duty of good faith and fair dealing, and claims under the Electronic Communications Privacy Act. The court finds that Yahoo! is entitled to immunity under the Electronic Communications Privacy Act's immunity provisions and dismisses the case.


How the Library Of Congress is Building the Twitter Archive (O'Reilly Radar, 2 June 2011) - In April 2010, Twitter announced it was donating its entire archive of public tweets to the Library of Congress. Every tweet since Twitter's inception in 2006 would be preserved. The donation of the archive to the Library of Congress may have been in part a symbolic act, a recognition of the cultural significance of Twitter. Although several important historical moments had already been captured on Twitter when the announcement was made last year (the first tweet from space, for example, Barack Obama's first tweet as President, or news of Michael Jackson's death), since then our awareness of the significance of the communication channel has certainly grown. That's led to a flood of inquiries to the Library of Congress about how and when researchers will be able to gain access to the Twitter archive. These research requests were perhaps heightened by some of the changes that Twitter has made to its API and firehose access. But creating a Twitter archive is a major undertaking for the Library of Congress, and the process isn't as simple as merely cracking open a file for researchers to peruse. I spoke with Martha Anderson, the head of the library's National Digital Information Infrastructure and Preservation Program (NDIIP), and Leslie Johnston, the manager of the NDIIP's Technical Architecture Initiatives, about the challenges and opportunities of archiving digital data of this kind.


Is Social Networking Destroying Restrictive Covenants? (Roetzel & Andress, 2 June 2011) - A year ago, a lawsuit filed in the U.S. District Court for the District of Minnesota by a staffing firm against a former employee hired by a competitor brought to the forefront the potential pitfalls of social networking sites in the context of restrictive covenants. In that case, TEKsystems, Inc. v. Hammernick, the employer alleged that its former employee violated the noncompete and nonsolicitation covenants in her employment contract by utilizing LinkedIn to connect with her former co-workers and clients. In particular, the employer claimed that the former employee used LinkedIn to connect with a current employee of the staffing firm to see if he was "still looking for opportunities," and to invite him to visit her new office at the rival staffing firm.


Corporate Lawyer Creates Wiki to Share Legal Forms (Robert Ambrogi, 3 June 2011) - A new legal wiki, Standardforms.org, has been launched to provide a free depository of sophisticated legal documents. Notably, the site is not intended to serve as a cache of ready-to-use legal forms. Instead, its founder hopes that the wiki feature - which allows anyone to add and edit forms - will provide a vehicle for lawyers to improve the forms and lead to a consensus of what they should say. Here is how the site's founder describes it: "This wiki is a simulation of what lawyers call "the market". It is a sandbox in which you can draft legal agreements the way you think they should look like. Others can disagree either by further revising the wording or by leaving comments. That same process happens every time a legal agreement is being negotiated. Here it is done in the open - for everyone to see and participate. The goal is to find a consensus of what should and what should not be in legal agreements." The wiki has fewer than 10 forms posted so far. They include a mutual nondisclosure agreement, Series A term sheet, certificate of incorporation, Series A preferred stock purchase agreement, merger agreement and credit agreement. The wiki's developer, Florian Feder, is assistant vice president and counsel at Brown Brothers Harriman. He describes himself as "interested in the art (science?) of contract drafting and in ways of making this process more efficient with the help of new technologies."


LawPivot Expands Reach to Spread Knowledge as a Service (GigaOM, 3 June 2011) - LawPivot, a Google Ventures-funded legal Q&A startup targeting small companies, is broadening its reach by becoming part of partnering with Microsoft's BizSpark program. BizSpark aims to connect startups with technology, investors and other resources to help get their businesses off the ground. Last month, LawPivot expanded beyond its Silicon Valley roots into major metropolitan areas across the country. As LawPivot - which is similar in design to crowdsourcing services such as Quora or LinkedIn Answers but focused on legal advice - continues to grow, it could help lead a movement toward true Knowledge as a Service.


GSA's Apps.gov Offers Info and Links to Free Social Media Applications for Government Agencies (BeSpacific, 4 June 2011) - Via GSA's Apps.gov: "Social media apps make it easier to create and distribute content and discuss the things we care about and help us get the job done. Social media includes various online technology tools that enable people to communicate easily and share information. Social media includes text, audio, video, images, podcasts, and other multimedia communications." This site lists, and links to, 55 free apps in categories including: Analytics and Search Tools, Blogs and microblogs, Bookmarking/Sharing, Display of Multimedia, Data, Maps, Document Sharing on Websites, Idea Generation/General Discussion, In-depth Discussion Tools, Social Networks, Video, Photo, Audio Hosting/Sharing, and Wikis.


Inciting a Revolution: The Investor Spring (NYT, 5 June 2011) - The Arab Spring gave Joseph W. O'Donnell an idea about, of all things, his investments. Mr. O'Donnell, a retired chief executive of the J. Walter Thompson Company, and a man who picks his own stocks, figured that if Twitter, Facebook and other social media could help oppressed citizens in Tunisia and Egypt rally for change, they could help disenfranchised individual investors too. You know, the folks who own shares in publicly traded companies but rarely get a say in how those companies are run. Mr. O'Donnell found a group of like-minded people at the InvestorVillage Web site. All of them own shares in the Celgene Corporation, a bio-pharmaceutical company based in Summit, N.J., and all of them have been dismayed by what they see as outsize executive pay at the company, whose stock price has returned little over the last five years. Celgene shares were trading at about $59 on Friday - roughly where they were at the end of 2006. Given that this is a drug stock, there have been many ups and downs over that time, of course. But returns have been slim for shareholders who held on throughout that period. While Celgene's executive pay was relatively stable from 2007 to 2009, last year it ramped up considerably, according to company filings. The top four executives received a total of $24.6 million in 2010, up 30 percent from the amount paid to the four highest-paid executives during the previous year. The company's stock price, by comparison, rose a mere 5 percent last year. With last year's Dodd-Frank legislation and regulatory rules requiring that companies put their pay practices to an advisory vote of shareholders at least once every three years, Mr. O'Donnell thought 2011 could be the moment to rally investors on the issue. An Investor Spring, as it were, just in time for Celgene's annual meeting on June 15. Reaching out to fellow holders, Mr. O'Donnell quickly hit pay dirt. 
David Sobek, an associate professor of political science at Louisiana State University, agreed to develop a Web site, www.sobekanalytics.com/celgshareholders, to attract other dissatisfied Celgene investors. To keep the group from being hijacked by gadflies, the organizers specifically asked those interested in joining to refrain from "personally directed or emotional attacks" because they would "detract from the possibility that our concerns will be seriously considered by existing directors and/or institutions." After several months of outreach, Mr. O'Donnell and Mr. Sobek say that they received commitments from investors holding 2.7 million shares. These investors have promised to vote against Celgene's pay practices and all directors up for re-election who have sat on the board's compensation committee. http://www.nytimes.com/2011/06/05/business/05gret.html?scp=2&sq=Celgene&st=cse


- and -

SEC Cans Web Campaign to Buy Beer Company (AP, 9 June 2011) - It seemed like an innovative way to buy a beer company: Start an online campaign to purchase the iconic Pabst Brewing Co. and sell shares on Facebook and Twitter to cover the $300 million cost. Michael Migliozzi II and Brian William Flatow found 5 million people who said they would invest a total of $200 million. But the federal government halted the venture after it informed the two men of one major oversight - they neglected to register the public offering with the Securities and Exchange Commission, a violation of federal law. The SEC said Wednesday that it reached a settlement with the two advertising executives. The men, who never collected any money, agreed to stop selling shares to the public. The case spotlights a growing challenge for regulators, who must patrol business online ventures and ferret out scams disguised as stock offerings. The SEC has an entire enforcement unit devoted to Internet surveillance with a staff of more than 200 people. The CyberForce has flagged numerous instances of unregistered securities sales online. But Scott Friestad, an associate director in the SEC's enforcement division, called the beer campaign "fairly new." He said he couldn't recall another instance of someone selling shares online to buy an existing company.


Crime to Post Images That Cause "Emotional Distress" "Without Legitimate Purpose" (Volokh Conspiracy, 6 June 2011) - Friday, a new Tennessee law was changed to provide (new material italicized):

(a) A person commits an offense who intentionally:

(4) Communicates with another person or transmits or displays an image in a manner in which there is a reasonable expectation that the image will be viewed by the victim by [by telephone, in writing or by electronic communication] without legitimate purpose:

(A) (i) With the malicious intent to frighten, intimidate or cause emotional distress; or

(ii) In a manner the defendant knows, or reasonably should know, would frighten, intimidate or cause emotional distress to a similarly situated person of reasonable sensibilities; and

(B) As the result of the communication, the person is frightened, intimidated or emotionally distressed.

So the law now applies not just to one-to-one communication, but to people's posting images on their own Facebook pages, on their Web sites, and in other places if (1) they are acting "without legitimate purpose," (2) they cause emotional distress, and (3) they intend to cause emotional distress or know or reasonably should know that their action will cause emotional distress to a similarly situated person of reasonable sensibilities. So,

· If you're posting a picture of someone in an embarrassing situation - not at all limited to, say, sexually themed pictures or illegally taken pictures - you're likely a criminal unless the prosecutor, judge, or jury concludes that you had a "legitimate purpose."

· Likewise, if you post an image intended to distress some religious, political, ethnic, racial, etc. group, you too can be sent to jail if a government decisionmaker thinks your purpose wasn't "legitimate." Nothing in the law requires that the picture be of the "victim," only that it be distressing to the "victim."

· The same is true even if you didn't intend to distress those people, but reasonably should have known that the material - say, pictures of Mohammed, or blasphemous jokes about Jesus Christ, or harsh cartoon insults of some political group - would "cause emotional distress to a similarly situated person of reasonable sensibilities."

· And of course the same would apply if a newspaper or TV station posts embarrassing pictures or blasphemous images on its site.

Pretty clearly unconstitutional, it seems to me.


A New Way To Transfer Copyright Via Shrink Wrap License Agreements (Media Law Prof Blog, 7 June 2011) - Andrew P. Connors has published Dissecting Electronic Arts' Spore: An Analysis of the Illicit Transfer of Copyright Ownership of User-Generated Content in Computer Software at 4 Liberty University Law Review 405 (2010). Here is the abstract: "This Note addresses the legality of a new kind of "shrink-wrap" End User License Agreement (EULA) contained within a computer software installation that purports to transfer copyright in works created with the software from the user of the software to the manufacturer of the software. This Note analyzes the enforceability of this type of contract in the context of Electronic Arts' much-lauded computer game, Spore. Rather than a conventional game that relies on in-house graphic designers and animators for its content, Spore relies on the collective creativity of its millions of users to make most of the content in the game. By way of a built-in three dimensional modeler, users create advanced three-dimensional objects, including virtual organisms, buildings, vehicles, and spaceships, which are uploaded to a central server and distributed to all game users. Subsequently, the individual users download copies of these uploaded objects on their local machines automatically. Hence, the users interact with content created by other users, rather than the graphic designers and animators employed by the computer game manufacturer. Because case law supports the enforcement of this kind of "shrink-wrap" license, this unique EULA represents a novel threat to the intellectual property interests of authors of creative works. 
Hence, this Note argues that Congress should amend Title 17, Chapter 2 of the United States Code in order to preclude the enforcement of this type of contract, to the extent that it misappropriates the legitimate intellectual property interests of authors of creative works and subverts the policy underlying federal copyright protection."


An Amazing Visualization Of The U.S. Labor Market Over The Past 150 Years (Business Insider, 7 June 2011) - In 1850 nearly half of Americans worked on a farm. Today that share is less than two percent. Technological and economic development have led to a massive decrease in farmers and laborers. At the same time the service sector has surged, with vast increases in office jobs. The following charts from the UC Berkeley Visualization Labs show every occupation's share of the labor force over time, with male workers in blue and female in red. You can see an interactive chart here or click on to see close-ups of the biggest labor shifts.


Copyright and Fictional Characters (Media Law Prof Blog, 7 June 2011) - Tabrez Ahmad and Debmita Mondal, both of KIIT University Law School, have published The Conflicting Interests in Copyrightability of Fictional Characters . Here is the abstract: "The commercial and popular appeal of fictional characters far surpasses the characters' role within the original work, and so it is important to ensure that the characters' creators are fairly and uniformly protected from unauthorized exploitation of their creations. This paper is based on the intellectual property law protection that could be granted to graphic and fictional characters that are part of our daily lives. Although fictional characters have become an increasingly pervasive part of the world today, they still do not enjoy well-defined legal protection against infringement. The judgments of various courts have been dealt with in detail to determine the attitude of the courts with regard to this kind of protection. An attempt has been made to find out how distinctly delineated must the story be told from a fictional character to avoid copyright violation. The courts have not been hesitant to develop various tests over the ages to determine whether a character is well delineated or not. So such tests have been vividly dealt in this paper and their sources have been stressed back to respective cases. If the character is found to be extremely well-developed, unique and has a personality different from other characters, only then is a copyright protection granted to such a fictional character. 

The paper has been broadly divided into three sections: Part 1 - Dealing with the concept of fictional characters, their components and types, Part 2 - The concepts copyrightability of characters and infringement of such copyright referring to the relevant cases, Part 3 - A comparative study between alternative protection available under other IP regimes and copyright law, Part 4 - the Indian scenario, and finally, the conclusion. Thus, this article tends to explore the availability and weaknesses of copyright law and alternative doctrines in protecting fictional characters, and briefly examines the argument for establishing a separate legal category specifically for fictional characters."


