Saturday, November 23, 2013

MIRLN --- 3-23 Nov 2013 (v16.16)

by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Cyber security: lawyers are the weakest link (The Lawyer, 28 Oct 2013) - In space, no one can hear you scream, but cyberspace will soon be alive with the shrieks of lawyer pain as client confidentiality disappears out a gapingly wide-open digital window. Law firms are in the front line of cyber security threats, with hackers increasingly targeting the legal profession for the goldmine of sensitive and confidential client data firms hold. And that threat is becoming so prevalent that cyber specialist practitioners envisage a time soon when bank and corporate general counsel - as well as those in charge of family offices - will insist on law firm security audits as part of routine panel reviews. This is not the stuff of science fiction or scaremongering, according to the experts. One cyber security specialist relates that a top 10 City firm chief information officer is convinced of the inevitability of a prominent legal practice going down in flames as a result of a cyber attack breaching client confidentiality and rendering the practice's wider reputation and market position untenable. Some suggest the financial services sector is starting to see law firms as the 'soft underbelly' in the cyber security battle. While they themselves have recognised the threat, upgraded systems and implemented state-of-the-art layers of defence, their lawyers, argue some senior bankers, are a weak link. Firms holding vast quantities of confidential information regarding financial services sector clients are a target for hackers because they are behind the cyber security curve. But while not complacent about the threat, some specialist lawyers are cynical, sensing a whiff of hyperbole behind the jargon. "The technology industry has a fantastic ability to create new terminology for old concepts," comments one City firm data privacy specialist. "You could argue that cyber security is just another aspect of general data protection, and privacy and information management."

Fifth amendment prevents compelled decryption (Berkman, 31 Oct 2013) - On Monday, the Cyberlaw Clinic filed an amicus brief in the Supreme Judicial Court on behalf of the American Civil Liberties Union Foundation of Massachusetts, the American Civil Liberties Union Foundation, and the Electronic Frontier Foundation in the case of Commonwealth v. Gelfgatt, SJC No. 11358. In the brief, we argue that the Fifth Amendment and article 12 of the Massachusetts Declaration of Rights prohibit the government from compelling a defendant to decrypt their electronic data for use against them in criminal proceedings because it involves the kind of testimonial acts protected by constitutional protections against self-incrimination. This is the Cyberlaw Clinic's third brief filed in a series of cases before the Supreme Judicial Court addressing updates to constitutional protections in light of new technologies. Prior filings on behalf of the Electronic Frontier Foundation concerned warrant requirements for GPS tracking of suspects (Commonwealth v. Rousseau) and historical cell phone location records (Commonwealth v. Augustine).

Data security: pay it now or pay out later (Squire Sanders, 31 Oct 2013) - The price of compliance may be high, but the price of non-compliance is even higher. Based on its recent $3 million data breach settlement, AvMed, and many other entities that have experienced data breach litigation, would likely agree that paying for security upgrades now is far superior to paying for data breaches later. In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, social security numbers, and health-related information. Last week, AvMed signed a settlement agreement to end the class action litigation that began in 2010. The settlement essentially requires AvMed to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades and updates to security policies and procedures (all of which are set out in HIPAA regulations). Not only does AvMed have to correct its non-compliance, but it must also forfeit the "unjust enrichment" it has received over the years by not spending sufficiently for data security it should have provided. AvMed will reimburse "premium overpayments" of $10 for each year the customer paid AvMed insurance premiums with a $30 cap for each approved class member without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.

Bad Code: the whole series (Lawfare, Jane Chong, 4 Nov 2013) - Over the last month, on our New Republic: Security States newsfeed, we rolled out a series designed to explain why fairly allocating the costs of software deficiencies between software makers and users is so critical to addressing the growing problem of vulnerability-ridden code - and how such a regime will require questioning some of our deep-seated beliefs about the very nature of software security. Below is a consolidation of the five-part series in full. [Polley: Then read Paul Rosenzweig's Cybersecurity and the Least Cost Avoider, also at Lawfare.]

Law firms focus on cybersecurity (SecurityInfoWatch, 4 Nov 2013) - In 2007, cybercriminals took more than 45 million credit and debit card numbers from the network of retailer TJ Maxx's parent company. The cost to the company, TJX Cos., soared above $250 million, and drove the state of Massachusetts, where the company is headquartered, to enact some of the toughest cybersecurity rules in the country. With so much money and potential damage to a company's reputation at stake in the event of a data breach, it's no wonder that law firms are devoting resources to cybersecurity, not only to protect their own firms' data but also as a potentially lucrative practice area. Buchanan Ingersoll & Rooney announced Oct. 23 it was launching a cybersecurity and data protection practice, expanding on its existing data security practice. Pittsburgh-based shareholders Matthew Meade and Sue Friedberg, and Philadelphia-based shareholder Jack Tomarchio, a former intelligence officer with the U.S. Department of Homeland Security, will lead the practice. Buchanan Ingersoll joins the growing list of law firms that have added cybersecurity practices in 2013, said David Bodenheimer, a partner with Washington, D.C.-based firm Crowell & Moring. He is also chairman of the American Bar Association Public Contract Law Section's Cybersecurity Committee. Mr. Bodenheimer said that, in 2013, many law firms expanded existing practice areas that dealt with health care and financial data protection issues. After President Barack Obama signed an executive order Feb. 12 directing federal agencies to develop cybersecurity standards for parts of the private sector, Mr. Bodenheimer said, firms recognized this as a practice area with great potential. "When boards of directors started turning to senior management and asking, 'What is this threat and what are we doing about it?' they started to call their law firms," Mr. Bodenheimer said.

EXL loses key client due to breach of confidential data (India's Economic Times, 6 Nov 2013) - Nasdaq-listed outsourcing firm EXL Services has lost a key client due to breach of confidential client data by a few of its employees, a development that will impact its revenues and raise larger questions on data security. EXL, which competes with the likes of Genpact, WNS and Firstsource and gets more than half of its revenues from the healthcare and insurance space, told investors that it received a termination notice from The Travelers Indemnity Company on November 1, 2013, scrapping a deal that was signed in 2006. American insurer Travelers accounted for 9.6% of the company's total revenue for the quarter ended September 2013 and the termination is likely to impact 2014 revenues by $14 million (Rs 86 crore) to $28 million (Rs 172 crore). EXL further said that Travelers was ending the contract because it failed to comply with the provisions of the agreement in handling client information. "The termination arose from an incident where company employees, who have since been terminated, shared a procedural document externally in violation of the company's strict client confidentiality policies. The company and Travelers sought an amendment to the existing agreement but were unable to reach terms mutually acceptable to the parties," the filing said. Under its agreement with Travelers, EXL also needs to provide transition-related services for 18 months from the termination date, at its own cost.

Password protection laws (MLPB, 7 Nov 2013) - Sarah O'Donohue, Emory University School of Law, is publishing 'Like' it or Not, Password Protection Laws Could Protect Much More than Passwords in volume 20 of the Journal of Law & Business Ethics 
Emory University School of Law (2014). Here is the abstract: "Employers and schools in several states are now prohibited from requesting access to the social networking accounts of their employees, students, and applicants as a result of the "password protection" laws that are sweeping the nation. These laws take an expansive view of the definition of privacy by implying that viewing content on a user's restricted-access social networking profile without his consent constitutes an invasion of privacy. Courts have consistently held that the information users post on social networking websites is, in fact, not private. Further highlighting the contrast between legislative and judicial interpretations of privacy in the context of these new technologies, the express language in one of the password protection laws declares that all Internet users have a reasonable expectation of privacy in their social networking website communications and affairs. This Article argues that password protection laws should be interpreted narrowly as only prohibiting the invasive methods used by employers and schools to gather information from social networking profiles - not as establishing in all cases that communications to which access has been restricted are private. The reasonableness of a user's expectation of privacy in the content of his social networking profile must be determined by courts on a case-by-case basis, informed by such factors as how many people he invites to view it, the relationship between the user and his chosen audience, the exact calibration of his privacy settings, and the degree to which his digital information is guarded by the website under its privacy and data use policies."

