MIRLN --- 25 March – 14 April 2012 (v15.05)

MIRLN --- 25 March - 14 April 2012 (v15.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

NEWS | PODCASTS | RESOURCES | BOOK REVIEW | FUN | LOOKING BACK | NOTES

Most 2011 Cyberattacks Were Avoidable, Verizon Says (Computerworld, 22 March 2012) - Despite rising concern that cyberattacks are becoming increasingly sophisticated, hackers used relatively simple methods 97% of data breaches in 2011, according to a report compiled by Verizon. The annual Verizon report on data breaches , released Thursday, also found that in a vast majority of attacks (80%), hackers hit victims of opportunity rather than companies they sought out. The findings suggest that while companies are spending increasing sums of money on sophisticated new security controls, they are also continuing to overlook fundamental security precautions. The conclusions in the Verizon report are based on the investigations into more than 850 data breaches. The report was compiled with the help of the U.S. Secret Service and law enforcement agencies in the United Kingdom, The Netherlands, Ireland and Australia, Verizon said.

top

The ‘Secret’ American Laws You Have to Pay to See (Daily Finance, 23 March 2012) - In America, dealing with the legal system isn’t cheap If you find yourself in court, chances are that you’ll spend a fortune hiring the best lawyer you can afford. But while good legal counsel costs a bundle, access to the law itself is supposed to be free. In other words, although you may need a professional to help you understand the legal code, you are supposed to be able to find out what the laws are without paying for the privilege. But that’s not the case with all laws. For some, you have to pay a stiff price just to take a peek. Codes and standards—the rules governing everything from fire safety in your office to your home electrical system—occupy a twilight area between private information and public law. On the one hand, some of these rules are part of the legal system, and a failure to abide by them can result in stiff penalties. On the other, many of them were developed and updated by private organizations like the U.S. Green Building Council, the National Fire Protection Association or the Society of Automotive Engineers. Having produced these codes and standards, these nonprofit organizations are legally allowed to charge for access to them. According to Jerry Goldman, research professor of law and director of the Oyez Project at the Chicago-Kent College of Law, this poses a serious challenge to some of America’s most deeply-held ideals. “In a democracy, our laws are our operating system,” he argues. “The operating system has to be free if we want a vibrant democracy.” By denying access to the law, Goldman claims, standards-setting organizations have created a “barrier to entry” for people who want to know the rules governing many aspects of their lives: “A layperson who wants to understand building code—who wants to lift up the hood and see what’s going on, as it were—will be stuck with the full price of the code, and will be deterred from pursuing the issue further.” One group has faced the code issue head-on. Public.Resource.Org , a nonprofit organization dedicated to free access to the law, has spent the last five years posting state safety codes online. Recently, the group upped the stakes with their decision to copy and distribute 73 safety standards manuals that are integrated into federal law. In a largely symbolic move, they sent out 25 copies of the code books to a variety of groups, including the National Archives, the White House, and Harvard Law School.

top

Punishing Prometheus: The Supreme Court’s Blunders in Mayo v. Prometheus (PatentlyO, 26 March 2012) - “Not even wrong.” So said Wolfgang Pauli about a proposed analysis by a young physicist, meaning that the arguments were not subject to falsification, the basic tool of scientific analysis. So too it can be said about the Supreme Court’s decision in Mayo v. Prometheus. The Court’s analysis creates a framework for patent eligibility in which almost any method claim can be invalidated. Like so many pseudo-sciences in which every phenomenon can be rationalized and in which there is no test that can show the theory to be incorrect, under Prometheus seemingly anything can be “explained” as being unpatentable subject matter. Let me say at the outset that I’ve been a student of patent law, and patent eligibility in particular, since 1993. My clients have frequently been those whose inventions bumped up against the boundaries of patentable subject matter-in software, e-commerce, finance, business operations, user interfaces, and bio-informatics to name a few-so I have become intimately acquainted with both the legal and practical implications of this question. As such my personal reaction to this decision is very strong, and I will be quite blunt in what follows. Over the next several days I will address just some of the logical and legal errors in the Court’s decision.

top

Sealand, HavenCo, and the Rule of Law (James Grimmelman, March 2012) - In 2000, a group of American entrepreneurs moved to a former World War II antiaircraft platform in the North Sea, seven miles off the British coast. There, they launched HavenCo, one of the strangest start-ups in Internet history. A former pirate radio broadcaster, Roy Bates, had occupied the platform in the 1960s, moved his family aboard, and declared it to be the sovereign Principality of Sealand. HavenCo’s founders were opposed to governmental censorship and control of the Internet; by putting computer servers on Sealand, they planned to create a “data haven” for unpopular speech, safely beyond the reach of any other country. This Article tells the full story of Sealand and HavenCo-and examines what they have to tell us about the nature of the rule of law in the age of the Internet. The story itself is fascinating enough: it includes pirate radio, shotguns, rampant copyright infringement, a Red Bull skateboarding special, perpetual motion machines, and the Montevideo Convention on the Rights and Duties of State. But its implications for the rule of law are even more remarkable. Previous scholars have seen HavenCo as a straightforward challenge to the rule of law: by threatening to undermine national authority, HavenCo was opposed to all law. As the fuller history shows, this story is too simplistic. HavenCo also depended on international law to recognize and protect Sealand, and on Sealand law to protect it from Sealand itself. Where others have seen HavenCo’s failure as the triumph of traditional regulatory authorities over HavenCo, this Article argues that in a very real sense, HavenCo failed not from too much law but from too little. The “law” that was supposed to keep HavenCo safe was law only in a thin, formalistic sense, disconnected from the human institutions that make and enforce law. But without those institutions, law does not work, as HavenCo discovered. [Editor: Full paper here . See covering ArsTechnica story here . I produced a podcast about this last year: http://knowconnect.com/mirln/podcast-feed/ ]

