Saturday, March 03, 2012

MIRLN --- 12 February – 3 March 2012 (v15.03)

MIRLN --- 12 February - 3 March 2012 (v15.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

Breaking Virtual Ground (InsideHigherEd, 13 Feb 2012) - Massachusetts Institute of Technology announced today that registration has opened for its first online course through MITx , its new online spin-off devoted to offering "interactive" online versions of MIT courses to people not enrolled at the prestigious university. The first course is an adapted version of Circuits and Electronics, an introductory course in which students learn the basic architecture of computers and gadgets. Participants will watch five- to 10-minute video tutorials, read an e-textbook, and complete homework assignments, virtual laboratories and two exams. At the end of the course, they will receive a cumulative grade and a certificate from MITx. Registration will cost nothing, and there is no limit to enrollment. The "modest" fees that the university has said it will charge for MITx will most likely be tied to the credential, according to a spokesman. He said pricing has not been determined yet. The assignments and exams will be graded by computer programs. MITx does not plan to include any protection against cheating beyond an honor code and the natural obstacles inherent in the complexity of the assignments and exam questions. The completion certificate will note this explicitly, Agarwal says. In the future, MITx may pursue more sophisticated checks on dishonesty, he added. One homegrown e-learning innovation MITx hopes to bring to bear in its inaugural course is a virtual circuits laboratory that will allows participants to play with chips and resistors and orient themselves to the building blocks of microprocessors - all via a browser window. Instead of handling a breadboard and connecting components with their hands, the MITx registrants will do so by clicking, dragging and dropping in "the gaming equivalent of a physical lab," Agarwal said.

top

Congress Left in Dark on DOJ Wiretaps (Wired, 13 Feb 2012) - A Senate staffer was tasked two years ago with compiling reports for a subcommittee about the number of times annually the Justice Department employed a covert internet and telephone surveillance method known as pen register and trap-and-trace capturing. But the records, which the Justice Department is required to forward to Congress annually, were nowhere in sight. That's because the Justice Department was not following the law and had not provided Congress with the material at least for years 2004 to 2008. On the flip side, Congress was not exercising its watchdog role, thus enabling the Justice Department to skirt any oversight whatsoever on an increasingly used surveillance method that does not require court warrants, according to Justice Department documents obtained via the Freedom of Information Act. The mishap is just one piece of an ever-growing disconnect between Americans' privacy interests, and a Congress seemingly uncommitted to protecting those interests. The reports, recently posted on Justice Department website, chronicle a powerful surveillance tool undertaken tens of thousands of times annually by the Federal Bureau of Investigation, the Drug Enforcement Agency, the Marshals Service and the Bureau of Alcohol, Tobacco and Firearms. The reports show that, from 2004 to 2008, the number of times this wiretapping method was employed nearly doubled, from 10,885 to 21,152. Judges sign off on these telco orders when the authorities say the information is relevant to an investigation. No probable cause that the target committed a crime - the warrant standard - is necessary. The Justice Department, beginning in late 2010, has only published the reports from 2004 to 2009 , the year it obtained 23,895 judicial orders to conduct such surveillance. It did not immediately comment on whether the 2010 and 2011 reports have been compiled and sent to Congress, or explain why the mishap occurred. Internet security researcher Christopher Soghoian recently obtained e-mails via a two-year FOIA process confirm for the first time that Congress was left out of the loop for at least the years 2004 to 2008. Using FOIA, he and others have crowbarred from the Justice Department the reports from 1999 to 2009 . "This is an important surveillance tool," Soghoian said in a telephone interview. "In addition to showing that DOJ is lazy and not obeying the law, the most notable thing here is that Congress was asleep at the wheel." The handful of government e-mails (.pdf) Soghoian obtained confirm for the first time that Congress was left out of the loop for at least the years 2004 to 2008. A law review article suggests the same for years 1999 through 2003 .

top

Feds Argue Using a Fake Name Can Deprive You of Rights (WSJ, 14 Feb 2012) - Does using a fake name when you sign up for a cellphone plan mean the government can get information from your phone without a warrant? That's one argument the Department of Justice is making in an Arizona case - that using a false name is fraud and means you don't have a reasonable expectation of privacy. Such a stance might raise questions about the widespread practice of using pseudonyms to sign up for services online. But legal experts said it's unlikely a court would take the argument that far. The case, which the Journal first covered in an article last year , involves the use of a cellphone-tracking device called a stingray to find a mobile broadband card that the government says was being used to file fraudulent tax returns. The government conceded in the case that the use of the stingray was intrusive enough qualify as a search under the Fourth Amendment, which protects against unreasonable searches and seizures. But in a court filing on Jan. 27, the government argues that the defendant, Daniel David Rigmaiden, doesn't have standing to bring a Fourth Amendment claim because the broadband card, service and computer were purchased under false names and the apartment was rented using the name of a dead person and a fake ID. Courts recently have found that a warrantless search is OK if the person used fraud to get the thing being searched, said Susan Freiwald, a professor at the University of San Francisco School of Law. In one example, the defendant had bought a computer with a stolen credit card and the person who actually owned the card consented to the search. In another, the defendant was receiving mail addressed to an alias he used only as part of a fraud. But other cases have found that people still have a reasonable expectation of privacy - and thus can't have their property searched without a warrant - even if they are using an alias. "It's not against the law to use a fake name," said Adam Candeub, director of the Intellectual Property, Information and Communications Law Program at Michigan State University. The use of a fake ID and signing of a lease might be a different matter, though. "It can be fraudulent if you are entering into a contract under a fake name, but if it is a simple retail transaction the law is not clear," he said. Ms. Freiwald said that although prosecutors have argued repeatedly that using an alias diminishes a person's Fourth Amendment rights, "it would be too large an encroachment on both privacy rights and the rights of free speech if the mere use of a pseudonym were enough to deprive someone" of Fourth Amendment protections.