Apple issues first transparency report, includes "warrant canary" (EFF, 7 Nov 2013) - On Tuesday, yet another one of the nine companies originally implicated in the PRISM program released its first transparency report. Apple joins the ranks of Google, Yahoo, and Facebook, among others that have issued reports that detail the number of requests the companies receive from governments for user data. EFF has long called on corporations to be transparent about what they do with the data that users entrust to them. Transparency reports have become the industry standard, and we are delighted to be able to award Apple another star in the 2014 edition of our annual Who Has Your Back campaign, where we assess major Internet companies' commitment to standing by the rights of users in the face of government requests for personal information about their customers. This is Apple's first transparency report, and it only looks at the first half of 2013. The report includes information about which countries have asked for user data, the number of requests received and granted, the number of times Apple has objected to information requests, as well as the number of information requests where Apple has not disclosed data. The U.S. is reported to have made the most requests. After the U.S., the top three countries requesting user information are the United Kingdom (127), Spain (102), and Germany (93). In the report, Apple makes an important distinction between government requests for "data" and government requests for "content". Apple defines data as "personal identifiers", such as Apple IDs, email addresses, and telephone and credit card numbers. When Apple hands over user content, however, the company provides governments with more detailed information like iCloud emails, contacts, photos, and calendars. Perhaps the most interesting part of the transparency report are the last two sentences: "Apple has never received an order under Section 215 of the USA Patriot Act.
We would expect to challenge such an order if served on us." Apple's statement is an implementation of the so-called "warrant canary." Canaries are used to signal that, as of the date published, there have been no law enforcement requests of a particular type received. In Apple's case, the canary is limited to a signal that no secret Section 215 orders have been served on the company. If the canary is removed in the next transparency report, it is safe for users to assume that a Section 215 data request and the accompanying gag order has been issued. We appreciate Apple's implementation in particular, including its six-month delay, because if its use is ever challenged in court, the ample time will allow a judge to coolly and calmly review the constitutionality of any government attempt to compel Apple to lie. We fear that if the first challenge to a warrant canary comes before a court in a more rushed context, a rushed judge could make bad law.

Payment card industry gets updated security standard with new requirements (Computerworld, 8 Nov 2013) - The PCI Security Standards Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organizations, including merchants, payment processors, financial institutions and service providers. The new version will go into effect on Jan. 1, but organizations will have until Dec. 31, 2014, to make the transition from PCI DSS 2.0. In addition, some of the new security requirements will have the status of best practices until June 30, 2015. The effectiveness of the PCI DSS, whose primary goal is to help organizations secure cardholder data, is disputed in the security community. That's partly because there have been many cases of merchants and payment processors sustaining significant cardholder data breaches despite having passed PCI DSS compliance assessments. The PCI Security Standards Council recognized this problem and included a set of best practices in the new version of the standard that aims to make PCI DSS implementation part of business-as-usual activities and ensure that organizations involved in payment card processing remain compliant between annual assessments.

Do you have coverage to protect against cyber attack risks? (Inside Counsel, 8 Nov 2013) - Exposure to losses from data breaches and loss of personal information continues to rank high on the list of worries for general counsel around the country. GCs have good reason to worry. Marsh, one of the largest insurance brokers in the world, reports that over 600 million confidential personal records have been breached in the last five years. Verizon's 2013 Data Breach Investigations Report is even more telling with its opening line that in 2012 "[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage." The Verizon Report's statistics are even more alarming. Specifically, 37 percent of data breaches affected financial organizations. The next highest segments vulnerable to cyber-attacks include retail businesses and restaurants, followed by manufacturing, transportation and utilities. In response to the growing risk of loss from cyber and privacy violations, insurers are reacting in two ways. First, most insurers have excluded cyber risks from more traditional insurance policies such as Commercial General Liability (CGL). Second, insurance companies are racing to the market with new products aimed at providing specialized coverage for such losses. As companies of all sizes approach the calendar year-end, now is the time to analyze exposure for cyber risks and address insurance needs to close any gaps in coverage. If GCs are as worried about losses as noted in current reports, then they should be leading the charge to address the need for cyber insurance.

Amazon to deliver on Sundays using postal service fleet (Washington Post, 11 Nov 2013) - The Internet has been blamed for the death of the mail, but now it's offering hope to the beleaguered U.S. Postal Service. Amazon announced Monday that it will begin Sunday deliveries using the government agency's fleet of foot soldiers, office workers and truck drivers to bring packages to homes seven days a week. To accommodate the online retailing giant, the Postal Service said it will for the first time deliver packages at regular rates on Sundays. Previously, a shipper had to use its pricey Express Mail service and pay an extra fee for Sunday delivery. The initiative will begin immediately in Los Angeles and New York and spread to the Washington area and much of the rest of the nation next year, Postal Service officials said. The partnership should help the turnaround effort underway at the financially strapped Postal Service, they said. The arrangement with Amazon could open the doors to more partnerships with retailers that are eager to use the 500,000 USPS employees and 31,000 post offices across the country to satisfy consumers who want to get what they buy online faster.

Samsung, Nokia say they don't know how to track a powered-down phone (ArsTechnica, 11 Nov 2013) - Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to "find cellphones even when they were turned off. JSOC troops called this 'The Find,' and it gave them thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq, according to members of the unit." Many security researchers scratched their heads trying to figure out how this could be so. The British watchdog group Privacy International took it upon itself to ask eight major mobile phone manufacturers if and how this was possible in August 2013. On Monday, the group published replies from the four firms that have responded thus far: Ericsson, Google, Nokia, and Samsung. (Apple, HTC, Microsoft, and BlackBerry have not yet sent in a response.) A research officer at the organization, Richard Tynan, wrote that "two themes stood out among the companies that replied: hardware manufacturers claim that they strive to switch off almost all their components while the phone is powered down, and if tracking occurs it is likely due to the installation of malware onto the phone."

PAEs under the microscope: an empirical investigation of patent holders as litigants (Patently-O, 12 Nov 2013) - Today, a certain type of patent litigant - the non-practicing entity ("NPE"), also known as a patent assertion entity ("PAE"), patent monetization entity ("PME"), or simply patent troll - is the target of much public debate, if not venom. Indeed, President Obama himself got involved in this debate, with his Council of Economic Advisers preparing a report this summer entitled "Patent Assertion and U.S. Innovation." The Executive Summary of the President's report sounds the following alarm about PAE suits: Suits brought by PAEs have tripled in just the last two years, rising from 29 percent of all infringement suits to 62 percent of all infringement suits. This asserted explosion in PAE-initiated litigation has fed into a wider perception that PAEs are out of control and need reining in by Congress. But is the factual assertion by the President's report an accurate characterization of total PAE litigation activity? We address this important issue in our new article, Patent Assertion Entities (PAEs) Under the Microscope: An Empirical Investigation of Patent Holders as Litigants. To investigate PAE litigation, we personally hand-coded all 7,500+ patent holder litigants in 2010 and 2012. In our coding, we finely classified the nature of the litigants, going beyond the simple PAE / non-PAE label. Specifically, we coded each patent holder as one of the following: (1) a University; (2) an Individual Inventor/Family Trust; (3) a large Patent Aggregator (e.g., Acacia); (4) a Failed Operating Company or Failed Start-up; (5) a Patent Holding Company that appears unaffiliated with the original inventor or owner; (6) an Operating Company; (7) an IP Holding Company affiliated with an operating company; or (8) a Technology Development Company (e.g., Walker Digital).
Based on our data, and contrary to the assertions in the President's report, we do not find an explosion in PAE litigation between 2010 and 2012. In particular, the President's report considered only the raw number of lawsuits filed in 2010 and 2012. By limiting its analysis to numbers of cases filed, rather than the underlying parties involved, the President's report was incomplete and led to an erroneous conclusion.

FCC smartphone app gauges speed of user's network (NYT, 14 Nov 2013) - The Federal Communications Commission on Thursday released its first smartphone app, a free program that allows consumers to measure the broadband speed they are getting on their mobile devices and to determine whether it is as fast as wireless companies say. The app provides information on upload and download speeds and on how efficiently data is transmitted, a measure known as packet loss. The app, F.C.C. Speed Test, also will allow the commission to aggregate data about broadband speeds from consumers across the country. It will use the data to create an interactive map, giving consumers a tool to use in comparison shopping rather than relying on wireless companies' promises. The app, available in the Google Play store, will run periodically in the background on a consumer's phone, automatically performing tests when a user is not otherwise using the phone. F.C.C. officials stressed that the software would not collect any personal or uniquely identifiable information, and that it would release information only after the data was analyzed. The app uses open-source code, and the agency details its methodologies and privacy policy on its website. [Polley: until they release an iPhone version, you might try Speedtest.net's Mobile Speed Test, which I like. It doesn't, however, pass results along to the FCC for the aggregation/mapping project.]

Attack ravages power grid (Just a test) (NYT, 14 Nov 2013) - In windowless rooms from here to California, nearly 10,000 electrical engineers, cybersecurity specialists, utility executives and F.B.I. agents furiously grappled over 48 hours with an unseen "enemy" who tried to turn out the lights across America. The enemy injected computer viruses into grid control systems, bombed transformers and substations and knocked out power lines by the dozen. By late Thursday morning, in this unprecedented continental-scale war game to determine how prepared the nation is for a cyberattack, tens of millions of Americans were in simulated darkness. Hundreds of transmission lines and transformers were declared damaged or destroyed, and the engineers were rushing to assess computers that were, for the purposes of the drill, tearing their system apart. "It's going really well," said Gerry W. Cauley, the president and chief executive of the North American Electric Reliability Corporation, which ran the drill. "A bit scary, but really well." The degree of simulation varied, organizers said. Nobody touched actual operating equipment, but some companies sent trucks with linemen aboard to investigate the status of key transformers because the "scenarios" written by Mr. Cauley's group included computer viruses that kept technicians at the control centers from knowing the condition of crucial equipment. The drill also involved "denial of service" attacks, in which hackers flooded a computer connected to the Internet with so many messages that it could not handle the load. In real life, banks and other companies have been hit with such attacks. Drill participants said they would not talk about the specific locations of the simulated attacks, for two reasons: The locations were chosen at points that the insiders knew were vulnerable, and the companies involved were promised that if they participated, their performance would not be held up to public criticism. 
The purpose, organizers said, was to pose problems that were hard to solve, to expose areas that needed improvement.

Forest change mapped by Google Earth (BBC, 14 Nov 2013) - A new high-resolution global map of forest loss and gain has been created with the help of Google Earth. The interactive online tool is publicly available and zooms in to a remarkably high level of local detail - a resolution of 30m. It charts the story of the world's tree canopies from 2000 to 2012, based on 650,000 satellite images by Landsat 7. In that time, the Earth lost a combined "forest" the size of Mongolia, enough trees to cover the UK six times. Brazil's progress in reducing deforestation was more than offset by losses in Indonesia, Malaysia, Paraguay and Angola, according to a study in the journal Science. "This is the first map of forest change that is globally consistent and locally relevant," said Prof Matthew Hansen of the University of Maryland, who led the project team which developed the map. "What would have taken a single computer 15 years to perform was completed in a matter of days using Google Earth Engine computing." Their study reports a number of key findings on forest change from 2000-2012 - based on the satellite imagery. The Earth lost 2.3 million square kilometres of tree cover in that period, due to logging, fire, disease or storms. But the planet also gained 800,000 sq km of new forest, a net loss of 1.5 million sq km in total. Brazil showed the best improvement of any country, cutting annual forest loss in half between 2003-04 and 2010-11. Indonesia had the largest increase in deforestation, more than doubling its annual loss to nearly 20,000 sq km in 2011-12. In the United States, the "disturbance rate" of south-eastern forests was four times that of South American rainforests - more than 31% of forest cover was either lost or regrown. Paraguay, Malaysia and Cambodia had the highest national rates of forest loss. Overall, tropical forest loss is increasing by about 2,100 sq km per year, the researchers said.
[Polley: Spotted by MIRLN reader Gordon Housworth.]

Court knocks wind out of challenge to FTC's cybersecurity authority (Steptoe, 14 Nov 2013) - The judge hearing the challenge by Wyndham Hotels & Resorts to the Federal Trade Commission's authority to regulate companies' data security practices suggested last week that she is likely to back the FTC. The FTC sued Wyndham after the company suffered three data security breaches, claiming that the company had engaged in "unfair and deceptive acts and practices" by not maintaining "reasonable and appropriate" data security measures. Wyndham moved to dismiss, arguing that the Commission lacks the authority to regulate companies' data security practices, and that the FTC should at least have to establish rules and regulations putting companies on notice as to what practices they needed to implement. At oral argument, Judge Esther Salas of the U.S. district court for New Jersey seemed poised to reject Wyndham's arguments and to uphold the FTC's broad power over data security practices.

Siding with Google, judge says book search does not infringe copyright (NYT, 14 Nov 2013) - Google's idea to scan millions of books and make them searchable online seemed audacious when it was announced in 2004. But fast-forward to today, when people expect to find almost anything they want online, and the plan seems like an unsurprising and unavoidable part of today's Internet. So when a judge on Thursday dismissed a lawsuit that authors had filed against Google after countless delays, it had the whiff of inevitability. Even the judge, Denny Chin of the United States Court of Appeals for the Second Circuit, said during a September hearing on the case that his law clerks used Google Books for research. "It advances the progress of the arts and sciences, while maintaining respectful consideration for the rights of authors and other creative individuals, and without adversely impacting the rights of copyright holders," Judge Chin wrote in his ruling. Google and other technology companies often push the limits of regulation and law, and hope that eventually the rest of the world - and the law - will catch up. "What seemed insanely ambitious and this huge effort that seemed very dangerous in 2004 now seems ordinary," said James Grimmelmann, a law professor at the University of Maryland who has followed the case closely. "Technology and media have moved on so much that it's just not a big deal." The ruling examined whether Google's use of copyrighted works counted as so-called fair use under copyright law, which Judge Chin determined it did. The decision opened the door for other companies to also scan books. Google's book search is transformative, he wrote, because "words in books are being used in a way they have not been used before." It does not replace books, he wrote, because Google does not allow people to read entire books online. It takes security measures, like not showing one out of every 10 pages in each book, to prevent people from trying to do so.
One potential problem for Google was the notion that using copyrighted material for moneymaking purposes weighs against a finding of fair use. Though the company does not sell the books and stopped running ads alongside them in 2011, it benefits commercially because people are drawn to Google websites to search the books, Judge Chin wrote. But, he added, "Even assuming Google's principal motivation is profit, the fact is that Google Books serves several important educational purposes." [Polley: potentially a broad expansion of "transformative" use; coupled with the minimal weight given Google's commercial benefits, this may be a very weighty decision with important implications.]

Web restrictions not the answer to juror online research (Harvard's DMLP, 15 Nov 2013) - Juror use of the Internet to do research or communicate about trials is a growing and persistent problem. So, what can a judge do? For several years now courts have been giving jurors more detailed admonitions and jury instructions against educating themselves about cases online, to little effect. A few judges have taken a different approach, ordering web sites with information on specific cases to remove the information from the Internet. But in a pair of recent decisions, appeals courts have said this method of limiting juror online research is an unconstitutional prior restraint. * * *

Facebook, still dominant, strives to keep cachet (NYT, 17 Nov 2013) - When Evan Spiegel peered into a crystal ball to divine a future for his company, Snapchat, he did not see Facebook. He saw something else, something much bigger - a social network that could exist on its own, outside Facebook. Facebook is still the dominant social media service, and has been an attractive suitor for many start-ups. And Snapchat most likely spurned Facebook partly because it thought it could fetch much more than the billions Facebook was willing to pay. But the snub also foreshadows a possible future where Facebook is no longer the default place on the web where people go to network. The swift rise of upstarts like Snapchat in a shifting social media landscape suggests a change in how and where people like to spend their time. The rebuff also reveals a changing perception of Facebook in the tech industry. As the once scrappy start-up evolves into a sprawling corporation, younger companies who view themselves as disruptive do not find Facebook's size and cushy campus as appealing. Not to mention that a lot of them are trying to provide alternatives to Facebook, which means selling to Facebook would defeat their entire purpose. Despite the site's primacy in the social media market, some numbers suggest that Facebook addiction has given way to Facebook fatigue, at least among some users. A study by the Pew Internet and American Life Project found that the majority of users have at one point or another taken a multiweek break from the service, citing the tedium and irrelevancy of its content. Among the crucial younger demographic - users ages 18 to 29 - that first propelled Facebook into prominence, 38 percent said they expected to spend less time using the site this year. The survey confirmed what some at the company already knew. 
In its latest quarterly call with investors, it said its youngest users were spending less time on the service, although overall teenage engagement was stable. That fatigue may also have started to trickle down to the developers who build apps on top of Facebook's platform. [ Polley : This is part of why I stayed away from Facebook's IPO. Together with their dizzying, ever-confusing privacy policy(ies), I get the sense that they're destined for oblivion.]

Latest release of documents on NSA includes 2004 ruling on email surveillance (NYT, 18 Nov 2013) - The Obama administration released hundreds of pages of newly declassified documents related to National Security Agency surveillance late Monday, including an 87-page ruling in which the Foreign Intelligence Surveillance Court first approved a program to systematically track Americans' emails during the Bush administration. "The raw volume of the proposed collection is enormous," wrote Judge Colleen Kollar-Kotelly, who was then the chief judge on the secret surveillance court. The government censored the date of her ruling in the publicly released document, and many sections - including a description of what she had been told about terrorism threats - were heavily redacted. Many of the documents have historic significance, showing how Bush administration surveillance programs that were initially conducted without court oversight and outside statutory authorization were brought under the authority of the surveillance court and subjected to oversight rules. The documents also included reports to Congress, training slides and regulations issued under President Obama. The Bush administration temporarily shut down its bulk collection of email logs after Justice Department lawyers raised legal concerns in March 2004. Judge Kollar-Kotelly declared the collection lawful in July 2004, according to documents leaked by Edward J. Snowden, the former N.S.A. contractor. The trove also included the Bush administration's 2006 application for initial approval by the surveillance court to collect bulk logs of all domestic phone calls under a provision of the Patriot Act that allows the collection of business records deemed "relevant" to an investigation, another program it had previously undertaken unilaterally. The call record program is still active.

What's in your wallet? Could it be the Department of Homeland Security? (ABA's Business Law Today, Nov 2013; by Stephen Middlebrook) - A hot topic in the financial services industry press is news that the Department of Homeland Security (DHS) has plans to stop certain people at the border and scan the payment cards in their wallets, check the cardholder's balances and, in certain cases, seize the funds on the card. The initiative is related to regulatory changes proposed by the Financial Crimes Enforcement Network (FinCEN), the part of Treasury that oversees anti-money laundering regulations. 76 F.R. 64049 (October 17, 2011). FinCEN requires people crossing the border to declare if they are carrying more than $10,000 in "monetary instruments." Monetary instrument is currently defined to include cash, traveler's checks, certain negotiable instruments, and securities. Because law enforcement has concerns that prepaid cards are being used by criminals to launder money and move it out of the country, FinCEN has proposed adding prepaid cards, but not debit or credit cards, to the list of monetary instruments that must be declared at the border. Assessing the value of paper currency and negotiable instruments is relatively easy because the value appears on the face of the document. This is not true, however, for prepaid and other payment cards. To determine how much money is associated with a card, you must contact the financial institution that issued the card and query the current available balance. Consequently, verifying the value of a prepaid card at the border cannot be done independently by the border agent but requires the government to obtain information from the issuing financial institution. Homeland Security has acknowledged their new program in several documents as well as in meetings with the card networks, but we still don't know much about how it will be implemented. 
DHS stated in a comment letter it filed regarding the FinCEN proposal that it plans to deploy hand held devices at the border to scan debit, credit, and prepaid cards and report back information about the cardholder's account. In addition to cards, Homeland Security has suggested the FinCEN requirements should also apply to "cell phones, key fobs, or other tangible objects" that might possibly be tied to a prepaid account.

NOTED PODCASTS

Birth of the Global Mind (Long Now, by Tim O'Reilly; 97 minutes; 5 Sept 2012) - "The history of civilization is a story of evolution in our ability to build complex 'multicellular minds,'" says Tim O'Reilly, founder and CEO of O'Reilly Media (books, conferences, foo camps, Maker Faires, Make magazine.) Speech allowed us to communicate and coordinate. Writing allowed that coordination to span time and space. Twentieth century mass communications allowed shared information and culture to blanket the world. In the 21st century, memes spread mind to mind in nearly real time. But that's not all. In one breakthrough computer application after another, we see a new kind of man-machine symbiosis. The Google autonomous vehicle turns out not to be just a triumph of artificial intelligence algorithms. The car is guided by the cloud memory of roads driven before by human Google Streetview drivers augmented by powerful and precise new sensors. In the same way, crowd-sourced data from sensor-enabled humans is leading to smarter cities, breakthroughs in healthcare, and new economies. [ Polley : very, very interesting.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Government Forms Cybersecurity Unit (CNET, 6 June 2003) -- The Department of Homeland Security on Friday said it created a new division to address threats to the nation's technological infrastructure. Called the National Cyber Security Division (NCSD), the 60-person unit is charged with addressing potential security breaches to private-sector and government computer systems. The division was created as part of President George W. Bush's National Strategy to Secure Cyberspace and the Homeland Security Act of 2002, and it will be run under the Department's Information Analysis and Infrastructure Protection Directorate. "Most businesses in this country are unable to segregate the cyberoperations from the physical aspects of their business because they operate interdependently," Department of Homeland Security Secretary Tom Ridge said in a statement. "This new division will be focused on the vitally important task of protecting the nation's cyberassets so that we may best protect the nation's critical infrastructure assets," he added. NCSD's chief will be Robert Liscouski, the assistant secretary of Homeland Security for Infrastructure Protection. The division will be organized into three units to: identify risks and reduce vulnerabilities to government and private-sector computer systems; operate a Cyber Security Tracking, Analysis & Response Center to detect attacks to the Internet and alert the public; and develop education programs on security measures. According to the NCSD, the division will build on existing capabilities from the former Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, and the National Communications System. Computer industry group Business Software Alliance (BSA) immediately applauded the move. 
"Study after study indicates we remain ill-prepared to defend against threats to our critical information networks--meaning a major virus or cyberattack could wreak havoc on our communications, transportation, utility, financial or other vital information infrastructure," said Robert Holleyman, CEO of BSA.

Time Warner cable dials in phone service (CNET, 21 May 2003) -- Time Warner Cable's "Digital Phone" will cost $40 a month and be available only in the Portland, Maine, area. Time Warner's trial offering is similar to experiments with telephone services from rival cable providers Comcast Cable Communications and Cablevision Systems. Calling plans are the latest weapon cable providers are using as they battle for dominance of U.S. broadband services market. Nearly 60 percent of all U.S. homes get broadband from their cable television provider. The rest of the homes wired for broadband in the United States use digital subscriber line (DSL) connections from telephone companies. Cable and telephone companies use bundles of steeply discounted services to attract and keep customers. Cable companies sell television and broadband access at discounted rates, but only when bought as part of a package of services. Telephone companies offer similar deals on telephone and broadband connections. Until recently, telephone companies didn't worry about cable adding voice services into their bundles. But the growing sophistication of voice over IP, which turns voice calls into digital packets for dispatch over the Internet, allows cable companies to sell cable TV, telephone service and broadband connections on one bill. That's one more service--specifically cable television-- than telephone companies can offer. In their current form, these new cable company phone services pose little threat, more like a novelty act in places like Coatsville, Pa., where Comcast is trialing its telephone service. But if they were to be expanded substantially, "then the best way to describe this would be 'wow,'" said In-Stat/MDR senior analyst Daryl Schooler. "What does any of the major phone companies have on their bundle? Local and long distance and data," Schooler said. "This move by the cable guys gives them local, long distance voice, video and data all over one pipe."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
