Saturday, September 29, 2012

MIRLN --- 9-29 September 2012 (v15.13)

MIRLN --- 9-29 September 2012 (v15.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

permalink

NEWS | LOOKING BACK | NOTES

Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses (Congressional Research Service, 6 Sept 2012) - The prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an onboard human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm's way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations, which might include in furtherance of homeland security, crime fighting, disaster relief, immigration control, and environmental monitoring. Although relatively few drones are currently flown over U.S. soil, the Federal Aviation Administration (FAA) predicts that 30,000 drones will fill the nation's skies in less than 20 years. This report assesses the use of drones under the Fourth Amendment right to be free from unreasonable searches and seizures. The touchstone of the Fourth Amendment is reasonableness. A reviewing court's determination of the reasonableness of drone surveillance would likely be informed by location of the search, the sophistication of the technology used, and society's conception of privacy in an age of rapid technological advancement. While individuals can expect substantial protections against warrantless government intrusions into their homes, the Fourth Amendment offers less robust restrictions upon government surveillance occurring in public places and perhaps even less in areas immediately outside the home, such as in driveways or backyards. Concomitantly, as technology advances, the contours of what is reasonable under the Fourth Amendment may adjust as people's expectations of privacy evolve.

top

Copyright Trolls' Bogus "Negligence" Theory Thrown Out Of Court Again (EFF, 6 Sept 2012) - Judges on both coasts of the U.S. have now rejected one of the copyright trolls' favorite tactics - suing an Internet subscriber for "negligence" when someone else allegedly downloaded a movie illegally. Judge Phyllis Hamilton of the Northern California federal court threw out a negligence suit by a Caribbean holding company against a Californian, Joshua Hatfield. The company, AF Holdings, had alleged that Mr. Hatfield allowed unnamed third parties to use his Internet connection to download a pornographic movie using BitTorrent, infringing copyright. Judge Hamilton ruled that Hatfield was not responsible for the actions of strangers. She joins Judge Kaplan of the Southern District of New York, who reached the same conclusions in another case in July. The "negligence" strategy had three fatal flaws, according to the court. First, an Internet subscriber like Mr. Hatfield has no legal duty to police his Internet connection to protect copyright owners like AF Holdings. Second, even if AF had a valid "negligence" claim against Mr. Hatfield under state personal injury law, federal copyright law would override it. This is called preemption. And finally, even if copyright law didn't trump a negligence claim, Section 230 of the federal Communications Decency Act probably would.

top

Sniffing Open WiFi Networks is Not Wiretapping, Judge Says (Ars Technica, 7 Sept 2012) - A federal judge in Illinois has ruled that intercepting traffic on unencrypted WiFi networks is not wiretapping. The decision runs counter to a 2011 decision that suggested Google may have violated the law when its Street View cars intercepted fragments of traffic from open WiFi networks around the country. The ruling is a preliminary step in a larger patent trolling case. A company called Innovatio IP Ventures has accused various "hotels, coffee shops, restaurants, supermarkets," and other businesses that offer WiFi service to the public of infringing 17 of its patents. Innovatio wanted to use packet sniffing gear to gather WiFi traffic for use as evidence in the case. It planned to immediately delete the contents of the packets, only keeping the headers. Still, the firm was concerned that doing so might violate federal privacy laws, so it sought a preliminary ruling on the question. Federal law makes it illegal to intercept electronic communications, but it includes an important exception. It's not illegal to intercept communications "made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." Judge James Holderman ruled that this exception applies to Innovatio's proposed packet sniffing. In the Google Street View case, a California judge had suggested that WiFi communications were not public, even if they were sent without encryption.

top

- and -

'Stingray' Phone Tracker Fuels Constitutional Clash (WSJ, 13 Sept 2012) - For more than a year, federal authorities pursued a man they called simply "the Hacker." Only after using a little known cellphone-tracking device-a stingray-were they able to zero in on a California home and make the arrest. Stingrays are designed to locate a mobile phone even when it's not being used to make a call. The Federal Bureau of Investigation considers the devices to be so critical that it has a policy of deleting the data gathered in their use, mainly to keep suspects in the dark about their capabilities, an FBI official told The Wall Street Journal in response to inquiries. A stingray's role in nabbing the alleged "Hacker"-Daniel David Rigmaiden-is shaping up as a possible test of the legal standards for using these devices in investigations. The FBI says it obtains appropriate court approval to use the device. Stingrays are one of several new technologies used by law enforcement to track people's locations, often without a search warrant. These techniques are driving a constitutional debate about whether the Fourth Amendment, which prohibits unreasonable searches and seizures, but which was written before the digital age, is keeping pace with the times. On Thursday the government will argue it should be able to withhold details about the tool used to locate Mr. Rigmaiden, according to documents filed by the prosecution. In a statement to the Journal, Sherry Sabol, Chief of the Science & Technology Office for the FBI's Office of General Counsel, says that information about stingrays and related technology is "considered Law Enforcement Sensitive, since its public release could harm law enforcement efforts by compromising future use of the equipment." A stingray works by mimicking a cellphone tower, getting a phone to connect to it and measuring signals from the phone. It lets the stingray operator "ping," or send a signal to, a phone and locate it as long as it is powered on, according to documents reviewed by the Journal. The device has various uses, including helping police locate suspects and aiding search-and-rescue teams in finding people lost in remote areas or buried in rubble after an accident.

