Saturday, August 08, 2015

MIRLN --- 19 July - 8 August 2015 (v18.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Troubling trademark ruling over Amazon's internal search results (Eric Goldman, 13 July 2015) - When a consumer asks a retailer for a product the retailer doesn't carry, how should the retailer respond? A recent federal appellate court opinion suggested that Amazon.com gave the wrong answers to consumers searching for a watch brand that it didn't carry. Multi-Time Machine makes high-end military-style watches under brand names including "MTM Special Ops." MTM tightly controls its distribution channels. As a result, Amazon.com doesn't carry MTM's watches. When Amazon consumers searched for "MTM Special Ops Watches" in Amazon's internal search engine, consumers were provided a list of "aesthetically similar, multi-function watches manufactured by MTM's competitors" such as Luminox and Chase-Durer, but the search results page did not expressly say that Amazon doesn't carry MTM watches. Amazon's disclosures on its internal search results page differ from competitors Buy.com and Overstock.com, both of whom "clearly announce that no search results match the 'MTM Special Ops' query and those websites do not route the visitor to a page with both MTM's trademark 'MTM Specials Ops' repeatedly at the top and competitors' watches below. Their pages show the search query playback but then forthrightly state that no results for the 'MTM Special Ops' search query were found, and then list competitors' products." MTM claimed that Amazon's search results constituted trademark infringement. The district court ruled for Amazon, saying that the search results page didn't create actionable consumer confusion. In a split vote, last week the Ninth Circuit Court of Appeals reversed, holding that Amazon's search results presentation might constitute trademark infringement and sending the case to the jury. The majority opinion focuses on a much-criticized trademark doctrine called initial interest confusion.
The Ninth Circuit has had a dozen or so cases addressing initial interest confusion, and its handling of the doctrine has vacillated wildly. In 1999, the Ninth Circuit adopted an exceptionally (and, in my opinion, unreasonably) overbroad definition of the concept. This led to a series of tortured and inconsistent rulings until 2011, when the Ninth Circuit adopted a more constrained definition that virtually killed the doctrine. In this case, the Ninth Circuit bypasses its 2011 definition and instead defines initial interest confusion from a 2004 ruling.

Best practices for protecting client information, according to the CFPB (Lawyerist, 18 July 2015) - New federal regulations promulgated by the Consumer Financial Protection Bureau will apply to real estate lawyers. But they are also a pretty solid starting point for any lawyer or law firm. Here's a summary of the best practices , compiled by Law Technology Today's Pegeen Turner: * * *

DoJ: Firms should hire cyber-savvy lawyers (eCommerce Times, 20 July 2015) - Hardly a day goes by without a headline about a cyberintrusion. No entity is immune -- international retailers, airlines, hotels, mom and pop stores, cloud providers -- even the U.S. government. However, it seems that few businesses contemplate how important it is for their attorney to know and understand cybersecurity, as well as know what to do when a cyberintrusion occurs. The U.S. government -- itself a cybervictim -- provides the guidance we have been waiting for. The Cybersecurity Unit, part of the Computer Crime & Intellectual Property Section (CCIPS) within the Department of Justice Criminal Division, earlier this year issued its Best Practices for Victim Response and Reporting of Cyber Incidents . The Cybersecurity Unit is responsible for implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. CCIPS prevents, investigates and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions and foreign counterparts. Of course, many DoJ employees are lawyers who have to assess crimes and help prosecute the bad guys. The CCIPS therefore is actually one of the best sources of information about cyberintrusions. The DoJ report includes 15 pages of best practices. This column focuses on just one of them, but you might want to look at the entire report. 
It is a best practice for every business to have "legal counsel that is familiar with legal issues associated with cyber incidents" and with technology and cyberincident management, since "cyber incidents can raise unique legal questions," according to the DoJ: "An organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic surveillance, and communications privacy laws). Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice. Many private organizations retain outside counsel who specialize in legal questions associated with data breaches while others find such cyber issues are common enough that they have their own cyber-savvy attorneys on staff in their General Counsel's offices. Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization's decision making and help ensure that a victim organization's incident response activities remain on firm legal footing."

- and -

Do you need a cybersecurity attorney on retainer? (CSO, 4 August 2015) - Developing plans to protect your digital information and network while complying with state and federal regulations can be a legal challenge for any corporation. Is relying on in-house counsel enough, or should companies have a cybersecurity attorney on retainer? Having the consultation of a cybersecurity attorney while developing an incident response plan is instrumental. Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents. "A decade ago there was not enough demand in the field of cyber security law to build a practice around it," said JJ Thompson, chief executive officer at Rook Security. Today, entire practices are flourishing in the field of cyber security law. Cybersecurity attorneys play a greater role now than they did five to 10 years ago because they have more specific and more informed expertise than general litigators. Thompson noted, "To not have a cybersecurity attorney on retainer is foolhardy at best," because organizations need somebody who is a specialist in what Thompson identified as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance, and working with government. * * *

Constitutional Malware (Stanford's Jonathan Mayer, 20 July 2015) - Abstract: The United States government hacks computer systems, for law enforcement purposes. According to public disclosures, both the Federal Bureau of Investigation and Drug Enforcement Administration are increasingly resorting to computer intrusions as an investigative technique. This article provides the first comprehensive examination of how the Constitution should regulate government malware. When applied to computer systems, the Fourth Amendment safeguards two independent values: the integrity of a device as against government breach, and the privacy properties of data contained in a device. Courts have not yet conceptualized how these theories of privacy should be reconciled. Government malware forces a constitutional privacy reckoning. Investigators can algorithmically constrain the information that they retrieve from a hacked device, ensuring they receive only data that is, in isolation, constitutionally unprotected. According to declassified documents, FBI officials have theorized that the Fourth Amendment does not apply in this scenario.

New MSU center aims to improve practice of law (Michigan State U, 20 July 2015) - With fewer students enrolling in law schools and the high expense of legal services, the legal profession needs radical change, says a Michigan State University College of Law professor who hopes to make a difference with a new legal research center. MSU Law's Center for Legal Services Innovation - LegalRnD for short - launched this month, introducing students to leaner, more effective business models and the use of data and technology to improve legal services. Studies show about three out of four people with low to moderate incomes don't receive the legal services they need, said Daniel Linna Jr., assistant dean for career development and director of LegalRnD. At the same time, businesses often go without legal services because of the expense. But it's important to bring law to everyone who needs it - and that means shaking things up. "We work hard for our clients, but we haven't stepped back and seriously asked ourselves, 'How can we improve legal service delivery for our clients?'" Linna said. "Nor have we invested in legal research and development. As a solution, we intend to engage in the research and development the legal industry hasn't done to develop 21st-century legal practice." LegalRnD classes are interdisciplinary, taught by faculty from other MSU colleges. And in the fall, Ken Grady, a leading expert in the legal industry, will join LegalRnD, teaching legal service delivery. Innovation is a big focus of LegalRnD, Linna said. In June, LegalRnD was the coordinating sponsor of LexHacks, a legal "hackathon" in Chicago. Lawyers, law students, technologists and other professionals competed for $5,250 in prizes to create solutions to improve legal services.

Law firm notifies clients after laptop stolen on trolley (DataBreaches.net, 22 July 2015) - The California law firm of Atkinson, Andelson, Loya, Ruud & Romo is notifying clients after a personal laptop belonging to a member of the firm was stolen while the attorney was on the MTS Trolley in downtown San Diego on April 23. Since that time, the firm has been working with law enforcement but, to date, they have been unable to locate or recover the stolen laptop computer. According to the notification letter signed by James H. Palmer, their General Counsel: Working with outside computer forensic experts, we have confirmed that the laptop may have contained confidential information. We believe based on that investigation that the laptop contained personally identifiable information, including names, addresses, telephone numbers and social security numbers. The laptop did not contain driver's license numbers but may have contained certain financial information and/or medical records of individuals. We have no reason to believe that the laptop was stolen for the information it contained. We also have no information indicating that this information has been accessed or used in any way. Those being notified are offered free credit monitoring and protection services with ID Experts service, MyIDCare.

California says you must understand e-discovery in order to litigate (Lawyerist, 22 July 2015) - California's proposed ethics opinion on attorney duties in e-discovery has been finalized. The opinion is unsurprising in terms of its analysis of today's technology and long-standing ethics rules, and it highlights that in today's world, discovery is extremely complex and high stakes. In the Committee on Professional Responsibility and Conduct Formal Opinion No. 2015-193, California makes it abundantly clear that a lawyer who does not understand how electronically stored information is managed and retrieved for litigation purposes needs to get assistance before embarking on discovery in just about any matter. While there may not be electronic discovery in every case, every case does need to be evaluated for it, and when e-discovery is going to be conducted by either side, the lawyers involved need to understand (or get help understanding) the way the information is stored, retained, deleted, and mined. The potential for ethics violations is extremely high, and with that potential comes incredible malpractice exposure. Here's the full opinion * * *

NACD suggests questions for boards to ask cybersecurity officers (Cooley, 22 July 2015) - As reported in the WSJ, the National Association of Corporate Directors advises that boards ask their companies' chief information security officers some pointed questions about cybersecurity risks. Often, boards just ask whether the company is vulnerable to cyberattacks like those recently experienced at the U.S. Office of Personnel Management and at a number of private companies. But that's not likely to be effective, the NACD argues. Why not? Because no security system is perfect and all companies are vulnerable to some extent. Instead, the NACD recommends, boards should focus on decreasing the risk of attack as well as understanding the process that is in place to manage a cyberattack should one occur. Copied below are examples the NACD views as more effective questions for boards to ask their heads of cybersecurity: * * * Directors are advised to engage CISOs regularly and, where necessary, encourage the CISO to educate board members about the range of potential security problems: only "11% of board members across industries say they have a 'high level' of knowledge about the topic, according to a recent NACD survey of 1,034 directors." Finally, NACD advocates that CISOs work with board members to develop "a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies…."

Law firms see insurance as bulwark against data breach (Bloomberg, 24 July 2015) - David Johnson had just finished meeting with a cybersecurity consultant about beefing up the company's protections when he learned the servers had been hacked. As general counsel of Global Cash Access, a company that manages cash on hand for casinos, Johnson was highly concerned about protecting the company servers: Literally, millions of dollars were at stake. Hiring a consultant to sniff out vulnerabilities had been the first step taken by the company's new senior vice president of IT, and everyone at the meeting had agreed the consultant should take the next few months to see if he could penetrate their computer system. But it didn't even take that long: The consultant walked to his car outside their office, opened his laptop and immediately hacked into their servers. "It was kind of like, 'Oh. This isn't good,'" said Johnson, now a Duane Morris partner, who said the IT department made several major changes as a result. The incident, which took place in 2013, illustrates how difficult it can be to accurately assess the vulnerability of one's system and why General Counsel consistently rank cybersecurity as a top concern in surveys. And yet even as lawyers position themselves as experts who can advise companies on cybersecurity threats, many law firms are being targeted and experiencing data breaches. "Our law firm clients report being extorted or threatened with denial of service and being held hostage," said Mark Greenwood, managing director with Aon Risk Solutions, which sells cyberinsurance to several dozen law firms. Greenwood declined to disclose which firms had reported a breach, but said the minimum cost of hiring a consultant to identify the hole in a cybersecurity system and to then fix it is $500,000.
He further estimated that the largest law firms are paying for $5 million to $40 million in coverage, mid-size firms are purchasing up to $10 million in coverage, and smaller firms are buying up to $5 million in coverage. The insurance provides firms with a "coach" who can take the lead if a breach occurs, crisis communication and PR specialists, as well as online training and support from IT professionals, according to Greenwood. In the last year alone, his group has signed up 30 new law firms for cyber insurance, he said. But most data breach incidents at law firms have not publicly surfaced, although there have been a few incidents - at least one small law firm in Southern California was forced to send letters to clients after a breach and there have been reported incidents of other larger firms being targeted. In May, the New York Times obtained and published an article about an internal report at Citigroup that suggested law firms are likely vulnerable targets for hackers, but that it was difficult to tell if data breaches are on the rise or not because there is no regulatory reporting requirement for the legal industry.

Seventh Circuit: data breach victims have standing based on future harm (Venkat Balasubramani, 24 July 2015) - Plaintiffs sued Neiman Marcus on behalf of a putative class alleging claims arising out of a 2013 data breach. Neiman Marcus informed its customers (in 2014) that an attack had occurred and 350,000 cards had been exposed. Neiman Marcus first learned of fraudulent charges in December 2013, but according to plaintiffs, Neiman Marcus kept the information confidential so as to not disrupt the "lucrative holiday shopping season". Neiman Marcus's position was that while card information was compromised, no other sensitive information was exposed. Neiman Marcus also offered one year of free credit monitoring and identity-theft protection to customers that had made card purchases within a certain time period. Plaintiffs asserted a variety of claims, including negligence, breach of implied contract, unjust enrichment, unfair business practices, invasion of privacy, and violations of state data breach laws. The district court granted Neiman Marcus's Rule 12(b)(6) motion to dismiss. On appeal, the Seventh Circuit reverses. Plaintiffs alleged two categories of imminent injuries: (1) increased risk of future fraudulent charges, and (2) greater susceptibility to ID theft. They also alleged present injuries: (1) lost time resolving fraudulent charges; (2) lost time and money protecting themselves against ID theft; (3) loss from having shopped at Neiman Marcus now that they were aware of its shoddy data security practices; and (4) loss of control over their personal information. As to the people who have already seen fraudulent charges and expended the time to "sort things out," the court says that they clearly have standing. The court also says that plaintiffs who are apprehensive about future unreimbursed charges and who take preventative measures likewise satisfy standing.
Neiman Marcus argued that the common practice of credit card companies is to reimburse for such fraudulent charges and thus preventative measures are unnecessary, but the court says this places a spin on the facts. Bank reimbursement policies are not definitive and universally applied. While the risk of harm was for something that is likely to occur in the future, this does not preclude standing under Clapper, a recent Supreme Court case. [see also Change in the prevailing winds in consumer data breach cases? (Mintz Levin, 22 July 2015)]

Akamai on broadband: A few surprises and a new (but useless) metric (AEI, 24 July 2015) - Akamai's most recent "State of the Internet" report is 60 pages of insightful data on broadband around the world. The report contains reiterations of many things we already knew (including that the US is not, in fact, falling behind), but also offers some surprising insights into IPv6 adoption and a completely new - albeit somewhat useless - metric. In terms of Internet speeds in different US states, Delaware ranks number one with an average peak (Akamai's measure of broadband capacity) of 85.6 Mbps. If Delaware were a country, it would rank 3rd overall, behind Singapore and Hong Kong. In the overall global ranking, Singapore retains the lead with an average broadband capacity of 98.5 Mbps. * * * While there are few surprises in Akamai's speed rankings, the IPv6 adoption rankings are a different ballgame. Belgium is the world leader in IPv6, followed by Germany and then the US. This is surprising since conventional wisdom says China - who didn't even make the top 10 - is the biggest adopter. There may be a lot of IPv6 within China, but none of the external sensors see it. [Polley: some interesting tables and graphs]

Georgia sues Carl Malamud group, calls publishing state's annotated code of laws online unlawful (ABA Journal, 24 July 2015) - A nonprofit founded by Carl Malamud, a 2009 ABA Journal Legal Rebel who was once described by the New York Times as a "self-styled Robin Hood of the information age," has been sued by the state of Georgia. Public.Resource.Org is accused of violating copyright law by distributing the Official Code of Georgia Annotated on the Internet, reports Techdirt. Malamud is president of the group and is known for his campaigns to make statutes, case decisions and government documents freely available to the public. The state is not asserting that it is a copyright violation to publish the text of the statutes themselves, "since the laws of Georgia are and should be free to the public." However, Public.Resource.Org has no right to republish the annotated version of Georgia's code, which is created by a third-party legal publisher as a work for hire under contract with the state legislature, alleges the complaint (PDF). It was filed Tuesday in federal district court in Atlanta. As part of the contract, LexisNexis makes the text of the Georgia statutes freely available online at www.legis.ga.gov, the state notes. But Malamud and his group want more and have downloaded copyrighted material in an effort to push for greater access, the suit contends: "Defendant is employing a deliberate strategy of copying and posting large document archives such as the OCGA (including the copyrighted annotations) in order to force the State of Georgia to provide the OCGA, in an electronic format acceptable to Defendant. Defendant's founder and president, Carl Malamud, has indicated that this type of strategy has been a successful form of 'terrorism' that he has employed in the past to force government entities to publish documents on Malamud's terms." Georgia is seeking a court order prohibiting both copying and use of its copyrighted material in derivative works.
The suit also seeks seizure of infringing material and attorney's fees and costs.

Twitter is deleting stolen jokes on copyright grounds (The Verge, 25 July 2015) - Let's face it: coming up with a grade-A tweet isn't easy. That's why some people just copy good tweets from other people and act like they came up with the 140-character witticism on their own. This has been going on since the beginning of Twitter. It now appears Twitter is using its legal authority to crack down on these tweet-stealers. A number of tweets have been deleted on copyright grounds for apparently stealing a bad joke. As first spotted by @PlagiarismBad, at least five separate tweets have been deleted by Twitter for copying this joke: * * * [Polley: I'd have included the joke here notwithstanding possible copyright infringement liability (I think I'd have had pretty decent affirmative defenses), but just don't get it.] Olga Lexell, who, according to her Twitter bio, is a freelance writer in LA, appears to be the first person to publish the joke on Twitter. In a tweet posted this afternoon, she confirmed that she did file a request to have the tweets removed: I simply explained to Twitter that as a freelance writer I make my living writing jokes (and I use some of my tweets to test out jokes in my other writing). I then explained that as such, the jokes are my intellectual property, and that the users in question did not have my permission to repost them without giving me credit. Twitter, like many companies that host content from users, has an entire system for handling claims of copyright infringement. Under the Digital Millennium Copyright Act (DMCA), Twitter is provided "safe harbor" from copyright claims so long as it does not try to protect infringing material. Typically, claims concern embedded media like photos and videos, or they're for tweets that link to other websites that are illegally hosting copyrighted material, like movies. It's rarer for a DMCA request to involve the actual text of a 140-character tweet.

- and -

Radio Berkman 225: Can you copyright a joke? (Harvard's Berkman Center podcast, 31 July 2015; 17 minutes) - With 316 million users posting 500 million tweets a day, someone is bound to write an unoriginal tweet now and then. But there are some Twitter users whose entire existence relies completely on plagiarizing tiny jokes and relatable observations created by other Twitter users. Many plagiarizing accounts have follower numbers ranging from the thousands to the millions. Meaning their exposure can lead to career opportunities and sponsorships built on the creativity of others who are just getting started in their writing careers. So it was not without excitement that Twitter users found out last week that they can report plagiarizing accounts to Twitter under the Digital Millennium Copyright Act, and have these copied tweets removed. But now we're forced to ask the question: are jokes protected under copyright? We asked Andy Sellars of Harvard Law School's Cyberlaw Clinic to weigh in.

Patents for startups (Patently-O, 26 July 2015) - Google's cross-licensing program "LOT" continues to grow and apparently now includes more than 300,000 patent properties. LOT Network operates as a poison pill for patent rights. In particular, members agree to license their entire portfolio of patents to all other members. However, the license only becomes effective if the patent is transferred to a non-LOT member, such as a patent assertion entity. For many major operating companies, the most dangerous new patents will likely come from the start-up world and so Google (and others) have been considering how to get start-ups to join the network. The company's most recent proposal is its "Patent Starter Program" where Google will give away two patent families to start-up companies who agree to join the LOT Network. http://www.google.com/patents/licensing/ . It will be interesting to watch as this development moves forward.

Public confidential information: California weighs in, asks for comments (David Hricik on Patently-O, 27 July 2015) - Suppose you get a call from a third party about a matter you're handling for a client. She tells you that she had written a blog post about a prior dispute she had had with your client, which your client had paid to settle. Per your request, she emails you a link to the blog post. You forward the link to a friend, saying nothing about it other than "this is interesting." Did you do anything wrong? The information you forwarded was not privileged: it came from a third party, so that doctrine doesn't apply. But, lawyers' obligation of confidentiality extends far beyond privileged information, to protecting "confidential" information. Whether information is "confidential" turns on applicable law, and in some states it includes even information that was publicly available when the lawyer was representing the client. Generally, confidential information must be kept confidential if revealing it would be detrimental to the client, or former client, or the client had asked it not be revealed. The California bar association has a proposed bar opinion that would make it clear that, while not privileged, even public information must be accorded protection as confidential information. The California bar has asked for comments, and you can do so here, and find the entire opinion. Now think about patent practice. You learn about a piece of prior art while representing Client A. For whatever reason, it wasn't pertinent to Client A's application, so you didn't disclose it. Patent issues. Matter ends. Now you're representing Client B in prosecution. You remember that piece of prior art, and if you disclose it in Client B's case, it is more likely that Client B will get a patent that, let's say, will aid it in competing with former Client A. Can you? Must you?
There are a lot of ways this issue comes up in patent practice, and some states like this proposed California opinion take a counterintuitive view of what is confidential. Be careful out there and be sure to think about whether the USPTO rules, or your state rules, would control on that question.

NY Public Library's moving image specialist Arlene Yu on dance as 'useful art' (Broadway World.com, 28 July 2015) - "Dear Miss Hutchinson," the letter begins, "...I was very much interested in an article by John Martin entitled "They Score a Dance as Others Do Music" which appeared in the New York Times Magazine, issue of July 2, 1950. It occurred to me to inquire whether you had at all considered the possibility of copyrighting the scores of new ballets as expressed by the dance notation explained in the article. It seems to me conceivable that by copyrighting such a score, not only could the notation as expressed be protected against unauthorized reproduction but also, and more importantly, the copyright might protect the dance itself against performance except when authorized by the proprietor of the copyright." The letter, dated July 19, 1950, was from Richard S. MacCarteney, the Chief of the Reference Division of the U.S. Copyright Office. "Miss Hutchinson" was Ann Hutchinson, later Hutchinson Guest, one of the leading authorities on dance notation, and more specifically, Labanotation. Two years later, the choreography by Hanya Holm for the Cole Porter musical Kiss Me, Kate became the first dance work ever accepted for copyright registration in the United States. "Choreography is Copyrighted for the First Time," trumpeted the New York Herald Tribune, calling the registration an "epoch-making event in the dance field." Quoting attorney Arnold Weissberger, the Herald Tribune explained the significance of the Copyright Office's acceptance of Kiss Me, Kate as the first "recognition of a choreographic work as an independent creation." By November 1953, the Copyright Office had issued Circular No. 51, specifically covering the copyright of choreographic works as "dramatic or dramatico-musical compositions."
Although choreography would still not be fully recognized as copyrightable - except as a type of dramatic work - until the Copyright Act of 1976, the 1952 registration of Kiss Me, Kate's choreography marked an important step in the acceptance of dance as a serious art form, separate from theater and music.

US likely to scale back planned limits on intrusion-software exports (Reuters, 29 July 2015) - The U.S. Department of Commerce said on Wednesday it will revise regulations intended to restrict the export of software that can be used to break into computers and smart phones. An initial draft of the regulations, published in May, attracted hundreds of comments, many of them complaints that the rules were so broad as to bar the easy sale of standard tools used to test electronic security. "All of those comments will be carefully reviewed and distilled, and the authorities will determine how the regulations should be changed," a spokesman for the Commerce Department said in an interview. "A second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn." The spokesman, who declined to give his name, said the process will take months. The step had been expected after the avalanche of objections from major technology companies as well as security specialists. Even some activists who applauded the idea of cracking down on the sale of tools to despotic regimes that spy on dissidents said the draft had been clumsy. Some version of regulation is called for under the latest iteration of the Wassenaar agreement among 41 countries, which limits the movement of "dual-use" technologies sought for both peaceful and military purposes. The U.S. plan had gone further than other countries, for example, in taking aim at tools for finding software flaws. "We're very encouraged," said Joseph Lorenzo Hall, chief technologist at the nonprofit Center for Democracy & Technology. He said he expected the next set of rules to be more narrowly tailored and added that the group would keep pushing to deregulate cryptography software and protect security research.

Eighth Circuit adds to confusion over when emails are protected by ECPA (Steptoe, 30 July 2015) - The Eighth Circuit has ruled, in Anzaldua v. Northeast Ambulance and Fire Protection District, that copies of emails stored in a "draft" or "sent" folder are not in "electronic storage" and therefore are not protected under the Stored Communications Act (SCA), a part of the Electronic Communications Privacy Act (ECPA). The plaintiff alleged that his ex-girlfriend and employer had accessed, without his permission, a copy of one email he drafted but did not send, and a copy of another that he had already sent. The court held that the emails were not in "electronic storage" when they were accessed because they were not in "temporary, intermediate storage" incident to transmission and also were not being held for purposes of "backup protection." This decision adds to the confusion among courts over how to interpret the statute's definition of electronic storage.

OMB mulling cybersecurity guidelines for contractors (Law360, 30 July 2015) - The White House Office of Management and Budget announced on Thursday that it will soon release draft guidance on data security measures for federal contractors. The agency cited a need to protect federal agency data, which is increasingly stored on contractors' and subcontractors' systems, and said that it will review acquisition and information technology policies currently in place for third-party vendors. The draft guidance will be posted and available for comment at policy.cio.gov, the OMB said. "The increase in threats facing federal information systems demand that... (sub. req'd.)

Global law firm implements innovative internal messaging system (BeSpacific, 30 July 2015) - "In an idea that has yet to be fully embraced by its staff, DLA Piper has introduced its own internal Twitter for enterprise called Grapevine. Using Greets instead of Tweets, Grapevine is an open security model which is being used to send messages; spread news, information and know-how across the firm; and send automated messages to update fee-earners on areas such as matter status and bill payments. It is envisaged that Grapevine, which is the brainchild of chief information officer Daniel Pollick and his team, will become a replacement for the 'no action required by you' element of email, allowing staff to consume news when they choose."

Rise of facial recognition queried by US agency (BBC, 31 July 2015) - A government-related agency in the US has suggested lawmakers consider strengthening privacy laws around facial recognition. Such systems are increasingly being used in public areas, such as shopping centres. The Government Accountability Office (GAO) did not make specific recommendations but suggested the need for a legal review. The report comes a month after privacy campaigners walked out of discussions on creating a code of conduct for private companies wishing to use facial-recognition technology. The GAO report pointed out that there was currently a dearth of relevant legislation in the United States on the issue. "No federal privacy law expressly regulates commercial uses of facial-recognition technology, and laws do not fully address key privacy issues stakeholders have raised," it said.

Broken Windows theory (Slate, 3 August 2015) - Windows 10 is the operating system Microsoft needs. In other words, it's not Windows 8, a Frankenstein's monster of a tablet-plus-desktop OS that alienated everyone from PC manufacturers to corporate users. Instead, Windows 10 is an incremental improvement on Windows 7, one that is faster, slicker, and has some new bells and whistles, like virtual desktops and functional tablet support. One of Windows 10's leaps, unfortunately, is straight into your personal data. Apple and Google may have ignited the trend of collecting increasing amounts of their customers' information, but with Windows 10, Microsoft has officially joined that race. By default, Windows 10 gives itself the right to pass loads of your data to Microsoft's servers, use your bandwidth for Microsoft's own purposes, and profile your Windows usage. Despite the accolades Microsoft has earned for finally doing its job, Windows 10 is currently a privacy morass in dire need of reform. The problems start with Microsoft's ominous privacy policy, which is now included in the Windows 10 end-user license agreement so that it applies to everything you do on a Windows PC, not just online. It uses some scary broad strokes: "Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary." Apple's and Google's privacy policies both have their own issues of collection and sharing, but Microsoft's is far vaguer when it comes to what the company collects, how it will use it, and who it will share it with, partly because Microsoft's one-size-fits-all privacy policy currently applies to all your data, whether it's on your own machine or in the cloud. As Microsoft puts it: "Rather than residing as a static software program on your device, key components of Windows are cloud-based. … In order to provide this computing experience, we collect data about you, your device, and the way you use Windows." In other words, Microsoft won't treat your local data with any more privacy than it treats your data on its servers and may upload your local data to its servers arbitrarily, unless you stop Microsoft from doing so. Microsoft's security story has been far from perfect; this move could make it far worse. For now, it's not easy to restrict what Windows collects, but here's how.

Uncovering Echelon: the top-secret NSA/GCHQ program that has been watching you your entire life (Tech Crunch, 3 August 2015) - If history is written by the victors, government surveillance agencies will have an awfully long list of sources to cite. Domestic digital surveillance has often seemed to be a threat endured mostly by the social media generation, but details have continued to emerge that remind us of decades of sophisticated, automated spying from the NSA and others. Before the government was peering through our webcams, tracking our steps through GPS, feeling every keystroke we typed and listening and watching as we built up complex datasets of our entire personhood online, there was still rudimentary data to be collected. Over the last fifty years, Project ECHELON has given the UK and United States (as well as other members of the Five Eyes) the capacity to track enemies and allies alike within and outside their states. The scope has evolved in that time period from keyword lifts in intercepted faxes to its current all-encompassing data harvesting. In a piece published today in The Intercept, life-long privacy advocate Duncan Campbell describes his past few decades tracking down the elusive Project ECHELON, "the first-ever automated global mass surveillance system." [ Polley : Interesting piece. Echelon has been an open "secret" for a couple decades, but got drowned out by Snowden disclosures; we were discussing Echelon's possible scope in ABA proceedings in the 1990s.]

Appeals court says Netflix doesn't violate privacy by displaying viewing history to anyone using that account (TechDirt, 3 August 2015) - The Ninth Circuit Appeals Court has upheld a win for Netflix in yet another privacy class-action lawsuit arising from the publication of then-Supreme Court nominee Robert Bork's rental history oh so many years ago. The Video Privacy Protection Act sprang into being in 1988 and was used to extract a settlement from Netflix over 20 years later. The lawsuit Netflix settled featured one key difference: in that case, rental information -- in the form of "anonymized data" -- was released to third parties working on better suggestion algorithms in hopes of winning $1 million. In this case, no information was released in any form to third parties… at least not in this sense. At the center of this lawsuit were complaints that Netflix exposed viewing history to certain third parties, i.e., anyone who used the same login as the account holder. This would include family, friends and guests at a person's residence. Since Netflix allows any number of devices to be allowed to access the account simultaneously (depending on how much you want to pay per month), one person's viewing history could theoretically be accessed by a great many people. So, while there may be a privacy concern, it isn't a logical one. The information "exposed" to third parties is done so willingly by the account holder by sharing login info/logged-in devices with other viewers. Certainly the original account holder would like immediate access to recently viewed content. But this convenience also allows anyone using that login to see what's been viewed by that account.

US authority warns hospitals over use of hackable drug pump (BBC, 3 August 2015) - The US Food and Drug Administration is now "strongly encouraging" hospitals not to use a leading brand of drug pump over hacking fears. Hospira, which made the Symbiq Infusion System pump, had already discontinued the product for business reasons. The devices were previously revealed to be hackable by an independent researcher. The manufacturer told the BBC at the time that it was working with the FDA on a more secure system. The FDA is urging healthcare facilities to switch to alternative infusion systems "as soon as possible". Although no known instances of hacking have occurred, Hospira said in June that vulnerabilities discovered by security researcher Billy Rios were being investigated by the firm, in co-operation with the Department of Homeland Security (DHS) and the FDA. Mr Rios recently published a blog post in which he claimed the security flaw had gone unfixed for over a year. The FDA's statement said that the agency was continuing to investigate the issues but advised hospitals to take action now. In 2007 there were more than 400,000 Hospira pumps in use in hospitals around the world, according to the company's website.

What happened when we got subpoenaed over our Tor exit node (Boing Boing, 4 August 2015) - Tor, The Onion Router, is a privacy and anonymity network that bounces traffic around the Internet in nested cryptographic wrappers that make it much harder to tell who its users are and what they're doing. It's especially hated by the NSA and GCHQ. Many people run Tor nodes, but only a few run "exit nodes" through which traffic exits the Tor network and goes out to the public, normal Internet. Having a lot of exit nodes, with high-speed connections, is critical to keeping Tor users safe and secure. We wanted to do our bit for allowing, for example, Bahraini and Chinese dissidents to communicate out of view of their domestic spy agencies, so we turned some of our resources over to Tor in 2012, including access to our blazing-fast Internet connection. The nightmare scenario for Tor exit-node operators is that you'll get blamed for the stuff that people do using your node. In Germany and Austria, prosecutors have actually brought criminal action against Tor exit-node operators. So we were a little freaked out in June when an FBI agent sent us a subpoena ordering us to testify before a federal grand jury in New Jersey, with all our logs for our Tor exit node. We contacted our lawyer, the hard-fightin' cyber-lawyer Lauren Gelman, and she cooled us out. She sent the agent this note: "Special Agent XXXXXX. I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached). The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net/). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records. I would be happy to discuss this further with you if you have any questions." And that was it. The FBI agent did his homework, realized we had no logs to give him, and no one had to go to New Jersey. Case closed. For us, anyway. Not sure what went down with the grand jury. I'm not saying that everyone who gets a federal subpoena for running a Tor exit node will have this outcome, but the only Tor legal stories that rise to the public's attention are the horrific ones. Here's a counterexample: Fed asks us for our records, we say we don't have any, fed goes away.

LOT Polish airlines now accepting Bitcoin (Tech Crunch, 5 August 2015) - I'm not a big fan of the "X accepts bitcoin" type of post but this one is near and dear to my heart - and actually interesting. LOT Polish airlines, the official Polish air carrier, is now accepting bitcoin. What does that mean? It means that you'll soon be able to pay BTC to go to KRK. The transactions are being handled by PSP, a Polish payments platform backed by a number of forward-thinking Polish banks. Interestingly, Poland is a leader in payments with a number of clever smaller banks offering more NFC and bitcoin payment options than anywhere else in Europe. airBaltic and Air Lituanica are also accepting bitcoin but LOT is the first major carrier to do so in Europa Centralna. Hopefully soon we can pay for our Tyskie in Satoshis.

CA4: Accessing cell site data without a warrant violates Fourth Amendment (Lawfare, 5 August 2015) - Earlier today, a three-judge panel of the Fourth Circuit handed down its quite important decision in United States v. Graham. The gist of the two-judge majority opinion (penned by Senior Circuit Judge Andre Davis) is to hold, first, that accessing cell site data without a warrant violated the defendants' Fourth Amendment rights; but, second, that the violation did not require suppression, because it resulted from law enforcement's good faith reliance on procedures set forth by the Stored Communications Act. The majority's ruling adds to a circuit split on the Fourth Amendment issue: It tracks a decision of the Third Circuit, but conflicts directly with judgments issued by the Fifth and Eleventh Circuits, the latter of which took up the question en banc and found no constitutional violation.

James Comey: Retweets equal material support for terrorism, but don't worry, we'll only prosecute real terrorists (TechDirt, 7 August 2015) - Better add that "RTs ≠ endorsements" line to your Twitter profile. Huffington Post's Ryan J. Reilly's coverage of the FBI's efforts against ISIS notes that FBI head James Comey considers retweeting to be material support of terrorism. But that's OK, because the FBI's crew of mind-readers will make sure that anyone who didn't "mean it" avoids prosecution. "Knowing it was wrong, you provided material support for a terrorist organization or some other offense," Comey said, explaining how the FBI sees these suspects in response to Huffington Post questions during a meeting with reporters last month. "That is the bulwark against prosecuting someone for having an idea or having an interest. You have to manifest a criminal intent to further the aims prohibited by the statute." Asked if reposting materials alone would cross the line, Comey said the answer would be different based on the individual circumstances. "It would depend upon what your mental state is in doing it," the FBI director said. "I can imagine an academic sharing something with someone as part of research would have a very different mental intent than someone who is sharing that in order to try and get others to join an organization or engage in an act of violence. So it's hard to answer in the abstract like that."

RESOURCES

Key findings from the 2015 US state of cybercrime survey (PWC, July 2015) - It's no wonder, then, that we found rising concern among the 500 US executives, security experts, and others from the public and private sectors who participated in the 2015 US State of Cybercrime Survey. In fact, 76% of respondents said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59% the year before. Organizations must summon the vision, determination, skills, and resources to build a risk-based cybersecurity program that can quickly detect, respond to, and limit fast-moving threats. The US State of Cybercrime Survey is a collaborative effort with PwC, CSO, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service. Survey is here.

Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning (GAO, 23 July 2015) - Department of Defense (DOD) installations have experienced utility disruptions resulting in operational and fiscal impacts due to hazards such as mechanical failure and extreme weather. Threats, such as cyber attacks, also have the potential to cause disruptions. In its June 2014 Annual Energy Management Report (Energy Report) to Congress, DOD reported 180 utility disruptions lasting 8 hours or longer, with an average financial impact of about $220,000 per day, for fiscal year 2013. Installation officials provided specific examples to GAO, such as at Naval Weapons Station Earle, New Jersey, where in 2012, Hurricane Sandy's storm surge destroyed utility infrastructure, disrupting potable and wastewater service and resulting in almost $26 million in estimated repair costs. DOD officials also cited examples of physical and cyber threats, such as the "Stuxnet" computer virus that attacked the Iranian nuclear program in 2010 by destroying centrifuges, noting that similar threats could affect DOD installations. * * * Military services have taken actions to mitigate risks posed by utility disruptions and are generally taking steps in response to DOD guidance related to utility resilience. For example, installations have backup generators and have conducted vulnerability assessments of their utility systems. Also, DOD is in the planning stages of implementing new cybersecurity guidance, by March 2018, to protect its industrial control systems (ICS), which are computer-controlled systems that monitor or operate physical utility infrastructure. Each of the military services has working groups in place to plan for implementing this guidance. 
However, the services face three implementation challenges: inventorying their installations' ICS, ensuring personnel with expertise in both ICS and cybersecurity are trained and in place, and programming and identifying funding for implementation. For example, as of February 2015, none of the services had a complete inventory of ICS on their installations. Without overcoming these challenges, DOD's ICS may be vulnerable to cyber incidents that could degrade operations and negatively impact missions. Full report here.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

A&E, National Geographic to send TV over Internet (Reuters, 5 Jan 2005) -- Four cable television channels, including A&E and National Geographic, will use the Internet to broadcast programs in a deal with video-on-demand company Akimbo Systems, Akimbo said on Wednesday. The Biography Channel and the History Channel are also part of the announcements at the Consumer Electronics Show, the largest annual technology trade show in the United States. A major theme at the show this year is the proliferation of lower-priced, larger high-definition television screens, and companies like Akimbo are scrambling to carve out a niche providing content for those big screens. Privately held Akimbo sells a programming service and a television set-top box that uses high-speed Internet connections to gather and store TV shows. It can hold up to 200 hours of video. A&E, Biography Channel and History Channel -- all units of A&E Television Networks, a joint venture of broadcasters ABC and NBC and the Hearst Corp. -- will provide various shows like "American Justice," "Biography," "Growing Up Gotti" and "Dog the Bounty Hunter" to Akimbo. National Geographic will serve up films from programs from its library and films like "Inside the Pentagon" and "21 Days to Baghdad."

Hollywood seeks iTunes for film (CNET, 30 March 2005) -- Sony Pictures Digital Entertainment is trying to develop and own the next iTunes--but for films. "We want to set business models, pricing models, distribution models like (Apple Computer CEO Steve) Jobs did for music, but for the film industry," Michael Arrieta, senior vice president of Sony Pictures, said at the Digital Hollywood conference here. "I'm trying to create the new 'anti-Napster,'" he added. To that end, Arrieta said, his group plans to digitize Sony Pictures' top 500 films and make them available for the first time in various digital environments within the next year. He said the distribution for films like "Spider-Man 2" will go beyond just Movielink, the video-on-demand joint venture of Sony Pictures and several other major studios, which to date has hosted a limited library of Sony's movies. For example, Sony plans to sell and make films available in flash memory for mobile phones in the next year, Arrieta said. It also will further develop its digital stores for downloading and owning films on the PC, he said in an interview. Sony's plans--and similar moves by other studios--are likely to avoid empowering any one technology company--such as Apple in the music equation--and allow studios to pocket more of the profits. The philosophy in Hollywood is "Define your own agenda or someone else will for you."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.