MIRLN --- 1-22 October 2011 (v14.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)
- DHS Creates New Senior Cyber Position In NPPD
- Orwell’s Armchair
- EU Cloud Vendors Liable For Breaches
- Federal Reserve Wants to Read Your Facebook Posts
- Law School Lets You Apply For College From Smart Phones
- Stream Away
- How New Labor Guidelines Could Affect Your Social Media Policy
- Arrested in Seattle, Computer Security Expert Creates Searchable Website of Police Dashcam Video Log
- A Citizen’s Guide to Reporting on #OccupyWallStreet
- Pentagon Website Covers Guantanamo Trials
- FOIA and the Question of Secret Law
- FBI To Launch Nationwide Facial Recognition Service
- Publisher Claims Ownership of Time-Zone Data
- US Power Plants Vulnerable to Cyberattack
- Cybercrime Becomes Bigger Threat to Energy Industry than Terrorists
- SEC Asks Companies to Disclose Cyber Attacks
- RSA Details March Cyberattack, Blames “Nation State” for SecurID Breach
- Does Keystroke Monitoring Violate ECPA?
- Judge Royce Lamberth: No Warrant Needed For Cell Phone Location Data
- People Are Starting To Leave Their Facebook Passwords In Their Will
- Three Emerging Cyber Threats
- How the Top 50 Nonprofits Do Social Media
- Los Angeles To Google: We Won’t Pay For LAPD Seats
- Spanish Court Reverses Course: Says Linking To Infringing Material Is A Crime
- Cyber Attacks and Warfare
- French Cookies Are Beginning to Taste Like British Biscuits
DHS Creates New Senior Cyber Position In NPPD (FederalNewsRadio, 22 Sept 2011) - The Homeland Security Department continues to shift cybersecurity oversight chairs. Suzanne Spaulding is the new deputy undersecretary for the department’s National Protection and Programs Directorate (NPPD), according to an email from Rand Beers, DHS under secretary of NPPD, obtained by Federal News Radio. Spaulding replaces Phil Reitinger, who left June 3. Reitinger joined Sony as its chief information security officer in August. “Suzanne brings a wealth of experience, having spent nearly 25 years working on national security issues in the public and private sectors,” Beers wrote in the email to staff. “As deputy undersecretary, Suzanne will focus on efforts to reduce risk and enhance the resiliency of critical infrastructure, secure federal facilities, and advance identity management and verification.” In her new role, Spaulding will oversee the US-VISIT program, infrastructure protection, the Federal Protective Service and the Office of Risk Management and Analysis. Spaulding is expected to start in early October, Beers said. Along with naming Spaulding, Beers said Greg Schaffer will move into a new position, the deputy undersecretary for cybersecurity on an interim basis. “This position will help the directorate ensure robust operations and strengthened partnerships in the constantly evolving field of cybersecurity,” Beers said. Schaffer has been the acting deputy undersecretary and will assume the role of acting deputy undersecretary for cybersecurity until a permanent person is announced in the coming weeks. Spaulding comes to DHS after serving as a principal for the Bingham Consulting Group in Washington. She also was the minority staff director for the House Permanent Select Committee on Intelligence and was the general counsel for the Senate Select Committee on Intelligence. Additionally, Spaulding spent six years at the CIA and served as senior counsel and legislative director for former Sen. Arlen Specter (D-Pa.). [Editor: Suzanne is extremely capable and her background has prepared her well for this role. She’s also been very active in the ABA and with the Standing Committee on Law & National Security, where I served with her from 2002-2009.]
Orwell’s Armchair (by Derek Bambauer, forthcoming U. Chicago Law Review) - Abstract: “America has begun to censor the Internet. Defying conventional scholarly wisdom that Supreme Court precedent bars Internet censorship, federal and state governments are increasingly using indirect methods to engage in “soft” blocking of on-line material. This Article assesses these methods and makes a controversial claim: hard censorship, such as the PROTECT IP Act, is normatively preferable to indirect restrictions. It introduces a taxonomy of five censorship strategies: direct control, deputizing intermediaries, payment, pretext, and persuasion. It next makes three core claims. First, only one strategy - deputizing intermediaries - is limited significantly by current law. Government retains considerable freedom of action to employ the other methods, and has begun to do so. Second, the Article employs a process-based methodology to argue that indirect censorship strategies are less legitimate than direct regulation. Lastly, it proposes using specialized legislation if the U.S. decides to conduct Internet censorship, and sets out key components that a statute must include to be legitimate, with the goal of aligning censorship with prior restraint doctrine. It concludes by assessing how soft Internet censorship affects current scholarly debates over the state’s role in shaping information on-line, sounding a skeptical note about government’s potential to balance communication.” [Editor: recommended by Chris Soghoian]
EU Cloud Vendors Liable For Breaches (SC Magazine, 29 Sept 2011) - The European Union will introduce rules that make cloud providers legally liable for data breaches. The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to become legally liable should any data offences occur at their data centres, lawyers said yesterday. It will effectively act as an accreditation scheme for cloud providers, meaning vendors will need to sign up to the initiative. Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would be likely to sign up because it would give them a selling point. If they refused, they would be seen as unsafe, he said. Vendors must prove their security models are adequate to get accredited. Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.
Federal Reserve Wants to Read Your Facebook Posts (FCW, 30 Sept 2011) - Complaints on Twitter or Facebook about jobs or rising food prices may become fodder for the Federal Reserve Bank of New York’s assessments of the world’s current economic conditions. The bank has issued a request for proposals seeking a contractor to help gauge the nation’s economic mood by sampling conversations on social media platforms such as Facebook, Twitter, YouTube and blogs. The bank said it wants a Sentiment Analysis and Social Media Monitoring Solution to gather and report data from around the world, in multiple languages, on a continuous basis. The proposal calls for “Social Media Listening Platforms” to be created to “monitor billions of conversations” and generate text analytics. Bank officials state in the RFP that they want to stay current on public opinion, and social media monitoring provides a means to do that. “Social media platforms are changing the way organizations are communicating to the public,” the request states. “Conversations are happening all the time and everywhere. There is need for the Communications Group to be timely and proactively aware of the reactions and opinions expressed by the general public as it relates to the Federal Reserve and its actions on a variety of subjects.”
Law School Lets You Apply For College From Smart Phones (Atlanta TV, 3 Oct 2011) - John Marshall School of Law in Atlanta has taken the act of applying to school and brought it into the new age of technology. John Marshall has introduced a mobile application that allows potential students to apply for law school from the palm of their hand. Prospective students can visit m.johnmarshall.edu from their mobile device, whether a smart phone or a tablet, to apply. “We want students to be able to come to a law school forum, tour our campus, talk to us and apply immediately. If they have to wait until they get home and turn on a computer, they may not apply,” Alan Boyer, Associate Dean of Recruitment and Marketing, said in a statement released Monday. Students who use their mobile device over the next few weeks to apply to John Marshall will also get a waiver of the customary $50 application fee.
Stream Away (Inside Higher Ed, 5 Oct 2011) - A federal judge on Monday threw out a lawsuit by an educational media trade group and one of its constituents against the University of California over the legality of streaming copyrighted videos on secure course websites. While the case was dismissed largely on technical grounds, U.S. District Court Judge Consuelo B. Marshall indicated that streaming a copyrighted work on a secure website is no different from holding a screening in a classroom. “The type of access that students and/or faculty may have, whether overseas or at a coffee shop, does not take the viewing of the DVD out of the educational context,” Marshall wrote in her decision. Because the only rights-holding plaintiff in the case, Ambrose Video Publishing, had licensed UCLA to “publicly perform” its videos in the classroom, streaming them on a secure site was also permissible, the judge said. However, legal experts say the decision hardly resolved the central question of whether streaming copyrighted videos in online classrooms is protected under the fair use provisions of U.S. copyright law. The Association for Information and Media Equipment (AIME), along with Ambrose, brought the suit late last year after it found out that the University of California at Los Angeles was facilitating online streaming for its courses. The case attracted a great deal of attention from fair use advocates, who argued—as did the university—that allowing students to stream videos via password-protected course websites was no different from convening a group viewing in a classroom, which they argued was covered under fair use. AIME has countered that in order to convert the videos into digital versions that could be streamed, UCLA was copying the videos’ content unlawfully.
- and -
Judge Suggests DMCA Allows DVD Ripping if You Own the DVD (ArsTechnica, 5 Oct 2011) - A Monday ruling suggests that educational institutions are entitled to stream legally purchased DVDs on campus without the permission of copyright holders. A federal judge dismissed a lawsuit charging UCLA with violating the Digital Millennium Copyright Act and other provisions of copyright law by ripping DVDs and streaming them to students. “UCLA is pleased that the court dismissed the plaintiffs’ lawsuit challenging UCLA’s practice of streaming previously purchased video content for educational purposes,” said Scott Waugh, UCLA executive vice chancellor and provost. “The court ruling acknowledges what UCLA has long believed, that streaming licensed DVDs related to coursework to UCLA students over UCLA’s secure network is an appropriate educational use.” The lawsuit was brought by a trade association of educational video publishers called the Association for Information Media and Equipment (AIME), and one of its members, Ambrose Video Publishing. The plaintiffs allege that around January 2006, UCLA purchased video streaming software that included a DVD-ripping capability, and began streaming DVDs it had purchased - including some belonging to Ambrose - to members of the UCLA community. Ambrose and AIME sued in December 2010, alleging copyright infringement, breach of contract, and other harms. They argued that UCLA violated the anti-circumvention provisions of the DMCA when it ripped Ambrose’s copy-protected DVDs. They also argued that its DVDs are sold under a licensing agreement that prohibits rebroadcast and public display. And they noted that Ambrose was just one of many copyright holders whose works were included in UCLA’s 2,500-work streaming library. UCLA countered that copyright’s fair use doctrine gives educators broad latitude to publicly perform copyrighted works as part of their instructional activities. It also noted that Ambrose’s own catalog states that “All purchases by schools and libraries include public performance rights.” As for the DMCA claim, UCLA argued that because the school was the lawful owner of the DVDs at issue, it had a right to access the DVDs and therefore could not have run afoul of the ban on circumventing access-control measures. Judge Consuelo B. Marshall sided with UCLA. She noted that the plaintiffs conceded that UCLA had the right to show its DVDs in the classroom, and ruled that UCLA’s streaming service was functionally equivalent. “The type of access that students and/or faculty may have, whether overseas or at a coffee shop, does not take the viewing of the DVD out of the educational context,” she wrote. Marshall also ruled that UCLA’s copies of the DVDs were incidental to its lawful streaming service, and were therefore fair use. The case is Association For Information Media and Equipment v. University of California.
How New Labor Guidelines Could Affect Your Social Media Policy (Mashable, 5 Oct 2011) - While social media has been around for a while, there are still aspects of it that are very new, such as policy development. Such policies have to stand the test of time and evolve as the workplace - and the social media platforms and their usage - changes. In August, the National Labor Relations Board (NLRB) released a report on the outcome of investigations into 14 cases involving the use of social media and employers’ social media policies. The NLRB is an independent agency in the U.S. government that protects employees’ rights to join together to improve wages and working conditions, with or without a union. Here’s an overview of the report and some pointers on what your company should consider when it comes to social media policy development.
Arrested in Seattle, Computer Security Expert Creates Searchable Website of Police Dashcam Video Log (ABA Journal, 5 Oct 2011) - Arrested three years ago in Seattle when a police officer apparently didn’t appreciate his “brainiac” attitude after he was questioned about swatting giant sponge golfballs from bar to bar during a pub crawl, a computer security expert has fought back big time. Once the obstruction case against him was dismissed, Eric Rachner pursued a public-disclosure claim against the city’s police department over its failure to provide all video camera footage of his arrest, winning a $60,000 judgment. And today he filed suit against the department again, asserting claims in his King County Superior Court complaint (PDF) for false arrest, obstruction of justice, malicious prosecution and “spoliation of video evidence,” reports the Seattle Times. But that’s not all. Tomorrow the 35-year-old Rachner plans to activate a website that he says will allow arrested citizens and their attorneys to see whether there is any video from the dashboard cameras that police are supposed to activate during arrests. As part of the judgment in his favor in the disclosure suit, Rachner and his lawyer, Cleveland Stockmeyer, were given copies of the department’s log of every dashcam arrest video shot by Seattle patrol officers between July 2008 and August of this year. By checking the log, other arrestees and their counsel “might find, as we did in Eric’s case, that the video and the police reports were so at odds that they might as well have been from different incidents,” Stockmeyer tells the Times. Much of Rachner’s latest suit focuses on what he contends is a widespread practice of the department of failing to provide requested dashcam footage not only to arrestees who request it but even to federal investigators. The department, he alleges in the suit, “has had a policy and custom to falsely conceal video when it is requested.” Other videos, he claims, have been lost, and officers sometimes don’t activate the dashcams when they are supposed to, all of which results in a loss of evidence. A local television station filed suit against the police last month, the newspaper says, after learning Rachner had dashcam logs that had been withheld from a reporter.
A Citizen’s Guide to Reporting on #OccupyWallStreet (Berkman’s CMLP, 7 Oct 2011) - We at the Citizen Media Law Project have taken great interest in the ongoing “Occupy Wall Street” protest in New York. Much of what we know about the protest has come from independent reporters and citizen journalists covering the story from the ground. Knowing this, we are alarmed to hear reports of police arresting reporters during the protest. This, of course, could greatly discourage press coverage of this story. In order to encourage citizen reporting from the ground in New York, and to dispel the uncertainties as to the rights of those covering the protest, we have created this special question-and-answer guide regarding covering the protest in New York as a special addendum to our CMLP Legal Guide. For more general information, you can also refer to our guide’s section on New York law. Note: This guide specifically addresses the law as it pertains to New York City and the protests currently occurring in Zuccotti Park. The information provided below will not apply with respect to the other #occupy protests throughout the country. While we tried our best to present the law as it generally applies in New York, specific facts and circumstances often alter outcomes in specific cases. Also, this post provides the law as it exists in October of 2011. We do not intend to update this post as the law changes, so if you find yourself returning to this at a later time please note that the law may have changed. PDF version of the CMLP guide here.
Pentagon Website Covers Guantanamo Trials (Robert Ambrogi, 7 Oct 2011) - The Department of Defense has launched a website, Military Commissions, devoted to coverage of trials by the military courts in operation at Guantanamo to try accused terrorists. Notably, the site allows users to view and download documents and court filings from the commission cases against specific individuals and to obtain summaries of the charges against them. The site also provides a description of military commissions and how they work. It includes an interesting chart that compares the rules and procedures in military commissions with those in courts-martial and Article III courts. There is also a collection of significant court opinions relating to military commissions and of current and historical documents pertaining to the commissions. There is even a section providing details on travel to Guantanamo Bay. The Pentagon created the site, it says, to help “provide fair and transparent trials of those persons subject to trial by Military Commissions while protecting national security interests.”
FOIA and the Question of Secret Law (Lawfare, 7 Oct 2011) - Charlie Savage of the New York Times has filed this FOIA suit in an effort to acquire a classified report issued by DOJ and ODNI to Congress “pertaining to intelligence collection authorities” under section 215 of the USA PATRIOT Act (permitting the government to obtain from the FISC an order for the production of “any tangible things” upon a showing of “reasonable grounds” in relation to an international terrorism or counterintelligence investigation). The report appears to have sparked fierce objections from Senators Ron Wyden and Mark Udall, who have asserted in floor debate that the government has a troubling “secret” interpretation of the PATRIOT Act. The suit itself presents the question whether legal analysis, as distinct from details of the program itself, warrants protection under FOIA exemption 1. The complaint calls for release of at least a redacted version of the DOJ/ODNI report, if not the whole thing. If successful, of course, this strategy could have significant implications across a range of settings involving internal government legal advice.
FBI To Launch Nationwide Facial Recognition Service (NextGov, 7 Oct 2011) - The FBI by mid-January will activate a nationwide facial recognition service in select states that will allow local police to identify unknown subjects in photos, bureau officials told NextGov. The federal government is embarking on a multiyear, $1 billion overhaul of the FBI’s existing fingerprint database to more quickly and accurately identify suspects, partly through applying other biometric markers, such as iris scans and voice recordings. Often law enforcement authorities will “have a photo of a person and for whatever reason they just don’t know who it is [but they know] this is clearly the missing link to our case,” said Nick Megna, a unit chief at the FBI’s criminal justice information services division. The new facial recognition service can help provide that missing link by retrieving a list of mug shots ranked in order of similarity to the features of the subject in the photo. Today, an agent would have to already know the name of an individual to pull up the suspect’s mug shot from among the 10 million shots stored in the bureau’s existing Integrated Automated Fingerprint Identification System. Using the new Next-Generation Identification system that is under development, law enforcement analysts will be able to upload a photo of an unknown person; choose a desired number of results from two to 50 mug shots; and, within 15 minutes, receive identified mugs to inspect for potential matches. Users typically will request 20 candidates, Megna said. The service does not provide a direct match. Michigan, Washington, Florida and North Carolina will participate in a test of the new search tool this winter before it is offered to criminal justice professionals across the country in 2014 as part of NGI. The project, which was awarded to Lockheed Martin Corp. in 2008, already has upgraded the FBI’s fingerprint matching service. Local authorities have the choice to file mug shots with the FBI as part of the booking process. The bureau expects its collection of shots to rival its repository of 70 million fingerprints once more officers are aware of the facial search’s capabilities. [Editor: reminds me of the premise behind CBS’s interesting new show “Person of Interest”.]
Publisher Claims Ownership of Time-Zone Data (Wired, 9 Oct 2011) - The publisher of a database chronicling historical time-zone data is claiming copyright ownership of those facts, and is suing two researchers for re-purposing it in a free-to-use database relied on by millions of computers. The researchers’ publicly available database was being hosted on a server at the Maryland-based National Institutes of Health, which apparently has removed the data at the request of the Massachusetts-based publishing house, Astrolabe. The publisher markets its programs to astrology buffs “seeking to determine the historical time at any given time in any particular location, world-wide,” and claims ownership of the data in its “AC International Atlas” and “ACS American Atlas” software programs. Astrolabe’s federal lawsuit, filed last week, is among the boldest claims of copyright infringement since 2005. That’s when Bikram Choudhury, the hot-yoga guru, claimed copyright to his yoga positions. Choudhury had sent cease-and-desist letters ordering studios to stop teaching what he claimed were his copyrighted yoga poses. In an out-of-court settlement, the targeted studios agreed they would not capitalize off of the Bikram brand name. But they were not prohibited from teaching his style of yoga, which was based on an art form thousands of years old. The suit also faces the tough challenge of overcoming a 1991 Supreme Court decision concerning a company that harvested listings from a phone company’s telephone book and re-published them. The court ruled that “copyright does not extend to facts contained in [a] compilation.” Astrolabe claims Arthur Olson, a computer scientist at the National Institutes of Health, and Paul Eggert, a computer scientist at the University of California at Los Angeles, have “unlawfully reproduced the works” (PDF) and distributed them without permission from the copyright holder. The allegedly infringing database credits the Astrolabe database.
US Power Plants Vulnerable to Cyberattack (FT, 11 Oct 2011) - Hundreds of thousands of people in darkness, hospitals in chaos, a banking system under siege - a cyberattack on the US electricity grid could have catastrophic consequences. When federal researchers discovered that outside hackers could take control of the generators used to produce electricity in the US and destroy them, analysts warned that a coordinated assault on the grid could black out large regions and cause devastation akin to scores of hurricanes striking at once. Regulators asked utilities to fix that design flaw, as they have with others discovered later. Now, four years since that first warning, experts say that power plants - along with financial institutions, transportation systems and other infrastructure - have become even more vulnerable. “The next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental system,” Leon Panetta, US defence secretary, said at his June confirmation hearing. The economic damage from a single wave of cyberattacks on critical infrastructure could exceed $700bn - or the cumulative toll of 50 major hurricanes ripping into the nation simultaneously, wrote Stanton Sloane when he was chief executive of SRA International. Skeptics argue that the dangers are being talked up by those eager to be hired to help. Other countries, such as the UK, are also exposed, but officials agree that the US is the most vulnerable to cyberattack because its companies and people are so dependent on the internet. [M]ost alarming for the US defence establishment is the lack of security around the electricity grid. Many power plants, as well as factory floors and pipelines, rely on automation equipment that can be reprogrammed remotely yet does not require even the authentication imposed on average computer users, said John Pollet of Red Tiger Security, which has carried out security assessments on more than 150 facilities: “There is a systemic problem” across all manufacturers of the gear. Some control systems can be located with special Google searches and then ordered to shut down or speed up, potentially blowing up a power or water treatment plant, presentations at the Black Hat hacker conference showed in August. Many of these control systems were designed before the age of widespread internet connections.
- and -
Cybercrime Becomes Bigger Threat to Energy Industry than Terrorists (FuelFix, 13 Oct 2011) - In years past, discussions about security in the energy industry usually focused on protecting refineries from terrorist attacks and overseas workers from kidnapping. Today, the greater threat is the digital theft of competitive information or technical data by outside hackers or unscrupulous employees, speakers at an FBI-sponsored event on energy security said Wednesday. “The shift from physical security to data security has been a significant one for all of us,” said Russell Cancilla, Vice President and Chief Security Officer at Baker Hughes. “Theft of intellectual property, state-sponsored corporate espionage, those kinds of things have grown exponentially in recent years.” A few well-known incidents in the energy industry occurred in 2008, when computer systems owned by oil companies including ConocoPhillips, Marathon Oil and Exxon Mobil were reportedly hacked by outside forces seeking oil and gas lease bidding information. Sections of the U.S. power grid were also probed by outside forces in recent years, although it does not appear any damage was done. But the energy industry tends to be tight-lipped about such breaches. [Editor: Baker Hughes seems to have evolved their thinking since March’s MIRLN 14.04.]
- and -
SEC Asks Companies to Disclose Cyber Attacks (Reuters, 13 Oct 2011) - U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes. The Securities and Exchange Commission issued guidelines on Thursday that laid out the kind of information companies should disclose, such as cyber events that could lead to financial losses. Senator John Rockefeller had asked the SEC to issue guidelines amid concern that it was becoming hard for investors to assess security risks if companies failed to mention data breaches in their public filings. “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything,” Rockefeller said in a statement. “It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it.” There is a growing sense of urgency about cyber security following breaches at Google Inc, Lockheed Martin Corp, the Pentagon’s No. 1 supplier, Citigroup, the International Monetary Fund and others. Tom Kellermann, chief technology officer of security firm AirPatrol Corp, said that the SEC guidance tells companies to report cyber attacks and disclose steps to remediate problems. “They must also incorporate cyber events into their material risk reports,” said Kellermann, who has advised U.S. President Obama on cyber policy. The SEC gets into specifics, telling companies what type of data they might need to provide investors. “Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue,” it says. SEC guidance here: www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm [Editor: there’s much to criticize in the guidance - e.g., the seeming requirement fully to disclose exploited vulnerabilities, which might still be exploited - but I think this is a move in the right direction. See article from Hogan Lovells.]
RSA Details March Cyberattack, Blames “Nation State” for SecurID Breach (Ars Technica, 12 Oct 2011) - At EMC’s RSA Conference Europe in London today, RSA executives shared more details on the cyber attack that stole information on the company’s SecurID authentication tokens in March. RSA executive chairman Art Coviello said at a press conference that two separate hacker groups worked in collaboration with a foreign government, ZDNet UK reports. He would not disclose the parties involved, but said “we can only conclude it was a nation-state sponsored attack.” According to RSA executives, no customers’ networks were breached as a result of the SecurID data stolen. RSA president Tom Heiser said during a presentation at the conference that it was clear the attack was intended to go after military contractors’ data. The coordinated effort used a series of spear phishing attacks against RSA employees, posing as people they trusted, to penetrate the company’s network. The phishing attack installed a “zero-day” exploit to establish a foothold. IDG reported that the exploit used an Excel spreadsheet with an embedded malicious Adobe Flash file. The foothold, and the tag-team attack that followed, were used to gain access to the SecurID data. However, RSA’s chief security officer Eddie Schwartz said during the press conference that the intrusion was detected before any customers were attacked. According to RSA executives, the data was used in only one attack on a customer, and that attack was unsuccessful. No other customers were affected, according to RSA, despite reports that several defense contractors, including Lockheed Martin, had experienced breaches.
Does Keystroke Monitoring Violate ECPA? (Steptoe, 13 Oct 2011) - A recent federal court decision points out two of the many critical ambiguities in the Electronic Communications Privacy Act (ECPA): what constitutes an “interception” under the Wiretap Act portion of ECPA, and when is an email in “electronic storage” and therefore protected by the Stored Communications Act portion of ECPA? The court in Rene v. G.F. Fishers Inc. held that the use of keystroke logging software to monitor signals sent from a keyboard to a personal computer was not an interception of an electronic communication because it did not occur on “a system affecting interstate or foreign commerce.” But the court found that the same actions could violate Indiana’s wiretapping law, underscoring again how state laws may be more privacy-protective than ECPA. The court also held that unopened emails in a person’s inbox are in “electronic storage” within the meaning of the SCA, and reserved judgment on whether opened emails were also in electronic storage. The storage question is one that has befuddled courts for years.
Judge Royce Lamberth: No Warrant Needed For Cell Phone Location Data (BLT, 13 Oct 2011) - Prosecutors do not need a warrant to compel a cellular phone service provider to turn over data about call location, a federal judge in Washington said in a ruling unsealed Wednesday. The ruling examines the government’s attempt to get data from the undisclosed service provider amid a U.S. Attorney’s Office investigation of an armed robbery of an armored truck. Chief Judge Royce Lamberth of U.S. District Court for the District of Columbia redacted the name of the service provider, the target phone number and the name of its alleged user. Lamberth ruled in part for prosecutors, reviving the government’s push to obtain cell phone data. The judge reversed a magistrate judge’s ruling from August. But Lamberth did not rubberstamp the government’s request, submitted under the Stored Communications Act. Instead, he said prosecutors must present additional evidence to prove the requested data is material to the armed robbery investigation. The burden is lower than the one a warrant would require. The dispute gave the court the opportunity to explore the scope of a controversial Washington federal appeals court ruling about the propriety of warrantless GPS surveillance. In ruling against the government in the armed robbery matter, Magistrate Judge John Facciola said the D.C. Circuit’s decision in Jones required the government to obtain a warrant to compel the disclosure of the requested cellular data. Lamberth said that Facciola concluded that cell phone data, including the location of the tower that transmitted a call, is “tantamount to the sort of continuous GPS surveillance” at issue in the GPS case. A “reasonable cellular phone customer presumably realizes that his calls are all transmitted by nearby cell-site towers, and that cellular phone companies have access to and likely store data regarding the cell-site towers used to place a customer’s calls,” Lamberth said. 
Lamberth said a person’s “decision to place a cellular phone call and thus provide information regarding his location to the phone company thus defeats an individual’s privacy interest in that information.” Lamberth’s ruling here.
People Are Starting To Leave Their Facebook Passwords In Their Will (Business Insider, 13 Oct 2011) - One in 10 people in the United Kingdom leave their passwords to sites such as Facebook, Flickr, and Tumblr in their will, according to a story in the Guardian. Facebook makes it difficult for living members to get the passwords of their deceased relatives. As a result, a “growing numbers of people want their digital identities to be controlled after they are gone,” Emma Barnett writes. “They also want their families to have access to personal photos and home videos which are now more commonly being stored in the cloud, rather in a physical album at home.” The trend is increasing because people in Britain and all over the world have noticed Facebook walls of the deceased becoming easy targets for hacking and spammers. The European Union is also considering laws that would give living relatives easier access. But for now, an increasing number of wills will include a strange series of letters and numbers (or, you know, something like noah1234).
Three Emerging Cyber Threats (Bruce Schneier, 15 Oct 2011) - Last month, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: (1) The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They’re collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior. (2) Ill-Conceived Regulations from Law Enforcement. We’re seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I’m thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they’ll all make us less safe. (3) The Cyberwar Arms Race. I’m not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.
How the Top 50 Nonprofits Do Social Media (PhilanTopic, 17 Oct 2011) - We love a good infographic—especially when it relates to things that interest us, like nonprofits and social media. This one, from craigslist founder Craig Newmark and the folks at craigconnects, kept us busy for a while. Based on an informal audit conducted in August and September, the infographic is intended to answer questions like: Do the highest-earning nonprofits use social media more effectively than nonprofits that earn less? Are those same nonprofits the most “engaging”? How are people using social media to respond to and interact with large nonprofits? Here are a few key findings:
- 92 percent of the top 50 nonprofits promote at least one social media presence on their homepage;
- PBS has the most followers (840,653) on Twitter;
- The American Cancer Society follows the most people/orgs (200,522) on Twitter;
- Food for the Poor is the most “talkative” nonprofit on Facebook, with 220 posts over the two-month survey period;
- The nonprofit with the highest net income, the YMCA, only posted 19 times to Facebook over the two-month survey period but has more than 24,000 fans.
- and -
Feds’ Social Media Use Increases (NextGov, 18 Oct 2011) - Federal employees are increasingly turning to social media websites for work and personal use, particularly as more agencies lift restrictions on access, according to a new survey. The new Social Media in the Public Sector study, released Tuesday by Market Connections, found that just 19 percent of agencies ban access to some or all social media websites like Facebook, Twitter and LinkedIn. This is down sharply from 2010, when 55 percent of agencies banned access. The survey, which was conducted in September and drew nearly 900 public sector participants, including 352 federal employees and 272 government contractors, found that 74 percent of all respondents access social media websites at work, while 92 percent access them at home and 70 percent access them on mobile devices. The most widely used mobile devices by feds were the iPhone (53 percent), Blackberry (42 percent), Android (39 percent) and iPad (27 percent). LinkedIn and Twitter showed the biggest gains among social media websites used by federal respondents. Use of LinkedIn by feds, for example, grew from 32 percent in 2010 to 70 percent this year, while Twitter use increased from 30 percent last year to 55 percent this year. Eighty-six percent of federal respondents said they use Facebook, up from 72 percent last year, while 80 percent said they use YouTube, up from 61 percent in 2010, the survey found. Government-specific social networking websites also saw a boost in federal participation. According to the survey, 35 percent of federal workers and 55 percent of contractors said they use GovLoop, while GovTwit is being used by 30 percent of both government and contractor employees. Meanwhile, 37 percent of federal respondents said they are permitted to use social media as representatives of their agency, versus just 9 percent last year. 
Federal respondents said social media was most useful in helping inform decision making (100 percent), communicating externally with citizens and other agencies (81 percent), communicating with colleagues (78 percent), research (64 percent) and promotion/marketing (61 percent), the survey found.
- and -
Why I Deleted My Facebook Account (Bitter Lawyer, 18 Oct 2011) - Two weeks ago today, I did something that I thought was fairly non-controversial (I was wrong, apparently). I deactivated my Facebook account. And not just the half-hearted deactivation option Facebook offers, whereby your account remains saved and can be reactivated at any time. I actually completely deleted my account. Here’s the really crazy part: I’ve spent the last 14 days fielding hundreds of emails from family, friends, and periphery ranging from mere curiosity to utter disbelief that I’m no longer on Facebook. No one can understand why I would ever want to disconnect myself from the (unfortunately) ubiquitous social network. Well, here’s why. [Editor: isn’t there some irony in the fact that she’s blogging about escaping too-much-sharing with the “Screen People”? Still, I take her point.]
Los Angeles To Google: We Won’t Pay For LAPD Seats (Business Insider, 18 Oct 2011) - One of Google’s flagship government customers is trying to get out of paying for part of its contract, saying that Google has been too slow to meet its revised security requirements. Two years ago, Google got the City of LA to switch 30,000 employees from its old email system, Novell GroupWise, to Gmail. But the deployment is going slower than expected because of additional security requirements from the LA Police Department. The LA Times reported on these problems back in April. Now, an August 2011 letter from Los Angeles CTO Randi Levin shows what the city is demanding. That letter says that Google’s integration contractor, CSC, has been “unable to complete and comply with all LAPD security requirements” and those of other agencies that handle criminal records. So the city of LA is refusing to pay for those seats, and asking Google to do the work for free. “There will be no charge to the City for any Google licenses for the LAPD,” proposes the letter. LA also wants Google to pay for the GroupWise licenses used by the LAPD through November 12, 2012.
Spanish Court Reverses Course: Says Linking To Infringing Material Is A Crime (TechDirt, 19 Oct 2011) - We’ve noted over and over again that Spanish courts have quite reasonably interpreted Spain’s copyright law to mean that a site that just links to infringing content is not liable for the infringement. This makes a lot of sense. You should not blame a third party for the actions of its users. Yet the entertainment industry has made these rulings out to be an absolutely horrible miscarriage of justice, and has—with the support of the US government—pushed hard for draconian new copyright laws within the country. While public outcry (and leaked State Dept. cables showing that the US was really behind it) helped derail the effort the first time around, supporters are still trying to push it through. However, while the existing law stands, it’s a bit surprising to see that one Spanish court has gone completely in the other direction and found the operators of a couple of sites guilty of criminal copyright infringement, for which they may face a year in jail, in addition to fines. The lawyer for one of the defendants suggests that this ruling is a result of politics, not the law. It’s hard not to think that way given how it appears to fly in the face of most other decisions in Spain. I would imagine that there’s still going to be an appeal in the case before it’s really settled.
Supreme Court of Canada Stands Up for the Internet: No Liability for Linking (Michael Geist, 19 Oct 2011) - The Supreme Court of Canada today issued its much anticipated ruling in Crookes v. Newton, a case that focused on the issue of liability for linking to allegedly defamatory content. The court provided a huge win for the Internet as it clearly understood the significance of linking to freedom of expression and the way the Internet functions by ruling that there is no liability for a mere hyperlink. The key quote from the majority, written by Justice Abella: “I would conclude that a hyperlink, by itself, should never be seen as ‘publication’ of the content to which it refers.” This is an enormous win for the Internet since it rightly recognizes that links are just digital references that should not be viewed as republication of the underlying content.
Cyber Attacks and Warfare (Media Law Prof Blog, 19 Oct 2011) - Michael Gervais, Yale Law School, has published Cyber Attacks and the Laws of War. Here is the abstract:
“In the past few decades, cyber attacks have evolved from boastful hacking to sophisticated cyber assaults that are integrated into the modern military machine. As the tools of cyber attacks become more accessible and dangerous, it’s necessary for state and non-state cyber attackers to understand what limitations they face under international law. This paper confronts the major law-of-war issues faced by scholars and policymakers in the realm of cyber attacks, and explores how the key concepts of international law ought to apply. This paper makes a number of original contributions to the literature on cyber war and on the broader subject of the laws of war. I show that many of the conceptual problems in applying international humanitarian law to cyber attacks are parallel to the problems in applying international humanitarian law to conventional uses of force. The differences are in degree, not of kind. Moreover, I explore the types of cyber attacks that states can undertake to abide by international law, and which ones fall short.” Paper here.
French Cookies Are Beginning to Taste Like British Biscuits (Steptoe, 20 Oct 2011) - By the sound of things, French data protection regulators thought their lawmakers were acting a bit kooky when, as we previously reported, they passed an ordinance providing that consent for the installation of cookies by a website can be inferred by browser settings. In a public statement last month, the Commission Nationale de l’Informatique et des Libertés, France’s data protection agency, stated its intention to strictly apply active consent requirements in enforcing the ordinance. Specifically, it said that browser settings allowing all cookies, without making a distinction between their purposes, cannot be deemed a valid consent expressed by the user. This new statement reflects a stricter reading of the requirements of amended EU privacy law than what was apparently expressed by French lawmakers in August, and it would appear to bring France’s treatment of cookies more in line with the UK’s approach.
Find the Person Behind an Email Address (Digital Inspiration) - You get an email from a person with whom you have never interacted before and therefore, before you reply to that message, you would like to know something more about him or her. How do you do this without directly asking the other person? Web search engines are obviously the most popular place for performing reverse email lookups, but if the person you’re trying to research doesn’t have a website or has never used that email address on public forums before, Google will probably be of little help. No worries, here are a few tips and online services that may still help you uncover the identity of that unknown email sender. [Editor: Interesting; the TinEye tool looks scary, and worked when I searched for one of my own head-shots; we’re not too far away from full-bore facial recognition tools.]
Wilful vs. Willful (Volokh Conspiracy, 19 Oct 2011) - A student saw “wilful” used in an opinion, and asked whether it was a typo. How things have changed in a few decades! Here’s a Google Ngrams graph comparing the use of “wilful” (blue) and “willful” (red) in Google’s American English sources * * * “Wilful” was once the only common spelling (and still remains the dominant spelling in British English, again according to Google Ngrams). But then things changed, and now “willful” is considerably more common. Indeed, a quick Westlaw query suggests that “willful” is 10 times more common in 2011 court opinions. It’s thus probably wiser to use “willful,” unless one knows that one’s audience (say, a judge) has a contrary preference; using the more common spelling is more likely to convey your message without needlessly distracting the reader. Interestingly, the first two references I found for “wilful [sic]” in court cases were in 1962 and 1963, though in those years judicial usage was nearly evenly split between “wilful” and “willful.” Those references were the only such “sic” references until 1971, but in the last few years there have been more than 10 “wilful [sic]” references in court cases per year, which further reflects how dominant “willful” has become.
CAMERAS SCANNED FANS FOR CRIMINALS (St. Petersburg Times, 31 Jan. 2001) Were you one of the 100,000 fans and workers to pass through the stadium turnstiles at Sunday’s Super Bowl? Did you smile for the camera? Each and every face that entered Raymond James Stadium for the big game was captured by a video camera connected to a law enforcement control room inside the stadium and checked electronically against the computer files of known criminals, terrorists and con artists of the Tampa Police Department, the FBI and other state and local law enforcement agencies. Sunday’s Super Bowl was the first major sporting event to adopt the face-matching surveillance system. But the designers of the system expect other security-sensitive sporting events, ranging from the upcoming 2002 Winter Olympics in Salt Lake City to the hooligan-plagued soccer leagues in parts of Europe, to express great interest. http://www.sptimes.com/News/013101/TampaBay/Cameras_scanned_fans_.shtml
U.S. CONGRESS EYES VIRTUAL ASSEMBLY OPTIONS Spooked by anthrax in the U.S. Capitol Building, lawmakers are considering an option proposed by the Democratic Leadership Council to convene “an electronic Congress.” The DLC says a Web site “could easily be built” that would allow Congress and their staffers to debate, draft legislation and vote over the Internet. Such a site likely would use biometrics or “human verification” procedures to restrict access, and “the best system might require members to spread around the country to go to the nearest state capitol or city hall to use special kiosks there.” The proposal, contained in an article titled “Legislating by Any Means Necessary,” suggests that the site could be open to the public on “a read-only basis, so citizens could watch their representatives much as they can now on C-SPAN.” A DLC staffer who worked on the report says, “This was supposed to be a conversation starter. We put this out there not as a full-baked proposal, not as an end-to-end solution.” (Wired News 25 Oct 2001) http://www.wired.com/news/politics/0,1283,47841,00.html