top

- and -

Do Users of Wi-Fi Networks Have Fourth Amendment Rights Against Government Interception? (Volokh Conspiracy, Orin Kerr, 24 Sept 2012) - Here's the question: Does governmental interception and analysis of the contents of a person's wi-fi traffic constitute a Fourth Amendment search? And does it depend on whether the traffic is encrypted or unencrypted? The answer turns out to be surprisingly murky. Because the Wiretap Act has been thought to protect wireless networks, the Fourth Amendment issue has not come up: There's a surprising lack of caselaw on it. Second, there are plausible arguments on either side of the debate both for encrypted and unencrypted transmissions. So I wanted to run through the arguments and then ask which side readers find more persuasive. I'll start with unencrypted communications and then turn to encrypted communications * * * [Editor: the author, Orin Kerr, is the leading authority on the Third-Party Doctrine, and reliably working to protect and expand it; after several paragraphs, he produces this gem:] Decrypting ciphertext may seem like unlocking a locked communication, but the ciphertext is actually already exposed: Decryption is a matter of analyzing that which has been already exposed rather than bringing new things into view. From that perspective, decryption is not a search. I made this argument in an early article that I think I still find persuasive: The Fourth Amendment in Cyberspace: Can Encryption Create a Reasonable Expectation of Privacy?, 33 Conn. L. Rev. 503 (2001) . Readers are invited to read the whole article to understand the full argument (it's relatively short) * * *

top

The Constitution Project's New Report on Fusion Centers (Lawfare, 11 Sept 2012) - The Constitution Project today released a new report titled Recommendations for Fusion Centers: Preserving Privacy & Civil Liberties While Protecting Against Crime & Terrorism . In the wake of the 9/11 attacks, the federal government worked with states and some major cities to develop a network of these centers (there are now nearly 80 of them), to share information among law enforcement and some intelligence agencies. The report summarizes their development and the complex web of laws that apply to their activities, analyzes civil liberties and effectiveness issues, and recommends reforms to this set of programs.

top

Lawsuit Says Phone Companies Gouged FBI on Wiretaps (GigaOM, 11 Sept 2012) - A former New York prosecutor, John Prather, claims AT&T, Verizon, Qwest and Sprint regularly charged law enforcement agencies 10 times what they should have for routine wiretaps. He's now suing on behalf of the FBI and state and city police departments to recover many millions of dollars for overcharging that allegedly took place for almost 20 years. The case provides a window on the evolving world of wiretaps during an era of increasing surveillance. But the case is complicated because Prather stands to get a big chunk of money if the case succeeds and, as the phone companies argue, he may not be a real whistle-blower in the first place. Congress, realizing that it would be expensive for phone companies to make their equipment CALEA-compliant, authorized $500 million to help them carry out the upgrades. The law also permitted the companies to recover "reasonable" costs for carrying out wiretaps. It's those "reasonable" costs that are the basis of the lawsuit.

top

Wyndham Hotels Tries To Boot FTC From Its Premises (Steptoe, 13 Sept 2012) - Wyndham Hotels & Resorts LLC earlier this month filed a motion to dismiss a Federal Trade Commission complaint, contending that the FTC does not have the authority to regulate the data security practices of private companies. The FTC's complaint alleges that the hospitality company violated the FTC Act, which prohibits "unfair and deceptive acts or practices," by not maintaining "reasonable and appropriate" data security measures. In its motion to dismiss, Wyndham asserts that "[n]othing in the text or history of Section 5 purports to give the Commission authority to decide whether data-security protections are 'unfair,' 'reasonable,' or appropriate." While the FTC has been using Section 5 to bring an increasing number of enforcement actions against private companies based on apparent data privacy or security lapses, companies invariably settle the actions, leaving the FTC's authority unchallenged. We may now finally get to see what a court thinks of the FTC's expansive interpretation of its statutory authority.

top

Florida Court: Lawyers And Judges Should Not Be Facebook Friends (JD Supra, 13 Sept 2012) - Can't lawyers and judges just be "friends?" Apparently not, so ruled Florida's Fourth District Court of Appeal last week in Domville v. State, No. 4D12-556 (Fla. 4th DCA 2012). The Fourth District's decision is seemingly the first of its kind since the Florida Judicial Ethics Advisory Committee issued an opinion in November 2009 forbidding judges from accepting "social networking" friendships from lawyers who may appear before them. In Domville, a criminal defendant moved to disqualify the trial judge whom the defendant alleged was a Facebook friend of the prosecutor assigned to the case. The defendant supported his motion with an affidavit averring that this "Facebook relationship" caused the defendant to believe that the judge could not "be fair and impartial." The defendant further explained that he was a Facebook user and that his "friends" consisted "only of [his] closest friends and associates, persons whom [he] could not perceive with anything but favor, loyalty and partiality." On appeal, the Domville court quashed the trial court's order denying disqualification of the trial judge and, in so doing, gave the Advisory Committee's opinion much credence: "as the [Advisory] Committee recognized, a judge's activity on a social networking site may undermine confidence in the judge's neutrality." The Advisory Committee further admonished this practice because "the identification of the lawyer as a 'friend' on [a] social networking site [improperly] conveys the impression that the lawyer is in a position to influence the judge."

top

The Ethics of Cloud Computing for Lawyers (ABA GP/Solo eReport, 17 Sept 2012) - Can you legally use cloud computing in a law-firm environment? What are best practices if you use cloud computing? Of course, many ethical issues arise when lawyers seek to store confidential client data on servers to which third parties have access. It's not surprising, then, that over the last few years a number of ethics committees have wrestled with the ethical issues presented when lawyers seek to use cloud computing in their law practices. Those committees have released the following opinions: North Carolina State Bar Council 2011 Formal Ethics Opinion 6, Massachusetts Bar Association Ethics Opinion 12-03 , Oregon State Bar Formal Opinion No. 2011-188 , Professional Ethics Committee of the Florida Bar Op. 10-2 (2011), New York State Bar Association's Committee on Professional Ethics Op. 842 (2010), Pennsylvania Bar Association Ethics Opinion No. 2010-060 (2010), and Iowa Committee on Practice Ethics and Guidelines Ethics Opinion 11-01 (2011). Thus far, US ethics commissions have determined that it is ethical for lawyers to use cloud computing, with most concluding that lawyers must take reasonable steps to ensure that their law firm's confidential data is protected from unauthorized third party access. The Iowa opinion, Ethics Opinion 11-01 , handed down in September 2011, is illustrative and offers a well-balanced and thorough analysis of a lawyer's ethical obligations when using cloud computing platforms to store confidential client data. For a full list of the ethics opinions from the various jurisdictions, you can refer to an online chart recently published by the ABA. This handy chart compares and contrasts the different holdings and can be found here .

top

Could a Workplace Social Network Replace Email and Phone? One Agency Thinks So (NextGov, 14 Sept 2012) - The National Nuclear Security Administration plans to roll out a workplace social network next spring that will replace much of the agency's emailing and phone calls, Chief Technology Officer Travis Howerton said Friday. The platform, called One Voice, is a pilot that other divisions of the Energy Department may adopt in the future, Howerton said at a breakfast discussion about federal technology policy sponsored by the Association for Federal Information Resources Management, a government-industry partnership. The initial launch will be for NNSA's roughly 45,000 employees and contractors. Howerton described the social networking program as similar to Facebook in that there will be a broadly accessible layer that everyone in the system can look at as well as numerous subcommunities for people in particular divisions or with certain expertise. Accessing the site will require extensive authentication, he said. Additional authentication will be required for specific communities that discuss sensitive information, he said. The social networking platform will include embedded systems for instant messaging, Web conferencing and other tools, he said. A social information exchange rather than a one-to-one email exchange will help employees to filter out more extraneous information and will reduce the pressure to send unnecessary responses, he said. It also will bring useful participants into a conversation that an emailer might not have thought to include and filter out those who are extraneous, he said. The system will archive all information so less institutional knowledge will be lost when an employee leaves the agency or changes jobs, he said.

top

Dutch Court Rules Linking to Photos is Copyright Infringement (ArsTechnica, 14 Sept 2012) - A Dutch court has ruled that the website GeenStijl infringed copyright by linking to unauthorized copies of nude pictures of reality star Britt Dekker. The pictures originally appeared in the Dutch version of Playboy magazine. According to the Associated Press, the website has been ordered to pay €28,400 ($36,000) and will face further fines if it does not remove the links. Linking generally does not constitute copyright infringement in the United States. However, the US government has begun prosecuting the operators of "link sites" that contain large numbers of carefully organized links to infringing content.

top

Cybersecurity Bill: Why Senator is Taking His Case Straight to Top CEOs (CSM, 19 Sept 2012) - Seeking to overcome opposition from the US Chamber of Commerce and other business groups to a cybersecurity bill, Sen. Jay Rockefeller (D) of West Virginia took the unusual step Wednesday of writing the CEOs of the 500 largest US companies to request their views on cybersecurity and the legislation aimed at protecting the nation's critical infrastructure from computer attacks. Senator Rockefeller wrote a day after two other Senate Democrats, Chris Coons of Delaware and Richard Blumenthal of Connecticut, wrote a joint letter to President Obama calling on him to issue an executive order aimed at protecting critical infrastructure from cyberattack. Rockefeller and Sen. Diane Feinstein (D) of California also have called for presidential action. Recipients of Rockefeller's letter included Virginia Rometty, CEO of IBM, as well as the chiefs of ExxonMobil, Wal-Mart, General Electric, Ford and big utility companies. But the mailing list also sent it to many company chieftans whose cybernetworks are unlikely to be vital to the nation's welfare. While Rockefeller has in the past polled small groups of businesses, it was apparently the first time detailed views on this subject were being requested en masse. Responses to such letters are purely voluntary, but usually receive thoughtful replies, according to a spokesman for the Senate Commerce, Science and Transportation committee where Rockefeller serves as chairman. Rockefeller's letter appeared aimed at building an independent assessment of business viewpoints that might defuse lobbying that many blamed for the failed vote. One such letter (to IBM) is here .

top

Data Breach Insurance Coverage Lawsuit Highlights Necessity for Cyber Liability (Scott & Scott LLP, Sept 2012) - In August of 2012, the Sixth Circuit ruled on a case that determined who is responsible for the costs associated with loss of data arising from a hacking incident in Retailer Ventures, Inc. v. Nat'l Union Fire Ins. Co., -- F.3d --, 2012 WL 3608432 (6th Cir. Aug. 23, 2012). In this matter, DSW Shoe Warehouse was targeted by computer hackers who successfully accessed their systems and harvested the credit card and checking account information for more than 1.4 million DSW customers. In its efforts to conduct thorough investigations into the incident and comply with the numerous state and federal data breach notification requirements, DSW incurred expenses of more than $5M. DSW sought to offset these costs (which, by the way, are not at all atypically large for a data breach of this size), by making a claim on its insurance policy under an endorsement called "Computer & Funds Transfer Fraud Coverage." While this endorsement may seem like a no-brainer policy to make a data breach claim under, the language of the policy provided coverage for loss "resulting directly" from theft as a result of computer fraud. Here, however, the insurance provider refused to cover the loss, claiming that any loss sustained did not "result directly" from the hacking event. On appeal, the Sixth Circuit affirmed the lower court's award in favor of DSW that the insurance provider had breached the contract with DSW when it refused to cover DSW's claim as the language of the policy was ambiguous, and thus should be construed in a light most favorable to the non-drafting party. While DSW ultimately prevailed, this case highlights how important it is to have a cyber liability policy in place that is written to specifically cover the costs associated with a data breach event. When forced to rely on non-cyber liability endorsements, the insured may find itself having to engage in legal gymnastics to argue that it is entitled to coverage of associated breach costs. Even for events involving a fraction of the number of users, costs can quickly extend to the 6 figures and beyond. If your company routinely handles sensitive customer information, be sure you and your vendors have cyber liability policies in place to cover the costs related to these unfortunate events.

top

- but -

Don't Waste Your Money On Cyber Breach Insurance (Dark Reading, 26 Sept 2012) - As an increasing number of businesses are starting to look at cyber breach insurance as a tool to mitigate the risks of data breaches, IT security pros need to be prepared to help their organizations avoid the hazards of choosing a policy that may not pay out when the worst occurs. Chief among the biggest pitfalls? Trying to use insurance as a financial replacement for investment in sound protection of databases and other data security infrastructure. "These insurance policies can't eliminate risk, they can only help you control and minimize it," says Rich Santalesa, senior counsel for Infolaw Group. "It's really one arrow in the quiver of those dealing with today's cyber risks and some of the liabilities that can spring from them." One of the difficulties in shopping for one of these policies is the fact that cyber insurance is so new and is like no other insurance, says John Nicholson, an IT sourcing, privacy and data security attorney based out of the Washington, D.C. area. "If you demonstrate that you're a really good driver, then your car insurance rates go down," he says. "In the cyber world, it's not quite there yet because people just don't know what those profiles are and how to accurately evaluate those levels of risk." Because the insurance companies are themselves still taking baby steps into the market, the process of even just applying for one of these policies may actually provide one of the biggest parts of the breach insurance value proposition, Nicholson says. "So they don't get blindsided by something in their clients' environments, the application process of these insurance policies is actually pretty extreme," he says. "They actually force you to go through a rigorous process to evaluate and disclose your own cybersecurity practices. That exercise in and of itself is very valuable."

top

Eleventh Circuit Rules "Damages" Properly Alleged in Data Breach-Identity Theft Lawsuit (Information Law Group, 17 Sept 2012) - In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft. The Court's opinion, decided under Florida law, gives crucial guidance to plaintiffs seeking damages for identity theft caused by a data breach and to defendants seeking to defend against such claims. See Curry v. AvMed, Inc. , No. 11-13694, 2012 WL 2012 WL 3833035, - F.3d -- (11th Cir. Sep. 5, 2012) . After amending their complaint several times, the plaintiffs alleged that AvMed was negligent in protecting their sensitive information; was negligent per se when it violated Fla. Stat. § 695.3025, which protects medical information; breached its contract (or alternatively, implied contract) with Plaintiffs; were unjustly enriched; breached the implied covenant of good faith and fair dealing; and breached the fiduciary duty it owed to Plaintiffs. The federal district court dismissed the case for failure to state a cognizable injury. On appeal, the circuit court held that allegations of identity theft that caused monetary damages - an issue of first impression in the Eleventh Circuit - are an injury in fact sufficient to confer Article III standing. The court also added that allegations of monetary loss are cognizable under Florida law for damages in contract, quasi-contract, negligence, and breach of fiduciary duty.

top

Feds Charge Activist with 13 Felonies for Rogue Downloading of Academic Articles (Wired, 18 Sept 2012) - Federal [prosecutors] added nine new felony counts against well-known coder and activist Aaron Swartz, who was charged last year for allegedly breaching hacking laws by downloading millions of academic articles from a subscription database via an open connection at MIT. Swartz , the 25-year-old executive director of Demand Progress , has a history of downloading massive data sets, both to use in research and to release public domain documents from behind paywalls. He surrendered in July 2011, remains free on bond and faces dozens of years in prison and a $1 million fine if convicted. Like last year's original grand jury indictment on four felony counts , (.pdf) the superseding indictment (.pdf) unveiled Thursday accuses Swartz of evading MIT's attempts to kick his laptop off the network while downloading millions of documents from JSTOR, a not-for-profit company that provides searchable, digitized copies of academic journals that are normally inaccessible to the public. Using a program named keepgrabbing.py, the scraping took place from September 2010 to January 2011 via MIT's network, and was invasive enough to bring down JSTOR's servers on several occasions, according to the indictment. In essence, many of the charges stem from Swartz allegedly breaching the terms of service agreement for those using the research service. "JSTOR authorizes users to download a limited number of journal articles at a time," according to the latest indictment. "Before being given access to JSTOR's digital archive, each user must agree and acknowledge that they cannot download or export content from JSTOR's computer servers with automated programs such as web robots, spiders, and scrapers. JSTOR also uses computerized measures to prevent users from downloading an unauthorized number of articles using automated techniques." MIT authorizes guests to use the service, which was the case with Swartz, who at the time was a fellow at Harvard's Safra Center for Ethics. The case tests the reach of the Computer Fraud and Abuse Act , which was passed in 1984 to enhance the government's ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality. The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website's terms of service or a company's computer usage policy, a position a federal appeals court in April said means "millions of unsuspecting individuals would find that they are engaging in criminal conduct." The 9th U.S. Circuit Court of Appeals, in limiting reach of the CFAA, said that violations of employee contract agreements and websites' terms of service were better left to civil lawsuits.

top

Library of Congress Unveils New Bill-Tracking Site to Replace THOMAS (Hillicon Valley, 19 Sept 2012) - The Library of Congress on Wednesday unveiled Congress.gov, a new site that will allow members of the public to learn about past and pending legislation. The site, which offers bill summaries, bill texts and vote tallies, will eventually replace THOMAS, Congress's current legislative database. Congress.gov offers a host of improvements over the old service. The site is now accessible on mobile devices and features live and archived video of floor debates. The Library of Congress also cooperated with the House and Senate to provide profiles and biographical data of every member of Congress, along with information on all the bills they have introduced. The new site features a dramatically overhauled search engine, which allows users to search across numerous years. THOMAS required users to specify a particular congressional session. Search results are now sorted by relevance instead of bill number. Users can narrow the results by choosing to view measures only from particular parties, committees, years or other categories. Congress.gov also features multimedia presentations on the legislative process and provides a glossary of legislative terms.

top

Comprehensive Risk Assessment Guidance for Federal Information Systems Published (NIST, 20 Sept 2012) - Risk assessment is the topic of the newest special publication from the National Institute of Standards and Technology (NIST). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1), an extensive update to its original 2002 publication, is the authoritative source of comprehensive risk assessment guidance for federal information systems, and is open for public comments through November 4. "Risk assessments can help federal agencies effectively evaluate the current threat, organizational and information system vulnerabilities, potential adverse impacts to core missions and business operations-using the results to determine appropriate risk responses," said NIST Fellow Ron Ross. Overall guidance on risk management for information systems is now covered in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), issued last March.* The updated SP 800-30 now focuses exclusively on risk assessments, one of the four steps in risk management, says Ross.

top

Company Computers are Not SCA 'Facilities' (Steptoe, 20 Sept 2012) - A former employee who remotely accessed company computers over 125,000 times in order to transmit spyware and monitor network communications did not violate the Stored Communications Act (SCA). The U.S. District Court for the Southern District of Ohio ruled last week in Freedom Banc Mortgage Services, Inc., v. O'Harra that while the former employee's actions did violate the Computer Fraud and Abuse Act, they did not violate the SCA because the company network did not constitute an electronic communications "facility" within the meaning of the SCA. This reading of the SCA conflicts with a number of other federal district court rulings, which have held that the statute covers private servers.

top

Six Ventures Bring Data to the Public as Winners of Knight News Challenge (Knight Foundation, 20 Sept 2012) - Six media innovation ventures that make it easier to access and use information on local communities, air quality, elections, demographics and more received a total of $2.22 million today as winners of the Knight News Challenge: Data. The data challenge, one of three launched by the John S. and James L. Knight Foundation this year, accelerates projects with funding and advice from Knight's network of media innovators. For the data round, Knight Foundation sought ideas that make the large amounts of information produced each day available, understandable and actionable. "The winning projects go well beyond collecting data to unlocking its value in simple and powerful ways, so journalists can analyze numbers and trends, and communities can make decisions on issues important to them," said Michael Maness, vice president for journalism and media innovation at Knight Foundation.

  • Safecast: Creating a community of citizen and professional scientists to measure and share data on air quality in Los Angeles and other U.S. cities. The air quality effort is inspired by Safecast's success in providing radiation data following Japan's 2011 nuclear disaster.
  • LocalData : Providing a set of tools that communities can use to collect data on paper or via a smartphone app, then export or visualize the data via an easy-to-use dashboard. The city of Detroit has used the tools, created by Code for America fellows, to track urban blight.
  • Open Elections : Creating the first freely available, comprehensive source of U.S. election results, allowing journalists and researchers to analyze trends that account for campaign spending, demographic changes, legislative track records and more. Senior developers from The Washington Post and The New York Times lead the project.
  • New Tools for OpenStreetMap : Launching tools that make it easier for communities to contribute to OpenStreetMap, the community-mapping project used by millions via foursquare and Wikimedia and becoming a leading source for open, street-level data. DevelopmentSeed will create the tools.
  • Pop Up Archive : Taking multimedia content - including audio, pictures and more - from the shelf to the Web, so that it can be searchable, reusable and shareable. Founded by University of California grad students and SoundCloud Fellows , the project beta tested by helping archive the collection of the independent, Peabody-winning production team the Kitchen Sisters.
  • Census.IRE.org : Providing journalists and the public with a simpler way to access Census data, so they can spend less time managing the information and more time analyzing it and finding trends. The project is led by a senior developer from the Chicago Tribune in partnership with Investigative Reporters and Editors (IRE) .

top

Attorney Had Implied, Irrevocable License to Use Complaint Allegedly Drafted by Former Client (Wolters Kluwer IP Law Daily, 21 Sept 2012; subscription required) - Because an attorney had an implied license to use a complaint allegedly drafted and copyrighted by a former client during the course of litigation in which the attorney continued to represent other clients, the former client's copyright suit based on the attorney's filing of an allegedly infringing second complaint in the earlier suit was rejected by the federal district court in Brooklyn ( Unclaimed Property Recovery Service, Inc. v. Kaplan, September 20, 2012, Marbley, A. ). The court declined to address the "novel" question of whether a legal complaint qualifies for copyright protection. The attorney, Norman Kaplan, represented Unclaimed Property Recovery Service (NPRS), its manager Bernard Gelb (not an attorney), and others in a class action against Chase Manhattan Bank. After Kaplan resigned as attorney for NPRS and Gelb in the class action but continued to represent other plaintiffs, Gelb obtained certificates of registration from the U.S. Register of Copyrights for the first complaint and exhibits. After Kaplan filed the second complaint in the class action, Gelb and UPRS brought this suit seeking statutory damages for copyright infringement and a permanent injunction against Kaplan's copying or republishing of the first class action complaint. Kaplan contended that the first complaint and exhibits did not qualify for copyright protection because they contained only facts. The court, however, found it unnecessary to address this novel question. Even assuming that the first complaint and exhibits qualified for copyright protection were substantially similar to the second complaint and exhibits, Kaplan had an implied license that was a complete defense to the claim of copyright infringement, the court held. Gelb and UPRS conceded that Kaplan had a license to the file the first complaint and exhibits. A client who assists in the preparation of a legal document, and hands it over to his attorney for filing, impliedly gives the attorney license to use the document through the course of the litigation, the court observed.

top

Louboutin's Soles are Red, Tiffany Boxes are Blue (Baker Hostetler, 24 Sept 2012) - Single color trademarks are registerable, protectable, and enforceable. So held the Second Circuit in its long awaited decision in the Christian Louboutin SA v. Yves Saint Laurent America Holding Inc. case. In doing so, the Second Circuit rejected the District Court's finding that Christian Louboutin's trademark on red-soled shoes may be invalid in itself and that single color trademarks in the fashion context were unenforceable. In light of the fact that the District Court was inclined to cancel Louboutin's registration, the Second Circuit's decision represents a victory for Louboutin and other designers, as well as purveyors of any goods or services that seek to utilize upon a single color as a trademark. The Second Circuit overturned the District Court's holding that barred a single color serving as a trademark in the fashion industry. Citing a prior Supreme Court opinion on the subject, Qualitex Co. v. Jacobson , 514 U.S. 159, 34 USPQ2d 1161 (1995), the Court explained that "the Supreme Court specifically forbade the implementation of a per se rule that would deny protection for the use of a single color as a trademark in a particular industrial context." See Opinion . The Second Circuit did explain that a single color almost never would be inherently distinctive, and therefore could only become a trademark if it acquired secondary meaning. The Court also rejected the District Court's suggestion of a fashion industry specific rule.

top

First NLRB Decision on Employer Social Media Policies (Employer Law Report, 24 Sept 2012) - Employers adopting social media policies have to consider whether they would be struck down by the National Labor Relations Board (NLRB) if challenged as invalid under Section 7 of the National Labor Relations Act. Section 7 protects the rights of union, as well as non-union, employees to communicate at or away from work about terms and conditions of employment. Citing a desire to provide guidance to employers regarding workplace regulation of employee use of social media, the chief lawyer for the NLRB (its "General Counsel") issued guidance reports in August 2011 , January 2012 and May 2012 to show what sorts of social media policies the General Counsel believes violate Section 7. The NLRB considers but is not bound by the General Counsel's guidance when issuing decisions. Until recently, the NLRB itself had not had occasion to issue a decision on a social media policy. 

In Costco Wholesale Corporation (NLRB Case No. 34-CA-012421) , the NLRB considered a social media policy for the first time. The NLRB invalidated portions of Costco's policies and in doing so signaled that it will probably track closely with the General Counsel's guidance when reviewing social media policies. That means a very aggressive review and the likelihood that policies which are not drafted narrowly and carefully will be struck down. Reviewing an unfair labor practice charge filed by the United Food and Commercial Workers' Union challenging various Costco employee handbook policies, the NLRB considered the following two policies which relate to social media use * * *

top

A New Issue For Bitcoin: Crypto Key Disclosure (TechDirt, 24 Sept 2012) - The debate is still raging whether Bitcoin is a brilliant idea that will revolutionize business and society, a high-tech money laundering scheme, or just a fad that will soon pass into history. But in a fascinating post, Jon Matonis points to a problem that doesn't really seem to have been considered before: " Key disclosure laws may become the most important government tool in asset seizures and the war on money laundering. When charged with a criminal offense, that refers to the ability of the government to demand that you surrender your private encryption keys that decrypt your data. If your data is currency such as access control to various amounts of bitcoin on the block chain, then you have surrendered your financial transaction history and potentially the value itself." That's no mere theoretical issue in countries like Australia , South Africa and the UK that already have such key disclosure laws.

top

NBC Unpacks Trove of Data From Olympics (NYT, 25 Sept 2012) - [M]ore than 50,000 [people participated] in a dozen studies conducted by Comcast's NBCUniversal unit as part of its so-called Billion Dollar Research Lab. The research did not cost $1 billion, but NBCUniversal paid more than four times that sum in 2011 to broadcast the Olympics through 2020. As part of that giant tab, the media company gets an exceptional opportunity to study viewers' behavior. The findings of the studies, shared with The New York Times, revealed vast shifts in the way people watched the Games this year compared with the Olympics in Vancouver in 2010 and in Beijing in 2008, and they offered insight into how television will further evolve into a multiplatform experience. Think of it as the world's largest "sandbox" in which media researchers can play, said Alan Wurtzel, president of research and media development at NBCUniversal. "It gives us a glimpse into the future." For research wonks there's no event quite like the Olympics. Roughly 217 million people in the United States watched the London Games, making it the most watched television event in history. And unlike other big, live events like the Super Bowl or the Academy Awards, the Olympics offer researchers a prolonged, 17-day period during which to study behavior. That sandbox showed that eight million people downloaded NBC's mobile apps for streaming video, and there were two billion page views across all of NBC's Web sites and apps. Forty-six percent of 18- to 54-year-olds surveyed said they "followed the Olympics during my breaks at work," and 73 percent said they "stayed up later than normal" to watch, according to a survey of about 800 viewers by the market research firm uSamp. The results signaled vast changes from just two years ago in Vancouver, when tablets and mobile video streaming were still in their infancy. The two most streamed events on any device during the London Olympics, the women's soccer final and women's gymnastics, surpassed all the videos streamed during the Vancouver Olympics combined. The growing number of viewers who own tablets will only lead to more streaming. "That's clearly a glimpse of where tablets are going," Mr. Wurtzel said. Thinking ahead to the Winter Olympics in Sochi, Russia, in 2014 and to the Summer Games in Rio de Janeiro in 2016, he added: "All bets will be off as the price of tablets goes down." But perhaps the most important results for NBC's business interests were its findings that the deluge of online viewing options did not cannibalize the coveted prime-time audience, Mr. Wurtzel said.

top

Your Smartphone Is Listening To You Sleep (Fast Company, 25 Sept 2012) - Last week Siri, Apple's voice-commanded digital assistant, got an upgrade that gave her many new powers. But developments in voice recognition tech across all kinds of devices mean that your next-next-gen smartphone will easily surpass Siri's passive listening skills and turn it, and systems like it, into chat-happy, always-on life mates. Nuance is the company behind many of the innovations in voice recognition, and may or may not have played a part in the latest iteration of Siri, which grew out of SRI International. The recent advances in voice tech are partly due to developments in the core technology of voice recognition and partly due to Nuance's clever choice to make a database of millions of bits of real speech from its users, which it can use to train and optimize its algorithms--even to the point of better understanding different dialects. This week the company's chief technology officer Vlad Sejnoha revealed that Nuance has been working with chip manufacturers to give smartphones an amazing new voice-command power. Nuance wants to give phones the power to listen to you when they're otherwise "asleep." The scenario Nuance's CTO imagines is that in the future your phone will always be listening. So your phone is quietly sitting there, sipping at battery power so it doesn't consume that precious resource, until you ask it when your next meeting is, or if it can text your partner or if it's going to rain later. The benefits are obvious, says Sejnoha--there's less of a barrier to using it because you don't have to turn on the device, and indeed if a strong mic is involved, you won't even have to be near it. Nuance is even working on making its system better at isolating a user's voice from background chatter so you could even drop it into conversations with your friends, throwing a question at your smartphone even while talking to other people in a noisy environment.

top

Dead Model's Parents Can't get Facebook Messages, Judge Says (GigaOM, 27 Sept 2012) - A California judge has shut down a U.K. couple's attempt to obtain the Facebook messages of their daughter, a 23-year-old model who died in a mysterious tragedy. The judge's decision highlights, once again, growing questions over privacy and how to handle social media after we die. The California case turns on Sahar Daftary, a former "Face of Asia" winner, who fell 150 feet from the balcony of a luxury apartment in Manchester. Her parents had asked Facebook for her messages in the hopes they would shed light about how and why she died. But in his ruling last week, Judge Paul Grewal quashed the request after Facebook argued that turning over the messages could violate federal privacy laws. Daftary's mother had argued that, as the executor of her daughter's will, she had a right to access Sahar's Facebook account. But Facebook pointed to a law called the Stored Communications Act that forbids companies from sharing users' emails without their permission. The judge sided with Facebook. Both sides have a point here. On one hand, family members may want to learn more about a loved one's last days. But on the other, Facebook is right to worry about privacy laws. Facebook and other companies are probably also keen to avoid getting caught in the middle of a fight between relatives (or, worse, insurance companies) over a dead person's profile. Finally, there is the issue of what the dead person themselves would have wanted. As social media lawyers Venkat Balasubramani and Eric Goldman point out , what if the departed want to take their Facebook secrets to the grave?

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

FOLLOW YOUR LENT BOOK ON THE INTERNET (Houston Chronicle, 23 July 2002) -- Scenario No. 1: You read a book. It's a wonderful read. You tell a few people about the book. You might even let a friend borrow it. But the book eventually ends up on your bookshelf, where you can admire it. Scenario No. 2: You read a book. It's a wonderful read. Instead of letting it collect dust on your shelf, you leave your book in some public place so other people can read it. The Internet allows you to follow its path forever. Which scenario appeals to you? If the second one sounds intriguing, make your way to BookCrossing (www.bookcrossing.com) and become a member of a worldwide book community. BookCrossing works like this: First, read a good book. Second, register the book at the Web site along with your comments. You get a BookCrossing identification number. You can download a label, write the number on it and affix it to the book. Or you can write it on a bookmark or include it in a handwritten note. Third, "release" the book to a friend, donate it to charity, "forget" it on an airplane or bus or leave it in a restaurant. The label or your note will tell people to go to the Web site and add their comments, then pass the book on when they've read it. Each time someone records a journal entry on your "released" book, you will be notified by e-mail. When you drop off a book, you also can enter "Release Notes" on the location, and others can go hunting for it. As of Monday, there were 13,499 books "in the wild" in the United States, including 73 in Houston, five at Bush Intercontinental Airport, three in Baytown, four in Galveston and 18 in The Woodlands. [Editor's note: first-sale doctrine; "fair use"; important principles that will suffer continued challenge.]

top

YALE ACCUSES PRINCETON OF HACKING (Salon.com, 26 July 2002) -- Yale University complained to the FBI on Thursday that admissions officials at Princeton hacked into a Yale Web site that was set up for prospective students. Yale said it found 18 unauthorized log-ins to the Web site that were traced back to computers at Princeton, including computers in the admissions office. "We're assessing the information to see if there is a federal violation," FBI spokeswoman Lisa Bull said. The head of admissions at Princeton said the school just checked the site to see how secure it was. Princeton gained access by looking up students who had applied to both schools [using birthdates and social security numbers to gain entry]. "It was really an innocent way for us to check out the security," Stephen LeMenager, Princeton's dean of admissions, told the Yale Daily News, which broke the story Thursday in its online edition. "That was our main concern of having an online notification system, that it would be susceptible to people who had that information -- parents, guidance counselors, and admissions officers at other schools." Yale said Princeton's actions violated the privacy of the students. http://www.salon.com/tech/wire/2002/07/25/yale_princeton/index.html?

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

No comments: