Saturday, July 30, 2011

MIRLN --- 10-30 July (v14.10)

MIRLN --- 10-30 July (v14.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

COMING PROGRAM (ABA Annual meeting): "eAttorney, MiAttorney: How Technology Has Changed Communication and Collaboration With Clients." August 5 from 8:30 a.m. to 10:00 a.m. at the Metro Toronto Convention Center, Room 716B, 700 Level, South Building. Panel: Daniel Schwartz, Michael Downey, Jordan Furlong, Dennis Kennedy.

READER COMMENTS

RE "Catch Me If You Can (Law Tech News, 1 June 2011)" from MIRLN 14.09: "Very interesting to see this in real life. It struck me back when I first started thinking about security and search that it is a security breach accelerator. It is possible to identify the presence of restricted documents with specific information by using carefully crafted full text search queries. This sounds like a very similar exploit. Search engine results need to enforce the same access/inclusion and reporting policies as access to the documents themselves. Proactive auditing of search queries is also a good idea. Not exposing document titles or content summaries is not enough - any indication of a search match is enough." [Rob Pettengill]

Alabama Lawyer Group Sues Legalzoom, Wants Ban In State (Birmingham News, 10 June 2011) - The DeKalb County Bar Association said today it has filed a lawsuit that asks a judge to bar the online forms company LegalZoom.com from doing business in Alabama, saying the Los Angeles-based firm is engaging in the unauthorized practice of law. The suit filed in DeKalb County Circuit Court requests that LegalZoom be permanently prohibited from creating legal documents and related services for Alabama residents. Fort Payne attorney Daniel Campbell, president of county's bar association, said in a statement that LegalZoom's offering of standard legal forms such as wills and incorporation papers that are then customized to the buyer's preference has been prohibited by Alabama law for many years. "Alabama's unauthorized practice of law statutes prohibit anyone who is not a lawyer from advising or counseling another person on legal matters, and from preparing or assisting another person in preparing any document or instrument such as a will or deed in Alabama," the bar association said in a statement.

DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools (FastCompany, 8 July 2011) - A top Department of Homeland Security (DHS) official has admitted on the record that electronics sold in the U.S. are being preloaded with spyware, malware, and security-compromising components by unknown foreign parties. In testimony before the House Oversight and Government Reform Committee, acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R-UT) that both Homeland Security and the White House have been aware of the threat for quite some time. When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that "I am aware of instances where that has happened," after some hesitation. This supply chain security issue essentially means that, somewhere along the line, technology being marketed in the United States was either compromised or purposely designed to enable cyberattacks. Schaffer, who has an extensive background in cybersecurity and communications infrastructure management, did not elaborate on the compromised tech that DHS has encountered. However, he did emphasize that foreign components are found in many American-manufactured devices. As a matter of sheer speculation, it is not hard to imagine computers, portable devices, and components marketed in the United States being purposely infected with malware, spyware, or other forms of security-compromising software by request of either foreign companies or foreign governments. More worryingly, the hearing specifically mentioned hardware components as possibly being compromised--which raises the questions of whether, perhaps, something as innocuous as Flash memory or embedded RFID chips could be used by interested foreign parties.

Nothing Personal: How Database Licenses Make Pirates of Us All (InsideHigherEd, 11 July 2011) - The other day, as I was tracking down the text of a classic article in JSTOR to refer to in a blog post, I was struck by the pop-up box that required me to agree to terms of service before it would let me see the article. I actually read it this time instead of clicking through. It reads: "Your use of the JSTOR archive indicates your acceptance of JSTOR's Terms and Conditions. JSTOR's Terms and Conditions provides, in part, that unless you have obtained prior permission, you may not download an entire issue of a journal or multiple copies of articles, and you may use content in the JSTOR archive only for your personal, non-commercial use." This is standard database license language, though most databases don't thrust it in your face every time you search. I understand discouraging people from downloading massive amounts of articles and doing evil things with them, like posting them online for anyone to read or putting them up on torrent sites. I get it. I wouldn't do that. But even though I had clicked through that annoying pop-up box any number of times, it suddenly struck me as a bit bizarre that in order to see a scholarly article in this paragon of scholarly databases, I have to swear I will do nothing with the material that might be for other than personal, non-commercial use. Does that mean I can't write about that article I looked up in places like this blog? This is, after all, public, and I just swore I would use the article only for personal use. Whoops! My bad. Would it mean I couldn't use JSTOR in research for a book? D'oh! I'm certain I consulted databases when writing a book that earns me a hundred dollars every ten years or so. I should be ashamed of myself. In the past, libraries didn't stop you at the door and demand that you agree to a pledge that you won't in any way profit from your visit or use what you learned when visiting the library for some public purpose. We actually thought - silly us! - that libraries were meant to help you build new things and go public with ideas. (And crazy founders! They actually thought copyright would promote science and the useful arts! But that's another story. We're talking licenses, here.) Libraries don't set policy for the use of materials, now, publishers and vendors do. JSTOR isn't quite as strict as some databases. SciFinder Scholar instructs users to contact the company, er, society and pony up for a different service if they are doing research for a consulting job, and users agree that "I will delete stored records when I no longer need them for the relevant research project, or after the completion of my degree program, whichever occurs first." (Have you purged those citations from EndNote yet? You haven't? Dude.) And then there are those curious restrictions within restrictions; you are not allowed to place a link to a Harvard Business Review article that your library licenses for campus use in a syllabus, for example. The library pays for campus use - but not that kind of campus use. For that, you pay extra. Clicking through that little notice is as routine as being instructed every time we fly how to fasten a seat belt. (Seriously: how likely will we pay attention to safety features of an airplane when the instructions start out with "insert the metal tab into the buckle"?) It's no more likely to lead to reflection than that FBI warning on every video that details the years in jail and fines you might incur. (Five years, to be precise, and $250,000. You should know that by now. You've seen it a million times.) We agree to absurd terms of service all the time and swear we read through agreements that we haven't. It's part of modern life. But still: personal use? What does that even mean in a scholarly context?