E-Mail Accounts, The Warrant Requirement, and the Territorial Limits of Court Orders (Volokh Conspiracy, 7 June 2011) - My friend Jennifer Granick points me to an interesting new case, Hubbard v. Myspace (S.D.N.Y. June 1, 2011), that touches on a fascinating Fourth Amendment question: What are the territorial limits of search warrants for Fourth Amendment purposes? To be clear, the Hubbard case itself involved a statutory challenge, not a constitutional one. The plaintiff sued MySpace for complying in California with a state warrant issued in Georgia that was faxed to MySpace in California on the ground that the Stored Communications Act, 18 U.S.C. 2703, did not allow MySpace to comply with the out-of-state warrant. As a statutory claim, the argument was pretty clearly incorrect. But at the end of his opinion (p.11) Judge Kaplan touches on a really interesting issue: What about the Fourth Amendment? Specifically, the interesting issue is this: If the Fourth Amendment imposes a warrant requirement on government access to an e-mail account, which I think it does and the Sixth Circuit has expressly so held, is the warrant requirement satisfied by an out-of-state warrant from a jurisdiction far away with no authority to actually compel compliance with the warrant? Or is the warrant requirement only satisfied by a warrant issued locally, or at least in the same state or federal district? This issue generally doesn't come up in traditional physical investigations because the police will get a local warrant to physically search a local location, and arrests generally don't require warrants. But warrants for e-mail accounts are unusual: The police obtain the warrant and fax it to the ISP, and the Stored Communications Act contemplates out of state warrants. ISPs usually don't have to comply with out of state warrants, as they are out of state and not binding on them: But the question I'm interested in here is, does the out of state warrant satisfy the warrant requirement? 
I would think the best answer is that the warrant requirement does not have a territorial limit: For Fourth Amendment purposes, the warrant requirement is satisfied so long as a neutral and detached magistrate somewhere has found probable cause, established particularity, and signed the warrant authorizing the disclosure. I think that for a few reasons. First, the Eighth Circuit has expressly approved of the constitutionality of an out-of-state e-mail warrant in one case, United States v. Bach , which involved a Minnesota state warrant for an e-mail account that was faxed to Yahoo in California. Although Bach did not discuss the extraterritorial nature of the warrant, the approval of the facts of that case hints that the extraterritorial nature of the warrant doesn't matter. Second, I think the territorial limits of courts to issue warrants is at least arguably the kind of statutory limit on state power that the Supreme Court has said is irrelevant to Fourth Amendment reasonableness in Virginia v. Moore, 128 S.Ct. 1598 (2008). Third, cases from the wiretapping context have held that judges in one district can authorize intercepts in other districts. See, e.g., United States v. Ramirez, 112 F.3d 849 (7th Cir. 1997) (Posner, J.)


National Archives hires 1st 'Wikipedian in Residence' (Archivalia, 7 June 2011) - "The National Archives has appointed its first "Wikipedian in Residence" to help connect with the Wikipedia community. The Archives announced Wednesday that Dominic McDevitt-Parks was hired to help shape the Internet's leading online encyclopedia. He is a graduate student in history and archives management at Simmons College in Boston. The paid summer intern position is based at the Archives II facility in College Park, Md. The Archives says McDevitt-Parks has more than seven years of Wikipedia editing experience. His job will be to foster collaboration between the Wikipedia community and the National Archives. That could include using some of Wikipedia's tools for ongoing digitization projects at the archives.


How Facebook Can Put Google Out Of Business (Business Insider, 8 June 2011) - I was surprised to hear former Google CEO Eric Schmidt publicly lament lost opportunities and missed chances to catch Facebook the other day. I used to envy Google and the vast digital empire that Schmidt commanded. Google had one of the most intricate monopolies of all time. It had the most impressive dataset the world had ever seen; the most sophisticated algorithm to make sense of it; an audience of a billion users expressing their interest; and more than a million advertisers bidding furiously to reach those consumers at just the right moment. I used to think that Google was unstoppable. Until I realized one very important thing: Despite the fact that Google goes to great lengths to keep its index fresh by indexing pages that often change every hour, or even every few minutes, and despite its efforts at realtime search (including searching the Twitter firehose), its dominant dataset is dead, while the Web is-each day more so than the last-vibrantly and energetically alive. Facebook's data allows it to do more than just guess what its customers might be interested in; the company's data can help it know with greater certainty what its customers are really interested in. And this key difference could potentially give Facebook a tremendous advantage in search when it eventually decides to move in that direction. If Google's business has been built on choosing which Web pages, out of all those in the universe, are most likely to appeal to any given (but anonymous) query string, think about this: Facebook already knows, for the most part, which pages appeal to whom-specifically and directly. And, even more powerfully, Facebook knows each of our individual and collective behavior patterns well enough to predict what we'll like even without us expressing our intent. 
Think of it: Facebook can apply science that is analogous to what Amazon uses to massively increase purchase likelihood by suggesting and responding to every minute interactive cue. Whereas Amazon relies on aggregate behavior, Facebook adds in the intimate patterns of each individual-along with their friends and the behavioral peers they've never met all around the world. And each of them is logged in and identified as a real person.


Buying Personal Names for Keyword Ads Isn't a Publicity Rights Violation (Eric Goldman, 9 June 2011) - A Wisconsin court has said that a keyword advertiser didn't violate publicity rights by buying a person's name for keyword advertising. Although the propriety of keyword advertising on a third party trademark has been hotly contested since at least 2004, I believe this is the first ruling addressing the publicity rights issue. The legal novelty of the ruling makes it an important early precedent, but the opinion is not especially persuasive. To me, the judge seemed overwhelmed by both the challenging legal doctrines and technology at issue in this case. In response, the judge issued one of the most citation-free opinions of its length that I have ever seen. This is not a scholarly opinion, and that makes it less likely to influence other courts. It also means that an appellate court will likely give this opinion relatively low deference. The fact that the court dismissed the lawsuit is, on its face, good news for both search engines and advertisers. However, I thought the judge's arguments were questionable and, at least at one crucial juncture, internally inconsistent. The ruling turned on a specific word in the Wisconsin publicity rights statute, and courts applying other statutes can easily distinguish this opinion if they want to rule for the plaintiffs. Therefore, this ruling could morph from a defense win into a plaintiff's friend depending on how future courts rely on and interpret it. Habush v. Cannon, 09-CV-18149 (Wis. Cir. Ct. June 8, 2011). The June 2010 denial of the motion to dismiss. A good overview article from when the complaint was filed.


- and -

Trademark Owner Sues Over Alleged Twittersquatting (Eric Goldman, 9 June 2011) - The last big tussle over twittersquatting, and infringement through use of a trademark or name in a twitter handle was between Tony La Russa and the person who operated a fake account in La Russa's name. La Russa sued Twitter but his lawsuit ended in a whimper, when he dropped the complaint. A couple of days ago, Coventry First, "a leading company in the life settlement industry" brought suit against unnamed defendants over the @coventryfirst twitter account. It has not named Twitter and looks like it's going after the person(s) behind the account. You can access a copy of the complaint here , and Exhibit A, which contains a screenshot of the account here . You don't see many lawsuits of this nature so this one surprised me. The part that shocked me is that the twitter account was recently established and had 14 tweets and 5 followers at the time the complaint was filed (and now has 3 followers). The account has minimal activity and likely no effect whatsoever on Coventry First's business and affairs. It probably comes up when you do a search for "Coventry First," but it doesn't look like it's garnered much interest. There's also no indication from the complaint that Coventry First tried to utilize Twitter's complaint mechanism or otherwise brought up any issues it had with the person who runs the @coventryfirst Twitter account. Coventry First's complaint suffers from many of the failings as La Russa's or any other complaint against a squatter or infringer on Twitter--there is no indication that the allegedly infringing Twitter account is being used for any commercial purpose. @coventryfirst is not selling or promoting any products or services. It's tough to see how this can amount to trademark infringement or unfair competition under the Lanham Act. In addition to trademark claims, Coventry First also asserts a claim for unjust enrichment. 
It's entirely unclear how anything @coventryfirst does amounts to unjust enrichment. Twitter accounts aren't exactly moneymakers on their own, and if anything, the person behind @coventryfirst has spent a few hours setting up the account and has generated zero dollars from it. Coventry First, LLC v. Does , 11-cv-03700-JS (complaint filed June 7, 2011)


Regulators Pressure Banks After Citi Data Breach (Reuters, 9 June 2011) - Major U.S. banks came under growing pressure from banking regulators to improve the security of customer accounts after Citigroup Inc became the latest high-profile victim of a cyber attack. While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution, and said it could prompt an overhaul of the banking industry's data security measures. The Federal Deposit Insurance Corp, the nation's primary regulator, is preparing new measures on data security. Its chairman Sheila Bair said on Thursday she may ask "some banks to strengthen their authentication when a customer logs onto online accounts."

- and -

Senators Ask SEC for Guidance on Information Security Risk Disclosure (CorporateCounsel.net, 9 June 2011; guest blog courtesy of Jim Brashear, General Counsel, Zix Corporation) - The news media recently have reported many high-profile breaches of corporate data security. These incidents should prompt securities lawyers to focus on the potential materiality of public companies' risks concerning data security, data privacy and data breaches and the necessary disclosures when those risks are material. Why are data breaches potentially material? As the Inside Investor Relations blog points out, "hackers can bring down your networks - and your stock price." A data breach can remove a competitive advantage, through the loss of proprietary information. A data breach can seriously impair a company's brand and reputation. If consumers or business partners lose confidence in the ability of a company to protect information, they may move their data and business elsewhere. In a May 11th letter to SEC Chair Mary Schapiro, five Democrat members of the Senate Committee on Commerce, Science & Transportation asked the SEC to "issue guidance regarding disclosure of information security risk, including material network breaches." The letter opines that "Federal securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share." [Original emphasis] The letter cites a 2009 survey by Hiscox which concluded that 38% of Fortune 500 companies made a "significant oversight" by not mentioning privacy or data security exposures in their public filings. The letter criticizes the lack of disclosure about steps being taken by companies to reduce those risk exposures. 
One might expect the SEC Staff to be particularly sensitive to the adverse impacts of a data breach that exposes consumers' personal information. After all, the SEC's own employees were recently affected by a data breach when the Department of the Interior's National Business Center sent out SEC employees' social security numbers and other payroll information in unencrypted emails. In light of the potential materiality of these issues, forward-thinking securities counsel have already been advising clients about the need to include in their public disclosure discussions about material data security, privacy and data breach risks. See, for example, the client advisory by Sullivan & Worcester, which provides several examples of SEC rules applicable to data security, privacy and data breach risk disclosure. We expect that more firms will begin advising public company clients to focus on the potential materiality of their risks concerning data security, data privacy and data breaches and to craft necessary disclosures when those risks are material. [Editor: see MIRLN 14.03 , where we reported that Baker Hughes decided a successful attack on their systems wasn't "material"; and MIRLN podcast 14.04 where I talked about this disclosure/governance issue.]

- and -

IMF Reports Cyberattack Led to 'Very Major Breach' (NYT, 11 June 2011) - The International Monetary Fund, still struggling to find a new leader after the arrest of its managing director last month in New York, was hit recently by what computer experts describe as a large and sophisticated cyberattack whose dimensions are still unknown. The fund, which manages financial crises around the world and is the repository of highly confidential information about the fiscal condition of many nations, told its staff and its board of directors about the attack on Wednesday. But it did not make a public announcement. Several senior officials with knowledge of the attack said it was both sophisticated and serious. "This was a very major breach," said one official, who said that it had occurred over the last several months. Because the fund has been at the center of economic bailout programs for Portugal, Greece and Ireland - and possesses sensitive data on other countries that may be on the brink of crisis - its database contains potentially market-moving information. It also includes communications with national leaders as they negotiate, often behind the scenes, on the terms of international bailouts. Those agreements are, in the words of one fund official, "political dynamite in many countries." It was unclear what information the attackers were able to access. The concern about the attack was so significant that the World Bank, an international agency focused on economic development, whose headquarters is across the street from the I.M.F. in downtown Washington, cut the computer link that allows the two institutions to share information.

- and -

Ensuring the Supply Chain is Cost-Friendly -- and Protected (SC Magazine, 13 June 2011) - According to a survey conducted by Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS) in association with McAfee, as much as $1 trillion of intellectual property is stolen by cybercriminals each year. Is this figure not enough to suggest that an out-of-sight, out-of-mind placement of security in favor of cost-cutting could actually prove to be more costly for the automotive industry in the long run? The automotive industry relies heavily on its secure and reliable communications for key business operations, such as supply chain management via electronic data interchange (EDI), computer aided design (CAD), computer aided engineering (CAE), and product data management (PDM). One could say that the systems and data that enable these communications are the lifeblood of the automotive supply chain, potentially even the automotive industry. However, as the industry struggles to operate more efficiently with fewer expenses, these collaboration and document exchange services become a very large and natural target for cutting costs. In an attempt to formally find ways to cut costs associated with the enablement of these services, the Automotive Industry Action Group (AIAG) established a committee in the latter part of 2010 that is designed to bring together a number of global industry representatives with the goal of identifying cost-effective alternatives to dedicated private collaboration networks. This committee recently met with other global industry representatives during the recent "Collaborative Supply Chain Data Network Connectivity" event held in Southfield, Mich. It should come as no surprise that the topic of cost-cutting ran hot through most of the sessions and conversations during the event. 
Unfortunately, it appeared that the main discussion point of savings and the associated discussions surrounding the adoption of new technologies as a way to reduce costs have pushed the topics of security and reliability to the side. As described by McAfee in its 2011 report , "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency," the globalization and commoditization of IT have driven businesses to store increasing amounts of precious corporate data in the cloud. As this shift has taken place, cybercriminals have discovered new ways to target this precious data, both from inside and outside the organization. More pointedly, in 2010 alone, the U.S. Secret Service handled cybercrime violations totaling over $500 million in actual fraud loss.

Two-Hundred Year Old Document Declassified (Lawfare, 9 June 2011) - No, it's not a Mel Brooks-Carl Reiner routine. It's a story over at Secrecy News , where Steve Aftergood reports: "The National Security Agency announced yesterday that it has declassified a report that is over two hundred years old. The newly declassified report, entitled "Cryptology: Instruction Book on the Art of Secret Writing," dates from 1809. It is part of a collection of 50,000 pages of historic records that have just been declassified by NSA and transferred to the National Archives. The NSA said the new release demonstrated its "commitment to meeting the requirements" of President Obama's January 2009 Memorandum on Transparency and Open Government. The bulk of the newly released documents are from World War II and the early post-War era. (NSA itself was established in 1952.) A list of titles released to the National Archives is here . Last April, the Central Intelligence Agency declassified several documents on the use of "invisible ink" that dated from the World War I era. But those were not even a century old." You can't make this stuff up.

Do Police Officers Conducting a Search Have Fourth Amendment Rights Not To Be Secretly Taped by Government? (Volokh Conspiracy, 10 June 2011) - No, says the district court in United States v. Wells, 2011 WL 2259748 (N.D. Okla. May 12, just posted on Westlaw). Here's the situation: A Tulsa police officer is being investigated for supposedly stealing money and drugs. The FBI sets up a sting, in which an undercover officer plays a drug dealer. The officer and his colleagues show up to the motel room where the sting is happening, arrest the undercover officer, take him outside, get his consent to search the room, and then search it. In the meantime, they are videotaped and audiotaped searching the room. Their lawyers seek to exclude the videotapes, because the videotapes supposedly violated the officers' Fourth Amendment rights. The court doesn't buy it. Even though guests sometimes have Fourth Amendment rights to be presumptively free of surveillance when they're staying at a friend's home - or in a motel - these weren't ordinary guests.

Coming To A Bar Near You: Facial Recognition & Real-Time Data (ReadWriteWeb, 10 June 2011) - Facial recognition and detection software is a hot button issue on the Web right now. Facebook has stirred a hornet's nest by using facial recognition with users' pictures, asking people to tag their friends. Google has said that is a line of creepy it will not cross. Facial detection software is not just limited to the Web though. A new startup in Chicago called SceneTap uses facial detection and people-counting cameras to scope out your local bar to tell you "what is going on." What is the male-to-female ratio at your favorite club? Who is buying drinks? SceneTap cameras see it all and provide the data to users and bar owners. Seem a little creepy? Maybe not as much as you might think. SceneTap's stated goal is to give real-time information into your local bar scene. As such, it is a location-based service that gives you information, deals and social media connections, location information and more. It is kind of like Yelp plus Foursquare plus Groupon with Facebook and Twitter integration, operating in real-time. According to founder and CEO Cole Harper, the footage collected by SceneTap is not meant to be looked at by anyone. There is a demarcation between "facial detection" and "facial recognition" that SceneTap says it does not cross. The way it works is that there is a camera facing the door of the bar. A person comes in and the camera creates a box around the face, analyzing the eyes, nose and facial structure. It takes that data and scans it through a database to find the most similar type of match. Are you a 25-year-old female? That is what the SceneTap camera is trying to find out. The cameras are not monitored by people and information is not stored. Bar owners do not have access to the feeds as the stream is encrypted from the backend. SceneTap does technically have access to the visual feed but Harper says that it would only be used for maintenance.

Social Media Join Toolkit for Hunters of Disease (NYT, 13 June 2011) - On a chilly February night in Los Angeles, attendees at the DomainFest Global Conference crushed together in a tent at the Playboy Mansion for cocktails and dancing. Two days later, Nico Zeifang, a 28-year-old Internet entrepreneur from Germany, woke up with chest pains, chills and a soaring fever. Four colleagues shared his symptoms, Mr. Zeifang soon learned. So he did what any young techie would: He logged on to Facebook and posted a status update. "Domainerflu count," it said. "Who else caught the disease at D.F.G.?" Within hours, 24 conference attendees from around the world added themselves to Mr. Zeifang's Facebook list; within a week, the number climbed to 80. Many of them "friended" him to get information and to compare notes on their fevers and phlegmy coughs. Almost everyone, it seemed, had a theory about the source of the infection. Many suspected the artificial fog that permeated the tent. Los Angeles County health authorities and the federal Centers for Disease Control and Prevention stepped in to investigate a few days later. By that time, victims from across the globe already had arrived at their own diagnosis - legionellosis - and had posted their own Wikipedia entry on the outbreak. The C.D.C. officer assigned to the Los Angeles case did not show up at Mr. Zeifang's doorstep with a black bag. Instead, she joined his Facebook page, read up on everyone's symptoms, recommended certain diagnostic tests and referred the victims to the agency's online questionnaire.

Iceland Crowdsources Its Constitution (Mashable, 13 June 2011) - As it drafts the country's new governing document, Iceland's Constitutional Council is turning to social media sites to make the process transparent and to collect input from the public. The council has made a draft of the document available online and is accepting recommendations for amending it. "It is possible to register through other means, but most of the discussion takes place via Facebook," Berghildur Bernhardsdottir, a spokeswoman for the constitutional review project, told the Associated Press. Recommendations need to be approved by local staff before being passed on to the council and posted online for discussion, but suggestions then approved by the council are added to the draft of the document. Suggestions from the public that have been added thus far include livestock protection and a clause that specifies who owns the country's natural resources (the nation), according to the AP.

New York's Highest Court Interprets 47 U.S.C. § 230 Broadly (Volokh Conspiracy, 14 June 2011) - The case is Shiamili v. The Real Estate Group of New York, Inc. , decided today. Defendants, who are apparently real estate brokers, ran a blog. Several people posted pseudonymous comments critical of Shiamili, another real estate broker. Defendants left those comments up, and even reposted one of the comments as a separate post, with a heading and an illustration provided by defendants. Shiamili sued the defendants. The court held that the defendants were protected by 47 U.S.C. § 230 , which generally immunizes Internet content providers from being held liable for posts by other service providers. And the court held this even though the defendants deliberately reproduced one of the comments in a separate post: The defendants did not become "content providers" by virtue of moving one of the comments to its own post. Reposting content created and initially posted by a third party is well-within "a publisher's traditional editorial functions" (Zeran, 129 F3d at 330). Indeed, this case is analogous to others in which service providers have been protected by section 230 after reposting or otherwise disseminating false information supplied by a third party. To cite only a few examples, in Ben Ezra, Weinstein, and Co., Inc. v Am. Online Inc. (206 F3d 980 [10th Cir 2000]) the defendant service provider would publish updated securities information supplied by third parties and derived from a variety of stock exchanges and markets. Plaintiff sued the provider for publishing inaccurate information concerning the price and share volume of plaintiff's stock. The Tenth Circuit found that the inaccurate information was "created" by third parties, and the web provider was not "responsible, in whole or in part, for [its] creation and development" (id. at 986). The Ninth Circuit reached the same result in Batzel (333 F3d at 1018), cited with approval in Roommates.com (521 F3d at 1170). 
There, the editor of an email newsletter received a tip and incorporated it into the newsletter, adding a headnote. The tip proved false, but the Ninth Circuit found that section 230 protected the editor from being sued for libel because he had been "merely editing portions of an e mail and selecting material for publication" (Batzel, 333 F3d at 1031). Similarly, in DiMeo (248 Fed Appx at 281) - a case quite like this one - the plaintiff sued for defamation based on comments left by anonymous users on defendant's website, where defendant could "select which posts to publish and edit[ed] their content" (DiMeo v Max, 433 F Supp 2d 523, 530 [ED Pa 2006]). The Third Circuit found that "the website posts ... constitute information furnished by third party information content providers" (248 Fed Appx at 282). The judges agreed that 47 U.S.C. § 230 didn't immunize defendants for "the heading, sub-heading, and illustration that accompanied the reposting" - they themselves created that material. But the judges split 4-3 on whether those particular items were defamatory; the majority say they weren't, and the dissenters said they were.

Major Internet Service Providers Cooperating with NSA on Monitoring Traffic (Washington Post, 16 June 2011) - Three of the nation's largest Internet service providers are cooperating with a new National Security Agency program to sift through the traffic of major defense contractors with the goal of blocking cyberattacks by foreign adversaries, senior defense and industry officials say. The novel program, which began last month on a voluntary, trial basis, relies on sophisticated NSA data sets to identify malicious programs slipped into the vast stream of Internet data flowing to the nation's largest defense firms. Such attacks, including one last month against Bethesda-based Lockheed Martin, are nearly constant as rival nations and terrorist groups seek access to U.S. military secrets. "We hope the . . . cyberpilot can be the beginning of something bigger," Deputy Defense Secretary William J. Lynn III said at a global security conference in Paris on Thursday. "It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security." The prospect of an NSA role in the monitoring of Internet traffic already had raised concerns among privacy activists, and Lynn's suggestion that the program might be extended beyond the work of defense contractors threatened to raise the stakes further. [Editor: I find this very ominous; the cure will be worse than the disease.]

RESOURCES

Three-Volume History of Counterintelligence (Bruce Schneier, 1 June 2011) - CI Reader: An American Revolution Into the New Millennium , Volumes I , II , and III is published by the U.S. Office of the National Counterintelligence Executive.

LOOKING BACK

BIG STINK OVER A SIMPLE LINK (Wired, 6 Dec. 2001) -- KPMG, an international services firm, prides itself on its "e-business" savvy, and it charges companies boatloads to improve their "new economy" businesses. But this week several website owners were wondering whether KPMG's Internet acumen was really worth anything at all, as it announced a policy that seemed to breach the most basic freedom on the Web -- the freedom to link to any site you want to. In a letter to a consultant in Britain who runs a personal website that has not been especially nice to KPMG, the company said it had discovered a link on his site to www.kpmg.com, and that the website owner, Chris Raettig, should "please be aware such links require that a formal Agreement exist between our two parties, as mandated by our organization's Web Link Policy." http://www.wired.com/news/business/0,1367,48874,00.html

PAY UP--AND WHILE YOU'RE AT IT, SHUT UP: What is the future of copyright online? Let's hope it's not as simple as reading the writing on the iCopyright contract. Under a rights agreement drafted by iCopyright.com, the Albuquerque Journal has begun to charge website operators $50 per link to one of its articles. In addition to forking over the cash, the terms of the agreement require that the linker agree not to say anything "derogatory" about the article itself, "the author, the publication that contains the article, or anyone depicted in the content." Fortunately, the Albuquerque Journal's demand for payment--and no back talk--is likely to add up only to wishful thinking. "It's far from clear that they could take any legal action against someone who chose to link freely," says Wendy Seltzer, a Harvard/Berkman Center fellow. "Publishers will have more leverage using technology than the law--for example, by offering stable URLs or convenient displays only to those who pay the desired fee." http://www.wired.com/news/business/0,1367,40850,00.html

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

2 comments:

Rob Pettengill said...

Re: Catch me if you can - Very interesting to see this in real life. It struck me back when I first started thinking about security and search that it is a security breach accelerator. It is possible to identify the presence of restricted documents with specific information by using carefully crafted full text search queries. This sounds like a very similar exploit.
Search engine results need to enforce the same access/inclusion and reporting policies as access to the documents themselves. Proactive auditing of search queries is also a good idea. Not exposing document titles or content summaries is not enough - any indication of a search match is enough.