top

FCC to Get Tougher on Robocalls (USA Today, 14 Nov 2012) - The Federal Communications Commission today is set to approve tougher rules giving consumers additional protection against unwanted autodialed or prerecorded calls to home phone lines. "We have gotten thousands of complaints," says FCC Chairman Julius Genachowski. "Consumers were still getting robocalls they don't want and shouldn't get." He expects the commission to approve new rules that will require telemarketers to get written consent before making such calls. Even though Congress in 2008 passed legislation making Do Not Call permanent, some telemarketers have continued to make unsolicited calls because of loopholes in the law. Under the new FCC rules, telemarketers must get consent before calling home phones, even if the consumer hasn't included their number on the Do Not Call registry. Current rules already prohibit such calls to cellphones without consent. Previously, companies that consumers already had done business with could robocall them, but that exemption will be removed under the new rules. Other new provisions require telemarketers to give consumers a quick way to end the call and automatically add their number to telemarketers' Do Not Call lists. Not covered by the new rules: robocalls from schools and other non-profit organizations and political groups, because they are considered informational. Those calls cannot be made without consent to wireless phones, however.

top

Mayo Clinic Center For Social Media : Role Model For Legal Profession (Kevin O'Keefe, 14 Feb 2012) - If you've been following Mayo Clinic, you've seen their commitment to be the leader in social medicine in medicine. The latest comes with the announcement of their fourth annual Social Media Summit , a week long program in Rochester, Minn. campus this October. Mayo Clinic is not placing an emphasis on social media as a gimmick or as an attention grabber. Mayo is doing so because of its dedication to the patient. Mayo sees social media as critical to helping its colleagues promote health, fight disease, and promote healthcare. Mayo has founded the Media and developed a world wide Social Media Health Network as part of their efforts.

top

First State Attorney General Action Under HITECH (Proskauer, 14 Feb 2012) - On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection agency, lost a laptop containing unencrypted PHI of approximately 23,500 Minnesota patients. This represents the first case brought by a state attorney general under HIPAA.

top

Fair Use Or Free Riding? The AP's New Attack On News Scraping (PaidContent.org, 14 Feb 2012) - The Associated Press is becoming more aggressive in trying to rein in the information the news service scatters around the world. After helping to launch a copyright monitoring service, the AP is now suing a company that clips headlines and news items for its customers. In a complaint filed this morning in New York federal court, the AP accused Norway-based Meltwater of wrongfully repackaging and sharing its content without a license. The lawsuit comes at a time when content owners continue to wrestle with how to stop what they perceive as free riding by news monitors and aggregators. In its lawsuit, the AP is also claiming copyright infringement on the grounds that Meltwater has copied and stored the articles, and that it is sharing "the heart" of the articles by reproducing more than 30% of them. [Editor: here we go again. The 30% threshold reminds me of when Palm Pilots limited cut-and-paste to a fixed number of words.]

top

SEC to Telcos: Yes, Net Neutrality is a Significant Policy Issue (ReadWriteWeb, 15 Feb 2012) - Back in December 2006, as part of its agreement to merge with former regional Bell operating company BellSouth, AT&T made a pledge to the Federal Communications Commission. In that pledge, AT&T promised it would maintain a fair and neutral policy toward all Internet packet routing, applying no privileges based on packets' origin, content, or destination. It's perhaps the clearest definition of net neutrality that has ever been devised. So a group of AT&T shareholders have been wondering why the company is running from it. Last month, they sought a shareholders' vote to effectively embed AT&T's 2006 net neutrality language as network policy. AT&T sought the Securities and Exchange Commission's permission to block that shareholders' proposal. Yesterday, after five Democratic senators weighed in, the SEC denied AT&T's motion, and the proposal now must go forward. "The open (non-discriminatory) architecture of the Internet is critical to the prosperity of our economy and society," the proposal from Trillium Asset Management begins. After making references to the potential benefits of net neutrality policy to the economy, and after citing the then-likely merger with T-Mobile (which is now off), the Trillium proposal would resolve that AT&T "operate a neutral network with neutral routing along the company's wireless infrastructure such that the company does not privilege, degrade or prioritize any packet transmitted over its wireless infrastructure based on its source, ownership or destination." Last week, the SEC Chief Counsel's office issued a letter to AT&T's attorneys essentially forbidding it to block the Trillium motion. "In view of the sustained public debate over the last several years concerning net neutrality and the Internet and the increasing recognition that the issue raises significant policy considerations," wrote Attorney-Advisor Erin E. Martin, "we do not believe that AT&T may omit the proposal from its proxy materials."

top

Warrantless Search of Digital Camera Constitutes an Unreasonable Search, Court Holds (Steptoe, 16 Feb 2012) - A federal district court in Oregon last month ruled that the warrantless search of a digital camera was not permitted pursuant to the "search-incident-to arrest" exception from the requirement for a warrant, and therefore violated the Fourth Amendment. The court in Schlossberg v. Solesbee ruled that the large volume of personal data that can be stored on modern mobile devices entitles them to a higher standard of privacy and thus, absent the existence of an exigent circumstance, an officer must obtain a warrant to search any electronic device found on a suspect. The court noted that neither the Supreme Court nor the Ninth Circuit had previously considered the warrantless search of an arrestee's camera, and that courts have split over whether warrantless searches of other electronic devices fall within the search-incident-to-an-arrest exception.

top

How Companies Learn Your Secrets (NYT, 16 Feb 2012) - Andrew Pole had just started working as a statistician for Target in 2002, when two colleagues from the marketing department stopped by his desk to ask an odd question: "If we wanted to figure out if a customer is pregnant, even if she didn't want us to know, can you do that? " As the marketers explained to Pole - and as Pole later explained to me, back when we were still speaking and before Target told him to stop - new parents are a retailer's holy grail. Most shoppers don't buy everything they need at one store. Instead, they buy groceries at the grocery store and toys at the toy store, and they visit Target only when they need certain items they associate with Target - cleaning supplies, say, or new socks or a six-month supply of toilet paper. But Target sells everything from milk to stuffed animals to lawn furniture to electronics, so one of the company's primary goals is convincing customers that the only store they need is Target. There are, however, some brief periods in a person's life when old routines fall apart and buying habits are suddenly in flux. One of those moments - the moment, really - is right around the birth of a child, when parents are exhausted and overwhelmed and their shopping patterns and brand loyalties are up for grabs. But as Target's marketers explained to Pole, timing is everything. Because birth records are usually public, the moment a couple have a new baby, they are almost instantaneously barraged with offers and incentives and advertisements from all sorts of companies. Which means that the key is to reach them earlier, before any other retailers know a baby is on the way. Specifically, the marketers said they wanted to send specially designed ads to women in their second trimester, which is when most expectant mothers begin buying all sorts of new things, like prenatal vitamins and maternity clothing. "Can you give us a list?" the marketers asked. For decades, Target has collected vast amounts of data on every person who regularly walks into one of its stores. Whenever possible, Target assigns each shopper a unique code - known internally as the Guest ID number - that keeps tabs on everything they buy. "If you use a credit card or a coupon, or fill out a survey, or mail in a refund, or call the customer help line, or open an e-mail we've sent you or visit our Web site, we'll record it and link it to your Guest ID," Pole said. "We want to know everything we can." [Editor: it's a long piece, but very interesting.]

top

Ethics Complaint Claims Lawyer Tried to Sway Potential Jurors by Posting Discovery Video on YouTube (ABA Journal, 16 Feb 2012) - An ethics complaint alleges a downstate Illinois lawyer attempted to sway public opinion against the prosecution of his drug client by posting a discovery video online. Lawyer Jesse Raymond Gilsdorf hired a company to post the video of an undercover drug buy on YouTube in April 2011 and then linked to it on Facebook, according to the complaint . The two-part video received more than 2,000 hits before a judge ordered its removal. The Legal Profession Blog has a story. The video was labeled "Cops and Task Force Planting Drugs." It implied that police had engaged in improper conduct and entrapped Gilsdorf's client, who was charged with unlawful delivery of a controlled substance in Pike County, the complaint alleges. Gilsdorf did not receive the consent of his client before posting the video, the complaint says.

top

Law Firm Websites Are Not the Foundation of Online Business Development (Kevin O'Keefe, 18 Feb 2012) - The fact is law firms have websites. The question is not whether to have a website or not. The question is whether law firms should throw more money and time at their website when the firm's lawyers and business development professionals don't know how to use the Internet to network. Lawyers and law firms got plenty of work before we had websites. They did it through networking. The Internet doesn't change that. The Internet just presents lawyers a golden opportunity to network so as to build relationships and enhance one's reputation at an accelerated rate. When it comes to networking through the Internet, a website doesn't make the list of the most important items to master: (1) LinkedIn . Not just as your profile of record that's more important than the bio on your websites, but as a consummate networking arena. (2) RSS reader . How can you network with others online if you cannot hear what others are talking about? (3) Blog . There is simply no better way for a lawyer to grow professionally and from a business development standpoint than to blog in an engaging fashion. (4) Twitter . In addition to Twitter possibly being the single biggest personal branding tool since the television, Twitter provides lawyers a powerful information network and relationship building tool. (5) Facebook . Too many lawyers divide the online world into personal and professional. Networkers know you can't do it. Facebook enables lawyers to enhance their relationships with close business associates. (6) Google+ . No one has a firm grip on where Google+ is headed, but their is no question it's here to stay and is going to influence search and discovery of information and people. Lawyers would be well served to experiment with Google+. Those six tools are all about networking through the Internet. Networking that empowers a lawyer to build relationships and enhance their reputation.

top

Hoo-ah: How the US Army Has Become a Social Media Leader (ReadWriteWeb, 19 Feb 2012) - Over the past several years, the US Army has developed an exemplary program in exploiting numerous social media methods, and done so without a lot of flash, expense, or personnel. They have an engaged audience, numerous followers, and maintained a multi-pronged campaign into all of the major social media networks, including recent beach-heads in Pinterest and Google+. All this, and with a five-person team based in the Pentagon and without spending much in the way of budget too. They are a worthy case study for organizations that are trying to make their own assaults on social media and haven't been as effective. Let's take a tour of the Army social media landscape and show you what they are doing right. Regardless of your politics, I think you will agree that they are leading by example when it comes to social media. [Editor: good, actionable material here.]

top

Many Voices, but Still One Times (NYT's Public Editor, 19 Feb 2012) - DAVID CARR put his finger on something in his column last Monday, which dealt with the tension between individual journalists' social media expressions and their employers' established standards. Digital innovation has created great opportunities for the former and severe challenges for the latter. The problem is part of a much larger phenomenon. In the current environment, New York Times journalists are empowered to build their own personal following via social networks like Twitter and Facebook, while at the same time the wider audience can use blogs and curation sites to pull content away from The Times. The result is a deconstructed New York Times that is reassembled by others far from The Times's home base at NYTimes.com. The paper should at least try to balance this, I believe, by using home base to reinforce its voice and its standards for journalism. Home base should be an anchor that not only offers content but also an institutional statement about what The Times stands for and what it thinks. One step toward accomplishing this would be a powerful reader portal on the Web site, a place where useful tools and straightforward communication could help strengthen The Times's brand. What might be included? [Editor: very interesting; If the Old Gray Lady moves this way, it'll create a de facto best practice for other news e-outlets.]

top

Is Writing Style Sufficient to Deanonoymize Material Posted Online? (33 Bits, 20 Feb 2012) - Ryan Calo writes: I have a new paper appearing at IEEE S&P with Hristo Paskov, Neil Gong, John Bethencourt , Emil Stefanov , Richard Shin and Dawn Song on Internet-scale authorship identification based on stylometry , i.e., analysis of writing style. Stylometric identification exploits the fact that we all have a 'fingerprint' based on our stylistic choices and idiosyncrasies with the written word. To quote from my previous post speculating on the possibility of Internet-scale authorship identification: Consider two words that are nearly interchangeable, say 'since' and 'because'. Different people use the two words in a differing proportion. By comparing the relative frequency of the two words, you get a little bit of information about a person, typically under 1 bit. But by putting together enough of these 'markers', you can construct a profile. The basic idea that people have distinctive writing styles is very well-known and well-understood, and there is an extremely long line of research on this topic. This research began in modern form in the early 1960s when statisticians Mosteller and Wallace determined the authorship of the disputed Federalist papers, and were featured in TIME magazine. It is never easy to make a significant contribution in a heavily studied area. No surprise, then, that my initial blog post was written about three years ago, and the Stanford-Berkeley collaboration began in earnest over two years ago.

top

LawVest Unveils Fixed-Price Law Firm Combining Solicitors and Barristers (Legal Futures, 20 Feb 2012) - A groundbreaking business law firm operating entirely on fixed fees and featuring a mix of leading barristers and solicitors opens today, aiming for a market that it claims has been "protected from real competition for too long". Riverview Law is the brainchild of LawVest, which as first revealed on Legal Futures last autumn has investment from global law firm DLA Piper. LawVest is to apply to become an alternative business structure (ABS). Operating through Riverview Solicitors and Riverview Chambers, it offers businesses with up to 1,000 employees annual contracts from as little as £200 a month for all their day-to-day legal support, or receive a fixed price for a particular piece of work. The annual contracts provide unlimited access to legal advice. Advice is mainly provided remotely, backed up by sophisticated IT. Large organisations can outsource their in-house legal function to Riverview Law, also at a fixed price. Riverview is an option for DLA clients who are no longer core to the global firm's plans, but LawVest chief executive Karl Chapman emphasised that Riverview will receive "no preferential treatment" and DLA lawyers will be under no obligation to refer work. "The business will stand and fall on the quality, standards, service and prices we provide," he said.

top

CIA to Software Vendors: A Revolution is Coming (Reuters, 21 Feb 2012) - The U.S. Central Intelligence Agency told software vendors on Tuesday that it plans to revolutionize the way it does business with them as part of a race to keep up with the blazing pace of technology advances. Rather than stick with traditional all-you-can-eat deals known as "enterprise licensing agreements," the CIA wants to buy software services on a "metered," pay-as-you-go basis, Ira "Gus" Hunt, the agency's top technology officer, told an industry conference. "Think Amazon," he said, referring to the electronic commerce giant where the inventory is vast but the billing is per item. "That model really works." The old way of contracting for proprietary software inhibits flexibility, postponing the CIA's chance to take advantage of emerging capabilities early on, Hunt said. Hunt made his remarks at a conference on emerging technologies organized by the Armed Forces Communications & Electronics Association's Washington D.C. chapter. Replying to a question, he said the CIA would be willing to give vendors with security clearances a "peek under the covers" to address any doubt about whether it was fairly accounting for proprietary software used under any pay-as-you-go deal. "Don't kid yourself that we can't do this thing because we can," he said, adding that the agency was seeking to build strong partnerships with its information technology suppliers.

top

Corporate Clients Should Ask Specific Questions About Law Firm Computer Security, Experts Say (ABA Journal, 21 Feb 2012) - We live in a world in which computer attacks via the Internet are routine, and many law firms are both particularly inviting targets and especially vulnerable. So determining whether outside counsel has sufficient computer safeguards is a question business clients should routinely ask, according to Corporate Counsel. One expert says 80 major law firms were hacked last year, Bloomberg reports. And in a recent Forbes column, another expert tells a chilling tale of two partners from an unidentified law firm who visit him for advice after discovering that all of their client files have been obtained by China-based hackers. It's difficult not to be victimized in such attacks, which often involve opening an attachment to a seemingly legitimate spoofed email that purports to be from a known individual such as a work colleague, says Alan Paller of the SANS Institute. So corporate clients should ask-and law firms should be prepared to answer-some specific questions about Internet security, another expert tells Corporate Counsel. Among them: Does the law firm keep logs of everyone who has accessed client files and require the use of complex passwords on its work stations and servers? "The issue ends up being that the lawyers are so oriented to the convenient use of computers," says Eric Friedberg, a former federal prosecutor who is now co-president of consultant Stroz Friedberg. "It presents real challenges to pervasively establish a culture of security, because convenience has to be subjugated to secure computer use." For the complete list of computer security questions he recommends that business clients ask their law firms, read the full Corporate Counsel article .

top

UK's High Court for the First Time OKs Service Via Facebook (ABA Journal, 21 Feb 2012) - In a United Kingdom first, the High Court there has agreed to allow a hard-to-locate individual to be served via Facebook in a civil case. Fabio de Biase has been granted 14 days to respond-much more than the norm-to be sure he has enough time to check his Facebook account, the Am Law Daily reports. His former employer, broker TFS Derivatives, is a defendant in a suit brought by investment manager AKO Capital, which claims it has been significantly overcharged. TFS hopes to force de Biase, a derivatives negotiator who managed the relationship between the two companies, to pay a portion of any damages won by AKO. Stories in Legal Week and the Telegraph provide further details. The U.K.'s County Court, as well as courts in Australia and New Zealand, have previously allowed service via the social networking site, and the High Court previously allowed service via Twitter.

top

Pain in the Butt (InsideHigherEd, 22 Feb 2012) - The term "cybersquatting" -- buying and selling Internet domains that correspond with existing brands -- is not the most elegant coinage in the English language. University of Hawaii officials have found that cybersquatters can be tasteless decorators, as well. In January, the university found that somebody had purchased UniversityofHawaii.xxx and was offering to sell the domain on eBay. Earlier this month, the domain went live with photos of nude couples having sex in various Hawaii-like settings, according to Hawaii News Now -- prompting a cease-and-desist letter from university lawyers that has apparently persuaded the site to shut down. Hawaii was the first victim of a virtual land grab for a new category of Web domain that ends with "dot-xxx," a suffix meant to signal pornographic content. The university appears to have successfully persuaded the proprietor of UniversityofHawaii.xxx to shut down the site. But Educause, an influential higher ed technology group, says the new dot-xxx addresses, as well as other newly available "generic top-level domain names" (gTLDs), are turning out to be an unequivocal pain for colleges and universities. "The effects of these initiatives thus far have been modest, but they have been entirely negative. So far as we know, no college or university has benefited from either initiative," wrote Gregory Jackson, vice president of policy at Educause, in blog post on Friday. "Rather, institutions have been exposed to risk and incurred costs without receiving any value in return." After speculating in the fall that colleges and universities had little to fear from the new dot-xxx domains, Jackson began soliciting feedback from institutions in the Educause network to gauge the effects of the new virtual real estate, which became active in December. "Lots [of institutions] looked at the low costs and decided to buy or claim a bunch of domains, usually variations on institution or team names," Jackson told Inside Higher Ed. "A couple were approached by squatters, but ignored them." So far, he says, the University of Hawaii is the only instance of a cybersquatter actually posting porn at a university-themed domain. Because it had allowed its federally registered trademark on "University of Hawaii" to lapse eight years ago, the university was unable to defend against interlopers by reserving "UniversityofHawaii.xxx" last fall during a special pre-registration period. But officials at several universities have pointed out that it would be expensive and difficult to try to block all possible variations on their brand, even if the trademarked phrases were secure. That was Hawaii's rationale for declining to buy up dot-xxx properties even when non-trademarked phrases became available for purchase.

top

Courts Continue to Grapple with Discovery Disputes Around Social Networking Evidence (Eric Goldman, 22 Feb 2012) - Tompkins v. Detroit Metro Airport , 10-10413 (E.D. Mich.; Jan. 18, 2012) This is a slip and fall case where the plaintiff alleges that injuries she suffered at Detroit's Metro airport affected her quality of life and ability to work. Defendant asked plaintiff to release her medical records and records from her Facebook account. She refused as to the Facebook account, arguing that the private portions of her account should not be turned over in discovery. The court says (citing to McMillen v. Hummingbird and Romano v. Steelcase ) that there's no privilege as to information contained in social networking accounts. Access to this information by an opponent in litigation is governed by traditional discovery principles. The court notes that in both Romano and McMillen the plaintiffs made injury claims that were inconsistent with information contained in the public portions of their social networking accounts. The court says that while there is no privilege protecting private (or quasi-private) information in a social networking account, "the [d]efendant does not have a generalized right to rummage at will through information that [p]laintiff has limited from public view." The court says there has to be a threshold showing that "the requested information is likely to lead to the discovery of admissible evidence." [Translation: a standard argument in every personal injury case that the plaintiff must have posted pictures of herself frolicking on the beach will not fly.] Davenport v. State Farm Mutual Auto Ins. , 2012 U.S. Dist. LEXIS 20944 (M.D. Fla; Feb. 21, 2012) Here, the insurance company defendant sent a request to plaintiff seeking all photographs posted to social networking sites, whether posted by plaintiff or by a third party. As in Tompkins, the court says there's no special privilege that attaches to social networking content, but the rules of discovery limit an opponent's ability to request this information. Plaintiff proposed that she be required to produce only photographs taken by her that depict her. She says the photos she has been "tagged" in do not satisfy the Rule 26 relevance standard, but the court disagrees. The court says plaintiff has to produce all photographs which depict her, whether she posted them or she had been tagged in the picture. The court does limit this by saying the default discovery rules only require a party to produce information that is within the party's "possession, custody, or control." The court says this "likely" means that plaintiff will "need to produce only photographs that she posted or in which she was tagged." The court does not offer any additional details on whether material posted to a social networking site is still within that party's "possession, custody, or control." Courts are really all over the place on issues relating to the discovery of information posted to social networks. The decisions grapple with (but none coherently address) the following issues: (1) whether any of the communications are covered under the Stored Communications Act and how this affects discoverability; (2) whether an opponent can obtain direct access a non-party or witnesses social networking site (several decisions have ordered password swaps, waivers, or in-camera reviews); (3) whether the discovery request should be directed to the social network directly or to the party whose information is sought; (4) what threshold showing is required form a party seeking discovery; (5) whether information posted to a social networking site is within the control, possession or custody of the party who posted it (for purposes of Rule 26).

