MIRLN --- 17 March - 6 April 2013 (v16.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
NEWS | RESOURCES | BOOK REVIEW | LOOKING BACK | NOTES
- Investors Demand Cyber Security Transparency
- Are Governments Ready to be Buyers of Cybersecurity Insurance?
- Which Encryption Apps Are Strong Enough to Help You Take Down a Government?
- Court Rules That Prosecutors Can Use E-mail Sent by Personal Attorney to Employee's Work Account
- Who Owns a MOOC?
- Justice Dept. Drops Fight Against Tougher Rules to Access E-Mail
- Minnesota Modifies Liberal Open Records Law to Make Car Location Data Private
- In Depth: The District Court's Remarkable Order Striking Down the NSL Statute
- Supreme Court Sides with Bookseller in Major Copyright Ruling, Says Resale is OK
- Courses, Facebook, and Secret Groups
- Whole Internet Probed for Insecure Devices
- Michigan's Internet Privacy Protection Act
- AP Wins Big: Why a Court Said Clipping Content Is Not Fair Use
- A Libertarian Nightmare: Bitcoin Meets Big Government
- First Amendment Protects Online Republication of Court Records
- The Dangers of Surveillance
- US Attorney Asserts Jurisdiction in International Cases Because of Computer Server Location
- Leading Library Journal's Editorial Board Resigns Over Publisher's Copyright Policy
- Public Cloud Service Agreements: What to Expect and What to Negotiate
- When Social Media at Work Don't Create Productivity-Killing Distractions
- Toward an International Law of the Internet
- Law Firms Offer Cybersecurity Advice and Attorney-Client Privilege to Hacked Companies
- Social Media: SEC Issues Reg FD Guidance (In Form of Enforcement Report)
- If You Were 17, It Could Have Been Illegal To Read Seventeen.com Under the CFAA
- Law Firm Fell Victim to Phishing Scam, Precipitating $336k Overseas Wire Transfer, Bank Suit Alleges
Investors Demand Cyber Security Transparency (Carlton Fields, 5 March 2013) - Almost daily we hear about a new cyber threat or information security breach. Just last week one of the world's largest cloud services providers, Evernote, fell victim to an attack that resulted in a security breach that potentially compromised more than 50 million user accounts. As corporate America becomes better informed about the cyber threats facing U.S. companies, investors will demand more information and transparency about a company's information security policies and practices. A recent survey conducted by Zogby Analytics raises serious concerns for C-suite managers who are simultaneously facing increased scrutiny from regulators, increased demands from investors, and a need to remain mindful of the damage negative press can have on stock prices. According to the Zogby survey, 70 percent of investors are interested in reviewing company cyber security practices and almost 80 percent would likely not consider investing in a company with a negative history of attacks. Notably, the survey also found that 66 percent of investors said corporate responses to attacks are more noteworthy than the attacks themselves. Additionally, the survey revealed investors are twice as concerned if a company had a breach of customer data (57 percent) as opposed to a theft of intellectual property (29 percent). While consumer-related data breaches grab headlines, the findings on intellectual property theft are particularly alarming. They demonstrate a fundamental misunderstanding of the damage that billions of dollars' worth of intellectual property theft can have on a company's bottom line.
Are Governments Ready to be Buyers of Cybersecurity Insurance? (Public CIO, 8 March 2013) - South Carolina is learning the hard way that the costs associated with a data breach can spiral upward in a hurry. Last year, hackers infiltrated a Department of Revenue computer system and swiped millions of unencrypted Social Security numbers and other personally identifiable information. The state reportedly has spent more than $20 million so far cleaning up the mess, including $12 million on credit monitoring services for affected citizens, and millions more on breach notification letters, security improvements, data forensics teams and IT consultants. And South Carolina isn't done opening its wallet - state agencies beyond the revenue department likely will request more funding to make IT security improvements of their own. Although South Carolina's woes are an extreme example - one security expert branded the hacking "the mother of all data breaches" - the incident shows how much an organization should expect to pay out to remediate a large-scale data breach. Other government agencies are dealing with the sticker shock. A separate high-profile breach last year of health-care data in Utah, for example, is costing millions; officials there spent hundreds of thousands of dollars alone on a crisis communications team. These figures aren't outliers: A study conducted last year by the Ponemon Institute found that cybercrime cost the average U.S. organization $8.9 million annually. Some public-sector officials and brokers in the insurance industry think the time has come to apply these same principles in the world of government IT. A small portion of local and state governments already have purchased what's known as "cybersecurity insurance," and at least a few officials think it's time to start talking about the idea more seriously. "The probabilities are such, because your networks and services are so complex and integrated now, that you can't cover up every manhole. Sooner or later someone is going to get through," said Dick Clark, the former CIO of Montana who retired last year, about the state's rationale for buying cyberinsurance. Montana recently joined the few states believed to carry some form of the insurance. Clark said if Montana suffered a South Carolina-style data breach, his state would have a tough time covering the $10 million or $20 million cost. Montana likely would have to raid its general fund to cover the expense, he said. States and cities, Clark said, need to be aware that a data breach can bring a swath of unplanned costs.
Which Encryption Apps Are Strong Enough to Help You Take Down a Government? (Gizmodo, 10 March 2013) - It seems like these days I can't eat breakfast without reading about some new encryption app that will (supposedly) revolutionize our communications - while making tyrannical regimes fall like cheap confetti. This is exciting stuff, and I want to believe. After all, I've spent a lot of my professional life working on crypto, and it's nice to imagine that people are actually going to start using it. At the same time, I worry that too much hype can be a bad thing - and could even get people killed. Given what's at stake, it seems worthwhile to sit down and look carefully at some of these new tools. How solid are they? What makes them different/better than what came before? And most importantly: should you trust them with your life? To take a crack at answering these questions, I'm going to look at four apps that seem to be getting a lot of press in this area. In no particular order, these are Cryptocat, Silent Circle [by Phil Zimmermann], RedPhone and Wickr * * *
Court Rules That Prosecutors Can Use E-mail Sent by Personal Attorney to Employee's Work Account (Suits By Suits, 18 March 2013) - Employees use their work e-mails for all kinds of communications, from the business-related to the personal and private. When a dispute arises, however, it's getting more difficult to keep those private e-mails from seeing the light of day. For example, last week's Inbox highlighted one recent decision in which a New York federal court ruled that an executive had "no reasonable expectation of confidentiality or privacy" in his work e-mail. United States v. Finazzo, No. 10-CR-457 (E.D.N.Y. Feb. 19, 2013). Finazzo is different from most of the cases we cover on this blog (with the exception of this post last week) because it is a criminal case. The defendant is Christopher Finazzo, a former executive at Aeropostale, who was indicted on charges of mail fraud and false statements to the SEC. The government based the charges on Finazzo's undisclosed interest in one of Aeropostale's vendors, a company called South Bay. Aeropostale found out about Finazzo's role in South Bay when its investigator uncovered an e-mail that Finazzo's personal attorney sent to his work account, in which the attorney listed assets to be considered for the drafting of Finazzo's will. In the criminal case, Finazzo moved to keep the government from using the e-mail at trial, arguing that it was a privileged attorney-client communication. The court denied his motion, finding that the e-mail was not a confidential or private document. In assessing the privacy of the document, the court weighed a number of factors * * *
Who Owns a MOOC? (InsideHigherEd, 19 March 2013) - Faculty union officials in California worry professors who agree to teach free online classes could undermine faculty intellectual property rights and collective bargaining agreements. The union for faculty at the University of California at Santa Cruz said earlier this month it could seek a new round of collective bargaining after several professors agreed to teach classes on Coursera, the Silicon Valley-based provider of popular massive open online classes, or MOOCs. The union said the professors lobbied for a 12-year-old California law to guarantee that faculty -- not universities -- own the intellectual property rights to class lectures and course materials. But before professors can have their courses put on Coursera, they are expected to sign away those rights to the university so the university can give the professors' work to Coursera, the union said in a March 5 letter to a top labor relations official at Santa Cruz. In these waivers, professors "irrevocably grant the university the absolute right and permission to use" their course content, name, image and likeness. The university's own contract with Coursera remains neutral and said only that rights will "remain with the applicable instructor and university." [Polley: implicates the informal "Faculty Exception" to the work-for-hire doctrine (see, e.g., page 30 of this AAUP document).]
Justice Dept. Drops Fight Against Tougher Rules to Access E-Mail (Washington Post, 19 March 2013) - The Justice Department has dropped its long-standing objection to proposed changes that would require law enforcement to get a warrant before obtaining e-mail from service providers, regardless of how old an e-mail is or whether it has been read. "There is no principled basis" to treat e-mail less than 180 days old differently than e-mail more than 180 days old, Elana Tyrangiel, acting assistant attorney general in the department's Office of Legal Policy, said Tuesday. Tyrangiel, testifying before a House Judiciary subcommittee, also said that opened e-mail should have no less protection than unopened e-mail. Current law requires law enforcement to obtain a warrant before gaining access to e-mail that is 180 days old or less if it has not been opened. But prosecutors may obtain e-mail older than 180 days, or any e-mail that has been opened, with a mere subpoena. The department's shift means that legislative efforts to amend the 1986 Electronic Communications Privacy Act stand a better chance at succeeding. Lawmakers have drafted legislation that would impose a warrant requirement for all e-mail held by commercial providers. In practice, since a 2010 ruling by the U.S. Court of Appeals for the 6th Circuit requiring a warrant for stored e-mail, most large commercial e-mail providers, such as Google and Yahoo, have adopted that standard.
Minnesota Modifies Liberal Open Records Law to Make Car Location Data Private (ArsTechnica, 19 March 2013) - A Minnesota state agency decreed on Monday that a vehicle's location data as captured by license plate readers, which under existing state law had been completely public, should now be kept private. This comes more than four months after a Minneapolis public committee lobbied to change the state's policy. The new temporary measure will expire in 2015. According to the Minneapolis Star-Tribune: "The Department of Administration ruled Monday that the following data generated by license plate readers would be private: plate numbers; times, dates, and locations of vehicle scans; and vehicle photos." As we reported earlier, Minnesota has a rather liberal open records state law known as the Data Practices Act, which makes all government data public by default. That means that anyone (up until now) could request the entire data set, including license plate data, from any law enforcement agency. In December 2012, Minneapolis mayor R.T. Rybak requested to a state committee that the data be immediately re-classified as "non-public." The new proposal resulted from increased scrutiny of the practice in Minneapolis after a local reporter managed to track the mayor's movements in August 2012 by filing a request with the police.
In Depth: The District Court's Remarkable Order Striking Down the NSL Statute (EFF, 19 March 2013) - On Friday, EFF received the long-awaited ruling on its 2011 petition to set aside a National Security Letter (NSL) issued to a telecommunications company. The petition challenged the constitutionality of one of five national security letter statutes, 18 U.S.C. § 2709. And what a ruling it was. In a detailed and careful 24-page opinion, Judge Susan Illston of the district court for the Northern District of California methodically addressed the government's attempted justifications for this controversial domestic surveillance tool and found that the statute failed to meet the standards of settled First Amendment law. First, a moment to underscore the importance of this ruling. Over the past decade, since the PATRIOT Act expanded its reach from foreign agents and spies to anyone whose information may be "relevant" to a national security investigation, the FBI has issued hundreds of thousands of NSLs seeking potentially intimate information about Americans. Supporters of NSLs have frequently attempted to discount privacy concerns and have characterized criticism as "hyperbole," but the reality is very different. As Judge Victor Marrero of the Southern District of New York noted in his 2004 Doe v. Ashcroft NSL decision, the NSL statute grants enormous, unchecked power to pry into the private lives of people within the United States * * *. With Friday's opinion, entitled In Re National Security Letter, not only did the court set aside this particular letter, it barred any NSLs to telecommunications providers, finding that the statute was so inherently flawed that it could not stand. The decision will likely be appealed, and the order has been stayed in order to give the government the time to file an appeal, but the federal district court deserves enormous credit for not shying away from EFF's request and instead tackling most of the difficult issues head on.
With this case, EFF follows in the strong footsteps of our friends at the ACLU. In 2008, on behalf of Nicholas Merrill, the ACLU succeeded in convincing both a district court and the Second Circuit Court of Appeals to acknowledge the serious structural problems with the NSL statute. Unfortunately, despite finding the statute unconstitutional, the Second Circuit in its Doe v. Mukasey opinion approved the continued use of NSLs if the FBI undertook certain voluntary measures aimed at curbing abuse. The district court here found similar constitutional flaws but took those problems to their rightful conclusion. The court flatly rejected the Second Circuit's attempts to rewrite the statute and rely on voluntary FBI actions to fix it, instead striking it down. While the decision rested primarily on failings with the gag provision, the court ruled that that provision was not severable from the rest of the statute and struck the statute in its entirety. As a result, if the decision is upheld, Congress must step in and repair the structural defects to better protect First Amendment rights if it intends to continue to grant similar power to the FBI. The court made five critical findings * * *
Supreme Court Sides with Bookseller in Major Copyright Ruling, Says Resale is OK (PaidContent, 19 March 2013) - In a court ruling that has major implications for used goods merchants across the country, the Supreme Court overturned a lower court decision that forbade a textbook seller from reselling textbooks that he had purchased from overseas. In a 6-3 ruling, the court rejected publisher John Wiley's interpretation of a rule known as the "first sale doctrine," which prevents copyright owners from exerting rights over a product once it has been purchased legally. This rule is what allows used book and music stores to sell used items without the copyright owners' permission. In recent years, copyright owners facing a wave of imported goods have argued that the "first sale" only applies to goods manufactured in the United States. Lower courts have until now sided with the copyright owners, which has produced considerable uncertainty about whether or not retailers could import and sell goods that they had legally bought from abroad. Writing for the majority, Justice Stephen Breyer rejected John Wiley's argument that the phrase "lawfully made under this act" implied a geographic limitation. He also referred to library associations, used-book dealers, technology companies, consumer-goods retailers, and museums - all of which had urged the court to reject the restricted notion of "first sale." The John Wiley ruling comes three years after the Supreme Court failed to resolve the same issue in a dispute between watch maker Omega and the retailer Costco. In that case, Omega had put little pictures on its watches and then argued that Costco infringed on its copyright when it imported them; that case produced a 4-4 tie which meant the lower ruling against Costco was upheld. The result was different this time with different judges on the bench. The ruling is likely to be a relief for used booksellers and others who feared that geographical limits on first sale would harm their business. In the case before the Supreme Court, the defendant was a college student who had arranged for his family in Asia to buy textbooks and mail them to him in America where he sold them at a profit. Justices Ginsburg, Kennedy and Scalia dissented from the ruling. To learn more about the first sale doctrine, read our background on the Wiley case here. [Polley: Dennis Crouch's Patently-O has an analysis of the case, suggesting that it also has implications for the patent exhaustion doctrine. EFF's take on the case is here.]
Courses, Facebook, and Secret Groups (InsideHigherEd, 21 March 2013) - Our students are leveraging the web and mobile apps to collaborate, share information, and study together. They are sharing online resources such as videos and learning objects from Khan Academy, digital textbook resources, YouTube, iTunesU, and other open online education resources. Students are actively sharing information about study strategies and techniques designed to help each other learn the material and do well on quizzes, tests, and papers. There is a world of social learning going on, and we (meaning us instructors, educational technologists - basically anyone employed on the instructional or administrative sides of the house) know nothing about what is going on. The reason: Facebook Secret Groups. To quote from the Facebook privacy option description page: Secret: Non-members can't find these groups in searches or see anything about the group, including its name and member list. The name of the group will not display on the timelines of members. To join a secret group, you need to be added by a member of the group. What is so appealing for students about Facebook Secret Groups is that instructors, or anyone else that works for the school, can't access the group. We can't even know that the group exists. An enormous amount of really high quality learning is going on on our networks and our campuses, but it is completely invisible to all of us. Facebook Secret Groups for classes means that our students are taking control of their learning. Freed from instructor and administrative surveillance and judgment they are able to learn in ways that fit their needs, not ours. They can be critical of our teaching, dismissive of our learning technologies, and disparaging of assignments - all without fear of retribution by grading.
Whole Internet Probed for Insecure Devices (BBC, 21 March 2013) - A surreptitious scan of the entire internet has revealed millions of printers, webcams and set-top boxes protected only by default passwords. An anonymous researcher used more than 420,000 of these insecure devices to test the security and responsiveness of other gadgets, in a nine-month survey. Using custom-written code, they sent out more than four trillion messages. The net's current addressing scheme accommodates about 4.2 billion devices. Only 1.3 billion addresses responded. The number of addresses responding was a surprise as the pool of addresses for that scheme has run dry. As a result, the net is currently going through a transition to a new scheme that has a vastly larger pool of addresses available. The scan found half a million printers, more than one million webcams and lots of other devices, including set-top boxes and modems, that still used the password installed in the factory, letting almost anyone take over that piece of hardware. Often the password was an easy-to-guess word such as "root" or "admin". "Whenever you think, 'That shouldn't be on the internet, but will probably be found a few times,' it's there a few hundred thousand times," wrote the un-named researcher in a paper documenting their work. HD Moore, who carried out a similar survey in 2012, told the Ars Technica news website the results looked "pretty accurate".
Michigan's Internet Privacy Protection Act (by MIRLN subscriber Michael Khoury, March 2013) - The tempest in the teapot for 2012 was generated when applicants at educational institutions and those searching for employment were compelled to turn over their user names and passwords for social media and other accounts. According to an April 2012 report by the Council of State Governments, "State Leaders Work to Protect the Privacy of Employees' and Students' Social Media Accounts," the issue became significant in Michigan when a teacher's aide was fired for refusing to provide login credentials to her social media account. Late in the 2012 legislative session, Michigan became the sixth state in the United States to enact legislation addressing the privacy of individual accounts and prohibiting employers and educational institutions from taking actions related to these accounts * * *
AP Wins Big: Why a Court Said Clipping Content Is Not Fair Use (PaidContent, 22 March 2013) - A federal court has sided with the Associated Press and the New York Times in a closely-watched case involving a company that scraped news content from the internet without paying for it. The case has important implications for the news industry and for the ongoing debate about what counts as "fair use" under copyright law. Here's a plain English explanation of what the case is all about and what it means for content creators and free speech. The defendant in the case is Norway-based Meltwater, a service that monitors the internet for news about its clients. Its clients, which include companies and governments, pay thousands of dollars a year to receive news alerts and to search Meltwater's database. Meltwater sends its alerts to clients in the form of newsletters that include stories from AP and other sources. Meltwater's reports include headlines, the first part of the story known as the "lede," and the sentence in the story in which a relevant keyword first appears. The Associated Press demanded Meltwater buy a license to distribute the story excerpts and, when the service refused, the AP sued it for copyright infringement. Meltwater responded by saying it can use the stories under copyright's "fair use" rules, which create an exception for certain activities. Specifically, Meltwater said its activities are akin to a search engine - in the same way that it's fair use for Google to show headlines and snippets of text in its search results, Meltwater said it's fair use to clip and display news stories. The case has divided the tech and publishing communities. The influential Electronic Frontier Foundation filed in support of Meltwater, arguing that AP could inhibit innovation and free expression if it succeeds with the copyright claim. On the other side, the New York Times and other news outlets filed to support the AP; they claim Meltwater was simply free-riding and that the company is undermining the ability to create the sort of journalism on which a free society depends. In a decision published Thursday in New York, U.S. District Judge Denise Cote shot down Meltwater in blunt language. While much of the 90-page ruling covers procedural issues and other defenses put forth by Meltwater, the heart of the decision is about fair use. Judge Cote rejected the fair use claim in large part because she didn't buy Meltwater's claim that it's a "search engine" that makes transformative use of the AP's content. Instead, Cote concluded that Meltwater is more like a business rival to AP: "Instead of driving subscribers to third-party websites, Meltwater News acts as a substitute for news sites operated or licensed by AP." Cote's rejection of Meltwater's search engine argument was based in part on the "click-through" rate of its stories. Whereas Google News users clicked through to 56 percent of excerpted stories, the equivalent rate for Meltwater was 0.08 percent, according to figures cited in the judgment. Cote's point was that Meltwater's service doesn't provide people with a means to discover the AP's stories (like a search engine) - but instead is a way to replace them. [Polley: implications for MIRLN? Fair use, or infringement? Would it be different if I charged for MIRLN? EFF's take on the case is here.]
A Libertarian Nightmare: Bitcoin Meets Big Government (Salon, 22 March 2013) - What's not to like about Bitcoin, every libertarian's favorite crypto-currency? For starters, Bitcoins are as cyberpunk as William Gibson's wildest dream: a form of monetary exchange invented in 2009 by a mysterious character who called himself "Satoshi Nakamoto" but then disappeared from view after unleashing his virtual currency upon the world. Bitcoins are undeniably cool: marvelously "mined" from the ore of computer processing power and electricity; more ready for prime time than any previous experiment in purely digital money. And Bitcoins, increasingly, are a success. At a Thursday afternoon all-time-high valuation of $72 per Bitcoin, there were around $700 million worth of Bitcoins in circulation. People are using Bitcoins to buy real goods and services, to hedge against European financial calamity, and to score drugs. That's money. Over the years, Bitcoin has experienced ups and downs; the currency has been targeted by hackers and thieves and botnets and been victim to more than one embarrassing software glitch. But it has persevered, and this week, one can fairly say that Bitcoin came of age. On Monday, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) released its first "guidance" as to how "de-centralized virtual currencies" should fit into the larger regulatory regime under which currencies of all kinds are required to operate. The word "Bitcoin" is never mentioned in FinCEN's release, but that's just a technicality. Everyone in the Bitcoin community knew who the guidance was aimed at. Bitcoin is a big boy now. The State is paying attention. But while some observers have applauded FinCEN's guidance as acknowledgment that Bitcoin isn't illegal or considered a "threat" by the government, not everyone is cheering the news. Because there's a problem here. Bitcoin isn't just an elegant way to create money using peer-to-peer networks and cryptography. Bitcoin is a currency with an ideology. * * * [Polley: Spotted by MIRLN reader Corinne Cooper of Professional Presence]
First Amendment Protects Online Republication of Court Records (Eric Goldman, 23 March 2013) - The court summarizes the facts: Nieman discovered in 2009 that certain legal-search websites (such as Lexis/Nexis.com, Justia.com, Leagle.com, and VersusLaw.com) were linking copies of documents from his prior lawsuit to his name. That litigation involved a former employer and was settled in 2011. When Nieman encountered difficulty obtaining another insurance job, he suspected that potential employers had learned of his prior lawsuit online and "blacklisted" him from employment opportunities. Nieman alleged that in late 2011 he wrote to each of the defendants and asked them to delink his court cases from their online search results. The defendants declined. The court's efficient disposition of the resulting lawsuits (citations omitted): The First Amendment privileges the publication of facts contained in lawfully obtained judicial records, even if reasonable people would want them concealed. We have explained that judicial "[o]pinions are not the litigants' property. They belong to the public, which underwrites the judicial system that produces them." Other legal documents included by the court as part of the public record of the judicial proceedings are also covered by the First Amendment privilege. The for-profit nature of the defendants' aggregation websites does not change the analysis; speech is protected even when "carried in a form that is 'sold' for profit." All of Nieman's claims are based on the defendants' republication of documents contained in the public record, so they fall within and are barred by the First Amendment privilege. The district court also relied on 47 USC 230; the Seventh Circuit doesn't address that issue. Nieman v. VersusLaw, Inc., 2013 WL 1150277 (7th Cir. March 19, 2013)
The Dangers of Surveillance (Harvard Law Review, 25 March 2013) - Abstract: From the Fourth Amendment to George Orwell's Nineteen Eighty-Four, our law and literature are full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don't really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with "privacy," we lack an understanding of what "privacy" means in this context, and why it matters. Developments in government and corporate practices, however, have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance. This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of "surveillance studies," I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It also gives the watcher power over the watched, creating the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance. At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance.
US Attorney Asserts Jurisdiction in International Cases Because of Computer Server Location (ABA Journal, 26 March 2013) - U.S. Attorney Neil MacBride of the Eastern District of Virginia is claiming jurisdiction to pursue cases against alleged international copyright pirates and out-of-state securities fraud defendants, citing the location of computer servers in his district. The Associated Press explains. MacBride says he has jurisdiction over most securities fraud cases because the servers for the EDGAR database of the Securities and Exchange Commission are located in Alexandria. He also claimed jurisdiction to bring charges against the Hong Kong file-sharing company Megaupload because many of the servers storing its content were leased from a northern Virginia company. A lawyer for Megaupload, Ira Rothken, has questioned prosecutors' theory that they have jurisdiction in the criminal copyright case because Internet traffic flows through their district. He is claiming a foreign corporation without U.S. offices cannot be prosecuted in this country. Megaupload officials are currently fighting extradition to the United States. [Polley: crazy, the idea of EDGAR-based jurisdiction; wrong, the idea that Megaupload is in HK - try New Zealand.]
Leading Library Journal's Editorial Board Resigns Over Publisher's Copyright Policy (MLPB, 26 March 2013) - The Chronicle of Higher Education reports that the editorial board of the Journal of Library Administration, a leading publication in the area of library management, has resigned en masse over the publisher's copyright policy. The now former editor, Damon Jaggers, notes that Taylor and Francis, the publisher of the journal, did negotiate with reluctant authors who objected to its previous policy, but the new policy requires potential authors to ante up $3,000 to publish with the journal.
Science Blogs reproduces the editorial board's resignation announcement here, along with some commentary. Below is the notification from the board: The Board believes that the licensing terms in the Taylor & Francis author agreement are too restrictive and out-of-step with the expectations of authors in the LIS community. A large and growing number of current and potential authors to JLA have pushed back on the licensing terms included in the Taylor & Francis author agreement. Several authors have refused to publish with the journal under the current licensing terms. Authors find the author agreement unclear and too restrictive and have repeatedly requested some form of Creative Commons license in its place. After much discussion, the only alternative presented by Taylor & Francis tied a less restrictive license to a $2995 per article fee to be paid by the Author. As you know, this is not a viable licensing option for authors from the LIS community who are generally not conducting research under large grants. Thus, the Board came to the conclusion that it is not possible to produce a quality journal under the current licensing terms offered by Taylor & Francis and chose to collectively resign.
Public Cloud Service Agreements: What to Expect and What to Negotiate (Cloud Standards Customer Council, 30 March 2013) - For datacenters that have already leveraged outsourced infrastructure, the value of service level objectives and their formal contracts is understood. For datacenters that are using clouds as their first entrée into outsourced infrastructure, service agreements may be totally new. IT managers are not comfortable relying on infrastructure and infrastructure management that are outside their immediate control. Therefore, they are quickly realizing that they cannot guarantee a required level of service without understanding their objectives and formalizing such service level with organizations that are on the critical path of their business services delivery. This paper provides cloud consumers with a pragmatic approach to understand and evaluate public cloud service agreements. The recommendations in this paper are based on a thorough assessment of publicly available agreements from several leading public cloud providers. In addition to this paper, a great deal of research and analysis regarding the landscape of cloud service agreements is available in the CSCC companion paper, the "Practical Guide to Cloud Service Level Agreements". In general, we have found that the current terms proposed by public cloud providers fall short of the commitment that many businesses will require. Of course, these providers have reputations to establish or maintain, therefore they will likely employ all reasonable efforts to correct problems, restore performance, protect security, and so on. But neither the specifics of the measures they will take, nor the remedies they offer if they fall short, are currently expressed well enough in their formal agreements in most cases. Furthermore, the language about service levels is often distributed among several documents that do not follow a common industry-wide terminology. We hope that one impact of this paper will be to improve this state of affairs. [Polley: Spotted by MIRLN reader Claude Baudoin of Cebe IT & Knowledge Management]
When Social Media at Work Don't Create Productivity-Killing Distractions (Bloomberg, 1 April 2013) - Workers who are encouraged to tweet, chat, like, and Skype on the job are among the most productive, new academic research says, shooting yet another hole in the managerial argument that social media in the workplace leads to goofing off and slacking on company time. Far from being a distraction, common social media tools such as Facebook, Twitter, and LinkedIn, plus Skype to chat, enable employees to answer more customer queries, and more quickly, says Joe Nandhakumar, professor of information systems at the Warwick Business School in the United Kingdom. He and his research team attribute this productivity boost to something Nandhakumar calls the "theory of virtual co-presence": the ability to collaborate with others over long distances in relatively short, productive sessions to resolve problems or accomplish tasks. Plenty of surveys and studies have looked at the benefits of granting employees unfettered social media access in the workplace, often focusing on increased collaboration among co-workers and, at the very least, keeping companies digitally savvy enough to compete for young talent. The Warwick Business School study is unique: Over more than two years, it followed the way a company's policy to encourage social media usage among its employees led to increased customer interaction and, eventually, higher productivity.
Toward an International Law of the Internet (BeSpacific, 2 April 2013) - Toward an International Law of the Internet, Molly Land, New York Law School, November 19, 2012, Harvard International Law Journal, Vol. 54, 2013 (Forthcoming) via SSRN: "This Article presents the first and only analysis of Article 19 of the International Covenant on Civil and Political Rights as it applies to new technologies and uses this analysis to develop the foundation for an "international law of the Internet." Although Article 19 does not guarantee a right to the "Internet" per se, it explicitly protects the technologies of connection and access to information, and it limits states' ability to burden content originating abroad. The principles derived from Article 19 provide an important normative reorientation on individual rights for both domestic and international Internet governance debates. Article 19's guarantee of a right to the technologies of connection also fills a critical gap in human rights law. Protecting technology allows advocates to intervene in discussions about technological design that affect, but do not themselves violate, international human rights law. Failure to attend to these choices - to weigh in, ahead of time, on the human rights implications of software code, architecture design, and technological standards - can have significant consequences for human rights that may not be easily undone after the fact."
Law Firms Offer Cybersecurity Advice and Attorney-Client Privilege to Hacked Companies (ABA Journal, 2 April 2013) - Law firms are getting involved as companies investigate hacker incidents, providing attorney-client privilege to shield the findings in future lawsuits. The Wall Street Journal has a story on the trend. In one example, Nationwide Insurance hired Ropes & Gray after a hacker obtained personal details about 1 million people from the insurer. In another, Alston & Bird hired a former Justice Department lawyer in January to head its security-incident and management-response team. The lawyer, Kimberly Peretti, was a senior lawyer in the department's Computer Crime and Intellectual Property Section. Mike Dubose, who leads Kroll Advisory Solutions' cyberinvestigations practice, advises clients to hire a law firm before they hire Kroll. He explained that a client who hires Kroll directly probably won't be protected by attorney-client privilege. "What a company does not want is its investigation or due diligence, undertaken with the best of intentions, to be used against it in litigation," Dubose told the Wall Street Journal. [Polley: possibly great for protecting privilege; not-so-great for solving the problem unless the hired lawyer(s) are tech-fluent and already know your business inside-out. Further, almost all such internal investigations would/should have a non-privileged component, designed for ultimate disclosure to regulators or other non-control audiences. It's a real trick to manage a dual-track privileged/non-privileged internal investigation, and all the harder if counsel doesn't "grok" the technology.]
Social Media: SEC Issues Reg FD Guidance (In Form of Enforcement Report) (CorporateCounsel.net, 3 April 2013) - Last month, the SEC's Division of Investment Management issued this guidance in an effort to clarify when mutual funds must file social media messaging with the SEC. The guidance provides 5 categories of communications that IM doesn't believe needs to be filed - and examples of communications that do. At the time, I thought Corp Fin might weigh in with its own social media guidance soon - particularly due to widespread criticism in the wake of news that Netflix had received a Wells Notice from the Division of Enforcement (see my own blog on this topic - and Prof. Joe Grundfest's amicus curiae brief). The answer is "yes, sort of." Yesterday, the SEC issued this Section 21(a) Report of Investigation stating that Enforcement has decided not to go after Netflix - mostly because its 2008 "corporate use of website" guidance may not have been sufficiently clear about how it applies to social media (given that social media exploded onto the scene more recently). More importantly, the Report clarifies that the SEC's '08 framework is sufficiently flexible to accommodate new "push" technologies like Facebook and Twitter - so that companies should continue to apply their own facts against whether they have created a "recognized channel of distribution" using that framework. Even though the SEC's press release touts the new report as a greenlight for companies - the press release's title is "SEC Says Social Media OK for Company Announcements If Investors Are Alerted" - I'm dubious that companies and their advisors will see it that way. For starters, the new guidance comes from an Enforcement report (here's an explanation of what a Section 21(a) report is) - perhaps not the best vehicle to encourage new practices. And it doesn't get into the nitty gritty like IM's new guidance does. Given the slow adoption rate of social media by IR, finance and governance professionals - compared to the rest of the world - I'm not convinced this will be enough to get folks moving (for example, see this blog by Blank Rome's Yelena Barychev and this Cooley news brief from Cydney Posner). [Polley: see also Bloomberg Adds Twitter Feeds to Financial Platform on Heels of New SEC Rules (PaidContent, 4 April 2013)]
If You Were 17, It Could Have Been Illegal To Read Seventeen.com Under the CFAA (EFF, 3 April 2013) - If you are 17 or under, a federal prosecutor could have charged you with computer hacking just for reading Seventeen magazine online, until today. It's not because the law got any better. Earlier today, we wrote about news sites that alarmingly prohibit their youth audiences from accessing the news and the potential criminal consequences under the Computer Fraud and Abuse Act. In response, the Hearst Corporation modified the terms of service across its family of publications, including the Hearst Teen Network, which notably includes titles like Seventeen, CosmoGirl, Teen and MisQuince. Seventeen highlights the absurdity of giving terms of service the force of law under the CFAA. It boasts a readership of almost 4.5 million teen readers with an average age of 16 and a half, and yet, until today, the average reader was legally banned from visiting Seventeen.com. That's right, for a magazine dedicated to teen fashion, the publisher's terms explicitly restricted online access to readers 18 and older. What's worse, the Justice Department could choose to bring the might of the government to enforce this contract against a Seventeen reader who may never have even seen the agreement. Federal prosecutors have argued in court that accessing a website in violation of terms of service is a crime. If the website's terms, like Seventeen magazine's previous version, explicitly state that you must be an adult to visit their sites or participate in their interactive features, then teenagers are accessing the site "without authorization" under the CFAA and could be doing jail time, according to the DOJ. Hearst removed the following line from the terms for publications ranging from the Houston Chronicle to the San Francisco Chronicle, from Popular Mechanics to Seventeen: "YOU MAY NOT ACCESS OR USE THE COVERED SITES OR ACCEPT THE AGREEMENT IF YOU ARE NOT AT LEAST 18 YEARS OLD." The revisions are dated "April 23, 2013," but presumably they meant April 3. Thank you Hearst, we appreciate your prompt response. But the real problem is the CFAA, which allows prosecutors to use these silly terms to manufacture computer crimes. And prosecutors have plenty of opportunities, as ridiculous terms of service abound throughout the Internet.
Law Firm Fell Victim to Phishing Scam, Precipitating $336k Overseas Wire Transfer, Bank Suit Alleges (ABA Journal, 4 April 2013) - A North Carolina bank claims in a lawsuit that it isn't responsible for a $336,600 wire transfer to Russia from a law firm account. The suit by Charlotte-based Park Sterling Bank claims the law firm of Wallace & Pittman fell victim to a phishing scam that began with a click on a link in a fraudulent email, the Charlotte Observer reports. The email claimed to be from an industry group and warned that a banking transaction had failed to clear. Because of the clicked link, hackers were able to track a user's keystrokes and learn banking passwords used by Wallace & Pittman, the suit says. Hackers used the passwords to send $336,600 to a "Konstantin Pomogalove" in Moscow, according to legal documents cited by the newspaper. After receiving notice of the transaction, the law firm immediately sought to stop the transfer. Nevertheless, the call was too late, the story says. Park Sterling Bank initially refunded the money then told the law firm it wanted the funds returned. Before the bank could debit the amount, the law firm obtained a restraining order and closed its account. Park Sterling Bank says the law firm should have opted for a higher security level that requires two approvals for wire transfers, and says the law firm is responsible for the loss under its customer agreement. Wallace & Pittman, on the other hand, claims the international nature of the wire transfer should have raised the bank's suspicions, and the institution should have warned of phishing scams. [Polley: nearly on-point case decided against the bank's customer here.]
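The control the bank says the firm should have chosen, two approvals before a wire leaves, is a separation-of-duties check: a keylogger that captures one login should yield at most an initiated wire, never a released one. The Python below is an added example, not code from the bank, the law firm or the article, modelling that check. The user names, country codes, amounts, the $10,000 threshold and the rule that any international wire needs two approvers are constructed assumptions for illustration.

```python
"""Dual-control release of outbound wire transfers (two distinct approvers).

Added example; not code from Park Sterling Bank, Wallace & Pittman or the
ABA Journal article. It models a 'two approvals for wire transfers' policy
and shows why one password captured by a keylogger cannot release a wire
under it. All names, thresholds, country codes and amounts are constructed.
"""
from dataclasses import dataclass, field

HOME_COUNTRY = "US"                  # assumed: the customer's home jurisdiction
DUAL_CONTROL_THRESHOLD_USD = 10_000  # assumed policy: large wires need two approvers


class DualControlError(Exception):
    """Raised when an approval would violate separation of duties."""


@dataclass
class Wire:
    wire_id: str
    amount_usd: int
    destination_country: str          # ISO 3166-1 alpha-2 code (constructed data)
    initiated_by: str                 # user whose credentials created the wire
    approvals: set = field(default_factory=set)
    released: bool = False


def required_approvals(wire: Wire) -> int:
    """International or large wires need two approvers; small domestic ones need one."""
    if wire.destination_country != HOME_COUNTRY:
        return 2
    if wire.amount_usd >= DUAL_CONTROL_THRESHOLD_USD:
        return 2
    return 1


def approve(wire: Wire, approver: str) -> int:
    """Record one approval and return the number of distinct approvals so far.

    The initiator can never approve their own wire, so a single stolen
    credential can at most initiate; a second, distinct identity is always
    needed before anything is released.
    """
    if wire.released:
        raise DualControlError(f"{wire.wire_id}: already released")
    if approver == wire.initiated_by:
        raise DualControlError(f"{wire.wire_id}: initiator {approver} cannot self-approve")
    if approver in wire.approvals:
        raise DualControlError(f"{wire.wire_id}: {approver} already approved")
    wire.approvals.add(approver)
    return len(wire.approvals)


def try_release(wire: Wire) -> bool:
    """Release only once the required number of distinct approvals is present."""
    if not wire.released and len(wire.approvals) >= required_approvals(wire):
        wire.released = True
    return wire.released


def single_credential_attack(amount_usd: int, country: str, stolen_user: str) -> bool:
    """Simulate an attacker holding exactly one captured login.

    They initiate the wire as the victim, then try to approve it with the same
    identity. Returns True if the wire was released; under this policy it never is.
    """
    wire = Wire("ATTACK", amount_usd, country, initiated_by=stolen_user)
    try:
        approve(wire, stolen_user)
    except DualControlError:
        pass                          # self-approval refused, as intended
    return try_release(wire)


if __name__ == "__main__":
    # Constructed scenario: a large international wire from a compromised account.
    print("attacker released wire:", single_credential_attack(336_600, "RU", "alice"))
    legit = Wire("W1", 336_600, "RU", initiated_by="alice")
    approve(legit, "bob")
    print("released after one approval:", try_release(legit))
    approve(legit, "carol")
    print("released after two approvals:", try_release(legit))
```

The design point is that the initiator is structurally excluded from the approval set, so the compromise in the story (one user's banking password) cannot complete the transaction on its own; the destination-country rule additionally forces dual control on exactly the pattern at issue, a large wire to a foreign beneficiary, regardless of which threshold a given bank applies.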
RESOURCES
Cloud Ethics Opinions (ABA's LTRC, March 2013) - There's a compelling business case for cloud computing, but can lawyers use it ethically? We've compiled these comparison charts to help you make the right decision for your practice. [Polley: clickable State map, with links to opinions and other resources.]
The Fair Use/Fair Dealing Handbook (InfoJustice.org, 27 March 2013) - More than 40 countries with over one-third of the world's population have fair use or fair dealing provisions in their copyright laws. These countries are in all regions of the world and at all levels of development. The broad diffusion of fair use and fair dealing indicates that there is no basis for preventing the more widespread adoption of these doctrines, with the benefits their flexibility brings to authors, publishers, consumers, technology companies, libraries, museums, educational institutions, and governments. Fair dealing was first developed by courts in England in the eighteenth century, and was codified in 1911. Fair dealing became incorporated into the copyright laws of the former British Imperial territories, now referred to as the Commonwealth countries. Over the past century, the fair dealing statutes have evolved in many of the Commonwealth countries, and increasingly resemble the fair use statute in the United States. Thus, although fair dealing is generally considered to be less flexible and open-ended than fair use, this is no longer the case in many Commonwealth countries. This handbook contains all the fair use and fair dealing statutes we were able to identify: The Fair Use/Fair Dealing Handbook
BOOKS
"Trademark and Deceptive Advertising Surveys" (review by Eric Goldman, 20 March 2013) - I read only a couple of books per year. As very long-form scholarship, books usually require big blocks of time to read (and I rarely have such blocks), and I typically find the payoff isn't worth the time investment. As a result, it's rare that I read a book, rarer when I like a book, and exceptionally rare when I think a book is worth recommending to you. Yet, I can hardly contain my enthusiasm for the 2012 book, "Trademark and Deceptive Advertising Surveys: Law, Science and Design," edited by Shari Seidman Diamond and Jerre B. Swann and published by the ABA's IP Section. It may be the best book I've read in years. Why do I like this book so much? It's the *perfect* legal resource guide. The chapters are written by the leading experts in the field--names you most likely recognize, including William Barber, Jerre Swann, Bruce Keller, Shari Seidman Diamond, Itamar Simonson, Jacob Jacoby and many more. In each chapter, an expert explains how he/she handles an aspect of the consumer survey process and why he/she makes certain professional judgments. It's like having an initial consultation with, or some private coaching from, the leaders in the consumer survey field, except that they aren't billing you by the hour and they give you citations for your deeper investigation if you want. I know I'm a hardcore geek, so my experience may not be representative, but I found this book a page-turner that I couldn't put down. Every page was packed with a golden nugget or two of insight, page after page, chapter after chapter. I'm not exaggerating at all when I say that I found the book gripping.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
FCC to Begin VOIP Inquiry (CNET, 6 Nov 2003) -- The Federal Communications Commission said Thursday that it plans to formally decide whether to regulate Internet telephone companies. The FCC will begin a yearlong inquiry into the "appropriate regulatory environment for these services" on Dec. 1, the commission said in an announcement. "The FCC has been studying VoIP issues for several years, but things have greatly accelerated over the past year, and, thus, so have the FCC's actions to address the complex issues that arise," FCC Chairman Michael Powell wrote in an accompanying letter to Oregon Sen. Ron Wyden, who is sponsoring an Internet tax ban that could affect voice over Internet Protocol services. VoIP is a technology for making phone calls using the Internet Protocol, the world's most popular method for sending data from one computer to another. It requires a network connection and a PC with a speaker and a microphone or a device to convert a telephone's analog signal into IP and vice versa. Pressure has been on the FCC to make its position known on VoIP ever since a U.S. District Court shot down an attempt by regulators in Minnesota to make VoIP provider Vonage follow state telephone rules. In that court case, Vonage argued that its service uses the Internet, which has historically fallen under federal control. Vonage, BellSouth, SBC Communications and Motorola have asked the FCC to draft a nationwide policy instead of a patchwork of possibly different state regulations. States are beginning to try to regulate VoIP services, which provide many of the same functions as the traditional phone system but with different technology and at a lower cost. At stake is a key distinction between voice services, which in the past have used the Public Switched Telephone Network, and data services such as the Internet.
Memories in the Corner of My Eye (Wired, 11 Nov 2003) -- Trying to remember a full day's schedule is no mean feat -- especially when it's full of business meetings, grocery shopping, kids' soccer practice and music lessons, and sundry other errands. Help may be on the way from a pair of specs dubbed the memory glasses. The specs have a tiny television screen embedded into one of the lenses and are hooked up to a PDA. The PDA can be programmed to send messages or images to the screen. Each prompt is geared to jog the wearer's memory -- whether it is an image of a soccer ball, the day's calendar or the name of the guy who just said hello. And all of these messages are flashed before the eye at 1/180 of a second, so the wearer isn't even conscious that they have been sent. "The thing that's unique about my work on the memory glasses is the use of subliminal messages," said Richard DeVaul, the glasses' inventor and a doctoral student at the Massachusetts Institute of Technology's Media Lab. DeVaul said subliminal messages aren't powerful enough to stimulate action; rather, they act as prompters -- they fill in the blanks that the wearer is already searching for. The fact that the wearer is unconscious of them is, according to DeVaul, the key to his system. "We can never precisely know what the wearer needs to know, or when he needs to know it, and this is why the fact the messages are subliminal is so important. If the information given is not helpful at that time, it's not important because it isn't noticed," DeVaul said. So rather than producing a barrage of distracting pop-up messages, the system provides a noninvasive wealth of information and memory cues about appointments, shopping-list items, meeting agendas, and the spouse's birthday. And for those awkward chance meetings when you are completely at a loss as to whom you are talking to, the system can flash a name or an image of the last meeting you had with the mystery person to help jog your memory. The system can find these matches by using voice- or face-recognition technologies. DeVaul has been using off-the-shelf PDAs in tests of the glasses. The mini TV screen itself is a few millimeters square and can be integrated into the wearer's own glasses, but for the trial the MIT team has been using a clip-on version.
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, sans@sans.org
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.