How Digital Detectives Deciphered Stuxnet (Wired, 11 July 2011) - It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the "clean" cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings. Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month. [W]hen the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran's enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate - later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months. The question was, why? [Editor: Bruce Schneier liked this story, too. It reads like a Neal Stephenson novel.]

DOJ: We Can Force You to Decrypt that Laptop (CNET, 11 July 2011) - The Colorado prosecution of a woman accused of a mortgage scam will test whether the government can punish you for refusing to disclose your encryption passphrase. The Obama administration has asked a federal judge to order the defendant, Ramona Fricosu, to decrypt an encrypted laptop that police found in her bedroom during a raid of her home. Because Fricosu has opposed the proposal, this could turn into a precedent-setting case. No U.S. appeals court appears to have ruled on whether such an order would be legal or not under the U.S. Constitution's Fifth Amendment, which broadly protects Americans' right to remain silent. In a brief filed last Friday, Fricosu's Colorado Springs-based attorney, Philip Dubois, said defendants can't be constitutionally obligated to help the government interpret their files. "If agents execute a search warrant and find, say, a diary handwritten in code, could the target be compelled to decode, i.e., decrypt, the diary?" To the U.S. Justice Department, though, the requested court order represents a simple extension of prosecutors' long-standing ability to assemble information that could become evidence during a trial. The department claims: "Public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these. Failing to compel Ms. Fricosu amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible." Prosecutors stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form." In an amicus brief (PDF) filed on Friday, the San Francisco-based Electronic Frontier Foundation argues that the Justice Department's request be rejected because of Fricosu's Fifth Amendment rights. The Fifth Amendment says that "no person...shall be compelled in any criminal case to be a witness against himself." [Editor: I seem to recall reading one of these law review articles, which essentially concluded that if you'd never written down your passphrase (but it existed only in your memory), then you couldn't be compelled to decrypt the files. For key files, I've followed that practice.]

A New U.S. Law-Enforcement Tool: Facebook Searches (Reuters, 12 July 2011) - U.S. law-enforcement agencies are increasingly obtaining warrants to search Facebook, often gaining detailed access to users' accounts without their knowledge. A Reuters review of the Westlaw legal database shows that since 2008, federal judges have authorized at least two dozen warrants to search individuals' Facebook accounts. Many of the warrants requested a laundry list of personal data such as messages, status updates, links to videos and photographs, calendars of future and past events, "Wall postings" and "rejected Friend requests." Federal agencies seeking the warrants include the FBI, DEA and ICE, and the investigations range from arson to rape to terrorism. The Facebook search warrants typically demand a user's "Neoprint" and "Photoprint" -- terms that Facebook has used to describe a detailed package of profile and photo information that is not even available to users themselves. These terms appear in manuals for law enforcement agencies on how to request data from Facebook. The manuals, posted on various public-advocacy websites, appear to have been prepared by Facebook, although a spokesman for the company declined to confirm their authenticity. None of the warrants discovered in the review have been challenged on the grounds that it violated a person's Fourth Amendment protection against unlawful search and seizure, according to a review of the cases. Some constitutional-law experts said the Facebook searches may not have been challenged because the defendants - not to mention their "friends" or others whose pages might have been viewed as part of an investigation -- never knew about them. By law, neither Facebook nor the government is obliged to inform a user when an account is subject to a search by law enforcement, though prosecutors are required to disclose material evidence to a defendant. Twitter and several other social-media sites have formally adopted a policy to notify users when law enforcement asks to search their profile.

Secret Service Descends on Artist For Mildly Creepy Public Photography (TechDirt, 12 July 2011) - So this is one of those interesting scenarios that really tests the boundary between what people find to be socially unacceptable behavior versus what is actually illegal under current law. Artist Kyle McDonald put a strange art project into practice when he installed what amounts to surveillance software on the public computers at an Apple store and used the images collected to create a presentation that he hoped would give us, by the facial expressions captured, insight into our relationship with the computers we use. An interesting project that borders on creepy. But is it illegal? Apparently, the Secret Service is now involved: "On three days in June, McDonald's program documented people staring at computers in Apple stores. Since the stores wiped their computers every night, he had to go back in and reinstall the program each day he took photos. He uploaded a collection of the photos to a Tumblr blog, and last Sunday he set up 'an exhibition' at the Apple stores. During the unauthorized event at the Apple stores on West 14th Street and in Soho, when people looked at an Apple store machine, they saw a picture of themselves. Then they saw photos of other people staring at computers. Amazingly, nobody made a fuss. [...] Over the course of the project, McDonald set up roughly 100 Apple store computers to call his servers every minute. That's a lot of network traffic, and he learned that Apple monitors traffic in its stores when he received a photo from a Cupertino computer of what appeared to be an Apple technician. The technician had apparently traced the traffic to the site McDonald used to upload the program to Apple Store computers; and installed it himself. McDonald figured that Apple had decided the program wasn't a big deal. That was until four Secret Service men in suits woke him up on Thursday morning with a search warrant for computer fraud. They confiscated two computers, an iPod and two flash drives, and told McDonald that Apple would contact him separately." Even more interesting than his project about how people perceive their relationship with their computer might be how people perceive the artist's actions here. Many people seem to be up in arms, and feel quite strongly that his actions were criminal and should be punished. But what crimes did he actually commit? None of the immediately obvious arguments would appear to be viable when you consider the facts of the situation. [Editor: Interesting legal analysis - there's an artist who's done something quite similar, but he blanked-out the key faces of most subjects - but not all. His work is showing in Europe, apparently without legal repercussions.]

Judge Rules "Locker" Site is Not Direct Copyright Infringer (ArsTechnica, 12 July 2011) - A federal judge in Miami has dismissed direct copyright infringement charges against Hotfile, a popular online "locker" service that the major Hollywood studios allege is responsible for massive copyright infringement. But he allowed the case to proceed on charges that Hotfile has induced and profited from the infringing activities of its users. The 9-page opinion, first reported by the Hollywood, Esq. blog, provides early clues about how Judge Adalberto Jordan views the defendants, Hotfile and its alleged owner Anton Titov. The case, which began in February, represents the latest front in the never-ending arms race between Hollywood studios and users seeking free copies of their movies. Hotfile is a "cyberlocker" site. Users upload files they wish to share with others and are rewarded financially if these files prove popular. The studios allege that the overwhelming majority of the files users upload to Hotfile are copyrighted content being distributed without the consent of copyright holders like themselves. Hotfile, for its part, argues that it is providing an ordinary Web-hosting service and is not responsible for content its users choose to upload. Hotfile lacks any interface for browsing or searching the files on the site, allowing it to plausibly deny any knowledge of their contents. The studios allege that Hotfile "relies on third-party pirate link sites to host, organize and promote URL links to Hotfile-hosted infringing content." Hotfile faces two distinct charges: direct and secondary liability. The studios argued that Hotfile is directly liable for the infringing actions of its users because it owns and operates the servers through which the infringing copies were made. It also argues that they are secondarily liable under the inducement theory articulated by the Supreme Court in the 2005 Grokster decision. [Editor: this is important, and implicates Cloud storage services like Dropbox, too. See "Unlicensed: Are Google Music and Amazon Cloud Player Illegal? (ArsTechnica, 4 July 2011)" from MIRLN 14.09.]

Study Finds 12.5% of Companies Violating Own Do-Not-Track Policies (ArsTechnica, 13 July 2011) - The Do Not Track efforts led by self-managed advertising groups aren't going as well as some might hope, with at least eight participating companies continuing to track users across the Web even after they opt out. The finding highlights the weaknesses of an entirely voluntary system: just because the companies say they will do it doesn't necessarily mean that they will. The Network Advertising Initiative (NAI) is one of several self-regulating groups aimed at adopting voluntary codes of conduct when it comes to advertising to users online. Late last year, those groups (including the NAI) announced that they would begin pushing the Advertising Option Icon, an icon that is meant to let users know which sites are participating in behavioral tracking. Users would then be able to easily opt out of any behaviorally targeted advertising if they so choose. Collectively, the groups represent some 5,000 other companies that advertise online, though use of the icon itself is voluntary as long as they offer the opt-out functionality. But how many companies are actually respecting those rules? Stanford's Center for Internet & Society recently examined the tracking behavior of 64 of 75 of NAI's member companies when users turn on the Do Not Track settings or opt out of behavioral ad tracking. Of the 64, the CIS said that 33 companies left their tracking cookies in place after the user opted out. This in itself sounds surprising, but it's not: as part of their agreement with NAI, companies only have to agree to stop offering behaviorally targeted ads to users when users want to opt out. They can continue to keep cookies on your machine, as long as those cookies aren't being used to create specially targeted ads. So what about the rest? Two advertising companies took overt steps to respect the Do Not Track headers sent by browsers like Firefox, Internet Explorer, and Safari, which we just learned is actually a step beyond NAI's baseline requirement. Another 10 companies went even further by stopping the tracking and removing the cookies altogether (and just for interest's sake, it's worth noting that Google falls into this category). That leaves us with the eight companies dwelling in the hall of shame: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street On Demand, and TARGUSinfo AdAdvisor. These guys all specify in their privacy policies that users can opt out of behavioral tracking and advertising, but the CIS researchers found that they all kept some form of unique user information around on the user's computer even after opting out. Most of them removed certain pieces of information while keeping other items, but one (Vibrant Media) simply kept on tracking as if the user had never opted out in the first place.

Senators Ask Spy Chief: Are You Tracking Us Through Our iPhones? (Wired, 14 July 2011) - Two key senators want to know if the leader of the vast U.S. intelligence apparatus believes it's legal for spooks to track where you go through your iPhone. In a letter that Sens. Mark Udall (D-Colorado) and Ron Wyden (D-Oregon) will send later on Thursday, obtained by Danger Room, the senators ask Director of National Intelligence James Clapper, "Do government agencies have the authority to collect the geolocation information of American citizens for intelligence purposes?" Both senators are members of the panel overseeing the 16 intelligence agencies. In May, they sounded warnings that the Obama administration was secretly reinterpreting the Patriot Act to allow a broader amount of domestic surveillance than it had publicly disclosed. "[R]ecent advances in geolocation technology have made it increasingly easy to secretly track the movements and whereabouts of individual Americans on an ongoing, 24/7 basis," they write. "Law enforcement agencies have relied on a variety of different methods to conduct this sort of electronic surveillance, including the acquisition of cell phone mobility data from communications companies as well as the use of tracking devices covertly installed by the law enforcement agencies themselves." Wyden and Udall want "unclassified answers" from Clapper. If Clapper thinks his spies can go after U.S. citizens' geodata, they want the "specific statutory basis" for that collection, along with a description of any "judicial review or approval by particular officials" that might accompany it. They also want to know if Clapper thinks there's any affirmative legal "prohibition" to geodata collection by spies, if the spy chief doesn't think it's legal. The senators note that legislative restrictions on GPS acquisition so far only apply to cops and feds, not spies. "Clearly Congress needs to also understand how intelligence authorities are being interpreted as it begins to consider legislation on this issue," they write. They also remind Clapper that the FISA Amendments Act is set to expire at the end of the year. The letter asks Clapper to disclose if the surveillance dragnet it authorizes includes the communications of "law-abiding Americans," the key objection from civil libertarians to the Act, and if any "significant interpretations of the FISA Amendments Act [are] currently classified."

- and -

The Government Just Admitted For The First Time It Is Using Cell Phone Data To Track Your Location (Business Insider, 26 July 2011) - A group of Senators questioned the general counsel for the National Security Agency Tuesday about whether U.S. intelligence agencies are using cell phone geolocation data to track U.S. citizens without their knowledge. According to The Wall Street Journal, the leader of the National Counterterrorism Center, Matthew Olson, told the Senate Select Committee on Intelligence that: "There are certain circumstances where that authority may exist." The response came after repeated questions by Sen. Ron Wyden (D., Ore) whether the government has authority to "use cell site data to track the location of Americans inside the country." Olson admitted the possibility, said "it's a very complicated question," and told the committee the intelligence community is working on a memo to better answer the question.

How Khan Academy Is Changing the Rules of Education (Wired, 15 July 2011) - "This," says Matthew Carpenter, "is my favorite exercise." I peer over his shoulder at his laptop screen to see the math problem the fifth grader is pondering. It's an inverse trigonometric function: cos⁻¹(1) = ?. Carpenter, a serious-faced 10-year-old wearing a gray T-shirt and an impressive black digital watch, pauses for a second, fidgets, then clicks on "0 degrees." Presto: The computer tells him that he's correct. The software then generates another problem, followed by another, and yet another, until he's nailed 10 in a row in just a few minutes. All told, he's done an insane 642 inverse trig problems. "It took a while for me to get it," he admits sheepishly. Carpenter, who attends Santa Rita Elementary, a public school in Los Altos, California, shouldn't be doing work anywhere near this advanced. In fact, when I visited his class this spring (in a sun-drenched room festooned with a papercraft X-wing fighter and student paintings of trees), the kids were supposed to be learning basic fractions, decimals, and percentages. As his teacher, Kami Thordarson, explains, students don't normally tackle inverse trig until high school, and sometimes not even then. But last November, Thordarson began using Khan Academy in her class. Khan Academy is an educational website that, as its tagline puts it, aims to let anyone "learn almost anything, for free." Students, or anyone interested enough to surf by, can watch some 2,400 videos in which the site's founder, Salman Khan, chattily discusses principles of math, science, and economics (with a smattering of social science topics thrown in). The videos are decidedly lo-fi, even crude: Generally seven to 14 minutes long, they consist of a voice-over by Khan describing a mathematical concept or explaining how to solve a problem while his hand-scribbled formulas and diagrams appear onscreen. Like the Wizard of Oz, Khan never steps from behind the curtain to appear in a video himself; it's just Khan's voice and some scrawly equations. Initially, Thordarson thought Khan Academy would merely be a helpful supplement to her normal instruction. But it quickly became far more than that. She's now on her way to "flipping" the way her class works. This involves replacing some of her lectures with Khan's videos, which students can watch at home. Then, in class, they focus on working problem sets. The idea is to invert the normal rhythms of school, so that lectures are viewed on the kids' own time and homework is done at school. It sounds weird, Thordarson admits, but this flipping makes sense when you think about it. It's when they're doing homework that students are really grappling with a subject and are most likely to need someone to talk to. And now Thordarson can tell just when this grappling occurs: Khan Academy provides teachers with a dashboard application that lets her see the instant a student gets stuck.

Getty Images Says Google Plus Terms of Service is "OK" (ReadWriteWeb, 15 July 2011) - Should photographers be concerned about Google Plus? This is the subject of an ongoing debate right now, due to the wording Google uses in its Terms of Service - specifically parts that seem to indicate it will have rights to photos posted on the new social network. But some folks, including both professional photographers and an intellectual property attorney, say the reaction is overblown. The issue is not a "Google" problem - it's something to consider before posting your images online, anywhere on the Web. This week, the lawyers at stock photography leader Getty Images have decided to weigh in on the situation, too, as it relates to the company's Flickr Collection contributors. Getty's verdict? "We're OK with Google+," it says. Members of the private group (note: link only works for members) "Getty Images Contributors" on Flickr were recently informed by a company representative that Getty's lawyers have deemed Google Plus OK for them to use. "The important thing to watch out for in Terms of Service, and it's the same as we've talked about for contests, is that whatever they do (or allow third parties to do) with the images should be in the context of the service itself, not to re-license or otherwise commercialize the images to other parties (or even the main company itself) outside of the context they're posted for," writes Flickr member Tom W at Getty Images, in a message posted to all group members. Tom cites specific sections of the Google Plus ToS (11.2 and 11.3) in his post, explaining that their intent is to allow Google to provide copies of the images to third parties "in the context of the service - social networking, photo-sharing, etc." For example, if members wanted to allow their friends to print copies of their photos, like Flickr does with Snapfish. However, says Tom, Google does "not provide for licensing to another party for their own use." [Editor: also carries a useful checklist for parsing photo-license Terms of Service generally.]

Financial Services Industry Group Issues Social Media Guidance (Hogan Lovells, 15 July 2011) - A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns. The guidance, titled "Social Media Risks and Mitigation," was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks. These risks are discussed in the context of three types of social media use: (1) By a financial institution to communicate with or service the financial institution's customers; (2) By the financial institution's employees in their personal or professional capacities; and (3) By the financial institution's employees or contractors outside the office. The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms. It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media. The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media, but still lacks clear rules from regulators regarding such activities. While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media. Also, while targeted at the financial services sector, the report also has relevance to many other types of users of social media. It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and performing a risk assessment to determine the risks a company's social media activities could pose.


Cooley Law School Sues Bloggers and Lawyers (InsideHigherEd, 15 July 2011) - The Thomas M. Cooley Law School, a freestanding institution in Michigan, on Thursday sued four anonymous individuals who have posted critical comments online and lawyers who have started an investigation into Cooley's job placement rates. The suits charge defamation, interference with business interests and other violations of the law. "With ethics and professionalism at the core of our law school's values, we cannot - and will not - sit back and let anyone circulate defamatory statements about Cooley or the choices our students and alumni made to seek their law degree here," said Brent Danielson, chair of Cooley's board, in an announcement of the suits. One of the anonymous bloggers being sued runs a site called Thomas M. Cooley Law School Scam "to bring truth and awareness to the students getting suckered in by this despicable excuse for a law school." The blog questions Cooley's academic quality and charges that very few of its graduates find jobs. (Cooley says 76 percent of graduates find jobs, and that the figure was higher before the economic downturn.) The law firm being sued is Kurzon Strauss, in New York, which ran a notice on the J.D. Underground website stating (according to the complaint) that it was "conducting a broad, wide-ranging investigation of a number of law schools for blatantly manipulating their post-graduate employment data and salary information" to take advantage of "the blithe ignorance of naive, clueless 22-year olds who have absolutely no idea what a terrible investment obtaining a J.D. is." The notice specifically requests information about Thomas Cooley and, according to the law school, suggested that it was "perhaps one of the worst offenders" in manipulating the data. Currently the J.D. Underground website features a posting with some similar language (but not nearly as strong) to that cited in the complaint, and another posting from the law firm retracting some of its earlier statements, suggesting that "certain allegations ... may have been couched as fact." David Anziska, a partner in the firm, said in an interview Thursday that "this is one of the most ridiculous lawsuits filed in recent memory." Anziska said that the firm will not only defend itself, but plans to sue Cooley for its suit. He declined to comment on the status of the investigation into job-placement rates of Cooley and other law schools, but said that the notice prompted more than 50 responses.


NCAA Social Networking Regulations Provide Challenge for MU Compliance Department (Missourian, 16 July 2011) - Social networking websites like Facebook and Twitter have made student athletes more accessible than ever. The 140-character limit on Twitter might not necessarily encourage a meaningful discourse, but things as simple as an athlete checking in while on vacation or a fan telling a recruit why he should commit to his favorite school can still make an impact. On [June] 21, the University of North Carolina received a Notice of Allegations from the NCAA detailing a litany of violations committed by its athletics programs. Among them was the failure to "adequately and consistently monitor social networking activity" by student athletes that should have caused the school to discover other violations sooner than it did. The implication seen by many in the NCAA's ruling - that athletic departments should be going through the entirety of their student athletes' social networking pages for potential violations - is troublesome for officials like Mitzi Clayton, MU's assistant athletics director for compliance. Clayton said she views such rigorous monitoring as an unattainable goal. [C]ompliance at MU continues to rely on the system already in place. Individual programs are tasked with monitoring the social networking activities of athletes, a practice once primarily concerned with potential image issues that may now focus more heavily on looking for potential violations. The football program, for example, uses a computer program called UDiligence. Designed primarily to protect student athletes from damaging the reputations of themselves and their schools, UDiligence searches for trigger words in student activity and alerts team officials when any red flags pop up. Other sports opt for a simpler approach, and a captain or coach frequently checks on posts from the team's players.


Wikipedia Rolling Out Article Rating System (ReadWriteWeb, 18 July 2011) - Love it or hate it, you can't say Wikipedia is slow to innovate. The giant encyclopedia site announced this weekend that it will now roll out site-wide an article rating system that allows page visitors to rate an entry on a scale of 1 to 5 on trustworthiness, objectivity, completeness and quality of writing. Article raters have the option of self-identifying as a subject matter expert for whatever article they rate. Wikipedia says that after limited testing of the feature, user response has been overwhelmingly positive; readers have said they found the rating system useful, that they felt compelled to give feedback, and have been shown to be increasingly likely to begin editing articles for the first time after using the rating tool. Data about article ratings is also made available for export and outside analysis under a Creative Commons license. The feature is limited to English Wikipedia for now.


Multinational Employers Face Multiple Facebook Rulings (Proskauer, 20 July 2011) - Recent prosecutions by the National Labor Relations Board have the employer community all atwitter over the Board's apparent social media policy. While social media law is too new and undeveloped to give a clear picture, the Labor Board's approach appears to give employees broad latitude to disparage their employer on Facebook and similar social media sites - viewing the online exchanges more like water cooler conversations among coworkers than public broadcasts to actual or potential customers. Early indications are that foreign tribunals are taking a different approach. In several recent cases, they have affirmed the employers' right to dismiss employees for comments made in social media forums.


Social Media History Becomes a New Job Hurdle (NYT, 20 July 2011) - Companies have long used criminal background checks, credit reports and even searches on Google and LinkedIn to probe the previous lives of prospective employees. Now, some companies are requiring job candidates to also pass a social media background check.

A year-old start-up, Social Intelligence, scrapes the Internet for everything prospective employees may have said or done online in the past seven years. Then it assembles a dossier with examples of professional honors and charitable work, along with negative information that meets specific criteria: online evidence of racist remarks; references to drugs; sexually explicit photos, text messages or videos; flagrant displays of weapons or bombs and clearly identifiable violent activity. "We are not detectives," said Max Drucker, chief executive of the company, which is based in Santa Barbara, Calif. "All we assemble is what is publicly available on the Internet today." The Federal Trade Commission, after initially raising concerns last fall about Social Intelligence's business, determined the company is in compliance with the Fair Credit Reporting Act, but the service still alarms privacy advocates who say that it invites employers to look at information that may not be relevant to job performance.


Cyber Weapons: The New Arms Race (Business Week, 20 July 2011) - In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company's top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira's source code. He grabbed the one machine and fled. The whole operation lasted five minutes, according to video captured on an employee's webcam. Palo Alto Police Sergeant Dave Flohr describes the burglary as a run-of-the-mill Silicon Valley computer grab. "There are lots of knuckleheads out there that take what they can and leave," he says. But two people close to the company say that they, as well as national intelligence investigators now looking into the case, suspect something more sinister: a professional heist performed by someone with ties to China or Russia. The burglar didn't want a computer he could sell on Craigslist. He wanted Nicira's ideas. Those familiar with the burglary refuse to talk about it on the record, citing orders handed down by the federal investigators. In private, they share a common concern: Cyber espionage and nation-state-backed hacking incidents appear to be increasing in frequency and severity. What once seemed the province of Hollywood - high-tech robbers with guns; Internet worms that take out power plants - has become real. They fear that online skirmishes and spying incidents are escalating into a confusing, vicious struggle that involves governments, corporations, and highly sophisticated free-ranging hackers. This Code War era is no superpower stare-down; it's more like Europe in 1938, when the Continent was in chaos and global conflict seemed inevitable. Cyber attacks used to be kept quiet. They often went undiscovered until long after the fact, and countries or companies that were hit usually declined to talk about attacks. That's changed as a steady flow of brazen incursions has been exposed. Last year, for example, Google (GOOG) accused China of spying on the company's workers and customers. It said at the time that at least 20 other companies were victims of the same attack, nicknamed Operation Aurora by the security firm McAfee (INTC). The hacked included Adobe Systems (ADBE), Juniper Networks (JNPR), and Morgan Stanley (MS). Joel F. Brenner, the head of U.S. counterintelligence until 2009, says the same operation that pulled off Aurora has claimed many more victims over several years. "It'd be fair to say that at least 2,000 companies have been hit," Brenner says. "And that number is on the conservative side." Dozens of others, ranging from Lockheed Martin (LMT) and Intel (INTC) to the Indian Defense Ministry, the International Monetary Fund, and the Pacific Northwest National Laboratory, have suffered similar assaults. Earlier this year hackers raided the computer networks of RSA (EMC), a marquee security firm that protects other companies' computers. They stole some of the most valuable computer code in the world, the algorithms behind RSA's SecurID tokens, a product used by U.S. government agencies, defense contractors, and major banks to prevent hacking. It was like breaking into a heavily guarded locksmith and stealing the master combination that opened every vault in every casino on the Las Vegas Strip. This month the Pentagon revealed that it, too, had been hacked: More than 24,000 files were stolen from the computers of an unnamed defense contractor by "foreign intruders."


FFIEC Ups The Ante On Authentication (Steptoe, 21 July 2011) - The Federal Financial Institutions Examination Council (FFIEC) has released a Supplement to its 2005 Authentication in an Internet Banking Environment Guidance. The overarching thrust of the Supplement is that, because fraudsters are becoming increasingly sophisticated at breaking through customer authentication systems with techniques like keylogging and man-in-the-middle attacks, financial institutions should use systems of layered security to prevent fraudulent activity. The FFIEC now also recommends that banks "offer" multifactor authentication to their business customers. As we have previously reported, some courts have said that a bank's failure to follow the FFIEC's Guidance could give rise to a negligence claim. And it is possible that courts and regulators could look to the FFIEC's Guidance when evaluating the cybersecurity of non-financial institutions, as well. Banks and other companies should therefore look closely at the Guidance and the Supplement and evaluate whether their own authentication systems are up to snuff in light of their particular circumstances.


Uniform Electronic Legal Material Act approved by the Uniform Law Commission (BeSpacific, 21 July 2011) - Uniform Electronic Legal Material Act Drafted by the National Conference of Commissioners on Uniform Law - approved and recommended for enactment, July 18, 2011: "A new act approved [July 12, 2011] by a national law group establishes an outcomes-based, technology-neutral framework for providing online legal material with the same level of trustworthiness traditionally provided by publication in a law book. The Uniform Electronic Legal Material Act was approved today by the Uniform Law Commission (ULC) at its 120th Annual Meeting in Vail, Colorado. Increasingly, state governments are publishing laws, statutes, agency rules, and court rules and decisions online. In some states, important state-level legal material is no longer published in books, but is only available online. While electronic publication of legal material has facilitated public access to the material, it has also raised concerns. Is the legal material official, authentic, government data that has not been altered? For the long term, how will this electronic legal material be preserved? How will the public access the material 10, 50, or 100 years from now? The Uniform Electronic Legal Material Act provides a consistent approach to solving these problems."


Thousands of Scientific Papers Uploaded to The Pirate Bay (GigaOM, 21 July 2011) - A user called Greg Maxwell just uploaded a torrent with 18,592 scientific publications to The Pirate Bay, in what appears to be a protest directed both at the recent indictment of programmer Aaron Swartz for data theft as well as the scientific-publishing model in general. All of the documents of the 32-gigabyte torrent were taken from JSTOR, the academic database that's at the center of the case against Swartz. The torrent consists of documents from the Philosophical Transactions of the Royal Society, the copyright to which has long since expired. However, the only way to access these documents until now has been via JSTOR, as Maxwell explains in a long and eloquent text on the Pirate Bay, with individual articles costing as much as $19. "Purchasing access to this collection one article at a time would cost hundreds of thousands of dollars," he writes. Maxwell goes on to explain that he gained access to the documents years ago in what he says was a legal manner, but was afraid to publish them because of potential legal repercussions from the publishers of scientific journals. He says the indictment of Aaron Swartz, who allegedly tried to download thousands of files from JSTOR through the library at MIT, made him change his mind.


How Much Data is Facebook Giving Law Enforcement Under Secret Warrants? (Ride The Lightning, 21 July 2011) - The short answer is that no one knows. According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts for the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism. What interested me most is that these warrants demand a user's "Neoprint" and "Photoprint" - terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook's claim that the "Download Your Account" button gives you everything that Facebook itself possesses. Reuters apparently gleaned some of this information from Westlaw, where it found that at least 11 warrants have been granted since the beginning of 2011, double the number granted in all of 2010. The real truth is that no one knows how many warrants have been granted since it is likely that many records have been sealed. Facebook could tell us, of course, but declines to do so. It does say that it pushes back against law enforcement "fishing expeditions." Now that gives me a lot of comfort because my trust in Facebook is so absolute. That "trust" is buttressed by the fact that Facebook doesn't tell users about the warrants to give them a chance to challenge those warrants legally. Why not, Facebook? Twitter (and others) have adopted a policy of notifying users of law enforcement warrants. If Facebook is as interested in user rights as it claims, it is time to rectify this omission.


UK Government Clears Staff to Share Restricted Documents Via the Cloud Service (IT Pro, 21 July 2011) - Government staff will soon be able to share "restricted" documents in the cloud, following a deal between the services arm of the Foreign and Commonwealth Office and the software-as-a-service provider Huddle. FCO Services will run Huddle's software on its internal cloud, known as the Government Secure Application Environment (GSAE). This will allow civil servants, diplomats and other Government staff to share documents up to the secrecy level IL3, or Restricted. Other Government departments, including the Department of Environment and Rural Affairs and the Cabinet Office, already use a public version of Huddle for "external collaboration," sharing documents up to IL2. This service is already being used by businesses, including Kia Motors, P&G and Disney.


EU Cookies--Where Did the Pieces Fall? (Wiley Rein, July 2011) - The deadline has come and gone for European Union (EU) Member States to start requiring companies to obtain individuals' consent prior to placing cookies on computers, mobile devices and other hardware. In its wake, industry players continue to struggle to understand what this cookie consent requirement means. U.S. companies should consider basic compliance steps if they offer websites, mobile applications or other online offerings to EU individuals, as EU regulators have long sought to hold such U.S. companies responsible. "Consent" was left ambiguous by EU lawmakers in late 2009 amendments to the EU E-Privacy Directive (directive 2009/136/EC, which amended directive 2002/58/EC). Thus, substantial uncertainty has persisted about whether the new EU law might disrupt the function of cookies. For many years, EU data protection authorities (DPAs) have contended that a foreign website operator placing a cookie on a computer in the European Union is availing itself of "equipment" located in the EU. Thus, they argue, that operator is subject to EU law. By this theory, a U.S.-based website operator would be required to obtain the informed, opt-in consent of EU individuals before placing cookies on their hard drives. Not surprisingly, recent guidance from individual Member State DPAs concerning the cookie consent requirement does not disclaim a potential extraterritorial reach. Where a U.S. company has a prominent presence in the European Union, and especially where that company is active in online behavioral advertising, the threat of DPA action on cookies is greater. EU authorities have been mixed on the question of whether prior "opt in" consent is necessary to place a cookie. Interpretive language in the E-Privacy Directive itself suggests that consent could be based merely on an individual's browser settings. Despite the May 2011 implementation deadline, many Member States have failed to fully implement the directive amendments. Even where legislation is in effect, it often fails to specify whether opt-in consent is necessary. Finally, Member States seem to be taking markedly different approaches to implementing the amendment, creating yet another "regulatory patchwork" in the EU privacy area. U.S. companies that direct online offerings to EU individuals should continue to monitor how the cookie consent requirements develop. But it seems premature to overhaul online offerings in order to create a mechanism for obtaining opt-in cookie consent. For example, the United Kingdom's implementation of the directive mentions that browser settings can be the basis for consent. Though UK privacy regulators contend in informal statements that default browser settings are insufficient, their proposed response - to work with browser providers to change default settings - seems unlikely to produce results in a commercially reasonable time frame.


Sony Insurer Sues to Deny Data Breach Coverage (Reuters, 22 July 2011) - One of Sony Corp's insurers has asked a court to declare that it does not have to pay to defend the media and electronics conglomerate from mounting legal claims related to a massive data breach earlier this year. The dispute comes as demand soars for "cyberinsurance," with companies seeking to protect themselves against customer claims and associated costs for data and identity theft. How to write such policies has become a huge subject of debate in the insurance industry. Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general." "Zurich doesn't think there's coverage, but to the extent there may be a duty to defend it wants to make sure all of the insurers with a potential duty to defend are contributing," said Richard Bortnick, an attorney at Cozen O'Connor and publisher of the digital law blog CyberInquirer. Bortnick, who is not involved in the case, said that while Sony may be able to claim there was property damage as a result of the data breach, Zurich is likely to argue that the sort of general liability insurance it wrote for Sony was never intended to cover digital attacks. Sony has said it expects the hacking to drag down operating profit by 14 billion yen ($178 million) in the current financial year, including costs for boosting security measures. Zurich American, in its court papers, said 55 purported class-action complaints have been filed in the United States against Sony. The insurer also said Sony has been subject to investigations by state and federal regulators since the breach.


France Telecom to Bid Adieu to Minitel (WSJ, 25 July 2011) - Next year, Minitel - France's precursor to the Internet - will finally meet its maker. For 30 years the toaster-sized screen weathered the Internet revolution. Despite a text-only service, basic graphics and snail-like speed, the terminal generated €30 million ($43.1 million) in revenue in 2010, with around 85% redistributed to service providers such as banks and weather forecasters, according to France Telecom SA, which operates the service. Despite the service still being profitable, the telecommunications operator has decided to swing the axe. "The Minitel will die on June 30, 2012," said a France Telecom spokeswoman on Friday, explaining that the architecture the Minitel runs on has become obsolete. That Minitel survived so long is a reminder that even in today's fast-changing technological world the key to online success lies with a sturdy, easy-to-use system that guarantees a secure connection. The Minitel was ordered up by the French government in the late 1970s as part of an initiative to get people to share information and, eventually, reduce the consumption of paper. Launched in 1982, the box-like terminal with its monochrome screen and small keyboard was dished out by France Telecom to millions of French homes, where users paid by the minute to log on, chat, buy train tickets and check bank accounts. [Editor: I fondly remember using Minitel from my Paris office in the late 1990s; simple, functional, and ahead of its time; one of the reasons I came to appreciate French engineering and philosophy.]


With Digital Mapmaking, Scholars See History (NYT, 26 July 2011) - Few battles in history have been more scrutinized than Gettysburg's three blood-soaked days in July 1863, the turning point in the Civil War. Still, there were questions that all the diaries, official reports and correspondence couldn't answer precisely. What, for example, could Gen. Robert E. Lee actually see when he issued a series of fateful orders that turned the tide against the Confederate Army nearly 150 years ago? Now historians have a new tool that can help. Advanced technology similar to Google Earth, MapQuest and the GPS systems used in millions of cars has made it possible to recreate a vanished landscape. This new generation of digital maps has given rise to an academic field known as spatial humanities. Historians, literary theorists, archaeologists and others are using Geographic Information Systems - software that displays and analyzes information related to a physical location - to re-examine real and fictional places like the villages around Salem, Mass., at the time of the witch trials; the Dust Bowl region devastated during the Great Depression; and the Eastcheap taverns where Shakespeare's Falstaff and Prince Hal caroused. "Mapping spatial information reveals part of human history that otherwise we couldn't possibly know," said Anne Kelly Knowles, a geographer at Middlebury College in Vermont. "It enables you to see patterns and information that are literally invisible." The software adds layers of information to a map that can be added or taken off at will in various combinations; the same location can also be viewed back and forth over time at the click of a mouse. Today visitors to Gettysburg can climb to the cupola of the Lutheran seminary, where Lee stationed himself on July 2, the second day of fighting; or stand on Seminary Ridge, where the next day Lee watched from behind the Confederate lines as thousands of his men advanced across the open farmland to their deaths in the notorious Pickett's Charge. But they won't see what the general saw because the intervening years have altered the topography. Over the decades a quarry, a reservoir, different plants and trees have been added, and elevations have changed as a result of mechanical plowing and erosion. Geographic Information Systems, known as GIS, allowed Ms. Knowles and her colleagues to recreate a digital version of the original Gettysburg battlefield from historical maps, documented descriptions of troop positions and scenery, and renderings of historic roads, fences, buildings and vegetation. "The only way I knew how to answer the question," about what Lee saw, Ms. Knowles said, "was to recreate the ground digitally using GIS and then ask the GIS program: What can you see from a certain position on the digital landscape, and what can you not see?" She said her work helps "make Lee's dilemma more vivid and personal." Nineteenth-century military leaders relied primarily on their own eyes, and small differences in elevation were strategically important. "Lee probably could not have possibly seen the massive federal forces building up on the eastern side of the battlefield on Day 2 during the famous attack on Little Round Top," Ms. Knowles said. "He had to make decisions with really inadequate information."


LOOKING BACK - MIRLN TEN YEARS AGO

HACK INSURER ADDS MICROSOFT SURCHARGE (ZD Net News, 20 August 2001) -- Insurance broker J.S. Wurzler Underwriting Managers has started charging up to 15 percent more in premiums to clients that use Microsoft's Internet Information Server software, which the Code Red worm feasted on. In light of the $2 billion in damage caused by Code Red, founder and CEO John Wurzler's decision just before the virus hit seems prescient. Wurzler gained notoriety earlier this year for hiking cyberinsurance rates on companies that use Microsoft NT software on their servers. So far, Wurzler appears to be the only insurer singling out Microsoft for higher rates. And some security officials are not kind in their comments. http://www.zdnet.com/zdnn/stories/news/0,4586,2805929,00.html?chkpt=zdnnp1tp02


VIRTUAL SHAREHOLDER MEETINGS FLOP (CNET News, 7 September 2001) -- Annual reports, proxies and other corporate documentation are still shipped out by paper mail to shareholders every year. Shareholders still gather annually for a physical meeting with the board of directors. And although there have been some changes in the law to move things into the age of cyberspace, most observers say that the physical world will be with us for some time. And maybe that's for good reason. Advocates say it's in the shareholders' interest to keep meetings in person and that moving them online could put their rights in jeopardy. However, Delaware has already passed one law, and Massachusetts is working on another, that would allow companies to communicate with shareholders electronically and even hold shareholders' meetings online. While these new rules make it easier to disseminate information, critics charge that they also allow corporations to avoid confrontation. The Delaware law, which went into effect last year, allows a company to hold its annual meeting solely online. But to date, no company has done so. http://news.cnet.com/news/0-1005-200-7083108.html


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
