Saturday, October 12, 2013

MIRLN --- 22 Sept - 12 Oct 2013 (v16.14)

MIRLN --- 22 Sept - 12 Oct 2013 (v16.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | DIFFERENT | FUN | LOOKING BACK | NOTES

Spain passes new anti-piracy laws (ArsTechnica, 20 Sept 2013) - On Friday, the Spanish government approved new measures that would target those who even link to unauthorized copyrighted material for "direct or indirect profit." The measures, which don't take effect until early 2014, will include penalties of up to six years in prison for "aggravated cases" (Google Translate) for those who violate copyright. The new amendment to the country's existing penal code will not affect search engines or peer-to-peer file sharing sites, according to Reuters . Spain is the home of RojaDirecta.com, a site that promoted unauthorized sports streams and whose domain was seized by the United States government. The domain was eventually returned last year. (The site has since switched to RojaDirecta.me, based in Montenegro.) "This is a real balance between protecting copyright and new technologies," Spain's Justice Minister Alberto Ruiz-Gallardon told reporters at a news conference in Madrid.

top

"Link rot" at the Supreme Court: 49% of links in decisions don't work (GigaOM, 23 Sept 2013) - Adam Liptak of the New York Times provides a lively account of how half the links in Supreme Court decisions - links that provide precedent and justify the law - lead to broken or missing webpages. The so-called "link rot," described in a Harvard study, is a problem for the legal profession, and shows how courts' shift away from fusty paper practices isn't all positive. More broadly, the situation shows how future discussions of infrastructure renewal should encompass plans to repair the country's digital infrastructure as well.

top

FDA will regulate some mobile medical apps as devices (NextGov, 24 Sept 2013) - The Food and Drug Administration plans to apply the same strict regulations to mobile apps as it does to medical devices, such as blood pressure monitors, if those apps perform the same functions as stand-alone or computer based devices. The FDA has developed a "tailored" approach to regulation of mobile apps that would allow use of some apps without oversight, according to Dr. Jeffrey Shuren, director of the FDA's Center for Devices and Radiological Health. "Some mobile apps carry minimal risks to consumers or patients, but others can carry significant risks if they do not operate correctly," he said. The FDA said that "if a mobile app is intended for use in performing a medical device function (i.e. for diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease), it is a medical device, regardless of the platform on which it is run," in a guidance document for industry and its staff released Monday. A mobile app that doctors or patients use to log and track trends with their blood pressure would not be regulated as a device. Mobile medical apps that recommend calorie or carbohydrate intakes to people who track what they eat also are also not within the current focus of FDA's regulatory oversight.

top

Law firm can read ex-partner's incoming email, opinion says, but must forward email about his cases (ABA Journal, 25 Sept 2013) - A dispute over a law firm's handling of email sent to the account of a former partner resulted in a legal ethics roadmap that may help others faced with the same situation. The partner had no right to insist that the account simply be closed and set to send a bounce-back message to that effect, held the Philadelphia Bar Association Professional Guidance Committee in a Sept. 13 advisory opinion that authorized the firm to read the incoming email. However, any email that related to matters the partner took with him to his new firm must be forwarded by his old firm, Bloomberg BNA reports. The opinion also said replies to email senders had to provide the ex-partner's new contact information. Additionally, "the inquirer is reminded that considerations of substantive law may influence this analysis," the opinion notes. "Although the Committee does not address those considerations here, relevant points to consider may include the firm's partnership agreement, any sidebar agreements with [the ex-partner] concerning the latter's withdrawal, and/or the firm's written or customary employment practices."

top

NSA gathers data on social connections of U.S. citizens (NYT, 28 Sept 2013) - Since 2010, the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans' social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials. The spy agency began allowing the analysis of phone call and e-mail logs in November 2010 to examine Americans' networks of associations for foreign intelligence purposes after N.S.A. officials lifted restrictions on the practice, according to documents provided by Edward J. Snowden, the former N.S.A. contractor. The policy shift was intended to help the agency "discover and track" connections between intelligence targets overseas and people in the United States, according to an N.S.A. memorandum from January 2011. The agency was authorized to conduct "large-scale graph analysis on very large sets of communications metadata without having to check foreignness" of every e-mail address, phone number or other identifier, the document said. Because of concerns about infringing on the privacy of American citizens, the computer analysis of such data had previously been permitted only for foreigners. The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such "enrichment" data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

top

- and -

Why it's important to publish the NSA programs (Bruce Schneier, 8 Oct 2013) - The Guardian recently reported on how the NSA targets Tor users, along with details of how it uses centrally placed servers on the Internet to attack individual computers. This builds on a Brazilian news story from a mid-September that, in part, shows that the NSA is impersonating Google servers to users; a German story on how the NSA is hacking into smartphones; and a Guardian story from early September on how the NSA is deliberately weakening common security algorithms, protocols, and products. The common thread among these stories is that the NSA is subverting the Internet and turning it into a massive surveillance tool. The NSA's actions are making us all less safe, because its eavesdropping mission is degrading its ability to protect the US. Among IT security professionals, it has been long understood that the public disclosure of vulnerabilities is the only consistent way to improve security. That's why researchers publish information about vulnerabilities in computer software and operating systems, cryptographic algorithms, and consumer products like implantable medical devices, cars, and CCTV cameras. * * * [ Polley : The TOR stories trouble me greatly - I think they indicate that NSA occasionally infects TOR-users computers with what we'd call malware. I believe this may be illegal, without an individualized warrant (which seems highly unlikely). Further, the man-in-the-middle aspects to NSA's TOR activities also strike me as legally questionable.]

top

Is Florida too tough on lawyers using LinkedIn and Twitter? Endorsements and short skirts targeted (ABA Journal, 30 Sept 2013) - Orlando lawyer Luis Gonzalez has no plans to block endorsements on LinkedIn, no matter what the new Florida ethics rules require. "I'm not changing a damn thing," he tells the Daily Business Review . "I want the bar to come after me. I'm 61 years old, and I'm not going to tolerate garbage like that." Gonzalez is one of several lawyers criticizing the state bar's new social media rules, enacted as part of new rules on lawyer advertising approved in May by the Florida Supreme Court. Many law firms consider the rules regarding Facebook, Twitter and LinkedIn to be the toughest in the country, the story says. According to this summary (PDF), the guidelines require advertising lawyers to list their names and office addresses, bar misrepresentative testimonials and restrict the use of the words "specialist" and "expert," as well as their variations. Lawyers on Twitter are concerned about the need to state an office location on each tweet, the story says. Lawyers on LinkedIn also are concerned about the need to ban third-party endorsements and to refrain from using the word "expertise." For lawyers on Facebook there is another potential problem-the need to refrain from posting inappropriate or unprofessional photos and videos. Kathy Bible, advertising counsel for The Florida Bar, told the Daily Business Review that the bar is involved in two disciplinary probes regarding LinkedIn, but there are no probes of Twitter violations. She added she has privately talked to some lawyers about inappropriate Facebook photos. "One lawyer had pictures of his staff with skirts too short," she told the Daily Business Review. "He kindly removed them when we asked."

top

Ohio's lessons: state governments and facial recognition (New Republic, 2 Oct 2013) - With all the attention these days on NSA activities, it's easy to forget that much surveillance in the United States takes place at the state and local level, and it is also regulated by state and local law. Much of the really high tech stuff is centralized in the federal government's hands, but debate about at least one new technology-facial recognition-is going on in some places at the state level, and that's a good thing. Most facial recognition technology works by identifying various distinguishing features and measurements of an individual human face in an image and comparing them to images stored in a large database of pictures matched with other data (say, for instance, all passport or driver's license photos or all pictures stored in a social network application). Especially if linked up with proliferating camera systems and postings of pictures online, this is a powerful identification tool, and not just for detecting or recognizing suspects but for ID-ing those with whom they associate. Those who worry about the government looking through your call records should probably worry about it looking through your pictures, too. In the private sector, Google has put a hold on integrating facial recognition technology in its Glass pending development of privacy protections. A 2012 Federal Trade Commission report on this technology begins, though, by reminding readers of a scene from Steven Spielberg's Minority Report, in which ubiquitous electronic advertisement systems scan moving crowds and deliver targeted ads: "John Anderton... You could use a Guinness right about now." The case of Ohio illustrates the potential benefits of state-level experimentation and adaptation, especially as lessons are learned and best practices shared, but it also shows how processes can go awry. Ohio Attorney General Mike DeWine recently came under fire amid reports that his state was using facial recognition technology to identify crime suspects with, among other things, driver's license photos-but without having informed the public, with poor oversight, and without any review by his office of rules for using the system.

top

Top enterprise cyber security 'appalling' - former NSA CIO/CTO (Computing, 2 Oct 2013) - Former National Security Agency (NSA) CIO and CTO Dr Prescott Winter believes that many large organisations don't know what they're doing when it comes to cyber security and as a result defences against hackers and cyber attacks are "appalling". Winter, who spent 27 years at the NSA and is now managing director of security services firm The Chertoff Group, made the comments as part of his keynote at Splunk Worldwide User's Conference 2013 in Las Vegas. He used the keynote to discuss how big data is changing cyber security. "As we look at the situation in the security arena at the Chertoff Group, we see an awful lot of big companies - Fortune 100-level companies - with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing," said Winter, who argued big data has a role to play in improving this. "We do a lot of security assessments at the Chertoff Group and our view is in order to protect your enterprise - which is possible despite all the doom and gloom - we think that this integrated cyber security ecosystem, which is a real asset-based, business-driven, risk management approach, is an effective way to protect your enterprise," Winter explained.

top

How to get busy lawyers to hear you - Ambrogi's presentation to NABE (Robert Ambrogi, 2 Oct 2013) - I was the plenary speaker last week at the annual meeting of the Communications Section of the National Association of Bar Executives. My topic was, "Communicating Amid Clamor and Calamity: How Technology Has Rewired Lawyers' Practices and What It Means for How You Communicate With Them." If you think the title was long, my slide deck was even longer. I talk first about ways technology has changed law practice and then offer tips for how to be more effective in communicating with busy lawyers.

top

A buyer's guide to cyber insurance (McGuire Woods, 2 Oct 2013) - * * * Premiums for cyber insurance can vary widely. Gartner, Inc., reported recently that cyber insurance premiums range from $10,000 to $35,000 for $1 million in coverage. While the coverage has become more available, insurers continue to develop their understanding of cyber risks. Some carriers have underwriters with knowledge and experience regarding cyber losses, while other carriers do not. As a result, insurers have had difficulty pricing this insurance, and there can be large differences (as much as 25 percent) between the premium charged by two different carriers to insure the same risk. The number of United States companies purchasing cyber insurance has increased with the availability of the insurance products. The national insurance broker Marsh recently reported that the number of Marsh clients purchasing cyber insurance increased 33 percent in 2012 over 2011. Marsh noted that the services industry, which includes professional, business, legal, accounting and personal services firms, experienced the largest uptick in the number of clients purchasing cyber insurance - a 76 percent jump over 2011. The limits of liability purchased by U.S. businesses vary widely. Chubb reports that the average policy limits purchased by its clients are between $1 million and $5 million, while Marsh reports that its clients purchased an average of $16.8 million in limits across all industries, an increase of nearly 20 percent over 2011. The maximum limit available from a single insurer ranges from $10 million to $20 million, but policyholders are able to stack limits of liability to create towers of insurance up to $350 million. * * *

top

Bad code: should software makers pay? (Part 1) (Lawfare, 3 Oct 2013) - As far as legal remedies go for software vulnerabilities, code might as well be crack cocaine. So I suggest in my piece today over at Lawfare 's new feed at the New Republic : Security States . This is the first installment in a month-long series on whether and how to go about holding vendors liable for insecure software. It opens : The joke goes that only two industries refer to their customers as "users." But here's the real punch line: Drug users and software users are about equally likely to recover damages for whatever harms those wares cause them. Let's face it. Dazzled by what software makes possible-the highs-we have embedded into our lives a technological medium capable of bringing society to its knees, but from which we demand virtually no quality assurance. The $150 billion U.S. software industry has built itself on a mantra that has become the natural order: user beware. The rapid evolution of software technology and the surge in the total number of computer users actually led early commentators to warn of software vendors' increasing exposure to lawsuits -and the "catastrophic" consequences to ensue. But history has gone the other way. Operating within a "legislative void," the courts have consistently construed software licenses in a manner that allows software vendors to disclaim almost all liability for software defects. Bruce Schneier, perhaps the most prominent decrier of the current no-liability regime for software vendors, puts it simply: "there are no real consequences for having bad security." The result is a marketplace crammed with shoddy code. [ Polley : sounds like this could be an interesting series of posts.]

top

California's new 'online eraser' law should be erased (Eric Goldman, 3 Oct 2013) - People mocked Google CEO Eric Schmidt for his 2010 suggestion that teenagers should change their names when they turn 18 to avoid the indiscreet and ill-advised Internet posts they made as youths. The California legislature thought it had a better solution for this problem and enacted a law, SB 568 (California Business & Professions Code Sec. 22581), that allows kids to use an "online eraser" to wipe away some of their past posts. Unfortunately, California's solution is no less mockable than Schmidt's. The new law says that websites and apps "directed" to minors, or that have actual knowledge that a user is a minor, must allow registered users under 18 to remove (or ask the provider to remove or anonymize) publicly posted content and make certain disclosures to these users. A website/app is "directed" to minors when it is "created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults." The law is riddled with ambiguities, so let me explore just three: * * *

top

Ruh-roh: Adobe breach is just the beginning, researcher says (GigaOM, 7 Oct 2013) - The Adobe source code breach disclosed last week was scary. Perhaps scarier still is that the perpetrators have hit other as-yet unnamed companies. There have been similar intrusions to other companies which are now being notified, security expert Alex Holden told the ThreatPost blog . It was Holden, founder and chief information security officer (CISO) of Hold Security , along with security blogger Brian Krebs , who uncovered the Adobe breach. Talking to ThreatPost, a blog owned by Kaspersky Labs, a security company, Holden characterized this Adobe breach as: "one of the worst in U.S. history because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked. This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses." Adobe made the breach, which affected Acrobat, Acrobat Reader, ColdFusion and other applications, public late last week. The intruders apparently penetrated its security in late July or mid August.

top

Open source software and copyright (MLPB, 8 Oct 2013) - Andres Guadamuz, University of Sussez, and Andrew John Rens, Duke University School of Law, & University of Cape Town, Intellectual Property Research, have published Comparative Analysis of Copyright Assignment and Licence Formalities for Open Source Contributor Agreements . Here is the abstract: "This article discusses formal requirements in open source software contributor copyright assignment and licensing agreements. Contributor agreements are contracts by which software developers transfer or license their work on behalf of an open source project. This is done for convenience and enforcement purposes, and usually takes the form of a formal contract. This work conducts a comparative analysis of how several jurisdictions regard those agreements. We specifically look at the formal requirements across those countries to ascertain whether formalities are constitutive or probative. We then look at the consequences of the lack of formalities for the validity of those contributor agreements."

top

Cyber-crime costs continue to rise: study (eWeek, 8 Oct 2013) - The bad news is in: The cost of cyber-crime in 2013 is actually going up despite projections last year that it might level off in the future. "The bad news is that companies across different industries are experiencing a fairly substantial cost of cyber-crime," Larry Ponemon, chairman and founder of the Ponemon Institute told eWEEK. According to the 2013 Cost of Cyber-Crime Study, conducted by the Ponemon Institute and sponsored by Hewlett-Packard, the annual cost of cyber-crime in the U.S. now stands at $11.56 million per organization. The 2013 figure is an increase of 26 percent from the $8.9 million Ponemon reported in 2012. U.S. organizations now suffer from an average of 122 attacks a week, a sharp increase from the 102 attacks per week reported for 2012. Adding to the cost, as well, is the fact that it is now taking organizations more time to respond to attacks than in prior years. According to the 2013 report, it now takes 32 days on average to resolve a cyber-attack, up from 24 days in 2012. As to why the response time has gone up, Ponemon suspects that the root cause is increased attack complexity.

top

Presentation about the problems of online trespass to chattels (Eric Goldman, 8 Oct 2013) - You may recall my prior post where I outlined my conceptual objections to online trespass to chattels doctrines, including the common law, the Computer Fraud & Abuse Act and state computer crime laws like California Penal Code Sec. 502. As I outline in that post, I don't think nibbling around the edges with CFAA reform is very helpful. Instead, I challenge the basic premise that sending electronic signals to a remote computer is a chattel "use." If we follow the logic of that revised premise, most of the online trespass to chattels doctrines simply go away. I think this issue is so important that I put together a "stump speech," replete with my signature use of Microsoft clipart. Last month, I gave this talk for the first time at the Utah State Bar Cyberlaw Section's "i-Symposium" in Lehi, Utah. The talk recording ( download ) and accompanying PowerPoint slides ( download ) are available in the HTLI iTunesU page (items 39 and 40).

top

VA state police used license plate readers at political rallies, built huge database (ACLU, 8 Oct 2013) - From 2010 until last spring, the Virginia State Police (VSP) maintained a massive database of license plates that allowed them to pinpoint the locations of millions of cars on particular dates and times. Even more disturbing, the agency used automatic license plate readers (ALPRs) to collect information about political activities of law-abiding people. The VSP recorded the license plates of vehicles attending President Obama's 2009 inauguration, as well as campaign rallies for Obama and vice presidential candidate Sarah Palin. (Documentation of this program, disclosed in response to an ACLU of Virginia public records request, can be found here .)

top

DIFFERENT

Inside Nuance: the art and science of how Siri speaks (KillerVideoReviews, 25 Sept 2013) - In this feature we go behind the scenes at Nuance Communications, a company that develops voice technology for Apple, Dragon, and many others. Technology companies have been trying to make computers speak "naturally" since before the PC was first introduced. Now, with more advanced software and an elaborately crafted process, companies are getting closer to making computer-human interaction seamless. [ Polley : fascinating, 10 minute video on YouTube here .]

top

Scientists used Facebook for the largest ever study of language and personality - and the results are groundbreaking (Business Insider, 2 Oct 2013) - A group of University of Pennsylvania researchers who analyzed Facebook status updates of 75,000 volunteers have found an entirely different way to analyze human personality, according to a new study published in PLOS One. The volunteers completed a common personality questionnaire through a Facebook application and made their Facebook status updates available so that researchers could find linguistic patterns in their posts. Drawing from more than 700 million words, phrases, and topics, the researchers built computer models that predicted the individuals' age, gender, and their responses on the personality questionnaires with surprising accuracy. The "open-vocabulary approach" of analyzing all words was shown to be equally predictive (and in some cases more so) than traditional methods used by psychologists, such as self-reported surveys and questionnaires, that use a predetermined set of words to analyze. Basically, it's big data meets psychology. The Penn researchers also created word clouds that "provide an unprecedented window into the psychological world of people with a given trait," graduate student Johannes Eichstaedt, who worked on the project, said in a press release. "Many things seem obvious after the fact and each item makes sense, but would you have thought of them all, or even most of them?" [ Polley : story includes some pretty fascinating word-clouds; this looks like quite an interesting study.]

top

FUN

Page 46 of the iOS7 Terms & Conditions (Twitter posting, 22 Sept 2013) - 3. Transfer. You may not rent, lease, lend, sell, redistribute, or sublicense the iOS Software. You may however (a)

  • Oh, you know what? This is page 46, nobody's still reading this. I bet only about five people have clicked to read the T&Cs in the first place - we might as well just say anything we like.
  • Tony on floor 5 of Apple HQ smells of sardines.
  • When someone sends a funny email around the offices we have to reply with iLaughed. It's in our job description.
  • Remember that legal kerfuffle over Apple and Apple studios? Want to know how we fixed it? We bought The Beatles. We have the surviving ones come and sing to us for scraps. We're looking at ways to reanimate the dead ones.
  • The canteen only sells apple products. Apples, apple juice, apple flapjacks, toffee apples. We get fired if we're caught earing anything without apples in it. I'M APPERGIC TO APPLES AND I'M ALWAYS SO HUNGRY. * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

GPS tracking of suspects requires warrant, Washington court rules (11 Sept 2003) -- Police cannot attach a Global Positioning System tracker to a suspect's vehicle without a warrant, the Washington Supreme Court declared Thursday in the first such ruling in the nation. The court, however, refused to overturn the murder conviction of William Bradley Jackson, who unknowingly led police to the shallow grave of his 9-year-old daughter in 1999. Spokane County deputies had a warrant for the GPS tracking device used in that case, although prosecutors argued they did not need one. ``Use of GPS tracking devices is a particularly intrusive method of surveillance, making it possible to acquire an enormous amount of personal information about the citizen under circumstances where the individual is unaware that every single vehicle trip taken and the duration of every single stop may be recorded by the government," Justice Barbara Madsen wrote in the unanimous decision. She raised the prospect of citizens being tracked to ``the strip club, the opera, the baseball game, the `wrong' side of town, the family planning clinic, the labor rally." The closely watched case had evoked worries about police using the satellite-tracking devices like Big Brother to watch citizens' every move. Doug Honig, a spokesman for the American Civil Liberties Union of Washington, said the ruling is the first of its kind in the country.

top

Barnes & Noble shelves e-books (CNET, 9 Sept 2003) -- Barnes&Noble.com has discontinued sales of e-books, according to a statement on the company's Web site. Customers using Microsoft's eBook reader have until Dec. 9 to access downloads purchased from the store, while Adobe Reader customers have 90 days to retrieve any outstanding files, according to a notice posted on the site Tuesday. Meanwhile thousands of e-book titles were listed as unavailable. "B&N.com no longer sells eBooks," the statement noted. E-books sparked a flurry of excitement in 2000 when best-selling author Stephen King experimented with the format. Since then, however, analysts said the format has largely disappointed, both in terms of sales and in the technology used to access them. The decision to end e-book sales is a setback for both Microsoft and Adobe Systems, which have been pushing new technology for digital books.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

No comments: