Saturday, November 02, 2013

MIRLN --- 13 Oct - 2 Nov 2013 (v16.15)

MIRLN --- 13 Oct - 2 Nov 2013 (v16.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

The ABA Cybersecurity Legal Handbook -- A Resource for Attorneys, Law Firms, and Business Professionals is now available on Amazon, in hardcopy and Kindle format. It provides practical cyber threat information, guidance, and strategies to lawyers and law firms of all sizes. The guide considers the interrelationship between lawyer and client, establishing what legal responsibilities and professional obligations are owed to the client in the event of a cyber attack. The book provides strategies to help law firms defend against the cyber threat, and also offers information on how best to respond if breached.

The toll of enterprise cybercrime: $11.8 million per year; 122 attacks per week (Network World, 8 Oct 2013) - A survey of 60 companies in the U.S. about the impact of cybercrime indicates that the annualized cost of dealing with cyberattacks of all kinds is now $11.6 million per year on average, up from $8.9 million last year. According to the report, the "2013 Cost of Cyber Crime Study: United States" based on extensive interviews by Ponemon Institute with company personnel, cyberattacks have become "common occurrences" with the companies that participated in the study reporting 122 successful attacks per week (up from 102 per week last year). The 60 companies represented in the Ponemon study were generally larger, with a minimum of 1,000 enterprise seats. Cybercrime costs to each of them were reckoned in terms of direct and indirect costs associated with loss or theft of information, disruption to business operations, revenue loss and destruction of property and equipment. The study also sought to understand costs spent on detection, investigation and incident response, containment and recovery.

Directors must act now on cybersecurity (Cadwalader's Ken Wainstein, formerly of DoJ, 11 Oct 2013) - In a 2012 Corporate Board Member/FTI Consulting survey, 48 percent of public company directors and 55 percent of corporate general counsels rated data security as their number one concern. * * * Corporate boards - especially of companies that own and operate critical infrastructure - must understand and account for the implications of these developments. For example, companies must consider their role in the "voluntary program" being developed under the authority of the President's Executive Order and the potential litigation risk if they choose not to meet the resulting voluntary standards. Corporate boards must also be aware of the SEC disclosure obligations with respect to cyber risk and intrusions, not to mention the possibility of an FTC enforcement action if they suffer a data breach. Even more fundamentally, corporate boards must appreciate that they have a fiduciary duty to protect and ensure the integrity of corporate information assets against cyber theft and attack. With the increasing legal obligations and challenges stemming from the cyber threat to corporate America, directors and officers would be wise to take an active role in developing, overseeing, and managing corporate cybersecurity compliance programs within their companies.

Google jousts with wired South Korea over quirky Internet rules (NYT, 13 Oct 2013) - South Korea is one of the world's most digitally advanced countries. It has ubiquitous broadband, running at speeds that many Americans can only envy. Its Internet is also one of the most quirky in the world. A curfew restricts school-age children from playing online games at night; adults wanting to do so need to provide their resident registration numbers to prove that they are of age. Until last year, commenters on the Web were legally required to use their real names. A simple Web search in Korean can be a fruitless experience, because the operators of many sites, including some government ministries, bar search engines from indexing their pages. Travelers who want to go from Gimpo International Airport to the Gangnam neighborhood of Seoul cannot rely on Google Maps. Google Maps can provide directions only for public transport, not for driving, to any place in Korea. Anyone crazy enough to try the journey on bicycle or on foot, directions for which Google Maps provides elsewhere, will be similarly stymied. The highly regulated Internet comes as a surprise to many people, Koreans included, because South Korea is a strong democracy with a vibrant economy seemingly ready for the digital information age. South Koreans were early adopters of Internet games and smartphones. It has world-beating electronics companies like Samsung and LG. But here the Internet is just different. The Korean government has its reasons, most of them well-intentioned. The curfew, for example, was put in place to deal with concerns over game addiction among teenagers. South Korean security restrictions that were put in place after the Korean War limit Google's maps, the company says. The export of map data is barred, ostensibly to prevent it from falling into the hands of South Korea's foe to the north, across the world's most heavily fortified border. Google and other foreign Internet companies say the rule also prevents them from providing online mapping services, like navigation, that travelers have come to rely on in much of the rest of the world. Foreign Internet companies say the country's rules prevent them from competing against domestic rivals because they cannot provide the same services they do elsewhere. South Korea is one of the few major markets where Google is not the leading search engine. A South Korean rival, Naver, has the most users.

Mississippi the latest state to claim copyright over official compilation of its laws (TechDirt, 14 Oct 2013) - We've written about Carl Malamud and his ongoing crusade to make sure that the law is actually publicly accessible and not locked up by copyright. Just recently, we noted that he'd run into some troubles with Georgia, and it appears now he's facing a similar challenge from Mississippi. The basic story was actually posted as an update to Malamud's ongoing Kickstarter project, which we've already told you about. The issue? Malamud had purchased, formatted and posted Mississippi's Code of Law, Annotated. As with Georgia, the real issue seems to be in the question of whether or not the annotations themselves are covered by copyright, as they're often produced and sold by a private company (usually LexisNexis), but in coordination with the government. That's the case here, as the letter Malamud received from Mississippi's intellectual property counsel, Larry Schemmel, suggests. Schemmel goes to great lengths to point out that the unannotated code is "freely available," but that the "creative work" behind the annotations is covered by copyright, and thus should be taken off of Malamud's site. However, as Malamud notes in his response letter (complete with a bunch of "exhibits"), the State of Mississippi makes it fairly clear that the annotated code is part of the law, and thus he argues it, too, should be freely accessible.

New rules restrict telemarketing calls to your mobile (Marketplace, 16 Oct 2013) - New Federal Communications Commission rules on telemarketing take effect today. The rules are designed to cut down on marketing calls -- especially to cell phones. The regulations require telemarketers to get written consent from consumers before calling their cell phones with automatic dialing systems. The new rules also apply to text messages from marketers. Attorney David Klein advises telecom companies. He says the FCC is trying to tip the balance of power toward consumers. Klein also says there are exceptions. Your wireless carrier can still call or message you, as can your doctor's office and political pollsters. But there's a big hole in the rules. They don't apply to international telemarketers.

Federal security breaches traced to user noncompliance (CSO Online, 17 Oct 2013) - According to a new study by MeriTalk, federal cybersecurity professionals are so focused on implementing rigid policies to lock down data that they often ignore how those rules will impact end users within their agencies. The result, perhaps predictably, is that many government workers resent the burden that security protocols impose, complaining that they are time-consuming and hinder productivity, while nearly a third say that they regularly use a workaround to circumvent the security roadblocks. Respondents to the MeriTalk survey, which was underwritten by cloud provider Akamai, noted a direct correlation between onerous security policies and a lack of compliance. Small wonder then that security professionals said that nearly half -- 49 percent -- of federal security breaches can be attributed to end users not complying with the policies in place at their agencies. "Without question, federal cybersecurity pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security," Ruff said. The increasing sophistication of cyber threats and the new IT initiatives agency CIOs are pursuing across the government add a sense of urgency to harmonizing security policies with end user behavior. For instance, 74 percent of the cybersecurity professionals polled said that they are unprepared for an international attack, and an equal number said they aren't equipped to adequately secure access to mobile devices. Then 70 percent said that they aren't prepared to secure cloud environments, and 70 percent also said they aren't ready to fend off a denial-of-service attack. At the same time, half of cybersecurity workers polled said that they anticipate that their agency will be the victim of a DoS attack in the coming year.

NSA snooping exposed by Snowden breaches international law, experts say (Slate, 17 Oct 2013) - Spy agencies in the United States and the United Kingdom have argued that their recently exposed dragnet surveillance programs are legal and necessary. But international law experts are not so sure. At a hearing in the European Parliament on Monday, the surveillance initiatives operated by the National Security Agency and its British counterpart, the Government Communications Headquarters, were the subject of legal scrutiny as part of an ongoing inquiry prompted by leaks by NSA whistleblower Edward Snowden. Participating in the session was a judge who has served in the European Court of Human Rights for 15 years, a former United Nations special rapporteur on human rights and counterterrorism, and a London-based international law professor. All three agreed that the scope of the surveillance revealed in the Snowden leaks constituted violations of both European and international laws and treaties. Martin Scheinin, the U.N. special rapporteur on human rights and counterterrorism from 2005 to 2011, said that the Snowden leaks showed a "massive interference with the privacy rights of EU citizens and others." The surveillance, he said, amounted to "an unlawful or arbitrary interference with privacy or correspondence, and this conclusion follows independently from multiple grounds." Finland-born Scheinin, who is currently the president of the International Association of Constitutional Law, added that he believed the United Kingdom and the United States "have been involved and continue to be involved" in activities that violate their obligations under the International Covenant on Civil and Political Rights. The ICCPR is a 1966 multilateral treaty that is ratified by more than 160 countries, including the United States and the United Kingdom. Article 17 of the treaty states that citizens should not be "subjected to arbitrary or unlawful interference with [their] privacy, family, home or correspondence."

First breach baby grows bigger (Steptoe, 17 Oct 2013) - The granddaddy of data breach notification laws just gave its original offspring longer arms. Governor Jerry Brown of California has signed into law two bills that expand the state's notification law. One (S.B. 46) significantly broadens the scope of covered personal information to include a user name or email address when acquired in combination with a password or security question and answer that permit access to any online account. The other (A.B. 1149) extends the notification requirements to local government agencies. As with California's original notification law, it seems likely that other states will begin to follow suit by expanding the coverage of their own laws. [Polley: see LOOKING BACK below for a related story.]

Illinois high court rejects 'Amazon' sales tax (USA Today, 19 Oct 2013) - The Illinois Supreme Court threw out a state law Friday that taxes certain Internet sales, saying the so-called "Amazon tax" violated federal rules against "discriminatory taxes" on digital transactions. The 6-1 ruling represented the first time a court had invalidated an Internet sales tax law among 18 states that have them. It brought an immediate cry from traditional, store-based retailers for Congress to step into regulating taxes on web sales. The court determined that Illinois' 2011 "Main Street Fairness Act" was superseded by the federal law, which prohibits imposing a tax on "electronic commerce" and obligates collection that's not required of transactions by other means, such as print or television. Illinois' law required out-of-state retailers to collect state taxes on annual sales of more than $10,000 that involve in-state "affiliates," or website operators and bloggers, that draw consumers to the retailers' sites in exchange for a cut of each sale. Illinois' tax collector, the Department of Revenue, said it's considering asking the U.S. Supreme Court to intervene. Amazon.com did just that in August, when it sought a review of the New York Court of Appeals' March ruling upholding the law there. The Empire State was among the first to argue that a business with "affiliates" within its borders gives the company a physical presence there - a must if a state hopes to collect taxes from it, according to a 1992 U.S. Supreme Court ruling.

Would you bet on the future of Online Dispute Resolution (ODR)? (Legal Whiteboard, Bill Henderson, 20 Oct 2013) - I would. The best example of ODR I have come across is Modria, whose tagline is "Any issue, resolved." Before dismissing Modria as a trivial Internet parlor game, consider this: The technology and process at work here got its start at Paypal and Ebay. Why did Paypal and Ebay become so good at dispute resolution? Because their goal of becoming mega-volume businesses depended on it. If you have millions of transactions daily, a huge volume of low-stakes complaints is inevitable. If dissatisfied customers stay dissatisfied, they don't come back. Worse, they'll talk to their friends. Now watch [its] video. Note that the target audience is businesses who (a) feel disputes are a drain on their time and energy, and (b) want happy, loyal customers who vouch for them to friends and family. A prompt, fair resolution to a dispute actually deepens the trust relationship. That's not speculation. That's science. And Modria, and its investors, know that. * * *

Dubious news hook lets me confirm and blog my pre-existing views (Stewart Baker, 20 Oct 2013) - I'm a much bigger fan of Girl Talk, whom I've blogged about before, than of current copyright law, so it's hard to resist a chance to talk about both. Girl Talk (actually a fellow named Greg Gillis) produces delightful mashups of hip-hop and classic rock that shed new light on both. Since Girl Talk relies on a claim of fair use for his sampling and doesn't seek the original label's authorization, he has trouble selling his albums through the usual channels. Now Michael Schuster, another Girl Talk lawyer-fan, has produced a law-review study of All Day, Girl Talk's latest album, arguing that the songs it samples actually had higher sales in the year after the sampling than in the year before. For those of us who think copyright law is too protective of plaintiffs, the article is comforting. It suggests that current law may actually be hurting the authors it purports to help by discouraging musicians from introducing their fans to our pop-cultural heritage. Actually, though, I think the article is a little too comforting. I am always skeptical of scholarly research that reinforces academic prejudices, since scholars tend to adjust their standards of proof to fit their prejudices. Hostility to copyright is pretty much the norm in academic circles, and if you read the article skeptically, it loses much of its persuasiveness. Schuster achieves his results by playing with the sample, dropping nine songs from a sample of about 200 because they completely wreck his argument. His reason for dropping the songs is that they were hits in the 30 months prior to the release of Girl Talk's album, and hits by definition suffer declining sales after topping out. If he didn't drop those songs, Schuster's data would show a 50% drop in sales of the songs that Girl Talk samples. Schuster says he's just correcting for noise in the data, and it isn't appropriate to charge Girl Talk with the natural rhythm of pop music sales. Maybe so, but once you start making big after-the-fact adjustments to a sample of 200, you can prove pretty much anything. At best, Schuster has developed an interesting hypothesis that ought to be tested by a new experiment untainted by data cherry-picking.

Can lawyers use Groupon-type marketing? ABA ethics opinion sees problems with prepaid deals (ABA Journal, 21 Oct 2013) - Lawyers who offer prepaid deals through daily deal or group-coupon offers are treading on ethically precarious ground, according to an ABA ethics opinion. The opinion (PDF) doesn't specifically mention Groupon, probably the best-known group coupon website, except in a footnote referencing a state bar opinion. But its description of the typical arrangement has Groupon-like characteristics: Daily deals are advertised on a website, and consumers who want deal notifications can sign up to receive them in emails. After a threshold number of people purchase a deal, the marketing organization and the business share the proceeds. The buyers get a voucher, code or coupon. The ethics opinion says these deals may be structured in two ways. In coupon deals, a lawyer might sell a $25 coupon for a 50 percent discount on up to five hours of legal services, for example. In prepaid deals, a lawyer might charge $500 for up to five hours of legal service, a value of $1,000. The money is collected up front by the marketing organization. It's the latter structure that is particularly troubling to the ABA Standing Committee on Ethics and Professional Responsibility. "The committee believes that coupon deals can be structured to comply with the Model Rules," according to Formal Opinion 465. "The committee has identified numerous difficult issues associated with prepaid deals, especially how to properly manage payment of advance legal fees, and is less certain that prepaid deals can be structured to comply with all ethical and professional obligations under the Model Rules." In coupon deals, the legal opinion says, no legal fees are involved unless and until a lawyer-client relationship is formed, time is spent and the discounted fees are collected. As a result, the aggregate amount collected from coupon sales may be deposited into a lawyer's general account. But the money collected in prepaid deals amounts to advance legal fees that need to be identified by purchaser name and deposited into a trust account, the ABA opinion says. The lawyer will have to obtain sufficient information about deal buyers to comply.

Wall Street banks learn how to survive in staged cyber attack (Reuters, 21 Oct 2013) - A few months ago, a group of Wall Street banks fashioned a risk-manager's worst nightmare to determine how they would survive. Luckily, it was all pretend. In a staged simulation called Quantum Dawn 2, bank executives in charge of operations, technology and crisis planning were tasked with detecting how a massive cyber attack was unfolding in the markets - but each one only got to see a tiny red flag waving in a sea of information. In some cases, a blue-chip stock started to plummet inexplicably. Soon, shocking news about the company hit the market, but unbeknownst to the participant, the news was fake. For others, trading systems were on the fritz, or government websites stopped functioning. Even basic technology such as telephones and printers stopped working properly for some. Individually, any of these problems would be reason to worry. The challenge for Quantum Dawn 2's victims was not only spotting a problem, but communicating with rivals, exchanges and government authorities to conclude that markets were in the throes of a systemic crisis and needed to be shut down. "It didn't all happen at once - each attack affected firms differently," said Karl Schimmeck, vice president of Financial Services Operations at the Securities Industry and Financial Markets Association (SIFMA), a Wall Street trade group that oversaw the event. "Some firms would see a problem, some firms wouldn't, and some firms only 'see' it second-hand because they're communicating with each other." The most visible attacks affect customers' access to websites through a distributed denial of service - or "DDOS" - attack. But banks are also worried about more insidious attacks, in which hackers quietly infiltrate systems to swipe valuable data, or lie in wait to plow across the entire industry with a systemic attack - the doomsday scenario Quantum Dawn 2 participants want to avoid. One key lesson from the drill was that the private sector and government authorities must share information more freely and quickly, said Ed Powers, the national managing principal of Deloitte & Touche LLP's security and privacy practice, which was an independent observer of Quantum Dawn 2. While firms have detailed information about individual attacks, authorities can help prevent a crisis by sharing information about broader threats when appropriate, he said.

NSA surveillance: the 21st-century panopticon (The Atlantic, Bruce Schneier, 21 Oct 2013) - The basic government defense of the NSA's bulk-collection programs - whether it be the list of all the telephone calls you made, your email address book and IM buddy list, or the messages you send your friends - is that what the agency is doing is perfectly legal, and doesn't really count as surveillance, until a human being looks at the data. It's what Director of National Intelligence James R. Clapper meant when he lied to Congress. When asked, "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" he replied, "No sir, not wittingly." To him, the definition of "collect" requires that a human look at it. So when the NSA collects - using the dictionary definition of the word - data on hundreds of millions of Americans, it's not really collecting it, because only computers process it. The NSA maintains that we shouldn't worry about human processing, either, because it has rules about accessing all that data. General Keith Alexander, director of the NSA, said that in a recent New York Times interview: "The agency is under rules preventing it from investigating that so-called haystack of data unless it has a 'reasonable, articulable' justification, involving communications with terrorists abroad, he added." There are lots of things wrong with this defense. First, it doesn't match up with U.S. law. Wiretapping is legally defined as acquisition by device, with no requirement that a human look at it. This has been the case since 1968, amended in 1986. Second, it's unconstitutional. The Fourth Amendment prohibits general warrants: warrants that don't describe "the place to be searched, and the persons or things to be seized." The sort of indiscriminate search and seizure the NSA is conducting is exactly the sort of general warrant that the Constitution forbids, in addition to it being a search by any reasonable definition of the term. The NSA has tried to secretly redefine the word "search," but it's forgotten about the seizure part. When it collects data on all of us, it's seizing it. * * * [Polley: The rest is also worth reading.]

Bad Code: Part III (Lawfare, Jane Chong, 22 Oct 2013) - What do software users have in common with Mary Mallon, better known today as Typhoid Mary? A lot - and that's why we shouldn't be leaving the quality of code in the hands of the market. Confused? Connect the rest of the dots over at Security States, where we've just published the latest installment in our series on what it would take to hold software makers liable for the insecurity of their products. Part 1 offered an overview of the problems associated with insecure software; Part 2 argued that the technical challenges associated with minimizing software vulnerabilities weigh in favor of, not against, imposing liability on software makers. Here is an excerpt from Part 3: Security experts have written tomes on why monthly patch rollouts and steadily proliferating antivirus options do not collectively constitute a viable security solution to the problem of insecure code. But more can be said about the nature of this inadequacy, which traces back to the inadequacy of users. Consumers of "Internet hygiene services" are ultimately as ill-equipped to bear the burden of shaping the market to minimize software security risks as Mallon's employers were in controlling the spread of typhoid. The analogy applies on two levels, for as users we play the role of the victims - the New Yorkers who hired Typhoid Mary - but in important respects we also play the role of Mary herself. Three features make Typhoid Mary a relevant analogy for the modern software user, and shed light on why relying on users to make responsible cyber hygiene decisions cannot make for a responsible national cybersecurity policy.

- and -

Bad Code: Part V (Lawfare, Jane Chong, 31 Oct 2013) - Does holding software providers accountable for the insecurity of their code amount to going nuclear on the industry - the equivalent of pushing the big red button? I argue that this is the way critics see it, in the fifth and final installment of our Security States cyberliability series. Meanwhile proponents see liability as a far subtler weapon, along the lines of a many-levered machine. The distinction is a crucial one, one that suggests the two sides are talking past each other. Here's an excerpt from Part 5: [H]olding software providers accountable for their code need not entail exposing software providers to lawsuits for any and all vulnerabilities found in their products. Liability critics battle a straw man when they make arguments like this one, from computer security authority Roger Grimes: "If all software is imperfect and carries security bugs, that means that all software vendors - from one-person shops to global conglomerate corporations - would be liable for unintentional mistakes." Liability is a weapon far more nuanced than its critics believe. Geer and Grimes see liability as a big red button - a kind of nuclear option, to be avoided at all costs. Meanwhile proponents understand liability as a complex machine ideally outfitted with a number of smart levers. Consider: software's functions range from trivial to critical; security standards can be imposed at the development or testing stage, in the form of responsible patching practices or through obligations for timely disclosure of vulnerabilities or breaches; the code itself might be open-source or proprietary or in any case free. An effective liability regime is one that takes these many factors into account when it comes to designing rules, creating duties or imposing standards.

- and -

Toyota's killer firmware (Slashdot, 29 Oct 2013) - "On Thursday, a jury verdict found Toyota's ECU firmware defective, holding it responsible for a crash in which a passenger was killed and the driver injured. What's significant about this is that it's the first time a jury heard about software defects uncovered by a plaintiff's expert witnesses. A summary of the defects discussed at trial is interesting reading, as well as the transcript of court testimony. 'Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.' Anyone wonder what the impact will be on self-driving cars?"
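
The run-time stack monitoring the testimony says was missing is, in embedded practice, usually a painted stack with a high-water-mark and guard-zone check performed by the scheduler at each task switch; it catches the data-dependent and pointer-driven call depths that a static stack analysis can miss. The following is an added example, not Toyota's code and not any real RTOS API: the task stack, guard zone, thresholds and the recursive workload are all constructed so that it runs on an ordinary host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: run-time stack monitoring for one RTOS task, simulated on a
   plain array. On a real target the array would be the task's allocated stack. */

#define STACK_WORDS   128u          /* size of the simulated task stack */
#define GUARD_WORDS   8u            /* reserved zone at the bottom (lowest addresses) */
#define FILL_PATTERN  0xA5A5A5A5u   /* paint value for never-used stack words */
#define WARN_PERCENT  80u           /* alarm threshold for the high-water mark */

enum stack_status { STACK_OK = 0, STACK_WARN = 1, STACK_OVERFLOW = 2 };

struct stack_report {
    size_t used_words;      /* deepest usage ever observed (high-water mark) */
    unsigned used_percent;  /* used_words as a percentage of the usable region */
    enum stack_status status;
};

/* Stacks grow downward: word [STACK_WORDS-1] is the top, word [0] the bottom. */
static uint32_t task_stack[STACK_WORDS];

/* Step 1: paint the whole region before the task first runs. */
void stack_paint(uint32_t *stack, size_t words)
{
    for (size_t i = 0; i < words; i++)
        stack[i] = FILL_PATTERN;
}

/* Step 2: measure. Scan upward from the bottom; the first word that no longer holds
   the paint pattern marks the deepest point the stack ever reached. A disturbed word
   inside the guard zone means the task ran past its budget at some point, even if the
   stack pointer has since unwound (a snapshot of the pointer alone would miss this). */
struct stack_report stack_check(const uint32_t *stack, size_t words, size_t guard)
{
    struct stack_report r;
    size_t untouched = 0;
    while (untouched < words && stack[untouched] == FILL_PATTERN)
        untouched++;
    r.used_words = words - untouched;
    size_t usable = words - guard;
    r.used_percent = (unsigned)((r.used_words * 100u) / usable);
    if (untouched < guard)
        r.status = STACK_OVERFLOW;
    else if (r.used_percent >= WARN_PERCENT)
        r.status = STACK_WARN;
    else
        r.status = STACK_OK;
    return r;
}

/* A constructed task body whose call depth depends on its input: each nesting level
   pushes a frame of `frame_words` onto the simulated stack and writes its locals.
   The `base` pointer stands in for a memory-protection boundary: the simulation stops
   there instead of writing outside the array. */
static void task_body(uint32_t *sp, uint32_t *base, size_t frame_words, unsigned depth)
{
    if (depth == 0 || (size_t)(sp - base) < frame_words)
        return;                              /* no room for another frame */
    uint32_t *frame = sp - frame_words;      /* push a frame */
    for (size_t i = 0; i < frame_words; i++)
        frame[i] = depth;                    /* locals written into the frame */
    task_body(frame, base, frame_words, depth - 1);
}

/* Step 3: run the task with a given call depth, then report as a scheduler would at
   the next task switch. Frames are 4 words; depth beyond 32 exhausts the region. */
struct stack_report run_task_and_check(unsigned depth)
{
    stack_paint(task_stack, STACK_WORDS);
    task_body(task_stack + STACK_WORDS, task_stack, 4, depth);
    return stack_check(task_stack, STACK_WORDS, GUARD_WORDS);
}

int main(void)
{
    static const char *names[] = { "OK", "WARN", "OVERFLOW" };
    unsigned depths[] = { 5, 25, 40 };
    for (size_t i = 0; i < 3; i++) {
        struct stack_report r = run_task_and_check(depths[i]);
        printf("depth %2u: %3zu/%u words used (%u%%) -> %s\n", depths[i],
               r.used_words, STACK_WORDS - GUARD_WORDS, r.used_percent,
               names[r.status]);
    }
    return 0;
}
```

Depth 5 stays well inside the budget, depth 25 trips the 80 percent warning, and depth 40 disturbs the guard zone and is reported as an overflow even though the simulated task has already returned.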

Fon finally launches in the US, inviting consumers to share their Wi-Fi (GigaOM, 23 Oct 2013) - If you thought Fon's recent roaming partnership with AT&T was a first step toward the Spanish Wi-Fi aggregator's launch in the U.S., then you would have been right. The company announced on Wednesday that it has begun selling its Wi-Fi routers to U.S. consumers. Called Foneras, the devices work like any other Wi-Fi access point with one exception: they automatically partition off a portion of their Wi-Fi signals to create a shared broadband network accessible to any Fon member at no cost. Fon has been operating in Europe since 2007 and first expanded internationally to Japan in 2011 through a partnership with Softbank. It actually has a presence in the U.S. of a few thousand members (called Foneros), but they're primarily European expats that have brought their Foneras over the Atlantic. Starting today, Fon will begin recruiting members within the U.S., selling the latest version of its router for $59 on Amazon.com and on its website. Europeans embraced a Wi-Fi-first attitude toward connecting mobile devices like smartphones and tablets, while us Yanks seemed content to use our cellular connections, she said (perhaps a vestigial remnant of our old unlimited data plans). That attitude has shifted in recent years, and U.S. companies are starting to embrace the concept of shared Wi-Fi. The most obvious example of that is Comcast, which recently began opening up all of its customers' home Wi-Fi routers to other Comcast customers.

Third Circuit requires warrant for GPS monitoring and limits good-faith exception in United States v. Katzin (Volokh Conspiracy, Orin Kerr, 23 Oct 2013) - Today the Third Circuit handed down United States v. Katzin, an important case on three related issues of Fourth Amendment law: first, whether the installation of a GPS device requires a warrant; second, the scope of the Davis good-faith exception to the exclusionary rule; and third, who has standing to suppress the evidence from the physical search of a car following a GPS search. The divided court ruled in the defendants' favor on all three issues. First, installation of a GPS device requires a warrant; second, the Davis good-faith exception applies only when there was directly on-point binding appellate precedent allowing the government's acts; and third, every passenger in the car at the time it is stopped has standing to challenge the fruits of the subsequent physical search. There's a lot in the Katzin case, so I thought I would blog on the three issues and offer my perspective on them. * * *

Federal prosecutors, in a policy shift, cite warrantless wiretaps as evidence (NYT, 26 Oct 2013) - The Justice Department for the first time has notified a criminal defendant that evidence being used against him came from a warrantless wiretap, a move that is expected to set up a Supreme Court test of whether such eavesdropping is constitutional. Prosecutors filed such a notice late Friday in the case of Jamshid Muhtorov, who was charged in Colorado in January 2012 with providing material support to the Islamic Jihad Union, a designated terrorist organization based in Uzbekistan. Mr. Muhtorov is accused of planning to travel abroad to join the militants and has pleaded not guilty. A criminal complaint against him showed that much of the government's case was based on intercepted e-mails and phone calls. The government's notice allows Mr. Muhtorov's lawyer to ask a court to suppress the evidence by arguing that it derived from unconstitutional surveillance, setting in motion judicial review of the eavesdropping. The New York Times reported on Oct. 17 that the decision by prosecutors to notify a defendant about the wiretapping followed a legal policy debate inside the Justice Department. The debate began in June when Solicitor General Donald B. Verrilli Jr. discovered that the department's National Security Division did not notify criminal defendants when eavesdropping without a warrant was an early link in an investigative chain that led to evidence used in court. As a result, none of the defendants knew that they had the right to challenge the warrantless wiretapping law. The practice contradicted what Mr. Verrilli had told the Supreme Court last year in a case challenging the law, the FISA Amendments Act of 2008.

How one small American VPN company is trying to stand up for privacy (ArsTechnica, 27 Oct 2013) - In recent months, I've started to take my own digital security much more seriously. I encrypt my e-mail when possible, I've moved away from Gmail, and I've become much more vigilant about using a VPN nearly all the time. Just as cryptographers and security researchers are auditing tools like TrueCrypt, I've started to kick the tires of the products that I rely upon on a daily basis. When I lived in Germany between 2010 and 2012, my wife and I paid $40 a year for a commercial VPN so we could continue to watch Hulu. But upon our return stateside, I kept paying for it anyway, for privacy-minded reasons. There are lots of VPNs out there, but the one I use is Private Internet Access (PIA). Why PIA? No particular reason, really. I don't remember exactly how I came to choose it, but I remember seeing it in a roundup of VPNs listed on TorrentFreak. I now use PIA nearly every day, almost all the time, and that got me wondering: how does the company respond to real-world legal requests? Has it ever been compelled to hand over user data? Were those users ever notified? Unfortunately, Private Internet Access' website doesn't really make clear who is behind its site. The site's footer points to London Trust Media, which also provides nothing more than an e-mail address. A little searching led me to find, and then get in touch with, the CEO of London Trust Media, Andrew Lee, one of the firm's two owners. Lee has a background in the world of Bitcoin (he was one of the original founders of Mt. Gox), but he has had an interest in online privacy for years. PIA has been around since August 2009. Today, it has around 100,000 users. One of PIA's biggest selling points (like other VPN providers) is that it does not log anything, and thus has little data to actually hand over to law enforcement. "We've never been asked for keys, nor [have we] handed over user data," Lee told Ars.
"What happens is that if anybody asks us for information, first and foremost, we confirm that they are a legit agency or government body that has any jurisdiction to even attempt to ask for that data. Then we go through and see that that complies with the letter and the spirit of the law. We don't have any logs whatsoever. We don't log metadata [or] session data either. We will comply with anything, but we can't comply because we do not provide any logs. We don't log, period." Of course, one of the biggest problems is that there's essentially no way for me to verify PIA's (or anyone else's) practices. Lots of VPN firms claim not to log, and I'd like to believe them, but there's really no way for me to know for sure that Lee can't see that I'm loading Ars about 100 times a day. Lee also told me that his firm has spoken with the Electronic Frontier Foundation (EFF) and other related groups to try to come up with a third-party audit system that would attempt to alleviate this exact problem. That way, ordinary consumers like me would at least have a little bit more of a reason to trust that no logs are being kept. "You have to trust the VPN; they have access to your data," Dan Auerbach of the EFF told Ars. "Even if they're really good, the government can come in and say we have a warrant... You have to take it on faith that there will be no CALEA-type orders, [where] the government will come in and say you have to come in and do logging. This is the reason that Tor was developed, was that people realized that we want some sort of anonymity service that doesn't require you to trust just one party. That's the basic problem with VPNs." * * * [Polley: This continues, with interesting discussion about legal issues, including possible use of a "warrant canary". For many of the reasons stated in this story, I've decided to cancel my VPN account with GetCloak.com; it comes down to my inability to trust any third-party service provider that might log, or steal, my traffic. I'd suggested to GetCloak that they make public security promises that might be enforceable by the FTC, but even those might not be sufficient to enable me to use my financial log-in credentials over their network. So, I'm back to using AT&T, via my iPhone tethering, to secure my sensitive traffic, notwithstanding NSA interception. Better the NSA than somebody I don't know and really cannot trust.]

Adobe breach far worse than thought (GigaOM, 30 Oct 2013) - Remember that Adobe source code breach that freaked everyone out? Well, it's worse than we thought. It turns out that it affected not "just" Acrobat, Acrobat Reader and ColdFusion users, but Photoshop users as well. The number of customers whose data was filched is not 3 million, as Adobe said early this month, but more like 38 million, as Photoshop is used by millions of people to edit photographs and images. The issue with source code theft is that the bad guys can go through the code, line by line, to find vulnerabilities and start exploiting them long before anyone knows what's going on. [Polley: I was interviewed about the Adobe hack in this Law360 article.]

Antigua preparing to move forward with WTO authorized rejection of US copyrights (Patently-O, 31 Oct 2013) - Over the past several decades, the US has been at the forefront of pushing through low international trade barriers and strong intellectual property rights. The current scheme is organized through the World Trade Organization and the vast majority of nations have signed on as members. The WTO has a dispute resolution mechanism that allows one country to bring another country to task for failing to abide by their trade-related promises. Most of these cases involve either import restrictions placed on certain goods or the "dumping" of goods. Since around 2003, the US has taken fairly effective measures to destabilize the market for cross-border gambling and betting services. In response to those measures, the country of Antigua and Barbuda filed a WTO dispute complaining that the US action was a trade violation, and the WTO panel agreed with Antigua. The particular findings are that "three US federal laws (the Wire Act, the Travel Act and the Illegal Gambling Business Act) and the provisions of four US state laws (those of Louisiana, Massachusetts, South Dakota and Utah) on their face, prohibit … cross-border supply … contrary to the United States' specific market access commitments for gambling and betting services." The penalty for a WTO violation typically involves the WTO allowing counter-measures by the injured party - typically their own import quota or restriction. In countries with a strong domestic industry, the import quota can provide a strong, albeit temporary, boost. However, those quotas also injure local consumers who typically pay more for lower quality goods or services. Antigua's particular situation is also unique because the country does not have much of any domestic industry beyond tourism (including gambling). As such, a typical quota does not make sense as a penalty against the US.
At the end of the day, the WTO authorized Antigua to suspend its TRIPs obligations with respect to U.S. intellectual property at a cost to the US. Antigua is now rapidly moving forward with a monetization scheme that would essentially create a local market for copyrighted work owned by U.S. entities, but where no royalties are paid to the U.S. copyright holders. Antiguan legislation is expected in the upcoming weeks followed by bids from private contractors to build-out the online marketplace.

Digital copyright, fair use, and digital rights management (MLPB, 31 Oct 2013) - Nicolo Zingales, Tilburg Law and Economics Center (TILEC), has published Digital Copyright, 'Fair Access' and the Problem of DRM Misuse in the Boston College Intellectual Property & Technology Forum (2012). Here is the abstract: The advent of the digital age and the wide diffusion of copyrighted works over the Internet have brought about a drastic challenge to the pre-existing rules and legal standards governing the exchange of information. This article points out one of the ways the development of these new technologies has altered the boundaries of copyright, specifically by enabling copyright holders to strategically expand the scope of protection through the strategic use of Digital Rights Management (hereinafter, DRM). After a brief overview of these technologies and their contribution to the development of online markets for copyrighted works, the article discusses the risks of using DRM as a means of stretching the legal protection conferred by Intellectual Property law. As a potential solution to such a problem, the article looks at the role of the courts and the approach embraced vis-à-vis specific cases of abuse of DRM in the copyright context. In carrying out this analysis, some considerations are made on the pro-competitive benefit that may derive from these practices, and thus the different outcome that would result from an application of a pure antitrust scrutiny to the same situation. The article then concludes by recommending a two-fold approach to the assessment of the legality of such practices, where antitrust analysis and IP principles are intermingled, proposing a legal test to facilitate this complex assessment.

NOTED PODCASTS

Alessandro Acquisti: Why privacy matters (TED talk, June 2013) - The line between public and private has blurred in the past decade, both online and in real life, and Alessandro Acquisti is here to explain what this means and why it matters. In this thought-provoking, slightly chilling talk, he shares details of recent and ongoing research -- including a project that shows how easy it is to match a photograph of a stranger with their sensitive personal information. [Polley: very interesting - I hadn't appreciated how robust facial-recognition systems have become, and what happens when those systems are applied to Facebook (and the like) photo-uploading systems, and then advertising-push systems.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

California Disclosure Law Has National Reach (SecurityFocus, 6 Jan 2003) -- A new California law requiring companies to notify their customers of computer security breaches applies to any online business that counts Californians as customers, even if the company isn't based in the Golden State. So warned Scott Pink, deputy chair of the American Bar Association's Cybersecurity Task Force, in a conference call Monday organized by an industry trade group and attended by approximately 50 representatives of technology companies and law firms concerned about the scope of the new law, which will take effect on July 1st of this year. "If you are selling products or providing services to residents of California, it would probably be determined that you're conducting business in California under this law," said Pink. "This is something that has captured the attention of many corporate counsel and many IT managers around the United States, as they try to understand what the law requires and how it impacts them." The law, called "SB 1386," is intended to combat identity theft. It passed last September in the wake of a high-profile computer intrusion into a California state government system that housed payroll information on 200,000 state workers, in which the victim employees were not warned that their personal information was stolen until weeks after the incident. The law passed over strong objections from industry groups. To trigger the law, a breach must expose certain types of information: specifically, customers' names in association with their social security number, driver's license number, or a credit card or bank account number. After such an intrusion, the company must notify the affected customers in "the most expedient time possible and without unreasonable delay." Other types of information are not covered, and the disclosure only needs to be made to California residents. But as a practical matter, Pink said, online businesses may find it easier to notify everyone impacted by a breach, rather than trying to cherry-pick Californians for special treatment.

Spam Suits Seek Poetic Justice (CNET, 4 April 2003) -- Call it the case of the hijacked haiku. Antispam company Habeas is suing bulk e-mailers, accusing them of using its poetry without permission in an unusual use of trademark law to clamp down on spammers. Habeas, headed by lawyer and antispam activist Anne P. Mitchell, puts a new twist on spam prevention by inserting some trademarked haiku lines into the header of an e-mail. The haiku is supposed to indicate to spam filters that the accompanying message is not spam, in an effort to make sure that legitimate messages get through to recipients. Habeas' haikus are recognized by the antispam filters and technology of companies including SpamAssassin, AOL and Juno. When it launched last August, Habeas promised to closely track how its haikus were used and threatened to sue those who ran afoul of its trademarks and copyrights. This week, Habeas followed through on those threats, filing two suits in federal court in San Jose, Calif., accusing some Internet marketers of trademark violation and breach of contract. "The only reason to put our mark in the e-mail is to make sure it gets past spam filters," Mitchell said. "If someone uses our trademark without permission, we are required to go after them."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