top

More Companies are OK with Employees Using Facebook at Work (Computerworld, 26 March 2012) - Earlier this month, a report from industry research firm Gartner, noted that the number of large companies that block employees from accessing social networking sites while on the job is dropping. The Gartner study showed that in 2010, 50% of large organizations blocked social sites, but by 2014, that number should drop to 30%. The study found that for some company departments and processes, such as marketing, access to external social media is a business need. Meanwhile, employees are finding ways to circumvent corporate blocks by using their personal smartphones .

top

How Important Is Attribution In Copyright Issues? (TechDirt, 27 March 2012) - Many, many people think that attribution is a key part of copyright law, but in the US it’s really not a part of the law at all (with a few tiny, nearly meaningless exceptions). Attribution issues may come up in situations of plagiarism, but they have little do with copyright infringement, which is infringement with or without attribution. Elsewhere, there are issues of moral rights, but for the most part, the US does not recognize moral rights in copyright. Of course, many have argued that perhaps attribution is more important than much of what is in copyright law, and at times there have been efforts to focus more on the question of attribution over infringement. A recent study has tried to quantify some issues around this idea and put questions about the value of attribution into context. Eric Goldman points our attention to this recent paper by Christopher Sprigman, Christopher Buccafusco and Zachary Burns which is entitled Valuing Attribution and Publication in Intellectual Property . The paper’s authors seek to get a real sense of what the tradeoffs are for content creators—and they quickly discover that content creators are willing to accept significantly less money in exchange for attribution and publicity. They also discover—as their own previous studies have shown—that content creators tend to significantly overvalue their own works. But the key finding is that attribution has tremendous value to content creators—both amateurs and professionals alike.

top

The Effects of Data Breach Litigation (Bruce Schneier, 27 March 2012) - “Empirical Analysis of Data Breach Litigation,” Sasha Romanosky, David Hoffman, and Alessandro Acquisti; Abstract: “In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated, which are not? Which lawsuits settle, or are dismissed? Using a unique database of manually-collected lawsuits from PACER, we analyze the court dockets of over 230 federal data breach lawsuits from 2000 to 2010. We use binary outcome regressions to investigate two research questions: Which data breaches are being litigated in federal court? Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued in federal court are 3.5 times greater when individuals suffer financial harm, but over 6 times lower when the firm provides free credit monitoring following the breach. We also find that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. While the compromise of financial information appears to lead to more federal litigation, it does not seem to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is more strongly correlated with settlement.” Draft version of full paper here .

top

The NFL’s Intellectual Property Claims (MLPB, 27 March 2012) - Eric E. Johnson, University of North Dakota School of Law; Stanford Law School Center for Internet and Society, has published The NFL, Intellectual Property, and the Conquest of Sports Media at 86 North Dakota Law Review 760 (2010). Here is the abstract: “This article explores how the National Football League (NFL) has used assertions of intellectual property to control media coverage of its activities and events. Some history is uncovered, including the NFL’s project of wresting copyright ownership to televised game coverage away from the broadcast television networks. Also reviewed is the NFL’s spurious claims of copyright ownership over footage shot by third persons. The article further explains how the NFL has, in recent years, begun to use press accreditation as a way to gain copyright ownership over news-media footage and to eliminate competition with the NFL’s own web and television media businesses. It is concluded that the NFL’s press policies and its assertions of intellectual property ownership represent a threat to press freedoms of the sports and news media.” Paper here .

top

Texas Ban on Photographing People Without Their Consent “With Intent to Arouse or Gratify the Sexual Desire of Any Person” (Volokh Conspiracy, 28 March 2012) - Texas Penal Code § 21.15(b)(1) makes it a crime to photograph someone “without the person’s consent” and “with intent to arouse or gratify the sexual desire of any person.” (A separate provision applies to photographing people in bathrooms or private dressing rooms.) In Ex parte Nyabwa (Tex. Ct. App. Dec. 13, 2011) , a Texas appellate court upheld the statute reasoning that “[p]hotography” - apparently including the taking of photographs - “is a form of speech normally protected by the First Amendment,” but: “The State argues that the statute is not a regulation of speech at all, but instead is a regulation of the photographer’s or videographer’s intent. Discussing a similar First-Amendment issue, the Court of Criminal Appeals concluded that a telephone-harassment statute does not implicate the free speech guarantee - even though the conduct may include spoken words - where the statute focuses on the actor’s intent to inflict emotional distress and not to legitimately communicate ideas, opinions or information. Scott, 322 S.W.3d at 669-70. In much the same way, Texas Penal Code section 21.15(b) regulates a person’s intent in creating a visual record and not the contents of the record itself. We thus conclude that the statute is not a regulation of speech and does not violate the First Amendment.”

top

Treasury Issues Guidance on Exports of Personal Communications Services to Iran (Steptoe, 29 March 2012) - The Treasury Department’s Office of Foreign Assets Control ("OFAC") has issued interpretive guidance and a new licensing policy regarding its rule authorizing the export to Iran of certain services and software incident to the exchange of personal communications over the Internet. Because the original rule was unclear, many companies chose not to rely on it and simply avoided offering services or exporting software to Iran. The new guidance makes explicit that certain services and software for personal communications (such as Yahoo! Messenger and Skype’s free peer-to-peer service), data storage, and browsers are within the scope of the previous authorization. And the new licensing policy makes clear that OFAC will grant licenses on a case-by-case basis for similar paid products not covered by the existing authorization (such as Skype Credit and Google Talk). [Editor: In a vaguely related vein, see the recent posting below from LinkedIn: “Please remember that this group is a place where employees and alumni/ae can connect and stay connected, not a technical help forum. In general, there is no issue with an occasional question—for example, the recent exchange about the running time of [snip] seems to have been helpful to the requester, and may have interested some other people. HOWEVER, remember that this group includes people who work in countries designated as “embargo countries” by the U.S. State Department and by some other governments; that the embargo in question includes technology information, not just products; and that the embargo applies to all U.S. citizens and residents, wherever they reside in the world, and to people of any nationality residing in the U.S. Do not risk creating problems for yourself, for another member, or for this group as a whole by asking or answering a question that could be interpreted, according to U.S. law, as an exchange of technology information between a U.S. person and a person or company in one of the embargo countries. For additional details, please ask your company’s export compliance officer or legal staff.” Fascinating.]

top

Lawsuit Against Avvo for Lawyer’s Profile Dismissed as SLAPP (Eric Goldman, 29 March 2012) - Florida lawyer Larry Joe Davis, Jr. claimed that his Avvo profile misrepresented his practice. He sued Avvo in Florida for false advertising, publicity rights misappropriation and unfair trade practices. Avvo invoked the forum selection clause in its user agreement to successfully transfer the case from Florida to Washington. In this ruling, the court finds the lawsuit is a SLAPP and dismisses the case. Further, per Washington’s anti-SLAPP statute, Avvo will get its attorneys’ fees plus a $10k bonus. In other words, another lawyer-plaintiff will be writing a large check to the defense for a lawsuit he never should have brought. The court first finds that a lawsuit over providing information to the public to help them choose professional service providers constitutes “an action involving public participation.” The court treats this as self-evident, but as I’ve documented before, California courts (for anti-SLAPP purposes) don’t automatically treat consumer reviews as matters of public concern even though I think they should. It’s good to see this court recognize the social importance of providing information that guides the marketplace’s invisible hand. Once Avvo made that threshold showing, the burden fell on Davis to show his prima facie case, which he failed to do. On the crucial question of whether Avvo’s allegedly wrongful activities occurred in “trade or commerce,” the court says Avvo’s ad-supported listings are not sufficiently commercial, citing Avvo’s 2007 win in the similar Browne case. The key to this ruling is that Washington’s anti-SLAPP law is more robust that Florida’s mostly toothless anti-SLAPP protection. Had Avvo not been able to transfer the case to Washington and get its choice-of-law provision enforced, it probably still would be litigating the case and burning its cash. Davis v. Avvo , 2:11-cv-01571-RSM (W.D. Wash. March 28, 2012)

top

Judge: Bradley Manning Supporter Can Sue Government Over Border Search (ArsTechnica, 29 March 2012) - An outspoken supporter of WikiLeaks suspect Bradley Manning has won the right to sue the federal government over a border search-and-seizure that agents conducted in 2010 after his return to the US from a Mexico vacation. David Maurice House, an MIT researcher, was granted the right to pursue a case against the government on Wednesday after a federal judge denied the government’s motion to dismiss. The American Civil Liberties Union filed a federal lawsuit in May 2011 on House’s behalf, charging that he had been targeted solely for his lawful association with the Bradley Manning Support Network. “This ruling affirms that the Constitution is still alive at the US border,” ACLU Staff Attorney Catherine Crump said in a statement. “Despite the government’s broad assertions that it can take and search any laptop, diary or smartphone without any reasonable suspicion, the court said the government cannot use that power to target political speech.” US customs agents met and briefly detained House as he deplaned at Chicago’s O’Hare Airport in November 2010. The agents searched House’s bags, then took him to a detention room and questioned him for 90 minutes about his relationship to Manning (the former Army intelligence analyst currently facing a court martial for leaking classified documents to the secret-spilling site WikiLeaks). The agents confiscated a laptop computer, a thumb drive, and a digital camera from House and reportedly demanded, but did not receive, his encryption keys. DHS held onto House’s equipment for 49 days and returned it only after the ACLU sent a strongly worded letter.

top

Copyright and Right of Publicity Law (MLPB, 30 March 2012) - Michael D. Murray, Valparaiso University School of Law, has published The Ethics of Intellectual Property: An Ethical Approach to Copyright and Right of Publicity Law Ethics Core Encyclopedia - National Center for Professional & Research Ethics . Here is the abstract: “The ethical approach to copyright and right of publicity law should be a constant concern of designers and artists. Copyright is the intellectual property protection of original and creative works including designs, images, writings, and other creations. Right of publicity is a right to control the use of a person’s name, image, or likeness under legal theories that draw from intellectual property law, equity, privacy law, and property law. This encyclopedia article discusses the ethical approach to the use of copyrighted works and names, images, and likenesses protected by the right of publicity.”

top

Hacks of Valor - Why Anonymous Is Not a Threat to National Security (Foreign Affairs, Yochai Benkler, 4 April 2012) - Over the past year, the U.S. government has begun to think of Anonymous, the online network phenomenon, as a threat to national security. According to The Wall Street Journal, Keith Alexander, the general in charge of the U.S. Cyber Command and the director of the National Security Agency, warned earlier this year that “the hacking group Anonymous could have the ability within the next year or two to bring about a limited power outage through a cyberattack.” His disclosure followed the U.S. Department of Homeland Security’s release of several bulletins over the course of 2011 warning about Anonymous. Media coverage has often similarly framed Anonymous as a threat, likening it to a terrorist organization. Articles regularly refer to the Anonymous offshoot LulzSec as a “splinter group,” and a recent Fox News report uncritically quoted an FBI source lauding a series of arrests that would “[chop] off the head of LulzSec.” This is the wrong approach. Seeing Anonymous primarily as a cybersecurity threat is like analyzing the breadth of the antiwar movement and 1960s counterculture by focusing only on the Weathermen. Anonymous is not an organization. It is an idea, a zeitgeist, coupled with a set of social and technical practices. Diffuse and leaderless, its driving force is “lulz”—irreverence, playfulness, and spectacle. It is also a protest movement, inspiring action both on and off the Internet, that seeks to contest the abuse of power by governments and corporations and promote transparency in politics and business. Just as the antiwar movement had its bomb-throwing radicals, online hacktivists organizing under the banner of Anonymous sometimes cross the boundaries of legitimate protest. But a fearful overreaction to Anonymous poses a greater threat to freedom of expression, creativity, and innovation than any threat posed by the disruptions themselves. No single image better captured the way that Anonymous has come to signify the Internet’s irreverent democratic culture than when, in the middle of a Polish parliamentary session in February 2012, well-dressed legislators donned Guy Fawkes masks—Anonymous’ symbol—to protest their government’s plan to sign the Anti-Counterfeiting Trade Agreement (ACTA). [Editor: spot-on.]

top

“Dear Cell Phone, ...” (Steptoe, 5 April 2012) - You may not inscribe your most personal thoughts into your cell phone (then again, maybe you do), but, whatever the case, the Seventh Circuit has held that a cell phone is no different from a diary when it comes to the government’s ability to search it without a warrant. The court in United States v. Flores-Lopez ruled that a police search of an arrestee’s cell phone in order to obtain its phone number was constitutional under the Fourth Amendment’s search-incident-to-arrest exception. The court acknowledged that a cell phone is capable of holding a much greater amount of personal data than a traditional container, and this fact could give rise to greater privacy interests. But the court suggested that because the information sought in this case (i.e., the telephone number) was so “trivial,” it could be searched incident to an arrest, without a warrant, even if there was no risk of harm to the officer or of destruction of evidence. The court left open the question whether a search for more extensive information should be permitted under this exception.

top

Wolfram|Alpha Offers Data on U.S. Federal Court Filings, Caseloads and More (Law.com, 5 April 2012) - Wolfram|Alpha is an online service/search engine with the mission of getting knowledge and answers for people “not by searching the web, but by doing dynamic computations based on a vast collection of built-in data, algorithms, and methods.” Via FutureLawyer , I learned that Wolfram|Alpha recently announced that it has added some data on each of the 94 district courts in the federal court system, which it hopes will offer some “fascinating bits of information about the justice system in this country.” For example, entering the term “ California courts ” will produce a list of all of the district courts in the state, along with data for each court, such as the number of cases filed and terminated per year, and the number of cases pending. There is also interesting data on points such as the median time to trial in each of the state’s four district courts ( e.g. , 19.7 months in the Central District versus 35.1 months in the Southern District). Clicking further to learn about a particular district court (here is the link for the Northern District , for example) produces information on that court including a map of its jurisdiction, charts of its annual filings and much more. Customized graphs and other data are available for users of the Wolfram|Alpha Pro service, which appears to have a $4.99/month fee.

top

Are Retweets Endorsements?: Disclaimers and Social Media (CMLP, 5 April 2012) - “RTs do not = endorsements.” We’ve all seen it on Twitter bios, usually bios belonging to members of the media. These kinds of disclaimers, disassociating the tweets from the people who retweet them, are common. The Twitter bio belonging to Brian Stelter of the New York Times (@brianstelter) notes, “RT & links aren’t endorsements.” But for some, those disclaimers are not enough. Last fall, the Associated Press introduced an updated social media policy for its reporters and editors. As recently reported in Yahoo! News , the AP memo advised reporters and editors that “Retweets, like tweets, should not be written in a way that looks like you’re expressing a personal opinion on the issues of the day. A retweet with no comment of your own can easily be seen as a sign of approval of what you’re relaying.” The guidelines note, “[W]e can judiciously retweet opinionated material if we make clear we’re simply reporting it.” Members of the media might want to be careful, however, that statements like “No comment” or “without comment” before tweets do not take on meanings of their own. Often, retweeting something “without comment” can indicate an unwillingness to comment due to an either enthusiastic support for or disapproval of the content of the original tweet. [Editor: There’s more, and it’s useful.]

top

Organizations in Dark as Employees Party on with BYOD (GCN, 5 April 2012) - Organizations know that employees’ personal mobile devices are sometimes getting onto their networks, but the extent of the problem could be worse than they thought. A new study by the SANS Institute found that only 9 percent of organizations surveyed were “fully aware” of the devices accessing their networks, and only 50 percent were “vaguely or fairly” aware. Meanwhile, organizations are scrambling to manage the risk, pursuing everything from user education and mobile device management to Network Access Control and monitoring, SANS said in announcing the study . Among other results, the survey of 500 IT professionals found that fewer than 20 percent of organizations are using endpoint security tools, although the organizations using them are using agent-based, rather than agentless, tools. “More than 60 percent of organizations today allow staff to bring their own devices,” SANS Senior Instructor and survey author Kevin Johnson, said in the announcement.

top

Viacom Didn’t Actually ‘Win’ Against YouTube, But The Appeals Court Ruling Is Still Dangerous (TechDirt, 6 April 2012) - We already covered the 2nd Circuit’s ruling in the appeal of the Viacom/YouTube case, but I wanted to follow up after seeing much of the coverage. There have been a number of reports that outright declare this a “victory" for Viacom , which is a very generous reading of the ruling. To be sure, the appeals court reinstates the case that had been effectively shut down by the district court—but it did so in a manner that rejected every single one of Viacom’s interpretations of the law. The biggest concern in this lawsuit was that Viacom would be able to use it to effectively reinterpret the DMCA the way it wanted the law to act, rather than the way the law was actually written (and which the case law has supported for years). The court clearly rejected that attempt by Viacom. 

But, of course, it wasn’t a complete vindication for YouTube. Reviving the lawsuit is clearly a partial step backwards for YouTube, but it’s entirely possible that they could still prevail in the district court on the specific points that were sent back for trial. And, in the details of why the appeals court revived the case are some significant problems, many of which are outlined in a thorough post by Eric Goldman . I don’t agree that the ruling is quite as significant as Goldman does, but he does make some good points about problems with the setup of the DMCA’s safe harbor and (equally troubling) the way the court ruled on a few key points that make little sense.

top

60 Websites in 60 Minutes from ABA TechShow (Lawyerist, 6 April 2012) - The popularity of “N things in N minutes” seminars is a little baffling to me, especially since you can apparently get CLE credit for some of these shallowest of all seminars. But the lists themselves can be interesting. This list of 60 websites from ABA TechShow contains everything from useful tools for lawyers to effective ways to waste time reading relationship drama on Facebook. It’s a good source of Friday-afternoon time wasting, if nothing else.

top

Here’s What Facebook Sends the Cops in Response to a Subpoena (ZDnet, 7 April 2012) - Facebook already shares its Law Enforcement Guidelines publicly, but we’ve never actually seen the data Menlo Park sends over to the cops when it gets a formal subpoena for your profile information. Now we know. This appears to be the first time we get to see what a Facebook account report looks like. The 71-page document is actually two documents in one. The first eight pages are the actual subpoena; the remaining 62 pages are from Facebook. Most of the pages sent over from the social networking giant consist of a single photograph, plus formal details such as the image’s caption, when the image was uploaded, by whom, and who was tagged. Other information released includes Wall posts, messages, contacts, and past activity on the site. The document was released by The Boston Phoenix as part of a lengthy feature titled “Hunting the Craigslist Killer,” which describes how an online investigation helped officials track down Philip Markoff. The man committed suicide, which meant the police didn’t care if the Facebook document was published elsewhere, after robbing two women and murdering a third.

top

Commerce Agency Still Offline 12 Weeks After Virus Hits (GCN, 9 April 2012) - What would you do without Google, or some other search engine, always ready to find what you need on the Internet? How could you do your job without e-mail and the attachments it carries? And where did you put that letter opener? A small agency within the Commerce Department has been finding those things out for the past 12 weeks, The Washington Post reports. A virus contained in an e-mail hit the 215-employee Economic Development Administration 80 days ago and proved to be so pernicious that it threatened Commerce’s entire network, the Post reported. So EDA shut down its system and sent employees back to the 1980s, to a life of working with fax machines, postal mail and telephones. The agency is slowly starting to recover, though the troubles persist, and the technological throwback has had a few positives, such as increasing personal contact, the article said. Meanwhile, the investigation continues into what has proved to be one nasty virus. Commerce Secretary John Bryson told the Post, “[W]e have the best resources in the federal government looking into this,” although, 12 weeks later, “we don’t yet have any deeper understanding of what happened.” The U.S. Computer Emergency Readiness Team reported the virus Jan. 20, and EDA was taken offline Jan. 24 as a preventive measure, the site SPAMfighter reported at the time. The result has been any organization’s nightmare. Despite security precautions, what happened to EDA could happen in a lot of places. In April 2011, for instance, Oak Ridge National Laboratory was offline for more than a week after a phishing attack. But 12 weeks is a long time to be living in the past, as online tools, mobile communications and other trappings of technology increasingly become part of the working life. For younger employees, in particular, it might feel like some kind of cultural re-enactment. It could also give agencies cause to consider not burning their technology bridges so fast as they plunge ahead into new devices and platforms. Maybe they should think twice before getting rid of things like fax machines and other technology dinosaurs . Apparently, old tech is still a useful safety valve.

top

Spies and American Universities (InsideHigherEd, 9 April 2012) - A lengthy Bloomberg article outlines a series of incidents that have alarmed security officials and some university leaders who fear that some countries are attempting to use American universities’ foreign connections for the purpose of spying. The article notes numerous incidents, including an American researcher who was invited to give a talk abroad. Then someone there asked for a copy of her paper, inserted a thumb drive into her laptop, and downloaded every document she had. In another instance, Michigan State University was approached by a Dubai-based company about providing funds and students for the university’s Dubai campus, which was struggling financially. Lou Anna K. Simon, president at Michigan State, contacted the Central Intelligence Agency because she was afraid the company might be a front for Iran. When the CIA couldn’t confirm the company’s legitimacy, Simon passed on the deal and shut down the Dubai campus. The article also quoted from a 2011 Pentagon report that said that attempts by East Asian countries to obtain classified or proprietary information through “academic solicitation” (requesting to see academic papers or discuss work with professors), jumped eightfold in 2010.

top

Report Analyzes Decline in State Support for Higher Education (InsideHigherEd, 10 April 2012) - State spending on higher education increased by $10.5 billion in absolute terms from 1990 to 2010, but considering changes in enrollments and inflation, funding per public full-time equivalent student dropped by 26.1 percent from 1990-1991 to 2009-2010, according to a report released Monday by the think tank Demos. During the same period, the report documents, tuition at public institution has seen large increases in many states. While many of those states have also increased aid budgets, a large share of those funds has gone to programs that are not based on financial need. The report notes that household income has not generally increased to match the tuition increases, and that the volume of outstanding student debt has grown by a factor of 4.5 since 1999.

top

World Bank Publications and Research Now Easier to Access, Reuse (BeSpacific, 10 April 2012) - “Two years after opening its vast storehouse of data to the public, the World Bank is consolidating more than 2,000 books, articles, reports and research papers in a search-engine friendly Open Knowledge Repository , and allowing the public to distribute, reuse and build upon much of its work-including commercially. The repository, launched today, is a one-stop-shop for most of the Bank’s research outputs and knowledge products, providing free and unrestricted access to students, libraries, government officials and anyone interested in the Bank’s knowledge. Additional material, including foreign language editions and links to datasets, will be added in the coming year. And, in a bid to promote knowledge-sharing around the world, the Bank has become the first major international organization to require open access under copyright licensing from Creative Commons - a non-profit organization whose copyright licenses are designed to accommodate the expanded access to information afforded by the Internet.”

top

Ninth Circuit Hands Down En Banc Decision in United States v. Nosal, Adopting Narrow Interpretation of Computer Fraud and Abuse Act (Volokh Conspiracy, 10 April 2012) - The Ninth Circuit has just handed down its long-awaited en banc decision in United States v. Nosal , the case I’ve blogged a lot about involving the scope of the Computer Fraud and Abuse Act and whether violating employee restrictions on workplace computer use is a federal crime. The opinion by Chief Judge Kozinski is a huge victory for those of us who have urged the courts to adopt a narrow construction of the CFAA. Chief Judge Kozinski’s analysis essentially adopts the argument we made in the Lori Drew case (and that I pushed in two articles ) that “exceeds authorized access” has to be interpreted narrowly to avoid turning the CFAA into the statute that inadvertently criminalizes a tremendous scope of innocuous activity: [W]e hold that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires “penal laws . . . to be construed strictly.” United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95 (1820). “[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Jones, 529 U.S. at 858 (internal quotation marks and citation omitted).”

top

Appeals Court Limits Law Used in Goldman Programmer Case (NYT, 11 April 2012) - A federal appeals court has restricted the use of a national law cited in federal prosecutors’ efforts to convict a former Goldman Sachs programmer accused of illegally downloading computer code from his onetime employer. In an opinion released on Wednesday, the United States Court of Appeals for the Second Circuit ruled that the former employee, Sergey Aleynikov, had not violated the Economic Espionage Act of 1996 or federal stolen property laws. The opinion elaborates on the February decision by a three-judge panel of the appeals court to overturn Mr. Aleynikov’s conviction, a reversal that dealt a blow to one of the most prominent federal prosecutions of corporate espionage in recent years. The appeal centered on whether his actions constituted a crime under the Economic Espionage Act. Prosecutors argued that Goldman’s high-frequency trading system was produced for interstate commerce, while Mr. Aleynikov’s lawyers countered that it was meant for internal use. Writing for the appeals court, Chief Judge Dennis Jacobs, who presided over the February appeals hearing, agreed with the defense. While conceding that Goldman’s code was “highly valuable,” he said the investment bank’s trading program was never intended to be sold. That fell short of the interstate commerce requirements of the Economic Espionage Act, according to the appeals court’s reading of the statute. Because the high-frequency trading system “was not designed to enter or pass in commerce, or to make something that does, Aleynikov’s theft of source code relating to that system was not an offense” under the Economic Espionage Act, Judge Jacobs wrote in the opinion. The judge also found that while Mr. Aleynikov had taken code and uploaded it to his own computers, he had not actually taken a physical object - and therefore had not violated the letter of federal law. That he later transferred the code to a thumb drive still did not make his actions a federal crime.

top

An Online Art Collection Grows Out of Infancy (NYT, 12 April 2012) - I don’t know how many wonders of the world there are by now, but it is possible that the Google Art Project will someday join the list. The greatly expanded second iteration of this online compilation of self-selected art museums and artworks was unveiled last week. It makes available images of more than 32,000 works in 31 mediums and materials, from the collections of 151 museums and arts organizations worldwide, forming a broad, deep river of shared information, something like a lavishly illustrated art book fused with high-end open storage. But world-wonder status will not happen tomorrow. The project has plenty of limitations and some bugs to work out. Numerous important museums have remained aloof, for one thing, including the Louvre, the Prado, the Centre Pompidou, Stedelijk in Amsterdam, Topkapi Palace in Istanbul and every Swiss museum of note. Others, having joined, participate grudgingly, whether protective of their own Web sites or unwilling to deal with copyright permissions that apply to art not yet in the public domain; this includes vast quantities of 20th-century Modernist material, which remains in very short supply here. To cite one glaring gap: Although there are now more than 6,500 names on the list of artists (cumbersomely alphabetized by first name, with no option to reconfigure by last name), the site still does not include a single work by Picasso. There is also apparently nothing by Georges Braque, Marcel Duchamp, Kazimir Malevich or Max Beckmann and only a single painting by Matisse, thanks to the Toledo Museum of Art. Postwar American and European art fares no better; none of the main Abstract Expressionists are represented. No Beuys, Fontana or Manzoni. Nothing notable by Johns, Rauschenberg or Warhol (although the Art Institute of Chicago has managed put up a very nice 1961 painting by Twombly). But that will undoubtedly change. One of the glories of the Google Art Project is that it is a collective, additive work in progress that allows any museum or art-related organization to join and upload as many - or as few - high-resolution images of artworks as it chooses. At some point some museum somewhere is going to tackle the Picasso rights problem. [Editor: so, my favorites aren’t here yet; still, this is remarkable.]

top

Canada Seeks to Turn Coins Into Digital Currency (NYT, 12 April 2012) - Last month, Canada announced that it would eliminate its penny . Now the Royal Canadian Mint is using one of the oldest forms of currency, gold, to attract software developers to its project, the MintChip Challenge, to transform the country’s remaining coins into digital currency. The creators of the best digital payment application entered in the contest will receive a gold wafer currently worth about $17,000. Unlike some digital payment systems, the MintChip has low aspirations. It is only intended to pay for low-value items, physically or online. Since Canada long ago replaced $1 and $2 banknotes with coins, that effectively means anything worth less than $5 to $10. Despite its name, the MintChip is more a protocol and system than a physical device. While the mint currently has prototype versions based on a chip, it said the system could be included in mobile phones or, for people interested only in online transactions, remain entirely on servers. When used in a physical form, the MintChip does not require an Internet connection for payments and, unlike debit and credit cards, its transactions are not run through third parties.

top

NOTED PODCASTS

Virginia Heffernan on The Digital Dialectic (Berkman, 27 March 2012; 69 minutes) - Virginia Heffernan - columnist, national correspondent for Yahoo News, and author of the soon-to-be-released Magic and Loss: The Pleasures of the Internet - discusses analog culture, digital culture and what’s next. [Editor: Snooping in people’s bookshelves and medicine cabinets sometimes gives insight into character. Likewise, you’ll learn about me from my full-throated endorsement of this terrific podcast: she’s articulate, thoughtful, and full of insights. Now I have to go get her book and start following her on Twitter. Aside: Zittrain has it wrong about Jamie Gorelick and crypto controls - they predate the Clinton administration by more than a decade.]

top

RESOURCES

CRS: Cybersecurity: Selected Legal Issues (14 March 2012) - The federal government’s role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information amongst private sector and government entities. This report also discusses the degree to which federal law may preempt state law. In order to protect federal information networks, the Department of Homeland Security (DHS), in conjunction with the National Security Agency (NSA), uses a network intrusion system that monitors all federal agency networks for potential attacks. Known as EINSTEIN, this system raises significant privacy implications-a concern acknowledged by DHS, interest groups, academia, and the general public. DHS has developed a set of procedures to address these concerns such as minimization of information collection, training and accountability requirements, and retention rules. Notwithstanding these steps, there are concerns that the program may implicate privacy interests protected under the Fourth Amendment.

top

The Dubious Autonomy of Virtual Worlds (SSRN paper, Mark Lemley) - Current debates over the autonomy of virtual worlds have an eerie similarity to discussions about the independence of cyberspace two decades ago. The history of the Internet offers some important lessons for how the law will affect virtual worlds, and how it should do so.

top

BOOK REVIEW

Locked Down: Information Security for Lawyers (ABA Press, 2012, by Sharon Nelson, David Ries, John Simek) - In November of 2011, the FBI met with major law firms to deal with the rising number of law firm computer intrusions, warning them that hackers see attorneys as a back door to the valuable data of their corporate clients. In an age where lawyers frequently conduct business across wireless networks using smartphones and laptops, how can attorneys safeguard client data and confidential information? Locked Down explains the wide variety of information security risks facing law firms and how lawyers can best protect their data from these threats--with any budget. [Editor: There’s little here new to MIRLN readers, but the volume contains a useful survey of applicable bar rules and opinions implicating infosec competence and duties, and may help convince your colleagues that infosec deserves systematic attention. The technical discussion is almost entirely dedicated to Microsoft environments, and of little use to Macintosh users (anybody using Linux probably can skip the entire book). Half of the book consists of appendices (e.g., model rules and ethics opinions), a glossary, and a few checklists.]

top

FUN

April Fools (EFF, 1 April 2012) - [Editor: If you were disappointed by a dearth of decent April Fool’s events (probably because it didn’t fall on a work-day), the Electronic Frontier Foundations has one.]

top

LOOKING BACK - MIRLN TEN YEARS AGO

MAJOR LABEL FIRST: UNENCRYPTED MP3 FOR SALE ONLINE (Newsbytes, 23 May 2002)—For apparently the first time ever, a major record-label subsidiary is releasing an unencrypted MP3 file onto the Internet, hoping fans will fork over 99 cents for the right to own and use the song without constraints. Maverick Records and Vivendi Universal Net USA jointly announced today that a special dance remix of, “Earth,” a track by bassist Meshell Ndegeocello, marks the first time a major-label artist has ever put a downloadable MP3 song up for sale on the Internet. The song became available for download for 99 cents today at a number of VUNet USA sites, including MP3.com, Rollingstone.com, GetMusic.com and MP4.com. The 50,000 subscribers to the Emusic MP3 service also will be able to buy and download the tune. “This is a case of the music labels seeing if the honor system is going to work online,” said Steve Vonder Haar, an analyst with Interactive Media Strategies in Arlington, Texas. Because the track is an unencrypted MP3, it will be possible for listeners to burn the song onto CD and to transfer it to portable players. And, like CD tracks that easily can be converted to MP3 files, the song inevitably will find its way onto the numerous illicit file-sharing networks. “This is a bold step for Maverick Records and Meshell Ndegeocello,” said Derrick Oien, president of VUNet USA’s Music and Media Group, in a written statement. “They deserve recognition for giving digital music fans a simple way to collect and enjoy this previously-unreleased new song.” http://www.newsbytes.com/news/02/176747.html

top

CHEW ON THIS: TOOTH PHONE IMPLANTS (Cnet, 18 June 2002)—British engineers say they have invented a revolutionary tooth implant that works like a mobile phone and would not be out of place in a James Bond spy movie. The “tooth phone” consists of a tiny vibrator and a radio wave receiver implanted into a tooth during routine dental surgery. The phone was designed by James Auger and Jimmy Loizeau. The implant does not yet have its own microchip installed, but Auger says the technology is tried and tested, and a fully functional phone could be put together in no time at all. “With the current size of microchips, this is feasible. They are now small enough to implant in the tooth,” he said Tuesday. Sound, which comes into the tooth as a digital radio signal, is transferred to the inner ear by bone resonance, meaning information can be received anywhere and at any time--and nobody else can listen in. The invention raises the prospect