Courts appear perfectly willing to smack down discovery requests that overreach, but continue to struggle with finding a balance and dealing with the logistical issues inherent in these types of discovery disputes.

top

Strengthening Third-Party Contracts to Lower Breach Risks (Dark Reading, 22 Feb 2012) - Details emerged this week that showed that recent Anonymous hacks of Federal Trade Commission (FTC) websites could potentially have been prevented had the FTC not dispensed with security provisions in a contract with the third-party vendors who hosted the sites. As organizations continue to divide labor in IT-particularly in development of public-facing websites-the incident could prove a good lesson in the importance of shoring up contract language and SLAs to ensure third parties are not adding undue risks of data breaches in the future. In the case of the FTC, the federal agency suffered two embarrassing breaches within the last two months. In January, Anonymous attacked the FTC's OnGuardOnline.gov site and this month it again hacked the FTC's Bureau of Consumer Protection site. The websites in question were open to attack due to a failure to patch the server operating systems and applications associated with the site, a weakness that Anonymous took advantage of to publicize its distaste for the Anti-Counterfeiting Trade Agreement (ACTA) backed by the federal government. The sites in question were developed by public relations firm Fleishman-Hilliard, which hosted the sites on resources provided by hosting and cloud services provider Media Temple. The two firms are currently duking it out in a very public finger-pointing spat reported by Ars Technica, which also brought to light the fact that the $1.5 million contract to develop the sites initially included security provisions during the acquisition process but then dropped those requirements. According to John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP, these days such contract omissions are pretty rare, but they still happen. "It's unusual, particularly these days when sensitivity to security and privacy is high, but gaps in functionality like this aren't unheard of," he says. "When dealing with cloud / hosting agreements, any time the supplier isn't responsible for the end-to-end service, and the integration of all of the subsidiary functions provided by third parties, things like this can happen."

top

Two Lawyers Sue West and LexisNexis for Reproducing Legal Briefs (ABA Journal, 23 Feb 2012) - Two lawyers have filed a class action suit claiming West Publishing and Reed Elsevier are violating the copyrights of lawyers by reproducing their lawsuit documents in Westlaw and LexisNexis databases. The plaintiffs, Oklahoma lawyer Edward White and New York City lawyer Kenneth Elan, filed suit on Wednesday in Manhattan federal court. How Appealing links to coverage by the Volokh Conspiracy and the Wall Street Journal Law Blog . White has obtained copyright registration for some of his motions, while Elan has not. They seek to represent two classes of lawyers who have and haven't copyrighted their work. The suit says the publishers charge substantial fees for access to lawyers' work. West, for example, charges $622 a month for solos to access its "All State Briefs" and "All Federal Briefs" databases, the suit says. The Law Blog says the suit "appears to be a novel interpretation of copyright law" while the Volokh Conspiracy says the argument for infringement is "moderately strong." "The question is whether the commercial posting of the briefs is fair use; and fair use law is, as usual, vague enough that there's no clear answer," the Volokh Conspiracy says.

top

Liability and the Cybersecurity Bill (Lawfare, 23 Feb 2012; by Paul Rosenzweig) - In an earlier post about the information sharing provisions of the cybersecurity bill pending in the Senate I highlighted the issue of liability protection and the preemption of State law, musing that those provisions might prove controversial with those who wanted to retain traditional rights of action in State courts. Well, other people have the opposite concern. Gus Coldebella, the former Acting General Counsel of the Department of Homeland Security, thinks that the liability provisions don't go far enough and need to be fixed. Here's the gist of it from the introduction: "[The bill] doesn't sufficiently tamp down potential legal liability for private entities, and in some cases increases it, creating an insurmountable disincentive for companies to voluntarily share cyber information. It leaves owners of critical infrastructure subject to civil litigation and outsized damages if an attack happens, even when they fully comply with the Act's mandates. Before the Act comes out of beta, Congress should debug its liability protection provisions." The entire article is worth a read. More fodder for consideration as the bill moves forward.

top

Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents (Volokh, 24 Feb 2012) - The important decision is In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011 . From the opinion by Judge Tjoflat: "We hold that the act of Doe's decryption and production of the contents of the hard drives would sufficiently implicate the Fifth Amendment privilege. We reach this holding by concluding that (1) Doe's decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions. First, the decryption and production of the hard drives would require the use of the contents of Doe's mind and could not be fairly characterized as a physical act that would be nontestimonial in nature. We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files. We are unpersuaded by the Government's derivation of the key/combination analogy in arguing that Doe's production of the unencrypted files would be nothing more than a physical nontestimonial transfer. The Government attempts to avoid the analogy by arguing that it does not seek the combination or the key, but rather the contents. This argument badly misses the mark. In Fisher, where the analogy was born, and again in Hubbell, the Government never sought the "key" or the "combination" to the safe for its own sake; rather, the Government sought the files being withheld, just as the Government does here. Hubbell, 530 U.S. at 38, 120 S. Ct. at 2044 (trying to compel production of documents); Fisher v. United States, 425 U.S. at 394-95, 96 S. Ct. at 1572-73 (seeking to access contents possessed by attorneys). Requiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind, and the production is accompanied by the implied factual statements noted above that could prove to be incriminatory. See Hubbell, 530 U.S. at 43, 120 S. Ct. at 2047. Hence, we conclude that what the Government seeks to compel in this case, the decryption and production of the contents of the hard drives, is testimonial in character." Also note that the court's analysis isn't inconsistent with Boucher and Fricosu , the two district court cases on 5th Amendment limits on decryption. In both of those prior cases, the district courts merely held on the facts of the case that the testimony was a foregone conclusion. [Editor: extremely important case, and (I believe) the right result. EFF's discussion of the decision is here .]

top

NIST Issues Draft Computer Security Breach Incident Handling Guide (Foley, 27 Feb 2012) - The National Institute of Standards and Technology (NIST) has published for public comment a draft update to a guide [SP 800-61] for organizations managing their responses to computer security incidents such as hacking attacks. The Guide notes that computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. NIST acknowledges that performing incident response effectively is a complex undertaking. Establishing a successful incident response capability requires substantial planning and resources. The Guide is intended to help both established and newly formed incident response teams. Unlike most threats several years ago, which tended to be short-lived and easy to notice, many of today's threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time. The Guide discusses seven (7) requirements and recommendations to enhance the efficient and effective incident response activities. [Editor: see also Revision of SP 800-53 Addresses Current Cybersecurity Threats, Adds Privacy Controls (28 Feb 2012) - To handle insider threats, supply chain risk, mobile and cloud computing technologies, and other cybersecurity issues and challenges, NIST has released Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4 (Initial Public Draft). The document is considered a principal catalog of security standards and guidelines used by federal government agencies that NIST is required to publish by law.

"The changes we propose in Revision 4 are directly linked to the current state of the threat space-the capabilities, intentions and targeting activities of adversaries-and analysis of attack data over time," explained Ron Ross, FISMA Implementation Project Leader and NIST fellow.]

top

Reidentification Theory Doesn't Save Privacy Lawsuit (Eric Goldman, 28 Feb 2012) - CVS Caremark provided consumer data to pharma companies and data brokers. The plaintiffs alleged that the data transfers violated CVS's privacy policies, but CVS apparently disclosed only "de-identified" data as contemplated by HIPAA. Plaintiffs couldn't sue under HIPAA, both because CVS complied with HIPAA and because HIPAA doesn't enable a private cause of action for these violations. Although these facts implicate Sorrell v. IMS , that case didn't come up because the plaintiffs didn't sue under an analogous statute specifically pharmaceutical data transfers. Instead, the plaintiffs sued under Pennsylvania's consumer protection act, claiming that CVS made material misrepresentations in its privacy policies about its data handling. The court dismisses the suit--with prejudice!--on two principal grounds. To salvage the situation, the plaintiffs' lawyer tried to argue that the de-identified information could be re-identified by recipients, but apparently the plaintiffs' lawyer couldn't make the argument very cogently. It seems pretty clear that the lawyer didn't fully understand re-identification--at least, not well enough to explain how it might trump CVS's privacy promises. Thus, the court never really gets to the merits of the re-identification theory, but clearly it did not pique the judge's interest. Presumably the "single journal article" referenced is Paul Ohm's Broken Promises of Privacy article. As we've already seen, privacy plaintiffs' lawyers are avid readers of the privacy scholarly literature, looking for new theories to help them grind their axes. Privacy scholars should be gratified by this practitioner attention. As we know, most law review articles never get read (my mom won't even read mine). As this case illustrates, privacy plaintiffs' lawyers may build their entire cases around the academic literature. Although the re-identification theory doesn't go anywhere in this case, arguably CVS dodged a bullet. Ever since I read Paul's paper, I have been recommending that companies stop making PII/non-PII distinctions in their privacy policies. It was instantly clear to me from reading Paul's paper that plaintiffs could attack a privacy policy's promise not to disclose "PII" using a reidentification theory because we don't reliably know which bits of data can be used to uniquely identify individuals. Indeed, the language CVS used (it wouldn't disclose information that "may identify" consumers) was especially dangerous, because any bit of information, in combination with the right set of other data, has the theoretical capacity to uniquely identify individuals. The plaintiffs' lawyer in this case was sniffing around the issue but didn't nail it; but other cases--especially after goofy rulings like Pineda treating zip codes as PII--will raise the issue better and pose significant danger to defendants. This case is a warning sign that CVS, and everyone else, should carefully reexamine the PII/non-PII distinctions in their privacy policies. Steinberg v. CVS Caremark Corp. , 2012 WL 507807 (E.D. Pa. Feb. 16, 2012)

top

Judge Posner on Searching a Cell Phone Incident to Arrest (Volokh Conspiracy, Orin Kerr, 29 Feb 2012) - I am often filled with a mild sense of both excitement and dread when I learn that Judge Posner has authored an opinion in areas of law that I follow closely. Excitement, because I know it will be fascinating to read. And dread, because I know it will be filled with extensive error-prone dicta on issues not briefed and reasoning that is hard to square with existing precedents. On that score, Judge Posner's opinion today in United States v. Flores-Lopez doesn't disappoint. The issue: When the Fourth Amendment allows the police to search a cell phone incident to arrest. The conclusion: As far as I can tell, Judge Posner seems to have some sort of graduated scale in mind, in which minimally intrusive searches of phones are okay as a routine matter incident to arrest but more extensive searches require more justification or maybe a warrant. * * * Incidentally, my own view is that the best rule for searching cell phones incident to arrest is the Arizona v. Gant rule for automobile searches incident to arrest. That is, searches of electronic storage devices should be allowed under the search incident to arrest exception if there is reason to believe evidence of the crime of arrest will be found on the phone, but not allowed if there is no such evidence. Matching the rule for cars and electronic storage devices makes sense, I think. Both are containers of containers that are used for many purposes, can store a lot of information and evidence, and yet are also often with the person at the time of arrest.

top

NOTED PODCASTS

Aerial Robots Swarm the Stage at TED (ArsTechnica, 2 March 2012; 16 min video) - Vijay Kumar's videos have already been a hit on YouTube, as people have been fascinated to watch swarms of robotic quadrotors perform various feats, like flying through narrow windows and coasting across a room in formation. But Kumar still had a few tricks up his sleeve when he took the stage at TED, and he seized the opportunity to show some serious ways in which aerial robots will change our world. Kumar, however, envisions aerial robots that can fly themselves and carry out their tasks, on their own, or with minimal human input beyond initial design and programming. His drones offload even more of the job of stabilizing their flight to computers that aren't even on-board the copter (a weight and complexity advantage). Once airborne, the entire flight is computer-controlled. [Editor: absolutely enthralling!]

top

Chief Judge Alex Kozinski - The Privacy Paradox: Privacy and its Conflicting Values (Stanford's CIS, 3 Feb 2012; 52 minutes) - [Editor: funny, thoughtful discussion by the Judge about new technologies' impact on privacy law, and several recent cases. I was surprised at some of his remarks - e.g., his praise for an EFF action - which I hadn't expected from a sitting judge.]

top

RESOURCES

Contemporary Issues in Cyberlaw (William & Mitchell Law Review, Feb 2012) - [Editor: entire issue dedicated to cyberlaw; articles by Eric Goldman, Roland Trope, and Sarah Jane Hughes, et al.]

top

Where Are Laws Equal for Men and Women? (The World Bank, Feb 2012) - Women, Business and the Law presents indicators based on laws and regulations affecting women's prospects as entrepreneurs and employees, in part drawing on laws contained in the Gender Law Library. Both resources can inform research and policy discussions on how to improve women's economic opportunities and outcomes.

top

Doing Business Law Library (The World Bank, Feb 2012) - The Doing Business law library is the largest free online collection of business laws and regulations. We link to official government sources wherever possible. Translations are not official unless indicated otherwise. We update the collection regularly but are unable to guarantee that laws are the most recent version.

top

LOOKING BACK - MIRLN TEN YEARS AGO

BBC BANS USE OF NON-MS PDAS (The Register, 30 Jan. 2002) -- The BBC IT department has evidently taken the Microsoft shilling, in some style. Our sources informed us a while back that the company is spending a total of £61 million on Windows upgrades for approximately 24,000 desktops, and now an internal memo leaked to Silicon.com reveals that it has banned staff from using any non-Microsoft PDA with company machines. So BBC staffers using Palms and Psions (Psion, incidentally, is based not a molotov cocktail's throw from Beeb HQ) can deem themselves security threats, and have until summer of next year to switch or stop using them with the company kit. The BBC is actually standardising on PocketPC 2002, claiming that all other PDA platforms are insecure. Microsoft does indeed publicise the security features of of PocketPC 2002, and there is, sort of, a real security issue for IT departments when it comes to PDAs. But it's actually a lot more about BOFH control-freakery than it is really about security. http://www.theregister.co.uk/content/54/23882.html

top

COMCAST SAYS IT RECORDS WEB BROWSING OF ITS 1 MILLION INTERNET SUBSCRIBERS (SiliconValley.com, 13 Feb. 2002) -- Comcast Corp., the nation's third-largest cable company, has started recording the Web browsing activities of each of its 1 million high-speed Internet subscribers without notifying them of the change. Comcast acknowledged Tuesday that it is recording which Web pages each customer visits as part of a technology overhaul that it hopes will save money and speed up its network, but which was not intended to infringe on privacy. Outside experts - including the vendor whose powerful software Comcast is using - said Comcast is recording more information about the online activities of customers than is necessary for the technology enhancements. "It's not needed," said Steve Russell, a vice president for Inktomi Corp. Russell said Inktomi's software also records other information from Comcast subscribers, which can include passwords for Web sites and credit-card numbers under limited circumstances. Russell discounted privacy concerns, saying engineers are using some of the information to improve Comcast performance and that many other Internet devices record data racing across computer networks. But two of the nation's largest Internet providers, America Online and Earthlink, said they purposely do not collect details about the Web browsing of their combined 35 million subscribers. http://www.siliconvalley.com/mld/siliconvalley/2661735.htm

-- and, later that same day --

COMCAST SAYS IT WILL IMMEDIATELY STOP RECORDING CUSTOMER WEB BROWSING (SiliconValley.com, 13 Feb. 2002) -- Comcast Corp., the nation's third-largest cable company, pledged Wednesday to immediately stop recording the Web browsing activities of each of its 1 million high-speed Internet subscribers. Comcast said in a statement that it will stop storing the information ``in order to completely reassure our customers that the privacy of their information is secure.'' Comcast reassured customers Wednesday that the information had been stored only temporarily, was purged automatically every few days and ``has never been connected to individual subscribers.'' http://www.siliconvalley.com/mld/siliconvalley/news/2664051.htm

-- and, the NEXT day we get a different spin --

COMCAST PROMISES NOT TO TRACK SUBSCRIBERS (The Register, 14 Feb. 2002) -- A little brouhaha started last week with a post to the Vuln-Dev mailing list, in which a contributor called J. Edgar Hoover observed that Comcast's cable Internet service was using an Inktomi traffic server capable of recording the comings and goings of its subscribers. Five days later the Associated Press' Ted Bridis got hold of the story and 'broke' it, without bothering to credit his source, apparently in hopes that the world would credit him with this amazing discovery. There isn't actually a great deal to this story beyond speculation, or you'd have read it on the seventh, when J Edgar stepped forward. The questionable equipment isn't necessarily a problem. ISPs and NSPs often use caching hardware to serve pages more quickly and balance traffic loads. The real question here would be 'what is Comcast doing with this information?' And of course our wire drone offers not one shred of evidence that it was being misused -- which would, of course, constitute a story. The upshot of all this hack-fabricated 'controversy' is that Comcast has stated that it wasn't tracking users' surfing habits and wasn't selling user-specific marketing data. The company further issued a guarantee that they won't do any such thing in future. http://www.theregister.co.uk/content/6/24062.html

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA's Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers' submissions, and the editor's discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

No comments: