<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">

    <channel>
    
    <title>MIRLN</title>
    <link></link>
    <description></description>
    <dc:language>en</dc:language>
    <dc:creator>vpolley@knowconnect.com</dc:creator>
    <dc:rights>Copyright 2012</dc:rights>
    <dc:date>2012-01-20T18:45:00-07:00</dc:date>
    <admin:generatorAgent rdf:resource="http://expressionengine.com/" />
    

    <item>
      <title>MIRLN &#45;&#45;&#45; 1&#45;21 Jan 2012 (v15.01)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_1_21_jan_2012_v1501/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_1_21_jan_2012_v1501/#When:18:45:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 1&#45;21 Jan 2012 (v15.01) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   NEWS  | LOOKING BACK  | NOTES         Ruling by Justice Dept. Opens a Door on Online Gambling    Publishers vs. Libraries: An E&#45;Book Tug of War    Cyber Threat to Power Grid Puts Utility Investors at Risk    440,783 &#8220;Silent SMS&#8221; Used to Track German Suspects in 2010    ABA Identity Management Legal Task Force Posts First Draft    How the US Pressured Spain to Adopt Unpopular Web Blocking Law    Promoting Vetted News Content on Social Media (or, How Not to Give Your Lawyer a Heart Attack)    Feds Want Judge to Force Suspect to Give Up Laptop Password    Man Convicted of Murder Gets Retrial After Virus Eats Transcripts    FedRAMP Security Controls Unveiled    Who Owns Your Employee&#8217;s LinkedIn Connections at Your Law Firm?    Lockdown &#45; The Coming War On General&#45;Purpose Computing    Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm    ECJ Confirms IP Addresses are &#8220;Personal Data&#8221;    US Killer Spy Drone Controls Switch to Linux    Obama Administration Says Constitution Protects Cell Phone Recordings    FOIA Documents Reveal Homeland Security is Monitoring Political Dissent    E&#45;Mail After Work Hours? That&#8217;s Overtime, Says [Brazilian] Law    World Bank Assumes Control of Google Map Data    Legal Ethics to Go, Thanks to New Bar App    Authentication of Primary Legal Materials and Pricing Options    Thou Shalt Not Tweet To Strangers&#8230; and Other Foolishness from the Florida Bar    Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data        Ruling by Justice Dept. 
Opens a Door on Online Gambling   (NYT, 24 Dec 2011) &#45; The Justice Department has reversed its long&#45;held opposition to many forms of Internet gambling, removing a big legal obstacle for states that want to sanction online gambling to help fix their budget deficits. The legal opinion, issued by the department&#8217;s office of legal counsel in September but made public on Friday, came in response to requests by New York and Illinois to clarify whether the Wire Act of 1961, which prohibits wagering over telecommunications systems that cross state or national borders, prevented those states from using the Internet to sell lottery tickets to adults within their own borders. Although the opinion dealt specifically with lottery tickets, it opened the door for states to allow Internet poker and other forms of online betting that do not involve sports. Many states are interested in online gambling as a way to raise tax revenue.   top       Publishers vs. Libraries: An E&#45;Book Tug of War   (NYT, 24 Dec 2011) &#45; Last year, Christmas was the biggest single day for e&#45;book sales by HarperCollins. And indications are that this year&#8217;s Christmas Day total will be even higher, given the extremely strong sales of e&#45;readers like the Kindle and the Nook. Amazon announced on Dec. 15 that it had sold one million of its Kindles in each of the three previous weeks. But we can also guess that the number of visitors to the e&#45;book sections of public libraries&#8217; Web sites is about to set a record, too. And that is a source of great worry for publishers. In their eyes, borrowing an e&#45;book from a library has been too easy. 
Worried that people will click to borrow an e&#45;book from a library rather than click to buy it, almost all major publishers in the United States now block libraries&#8217; access to the e&#45;book form of either all of their titles or their most recently published ones. Borrowing a printed book from the library imposes an inconvenience upon its patrons. &#8220;You have to walk or drive to the library, then walk or drive back to return it,&#8221; says Maja Thomas, a senior vice president of the Hachette Book Group, in charge of its digital division. And print copies don&#8217;t last forever; eventually, the ones that are much in demand will have to be replaced. &#8220;Selling one copy that could be lent out an infinite number of times with no friction is not a sustainable business model for us,&#8221; Ms. Thomas says. Hachette stopped making its e&#45;books available to libraries in 2009. E&#45;lending is not without some friction. Software ensures that only one patron can read an e&#45;book copy at a time, and people who see a long waiting list for a certain title may decide to buy it instead. Explaining Simon &amp;amp; Schuster&#8217;s policy &#45; it has never made its e&#45;books available to libraries &#45; Elinor Hirschhorn, executive vice president and chief digital officer, says, &#8220;We&#8217;re concerned that authors and publishers are made whole by library e&#45;lending and that they aren&#8217;t losing sales that they might have made in another channel.&#8221;     top     Cyber Threat to Power Grid Puts Utility Investors at Risk   (Forbes, 27 Dec 2011) &#45; The electric&#45;utility industry&#8217;s concerns about cyber security have escalated sufficiently for several investor&#45;owned utilities to include cyber&#45;attacks as a material risk factor in recent filings with the U.S. Securities and Exchange Commission. 
In November, Consolidated Edison of New York, a large electric and gas utility serving customers in New York City and Westchester County, included cyber&#45;attacks as a risk factor that could affect investors in its quarterly report (10&#45;Q) for the first time. Con Edison&#8217;s 10&#45;Q stated:  &#8220;A Cyber Attack Could Adversely Affect the Companies. The Utilities and other operators of critical energy infrastructure may face a heightened risk of cyber attack. In the event of such an attack, the Utilities and the competitive energy businesses could have their operations disrupted, property damaged and customer information stolen; experience substantial loss of revenues, response costs and other financial loss; and be subject to increased regulation, litigation and damage to their reputation.&#8221;  Although Con Edison is not the first utility to disclose cyber&#45;security as a serious threat in SEC filings, it is perhaps the first to describe cyber&#45;attacks as a stand&#45;alone risk category. For example, Pepco Holdings, a large power and gas utility serving customers in Delaware, the District of Columbia, Maryland and New Jersey, includes cyber&#45;attacks in a broader, catch&#45;all disclosure about terrorism and other mega&#45;catastrophes.   top       440,783 &#8220;Silent SMS&#8221; Used to Track German Suspects in 2010   (F&#45;Secure, 29 Dec 2011) &#45; The 28th Chaos Communication Congress (28C3) is currently underway in Berlin and on Tuesday, researcher Karsten Nohl gave a presentation called: Defending mobile phones. If you have an hour, it&#8217;s worth watching. But one of the most interesting things, from our point of view, was Nohl&#8217;s brief reference to recent reports (Dec. 13th) about various German police authorities having used nearly half a million &#8220;Silent SMS&#8221; to track suspects in 2010. So we did a web search and found nothing about it in the English language press. 
However, Wikipedia&#8217;s SMS entry has (had) this:  &#8220;Silent messages, often called silent SMS, stealth SMS, or stealthy ping, will not show up on the display, neither is there an acoustical signal when they are received. However, at the mobile provider some data is created (for example, the subscriber identification IMSI). This kind of message is sent especially by the police to locate a person or to create a complete movement profile of a person. In Germany in the year 2010, nearly half a million &#8220;silent SMSs&#8221; were sent by the federal police, the customs, and the secret service &#8220;Office for Protection of the Constitution.&#8221;  So what exactly does this mean? Well, basically, various German law enforcement agencies have been &#8220;pinging&#8221; mobile phones. Such pings only reply whether or not the targeted resource is online or not, just like an IP network ping from a computer would. But then after making their pings, the agencies have been requesting network logs from mobile network operators. The logs don&#8217;t reveal information from the mobile phones themselves, but they can be used to locate the cell towers through which the pings traveled. And thus, can be used to track the mobile targeted.   top       ABA Identity Management Legal Task Force Posts First Draft   (SecureIDNews, 2 Jan 2012) &#45; The first draft of the American Bar Association Task Force Report tentatively titled &#8220;Solving the Legal Challenges of Online Identity Management&#8221; has been posted on the Task Force Web site for review and comment. It is set out in three parts, as three separate documents:   1. Part 1: Identity Management Fundamentals and Terminology   2. Part 2: Legal Regulation of, and Barriers to, Identity Management   3. Part 3: Structuring the Legal Framework for an Identity System   The three documents can be downloaded here. 
The documents are located on the right side of the page, immediately under the heading &#8220;Resources and Drafts.&#8221; The draft is still preliminary but is supposed to act as a starting point for discussion. The task force wants to move ahead quickly so input and suggested revisions are welcome, says Tom Smedinghoff, a partner at Edwards Wildman Palmer LLP and chairman of the group.   top       How the US Pressured Spain to Adopt Unpopular Web Blocking Law   (Ars Technica, 6 Jan 2012) &#45; Though a deeply divided Congress is currently considering Internet website censorship legislation, the US has no such official policy&#45;not even for child porn, which is voluntarily blocked by some ISPs. Nor does the US have a government&#45;backed &#8220;three strikes&#8221; or &#8220;graduated response&#8221; system of escalating warnings to particular users accused of downloading music and movies from file&#45;sharing networks. Yet here was the ultimatum that the US Embassy in Madrid gave the Spanish government in February 2008: adopt such measures or we will punish you. Thanks to WikiLeaks, we have the text of the diplomatic cable announcing the pressure tactics.  &#8220;We propose to tell the new government that Spain will appear on the Watch List if it does not do three things by October 2008. First, issue a [Government of Spain] announcement stating that Internet piracy is illegal, and that the copyright levy system does not compensate creators for copyrighted material acquired through peer&#45;to&#45;peer file sharing. Second, amend the 2006 &#8220;circular&#8221; that is widely interpreted in Spain as saying that peer&#45;to&#45;peer file sharing is legal. 
Third, announce that the GoS [Government of Spain] will adopt measures along the lines of the French and/or UK proposals aimed at curbing Internet piracy by the summer of 2009.&#8221;  See also EFF&#8217;s posting on this&#8212; https://www.eff.org/deeplinks/2012/01/spains&#45;ley&#45;sinde&#45;new&#45;revelations    top       Promoting Vetted News Content on Social Media (or, How Not to Give Your Lawyer a Heart Attack)   (CMLP, 5 Jan 2012) &#45; By now, it is a given that many journalists have a regular presence on social networking services. The value of social media for gathering information, developing the journalist&#8217;s public persona, and promoting the journalist&#8217;s work is well&#45;recognized. And although many news outlets have established guidelines and policies regarding behavior on social media, most outlets still permit journalists substantial discretion as to the tone and content of their tweets and posts. Special concerns arise, however, when you use social media to promote articles that have been vetted by your attorneys. To understand these concerns, it helps to understand more about what media lawyers are looking for when we perform prepublication review of an article. Although there are numerous issues that we might consider, media lawyers are primarily concerned with any statements in an article that might adversely affect the reputation of identifiable people or companies. Of course, a great deal of sound journalism can be damaging to reputation, including stories about political corruption, unfair business practices, or criminal activity. The lawyer&#8217;s concern is normally not whether such stories are newsworthy (that is up to you and your editor), but whether there is adequate factual support for the statements in your article. Thus, on the most basic level, our review involves identifying the individuals and companies at issue in an article and the factual support for statements about those people. 
We give particular attention to people who are not the main focus of the article, because it is sometimes the case that less time is given to researching facts about secondary parties. Errors about these side players in a story can also generate legal claims, and sometimes your lawyer might suggest cutting references in your article to secondary parties if it seems that the facts about those people are underdeveloped. On a deeper level, we are concerned with the overall context and gist of the article. Because defamation claims can arise not only from the explicit text of an article but also from reasonable inferences drawn from the text, we want to be sure that there are no inferences that an audience could draw from your article that you do not intend. To that end, we might suggest language changes or restructuring of the article to eliminate juxtapositions of fact and other contextual clues that make it appear that an article is suggesting more than it can actually support. Our goal in this process is risk management: We try to enable you to publish everything that you want to publish while moderating any risks involved.   top           Feds Want Judge to Force Suspect to Give Up Laptop Password   (Wired, 5 Jan 2012) &#45; Federal prosecutors want a judge to order a Colorado woman to provide the password to decrypt her laptop, which the government seized with a search warrant. With backup from digital rights groups, the woman is fighting the feds, arguing that being forced to provide her password violates the Fifth Amendment&#8217;s protection against forced self&#45;incrimination. Colorado U.S. District Judge Robert Blackburn is expected to rule any day on whether to force defendant Ramona Fricosu to decrypt her Toshiba Satellite M305, which authorities seized from her in 2010 with a court warrant while investigating financial fraud. 
The case is being closely watched by digital rights groups, as the issue has never been squarely weighed in on by federal courts, and the Supreme Court has never addressed the issue. But a factually similar dispute involving child pornography ended with a Vermont federal judge ordering the defendant to decrypt the hard drive of his laptop. While that case never reached the Supreme Court, it differed from the Fricosu matter because U.S. border agents already knew there was child porn on the computer because they saw it while the computer was running during a 2006 routine stop along the Canadian border. The Electronic Frontier Foundation&#8217;s Marcia Hoffman said (.pdf) in a court filing that the very act of requiring Fricosu to input her password into the laptop would be incriminating &#8220;because it might reveal she had control over the laptop and the data there.&#8221; Assistant U.S. Attorney Patricia Davies said (.pdf) there is no Fifth Amendment breach, and that it might &#8220;require significant resources and may harm the subject computer&#8221; if it tried to crack the encryption. [Editor: seems to me that there was some decent case&#45;law on this 15 years ago, arising in the context of former Oregon Senator Bob Packwood&#8217;s diary; my recollection is sketchy, but revolves around the argument that if you&#8217;ve NEVER written down the password, being forced to divulge it is testimonial action, protected by the 5th. OTOH, if you have written it down, being compelled to hand it over is not protected testimonial action.]   top           Man Convicted of Murder Gets Retrial After Virus Eats Transcripts     (The Register, 5 Jan 2012) &#45; A US man who had been convicted on a second&#45;degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings. Randy Chaviano, of Hialeah, Florida, was given a life sentence for the fatal shooting of Carlos Acosta after he was convicted by a Miami jury in July 2009. 
An appeal was lodged when it was discovered that only a partial record of the trial that led to Chaviano&#8217;s conviction could be found. In the circumstances the Third District Court of Appeal had no option but to strike the conviction and order a fresh trial. Court stenographers normally record proceedings on both paper and digital disk. But Terlesa Cowart, stenographer at Chaviano&#8217;s 2009 trial, forgot to bring enough rolls of paper and relied on digital recordings alone to chronicle proceedings. She transferred this data to her PC and erased it from the stenograph. Bad move. The PC subsequently became infected by an unidentified virus, causing the destruction of the records. No secure backup was taken, so the state will be put through the expense of a second trial that will cause, at the very least, inconvenience for witnesses and heartache for the victim&#8217;s family.   top       FedRAMP Security Controls Unveiled   (GovInfoSecurity, 9 Jan 2012) &#45; The federal government has issued some 170  controls   for FedRAMP, the program designed to vet  cloud computing   providers for federal government agencies. The security controls for the Federal Risk and Authorization Management Program, or FedRAMP, align with the National Institute of Standards and Technology  Special Publication 800&#45;53 Revision 3   for low and moderate impact systems. Cloud computing providers must implement these security controls in order for them to receive authorization to provide cloud services to federal agencies. Writing in a  blog   posted on the Federal Chief Information Officers Council website, Department of Homeland Security CIO Richard Spires said the security controls approved by the board create a baseline of controls to properly address the unique elements of authorizing cloud products and services, including multi&#45;tenancy, control of an infrastructure and shared resource pooling. 
&#8220;This baseline serves all federal agencies and [cloud service providers], to which additional controls may be added by agencies to meet specific requirements,&#8221; Spires said. Implementation of the FedRAMP security controls will be detailed in the several documents to be released before the initial operating capability of the program later this year. Those documents will align with the NIST  SP 800&#45;37   Risk Management Framework and include * * *. [Editor: see also &#8220;Questions to Ask of Cloud Vendors&#8221; by Mintz Levin on 19 Dec 2011 here:  http://www.privacyandsecuritymatters.com/2011/12/things&#45;to&#45;do&#45;in&#45;2012&#45;questions&#45;to&#45;ask&#45;of&#45;cloud&#45;vendors/?elq_mid=17029&amp;amp;elq_cid=996107#page=1  ]   top       Who Owns Your Employee&#8217;s LinkedIn Connections at Your Law Firm?   (Kevin O&#8217;Keefe, 10 Jan 2012) &#45; Last month I asked who owns the Twitter followers at your law firm? My question was precipitated by the Phonedog.com lawsuit in which an employer claims the employer owns the Twitter account started by an ex&#45;employee while still an employee. The Wall Street Journal&#8217;s Joe Palazzolo reports before we had an employer&#8217;s claim to Twitter followers, we had a company claiming the right to a fired employee&#8217;s LinkedIn account and the ex&#45;employee&#8217;s connections. Upon being sued by the ex&#45;employee to get her account back, the company filed a counterclaim alleging, among other things, that the connections were trade secrets. Philadelphia employment lawyer, Eric Meyer, summarized the company&#8217;s claim.  &#8220;The defendants claim that Dr. Eagle&#8217;s LinkedIn connections belong to them and that Dr. Eagle effectively stole those connections. The defendants also claim that Dr. Eagle now reaps the benefit of the time and effort that the defendants previously put into maintaining her LinkedIn account. 
(The new owners contend that former employees of Edcomm were required to utilize an Edcomm template when creating LinkedIn accounts, use an Edcomm email address, and permit Edcomm to monitor their Linkedin pages).&#8221;  [Editor: see also posting on InsideHigherEd&#8212;http://www.insidehighered.com/blogs/who&#45;owns&#45;twitter&#45;account ]   top           Lockdown &#45; The Coming War On General&#45;Purpose Computing   (Cory Doctorow, 11 Jan 2012) &#45; General&#45;purpose computers are astounding. They&#8217;re so astounding that our society still struggles to come to grips with them, what they&#8217;re for, how to accommodate them, and how to cope with them. This brings us back to something you might be sick of reading about: copyright. But bear with me, because this is about something more important. The shape of the copyright wars clues us into an upcoming fight over the destiny of the general&#45;purpose computer itself. In the beginning, we had packaged software and we had sneakernet. We had floppy disks in ziplock bags, in cardboard boxes, hung on pegs in shops, and sold like candy bars and magazines. They were eminently susceptible to duplication, were duplicated quickly, and widely, and this was to the great chagrin of people who made and sold software. Enter Digital Rights Management in its most primitive forms: let&#8217;s call it DRM 0.96. They introduced physical indicia which the software checked for&#45;deliberate damage, dongles, hidden sectors&#45;and challenge&#45;response protocols that required possession of large, unwieldy manuals that were difficult to copy. [Editor: 2007 Pioneer Award winner Cory Doctorow writes up his keynote presentation from the Chaos Communication Congress. Very interesting piece; it got a fair amount of coverage in the blogosphere.]   
top       Mass Ct: ZIP Code is Personal Identification Info Under Credit Card Statute But Plaintiff Must Still Allege Harm   (Eric Goldman&#8217;s blog, 10 Jan 2012) &#45; Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute which restricted the type of information a retailer could collect: &#8220;  California Supreme Court Rules That a ZIP Code is Personal Identification Information&#8212;Pineda v. Williams&#45;Sonoma  .&#8221; A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons. But having found that the retailer in this case technically violated the statute, the court dismisses the case on the basis that the plaintiff failed to allege a cognizable injury. The new case is Tyler v. Michaels Stores, Inc. , 2012 WL 32208 (D. Mass.; Jan. 6, 2012)   top       ECJ Confirms IP Addresses are &#8220;Personal Data&#8221;   (A&amp;amp;L Goodbody, 13 Jan 2012) &#45; As we reported recently, the CJEU held in Scarlet Extended SA (&quot;Scarlet&quot;) v Societe belge des auteurs, compositeurs et editeurs (&quot;SABAM&quot;), Case C&#45;70/10 that an order requiring a Belgian internet service provider to filter certain peer to peer files is not permissible under EU law. The CJEU found that any national measures to protect copyright must &#8220;strike a fair balance between the protection of copyright and the protection of the fundamental rights of individuals who are affected by such measures&#8221;. This case is also noteworthy for its landmark decision that internet protocol addresses constitute &#8220;protected personal data&#8221;. The CJEU held that the injunction sought, requiring installation of the contested filtering system, &#8220;would involve a systematic analysis of all content and the collection and identification of users&#8217; IP addresses from which unlawful content on the network is sent. 
Those addresses are protected personal data because they allow those users to be precisely identified.&#8221; This decision is particularly interesting as Charlton J., in EMI Records (Ireland) Limited v Eircom Limited [2010] IEHC 108, held that an IP address was not &#8220;personal data&#8221; under the Data Protection Act 1988&#45;2003, in circumstances where it was collected by a record company and provided to Eircom, in order for Eircom to deal with the owner of the IP address in accordance with the &#8216;three strikes&#8217; scheme. Charlton J. concluded that as the name and address of the owner of the IP address was unlikely to come into the possession of the record company, since it was a matter for Eircom to deal with the relevant person, the IP address in and of itself did not constitute &#8220;personal data&#8221; in the hands of the record company. Different positions have been adopted by the Member States on this issue, despite the Article 29 Working Party issuing an Opinion (Opinion 4/2007 on the concept of Personal Data) which states that it considers IP addresses as constituting &#8220;personal data&#8221;. The Working Party stated this was &#8220;especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by copyright holders in order to prosecute computer users for violation of intellectual property rights).&#8221; The CJEU&#8217;s clarification that IP addresses are &#8220;personal data&#8221; should ensure a more consistent interpretation is adopted across the EU in the future. Interestingly, the European Commission&#8217;s draft EU Data Protection Regulation, which has been leaked ahead of scheduled publication on Data Protection Day, 28 January 2012, also indicates that IP addresses constitute &#8220;personal data&#8221;.   
top           US Killer Spy Drone Controls Switch to Linux   (The Register, 12 Jan 2012) &#45; The control of US military spy drones appears to have shifted from Windows to Linux following an embarrassing malware infection. Ground control systems at Creech Air Force Base in Nevada, which commands the killer unmanned aircraft, became infected with a virus last September. In a statement at the time the Air Force dismissed the electronic nasty as a nuisance and said it posed no threat to the operation of Reaper drones, but the intrusion was nonetheless treated seriously. &#8220;The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the pilots to safely fly these aircraft remained secure throughout the incident,&#8221; it said. The discovery of the virus was nonetheless hugely embarrassing for the Air Force. The credential&#45;stealing malware, first reported by Wired, made its way from a portable hard drive onto ground systems, which control the drones&#8217; weapons and surveillance functions. Portable disks are used to load map updates and transfer mission videos from one computer to another, Defense News added.   top           Obama Administration Says Constitution Protects Cell Phone Recordings   (Ars Technica, 13 Jan 2012) &#45; The Obama administration has told a federal judge that Baltimore police officers violated the First, Fourth, and Fourteenth Amendments by seizing a man&#8217;s cell phone and deleting its contents. The deletions were allegedly in retaliation for the man&#8217;s use of the phone to record the officers&#8217; arrest of his friend. According to the Maryland ACLU, this is the first time the Obama Justice Department has weighed in on whether the Constitution protects citizens&#8217; right to record the actions of police with their cell phones. 
* * * The filing is the latest sign of an emerging consensus that the First Amendment protects the right to record the public conduct of government officials with a cell phone. Last week, the Boston PD was forced to admit its officers acted improperly when they arrested a man for recording an arrest, after the First Circuit Court of Appeals ruled against the city. And while Judge Richard Posner worried that a right to record the police will lead to excessive &#8220;snooping around,&#8221; his fellow judges on the Seventh Circuit seemed sympathetic to the ACLU&#8217;s argument that Illinois&#8217;s strict wiretapping statute violates citizens&#8217; First Amendment rights.   top       FOIA Documents Reveal Homeland Security is Monitoring Political Dissent   (EPIC, 13 Jan 2012) &#45; As the result of EPIC v. DHS, a Freedom of Information Act lawsuit, EPIC has obtained nearly three hundred pages of documents detailing a Department of Homeland Security surveillance program. The documents include contracts and statements of work with General Dynamics for 24/7 media and social network monitoring and periodic reports to DHS. The documents reveal that the agency is tracking media stories that &#8220;reflect adversely&#8221; on DHS or the U.S. government. One tracking report&#8212;&#8220;Residents Voice Opposition Over Possible Plan to Bring Guantanamo Detainees to Local Prison&#45;Standish MI&#8221;&#8212;summarizes dissent on blogs and social networking sites, quoting commenters. EPIC sent a request for these documents in April 2004 and filed suit against the agency in December. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring.   top           E&#45;Mail After Work Hours? That&#8217;s Overtime, Says [Brazilian] Law   (CNET, 14 Jan 2012) &#45; The liberty some seem to enjoy most is yours. 
As recessions hit and profit pressures become the sole reason for existence, bosses seem to believe that they own workers&#45;&#45;until they discard them for younger, fresher models. Now a curiously human law has reared its head in Brazil. According to the Associated Press, this law says that if a company e&#45;mails you after your allotted working hours, then this is the same as if one&#8217;s supervisor is giving one an instruction to perform a certain work task. Ergo, argue Brazilian labor lawyers, if a worker receives such an e&#45;mail and has to act on it, he or she qualifies for overtime pay.   top           World Bank Assumes Control of Google Map Data   (ReadWriteWeb, 16 Jan 2012) &#45; Google announced a partnership with the World Bank today to make Google Map Maker data more accessible to government organizations in disaster scenarios. Google Map Maker is the tool for crowd&#45;sourcing the editing and maintenance of Google&#8217;s world map. Its user&#45;generated data include locations of hospitals, schools, settlements, water sources and minor roads. Access to these data will help governments, NGOs, researchers and individuals plan without waiting for the changes to be approved and added to the official maps. World Bank partner organizations, such as government and U.N. agencies, can contact World Bank offices to request access to the data. Kenya, South Sudan, Tanzania, Sierra Leone, Ghana, Zambia, Nigeria, Democratic Republic of Congo, Moldova, Mozambique, Nepal and Haiti will pilot the project. This partnership could improve response time and effectiveness in crises in underserved areas of the world. It&#8217;s just a shame that Google has decided to compete with Ushahidi and other open&#45;source efforts to solve this problem. Access to Google Map Maker data is privileged, and Google has chosen the mother of all elite gatekeepers, the World Bank, to facilitate this program.   
top       Legal Ethics to Go, Thanks to New Bar App   (Robert Ambrogi, 16 Jan 2012) &#45; A new mobile app introduced this week by the New York State Bar Association lets lawyers search and access ethics opinions from their mobile phones. The NYSBA Mobile Ethics App includes the state bar&#8217;s catalog of more than 900 legal ethics opinions, dating back to 1964. The app allows users to search for an opinion by keyword, retrieve it by opinion number, or browse a list of categories such as &#8220;attorney advertising,&#8221; &#8220;concurrent representation&#8221; and &#8220;non&#45;refundable retainer.&#8221; Results show both a digest of the opinion and its full text. It can notify you when new opinions are added.   top       Authentication of Primary Legal Materials and Pricing Options   (BeSpacific, 17 Jan 2012) &#45; &#8220;The recent passage of the Uniform Electronic Legal Material Act (UELMA) has brought to the forefront the issue of costs of authenticating primary legal materials in electronic format. This white paper briefly reviews five methods of electronic authentication. These methods are based on trustworthiness, file types, effort to implement, and volume of electronic documents to be authenticated. Six sample solutions are described and their relative costs are compared. The white paper also frames the legal landscape and background of authentication for primary legal materials in electronic format, and provides context and points to applicable resources. The aim of this collective effort is to promote the understanding of costs related to authentication and invite further discussion on the issue...It is not intended to offer legal advice. 
Please consult an attorney for assistance with specific concerns or advice.&#8221;   top           Thou Shalt Not Tweet To Strangers&#8230; and Other Foolishness from the Florida Bar   (Kevin O&#8217;Keefe, 18 Jan 2012) &#45; &#8220;The Standing Committee on Advertising [of the Florida Bar Association] has reviewed the networking media, and issues the  following guidelines   for lawyers using them.&#8221; Whew, I was wondering when someone would get around to reviewing all of the social media and social networking sites on the Internet as well as review all the various methods of engagement and interaction that come with them. A lot of lawyers like me were out here in the wilderness of social networking and social media relying solely on our common sense, good judgment, and existing ethics guidelines for guidance on how to ethically use the Internet today. What a foolhardy approach. Now we have the all knowing wise men and women of the Florida Bar&#8217;s &#8216;Standing Committee on Advertising&#8217; commanding as of January 10, 2012, that:  &#8220;Invitations sent directly from a social media site via instant messaging to a third party to view or link to the lawyer&#8217;s page on an unsolicited basis are solicitations in violation of Rule 4&#45;7.4(a), unless the recipient is the lawyer&#8217;s current client, former client, relative, or is another lawyer.&#8221;  And commanding:  &#8220;Pages of individual lawyers on social networking sites that are used solely for social purposes to maintain social contact with family and close friends [presumably Facebook], are not subject to the lawyer advertising rules.&#8221;    top           Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data   (Eric Goldman, 18 Jan 2012) &#45; Ceridian is a payroll processing firm. Reilly and Pluemacher were employees of a law firm that was a Ceridian customer. 
In December 2009, Ceridian suffered a &#8220;security breach.&#8221; A hacker infiltrated Ceridian&#8217;s system and gained access to information belonging to 27,000 employees at 1,900 companies. After investigating, Ceridian sent a letter to the affected individuals, letting them know that their personal information, including &#8220;first name, last name, social security number and, in several cases, birth date and/or bank account&#8221; information was accessed. Ceridian provided the affected individuals one year of free credit monitoring and identity theft protection. (It&#8217;s unclear as to whether plaintiffs took advantage of this, but they alleged that they spent money for monitoring efforts.) The Third Circuit focuses on the issue of whether plaintiffs have standing. The court canvasses the precedent and says most courts addressing standing for data breach plaintiffs have concluded that plaintiffs lack standing because the harm is too speculative. The court agrees:  &#8220;Here, no evidence suggests that the data has been&#45;&#45;or will ever be&#45;&#45;misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury.&#8221;    top           LOOKING BACK   UCITA CHANGES FAIL TO APPEASE (Computerworld, 7 Jan.2002)&#8212;The drafters of the controversial UCITA software licensing law have done an about&#45;face on some of its key provisions, including recommending a ban on remote system shut&#45;offs by software vendors. But the changes don&#8217;t appear to go far enough to win support from businesses fighting state&#45;by&#45;state adoption of the measure. &#8220;These changes are not meaningful. They are more window dressing than real substance,&#8221; said Elaine McDonald, an attorney at Principal Financial Group in Des Moines, Iowa, which is a member of a broad coalition of businesses and groups opposing the measure. 
The Uniform Computer Information Transactions Act has been under attack by library and consumer groups and by companies, including giants such as The Boeing Co. in Chicago and Caterpillar Inc. in Peoria, Ill., all of which maintain that the law gives too much power to vendors. Opponents blocked UCITA in every state where it was introduced last year. Facing the possibility that UCITA could die, its drafting committee met last month and adopted a series of amendments intended to win support. In particular, the committee reversed course on the so&#45;called self&#45;help provision, which would have allowed vendors to remotely turn off systems in a contract dispute without court intervention. Vendors would now have to go to court when such disputes arise. &#8220;I do know that some of the changes that are being proposed will result in satisfying the concerns of some,&#8221; said Carlyle Ring Jr., chairman of the UCITA drafting committee of the National Conference of Commissioners on Uniform State Laws, a Chicago&#45;based organization that spearheads commercial law adoption in the U.S. &#8220;Others are not going to be as satisfied,&#8221; he said. UCITA provides a framework for licensing contracts that lack certain specific provisions. Opponents say UCITA&#8217;s default provisions grant several questionable rights to software publishers.  http://www.computerworld.com/s/article/67149/UCITA_Changes_Fail_to_Appease    top    MORTGAGE VENDOR WILL ALLOW ELECTRONIC SIGNATURES ON MORTGAGE APPLICATIONS (CNN, 22 Jan. 2002)&#8212;Mortgage vendor Quicken Loans Inc. is deploying what may be the first electronic signature network for high&#45;value business&#45;to&#45;consumer transactions. Starting this spring, the company will let loan seekers use electronic signatures to complete and submit mortgage applications immediately after being preapproved online, without requiring the usual paperwork and ink signatures. 
Unlike emerging efforts to implement electronic signatures in other consumer settings, Quicken&#8217;s loan process won&#8217;t require consumers to use private keys, download digital certificates or use specialized signing software to authenticate themselves. Instead, the company will combine information provided by the consumer during the loan application process with a unique user name and information such as details of an auto loan to authenticate users. Quicken&#8217;s effort shows that some corporations may finally be working through the technical, regulatory and legal concerns related to the use of electronic signatures in high&#45;value consumer transactions, said Avivah Litan, an analyst at Stamford, Connecticut&#45;based Gartner Inc. &#8220;As far as I know, Quicken Loans is the first application to implement e&#45;signatures in high&#45;value B2C transactions,&#8221; she said.  http://www.cnn.com/2002/TECH/ptech/01/22/quicken.loans.idg/index.html    top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2012-01-20T18:45:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 4&#45;31 December (v14.17)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_4_31_december_v1417/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_4_31_december_v1417/#When:16:35:01Z</guid>
      <description>MIRLN &#45;&#45;&#45; 4&#45;31 December (v14.17) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   NEWS  | PODCASTS  | RESOURCES  | BOOKS  | DIFFERENT  | LOOKING BACK  | NOTES         New EU Directive on Consumer Rights Affects Website Terms    iCloud to the Rescue?    Red Cross Wants Real Life Laws Enforced Within Virtual Worlds    The Trespass Tort Versus the CFAA: A Response to the Oracle Amicus Brief in Nosal    Cut&#45;and&#45;Paste Reveals Redacted Info on Apple Smartphone Market in Federal Judge&#8217;s Opinion    Oregon Judge Rules Bloggers Aren&#8217;t Journalists    Does a Naked Retweet Carry an Endorsement by a Lawyer or Law Firm?    DARPA Unshredding Contest    Feds Launch Cloud Security Standards Program    Privacy Fades in Facebook Era    Law Firms and Social Media: A Match Not Yet Made in Heaven   Are You Following Your Clients On Twitter?    LexisNexis and Vizibility Release Research Results on the Use of Social Media Within Law Firms     Some Facts About Carrier IQ    YouTube for Schools and Lecture Capture   M.I.T. Expands Its Free Online Courses    UK Judge Sanctions Live&#45;Tweeting for Reporters   Is It Enough to Tell Jurors Not to Tweet?    Court Denies Motion to Provide Access to Social Networking Sites in Civil Discovery    Judge Dismisses Twitter Stalking Case    It&#8217;s Official: The LAPD Ain&#8217;t Going to Google    Breach Response: The Legal View    PATRIOT Act Continues To Harm US Businesses: BAE Refuses To Use MS Cloud Over PATRIOT Act Fears    The Online Media Legal Network Celebrates its Second Birthday!    Metropolitan Museum Provides a Trove of Images for Google Goggles    Don&#8217;t Break the Internet    Do Individuals Have &#8220;A Right To Be Forgotten&#8221;?    
NewtGingrich.com, Occupied    The PeaceTones Legal Empowerment Project    Volkswagen Agrees to Curb Company E&#45;Mail in Off Hours            New EU Directive on Consumer Rights Affects Website Terms   (IT Law Group, 8 Nov 2011) &#45; In late October 2011, the European Council of Ministers formally adopted the new EU Consumer Rights Directive. The new Directive will drastically affect the rules that apply to online shopping. Numerous provisions will also apply to both the online and the offline markets. The Directive is intended to protect &#8220;consumers,&#8221; i.e., all natural persons who are acting for purposes that are outside their trade, business, craft, or profession. It creates new obligations for &#8220;traders,&#8221; a broad term that encompasses all categories of persons who sell products or services. The Directive defines the term &#8220;trader&#8221; as any natural or legal person who is acting, directly or indirectly, for purposes relating to his/its trade, business, craft or profession in relation to contracts covered by the Directive. These contracts include: sales contracts, service contracts, distance contracts, off&#45;premises contracts, and public auction contracts that are concluded between a trader and a consumer. US companies that operate websites that sell to European customers, as well as their affiliates who make direct sales to EU consumers, must start evaluating the numerous consequences that the implementation of the Directive on Consumer Rights will have on their operations. The consequences include: * * *   top       iCloud to the Rescue?   (Digital Samurai, 11 Nov 2011) &#45; We doubt it, but let&#8217;s slow down and stop drinking the Apple Kool&#45;Aid. There are some very interesting items in the T&amp;C (Terms &amp; Conditions) that most people don&#8217;t even read. The tendency is to click, click, click just to get to the end quickly. 
The T&amp;C for iCloud is around 12&#45;13 pages long, depending on the device used to view it. So let&#8217;s dive right into some of the &#8220;features&#8221; presented in the T&amp;C and what they may mean. First, you are required to have a compatible device, duh? It also states that &#8220;&#8230;certain software (fees may apply)&#8230;&#8221; whatever that means. There are a lot of words about the location&#45;based services and what Apple and its partners can do with the collected data. Make sure you understand the cloud collects GPS location, crowd&#45;sourced Wi&#45;Fi information, device ID, Apple ID, etc. That sounds like enough information to be personally identifiable to us. There are no words on how long they store the data, if at all, but we&#8217;re pretty sure they don&#8217;t throw it away after processing. You can opt out of the collection by not using any location&#45;based services, which we doubt many will do. Apple doesn&#8217;t take any responsibility for the integrity of any content stored in iCloud. In other words, you are on your own so don&#8217;t assume that you can actually use any of the data that you may transmit to iCloud. There&#8217;s a whole sentence in capital letters that states &#8220;&#8230;Apple does not guarantee or warrant that any content you may store or access through the service will not be subject to inadvertent damage, corruption, loss, or removal in accordance&#8230;&#8221; Geez, you call that a backup solution? Apparently not, since a few pages later they say &#8220;You are responsible for backing up, to your own computer or other device, any important documents, images or other Content that you store or access via the Service.&#8221; One of the more disturbing provisions states that Apple will give your data to any law enforcement authority, government official or third party if they feel it appropriate, necessary or legally required. 
That&#8217;s pretty scary and there is nothing that says Apple will even give you notice that they are giving over your data. Apparently your data is not encrypted in iCloud or Apple has the decryption keys, which still means unintended parties can see your data. This means that iCloud is NOT an acceptable service for attorneys that keep client information on their iDevices.   top           Red Cross Wants Real Life Laws Enforced Within Virtual Worlds   (TechDirt, 5 Dec 2011) &#45; Kotaku has published an article in which the International Committee of the Red Cross proposes that real life laws such as the  Geneva and Hague Conventions should be enforced within video games   . Before you get too riled up, they are not proposing that video game players be locked up and punished for war crimes for actions performed within the game, but are rather proposing that game designers program those conventions into the games: &#8220;  In computer and video games, violence is often shown and the players become &#8216;virtually violent&#8217;. However, such games are not zones free of rules and ethics. It would be highly appreciated if games reproducing armed conflicts were to include the rules which apply to real armed conflicts. These rules and values are given by international humanitarian law and human rights law. They limit excessive violence and protect the human dignity of members of particularly vulnerable groups.  &#8220; These types of arguments are very similar to the arguments made by those who have requested laws regulating violence in video games in the past. Those people argued that the lack of consequences in the game would influence player behavior in real life. We know that the US Supreme Court rejected those arguments as the science behind them was not sound. But we all know that pesky court rulings never get in the way of those who want to control human behavior. 
The Red Cross is looking to have game developers voluntarily include these laws within the game world, noting that some developers already take the time to do it. If that fails, it has no qualms about getting the government involved:  &#8220;One possible course of action could be to encourage game designers/producers to incorporate IHL in the development and design of video games, while another could be to encourage governments to adopt laws and regulations to regulate this ever&#45;growing industry.&#8221;    top       The Trespass Tort Versus the CFAA: A Response to the Oracle Amicus Brief in Nosal   (Volokh Conspiracy, 5 Dec 2011) &#45; In a recently&#45;filed amicus brief submitted by Oracle America Inc. before the en banc Ninth Circuit in United States v. Nosal, the important Computer Fraud and Abuse Act case I have blogged a lot about, Oracle makes the following argument about interpreting &#8220;access&#8221; and &#8220;authorization&#8221; in the context of the CFAA. The CFAA&#8217;s prohibition on exceeding authorized access and access without authorization is modeled on trespass principles, the brief reasons, so the scope of the CFAA should be interpreted by reference to the trespass principles articulated in the Restatement (Second) of Torts. According to the Oracle brief, this means that (a) computer owners can condition access to their computers using express restrictions like Terms of Service, but (b) express restrictions are only enforceable in some circumstances. The brief summarizes when express restrictions can be enforced under the tort of trespass. [Editor: interesting argument, well&#45;presented.]   top            Cut&#45;and&#45;Paste Reveals Redacted Info on Apple Smartphone Market in Federal Judge&#8217;s Opinion   (ABA Journal, 6 Dec 2011) &#45; A federal judge&#8217;s opinion in  Apple&#8217;s patent infringement suit  against Samsung Electronics was formatted in a way that exposed redacted information. 
The mistaken revelation in the opinion issued Friday by U.S. District Judge Lucy Koh discussed Apple studies showing its customers are unlikely to switch to Samsung&#8217;s Android devices, Reuters  reports. The redacted portions also included some details on Apple&#8217;s licensing deals with Nokia and IBM. The redacted material was revealed when the opinion, released in PDF format, was cut and pasted into another document. According to Reuters, the redactions reveal courts&#8217; predilection to seal materials in intellectual property cases. The story quotes Emory law professor Timothy Holbrook, who said he didn&#8217;t see any apparent trade secrets in the redactions. &#8220;Most of it just seems like it was sealed out of an abundance of caution,&#8221; he said. Koh&#8217;s opinion denied Apple&#8217;s request for a preliminary injunction in its suit claiming Samsung&#8217;s Galaxy products infringe patents for the iPhone and iPad. The opinion revealing the information was sealed and a new version was posted about four hours later.   top            Oregon Judge Rules Bloggers Aren&#8217;t Journalists   (CNET, 7 Dec 2011) &#45; A U.S. District Court judge in Portland, Ore., ruled that a blogger who wrote about an investment firm that subsequently accused her of defamation must pay the company $2.5 million because she&#8217;s a blogger who doesn&#8217;t legally qualify as a journalist. Crystal Cox, whose blogs are a mixture of fact, opinion, and commentary, wrote several posts that were critical of Obsidian Finance Group and its co&#45;founder, Kevin Padrick. In one blog post , Cox accused Padrick of fraud while serving as trustee in a real estate bankruptcy case. The firm considered the posts defamatory and filed a $10 million lawsuit (PDF)  against Cox in January. The blog the court focused on during the case was more factual in tone, suggesting she had an inside source who was leaking her information. 
Obsidian demanded she reveal the source of her information to prove its veracity. Cox, who acted as her own attorney in the case, refused to reveal her source, arguing that she was afforded the same protections as journalists under Oregon&#8217;s Shield Law.   top            Does a Naked Retweet Carry an Endorsement by a Lawyer or Law Firm?   (Kevin O&#8217;Keefe, 7 Dec 2011) &#45; Does a retweet mean an endorsement of something that was tweeted by someone else or a simple &#8220;check this out?&#8221; That&#8217;s a question journalists are trying to answer that also applies to some law firms. Last month the Associated Press released modified guidelines for social media  (pdf), including a specific section on retweeting. [Editor: Interesting exploration of the issues.]   top           DARPA Unshredding Contest   (Bruce Schneier, 8 Dec 2011) &#45; DARPA held an unshredding contest, and there&#8217;s a winner : &#8220;Lots of experts were skeptical that a solution could be produced at all let alone within the short time frame,&#8221; said Dan Kaufman, director, DARPA Information Innovation Office. &#8220;The most effective approaches were not purely computational or crowd&#45;sourced, but used a combination blended with some clever detective work. We are impressed by the ingenuity this type of competition elicits.&#8221;   top        Feds Launch Cloud Security Standards Program   (Computerworld, 8 Dec 2011) &#45; Federal agencies will soon have a government&#45;wide security standard for assessing, authorizing and monitoring cloud products and services. Federal CIO Steven VanRoekel Thursday unveiled the Federal Risk and Authorization Management Program (FedRAMP), which establishes a set of baseline security and privacy standards that all cloud service providers will need to meet in order to sell their products to government agencies. 
The program requires that all federal agencies use only FedRAMP&#45;certified cloud services and technologies for public clouds, private clouds, hybrid clouds and community clouds. The program also covers all cloud service models, including Software as a Service (SaaS) and Platform as a Service (PaaS). FedRAMP will also provide federal agencies with standard procurement language to use in requests for proposals from cloud service vendors. A Joint Authorization Board, comprising security experts from the Department of Homeland Security (DHS), General Services Administration (GSA) and the Department of Defense, will be responsible for updating the FedRAMP security requirements on an ongoing basis. A group of third&#45;party assessors hired from the private sector will be responsible for independently assessing cloud service providers and certifying their compliance with the standards. The Federal CIO council, a group of government IT executives that set federal IT management practices, will publish an initial set of baseline security and privacy controls for cloud providers within 30 days, VanRoekel said in a White House Office of Management and Budget memorandum ( download pdf ) sent on Thursday to federal agency CIOs. [Europeans considering cloud services may find the ENISA (the European Network and Information Security Agency) guide to &#8220;Cloud Computing Risk Assessment&#8221; useful:    http://www.enisa.europa.eu/act/rm/files/deliverables/cloud&#45;computing&#45;risk&#45;assessment  ]   top       Privacy Fades in Facebook Era   (NYT, 11 Dec 2011) &#45; As much as it pains me to say this: privacy is on its deathbed. I came to this sad realization recently when a stranger began leaving comments on photos I had uploaded to Instagram, the iPhone photo&#45;sharing app. After several comments &#45; all of which were nice &#45; I began wondering who this person was. Now the catch here is that she had used only a first name on her Instagram profile. 
You would think a first name online is enough to conceal your identity. Trust me, it&#8217;s not. So I set out, innocently and curiously, to figure who she was. I knew this person lived in San Francisco, from her own photos. At first I tried Google, but a first name and city were not enough to narrow it down. Then I went to her photos and looked for people whom she had responded to in the comments. Eventually I found a conversation with someone clearly her friend. I easily found that person&#8217;s full name, went to the person&#8217;s Facebook friend list and searched for my commenter&#8217;s first name. There it was: a full name. With that, I searched Google and before I knew it, I had this person&#8217;s phone number, home address and place of employment. Creepy, right? I even had a link to a running app that she uses that showed the path of her morning run. This took all of 10 minutes. &#8220;We used to have privacy through obscurity online, so even if people had that information out there, the steps that it would take to aggregate it all were too great,&#8221; said Elizabeth Stark, a lecturer in law at Stanford who teaches about privacy on the Internet. &#8220;Previously you could have searched every photo on the Internet for a photo of Nick Bilton until you eventually found one, but that would take a lifetime. Now, facial recognition software can return more images about someone instantly.&#8221; [Editor: try it &#45; go to http://images.google.com/  and click on the camera icon in the search bar to search&#45;by&#45;image. It worked for one of my own images. There are similar services &#45; e.g. www.tineye.com ]   top           Law Firms and Social Media: A Match Not Yet Made in Heaven   (WJS, 12 Dec 2011) &#45; While a number of global law firms have dipped their toes in the social media pool, relatively few have taken the plunge into genuine interactivity, according to an audit released today by LexisNexis Martindale&#45;Hubbell. 
The company looked at how 110 global law firms used LinkedIn, Twitter, YouTube and other social media from April to mid&#45;May of 2011. The upshot? &#8220;It&#8217;s just getting going,&#8221; said Bryn Hughes, the company&#8217;s marketing and communications manager in international markets. &#8220;For the legal sector, I think they are slow to adapt to new technology.&#8221; Firms appear interested in using social media as a marketing platform, particularly outfits based in places with excellent internet penetration: New York, Canada, the United Kingdom and Western Europe. Still, most of those surveyed use social networks as one&#45;way channels to distribute company news, and few embraced blogging and YouTube or integrated social media widgets into firm web sites, the audit found. Hughes said that lawyers he had spoken with seem interested in using social media, but remained cautious about liability, client confidentiality and the potential embarrassment of posting erroneous statements online. Here&#8217;s the snapshot of the findings:    77% of firms surveyed had profiles on LinkedIn   31% used Twitter   29% used Facebook   10.9% used YouTube   8% had official firm blogs   7% used social media widgets to integrate firm web sites   top        &#45; and &#45;      Are You Following Your Clients On Twitter?   (Kevin O&#8217;Keefe, 20 Dec 2011) &#45; Good attorneys and law firms are always looking for ways to stay in touch with their clients. Weeks can go by without meeting a client on an active matter. Months or a year can go by without talking to a client for which you have no matters pending. How do you stay in touch? Many law firms send out newsletters and alerts, arguably to share helpful information, with the intent to keep &#8216;mind share.&#8217; That&#8217;s a one&#45;way broadcast style of communicating. You&#8217;re not engaging the client, listening to the client, nor meeting them on their turf. 
An easy way to stay in touch with clients is to follow them on Twitter. It&#8217;s becoming more and more common that people have Twitter accounts, whether business leaders or consumers. Look up your clients on Twitter. Look in their LinkedIn profile for their Twitter handle. Start following your clients.   top        &#45; and &#45;           LexisNexis and Vizibility Release Research Results on the Use of Social Media Within Law Firms   (PR Newswire, 21 Dec 2011) &#45; Vizibility Inc. and LexisNexis announced today the results of a survey conducted to shed light on the use of social media in legal services marketing. To illustrate the findings, the results have been released as an infographic . The research suggests a high degree of reliance on broadly defined social media marketing programs, with 81% of survey participants reporting they already use social media marketing tools and another 10.1% saying they plan to deploy social media marketing elements within six months. Furthermore, reliance on social media tools and how they&#8217;re measured differ significantly by firm size. The survey found that a clear majority of participants consider social media an important part of their overall marketing strategy, with nearly half (48.5%) reporting that social media is &#8220;somewhat important&#8221; while another 31% believe the tools are &#8220;extremely important&#8221; to their total marketing efforts. A minority, 5% of responding firms, report not using social media. &#8220;You have to measure the results from social media to justify it. Our new data reveals a split between small and large firms in social media marketing objectives,&#8221; noted Lawyers.com(SM) Editor in Chief and LawMarketing Blog author Larry Bodine. &#8220;For example, among small firms, almost 71% of participants in practices with five or fewer attorneys said that they rely on social media marketing to generate new business. 
In contrast, among respondents from big firms with 100 or more attorneys, only 37% measure social media success this way. Large firms better get smart about social media if they expect it to produce new work.&#8221;   top       Some Facts About Carrier IQ   (EFF, 13 Dec 2011) &#45; There has been a rolling scandal about the Carrier IQ software installed by cell phone companies on 150 million phones, mostly within the United States. Subjects of outright disagreement have included the nature of the program, what information it actually collects, and under what circumstances. This post will attempt to explain Carrier IQ&#8217;s architecture, and why apparently conflicting statements about it are in some instances simultaneously correct. The information in this post has been synthesised from sources including Trevor Eckhart, Ashkan Soltani, Dan Rosenberg, and Carrier IQ itself.   top           YouTube for Schools and Lecture Capture   (InsideHigherEd, 13 Dec 2011) &#45; YouTube announced YouTube for Schools  today, a variant of YouTube designed to be more education friendly. This site seems primarily aimed at the primary and secondary market, although higher ed may find some things to like. If a school signs up for the service it can upload videos that are then displayed without any non&#45;educational videos (or commenting). The YouTube University  site has playlists for arts, business, education, engineering, history, humanities, languages, law, mathematics, medicine, science and social sciences.   top    &#45; and &#45;      M.I.T. Expands Its Free Online Courses   (NYT, 19 Dec 2011) &#45; While students at the Massachusetts Institute of Technology pay thousands of dollars for courses, the university will announce a new program on Monday allowing anyone anywhere to take M.I.T. courses online free of charge &#45; and for the first time earn official certificates for demonstrating mastery of the subjects taught. 
&#8220;There are many people who would love to augment their education by having access to M.I.T. content, people who are very capable to earn a certificate from M.I.T.,&#8221; said L. Rafael Reif, the provost, in a conference call with reporters Friday. M.I.T. led the way to an era of online learning 10 years ago by posting course materials from almost all its classes. Its free OpenCourseWare  now includes nearly 2,100 courses and has been used by more than 100 million people. But the new &#8220;M.I.T.x&#8221; interactive online learning platform will go further, giving students access to online laboratories, self&#45;assessments and student&#45;to&#45;student discussions. Mr. Reif and Anant Agarwal, director of the Computer Science and Artificial Intelligence Lab, said M.I.T.x would start this spring &#45; perhaps with just one course &#45; but would expand to include many more courses, as OpenCourseWare has done. &#8220;The technologies available are much more advanced than when we started OpenCourseWare,&#8221; Mr. Agarwal said. &#8220;We can provide pedagogical tools to self&#45;assess, self&#45;pace or create an online learning community.&#8221; The M.I.T.x classes, he said, will have online discussions and forums where students can ask questions and, often, have them answered by others in the class. M.I.T. said its new learning platform should eventually host a virtual community of learners around the world &#45; and enhance the education of M.I.T.&#8217;s on&#45;campus students, with online tools that enrich their classroom and laboratory experiences. The development of the new platform will be accompanied by an M.I.T.&#45;wide research initiative on online teaching and learning, including grading by computer. And because the M.I.T.x platform will be available free to people around the world, M.I.T. officials said they expected that other universities would also use it to offer their own free online courses.   
top           UK Judge Sanctions Live&#45;Tweeting for Reporters   (Mashable, 14 Dec 2011) &#45; A high&#45;ranking UK judge has issued official guidelines that allow journalists to live&#45;tweet public court proceedings in England and Wales without seeking permission. The practice guidance  allows journalists to issue live, text&#45;based communications on mobile phones and other Internet&#45;connected devices, including emails, tweets and Facebook status updates. Reporters won&#8217;t be able to share Twitpics or sound bites over the social web, however; photography and sound recording on these (and other) devices still needs court approval. These new sanctions do not extend to the public. Public attendees will still need to seek permission to use their mobile devices for text&#45;based communications &#45; and any other purpose &#45; during court sessions.   top        &#45; and &#45;          Is It Enough to Tell Jurors Not to Tweet?   (CMLP, 19 Dec 2011) &#45; The Arkansas Supreme Court has reversed a murder conviction &#45; and death sentence &#45; in a case where one juror tweeted during trial, while another fell asleep. Both these problems, the court said, constituted juror misconduct requiring reversal and a new trial. Erickson Dimas&#45;Martinez v. State , 2011 Ark. 515 (Dec. 8, 2011). The Supreme Court was particularly concerned about one of the juror&#8217;s tweets, &#8220;Its over,&#8221; sent 50 minutes before the jury informed the court that it had agreed on a sentence. 
As a result of this tweet, the court said, followers of the juror&#8217;s Twitter feed &#45; including, the court said, at least one journalist (with the online magazine Ozarks Unbound ) &#45; &#8220;had advance notice that the jury had completed its sentencing deliberations before an official announcement was made to the court.&#8221; Dimas&#45;Martinez&#8217;s lawyers also pointed out that the tweeting juror tweeted during trial despite continued admonitions to the jury throughout the trial warning them not to do so, and that he continued tweeting after the trial judge specifically told him to stop after defense lawyers discovered an earlier tweet. (That one said, &#8220;Choices to be made. Hearts to be broken. We each define the great line.&quot;) The case raises the question of whether  admonishing jurors to not use the Internet and social media  is effective. The Arkansas Supreme Court expressed its clear concern, and suggested that measures more drastic than admonitions may need to be taken:  &#8220;[W]e take this opportunity to recognize the wide array of possible juror misconduct that might result when jurors have unrestricted access to their mobile phones during a trial. Most mobile phones now allow instant access to a myriad of information. Not only can jurors access Facebook, Twitter, or other social media sites, but they can also access news sites that might have information about a case. There is also the possibility that a juror could conduct research about many aspects of a case. Thus, we refer to the Supreme Court Committee on Criminal Practice and the Supreme Court Committee on Civil Practice for consideration of the question of whether jurors&#8217; access to mobile phones should be limited during a trial.&#8221;  It is worth noting that while the jurors in this murder trial were told not to tweet about the trial, it does not appear, based on the admonitions repeated in the Arkansas Supreme Court&#8217;s decision, that they were told  why.    
top            Court Denies Motion to Provide Access to Social Networking Sites in Civil Discovery   (Volokh Conspiracy, 14 Dec 2011) &#45; The decision by the Pennsylvania Court of Common Pleas is Arcq v. Fields  (Dec. 8), and it distinguishes Largent v. Reed  (blogged about recently  here  ) on the ground that the party seeking discovery lacked a sufficient good&#45;faith basis for requesting access to the private portion of the other side&#8217;s social networking accounts. In Largent, and in other cases, the party seeking discovery saw the public portion of her adversary&#8217;s Facebook account, and therefore had a basis to conclude that there may be relevant information in the private portions of the account. In Arcq, by contrast, the party seeking discovery made a blanket request for access to all of the other side&#8217;s social networking accounts, and yet didn&#8217;t know if his adversary even had any such accounts. The court in Arcq concludes that because the moving party did not first see the public portion of his adversary&#8217;s site, he lacks a good&#45;faith basis to believe that there is relevant evidence in the private portions and therefore the motion to access the social networking sites is denied.   top       Judge Dismisses Twitter Stalking Case   (NYT, 15 Dec 2011) &#45; In a case with potentially far&#45;reaching consequences for freedom of expression on the Internet, a federal judge on Thursday dismissed a criminal case against a man accused of stalking a religious leader on Twitter, saying that the Constitution protects &#8220;uncomfortable&#8221; speech on such bulletin&#45;boardlike sites. The government had accused the defendant, William Lawrence Cassidy, of harassing and causing &#8220;substantial emotional distress&#8221; to a Buddhist religious leader named Alyce Zeoli. He had posted thousands of messages about her, some predicting her violent death. He lived in California, she in Maryland. In his 27&#45;page order, Judge Roger W. 
Titus wrote that &#8220;while Mr. Cassidy&#8217;s speech may have inflicted substantial emotional distress, the government&#8217;s indictment here is directed squarely at protected speech: anonymous, uncomfortable Internet speech addressing religious matters.&#8221; In his order, Judge Titus drew an analogy to the colonial period, when the Bill of Rights was written. A blog, he said, is like a bulletin board that a person of that time might have planted in his front yard. &#8220;If one colonist wants to see what is on another&#8217;s bulletin board, he would need to walk over to his neighbor&#8217;s yard and look at what is posted, or hire someone else to do so,&#8221; he offered. With Twitter, he went on, news from one colonist&#8217;s bulletin board could automatically show up on another&#8217;s. The postings can be &#8220;turned on or off by the owners of the bulletin boards,&#8221; he wrote. In other words, one can disregard what is posted on a bulletin board. &#8220;This is in sharp contrast to a telephone call, letter or e&#45;mail specifically addressed to and directed at another person,&#8221; he concluded. Hanni Fakhoury, a lawyer with the Electronic Frontier Foundation, based in San Francisco, which filed a brief in support of the defendant&#8217;s motion to dismiss the case, said he was heartened by the distinction that the judge drew between speech on a public platform, versus through e&#45;mail or telephone. The order is among the first to address a recently expanded cyberstalking law and, as such, could have important repercussions. &#8220;This is an area where there has been very little case law,&#8221; said Eugene Volokh, a law professor at the University of California, Los Angeles. &#8220;It is likely to be quite influential.&#8221; Judge&#8217;s order is here .   
top           It&#8217;s Official: The LAPD Ain&#8217;t Going to Google   (GigaOM, 15 Dec 2011) &#45; After a long&#45;running controversy, the 13,000 employees of the Los Angeles Police Department will definitely not move to Google Apps. And that&#8217;s final. On Wednesday, the Los Angeles City Council voted to officially kill a proposed deployment of Google Apps to the LAPD. The city&#8217;s other 17,000 employees &#45; those outside law enforcement &#45; will keep using Gmail, the Los Angeles Times reported last night. Two years ago, the LA&#45;Google deal, with CSC acting as contractor, was trumpeted by Google to show that Google Apps &#45; Gmail, specifically &#45; was ready for use by large organizations. But the LAPD had misgivings about how secure Gmail is. For law enforcement and court officials who must deal with sensitive information &#45; evidence, names of confidential informants, etc. &#45; security is critical. Because the LAPD must communicate with the FBI and other federal law enforcement agencies, its communications must meet federal Criminal Justice Information Security standards, as well &#45; something no cloud&#45;based mail is yet able to do. That means the issue is not as much about Gmail per se as cloud&#45;based email, in general, a fact conceded privately by even some of Google&#8217;s largest competitors. A spokeswoman for LA city council president Eric Garcetti reiterated that today. &#8220;This is about the security of cloud. There are federal as well as local security requirements that must be met,&#8221; she said.   top           Breach Response: The Legal View   (BankInfoSecurity, 15 Dec 2011) &#45; As legal issues surrounding data breaches become increasingly complex, more organizations are turning to attorneys for post&#45;breach response, says Lisa Sotto, a managing partner for New York&#45;based law firm Hunton &amp;amp; Williams. 
Complying with a multitude of regional and international laws when consumers&#8217; personal information is compromised is critical. And depending on the size and reach of the organization breached, that could mean complying with dozens of mandates and regulations in various parts of the country and world. Sotto, who focuses on privacy and information security, says the role of attorneys has changed significantly in recent years. After a data breach, attorneys handle many facets during the response process. &#8220;A lawyer who&#8217;s well&#45;versed in managing data breaches knows that she or he needs to manage really much more than the straight legal compliance issues,&#8221; Sotto says in an interview with BankInfoSecurity&#8217;s Tracy Kitten [transcript below]. Attorneys&#8217; duties post&#45;breach typically include: forensics investigations; managing public relations; managing media issues generally; hiring and training call&#45;center agents; retaining a mail house; retaining a credit monitoring and identity protection service; and dealing with the inevitable fallout of a data breach internally. &#8220;And of course, the lawyers also need to set things up to try to mitigate the risk of litigation that typically follows a security incident,&#8221; Sotto says.   top       PATRIOT Act Continues To Harm US Businesses: BAE Refuses To Use MS Cloud Over PATRIOT Act Fears   (TechDirt, 15 Dec 2011) &#45; Following on recent reports that, under the PATRIOT Act, European companies that use Microsoft&#8217;s cloud offerings in Europe might find their data subject to US government snooping and seizure, it appears that some rather large European companies are rethinking their cloud deployment plans. UK defense contracting giant BAE had apparently planned to start using Microsoft Office 365, until it was pointed out that this could make their documents subject to US snooping under the PATRIOT Act&#8230; and the company  changed its plans  . 
At what point do PATRIOT Act supporters realize that such broad provisions don&#8217;t help the US at all, but only lead to situations like this, where business is driven elsewhere. [Editor: see complementary story at ArsTechnica here .]   top           The Online Media Legal Network Celebrates its Second Birthday!   (Berkman, 15 Dec 2011) &#45; We are pleased to announce that the Online Media Legal Network, the Citizen Media Law Project&#8217;s legal referral service, is now two years old! The OMLN was started in Dec. 2009 as a way to help online journalism ventures and digital media creators find lawyers experienced in the sorts of legal issues media ventures face and to provide legal services on a pro bono or reduced&#45;fee basis. Now, two years later, the OMLN has a network of 232 lawyers in 49 states and the District of Columbia who are willing to offer their services to needy citizen journalists and online publishers. And help they have: as of Dec. 9, the OMLN has over 170 clients and has found counsel for 347 different legal matters, ranging from setting up a business to authoring website terms of use to defending clients against defamation claims. We commemorated the event with a talk this week as part of the Berkman Center&#8217;s Tuesday Luncheon Series, where we discussed the history of the OMLN, how the OMLN works, and what we&#8217;ve learned from it. [Editor: fairly dry podcast is here .]   top           Metropolitan Museum Provides a Trove of Images for Google Goggles   (NYT, 16 Dec 2011) &#45; Over the past year visual&#45;art obsessives have been having a field day with the feature of the Google smart&#45;phone app called Google Goggles, which allows a user to shoot a picture of something &#45; a painting, a photograph, a poster &#45; and in seconds see an identification of the image and a list of search results for more information about it. 
The app, which was introduced for Android phones in late 2009 and last year for the iPhone, has been getting much better recently at digging up the title, artist and art&#45;historical provenance of the work that the phone camera is looking at. Part of the credit for that can go to holders of huge art&#45;image databases like the J. Paul Getty Museum, which provided Google several months ago with access to several hundred images from its collection, becoming the first museum to do so. Now the Metropolitan Museum of Art has gotten involved. It announced Friday that it has supplied more than 76,000 images of paintings, drawings, prints and photographs in its collection to the project, meaning that if you come across a reproduction of a painting that rings a bell &#45; like &#8220;Juan de Pareja&#8221; &#45; but can&#8217;t remember who painted it, your phone can tell you within seconds that it was Diego Vel&#225;zquez. The app then directs you to the work on the Met&#8217;s site, for example, which tells you where to find the painting in the museum and gives you much more information about it. (Two&#45;dimensional works function best with the app; it tends to struggle with sculpture, so the Met has so far stuck to paintings and other works on flat surfaces.)   top           Don&#8217;t Break the Internet   (Profs Lemley, Levine &amp;amp; Post, in Stanford Law Review, 19 Dec 2011) &#45; Two bills now pending in Congress&#45;the PROTECT IP Act of 2011 (Protect IP) in the Senate and the Stop Online Piracy Act (SOPA) in the House&#45;represent the latest legislative attempts to address a serious global problem: large&#45;scale online copyright and trademark infringement. 
Although the bills differ in certain respects, they share an underlying approach and an enforcement philosophy that pose grave constitutional problems and that could have potentially disastrous consequences for the stability and security of the Internet&#8217;s addressing system, for the principle of interconnectivity that has helped drive the Internet&#8217;s extraordinary growth, and for free expression. [Editor: full paper here .]   top           Do Individuals Have &#8220;A Right To Be Forgotten&#8221;?   (MLPB, 19 Dec 2011) &#45; Jef Ausloos, Electronic Frontier Foundation, has published The &#8216;Right to Be Forgotten&#8217; &#45; Worth Remembering? in Computer Law &amp;amp; Security Review (2012). Here is the abstract:  &#8220;In the last few years there has been a lot of buzz around a so&#45;called &#8216;right to be forgotten.&#8217; Especially in Europe, this catchphrase is heavily debated in the media, in court and by regulators. Since a clear definition has not emerged (yet), the following article will try to raise the veil on this vague concept. The first part will weigh the right&#8217;s pros and cons against each other. It will appear that the &#8216;right to be forgotten&#8217; clearly has merit, but needs better definition to avoid any negative consequences. As such, the right is nothing more than a way to give (back) individuals control over their personal data and make the consent regime more effective. The second part will then evaluate the potential implementation of the right. Measures are required at the normative, economical, technical, as well as legislative level. The article concludes by proposing a &#8216;right to be forgotten&#8217; that is limited to data&#45;processing situations where the individual has given his or her consent. Combined with a public&#45;interest exception, this should (partially) restore the power balance and allow individuals a more effective control over their personal data.&#8221;  Paper is here .   
top       NewtGingrich.com, Occupied   (Washington Post, 21 Dec 2011) &#45; When you go to NewtGingrich.com right now, you might end up on the Washington Post. The pro&#45;Democratic super PAC American Bridge has bought the domain and programmed it to redirect to various Web sites, a clever attack on the former House speaker. The link might take you to  Freddie Mac  &#8216;s Web site,  Tiffany&#8217;s  , information about Greek cruises  , or to the ad  Gingrich cut with former House Speaker Nancy Pelosi in favor of addressing climate change. Sometimes the page goes to a Post article about his campaign&#8217;s June implosion . American Bridge has now put NewtGingrich.com on Craigslist , jokingly offering to sell the site for somewhere between $10,000 and a million dollars to &#8220;someone with greater need than us.&#8221; The only other candidate whose .com website remains unclaimed by the candidate is Texas Gov. Rick Perry&#8217;s RickPerry.com. For a few months, that site redirected  to the campaign website of Rep. Ron Paul (R&#45;Texas); it now goes to a generic page.  As the Post reported recently  , web domains are a new battleground in the 2012 campaign. Anonymous proxies often make it hard to determine which campaign is behind attack Web sites.   top           The PeaceTones Legal Empowerment Project   (Robert Ambrogi, 22 Dec 2011) &#45; On the latest  Lawyer2Lawyer podcast  , we look at Peacetones , an initiative of the Internet Bar Organization  to empower artists in the developing world with legal and technology tools to bring their music to the world online. Also in the program, we share a holiday treat from a great songwriter and longtime friend, attorney Larry Savell . Read more about this week&#8217;s show and listen to the full program at the  Legal Talk Network  . [Editor: I&#8217;m on the board of InternetBar.org, where MIRLN is mirrored.]   
top            Volkswagen Agrees to Curb Company E&#45;Mail in Off Hours   (NYT, 23 Dec 2011) &#45; Volkswagen has agreed to deactivate e&#45;mails for its German staff members&#8217; company BlackBerrys when they are off duty. Under an agreement reached this week with labor representatives, staff members at Volkswagen will receive e&#45;mails via BlackBerry from half an hour before they start work until half an hour after they finish, and will be in blackout mode the rest of the time, a spokesman for the company said. The new e&#45;mail protocol for Europe&#8217;s biggest automaker applies to staff members covered by collective bargaining, so it would seem that board&#45;level executives will still be attached to their BlackBerrys. Very few companies have taken such drastic measures to force workers toward a better work&#45;life balance. Deutsche Telekom, the telecommunications company, introduced a &#8220;smart device policy&#8221; last year that calls on workers to claim communication&#45;free time when they are off work, in exchange for a promise that management will not expect them to read e&#45;mail or pick up the phone at all times. &#8220;Mobile communication devices offer a great amount of freedom, but also embody the risk of no longer being able to switch off,&#8221; the company said. In Europe&#8217;s biggest economy, where burnout is blamed for almost 10 million sick days a year, labor representatives want to limit the amount of time that employees spend responding to e&#45;mails on weekends and during vacation. Bitkom, a German technology organization, published a study this year showing that 88 percent of German workers are reachable for clients, colleagues and bosses by e&#45;mail or mobile phone outside of working hours, compared with 73 percent two years ago. [Editor: see related story  from MIRLN 14.16 involving Atos.]   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-12-30T16:35:01-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 13 November 2011 – 3 December (v14.16)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_13_november_2011_3_december_v1416/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_13_november_2011_3_december_v1416/#When:20:16:01Z</guid>
      <description>MIRLN &#45;&#45;&#45; 13 November 2011 &#45; 3 December (v14.16) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   COMMENTS  | NEWS  | PODCASTS  | LOOKING BACK  | NOTES     Utah Mayor Used Alias To Write Upbeat News Stories    Stanford Law Review Online Launched &#45; Offers Timely Legal Analysis    Site to Resell Music Files Has Critics    Authors Guild: Kindle Owners&#8217; Lending Library Is &#8220;Nonsense&#8221;  Cambridge University Press to Try Renting Academic Articles    Title Firm Sues Bank Over $207k Cyberheist    Pentagon: Offensive Cyber Attacks Fair Game    Righthaven Case Ends in Victory for Fair Use    Fair Use In European Law    Can A Copyright Be Assigned By Email?    New Version of NC SaaS Ethics Opinion    Findlaw Legal Pulse as Launched &#45; Aggregates Topical News and Social Media    Panel Admonishes Criminal Defense Attorney For Blog Naming Clients, Omitting Disclaimer    EU Privacy Law is No Excuse for Spoliation of Evidence    Digital Downloads Sub for Weighty Scores    Web Poster&#8217;s Anonymity Preserved By Appellate Decision    French IT Company Declares The Email Dead    Cablegate One Year Later: How WikiLeaks Has Influenced Foreign Policy, Journalism, and the First Amendment    D.C. Courts Fight the Future in New Rule Limiting Electronic&#45;Device Use in Courthouse    Complaint: Medical &#8220;Copyright Over Your Comments&#8221; Contracts Are Illegal    Medical Justice Capitulates by &#8220;Retiring&#8221; Its Anti&#45;Patient Review Contracts     MyShingle Comments on Proposed Model Rule 5.3 [by] ABA Commission on Ethics 20/20    A Note to Our Readers About Comments    Carrier IQ Tracking Scandal Spirals Out of Control    France Still In Search Of Perfect Cookie    U.S. 
Publishes Final Rules on Student Privacy Law     ANNOUNCEMENT  (for ABA members)   On 24 October 2011, Dan Schwartz sent the following blast to an audience of ABA technology leaders. If you should have been on that list, consider yourself added. The more the merrier: &#8220;  Dear Fellow ABA Member&#8212;We all get a lot of ABA related e&#45;mail. But, as members of the Standing Committee on Technology and Information Systems (SCOTIS), we ask for your indulgence for one more to introduce something, we believe, will offer great value to all of us and the ABA: an ABA Technology Stakeholders Community. What would YOU like to see the ABA do with technology? Join our forum. It&#8217;s easy and it&#8217;s free. (No lifetime commitment necessary, either). Use the following, easy&#45;to&#45;remember link and become engaged in the discussion: http://ambar.org/techatstake  and feel free to share it with other ABA members via e&#45;mail, Twitter, Facebook, LinkedIn, Google+ or whatever other tool you like to use. We are reaching out to you because we have identified you as a technology stakeholder within the ABA. Whether through your position, your section, or just interest, we are trying to build a new community within the ABA&#8212;one that isn&#8217;t based on Section, but rather a love for and an interest in technology. Through a new technology forum (and eventually, some new&#45;fangled way to communicate) we hope to reach out to various groups, to solicit input and discussion on important subjects, and share useful information. Ultimately, we hope that this forum will provide meaningful input to the ABA and its members, and be a place where ABA members can share information and discuss solutions to the technology issues the ABA faces.    
top       COMMENTS   re &#8220;  Employers Demanding the Right to Remotely Wipe Employees&#8217; Phones  &#8221; from MIRLN 14.05, a reader comments:  Last summer [XYZ Co] changed its policy, and so will pay phone charges (including data), and the carrier will give you a &#8220;free phone&#8221;, however if you want a smartphone to read email, then the employee is supposed to buy the phone, but XYZ has a similar sting: &#8220;(1) I agree to allow XYZ to install or uninstall software as necessary to remotely manage and secure my PDA or mobile device; (2) I agree not to uninstall or disable XYZ installed software; (3) XYZ accepts no liability for loss of data or functionality on my PDA or mobile device; and (4) Upon ceasing to work for XYZ I accept that ALL data may be wiped from my PDA or mobile device.&#8221; My 3.5yr XYZ owned smartphone died on Wednesday, so I&#8217;m a little hesitant about giving XYZ the rights to control my equipment, or even make the device stop functioning at my expense.      top    NEWS       Utah Mayor Used Alias To Write Upbeat News Stories   (NPR, 11 Nov 2011) &#45; Disguising himself with an alias, the mayor of Utah&#8217;s second&#45;largest city has been writing upbeat freelance articles about his town for area news outlets because he claimed the media spent too much time on crime coverage. He unapologetically revealed himself this week, insisting the balance was needed. &#8220;I thought about all the people just reading about crime in our city and nothing better,&#8221; West Valley City Mayor Mike Winder said Friday. &#8220;I&#8217;m trying to stand up for us because we do get the short end of the stick negative stories.&#8221; Winder had been writing under the name Richard Burwash, an alias he actually swiped from a real man, a one&#45;time professional tennis player from California that he found on the Internet. 
He said getting stories published by the Deseret News, KSL&#45;TV&#8217;s website and a community weekly was as easy as setting up a Gmail account and Facebook page. He communicated with editors by email and phone, never showing his face. As an unpaid writer for several months earlier this year, the so&#45;called Burwash even quoted himself as mayor in some stories. In one published piece, he wrote about the opening of a Buddhist Temple in his Salt Lake City suburb, quoting himself as saying, &#8220;We applaud any time a group builds a place to celebrate peace and to encourage people to live better lives.&#8221; [Editor: See also &#8220;   Google+ Launches Guide for Politicians and Candidates   &#8220; (Mashable, 28 Nov 2011)]     top     Stanford Law Review Online Launched &#45; Offers Timely Legal Analysis   (Stanford, 11 Nov 2011) &#45; The Stanford Law Review (SLR)  launched a new website today, the Stanford Law Review Online  offering timely, short&#45;format, law&#45;review&#45;quality legal analysis. The site hosts perspectives , where multiple scholars weigh in on legal issues in the news (similar to newspaper op&#45;eds for readers with a legal background). The new site also provides a forum to respond to law review articles published in the journal edition of SLR . The goal of the website is to provide a more flexible outlet to publish short, original legal scholarship and commentary on a faster time&#45;frame with the same editorial quality that is the hallmark of the Stanford Law Review . The first perspective,  California&#8217;s De Facto Sentencing Commissions   , by Stanford Law Professor Robert Weisberg  is available online today.     top         Site to Resell Music Files Has Critics   (NYT, 14 Nov 2011) &#45; Music fans looking to clear out some clutter can always try to sell their old CDs. But can someone resell an old digital music file of &#8220;Thriller&#8221; that&#8217;s languishing on a computer? 
A legitimate secondhand marketplace for digital music has never been tried successfully, in part because few people think of reselling anything that is not physical. But last month a new company, ReDigi, opened a system that it calls a legal and secure way for people to get rid of unwanted music files and buy others at a discount. The service has already drawn concern from music executives and legal scholars, who say it is operating in a gray area of the law. Last Thursday the Recording Industry Association of America, which represents the major record companies, sent ReDigi a cease&#45;and&#45;desist letter, accusing it of copyright infringement. John Ossenmacher, ReDigi&#8217;s chief executive, contends that the service complies with copyright law, and that its technology offers safeguards to allay the industry&#8217;s concerns that people might profit from pirated music. &#8220;ReDigi is a marketplace that gives users tools to be in compliance with copyright law,&#8221; he said. &#8220;Before I put a file up for sale ReDigi says you will need to delete them, and if not it won&#8217;t take them.&#8221; When a user wants to upload a song for sale, ReDigi analyzes its metadata &#45; a kind of digital fingerprint &#45; to verify that it came from an official store like iTunes or Amazon. (It does not accept files ripped from a CD, or others whose provenance it considers suspect.) A desktop program then deletes any copies left on a user&#8217;s computer, and can detect if that user tries to add copies later. Songs on the service, which is based in Cambridge, Mass., cost 79 cents, as much as 50 cents less than the price of new tracks at iTunes. ReDigi users also get coupons worth 20 cents for each song upload for sale, effectively reducing the cost of a track to 59 cents. ReDigi&#8217;s fee ranges from 5 to 15 percent, a spokeswoman said. The company also plans to open a similar market for e&#45;books, Mr. Ossenmacher said. 
ReDigi says it is legal under the first&#45;sale doctrine, the idea that once someone buys a copyrighted item like a CD or book, that buyer is free to resell it. But legal scholars say that the law is unclear when it comes to digital goods because transferring a digital file from one party to another usually involves making a copy of it, something generally not allowed under copyright law. &#8220;The real challenge for the first&#45;sale doctrine in the digital environment,&#8221; said Mark A. Lemley, a professor at Stanford Law School, &#8220;is that courts have generally said that if you&#8217;ve gone beyond using your copy, and made a new copy, then you&#8217;re outside the scope of the doctrine.&#8221; Jason M. Schultz, an assistant professor of law at the University of California, Berkeley, said there were aspects to the first&#45;sale law that may apply to digital goods, but have been largely untested in the courts. The recording industry association&#8217;s letter to ReDigi, a copy of which was obtained by The New York Times, says that the company violates copyright by making copies of files, and by providing 30&#45;second samples of songs without licenses. A spokeswoman for ReDigi said on Friday that the company had not received the letter.   top        &#45; and&#45;       Authors Guild: Kindle Owners&#8217; Lending Library Is &#8220;Nonsense&#8221;   (PaidContent.org, 15 Nov 2011) &#45; The Authors Guild is taking a stand against the Kindle Owners&#8217; Lending Library, Amazon&#8217;s new initiative allowing Kindle&#45;owning Prime members to borrow free e&#45;books. Amazon (NSDQ: AMZN) is &#8220;boldly breaching its contracts&#8221; with publishers, the Guild contends, in &#8220;an exercise of brute economic power.&#8221; The Kindle Owners&#8217; Lending Library contains over 5,000 titles, many of which are being included without publisher permission. 
In those cases, Amazon is simply buying a copy of the book at the wholesale price any time a Prime member borrows it (hence no &#8220;big six&#8221; publishers&#8217; titles are in the program, since they set their own e&#45;book prices). When the program first launched, many publishers did not even know that their books were included. The Association of Author Representatives and others have raised questions over how authors whose books are included will be paid. The Authors Guild contends that the publishers who willingly included their books in the lending library (and were paid a hefty sum by Amazon to do so) are in the wrong: &#8220;While these publishers generally have the right to license e&#45;book uses for many of their authors&#8217; titles (just as most trade publishers do), our reading of the standard terms of these contracts is that they do not have the right to do so without the prior approval of the books&#8217; authors.&#8221;   top        &#45; and &#45;           Cambridge University Press to Try Renting Academic Articles   (ArsTechnica, 30 Nov 2011) &#45; Ars&#8217; science articles link to the academic papers that are being discussed, and based on reader comments, people have a clear interest in looking over the publications. Unfortunately, that interest often runs into a significant hurdle, one that can be summarized as &#8220;they expect me to pay $30 to read that?&#8221; Now, one academic publisher is experimenting with a system that might get a few more people reading its products: it&#8217;s offering to rent access to the articles. The publisher, Cambridge University Press, isn&#8217;t a major force in the world of academic journals; many of its offerings, such as the Journal of Helminthology and the American Journal of Alternative Agriculture, appeal to very niche audiences. But it appears to be a reasonable attempt to find a balance somewhere between strict article purchasing and an open access model. 
Under the plan, users would pay a moderate fee for one&#45;time access (&#163;3.99/$5.99/&#8364;4.49) to a PDF of the article. They won&#8217;t be able to save, print, or copy any of the text &#45; just display it in their browser. Cambridge University Press plans on adding support for mobile browsers shortly. The prices still seem a bit high for a casual reader, but it&#8217;s certainly a significant step down from the typical prices (for the journals in question, it represents an 86 percent discount). On its own, Cambridge University Press doesn&#8217;t publish enough material that this will significantly change academic publishing. The best hope for this effort to have a larger impact would be if it inspired a larger publisher to perform a similar experiment.     Title Firm Sues Bank Over $207k Cyberheist   (KrebsOnSecurity, 14 Nov 2011) &#45; A title insurance firm in Virginia is suing its bank after an eight&#45;day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime. Sometime before June 2010, crooks infected computers of Vienna, Va.&#45;based Global Title Services with the ZeuS Trojan, giving them direct access to the company&#8217;s network and online banking passwords at then&#45;Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas. The first three wires totaled more than $200,000. When Global Title&#8217;s owner Priya Aurora went to log in to her company&#8217;s accounts 15 minutes before the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates. 
When Aurora visited the bank&#8217;s local Chase branch to get assistance, she was told she needed to deal with the bank&#8217;s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1. Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One&#8217;s online banking system used single&#45;factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.     Pentagon: Offensive Cyber Attacks Fair Game   (Washington Post, 15 Nov 2011) &#45; The Pentagon has laid out its most explicit cyberwarfare policy to date, stating that if directed by the president, it will launch &#8220;offensive cyber operations&#8221; in response to hostile acts. Those hostile acts may include &#8220;significant cyber attacks directed against the U.S. economy, government or military,&#8221; Defense Department officials stated in a long&#45;overdue report to Congress released late Monday. But the report is still silent on a number of important issues, such as rules of engagement outside designated battle zones &#45; a sign of how challenging the policy debate is in the newest and most complex realm of warfare. The statements are consistent with preexisting policy, but have never before been stated quite so explicitly, even in the Pentagon&#8217;s recently released cyberspace strategy. That strategy focused on the importance of deterring attacks by building defenses that would &#8220;deny&#8221; adversaries the benefits of success. 
In the latest report, the Pentagon states that adversaries threatening a crippling cyber attack against the United States &#8220;would be taking a grave risk.&#8221;     Righthaven Case Ends in Victory for Fair Use   (EFF, 18 Nov 2011) &#45; In a victory for fair use, the publisher of the Las Vegas Review&#45;Journal, Stephens Media, filed papers yesterday conceding that posting a short excerpt of a news article in an online forum is not copyright infringement. The concession will result in entry of a judgment of non&#45;infringement in a long&#45;running copyright troll case that sparked the dismissal of dozens of baseless lawsuits filed by Righthaven LLC. The case began when the online political forum Democratic Underground&#8212;represented by the Electronic Frontier Foundation (EFF), Fenwick &amp; West LLP, and attorney Chad Bowers&#8212;was sued by Righthaven for a five&#45;sentence excerpt of a Review&#45;Journal news story that a user posted on the forum with a link back to the newspaper&#8217;s website. Democratic Underground countersued, asking the court to rule that the excerpt did not infringe copyright and is a fair use of the material, and brought Righthaven&#45;backer Stephens Media into the case.     Fair Use In European Law   (Media Law Prof Blog, 21 Nov 2011) &#45; P. B. Hugenholtz and Martin Senftleben, University of Amsterdam, have published Fair Use in Europe: In Search of Flexibilities. Here is the abstract:  &#8220;There appear to be good reasons and ample opportunity to (re)introduce a measure of flexibility in the national copyright systems of Europe. The need for more openness in copyright law is almost self&#45;evident in this information society of highly dynamic and unpredictable change. A historic perspective also suggests that copyright law, particularly in the civil law jurisdictions of Europe, has lost much of its flexibility in the course of the past century. 
By contrast, with the accelerating pace of technological change in the 21st Century, and in view of the complex process of law making in the EU, the need for flexible copyright norms both at the EU and the national level is now greater than ever. Against this background, the authors argue that the EU copyright acquis leaves considerably more room for flexibilities than its closed list of permitted limitations and exceptions suggests. In the first place, the enumerated provisions are in many cases categorically worded prototypes rather than precisely circumscribed exceptions, thus leaving the Member States broad margins of implementation. In the second place, the EU acquis leaves ample unregulated space with regard to the right of adaptation that has so far remained largely unharmonized. A Member State desiring to take full advantage of all policy space available under the Information Society Directive, might achieve this by literally transposing the Directive&#8217;s entire catalogue of exception prototypes into national law. In combination with the three&#45;step test, this would effectively lead to a semi&#45;open norm almost as flexible as the fair use rule of the United States. Less ambitious Member States seeking to enhance flexibility while keeping its existing structure of limitations and exceptions largely intact, can explore the policy space left by distinct exception prototypes. In addition, the unharmonized status of the adaptation right would leave Member States free to provide for limitations and exceptions permitting, for example, fair transformative uses in the context of producing and disseminating user&#45;generated content.&#8221;  The paper is here .     top         Can A Copyright Be Assigned By Email?   (Eric Goldman&#8217;s blog, 21 Nov 2011) &#45; Can a copyright be assigned by an exchange of emails? 
Section 204(a) of the Copyright Act provides that a transfer of copyright ownership is not valid unless an instrument of conveyance, or a note or memorandum of the transfer, is in writing and signed by the owner of the rights conveyed or by such owner&#8217;s duly authorized agent. The 11th Circuit has recently affirmed a lower court&#8217;s decision that an exchange of emails was sufficient to constitute a contract to assign a copyright. The court&#8217;s decision, however, does not seem to adequately address whether the email exchange satisfies the &#8220;writing&#8221; requirement in Section 204. Vergara Hermosilla v. The Coca Cola Company, No. 11&#45;11317 (11th Cir. Nov. 3, 2011).     New Version of NC SaaS Ethics Opinion   (VirtualLawPractice, 22 Nov 2011) &#45; The NC Bar has published the revised version of its proposed ethics opinion entitled &#8220;Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property&#8221;, 2011 FEO 6 on the website. It will also be published in the next issue of the NC State Bar Journal. You can read some of the history of this opinion in this post. After a year or more of subcommittee review and revision, this latest version will hopefully be the final one that the Ethics Committee recommends for adoption by the Council at their January meeting. The subcommittee removed the list of minimum requirements for the selection of a technology vendor. Many of the items on the list had raised concern as detailed here by myself and others. The new version of the opinion sticks with the &#8220;reasonable care&#8221; standard requiring the attorney to do his or her due diligence in researching the technology and any third&#45;party provider. 
The proposed opinion states:  &#8220;&#8230;a law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.&#8221;  The opinion then goes on to state that because technology and security risks change so rapidly, the opinion will not include minimum requirements that might quickly become outdated and create a false sense of security for practitioners. Instead, they suggest that in order to conduct due diligence the attorney can 1) look for confidentiality provisions in the vendor&#8217;s user agreement or SLA, 2) review the SLA and any security policies, 3) evaluate how the vendor stores and secures the data and 4) review how the vendor backs up the data.     Findlaw Legal Pulse as Launched &#45; Aggregates Topical News and Social Media   (BeSpacific, 22 Nov 2011) &#45; News release: &#8220;FindLaw.com is introducing FindLaw Legal Pulse, a new content area that offers continuously updated legal headlines from around the world, along with news, photo feeds and analysis from such sources as Reuters, the Associated Press, New York Times and Washington Post. The content covers a broad range of law&#45;related topics&#8212;everything from Supreme Court decisions to legislative updates, everyday legal issues and even sports and celebrity news. FindLaw Legal Pulse offers tangible user benefits&#8212;the news is up&#45;to&#45;date, comes from a rich variety of sources, and is tailored to audiences with legal interests.&#8221; [Editor: so far, I&#8217;m not impressed &#45; the above&#45;the&#45;fold stories (styled &#8220;Editor&#8217;s Picks&#8221;) haven&#8217;t changed in a week.]     
top         Panel Admonishes Criminal Defense Attorney For Blog Naming Clients, Omitting Disclaimer   (BNA, 23 Nov 2011) &#45; A criminal defense attorney who blogs about criminal proceedings, including his clients&#8217; cases, violated Virginia lawyer conduct rules by including clients&#8217; names in blog posts without their consent, a Virginia State Bar disciplinary committee determined in an order released Nov. 8 (In re Hunter, Virginia State Bar, 3d Dist. Comm., VSB No. 11&#45;032&#45;084907, 11/8/11). The panel also found that the attorney&#8217;s blog, This Week in Richmond Criminal Defense, hosted on his law firm&#8217;s website, constitutes advertising and therefore should have included a disclaimer required by rules governing lawyer advertising. The panel&#8217;s order publicly admonishes the attorney, Horace F. Hunter, and warns that further ethics violations will result in more serious sanctions. &#8220;Respondent&#8217;s website discusses information regarding his clients&#8217; cases, the disclosure of which would be embarrassing or be likely to be detrimental to the client,&#8221; the committee&#8217;s opinion states. &#8220;Respondent did not receive consent from any of the clients listed in the postings on the respondent&#8217;s web page prior to disseminating such case information.&#8221;     top         EU Privacy Law is No Excuse for Spoliation of Evidence   (Steptoe, 23 Nov 2011) &#45; European Union requirements to delete personal data once it is &#8220;no longer necessary&#8221; for business purposes do not excuse a company from U.S. law regarding spoliation of evidence. A decision last month by the U.S. District Court for the Northern District of California in IO Group Inc., et al. v. GLBT Ltd., et al., rejected a British website operator&#8217;s argument that its intentional destruction of emails relevant to copyright infringement litigation could not be considered spoliation of evidence because it was done per the requirements of the U.K. 
Data Protection Act 1998. This decision highlights the fact that U.S. courts often will not excuse noncompliance with U.S. law on grounds that complying would result in a violation of foreign law &#45; a conundrum that is increasingly faced by companies that have data stored abroad but are subject to U.S. jurisdiction.     top         Digital Downloads Sub for Weighty Scores   (NYT, 24 Nov 2011) &#45; Digital gadgetry has increasingly been making its mark on classical music performance. It hit a milestone this week at the New York Philharmonic. Jeffrey Kahane, the pianist and conductor who is making a guest appearance at the orchestra, used an iPad on Tuesday instead of a score to lead the orchestra in a Mozart symphony. It was a first for the orchestra, the Philharmonic said. Mr. Kahane said it was also his debut with the device in such a major setting. Mr. Kahane conducted from a harpsichord, improvising an accompanying part, or continuo, to the symphony. The sight of a computer tablet sitting atop a quintessentially nonelectronic instrument made of wood, strings and plectrums for plucking them was incongruous. Musicians more and more are using iPads and laptops instead of traditional paper scores, especially pianists. The Borromeo String Quartet makes it a regular practice. Wireless foot pedals or a quick screen tap make it easier to turn pages. Downloading scores for study or performance saves about 30 or 40 pounds of luggage while on the road, said Mr. Kahane, who is music director of the Los Angeles Chamber Orchestra. Mr. Kahane said the iPad would be impractical for a Mahler symphony, say, with its much larger scoring, and there is the danger of equipment malfunction. But tapping also eliminates the possibility of turning two pages at once, tearing out a leaf or pulling the whole score off the stand, as can happen, he said. He uses a stylus or other program features to mark the scores, many of which he downloads from open&#45;source sites. Mr. 
Kahane said he had about 100 scores on his iPad, including Mozart&#8217;s Symphony No. 33, the work played on Tuesday and scheduled for performances on Friday, Saturday and Tuesday.     Web Poster&#8217;s Anonymity Preserved By Appellate Decision   (Chicago Tribune, 26 Nov 2011) &#45; The name of an anonymous Web poster who ridiculed a former Buffalo Grove trustee&#8217;s 15&#45;year&#45;old son does not have to be revealed, an appellate court has ruled in a case closely watched for its implications for Internet anonymity. &#8220;Encouraging those easily offended by online commentary to sue to find the name of their &#8216;tormentors&#8217; would surely lead to unnecessary litigation and would also have a chilling effect on the many citizens who choose to post anonymously&#8221; on newspaper websites, the Illinois First District Appellate Court ruled. Putting publishers and website hosts in the position of &#8220;cyber&#45;nanny&#8221; is &#8220;a noxious concept that offends our country&#8217;s long history of protecting anonymous speech,&#8221; Justice Terrence Lavin wrote.     French IT Company Declares The Email Dead   (Business Insider, 28 Nov 2011) &#45; The CEO of one of Europe&#8217;s largest IT companies has told his staff they are to stop emailing each other, stating that it is no longer an &#8220;appropriate&#8221; communication tool. The Telegraph reports that Thierry Breton, CEO of Atos, wants to abandon email altogether within 18 months. Instead, he wants to promote instant messaging and the good old&#45;fashioned spoken word. The Wall Street Journal reports that Breton hasn&#8217;t sent a work email for three years. 
Now, France&#8217;s former finance minister is hoping to pass his ethos on to his employees stating to the Telegraph: &#8220;It is not normal that some of our fellow employees spend hours in the evening dealing with their emails.&#8221;  &#8220;The email is no longer the appropriate (communication) tool.&#8221;  The newspaper also reported that only 11 percent of French 11 to 19&#45;year&#45;olds utilize email as a communication method. [Editor: Atos was part of Schlumberger, where I worked for 2 decades. They aren&#8217;t (usually) crazy; maybe this story is incomplete. See also the story below under &#8220; LOOKING BACK &#8221;]     top         Cablegate One Year Later: How WikiLeaks Has Influenced Foreign Policy, Journalism, and the First Amendment   (EFF, 28 Nov 2011) &#45; One year ago today, WikiLeaks started publishing a trove of over 250,000 leaked U.S. State Department cables, which have since formed the basis of reporting for newspapers around the globe. The publication has given the public a window into the inner workings of government at an unprecedented scale, and in the process, has transformed journalism in the digital age. In recognition, WikiLeaks founder Julian Assange was just awarded Australia&#8217;s version of the Pulitzer Prize, in addition to the Martha Gellhorn journalism prize he won in the United Kingdom earlier this year. As Salon&#8217;s Glenn Greenwald observed, &#8220;WikiLeaks easily produced more newsworthy scoops over the last year than every other media outlet combined.&#8221; Yet at the same time, the Justice Department has been investigating WikiLeaks for criminal violations for doing what other media organizations have been doing in the U.S. for centuries&#45;publishing truthful information in the public interest. Here is a look at Cablegate&#8217;s impact on journalism surrounding six countries central to U.S. 
foreign policy, and why it is vital for the media to stand up for WikiLeaks&#8217; First Amendment right to publish classified information.     D.C. Courts Fight the Future in New Rule Limiting Electronic&#45;Device Use in Courthouse   (Berkman CMLP, 28 Nov 2011) &#45; The Blog of the Legal Times reports that the Superior Court of the District of Columbia &#45; the local trial court for the nation&#8217;s capital &#45; has issued a new administrative order regarding use of electronic devices in the courthouse. And like other courts, the new rules impose a class system of &#8220;haves&#8221; and &#8220;have nots&#8221; &#45; favored types of people can have and use the devices, while everyone else cannot. The rules also contain an archaic view of electronic devices that effectively means that even when the rules allow them to be used, they cannot be used for any modern, web&#45;based functions. Unlike most other &#8220;state&#8221; courts, the D.C. Superior Court maintains an almost complete ban on photography in court. See D.C. Super. Ct. R. Crim. Proc. 53(b); D.C. Super. Ct. R. Civil Proc. 203(b); D.C. Super. Ct., Juv. Proceed. R. 53(b), and D.C. Super. Ct. Dom. Rels. R. 203(b). The Radio Television Digital News Association points out a limited exception to the ban: the juvenile and criminal court rules permit photography &#8220;in any office or other room of the courthouse&#8221; with the consent of the person in charge of the office or room and the person or people being photographed. In practice, this means that all such devices must be left outside the courthouse, or checked with court officers at the entrances. The new order, Admin. Order 11&#45;17 (D.C. Super. Nov. 9, 2011) continues this policy, by generally requiring that &#8220;before entering any courtroom, everyone shall turn off all electronic devices in his or her possession. 
Pocket&#45;sized electronic devices shall be turned off and stowed so that they are not visible.&#8221; The order&#8217;s definition of &#8220;electronic device&#8221; is expansive, and includes all types of cameras (whether film or digital), cell phones, computers, analog or digital recorders, MP3 players, &#8220;and any other device that is capable of receiving, transmitting, or recording messages, images, sounds, data, or other information by electronic means&#8221;. The order specifically mentions that it covers &#8220;all members of the media and students, who may take notes manually,&#8221; but the order also provides that &#8220;[m]embers of the media may be given permission by the presiding judicial officer to use electronic devices in the courtroom for official business.&#8221; While the order says that this requirement applies to &#8220;everyone,&#8221; it does not really apply to every person in the courthouse. The order goes on to state that &#8220;[t]his prohibition does not include a litigant representing himself or herself and to whom the court has given permission to use an electronic device or any person appearing before a judicial officer in the well of the courtroom if authorized by the presiding judicial officer to use an electronic device in the courtroom.&#8221; The order also exempts &#8220;[m]embers of the Bar or other individuals who are authorized to sit in designated rows of the courtroom (such as pretrial service officers, probation officers, supervision officers, or social workers in court on official business).&#8221;     top          Complaint: Medical &#8220;Copyright Over Your Comments&#8221; Contracts Are Illegal   (ArsTechnica, 29 Nov 2011) &#45; When our own Timothy B. Lee stepped into a Philadelphia dentist&#8217;s office earlier this year, he  had an unpleasant experience  : the dentist required him to sign over control of all copyright in future online commentary related to that dentist. 
Here&#8217;s how Tim described the visit:  &#8220;When I walked into the offices of Dr. Ken Cirka, I was looking for cleaner teeth, not material for an Ars Technica story. I needed a new dentist, and Yelp says Dr. Cirka is one of the best in the Philadelphia area. The receptionist handed me a clipboard with forms to fill out. After the usual patient information form, there was a &#8220;mutual privacy agreement&#8221; that asked me to transfer ownership of any public commentary I might write in the future to Dr. Cirka. Surprised and a little outraged by this, I got into a lengthy discussion with Dr. Cirka&#8217;s office manager that ended in me refusing to sign and her showing me the door.&#8221;  The contract in question came from Medical Justice, which claims to be &#8220;relentlessly protecting physicians from frivolous lawsuits.&#8221; Over the last few years, the company has pioneered a strange niche in the medical business: providing contractual templates that first barred patients from commenting about their doctors online and later gave doctors the power to veto negative reviews. Is this legal? The Center for Democracy &amp; Technology (CDT) filed a complaint today with the Federal Trade Commission (FTC) arguing that Medical Justice was itself engaging in &#8220;deceptive and unfair business practices&#8221; through the sale of these contracts. The complaint argues that Medical Justice is &#8220;engaging in a deceptive business practice by selling contracts which are themselves deceptive to doctors and patients as to whether they are legally enforceable.&#8221; CDT asks that Medical Justice be barred from selling these kinds of contracts to doctors, that it alert doctors who have already purchased them that the contracts are &#8220;likely unenforceable and illegal,&#8221; and that it give up all money earned from the sale of the contracts.   
top        &#45; and &#45;       Medical Justice Capitulates by &#8220;Retiring&#8221; Its Anti&#45;Patient Review Contracts   (Eric Goldman, 1 Dec 2011) &#45; It&#8217;s been a rough week for Medical Justice, the company that tries to help doctors suppress patient reviews. First, the Center for Democracy and Technology filed an FTC complaint alleging three main points: (1) Medical Justice deceives doctors by selling them contracts that don&#8217;t work as promised, (2) the effort to suppress patient reviews is unfair under Sec. 5 of the FTC Act, and (3) Medical Justice violates the endorsement/testimonial guidelines through efforts that appear to create fake reviews for doctors. See the CDT announcement . Second, Public Citizen filed a declaratory judgment action against a dentist who tried to use Medical Justice&#8217;s contract to suppress a patient&#8217;s review. The dentist didn&#8217;t actually sue the patient, but he did send over a draft complaint. The DJ complaint touches on a number of interesting issues, including contract unconscionability and dentist ethics, but the copyright angles are perhaps the most interesting. See  the Public Citizen announcement  . Both CDT and Public Citizen acknowledge the DoctoredReviews website , which Jason Schultz, two Berkeley students and I launched a half&#45;year ago as a way of calling attention to the problems being created by Medical Justice&#8217;s contracts. Although I&#8217;m delighted that the website was helpful to them, I&#8217;m even more grateful that they took the website&#8217;s advocacy and turned it into action. While the FTC complaint and lawsuit work their way through the system, they have already been effective: after going through multiple iterations of its review&#45;suppression contracts, Medical Justice apparently threw in the towel and admitted it is dropping the contracts altogether.  Timothy B. 
Lee at Ars Technica reports:  &#8220;While we believe these agreements are honest, ethical, and legal, we are going to use this situation as an opportunity to retire these written agreements used since 2007,&#8221; MJ CEO Jeffrey Segal told Ars on Wednesday. He claims that MJ will recommend to doctors that they stop using the agreements, and that patients will not be asked to sign any such agreements in the future.&#8221;     MyShingle Comments on Proposed Model Rule 5.3 [by] ABA Commission on Ethics 20/20   (Carolyn Elefant, 30 Nov 2011) &#45; Below is my final set of comments on the ABA Commission on Ethics 20/20&#8217;s proposals. My comments address the Commission&#8217;s proposal to subject lawyers to the same level of supervisory oversight for passive cloud services as for human, non&#45;legal service providers. For reasons discussed in this post, I strongly oppose any additional requirements which pose additional burdens on lawyers who seek to use the cloud. Moreover, I just don&#8217;t see the need to extend the oversight and supervisory obligations of Model Rule 5.3 to passive services, except if the point is backlash against the cloud. Think about it &#45; lawyers have long been permitted to rely on services like banking, phones and computerized legal research without the need for an express directive to oversee and instruct these vendors. As my comments discuss, lawyers must act prudently in selecting any service &#45; that&#8217;s not just an ethical mandate, but simple common business sense. We can&#8217;t run effective profitable practices if we employ phone service that goes down every two days or legal research tools that produce inaccurate results. Do we really need more ethics rules governing selection of passive services? In addition, as my comments point out, it may well be impossible for lawyers &#45; and particularly solos &#45; to meet the active oversight and instruction requirements proposed in Model Rule 5.3. 
Solos lack the bargaining power to force vendors to modify their services to our liking. So why impose a requirement that can&#8217;t be enforced? You can read my full comments at the end of this post, and my earlier comments here .     top         A Note to Our Readers About Comments   (NYT Managing Editor, 30 Nov 2011) &#45; Today we are introducing enhancements to our comment system to improve the community experience across NYTimes.com. The first thing you&#8217;ll probably notice is an entirely new design, which for the first time brings our readers&#8217; comments onto the same page as the article or blog post. This improves the old system, which relegated them to a separate page. We are also adding new functions. Comments are now threaded, giving readers the ability to respond to one another. In addition, we&#8217;ve added tie&#45;ins to social media: comments, both yours and others&#8217;, can now be shared to Twitter and Facebook. And finally, we are introducing a program for &#8220;trusted&#8221; commenters&#8212;those who have maintained a history of posting outstanding comments on the site. Submissions from these members of our community will not be moderated in advance. Trusted commenter status is offered by invitation only. ( Read more about this program .) We look forward to hearing from you. Please leave your reactions and questions about the new system in the thread below. We&#8217;ll do our best to respond to as many as possible.     top         Carrier IQ Tracking Scandal Spirals Out of Control   (Mashable, 1 Dec 2011) &#45; Carrier IQ, a diagnostic tool installed in millions of smartphones all over the world, is gathering a lot of info about your activity &#45; possibly even recording keystrokes, content of SMS messages and more &#45; and sending it to a third party. It&#8217;s present on nearly all Android devices, but not Galaxy Nexus, Google Nexus One, Nexus S, or the Motorola Xoom. 
It&#8217;s also present on iOS devices, but it seems to be active only when the device is in diagnostic mode. This is the short version of what is quickly becoming a very complicated story with huge implications for user privacy. Carrier IQ is a tool whose primary purpose is recording various info which helps carriers improve the quality of service for their customers. In October, researcher Trevor Eckhart discovered that Carrier IQ is recording, among other things, your every keystroke and possibly sending it back to Carrier IQ&#8217;s servers. Carrier IQ responded by sending Eckhart a cease &amp;amp; desist letter and publishing a media alert, in which it claims the company is &#8220;not recording keystrokes or providing tracking tools.&#8221; Fast forward to this week, when Eckhart posted video evidence (below) suggesting that Carrier IQ is recording keystrokes and reading incoming SMS messages on Android, more precisely on an HTC EVO 3D. Worse, the app cannot be stopped or removed by the user. While this doesn&#8217;t prove that Carrier IQ is actually sending the data back to Carrier IQ&#8217;s servers, it&#8217;s definitely disconcerting to see all this done by an app which is completely out of users&#8217; control. Many questions are still left unanswered. We don&#8217;t know what Carrier IQ does with the data it collects, or whether it sends keystrokes, SMS messages or other info back to Carrier IQ&#8217;s servers. We don&#8217;t know the nature of the deal between Carrier IQ and &#45; seemingly &#45; most of the world&#8217;s carriers, since almost every device which is sold together with a carrier contract has the app installed. We&#8217;ll keep you updated as the story unfolds.     
top         France Still In Search Of Perfect Cookie   (Steptoe, 1 Dec 2011) &#45; France&#8217;s data protection agency, the Commission Nationale de l&#8217;Informatique et des Libert&#233;s, has released yet more guidance on acceptable practices for implementing amendments to EU privacy law that requires website operators to obtain user consent prior to the installation of cookies. The latest set of guidelines reiterates the data regulator&#8217;s intent to strictly apply active consent requirements in enforcing France&#8217;s laws implementing the EU e&#45;Privacy Directive, once again reminding website operators that browser settings alone are not sufficient to fulfill EU privacy obligations. This statement goes further than the agency&#8217;s September guidance in clarifying what measures are necessary to comply with EU requirements by providing examples of adequate and inadequate website consent mechanisms. Even the loquacious Proust didn&#8217;t need this many words to describe his wondrous madeleine in In Search of Lost Time.     top          U.S. Publishes Final Rules on Student Privacy Law   (InsideHigherEd, 2 Dec 2011) &#45; The U.S. Education Department today published final rules  to update the Family Educational Rights and Privacy Act, making relatively few substantive changes from  proposed regulations  that drew significant comment and quite a bit of criticism from some college groups. The rules give colleges and universities more latitude to share student&#45;level information with state agencies and others, without student consent.     top        NOTED PODCASTS    World of Lawcraft   (Berkman Center, 4 Nov 2011; 32 minutes) &#45; Video games aren&#8217;t just, well, fun and games. 
When you pop open a video game &#45; be it Farmville on Facebook for your smartphone or World of Warcraft on your $10,000 immersive gaming setup &#45; you are entering into any number of different terms and conditions agreements about behavior and property that govern your playtime. But questions have started to arise as more and more games build the concept of virtual property into their play. New powers, levels, avatars, privileges &#45; who do those things belong to, and under what jurisdiction do they fall? Greg Lastowka  is a professor of law at Rutgers University and author of the book Virtual Justice: The New Laws of Online Worlds . Lastowka has given a great deal of thought to the virtual worlds of video games, and documented some of the cases where the laws of the game and the laws of real life clash, sometimes violently. [Editor: Interesting discussion, but I was surprised that he didn&#8217;t touch on money&#45;laundering issues in MMORPG environments. On that subject, Neal Stephenson&#8217;s new book, REAMDE , is a pretty interesting read.]   top         Michael Nielsen on Doing Science in the Open   (Berkman Center, 25 Oct 2011; 72 minutes)  &#45; Consider the Polymath Project, an ongoing experiment in &#8220;massively collaborative&#8221; mathematical problem solving. The idea is to use online tools like blogs and wikis to collaboratively attack difficult mathematical problems. Michael Nielsen &#45; author of the book Reinventing Discovery and an advocate of open science &#45; discusses how online tools like the Polymath Project can be used to transform the way we humans work together to make scientific discoveries, and how the normally conservative scientific culture can become more open.  [Editor: The podcast implicates knowledge&#45;production (if not management) in the distributed academic sphere, with crowdsourcing, Communities of Practice, and cultural enablers/barriers. 
There&#8217;s an interesting post by Nick Milton parsing some of the implications for knowledge management &#45; &#8220; It&#8217;s Not Always Experts Who Have the Answers .&quot;]     top        LOOKING BACK   SHORT MESSAGING MAKES A DENT IN E&#45;MAIL USE E&#45;mail use has fallen by 5% this year in the U.K., due to the popularity of short text messaging via mobile phones. According to a report for Barclays bank, the drop was even more dramatic&#8212;10%&#8212;among 18&#45; to 24&#45;year&#45;olds. &#8220;Young people aren&#8217;t giving up on the Internet,&#8221; says Barclays e&#45;commerce chief Simon Newman. &#8220;They take what they want out of it and move on to other high&#45;tech media for convenience and leisure.&#8221; (Ananova 30 Mar 2001) http://www.ananova.com/news/story/sm_259919.html    top        POORER COUNTRIES GET FREE E&#45;ACCESS TO MEDICAL JOURNALS (Washington Post 9 Jul 2001)&#8212;Mirroring the drug industry&#8217;s newfound commitment to make medicines for AIDS, malaria and tuberculosis more widely available to Third World countries, six publishing houses recently announced they will provide free electronic access to about 1,000 medical journals to medical schools, research laboratories and government health departments in poorer countries. Institutions in countries in which the per&#45;capita gross national product (GNP) is less than US$1,000 a year will receive the journals free. In countries where the per&#45;capita GNP is US$1,000 to US$3,000, there would be a minimal charge. http://www.washingtonpost.com/wp&#45;dyn/articles/A33714&#45;2001Jul8.html      top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-12-02T20:16:01-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 23 October – 12 November 2011 (v14.15)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_23_october_12_november_2011_v1415/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_23_october_12_november_2011_v1415/#When:19:03:01Z</guid>
      <description>MIRLN &#45;&#45;&#45; 23 October &#45; 12 November 2011 (v14.15) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   NEWS  | NOTED PODCASTS  | DIFFERENT  | LOOKING BACK  | NOTES     Lawmakers&#8217; Websites Improving, Report Finds    FBI Going to Court More Often to Get Personal Internet&#45;Usage Data    Nasdaq Server Breach: 3 Expected Findings    Make or Buy in the Age of the Free&#45;Agent Lawyer    When Secrets Aren&#8217;t Safe With Journalists    A &#8220;Wow&#8221;: CEO Pushes Reg FD Limits on Twitter    Insulin Pump Hack Delivers Fatal Dosage Over the Air    NIST Publishes Guide for Monitoring Security in Information Systems    Data Breach Mitigation Costs Were Cognizable Damages    Regulating Network Neutrality    UK Cops Using Fake Mobile Phone Tower to Intercept Calls, Shut Off Phones    Homeland Security Reviews Social Media Guidelines   CIA Following Twitter, Facebook     Our Pleasure to Serve You: More Lawyers Look to Social Networking Sites to Notify Defendants    Open Secret: Cisco Site Shares Privacy Approach   TRUSTe to Issue Free Privacy Policy Creation Starter Kit for Mobile Developers     Keeping Up with the Joneses&#45;How Far Does the &#8216;Reasonable Expectation of Privacy&#8217; Go?   Judges Weigh Phone Tracking     Safe in the Cloud? 
Online Service Risks Need Care and Coverage   New Study Finds 67 Percent of Cloud Servers are Perceived Vulnerable or Potentially at Risk by IT Personnel     Facebook: Monitoring Juror Social Media Networking Sites; &#8220;Friending&#8221; Employees of Adverse Parties   Case of Fake Facebook Profile Can Proceed, Judge Rules  Judge Orders Exchange of Facebook and Dating Website Passwords in Custody Fight     Out of the Crowd: Public&#45;Supplied Info Gains Ground in Courts     Why Parents Help Their Children Lie to Facebook About Age: Unintended Consequences of the &#8216;Children&#8217;s Online Privacy Protection Act&#8217;    Feds Drop Plan to Lie in Public&#45;Record Act Requests    Hyperlinks and the First Amendment    Ninth Circuit Affirms Google&#8217;s Section 230 Win Over a Negative Business Review    Surveillance System May Have Recorded Courthouse Conversations in Violation of Federal Law    Apple&#8217;s Siri Could Get You into Hot Water Behind the Wheel    FTC Settles with Online Advertiser over Flash Cookie Use    Employers Demanding the Right to Remotely Wipe Employees&#8217; Phones?            Lawmakers&#8217; Websites Improving, Report Finds   (Hillicon Valley, 24 Oct 2011) &#45; The overall quality of congressional websites is on the rise, but many still lack basic educational and transparency features, according to a new report. House websites &#45; including member, committee and leadership office sites &#45; saw some degree of improvement from 2009 to 2011, while the Senate saw a small decline, according to the report released Monday outlining best practices in online communications on Capitol Hill. New members elected in 2010 were also found to have developed much better websites in their first year in office compared with their Senate counterparts, the Congressional Management Foundation (CMF) found. Roughly 61 percent of websites from House freshmen earned high marks for their sites from CMF, versus just 31 percent for new senators. 
The CMF singled out several lawmakers and committees for excellent online communications, with top marks going to Sen. Mark Begich (D&#45;Alaska) for best Senate member website, and Rep. Paul Ryan (R&#45;Wis.) for best House member website. According to the report, many member websites still do not offer basic information about their activities, the work of Congress or the legislative process. Forty percent of lawmakers did not post information on bills members have sponsored or co&#45;sponsored in the current session of Congress, and 44 percent did not post information on the legislator&#8217;s voting record, according to the report. Forty&#45;seven percent did not post information on how a bill becomes a law, and 67 percent did not provide guidance for communicating with the member office. Lawmakers did take better advantage of social media tools, however, as the use of such technology by congressional offices rose exponentially.   top       FBI Going to Court More Often to Get Personal Internet&#45;Usage Data   (Washington Post, 25 Oct) &#45; The FBI is increasingly going to court to get personal e&#45;mail and Internet usage information as service providers balk at disclosing customer data without a judge&#8217;s orders. Investigators once routinely used administrative subpoenas, called national security letters, seeking information about who sent and received e&#45;mail and what Web sites individuals visited. The letters can be issued by FBI field offices on their own authority, and they obligate the recipients to keep the requests secret. But more recently, many service providers receiving national security letters have limited the information they give to customers&#8217; names, addresses, length of service and phone billing records. &#8220;Beginning in late 2009, certain electronic communications service providers no longer honored&#8221; more expansive requests, FBI officials wrote in August, in response to questions from the Senate Judiciary Committee. 
This marked a shift from comments made last year by Obama administration officials, who asserted then that most service providers were disclosing sufficient information when presented with national security letters. Investigators seeking more expansive information over the past two years have turned to court orders called business record requests. In the first three months of this year, more than 80 percent of all business record requests were for Internet records that would previously have been obtained through national security letters, the FBI said. The FBI made more than four times as many business records requests in 2010 than in 2009: 96 compared with 21, according to Justice Department reports.     top     Nasdaq Server Breach: 3 Expected Findings   (Information Week, 25 Oct 2011) &#45; Remember the Nasdaq breach? [Reported in MIRLN 14.05 ] It&#8217;s worse than previously thought. Last week, two experts with knowledge of Nasdaq OMX Group&#8217;s internal investigation said that while attackers hadn&#8217;t directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors. &#8220;God knows exactly what they have done. The long&#45;term impact of such [an] attack is still unknown,&#8221; cyber security expert Tom Kellermann, CTO of AirPatrol, told Reuters, which reported the experts&#8217; findings. In February 2011, Nasdaq OMX Group had confirmed that its servers had been breached, and suspicious files found on servers associated with Directors Desk, which is a Web&#45;based collaboration and communications tool for senior executives and board members to share confidential information. The product has about 10,000 users, according to the company&#8217;s website. 
At the time, Nasdaq said that it had discovered the attack in October 2010, immediately removed the suspicious files, and launched an investigation, saying &#8220;at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.&#8221; But it wasn&#8217;t clear how long the malicious files may have resided on Nasdaq&#8217;s systems. Indeed, based on past breaches, many businesses fail to spot when they&#8217;ve been hacked, at least right away. Interestingly, Nasdaq didn&#8217;t immediately inform customers about the breach, after the FBI&#45;&#45;which is investigating the matter, together with the National Security Agency&#45;&#45;asked it to delay doing so, so as to not impede its investigation. Furthermore, because of that investigation, Nasdaq hasn&#8217;t publicly released many details about the attack. But based on recent news reports, as well as likely attack scenarios, we&#8217;ll likely see these three findings * * *   top       Make or Buy in the Age of the Free&#45;Agent Lawyer   (ABA Journal, 26 Oct 2011) &#45; At all stages of a company&#8217;s life cycle, leadership continually asks the classic &#8220;Make or Buy&#8221; question. When should a company hire and develop expertise internally, and when does it make more sense to outsource tasks and purchase professional services? When it comes to legal needs, every company has its own pressure points. Mature companies mostly tie in&#45;house headcount to revenue metrics or benchmark against industry norms. Start&#45;ups are more interesting to follow with respect to make or buy decisions, because their behavior usually reflects a cultural choice. Case in point, the fastest growing company in the United States, GroupOn, didn&#8217;t hire its first General Counsel until June, 2011. Based on GroupOn&#8217;s revenue history and the huge amount of private equity in play, that&#8217;s pretty late in the game. 
Given GroupOn&#8217;s truly unique culture, which feeds on humor and independent thinking, I suspect that leadership was in no rush to build a law department. The need for policies and procedures does not necessarily equate to a desire for policies and procedures. Eventually, however, most $1 billion&#45;plus companies hire at least one attorney to manage legal services delivery, and of course, many have law departments of significant size. In the &#8220;New Normal,&#8221; the make or buy question expands. For companies with law departments, the objective for chief legal officers goes well beyond the old school notion of justifying additional headcount and then lobbying for it. Instead, progressive law departments are asking simply, &#8220;how can we make more in&#45;house?&#8221; Taking more work inside does not automatically equate to hiring more attorneys. Instead, an evolving range of options are now in play. For example, many larger law departments have developed brand new job descriptions for tech&#45;savvy operations professionals. This is the kind of quasi&#45;legal role envisioned by Richard Susskind in The End of Lawyers? The objective in creating this position is to incorporate large&#45;scale cost savings via the proper use of knowledge management systems, eBilling software, content providers and more. [Editor: Interesting; Come to think of it, I guess that much of my  practice is as such an &#8220;adjunct&#8221;.]   top       When Secrets Aren&#8217;t Safe With Journalists     (NYT OpEd by Chris Soghoian, 26 Oct 2011) &#45; Brave journalists have defied court orders and have even been jailed rather than compromise their ethical duty to protect sources. But as governments increasingly record their citizens&#8217; every communication &#45; even wiretapping journalists and searching their computers &#45; the safety of anonymous sources will depend not only on journalists&#8217; ethics, but on their computer skills. 
Sadly, operational computer security is still not taught in most journalism schools, and poor data security practices remain widespread in news organizations. Confidential information is sent over regular phone lines and via text messages and e&#45;mail, all of which are easy to intercept. Few journalists use secure&#45;communication tools, even ones that are widely available and easy to use. Government officials often attempt to get journalists to reveal their sources by obtaining subpoenas and compelling testimony and the required telecommunications records. But sometimes that&#8217;s not even necessary, because sources have already been exposed by their own lax communications. And then there is illicit monitoring &#45; I believe that American journalists should assume that their communications are being monitored by their government &#45; and possibly other governments as well. As an expert on privacy and government surveillance, I regularly speak with journalists at major news organizations, here and abroad. Of the hundreds of conversations I&#8217;ve had with journalists over the past few years, I can count on one hand the number who mentioned using some kind of intercept&#45;resistant encrypted communication tools. Even when journalists try to do the right thing, they still make dangerous mistakes, like relying on Skype. Skype is slightly more secure than phones but is by no means safe from snooping &#45; which can be done with commercially available interception software.   top           A &#8220;Wow&#8221;: CEO Pushes Reg FD Limits on Twitter   (CorporateCounsel.net, 27 Oct 2011) &#45; This blog  from Dominic Jones of IR Web Report is a &#8220;must&#8221; read. I&#8217;m going to tease it out by excerpting the first few paragraphs below:  ALAN Meckler, CEO of WebMediaBrands Inc. (NASDAQ: WEBM), may be single&#45;handedly redefining how corporate executives in the buttoned&#45;down world of public companies communicate with their investors. 
The 64&#45;year&#45;old media entrepreneur, whose company owns interests in a number of online businesses and blogs, has been   using Twitter    to talk about his micro&#45;cap company in ways that have stunned some observers and even drawn questions from the SEC. While some in the conservative world of corporate disclosure have speculated about   how Twitter might meet the SEC&#8217;s Reg FD requirements    , Meckler appears to have made up his mind that Twitter is as good a channel as any to break news about everything from pending acquisitions to his next quarter&#8217;s results. The result is that investors in WEBM are being treated to a new level of access to their chief executive and board chairman, as well as unprecedented commentary and news about the company&#8217;s business in a real&#45;time, abbreviated format that was previously unheard of.    top       Insulin Pump Hack Delivers Fatal Dosage Over the Air   (The Register, 27 Oct 2011) &#45; In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them. The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker Halted conference in Miami. It was delivered by McAfee&#8217;s Barnaby Jack, the same researcher who last year showed how to take control of two widely used models of automatic teller machines so he could cause them to spit out a steady stream of dollar bills. Jack&#8217;s latest hack works on most recent Medtronic insulin pumps, because they contain tiny radio transmitters that allow patients and doctors to adjust their functions. It builds on research presented earlier this year that allowed the wireless commandeering of the devices when an attacker was within a few feet of the patient, and knew the serial number of his pump. 
Software and a special antenna designed by Jack allow him to locate and seize control of any device within 300 feet, even when he doesn&#8217;t know the serial number.   top       NIST Publishes Guide for Monitoring Security in Information Systems   (BeSpacific, 28 Oct 2011) &#45;  Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations   (NIST Special Publication [SP] 800&#45;137):  &#8220;Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate). Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization&#8217;s information and information systems, along with organizational resilience given known threat information.&#8221;    top      Data Breach Mitigation Costs Were Cognizable Damages  (CCH Financial Privacy Law Guide, 31 Oct 2011) &#45; The U.S. Court of Appeals for the First Circuit determined that out&#45;of&#45;pocket mitigation costs of credit and debit card replacement and credit insurance incurred by data breach victims were reasonably foreseeable expenses and, therefore, constituted a cognizable harm under Maine law. The breach involved a Maine&#45;based supermarket chain operator&#8217;s electronic payment processing system that resulted in the theft of 4.2 million credit and debit card numbers. 
The First Circuit reversed a federal district court&#8217;s dismissal of negligence and implied contract claims arising from the data breach, in which it had determined that the alleged injuries were too unforeseeable and speculative to be cognizable under Maine law.  Anderson v. Hannaford Brothers Co.   [Analysis by Edwards Wildman here:  http://www.edwardswildman.com/newsstand/detail.aspx?news=2659&amp;amp;elq_mid=16289&amp;amp;elq_cid=996107  ]   top       Regulating Network Neutrality     (Media Law Prof Blog, 31 Oct 2011) &#45; Eric Null, Cardozo Law School, has published The Difficulty with Regulating Network Neutrality, at 29 Cardozo Arts and Entertainment Law Journal 459 (2011). Here is the abstract:  Network neutrality is, and has been, an essential design element of the Internet. Increasingly, there has been pressure to move from a neutral network to a network that is optimized for particular functions (such as video streaming), and technology has responded to that call through the creation of a powerful technology called Deep&#45;Packet Inspection. DPI allows access providers to directly violate the neutrality principle because it provides a mechanism for unequal treatment of content. The tension between network neutrality and DPI is significant &#45; so much so that the Federal Communications Commission (&quot;FCC&quot;) has intervened. The FCC recently published its final Report and Order for Preserving the Open Internet in the Federal Register, which establishes a general principle that neutrality should be safeguarded. Despite this safeguard, the FCC provided for a reasonable network management exception to neutrality, which allows access providers to treat content unequally if the provider is reasonably managing its network. The reasonable network management exception is a broad exception. However, a broad exception, potentially overbroad, may not be the most prudent form for regulating network neutrality. 
To determine what form is appropriate for network neutrality regulation, one should engage in a rules&#45;versus&#45;standards analysis specifically in this context. There is no obvious choice, but context can provide useful background when determining whether to regulate with rules or standards. Network neutrality regulation should be written as a rule, not a standard. Establishing a rule&#45;like regulation will deter non&#45;neutral behavior by access providers, and will preserve the Internet&#8217;s neutral architecture and the benefits that equal treatment of content provides. In addition, rule&#45;like regulations reduce the burden placed on enforcers, typically users, of the regulation. For these reasons, the reasonable network management exception should also be worded like a rule; those arguing for a broad, standard&#45;like exception have not successfully demonstrated why a broad exception is required.  Paper is here .   top            UK Cops Using Fake Mobile Phone Tower to Intercept Calls, Shut Off Phones   (Wired, 31 Oct 2011) &#45; Britain&#8217;s largest police force has been using covert surveillance technology that can masquerade as a mobile phone network to intercept communications and unique IDs from phones or even transmit a signal to shut off phones remotely, according to the Guardian. The system, made by Datong in the United Kingdom, was purchased by the London Metropolitan police, which paid $230,000 to Datong for &#8220;ICT hardware&#8221; in 2008 and 2009. The portable device, which is the size of a suitcase, pretends to be a legitimate cell phone tower that emits a signal to dupe thousands of mobile phones in a targeted area. Authorities can then intercept SMS messages, phone calls and phone data, such as unique IMSI and IMEI identity codes that allow authorities to track phone users&#8217; movements in real&#45;time, without having to request location data from a mobile phone carrier. 
In the case of intercepted communications, it is not clear whether the network works as a blackhole where intercepted messages go to die, or whether it works as a proper man&#45;in&#45;the&#45;middle attack, by which the fake tower forwards the data to a real tower to provide uninterrupted service for the user. In addition to intercepting calls and messages, the system can be used to effectively cut off phone communication, such as in a war zone where phones might be used as a trigger for an explosive device, or for crowd control during demonstrations and riots where participants use phones to organize. A spokesman for the U.S. Secret Service verified to CNET that the agency has done business with Datong, but would not say what sort of technology it bought from the company. The FBI is known to use a similar technology called Triggerfish, which also pretends to be a legitimate cell tower base station to trick mobile phones into connecting to it. The Triggerfish system, however, collects only location and other identifying information, and does not intercept phone calls, text messages, and other data. [Related Wired article on FBI&#8217;s use of such towers here .]   top            Homeland Security Reviews Social Media Guidelines   (AP, 31 Oct 2011) &#45; The wave of uprisings across North Africa and the Middle East that have overturned three governments in the past year have prompted the U.S. government to begin developing guidelines for culling intelligence from social media networks, a top Homeland Security official said Monday. Department of Homeland Security Undersecretary Caryn Wagner said the use of such technology in uprisings that started in December in Tunisia shocked some officials into attention and prompted questions of whether the U.S. needs to do a better job of monitoring domestic social networking activity. &#8220;We&#8217;re still trying to figure out how you use things like Twitter as a source,&#8221; she said. 
&#8220;How do you establish trends and how do you then capture that in an intelligence product?&#8221; Wagner said the department is establishing guidelines on gleaning information from sites such as Twitter and Facebook for law enforcement purposes. Wagner says those protocols are being developed under strict laws meant to prevent spying on U.S. citizens and protect privacy, including rules dictating the length of time the information can be stored and differences between domestic and international surveillance. Wagner said the Homeland Security department, established after the 9/11 attacks, is not actively monitoring any social networks. But when the department receives information about a potential threat, contractors are then asked to look for certain references within &#8220;open source&#8221; information, which is available to anyone on the Internet.   top    &#45; and &#45;      CIA Following Twitter, Facebook   (AP, 4 Nov 2011) &#45; In an anonymous industrial park in Virginia, in an unassuming brick building, the CIA is following tweets &#45; up to 5 million a day. At the agency&#8217;s Open Source Center, a team known affectionately as the &#8220;vengeful librarians&#8221; also pores over Facebook, newspapers, TV news channels, local radio stations, Internet chat rooms &#45; anything overseas that anyone can access and contribute to openly. From Arabic to Mandarin Chinese, from an angry tweet to a thoughtful blog, the analysts gather the information, often in native tongue. They cross&#45;reference it with the local newspaper or a clandestinely intercepted phone conversation. From there, they build a picture sought by the highest levels at the White House, giving a real&#45;time peek, for example, at the mood of a region after the Navy SEAL raid that killed Osama bin Laden or perhaps a prediction of which Mideast nation seems ripe for revolt. 
Yes, they saw the uprising in Egypt coming; they just didn&#8217;t know exactly when revolution might hit, said the center&#8217;s director, Doug Naquin. The center already had &#8220;predicted that social media in places like Egypt could be a game&#45;changer and a threat to the regime,&#8221; he said in a recent interview with The Associated Press at the center. CIA officials said it was the first such visit by a reporter the agency has ever granted. The CIA facility was set up in response to a recommendation by the 9/11 Commission, with its first priority to focus on counterterrorism and counterproliferation. But its several hundred analysts &#45; the actual number is classified &#45; track a broad range, from Chinese Internet access to the mood on the street in Pakistan. The center&#8217;s analysis ends up in President Barack Obama&#8217;s daily intelligence briefing in one form or another, almost every day.   top           Our Pleasure to Serve You: More Lawyers Look to Social Networking Sites to Notify Defendants     (ABA Journal, Oct 2011) &#45; Although Jessica Mpafe had not seen her husband in years, she assumed he moved back to West Africa&#8217;s Ivory Coast. Mpafe of Minnesota had no physical address to serve him with divorce papers. So she asked the court whether she could send the notice by general delivery, where the post office holds mail until the recipient calls for it. Kevin S. Burke, the Hennepin County, Minn., judge presiding over the case, thought that would be a waste of postage. &#8220;General delivery made sense 100 years ago, but let&#8217;s be real,&#8221; says Burke, implying that few use it anymore. Nor did the judge trust publishing legal notices in a trade paper when the defendant can&#8217;t be located. &#8220;Nobody, particularly poor people, is going to look at the legal newspaper to notice that their spouse wants to get divorced,&#8221; Burke says. 
On May 10 the judge wrote an order authorizing Mpafe to serve notice of process to her husband by email, &#8220;Facebook, Myspace or any other social networking site.&#8221; His order stated that while the court allowed service by publication in a legal newspaper, it was unlikely the respondent would see it. &#8220;The traditional way to get service by publication is antiquated and is prohibitively expensive,&#8221; Judge Burke wrote. &#8220;Service is critical, and technology provides a cheaper and hopefully more effective way of finding respondent.&#8221; It was something of a radical move. While courts in Australia, Canada, New Zealand and the United Kingdom embrace electronic legal notice, it&#8217;s rare in the United States. Many state and federal statutes disallow electronic service of process, lawyers say. In federal cases, some attorneys cite Federal Rule of Civil Procedure 4(f)(3), which allows service only for foreign defendants &#8220;by other means not prohibited by international agreement, as the court orders.&#8221; In a 2002 case, the 9th U.S. Circuit Court of Appeals at San Francisco upheld a default judgment against Rio International Interlink, a Costa Rican gambling website that was served electronically after traditional methods failed. The trademark infringement action was brought by Rio Properties Inc., a Las Vegas hotel and casino. The defendant, wrote Judge Stephen S. Trott, &#8220;had neither an office nor a door; it had only a computer terminal. ... When faced with an international e&#45;business scofflaw playing hide&#45;and&#45;seek with the federal court, email may be the only means of effecting service of process.&#8221;   top           Open Secret: Cisco Site Shares Privacy Approach   (ABA Journal, Oct 2011) &#45; Safeguarding information from the onslaught of rapidly advancing technologies that track, store and share sensitive data is one of the greatest concerns among businesses and law firms. 
Internet giant Cisco Systems feels it has found a collaborative approach to privacy, and it&#8217;s sharing its story right out there on the Web. &#8220;Privacy is an evolving area and there&#8217;s going to be a lot of changes to come. So let&#8217;s share our best practices,&#8221; says Van Dang, Cisco&#8217;s deputy general counsel. Dang recently launched a cloud&#45;based privacy portal on her company&#8217;s website so clients and corporations can explore Cisco&#8217;s privacy and compliance programs, as well as comment about their own best practices. The portal contains compliance reference materials such as agreement templates and security checklists, and it also promotes Cisco products. The portal hosts a community forum to encourage feedback, and it links to law firm and industry blogs on privacy and security issues. Dang hopes to eventually build a fully interactive platform that allows law firms to create and add their own content directly on the site. Developed during a nine&#45;week flurry by Dang and a team of Cisco professionals last winter, the project is intended to help legal departments and law firms offer greater client and consumer protection with fewer resources, while creating collaborative industry standards for best practices. The Cisco privacy portal is here.   top        &#45; and &#45;      TRUSTe to Issue Free Privacy Policy Creation Starter Kit for Mobile Developers   (ReadWriteWeb, 2 Nov 2011) &#45; Internet privacy solutions provider TRUSTe is concerned that mobile apps do not have built&#45;in privacy solutions. TRUSTe claims that 77% of all mobile applications lack privacy policies that can allow users to decide how they want to share data with third parties. As such, TRUSTe is coming out with a free privacy policy for mobile developers later this month. Essentially what TRUSTe is coming out with is a privacy policy wizard or starter kit for mobile developers that do not have policies in place for their apps. 
Developers are led through a set of questions defining what their apps do and do not do in terms of privacy and at the end of the quiz, TRUSTe gives them a line of code that links to the app&#8217;s privacy policy. The free version does not give a developer a certified TRUSTe privacy seal and there is potential for abuse of the system by creating a privacy policy with an app that does not follow those guidelines.   top       Keeping Up with the Joneses&#45;How Far Does the &#8216;Reasonable Expectation of Privacy&#8217; Go?   (ABA Journal, by Erwin Chemerinsky, 1 Nov 2011) &#45; One of the most difficult, and potentially most important cases of the U.S. Supreme Court term will be argued on Nov. 8. United States v. Jones involves the question of whether it is a search or seizure within the meaning of the Fourth Amendment when the police plant a GPS device on a person&#8217;s vehicle and monitor it for 24 hours a day, for 28 days. Since Katz v. United States, decided in 1967, the Supreme Court has defined the protections of the Fourth Amendment in terms of the &#8220;reasonable expectation of privacy.&#8221; But how does that apply in this situation? On the one hand, the court has long held that people have no expectation of privacy for their public activities. The police could have followed Jones&#8217; car on public streets for a month, perhaps by using undercover officers, and no one would have contended that there was a search or seizure that required a warrant. On the other hand, people have the expectation that police are not planting a device on their car to monitor their every move. As technology develops, police are gaining more ability to follow anyone at any time. A great deal of personal information can be learned by following someone for weeks. Yet, said Chief Judge Alex Kozinski of the 9th U.S. 
Circuit Court of Appeals, &#8220;There is something creepy and un&#45;American about such clandestine and underhanded behavior.&#8221; Kozinski, dissenting from denial of en banc rehearing in the 2010 case, United States v. Pineda&#45;Moreno, added, &#8220;To those of us who have lived under a totalitarian regime, there is an eerie feeling of d&#233;j&#224; vu.&#8221; [Editor: excellent, readable explication of the case.]   top        &#45; and &#45;      Judges Weigh Phone Tracking   (WSJ, 9 Nov 2011) &#45; State and federal authorities follow the movements of thousands of Americans each year by secretly monitoring the location of their cellphones, often with little judicial oversight, in a practice facing legal challenges. Electronic tracking, used by police to investigate such crimes as drug dealing and murder, has become as routine as &#8220;looking for fingerprint evidence or DNA evidence,&#8221; said Gregg Rossman, a prosecutor in Broward County, Fla. The use of cellphone tracking by authorities is among the most common types of electronic surveillance, exceeding wiretaps and the use of GPS tracking, according to a survey of local, state and federal authorities by The Wall Street Journal. The widening practice also presents one of the biggest privacy questions in a generation: Do police need a search warrant to follow a person&#8217;s minute&#45;by&#45;minute movements using satellite or cellphone technology? Al Gidari, a partner at law firm Perkins Coie whose clients include mobile carriers, told Congress last year that wireless service providers receive an &#8220;astronomical&#8221; number of requests for user records&#45;including location. &#8220;It is not uncommon for law enforcement to ask for a phone to be&#8221; tracked every 15 minutes, he said. Little is known about the practice because tracking requests are typically sealed from public view. 
While search warrants are generally delivered to people whose property is being searched, most people whose phones are targeted never learn about it. They typically find out only if they are charged with a crime and their tracking data are used as evidence against them. The Journal identified more than 1,000 instances of cellphone tracking in several large U.S. cities last year through open&#45;records requests and court documents. The data showed that the practice is a widely and increasingly used police tool. Magistrate Stephen Smith of Houston, Texas, who approves such surveillance orders, has been studying the available data and estimates that federal courts alone issue 20,000 to 30,000 cellphone tracking orders annually. By comparison, federal and state courts approved 3,194 wiretaps in 2010, according to federal records.   top           Safe in the Cloud? Online Service Risks Need Care and Coverage   (ABA Journal, 1 Nov 2011) &#45; Document security, always a law practice issue, has come to the forefront as law firms and their clients consider using online&#45;based software for business uses. Most often called cloud computing or software as a service, the process involves using the Internet to access useful applications. Rather than purchasing and installing the necessary software for a firm&#8217;s private computer system, users upload information onto the Internet&#45;&quot;the cloud&quot;&#45;where it is stored with a software service. &#8220;Certain levels of security will depend on the company you are dealing with and on the underlying cloud provider,&#8221; says Arlen Tanner, an attorney at Shook, Hardy &amp; Bacon in Kansas City, Mo., who specializes in business records management. &#8220;Most cloud&#45;based services are small startup companies leasing space on a large cloud, such as from Google, Amazon, Microsoft or IBM. 
Cloud service providers like Dropbox, for example, store your data on storage they lease from a major cloud provider.&#8221; Lawyers whose security measures prove inadequate for protecting client confidences are vulnerable to malpractice lawsuits. Liability depends on whether a lawyer has reasonable practices in place to protect against a breach of client confidences. A firm&#8217;s current malpractice insurance coverage for &#8220;errors and omission could cover some aspects of damages arising from a data breach depending on the factual circumstances, but it most likely doesn&#8217;t cover the type of expenses that can arise in the aftermath,&#8221; says Brant Weidner, a claims manager for Beazley Group in Chicago, a Lloyd&#8217;s of London syndicate offering lawyers&#8217; professional liability insurance, including specialty lines for cyber&#45; and data&#45;related losses. &#8220;The fixes that clients demand or the law requires when a breach occurs are very specific and expensive.&#8221; Weidner advises asking insurers what losses are covered for cyberattacks. &#8220;Lawyers should have coverage specifically designed to deal with the losses that can arise in the event of a data breach: That means notifying clients that data has been disclosed, credit monitoring if necessary, and hiring a computer security expert to figure out why there was a breach. There is also the possibility of civil fines for violations. All of these costs can have not only financial but also professional consequences,&#8221; he says. 
&#8220;Beyond the costs,&#8221; Weidner says, &#8220;firms also need to consider whether they have exercised reasonable care, and they need to know what reasonable care looks like.&#8221;   top        &#45; and &#45;           New Study Finds 67 Percent of Cloud Servers are Perceived Vulnerable or Potentially at Risk by IT Personnel   (Ponemon Institute, 2 Nov 2011) &#45; Dome9 Security &#8482;, the leading provider of cloud security management  for public and private clouds, as well as for dedicated and virtual private servers (VPS), and the Ponemon Institute, a privacy and information management research firm, today announced the results of a first&#45;of&#45;its&#45;kind cloud security study, which found that 67 percent of IT security respondents report that their organization is very vulnerable or vulnerable because cloud ports and firewalls are not adequately secured. Furthermore, 54 percent of respondents said their organizations&#8217; IT personnel are not knowledgeable or have no knowledge about the potential risk of open firewall ports in their cloud environments. The study &#8220;Cloud Security: Managing Firewall Risks&#8221; was independently conducted by the Ponemon Institute, one of the world&#8217;s foremost authorities on data security and privacy, and was sponsored by Dome9 Security. The research was conducted to determine the challenges  organizations face when managing access and securing firewalls and ports in cloud environments. The study analyzed responses from 682 IT and IT security practitioners in the United States working in organizations that use hosted or cloud servers (dedicated or virtual private servers). On average, respondents have more than 10 years of IT or IT security experience, and 40 percent come from organizations with 5,000 employees or more in globally dispersed locations. 
&#8220;We believe this is the first study to look at the risk to cloud security because of unsecured ports and firewalls, and the results are very revealing,&#8221; said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute. &#8220;It is commonly accepted that organizations believe they struggle with security in the cloud, but this study gets to a root of the problem. For example, more than half of the respondents said it is very likely or likely that administrative cloud server ports left open for access expose the organization to increased hacker attacks and security exploits. Nineteen percent say these exploits have already happened.&#8221; For a copy of the study, see: http://www.dome9.com/resources/ponemon&#45;cloud&#45;security&#45;study    top       Facebook: Monitoring Juror Social Media Networking Sites; &#8220;Friending&#8221; Employees of Adverse Parties     (ABA Journal, Nov 2011) &#45; You are representing a client in a personal injury matter. During pre trial voir dire  proceedings and during the trial itself, can you search for and monitor jurors&#8217; and potential jurors&#8217; Twitter accounts and social network Internet postings? What are your obligations should you uncover evidence of juror misconduct?   You represent a client in a wrongful discharge matter against the client&#8217;s former employer. You have reason to believe that certain high&#45;level employees of the employer are dissatisfied and may be likely to post unfavorable comments about the employer on their private social networking pages. Can you send a &#8220;friend&#8221; request to these employees to gain access to their private social media pages?  Since the publication of the last Eye on Ethics column on Facebook, November of 2010, &#8220;Facebook: State Bar Opinions Address Information Gathering,&#8221; there have been some new state bar opinions that have addressed various issues that relate to social networking. 
The topics covered include monitoring jurors&#8217; social network and Internet postings, and whether a lawyer can &#8220;friend&#8221; high&#45;level employees of an adverse represented party. [Editor: usefully parses recent NY County Opinion, and another by the San Diego County Bar.]   top        &#45; and &#45;           Case of Fake Facebook Profile Can Proceed, Judge Rules   (Law.com, 3 Nov 2011) &#45; A woman accused of impersonating her boyfriend on a fake Facebook page and posting inflammatory comments can be prosecuted for identity theft, a judge ruled Wednesday in a case that could have wider implications for cyber&#45;speech. Dana Thornton was indicted last year on one count of fourth&#45;degree identity theft, a crime punishable by a maximum 18&#45;month prison term upon conviction. Assistant Prosecutor Robert Schwartz said she created the Facebook page using photos and personal information about her ex&#45;boyfriend, a police detective in northern New Jersey, and posted comments purported to be from him. According to grand jury testimony recited in court Wednesday, among the comments posted on the page were that the ex&#45;boyfriend, a narcotics detective, was &#8220;high all the time,&#8221; had herpes and frequented prostitutes and escort services. At issue is a New Jersey law that makes it illegal to impersonate someone &#8220;for the purpose of obtaining a benefit for himself or another or to injure or defraud another.&#8221; Bradley Shear, a Bethesda, Md., lawyer who works on online issues, said he expects to see more cases like this one in the near future. The New Jersey case could be a difficult prosecution, he said, because of the way the state&#8217;s law is written. &#8220;This specific situation sounds like it may be better handled in civil rather than criminal court,&#8221; he said. &#8220;It&#8217;s very tough to say this is a violation of the law.&#8221; It is, however, a violation of Facebook&#8217;s terms of service, he said. 
So far, only California and New York have laws specifically banning online identity theft. Shear said those states are leading the way largely because of the large number of celebrities who live in them. But he said such laws can get tricky to enforce because it&#8217;s legally thorny when the alleged offender is out of state.   top        &#45; and &#45;           Judge Orders Exchange of Facebook and Dating Website Passwords in Custody Fight   (ABA Journal, 8 Nov 2011) &#45; A Connecticut judge has ordered lawyers representing a divorcing couple to exchange passwords to their clients&#8217; Facebook and dating websites. Judge Kenneth Schluger  ordered   the password exchange in the divorce of Stephen and Courtney Gallion, according to the Forbes blog  The Not&#45;So Private Parts   . The judge cautioned in a Sept. 30 order that the exchange should be carried out by the lawyers, and neither spouse may post messages purporting to be the other. Stephen Gallion&#8217;s lawyer, Gary Traystman, told the blog his client believes the social networking accounts will provide evidence about Courtney Gallion&#8217;s ability to take care of their children. Stephen Gallion is arguing for full custody. According to the story, other judges have issued similar orders. &#8220;In &#8216;normal&#8217; discovery, a litigant is usually asked to turn over &#8216;responsive material,&#8217; not the keys to access all that material and more,&#8221; the story says, &#8220;but it seems that judges are applying different standards to social networking accounts.&#8221;   top       Out of the Crowd: Public&#45;Supplied Info Gains Ground in Courts     (ABA Journal, 1 Nov 2011) &#45; In past years it wasn&#8217;t uncommon for a law firm, hired to defend a lucrative patent, to send associates and law clerks on time&#45;consuming, poorly directed missions to scour old filings and Internet databases in search of prior art to determine the origins of the invention in question. No more. 
Lawyers and clients are harnessing the collective search power of online global communities to uncover a single piece of existing artwork that could turn a multimillion&#45;dollar lawsuit. They&#8217;re crowdsourcing. Article One Partners develops patent studies that typically run six weeks, and asks targeted communities of scientists and other specialists to find relevant artwork for rewards that range from $5,000 to $50,000, depending on the nature of the dispute. The company then filters the submissions, sends the top selections to the client, and announces the winner of the best entry on its website. Crowdsourcing isn&#8217;t just for the patent set. Consumer reviews on a social media website provided important evidence in a trademark dispute in June when fast&#45;food chain Chipotle sued another establishment called Chipotles for infringement. One key factor in the court&#8217;s decision to grant the plaintiff injunctive relief was the actual confusion among consumers demonstrated on customer review sites Urbanspoon and Yelp, where reviews erroneously linked the plaintiff and defendant. &#8220;The case gives a good example of how companies (and their competitors) should be aware of how their brands appear in social media,&#8221; wrote Chicago&#45;based intellectual property lawyer Evan Brown on Internet Cases: A Blog About Law and Technology. Although the Arkansas federal court considered consumer reviews in the Chipotle dispute, crowdsourcing for admissible evidence may be a stretch in future cases as courts are likely to find user comments posted online as hearsay, particularly online user comments with no verifiable identity attached, Brown added. And it&#8217;s unlikely that an online consumer company like Yelp would comply in a civil suit to turn over commenters&#8217; credentials or IP addresses for verification. 
However, those concerns didn&#8217;t stop London&#8217;s Metropolitan Police from posting images taken from British surveillance cameras of alleged rioters on the photo&#45;sharing website Flickr this summer, asking the public to identify people in the photos for arrest. In this way, crowdsourcing was a digital version of circulating wanted posters and collecting the responses&#45;only on a much more visible lamppost.   top        Why Parents Help Their Children Lie to Facebook About Age: Unintended Consequences of the &#8216;Children&#8217;s Online Privacy Protection Act&#8217;     (Berkman&#8217;s community members danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey; 1 Nov 2011) &#45; Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children&#8217;s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general&#45;purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children&#8217;s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children&#8217;s practices of circumventing age restrictions, and how they feel about children&#8217;s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site&#8217;s restrictions and that they are often complicit in helping their children join the site. 
Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents&#8217; ability to make choices and protect their children&#8217;s data. Our data have significant implications for policy&#45;makers, particularly in light of ongoing discussions surrounding COPPA and other age&#45;based privacy laws.     top           Feds Drop Plan to Lie in Public&#45;Record Act Requests   (Wired, 3 Nov 2011) &#45; Bowing to political pressure, the Justice Department abruptly dropped proposed revisions to Freedom of Information Act rules Thursday that would have authorized the government to inform the public that requested records do not exist even if they do. The proposal would have granted the government a new option to state that documents relevant to a FOIA request did not exist. According to the Justice Department&#8217;s proposal, if the government believes records should be withheld, the government agency to which the request was made &#8220;will respond to the request as if the excluded records did not exist.&#8221; Under normal practice, which seems Orwellian enough, the government may assert that it can neither confirm nor deny that relevant records exist if the matter involves national security. Civil rights groups, and a host of lawmakers from both sides of the spectrum, had blasted the Justice Department&#8217;s original proposal .   top       Hyperlinks and the First Amendment   (MLPB, 3 Nov 2011) &#45; Anjali Dala, Yale University, Yale Information Society Project, has published Protecting Hyperlinks and Preserving First Amendment Values on the Internet in volume 13 of the University of Pennsylvania Journal of Constitutional Law (May 2011). Here is the abstract:  Hyperlinks are critical to communication in part because they facilitate access to information. They provide visitors on one website a way to navigate to internally referenced words, phrases, arguments, and ideas. 
In addition to being vehicles for communication, this article contends that hyperlinks are communicative in and of themselves. They signal user preferences, democratize the national dialogue, indicate credibility, function as a signature on a virtual petition and help establish virtual associations. This Article presents the first comprehensive examination of First Amendment concerns related to hyperlinks and argues that any judicial or legislative regulation of hyperlinks should be reviewed under a strict scrutiny standard. Nearly 50 years ago, the Supreme Court recognized a constitutional privilege to disseminate information in New York Times v. Sullivan. In Sullivan, the Court extended a constitutional privilege to newspapers because of their role as an incredibly important, unique medium of communication. The same sentiment should extend to protect new media as they emerge. This Article concludes by discussing how a strict scrutiny standard should be applied to claims alleging trademark infringement, e&#45;trespass, copyright infringement, contributory infringement, and contract violation as a result of hyperlink use.  Article here .   top           Ninth Circuit Affirms Google&#8217;s Section 230 Win Over a Negative Business Review   (Eric Goldman, 3 Nov 2011) &#45; The Blacks sued Google over a negative third party review of their business published in an unspecified Google property. This lawsuit was obviously preempted by 47 USC 230 from the get&#45;go, so I easily fit my prediction of the case&#8217;s outcome into a tweet . In August 2010, the district court dismissed the lawsuit  on Section 230 grounds in an efficient opinion. The Ninth Circuit didn&#8217;t find this case any more challenging than the district court did. In a brief unpublished memo opinion, the court upheld the district court&#8217;s ruling. 
The main substantive sentence of the Ninth Circuit&#8217;s opinion:  The district court properly dismissed plaintiffs&#8217; action as precluded by section 230(c)(1) of the Communications Decency Act (&quot;CDA&quot;) because plaintiffs seek to impose liability on Google for content created by a third party. See Fair Hous. Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157, 1162 (9th Cir. 2008) (en banc) (&quot;Section 230 of the CDA immunizes providers of interactive computer services against liability arising from content created by third parties . . . .&quot;); Carafano v. Metrosplash.com, Inc., 339 F.3d 1119, 1122 (9th Cir. 2003) (&quot;Through [section 230 of the CDA], Congress granted most Internet services immunity from liability for publishing false or defamatory material so long as the information was provided by another party.&quot;).  Black v. Google, Inc.  , 10&#45;16992 (9th Cir. Nov. 1, 2011).   top           Surveillance System May Have Recorded Courthouse Conversations in Violation of Federal Law   (ABA Journal, 4 Nov 2011) &#45; A security system installed in June in one or more courthouses in Baldwin County, Ala., included a number of cameras that also recorded audio placed in high&#45;risk areas such as exits and hallways. However, until yesterday no one apparently told lawyers who routinely look for a quiet spot in public areas to confer with clients, according to the Press&#45;Register. Local defense attorneys expressed outrage at the potential breach of attorney&#45;client privilege and the Baldwin County Commission said it had disabled the audio portion of the cameras this week &#8220;out of an abundance of caution,&#8221; the newspaper reports. District Attorney Hallie Dixon said she learned of the audio issue last week and insisted on the shutdown. The county sheriff says the U.S. Attorney&#8217;s office and the Federal Bureau of Investigation are reviewing the matter. 
&#8220;Just about every lawyer I have talked to has been shocked and outraged,&#8221; said Daniel Mitchell, a local defense lawyer. &#8220;We all knew there were cameras, but no one ever notified anyone that there was more than video monitoring. Our bar association certainly didn&#8217;t know about it.&#8221;   top           Apple&#8217;s Siri Could Get You into Hot Water Behind the Wheel   (SiliconValley.com, 7 Nov 2011) &#45; Siri may be a seductively smart companion. But let the new iPhone&#8217;s voice&#45;activated Gal Friday sit beside you as you drive up Highway 101 and you might get into trouble with the law. Or maybe not. Police say you can talk to Siri while driving. Just don&#8217;t touch her. &#8220;It&#8217;s legal to talk to Siri, as long as the phone&#8217;s not in your hand,&#8221; says San Jose police Lt. Chris Monahan. &#8220;But if you ask for directions and she puts them up on her screen for you to read, then California&#8217;s vehicle code says you&#8217;re breaking the law.&#8221; But in an example of the law being a few steps behind the technology it&#8217;s trying to address, the bill&#8217;s author says that because Siri is not &#8220;a person&#8221; the law may not apply at all. &#8220;I&#8217;m a legislator, not a judge or a law enforcement official,&#8221; said state Sen. Joe Simitian, D&#45;Palo Alto, who wrote the hands&#45;free and texting laws enacted in 2008 and 2009. &#8220;But I don&#8217;t see how asking Siri for driving instructions and then looking down at the text on the phone is any more of a violation of existing law than reading your GPS device. The law talks about communicating with any &#8216;person.&#8217; And if there&#8217;s one thing we know for sure, it&#8217;s that Siri is not a person.&#8221;   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-11-11T19:03:01-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 1&#45;22 October 2011 (v14.14)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_1_22_october_2011_v1414/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_1_22_october_2011_v1414/#When:16:29:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 1&#45;22 October 2011 (v14.14) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)   NEWS | RESOURCES | FUN | LOOKING BACK | NOTES    DHS Creates New Senior Cyber Position In NPPD   Orwell&#8217;s Armchair   EU Cloud Vendors Liable For Breaches   Federal Reserve Wants to Read Your Facebook Posts   Law School Lets You Apply For College From Smart Phones   Stream Away   Judge Suggests DMCA Allows DVD Ripping if You Own the DVD  How New Labor Guidelines Could Affect Your Social Media Policy   Arrested in Seattle, Computer Security Expert Creates Searchable Website of Police Dashcam Video Log   A Citizen&#8217;s Guide to Reporting on #OccupyWallStreet   Pentagon Website Covers Guantanamo Trials   FOIA and the Question of Secret Law   FBI To Launch Nationwide Facial Recognition Service   Publisher Claims Ownership of Time&#45;Zone Data   US Power Plants Vulnerable to Cyberattack   Cybercrime Becomes Bigger Threat to Energy Industry than Terrorists SEC Asks Companies to Disclose Cyber Attacks  RSA Details March Cyberattack, Blames &#8220;Nation State&#8221; for SecurId Breach   Does Keystroke Monitoring Violate ECPA?   
Judge Royce Lambert: No Warrant Needed For Cell Phone Location Data   People Are Starting To Leave Their Facebook Passwords In Their Will   Three Emerging Cyber Threats   How the Top 50 Nonprofits Do Social Media  Feds&#8217; Social Media Use Increases Why I Deleted My Facebook Account   Los Angeles To Google: We Won&#8217;t Pay For LAPD Seats   Spanish Court Reverses Course: Says Linking To Infringing Material Is A Crime   Supreme Court of Canada Stands Up for the Internet: No Liability for Linking   Cyber Attacks and Warfare   French Cookies Are Beginning to Taste Like British Biscuits        DHS Creates New Senior Cyber Position In NPPD (FederalNewsRadio, 22 Sept 2011) &#45; The Homeland Security Department continues to shift cybersecurity oversight chairs. Suzanne Spaulding is the new deputy undersecretary for the department&#8217;s National Protection and Programs Directorate (NPPD), according to an email from Rand Beers, DHS under secretary of NPPD, obtained by Federal News Radio. Spaulding replaces Phil Reitinger, who left June 3. Reitinger joined Sony as its chief information security officer in August. &#8220;Suzanne brings a wealth of experience, having spent nearly 25 years working on national security issues in the public and private sectors,&#8221; Beers wrote in the email to staff. &#8220;As deputy undersecretary, Suzanne will focus on efforts to reduce risk and enhance the resiliency of critical infrastructure, secure federal facilities, and advance identity management and verification.&#8221; In her new role, Spaulding will oversee the US&#45;VISIT program, infrastructure protection, the Federal Protective Service and the Office of Risk Management and Analysis. Spaulding is expected to start in early October, Beers said. Along with naming Spaulding, Beers said Greg Schaffer will move into a new position, the deputy undersecretary for cybersecurity on an interim basis. 
&#8220;This position will help the directorate ensure robust operations and strengthened partnerships in the constantly evolving field of cybersecurity,&#8221; Beers said. Schaffer has been the acting deputy undersecretary and will assume the role of acting deputy undersecretary for cybersecurity until a permanent person is announced in the coming weeks. Spaulding comes to DHS after serving as a principal for the Bingham Consulting Group in Washington. She also was the minority staff director for the House Permanent Select Committee on Intelligence and was the general counsel for the Senate Select Committee on Intelligence. Additionally, Spaulding spent six years at the CIA and served as senior counsel and legislative director for former Sen. Arlen Specter (D&#45;Pa.). [Editor: Suzanne is extremely capable and her background has prepared her well for this role. She&#8217;s also been very active in the ABA and with the Standing Committee on Law &amp; National Security, where I served with her from 2002&#45;2009.]   top    Orwell&#8217;s Armchair (by Derek Bambauer, forthcoming U. Chicago Law Review) &#45; Abstract: &#8220;America has begun to censor the Internet. Defying conventional scholarly wisdom that Supreme Court precedent bars Internet censorship, federal and state governments are increasingly using indirect methods to engage in &#8220;soft&#8221; blocking of on&#45;line material. This Article assesses these methods and makes a controversial claim: hard censorship, such as the PROTECT IP Act, is normatively preferable to indirect restrictions. It introduces a taxonomy of five censorship strategies: direct control, deputizing intermediaries, payment, pretext, and persuasion. It next makes three core claims. First, only one strategy &#45; deputizing intermediaries &#45; is limited significantly by current law. Government retains considerable freedom of action to employ the other methods, and has begun to do so. 
Second, the Article employs a process&#45;based methodology to argue that indirect censorship strategies are less legitimate than direct regulation. Lastly, it proposes using specialized legislation if the U.S. decides to conduct Internet censorship, and sets out key components that a statute must include to be legitimate, with the goal of aligning censorship with prior restraint doctrine. It concludes by assessing how soft Internet censorship affects current scholarly debates over the state&#8217;s role in shaping information on&#45;line, sounding a skeptical note about government&#8217;s potential to balance communication.&#8221; [Editor: recommended by Chris Soghoian]   top    EU Cloud Vendors Liable For Breaches (SC Magazine, 29 Sept 2011) &#45; The European Union will introduce rules that make cloud providers legally liable for data breaches. The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday. It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative. Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would be likely to sign up because it would give them a selling point. If they refused, they would be seen as unsafe, he said. Vendors must prove their security models were adequate to get accredited. Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.   top     Federal Reserve Wants to Read Your Facebook Posts  (FCW, 30 Sept 2011) &#45; Complaints on Twitter or Facebook about jobs or rising food prices may become fodder for the Federal Reserve Bank of New York&#8217;s assessments of the world&#8217;s current economic conditions. 
The bank has issued a request for proposals seeking a contractor to help gauge the nation&#8217;s economic mood by sampling conversations on social media platforms such as Facebook, Twitter, YouTube and blogs. The bank said it wants a Sentiment Analysis and Social Media Monitoring Solution to gather and report data from around the world, in multiple languages, on a continuous basis. The proposal calls for &#8220;Social Media Listening Platforms&#8221; to be created to &#8220;monitor billions of conversations&#8221; and generate text analytics. Bank officials state in the RFP that they want to stay current on public opinion, and social media monitoring provides a means to do that. &#8220;Social media platforms are changing the way organizations are communicating to the public,&#8221; the request states. &#8220;Conversations are happening all the time and everywhere. There is need for the Communications Group to be timely and proactively aware of the reactions and opinions expressed by the general public as it relates to the Federal Reserve and its actions on a variety of subjects.&#8221;   top     Law School Lets You Apply For College From Smart Phones  (Atlanta TV, 3 Oct 2011) &#45; John Marshall School of Law in Atlanta has taken the act of applying to school and brought it into the new age of technology. John Marshall has introduced a mobile application that allows potential students to apply for law school from the palm of their hand. Prospective students can visit m.johnmarshall.edu from their mobile device from their smart phone or their tablet to apply. &#8220;We want students to be able to come to a law school forum, tour our campus, talk to us and apply immediately. If they have to wait until they get home and turn on a computer, they may not apply,&#8221; Alan Boyer, Associate Dean of Recruitment and Marketing said in a statement released Monday. 
Students who use their mobile device over the next few weeks to apply to John Marshall will also get a waiver of the customary $50 application fee.   top    Stream Away (Inside Higher Ed, 5 Oct 2011) &#45; A federal judge on Monday threw out a lawsuit by an educational media trade group and one of its constituents against the University of California over the legality of streaming copyrighted videos on secure course websites. While the case was dismissed largely on technical grounds, U.S. District Court Judge Consuelo B. Marshall indicated that streaming a copyrighted work on a secure website is no different from holding a screening in a classroom. &#8220;The type of access that students and/or faculty may have, whether overseas or at a coffee shop, does not take the viewing of the DVD out of the educational context,&#8221; Marshall wrote in her decision. Because the only rights&#45;holding plaintiff in the case, Ambrose Video Publishing, had licensed UCLA to &#8220;publicly perform&#8221; its videos in the classroom, streaming it on a secure site was also permissible, the judge said. However, legal experts say the decision hardly resolved the central question of whether streaming copyrighted videos in online classrooms is protected under the fair use provisions to U.S. copyright law. The Association for Information and Media Equipment (AIME), along with Ambrose, brought the suit late last year after it found out that the University of California at Los Angeles was facilitating online streaming for its courses. The case attracted a great deal of attention from fair use advocates, who argued&#8212;as did the university&#8212;that allowing students to stream videos via password&#45;protected course websites was no different from convening a group viewing in a classroom, which they argued was covered under fair use. 
AIME has countered that in order to convert the videos into digital versions that could be streamed, UCLA was copying the videos&#8217; content unlawfully.   top   &#45; and &#45;     Judge Suggests DMCA Allows DVD Ripping if You Own the DVD  (ArsTechnica, 5 Oct 2011) &#45; A Monday ruling suggests that educational institutions are entitled to stream legally purchased DVDs on campus without the permission of copyright holders. A federal judge dismissed a lawsuit charging UCLA with violating the Digital Millennium Copyright Act and other provisions of copyright law by ripping DVDs and streaming them to students. &#8220;UCLA is pleased that the court dismissed the plaintiffs&#8217; lawsuit challenging UCLA&#8217;s practice of streaming previously purchased video content for educational purposes,&#8221; said Scott Waugh, UCLA executive vice chancellor and provost. &#8220;The court ruling acknowledges what UCLA has long believed, that streaming licensed DVDs related to coursework to UCLA students over UCLA&#8217;s secure network is an appropriate educational use.&#8221; The lawsuit was brought by a trade association of educational video publishers called the Association for Information Media and Equipment (AIME), and one of its members, Ambrose Video Publishing. The plaintiffs allege that around January 2006, UCLA purchased video streaming software that included a DVD&#45;ripping capability, and began streaming DVDs it had purchased&#45;including some belonging to Ambrose&#45;to members of the UCLA community. Ambrose and AIME sued in December 2010, alleging copyright infringement, breach of contract, and other harms. They argued that UCLA violated the anti&#45;circumvention provisions of the DMCA when it ripped Ambrose&#8217;s copy&#45;protected DVDs. They also argued that its DVDs are sold under a licensing agreement that prohibits rebroadcast and public display. 
And they noted that Ambrose was just one of many copyright holders whose works were included in UCLA&#8217;s 2,500&#45;work streaming library. UCLA countered that copyright&#8217;s fair use doctrine gives educators broad latitude to publicly perform copyrighted works as part of their instructional activities. They also noted that Ambrose&#8217;s own catalog states that &#8220;All purchases by schools and libraries include public performance rights.&#8221; As for the DMCA claim, UCLA argued that because the school was the lawful owner of the DVDs at issue, it had a right to access the DVDs and therefore could not have run afoul of the ban on circumventing access&#45;control measures. Judge Consuelo B. Marshall sided with UCLA. He noted that the plaintiffs conceded that UCLA had the right to show its DVDs in the classroom, and ruled that UCLA&#8217;s streaming service was functionally equivalent. &#8220;The type of access that students and/or faculty may have, whether overseas or at a coffee shop, does not take the viewing of the DVD out of the educational context,&#8221; he wrote. Marshall also ruled that UCLA&#8217;s copies of the DVDs were incidental to its lawful streaming service, and was therefore fair use. Case is  Association For Information Media and Equipment v. University of California    top    How New Labor Guidelines Could Affect Your Social Media Policy (Mashable, 5 Oct 2011) &#45; While social media has been around for a while, there are still aspects of it that are very new, such as policy development. Such policies have to stand the test of time and evolve as the workplace &#45; and the social media platforms and their usage &#45; changes. In August, the National Labor Relations Board (NLRB) released a report on the outcome of investigations into 14 cases involving the use of social media and employers&#8217; social media policies. The NLRB is an independent agency in the U.S. 
government that protects employees&#8217; rights to join together to improve wages and working conditions, with or without a union. Here&#8217;s an overview of the report and some pointers on what your company should consider when it comes to social media policy development.   top     Arrested in Seattle, Computer Security Expert Creates Searchable Website of Police Dashcam Video Log  (ABA Journal, 5 Oct 2011) &#45; Arrested three years ago in Seattle when a police officer apparently didn&#8217;t appreciate his &#8220;brainiac&#8221; attitude after he was questioned about swatting giant sponge golfballs from bar to bar during a pub crawl, a computer security expert has fought back bigtime. Once the obstruction case against him was dismissed, Eric Rachner pursued a public&#45;disclosure claim against the city&#8217;s police department over its failure to provide all video camera footage of his arrest, winning a $60,000 judgment. And today he filed suit against the department again, asserting claims in his King County Superior Court complaint (PDF) for false arrest, obstruction of justice, malicious prosecution and &#8220;spoliation of video evidence,&#8221; reports the Seattle Times. But that&#8217;s not all. Tomorrow the 35&#45;year&#45;old Rachner plans to activate a website that he says will allow arrested citizens and their attorneys to see whether there is any video from the dashboard cameras that police are supposed to activate during arrests. As part of the judgment in his favor in the disclosure suit, Rachner and his lawyer, Cleveland Stockmeyer, were given copies of the department&#8217;s log of every dashcam arrest video shot by Seattle patrol officers between July 2008 and August of this year. By checking the log, other arrestees and their counsel &#8220;might find, as we did in Eric&#8217;s case, that the video and the police reports were so at odds that they might as well have been from different incidents,&#8221; Stockmeyer tells the Times. 
Much of Rachner&#8217;s latest suit focuses on what he contends is a widespread practice of the department of failing to provide requested dashcam footage not only to arrestees who request it but even to federal investigators. The department, he alleges in the suit, &#8220;has had a policy and custom to falsely conceal video when it is requested.&#8221; Other videos, he claims, have been lost and officers sometimes don&#8217;t activate the dashcams when they are supposed to, all of which results in a loss of evidence. A local television station filed suit against the police last month, the newspaper says, after learning Rachner had dashcam logs that had been withheld from a reporter.   top    A Citizen&#8217;s Guide to Reporting on #OccupyWallStreet (Berkman&#8217;s CMLP, 7 Oct 2011) &#45; We at the Citizen Media Law Project have taken great interest in the ongoing &#8220;Occupy Wall Street&#8221; protest in New York. Much of what we know about the protest has come from independent reporters and citizen journalists covering the story from the ground. Knowing this, we are alarmed to hear reports of police arresting reporters during the protest. This, of course, could greatly discourage press coverage of this story. In order to encourage citizen reporting from the ground in New York, and to dispel the uncertainties as to the rights of those covering the protest, we have created this special question&#45;and&#45;answer guide regarding covering the protest in New York as a special addendum to our CMLP Legal Guide. For more general information, you can also refer to our guide&#8217;s section on New York law. Note: This guide specifically addresses the law as it pertains to New York City and the protests currently occurring in Zuccotti Park. The information provided below will not apply with respect to the other #occupy protests throughout the country. 
While we tried our best to present the law as it generally applies in New York, specific facts and circumstances often alter outcomes in specific cases. Also, this post provides the law as it exists in October of 2011. We do not intend to update this post as the law changes, so if you find yourself returning to this at a later time please note that the law may have changed.  PDF version of the CMLP guide here.   top    Pentagon Website Covers Guantanamo Trials (Robert Ambrogi, 7 Oct 2011) &#45; The Department of Defense has launched a website, Military Commissions, devoted to coverage of trials by the military courts in operation at Guantanamo to try accused terrorists. Notably, the site allows users to view and download documents and court filings from the commission cases against specific individuals and to obtain summaries of the charges against them. The site also provides a description of military commissions and how they work. It includes an interesting chart that compares the rules and procedures in military commissions with those in courts&#45;martial and Article III courts. There is also a collection of significant court opinions relating to military commissions and of current and historical documents pertaining to the commissions. There is even a section providing details on travel to Guantanamo Bay. 
The Pentagon created the site, it says, to help &#8220;provide fair and transparent trials of those persons subject to trial by Military Commissions while protecting national security interests.&#8221;   top    FOIA and the Question of Secret Law (Lawfare, 7 Oct 2011) &#45; Charlie Savage of the New York Times has filed this FOIA suit in an effort to acquire a classified report issued by DOJ and ODNI to Congress &#8220;pertaining to intelligence collection authorities&#8221; under section 215 of the USA PATRIOT Act (permitting the government to obtain from the FISC an order for the production of &#8220;any tangible things&#8221; upon a showing of &#8220;reasonable grounds&#8221; in relation to an international terrorism or counterintelligence investigation). The report appears to have sparked fierce objections from Senators Ron Wyden and Mark Udall, who have asserted in floor debate that the government has a troubling &#8220;secret&#8221; interpretation of the PATRIOT Act. The suit itself presents the question whether legal analysis, as distinct from details of the program itself, warrants protection under FOIA exemption 1. The complaint calls for release of at least a redacted version of the DOJ/ODNI report, if not the whole thing. If successful, of course, this strategy could have significant implications across a range of settings involving internal government legal advice.   top    FBI To Launch Nationwide Facial Recognition Service (NextGov, 7 Oct 2011) &#45; The FBI by mid&#45;January will activate a nationwide facial recognition service in select states that will allow local police to identify unknown subjects in photos, bureau officials told NextGov. The federal government is embarking on a multiyear, $1 billion dollar overhaul of the FBI&#8217;s existing fingerprint database to more quickly and accurately identify suspects, partly through applying other biometric markers, such as iris scans and voice recordings. 
Often law enforcement authorities will &#8220;have a photo of a person and for whatever reason they just don&#8217;t know who it is [but they know] this is clearly the missing link to our case,&#8221; said Nick Megna, a unit chief at the FBI&#8217;s criminal justice information services division. The new facial recognition service can help provide that missing link by retrieving a list of mug shots ranked in order of similarity to the features of the subject in the photo. Today, an agent would have to already know the name of an individual to pull up the suspect&#8217;s mug shot from among the 10 million shots stored in the bureau&#8217;s existing Integrated Automated Fingerprint Identification System. Using the new Next&#45;Generation Identification system that is under development, law enforcement analysts will be able to upload a photo of an unknown person; choose a desired number of results from two to 50 mug shots; and, within 15 minutes, receive identified mugs to inspect for potential matches. Users typically will request 20 candidates, Megna said. The service does not provide a direct match. Michigan, Washington, Florida and North Carolina will participate in a test of the new search tool this winter before it is offered to criminal justice professionals across the country in 2014 as part of NGI. The project, which was awarded to Lockheed Martin Corp. in 2008, already has upgraded the FBI&#8217;s fingerprint matching service. Local authorities have the choice to file mug shots with the FBI as part of the booking process. The bureau expects its collection of shots to rival its repository of 70 million fingerprints once more officers are aware of the facial search&#8217;s capabilities. [Editor: reminds me of the premise behind CBS&#8217;s interesting new show &#8220;Person of Interest&#8221;.]   
top    Publisher Claims Ownership of Time&#45;Zone Data (Wired, 9 Oct 2011) &#45; The publisher of a database chronicling historical time&#45;zone data is claiming copyright ownership of those facts, and is suing two researchers for re&#45;purposing it in a free&#45;to&#45;use database relied on by millions of computers. The researchers&#8217; publicly available database was being hosted on a server at the Maryland&#45;based National Institutes of Health, which apparently has removed the data at the request of Massachusetts&#45;based publishing house, Astrolabe. The publisher markets its programs to astrology buffs &#8220;seeking to determine the historical time at any given time in any particular location, world&#45;wide,&#8221; and claims ownership to the data in its &#8220;AC International Atlas&#8221; and &#8220;ACS American Atlas&#8221; software programs. Astrolabe&#8217;s federal lawsuit, filed last week, is among the boldest claims of copyright infringement since 2005. That&#8217;s when Bikram Choudhury, the hot&#45;yoga guru, claimed copyright to his yoga positions. Choudhury had sent cease&#45;and&#45;desist letters ordering studios to stop teaching what he claimed were his copyrighted yoga poses. In an out&#45;of&#45;court settlement, the targeted studios agreed they would not capitalize off of the Bikram brand name. But they were not prohibited from teaching his style of yoga, which was based off of an art form thousands of years old. The suit also faces the tough challenge of overcoming a 1991 Supreme Court decision, concerning a company that harvested listings from a phone company&#8217;s telephone book and re&#45;published them. 
The court ruled that &#8220;copyright does not extend to facts contained in [a] compilation.&#8221; Astrolabe claims Arthur Olson, a computer scientist at the National Institutes of Health, and Paul Eggert, a computer scientist at the University of California at Los Angeles, have &#8220;unlawfully reproduced the works&#8221; (.pdf) and distributed them without permission from the copyright holder. The allegedly infringing database credits the Astrolabe database.   top    US Power Plants Vulnerable to Cyberattack (FT, 11 Oct 2011) &#45; Hundreds of thousands of people in darkness, hospitals in chaos, a banking system under siege &#45; a cyberattack on the US electricity grid could have catastrophic consequences. When federal researchers discovered that outside hackers could take control of the generators used to produce electricity in the US and destroy them, analysts warned that a coordinated assault on the grid could blackout large regions and cause devastation akin to scores of hurricanes striking at once. Regulators asked utilities to fix that design flaw, as they have with others discovered later. Now, four years since that first warning, experts say that power plants &#45; along with financial institutions, transportation systems and other infrastructure &#45; have become even more vulnerable. &#8220;The next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental system,&#8221; Leon Panetta, US defence secretary, said at his June confirmation hearing. The economic damage from a single wave of cyberattacks on critical infrastructure could exceed $700bn &#45; or the cumulative toll of 50 major hurricanes ripping into the nation simultaneously, wrote Stanton Sloane when he was chief executive of SRA International. Skeptics argue that the dangers are being talked up by those eager to be hired to help. 
Other countries, such as the UK, are also exposed, but officials agree that the US is the most vulnerable to cyberattack because its companies and people are so dependent on the internet. [M]ost alarming for the US defence establishment is the lack of security around the electricity grid. Many power plants, as well as factory floors and pipelines, rely on automation equipment that can be reprogrammed remotely yet do not require even the authentication imposed on average computer users, said John Pollet of Red Tiger Security, which has carried out security assessments on more than 150 facilities: &#8220;There is a systemic problem&#8221; across all manufacturers of the gear. Some control systems can be located with special Google searches and then ordered to shut down or speed up, potentially blowing up a power or water treatment plant, presentations at Black Hat hackers conference showed in August. Many of these control systems were designed before the age of widespread internet connections.   top   &#45; and &#45;     Cybercrime Becomes Bigger Threat to Energy Industry than Terrorists  (FuelFix, 13 Oct 2011) &#45; In years past, discussions about security in the energy industry usually focused on protecting refineries from terrorist attacks and overseas workers from kidnapping. Today, the greater threat is the digital theft of competitive information or technical data by outside hackers or unscrupulous employees, speakers at an FBI&#45;sponsored event on energy security said Wednesday. &#8220;The shift from physical security to data security has been a significant one for all of us,&#8221; said Russell Cancilla, Vice President and Chief Security Officer at Baker Hughes. 
&#8220;Theft of intellectual property, state&#45;sponsored corporate espionage, those kinds of things have grown exponentially in recent years.&#8221; A few well&#45;known incidents in the energy industry occurred in 2008, when computer systems owned by oil companies including ConocoPhillips, Marathon Oil and Exxon Mobil were reportedly hacked by outside forces seeking oil and gas lease bidding information. Sections of the U.S. power grid were also probed by outside forces in recent years, although it does not appear any damage was done. But the energy industry tends to be tight&#45;lipped about such breaches. [Editor: Baker Hughes seems to have evolved their thinking since March&#8217;s MIRLN 14.04.]   top   &#45; and &#45;    SEC Asks Companies to Disclose Cyber Attacks (Reuters, 13 Oct 2011) &#45; U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high&#45;profile Internet crimes. The Securities and Exchange Commission issued guidelines on Thursday that laid out the kind of information companies should disclose, such as cyber events that could lead to financial losses. Senator John Rockefeller had asked the SEC to issue guidelines amid concern that it was becoming hard for investors to assess security risks if companies failed to mention data breaches in their public filings. &#8220;Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything,&#8221; Rockefeller said in a statement. &#8220;It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it,&#8221; Rockefeller said in a statement. There is a growing sense of urgency about cyber security following breaches at Google Inc, Lockheed Martin Corp, the Pentagon&#8217;s No. 
1 supplier, Citigroup, the International Monetary Fund and others. Tom Kellermann, chief technology officer of security firm AirPatrol Corp, said that the SEC guidance tells companies to report cyber attacks and disclose steps to remediate problems. &#8220;They must also incorporate cyber events into their material risk reports,&#8221; said Kellermann, who has advised U.S. President Obama on cyber policy. The SEC gets into specifics, telling companies what type of data they might need to provide investors. &#8220;Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue,&#8221; it says. SEC guidance here: www.sec.gov/divisions/corpfin/guidance/cfguidance&#45;topic2.htm [Editor: there&#8217;s much to criticize in the guidance &#45; e.g., the seeming requirement fully to disclose exploited vulnerabilities, which might still be exploited &#45; but I think this is a move in the right direction. See article from Hogan Lovells.]   top     RSA Details March Cyberattack, Blames &#8220;Nation State&#8221; for SecurId Breach  (Ars Technica, 12 Oct 2011) &#45; At EMC&#8217;s RSA Conference Europe in London today, RSA executives shared more details on the cyber attack that stole information on the company&#8217;s SecurID authentication tokens in March. RSA executive chairman Coviello said at a press conference that two separate hacker groups worked in collaboration with a foreign government, ZDNet UK reports. He would not disclose the parties involved, but said &#8220;we can only conclude it was a nation&#45;state sponsored attack.&#8221; According to RSA executives, no customers&#8217; networks were breached as a result of the SecurID data stolen. RSA president Tom Heiser said during a presentation at the conference it was clear that the attack was intended to go after military contractors&#8217; data. 
The coordinated effort used a series of spear phishing attacks against RSA employees, posing as people they trusted, to penetrate the company&#8217;s network. The phishing attack installed a &#8220;zero&#45;day&#8221; exploit to establish a foothold. IDG reported that the exploit used an Excel spreadsheet with an embedded malicious Adobe Flash file. The foothold, and the tag&#45;team attack that followed, were used to gain access to the SecurID data. However, RSA&#8217;s chief security officer Eddie Schwartz said during the press conference that the intrusion was detected before any customers were attacked. According to RSA executives, the data was used in only one attack on a customer, and that attack was unsuccessful. No other customers were affected, according to RSA, despite reports that several defense contractors, including Lockheed Martin, had experienced breaches.   top    Does Keystroke Monitoring Violate ECPA? (Steptoe, 13 Oct 2011) &#45; A recent federal court decision points out two of the many critical ambiguities in the Electronic Communications Privacy Act (ECPA): what constitutes an &#8220;interception&#8221; under the Wiretap Act portion of ECPA, and when is an email in &#8220;electronic storage&#8221; and therefore protected by the Stored Communications Act portion of ECPA? The court in Rene v. G.F. Fishers Inc. held that the use of keystroke logging software to monitor signals sent from a keyboard to a personal computer was not an interception of an electronic communication because it did not occur on &#8220;a system affecting interstate or foreign commerce.&#8221; But the court found that the same actions could violate Indiana&#8217;s wiretapping law, underscoring again how state laws may be more privacy&#45;protective than ECPA. 
The court also held that unopened emails in a person&#8217;s inbox are in &#8220;electronic storage&#8221; within the meaning of the SCA, and reserved judgment on whether opened emails were also in electronic storage. The storage question is one that has befuddled courts for years.   top     Judge Royce Lamberth: No Warrant Needed For Cell Phone Location Data  (BLT, 13 Oct 2011) &#45; Prosecutors do not need a warrant to compel a cellular phone service provider to turn over data about call location, a federal judge in Washington said in a ruling unsealed Wednesday. The ruling examines the government&#8217;s attempt to get data from the undisclosed service provider amid a U.S. Attorney&#8217;s Office investigation of an armed robbery of an armored truck. Chief Judge Royce Lamberth of U.S. District Court for the District of Columbia redacted the name of the service provider, the target phone number and the name of its alleged user. Lamberth ruled in part for prosecutors, reviving the government&#8217;s push to obtain cell phone data. The judge reversed a magistrate judge&#8217;s ruling from August. But Lamberth did not rubberstamp the government&#8217;s request, submitted under the Stored Communications Act. Instead, he said prosecutors must present additional evidence to prove the requested data is material to the armed robbery investigation. The burden is lower than the one a warrant would require. The dispute gave the court the opportunity to explore the scope of a controversial Washington federal appeals court ruling about the propriety of warrantless GPS surveillance. In ruling against the government in the armed robbery matter, Magistrate Judge John Facciola said the D.C. Circuit&#8217;s decision in Jones required the government to obtain a warrant to compel the disclosure of the requested cellular data. 
Lamberth said that Facciola concluded that cell phone data&#45;including the location of the tower that transmitted a call&#45;is &#8220;tantamount to the sort of continuous GPS surveillance&#8221; at issue in the GPS case. A &#8220;reasonable cellular phone customer presumably realizes that his calls are all transmitted by nearby cell&#45;site towers, and that cellular phone companies have access to and likely store data regarding the cell&#45;site towers used to place a customer&#8217;s calls,&#8221; Lamberth said. Lamberth said a person&#8217;s &#8220;decision to place a cellular phone call and thus provide information regarding his location to the phone company thus defeats an individual&#8217;s privacy interest in that information.&#8221; Lamberth&#8217;s ruling here.   top     People Are Starting To Leave Their Facebook Passwords In Their Will  (Business Insider, 13 Oct 2011) &#45; One in 10 people in the United Kingdom leave their passwords to sites such as Facebook, Flickr, and Tumblr in their will, according to a story in the Guardian. Facebook makes it difficult for living members to get the passwords of their deceased relatives. As a result, &#8220;growing numbers of people want their digital identities to be controlled after they are gone,&#8221; Emma Barnett writes. &#8220;They also want their families to have access to personal photos and home videos which are now more commonly being stored in the cloud, rather than in a physical album at home.&#8221; The trend is increasing because people in Britain and all over the world have noticed Facebook walls of the deceased becoming easy targets for hacking and spammers. The European Union is also considering laws that would give living relatives easier access. But for now, an increasing number of wills will include a strange series of letters and numbers (or, you know, something like noah1234).   
top    Three Emerging Cyber Threats (Bruce Schneier, 15 Oct 2011) &#45; Last month, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: (1) The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data&#45;collection companies like Facebook and Google. They&#8217;re collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior. (2) Ill&#45;Conceived Regulations from Law Enforcement. We&#8217;re seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I&#8217;m thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they&#8217;ll all make us less safe. (3) The Cyberwar Arms Race. I&#8217;m not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.   top     How the Top 50 Nonprofits Do Social Media  (PhilanTopic, 17 Oct 2011) &#45; We love a good infographic&#8212;especially when it relates to things that interest us, like nonprofits and social media. This one, from craigslist founder Craig Newmark and the folks at craigconnects, kept us busy for a while. 
Based on an informal audit conducted in August and September, the infographic is intended to answer questions like: Do the highest&#45;earning nonprofits use social media more effectively than nonprofits that earn less? Are those same nonprofits the most &#8220;engaging&#8221;? How are people using social media to respond to and interact with large nonprofits? Here are a few key findings:  92 percent of the top 50 nonprofits promote at least one social media presence on their homepage;  PBS has the most followers (840,653) on Twitter;   The American Cancer Society follows the most people/orgs (200,522) on Twitter;  Food for the Poor is the most &#8220;talkative&#8221; nonprofit on Facebook, with 220 posts over the two&#45;month survey period;  The nonprofit with the highest net income, the YMCA, only posted 19 times to Facebook over the two&#45;month survey period but has more than 24,000 fans. top   &#45; and &#45;    Feds&#8217; Social Media Use Increases (NextGov, 18 Oct 2011) &#45; Federal employees are increasingly turning to social media websites for work and personal use, particularly as more agencies lift restrictions on access, according to a new survey. The new Social Media in the Public Sector study, released Tuesday by Market Connections, found that just 19 percent of agencies ban access to some or all social media websites like Facebook, Twitter and LinkedIn. This is down sharply from 2010, when 55 percent of agencies banned access. The survey, which was conducted in September and drew nearly 900 public sector participants, including 352 federal employees and 272 government contractors, found that 74 percent of all respondents access social media websites at work, while 92 percent access them at home and 70 percent access them on mobile devices. The most widely used mobile devices by feds were the iPhone (53 percent), Blackberry (42 percent), Android (39 percent) and iPad (27 percent). 
LinkedIn and Twitter showed the biggest gains among social media websites used by federal respondents. Use of LinkedIn by feds, for example, grew from 32 percent in 2010 to 70 percent this year, while Twitter use increased from 30 percent last year to 55 percent this year. Eighty&#45;six percent of federal respondents said they use Facebook, up from 72 percent last year, while 80 percent said they use YouTube, up from 61 percent in 2010, the survey found. Government&#45;specific social networking websites also saw a boost in federal participation. According to the survey, 35 percent of federal workers and 55 percent of contractors said they use GovLoop, while GovTwit is being used by 30 percent of both government and contractor employees. Meanwhile, 37 percent of federal respondents said they are permitted to use social media as representatives of their agency, versus just 9 percent last year. Federal respondents said social media was most useful in helping inform decision making (100 percent), communicating externally with citizens and other agencies (81 percent), communicating with colleagues (78 percent), research (64 percent) and promotion/marketing (61 percent), the survey found.   top   &#45; and &#45;    Why I Deleted My Facebook Account (Bitter Lawyer, 18 Oct 2011) &#45; Two weeks ago today, I did something that I thought was fairly non&#45;controversial (I was wrong, apparently). I deactivated my Facebook account. And not just the half&#45;hearted deactivation option Facebook offers, whereby your account remains saved and can be reactivated at any time&#45;I actually completely deleted my account. Here&#8217;s the really crazy part: I&#8217;ve spent the last 14 days fielding hundreds of emails from family, friends, and periphery ranging from mere curiosity to utter disbelief that I&#8217;m no longer on Facebook. No one can understand why I would ever want to disconnect myself from the (unfortunately) ubiquitous social network. Well, here&#8217;s why. 
[Editor: isn&#8217;t there some irony in the fact that she&#8217;s blogging about escaping too&#45;much&#45;sharing with the &#8220;Screen People&#8221;? Still, I take her point.]   top     Los Angeles To Google: We Won&#8217;t Pay For LAPD Seats  (Business Insider, 18 Oct 2011) &#45; One of Google&#8217;s flagship government customers is trying to get out of paying for part of its contract, saying that Google has been too slow to meet its revised security requirements. Two years ago, Google got the City of LA to switch 30,000 employees from its old email system, Lotus Groupwise, to Gmail. But the deployment is going slower than expected because of additional security requirements by the LA Police Department. The LA Times reported on these problems back in April. Now, an August 2011 letter from Los Angeles CTO Randi Levin shows what the city is demanding. That letter says that CSC has been &#8220;unable to complete and comply with all LAPD security requirements&#8221; and other agencies that keep criminal records. So the city of LA is refusing to pay for those seats, and asking Google to do the work for free. &#8220;There will be no charge to the City for any Google licenses for the LAPD,&#8221; proposes the letter. LA also wants Google to pay for the Groupwise licenses used by the LAPD through November 12, 2012.   top     Spanish Court Reverses Course: Says Linking To Infringing Material Is A Crime  (TechDirt, 19 Oct 2011) &#45; We&#8217;ve noted over and over again that Spanish courts have quite reasonably interpreted Spain&#8217;s copyright law to mean that a site that just links to infringing content is not liable for the infringement. This makes a lot of sense. You should not blame a third party for the actions of its users. Yet the entertainment industry has made these rulings out to be an absolutely horrible miscarriage of justice, and have&#8212;with the support of the US government&#8212;pushed hard for draconian new copyright laws within the country. 
While public outcry (and leaked State Dept. cables showing that the US was really behind it) helped derail the effort the first time around, supporters are still trying to push it through. However, while the existing law stands, it&#8217;s a bit surprising to see that one Spanish court has gone completely in the other direction and found the operators of a couple sites to be guilty of criminal copyright infringement, for which they may face a year in jail, in addition to fines. The lawyer for one of the guys suggests that this ruling is a result of politics, not the law. It&#8217;s hard not to think that way given how it appears to fly in the face of most other decisions in Spain. I would imagine that there&#8217;s still going to be an appeal in the case before it&#8217;s really settled.   top   &#45;but&#45;    Supreme Court of Canada Stands Up for the Internet: No Liability for Linking (Michael Geist, 19 Oct 2011) &#45; The Supreme Court of Canada today issued its much anticipated ruling in Crookes v. Newton, a case that focused on the issue of liability for linking to allegedly defamatory content. The court provided a huge win for the Internet as it clearly understood the significance of linking to freedom of expression and the way the Internet functions by ruling that there is no liability for a mere hyperlink. The key quote from the majority, written by Justice Abella: &#8220;I would conclude that a hyperlink, by itself, should never be seen as &#8220;publication&#8221; of the content to which it refers.&#8221; This is an enormous win for the Internet since it rightly recognizes that links are just digital references that should not be viewed as republication of the underlying content.   top    Cyber Attacks and Warfare (Media Law Prof Blog, 19 Oct 2011) &#45; Michael Gervais, Yale Law School, has published Cyber Attacks and the Laws of War. 
Here is the abstract:   &#8220;In the past few decades, cyber attacks have evolved from boastful hacking to sophisticated cyber assaults that are integrated into the modern military machine. As the tools of cyber attacks become more accessible and dangerous, it&#8217;s necessary for state and non&#45;state cyber attackers to understand what limitations they face under international law. This paper confronts the major law&#45;of&#45;war issues faced by scholars and policymakers in the realm of cyber attacks, and explores how the key concepts of international law ought to apply. This paper makes a number of original contributions to the literature on cyber war and on the broader subject of the laws of war. I show that many of the conceptual problems in applying international humanitarian law to cyber attacks are parallel to the problems in applying international humanitarian law to conventional uses of force. The differences are in degree, not of kind. Moreover, I explore the types of cyber attacks that states can undertake to abide by international law, and which ones fall short.&#8221; Paper here.   top    French Cookies Are Beginning to Taste Like British Biscuits (Steptoe, 20 Oct 2011) &#45; By the sound of things, French data protection regulators thought their lawmakers were acting a bit kooky when, as we previously reported, they passed an ordinance providing that consent for the installation of cookies by a website can be inferred by browser settings. In a public statement last month, the Commission Nationale de l&#8217;Informatique et des Libert&#233;s, France&#8217;s data protection agency, stated its intention to strictly apply active consent requirements in enforcing the ordinance. Specifically, it said that browser settings allowing all cookies, without making a distinction between their purposes, cannot be deemed a valid consent expressed by the user. 
This new statement reflects a stricter reading of the requirements of amended EU privacy law than what was apparently expressed by French lawmakers in August, and it would appear to bring France&#8217;s treatment of cookies more in line with the UK&#8217;s approach.   top     RESOURCES   Find the Person Behind an Email Address (Digital Inspiration) &#45; You get an email from a person with whom you have never interacted before and therefore, before you reply to that message, you would like to know something more about him or her. How do you do this without directly asking the other person? Web search engines are obviously the most popular place for performing reverse email lookups but if the person you&#8217;re trying to research doesn&#8217;t have a website or has never interacted with his email address on public forums before, Google will probably be of little help. No worries, here are few tips and online services that may still help you uncover the identity of that unknown email sender. [Editor: Interesting; the TinEye tool looks scary, and worked when I searched for one of my own head&#45;shots; we&#8217;re not too far away from full&#45;bore facial recognition tools.]   top     FUN   Wilful vs. Willful (Volokh Conspiracy, 19 Oct 2011) &#45; A student saw &#8220;wilful&#8221; used in an opinion, and asked whether it was a typo. How things have changed in a few decades! Here&#8217;s a Google Ngrams graph comparing the use of &#8220;wilful&#8221; (blue) and &#8220;willful&#8221; (red) in Google&#8217;s American English sources * * * &#8220;Wilful&#8221; was once the only common spelling (and still remains the dominant spelling in British English, again according to  Google Ngrams  ). But then things changed, and now &#8220;willful&#8221; is considerably more common. Indeed, a quick Westlaw query suggests that &#8220;willful&#8221; is 10 times more common in 2011 court opinions. 
It&#8217;s thus probably wiser to use &#8220;willful,&#8221; unless one knows that one&#8217;s audience (say, a judge) has a contrary preference; using the more common spelling is more likely to convey your message without needlessly distracting the reader. Interestingly, the first two references I found for &#8220;wilful [sic]&#8221; in court cases were in 1962 and 1963, though in those years judicial usage was nearly evenly split between &#8220;wilful&#8221; and &#8220;willful.&#8221; Those references were the only such &#8220;sic&#8221; references until 1971, but in the last few years, there have been more than 10 &#8220;wilful [sic]&#8221; references in court cases per year, which further reflects how dominant &#8220;willful&#8221; has become.   top     LOOKING BACK   CAMERAS SCANNED FANS FOR CRIMINALS (St. Petersburg Times, 31 Jan. 2001) Were you one of the 100,000 fans and workers to pass through the stadium turnstiles at Sunday&#8217;s Super Bowl? Did you smile for the camera? Each and every face that entered Raymond James Stadium for the big game was captured by a video camera connected to a law enforcement control room inside the stadium and checked electronically against the computer files of known criminals, terrorists and con artists of the Tampa Police Department, the FBI and other state and local law enforcement agencies. Sunday&#8217;s Super Bowl was the first major sporting event to adopt the face&#45;matching surveillance system. But the designers of the system expect other security&#45;sensitive sporting events, ranging from the upcoming 2002 Winter Olympics in Salt Lake City to the hooligan&#45;plagued soccer leagues in parts of Europe, to express great interest.  http://www.sptimes.com/News/013101/TampaBay/Cameras_scanned_fans_.shtml    top   U.S. CONGRESS EYES VIRTUAL ASSEMBLY OPTIONS Spooked by anthrax in the U.S. 
Capitol Building, lawmakers are considering an option proposed by the Democratic Leadership Council to convene &#8220;an electronic Congress.&#8221; The DLC says a Web site &#8220;could easily be built&#8221; that would allow Congress and their staffers to debate, draft legislation and vote over the Internet. Such a site likely would use biometrics or &#8220;human verification&#8221; procedures to restrict access, and &#8220;the best system might require members to spread around the country to go to the nearest state capitol or city hall to use special kiosks there.&#8221; The proposal, contained in an article titled &#8220;Legislating by Any Means Necessary,&#8221; suggests that the site could be open to the public on &#8220;a read&#45;only basis, so citizens could watch their representatives much as they can now on C&#45;SPAN.&#8221; A DLC staffer who worked on the report says, &#8220;This was supposed to be a conversation starter. We put this out there not as a full&#45;baked proposal, not as an end&#45;to&#45;end solution.&#8221; (Wired News 25 Oct 2001) http://www.wired.com/news/politics/0,1283,47841,00.html   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-10-21T16:29:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 11&#45;30 September 2011 (v14.13)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_11_30_september_2011_v1413/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_11_30_september_2011_v1413/#When:19:04:01Z</guid>
      <description>MIRLN &#45;&#45;&#45; 11&#45;30 September 2011 (v14.13) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)     NEWS  | PODCASTS  | LOOKING BACK  | NOTES     Report &#45; A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11    Criminal Prohibitions on the Publication of Classified Defense Information    &#8216;Find My Car&#8217; App Can Also Catch Crooks    This Post Should Be Considered Off the Record    Court Allows Recovery of Lost Business and Investigation Costs Under CFAA    NHL Restricts Players&#8217; Use of Social Media on Game Days    Executives May Be Too Confident on Cybersecurity, Survey Finds    Amazon Cloud Earns Key FISMA Government Security Accreditation    FISMA Mandates Monthly Security Reports For Agencies    IRS Clarifies: Work Cellphones Are Not Taxable Perks    Symantec Survey Finds Emails Are No Longer the Most Commonly Specified Documents in eDiscovery Requests    Using Technology to Improve Client Service    Abuse of Trust?    Broadband Under The Sea: Where Do Those Cables Go?    Non&#45;Marketing Uses of Social Media for Lawyers    Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users    Full List of Sites the US Air Force Blocked to Hide from Wikileaks Info; Includes NY Times &amp; The Guardian    Apple and Dropbox Join Fight to Reform Electronic Privacy Law    Is it Possible to Secure Law Firm Data?    
Newly Released Documents Reveal Defense Department Intelligence Violations    Even If You Cancel Your OnStar Service, The Company Will Still Track (And Sell) Your Location    Author Sues Production Company For Copyright Infringement For Changing The Script It Optioned From Him    More Offices Let Workers Choose Their Own Devices    Three Emerging Cyber Threats    Facebook Hosts 4% Of All Photos Ever Taken In History    Metropolitan Museum Unveils Revamped Web Site    In China, Business Travelers Take Extreme Precautions to Avoid Cyber&#45;Espionage    Firings, Discipline Over Facebook Posts Leads to Surge in Legal Disputes    Marine Corps Social Media Principles Manual    Better Ideas Through Failure    Taking A Computer Out of Screensaver Mode to See Suspect&#8217;s Facebook Wall Is a Fourth Amendment Search    Bankrupt Borders Sells Customer Data to Barnes &amp; Noble    Which Telecoms Store Your Data the Longest? Secret Memo Tells All    Pennsylvania Appeals Court Rules Text Messages Were Inadmissible Hearsay    Our Pleasure to Serve You: More Lawyers Look to Social Networking Sites to Notify Defendants            Report &#45; A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11  (ACLU, 7 Sept 2011) &#45; An ACLU report released to coincide with the 10th anniversary of 9/11 warns that a decade after the attacks, the United States is at risk of enshrining a permanent state of emergency in which core values must be subordinated to ever&#45;expanding claims of national security. The report, entitled, &#8220;A Call to Courage: Reclaiming Our Liberties Ten Years after 9/11,&#8221; explores how sacrificing America&#8217;s values &#45; including justice, individual liberty, and the rule of law &#45; ultimately undermines safety. The report begins with an examination of the contention that the U.S. 
is engaged in a &#8220;war on terror&#8221; that takes place everywhere and will last forever, and that therefore counterterrorism measures cannot be balanced against any other considerations such as maintaining civil liberties. The report states that the United States has become an international legal outlier in invoking the right to use lethal force and indefinite military detention outside battle zones, and that these policies have hampered the international fight against terrorism by straining relations with allies and handing a propaganda tool to enemies. Taking on the legacy of the Bush administration&#8217;s torture policy, the report warns that the lack of accountability leaves the door open to future abuses. &#8220;Our nation&#8217;s official record of this era will show numerous honors to those who authorized torture &#45; including a Presidential Medal of Freedom &#45; and no recognition for those, like the Abu Ghraib whistleblower, who rejected and exposed it,&#8221; it notes. Concluding with the massive expansion of surveillance since 9/11, the report delves into the many ways the government now spies on Americans without any suspicion of wrongdoing, from warrantless wiretapping to cell phone location tracking &#45; but with little to show for it. &#8220;The reality is that as governmental surveillance has become easier and less constrained, security agencies are flooded with junk data, generating thousands of false leads that distract from real threats,&#8221; the report says. Full report here .   top      Criminal Prohibitions on the Publication of Classified Defense Information  (Congressional Research Service, 8 Sept 2011) &#45; The online publication of classified defense documents and diplomatic cables by the organization WikiLeaks and subsequent reporting by The New York Times and other news media have focused attention on whether such publication violates U.S. criminal law. 
The suspected source of the material, Army Private Bradley Manning, has been charged with a number of offenses under the Uniform Code of Military Justice (UCMJ), including aiding the enemy, while a grand jury in Virginia is deciding whether to indict any civilians in connection with the disclosure. A number of other cases involving charges under the Espionage Act demonstrate the Obama Administration&#8217;s relatively hard&#45;line policy with respect to the prosecution of persons suspected of leaking classified information to the media. This report identifies some criminal statutes that may apply, but notes that these have been used almost exclusively to prosecute individuals with access to classified information (and a corresponding obligation to protect it) who make it available to foreign agents, or to foreign agents who obtain classified information unlawfully while present in the United States. Leaks of classified information to the press have only rarely been punished as crimes, and we are aware of no case in which a publisher of information obtained through unauthorized disclosure by a government employee has been prosecuted for publishing it. There may be First Amendment implications that would make such a prosecution difficult, not to mention political ramifications based on concerns about government censorship. To the extent that the investigation implicates any foreign nationals whose conduct occurred entirely overseas, any resulting prosecution may carry foreign policy implications related to the exercise of extraterritorial jurisdiction and whether suspected persons may be extradited to the United States under applicable treaty provisions. [Editor: Yochai Benkler has a working draft article titled &#8220;A Free Irresponsible Press: Wikileaks And The Battle Over The Soul Of The Networked Fourth Estate&#8221; here .]   
top       &#8216;Find My Car&#8217; App Can Also Catch Crooks  (Sydney Morning Herald, 9 Sept 2011) &#45; [Y]ou&#8217;ll never lose your car in the shopping centre again &#45; and police now have at their fingertips technology to track down stolen and unregistered vehicles. Westfield Bondi Junction in Sydney recently added to its iPhone app the functionality for shoppers to find their parked car by entering its license plate number. The idea behind it is that if a shopper forgets where they parked then they can find their car using the app, which also lets users find out the opening hours of each retailer, see special offers and search for a store&#8217;s location in the shopping centre. But Westfield said police could also use it to find stolen or unregistered vehicles. In a statement, NSW Police said it worked closely with security at Westfield Bondi Junction and utilised their technology &#8220;when required&#8221;. See also http://www.theregister.co.uk/2011/09/14/find_my_car_fail/    top      This Post Should Be Considered Off the Record  (TechPresident, 14 Sept 2011) &#45; Staffers for Sen. Sheldon Whitehouse, Democrat of Rhode Island, don&#8217;t mind if you read as they pass along hurricane updates or chat with other folks on Twitter. They&#8217;ll even plug someone&#8217;s business. Just don&#8217;t talk about what you read: Whitehouse&#8217;s communications director, Seth Larson, deputy press secretary, Richard Pezzillo, and new media director (!), Catherine Algeri, have disclaimers in their Twitter profiles that declare their posts &#45; on public, unprotected accounts &#45; to be off the record. Disclaimers in Twitter profiles are common. People from ABC News&#8217; senior White House correspondent Jake Tapper to Gerrit Lansing, press secretary at the Republican&#45;controlled House Budget Committee, sport a tag of the tweets&#45;are&#45;mine&#45;alone and/or retweets&#45;aren&#8217;t&#45;endorsements category. 
But &#8220;off the record?&#8221; On Twitter? That&#8217;s a new one on me. Update : Looks like Whitehouse&#8217;s staff have decided to go public &#45; their &#8220;off the record&#8221; pleas were gone from their Twitter profiles not long after I posted this piece.   top      Court Allows Recovery of Lost Business and Investigation Costs Under CFAA  (Steptoe, 15 Sept 2011) &#45; According to a recent decision, Mobil Mark, Inc., v. Paskosz, prospective plaintiffs worried that they cannot show sufficient damage or losses to state a civil claim under the Computer Fraud and Abuse Act (CFAA) should simply hire an expensive investigator. Earlier this month, the U.S. District Court for the Northern District of Illinois found that the cost of a company&#8217;s investigation into a former employee&#8217;s alleged data theft, and resulting lost customers and sales opportunities, can be counted as &#8220;losses&#8221; for purposes of the CFAA&#8217;s $5,000 damage or loss minimum for pursuing a civil claim. While courts have been notoriously split over what exactly constitutes compensable &#8220;damage&#8221; or &#8220;loss&#8221; under the Act, this ruling continues what seems to be somewhat of a trend of increasingly expansive readings of the statute. This is good news for employers who want to use the CFAA to go after rogue employees and possibly their competitors.   top       NHL Restricts Players&#8217; Use of Social Media on Game Days  (Thestar.com, 15 Sept 2011) &#45; Thou shalt not Twitter during the game. Or before it. Or after it. Or during team meetings. The NHL and its Players&#8217; Association have put together a new social media policy that sets a blackout period when players cannot use applications such as Twitter and Facebook. Basically, players may not tweet or use social media from two hours before the puck drop until after their media requirements are completed after the game. 
There is no blanket off&#45;day restriction, but the league wants players to act &#8220;appropriately&#8221; and &#8220;not disclose competitively sensitive team info,&#8221; deputy commissioner Bill Daly told the Star. The league is asking players to speak, text or tweet on social media with the same caution they would speak in front of microphones, understanding what they say is public and for&#45;the&#45;record. A violation would subject the players to an undisclosed punishment. NHL on&#45;ice officials are not allowed to tweet or &#8220;maintain any social media accounts,&#8221; Daly told the Star.   top       Executives May Be Too Confident on Cybersecurity, Survey Finds  (NYT, 15 Sept 2011) &#45; Every week comes a new report warning how vulnerable consumers, companies and government agencies are to hackers bent on breaching computer systems and extracting sensitive data. This week came a somewhat unusual report, compiled by the global consulting firm PricewaterhouseCoopers. It surveyed more than 9,000 executives in over 130 countries and found them confident in their ability to secure their information systems and bullish about cybersecurity spending. In the survey, released Thursday, 43 percent of respondents said they had confidence in their security protocols and 50 percent said they expected their companies to spend increasing amounts of money on cybersecurity. Digital hubris can be dangerous, though. PricewaterhouseCoopers parsed the data more closely. They asked the executives about the precautions they were taking. It turned out that only 13 percent of those surveyed had actually done what the consulting firm considered to be adequate &#45; meaning they had an overall security strategy, they had reviewed the effectiveness of their strategy and they knew precisely the types of breaches that had already hit them over the last 12 months. 
Even as the use of social networks has proliferated, barely one in three respondents said their companies had a policy governing their employees&#8217; use of tools like Facebook and LinkedIn. Social media, the report&#8217;s authors concluded, is a double&#45;edged sword for many companies. &#8220;It&#8217;s a great business opportunity,&#8221; Mark Lobel, a principal at PricewaterhouseCoopers, said by phone. &#8220;It&#8217;s also a terrible avenue for data loss and data leakage.&#8221; Driving the spending on security was the prospect of cyber&#45;espionage, or snooping on sensitive company and government data, everything from blueprints of fighter jets to confidential information about mergers and acquisitions. But only 16 percent of respondents said they were prepared for cyber&#45;espionage.   top       Amazon Cloud Earns Key FISMA Government Security Accreditation  (ArsTechnica, 15 Sept 2011) &#45; Amazon has earned the FISMA security accreditation from the US General Services Administration, a key endorsement for its cloud security model that could increase adoption among federal agencies. FISMA, the Federal Information Security Management Act, is the fifth major certification or accreditation Amazon has gained for its Web Services business featuring the Elastic Compute Cloud infrastructure&#45;as&#45;a&#45;service platform. &#8220;FISMA Moderate Authorization and Accreditation requires AWS to implement and operate an extensive set of security configurations and controls,&#8221; Amazon said in an announcement today . &#8220;This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure as well as conducting third party audits. This is the first time AWS has received a FISMA Moderate authority to operate.&#8221; Amazon already counted the likes of NASA&#8217;s Jet Propulsion Laboratory and Treasury.gov  as customers, so the company wasn&#8217;t exactly struggling to land big names. 
But adding to its roster of accreditations could help Amazon EC2 attract more mission&#45;critical use cases. FISMA certification had already been obtained by Google for its Apps service and by Microsoft for its cloud infrastructure  and its BPOS&#45;Federal service. Prior to today, Amazon achieved compliance with the SAS 70 Type II auditing standard, the HIPAA health data privacy act, PCI DSS credit card standards, and the ISO 27001 international security standard. The new FISMA certification covers Amazon EC2, Amazon&#8217;s Simple Storage Service, the Virtual Private Cloud, and the services&#8217; underlying infrastructure.   top      FISMA Mandates Monthly Security Reports For Agencies  (Information Week, 15 Sept 2011) &#45; Federal agencies must begin reporting security data to an online compliance tool as part of fiscal year 2011 requirements for the Federal Information Security Management Act (FISMA). The Department of Homeland Security (DHS) outlined new requirements  for FISMA, the National Institute of Standards and Technology (NIST) security standard for federal IT solutions. One of them calls for agencies to establish monthly data feeds to CyberScope, a compliance tool developed to help the feds to better and more actively monitor cybersecurity.   top       IRS Clarifies: Work Cellphones Are Not Taxable Perks  (Hillicon Valley, 16 Sept 2011) &#45; The Internal Revenue Service issued a notice Wednesday clarifying that employer&#45;provided cellphones are not taxable perks. The Small Business Jobs Act of 2010 removed cellphones from the definition of &#8220;listed property,&#8221; a category that normally requires additional record keeping by taxpayers. The IRS notice clarified that as a result of the law, when a business provides an employee with a cellphone to use for work, that phone is generally not a taxable benefit. The IRS also sent a memo to its examiners to explain the rule change. CTIA, a wireless trade association, praised the move. 
&#8220;I&#8217;m glad the IRS has finally had the last word on repeal of a rule that might have made sense in the late 1980s, but made no sense at all in today&#8217;s mobile, always&#45;connected world,&#8221; wrote CTIA President Steve Largent in a blog post.    top       Symantec Survey Finds Emails Are No Longer the Most Commonly Specified Documents in eDiscovery Requests  (Symantec press release, 19 Sept 2011) &#45; Symantec Corp. (Nasdaq: SYMC) today announced the findings of its 2011 Information Retention and eDiscovery Survey  which examined how enterprises manage their ever&#45;growing volumes of electronically stored information and prepare for the eventuality of an eDiscovery request . The survey of legal and IT personnel at 2,000 enterprises worldwide found email is not the primary source of records companies must produce, and more importantly, respondents who employ best practices for records and information management are significantly less at risk of court sanctions or fines. &#8220;The fact that email is no longer the primary source of information for an eDiscovery request is a significant change from what has been the norm over the past several years,&#8221; said Dean Gonsowski, eDiscovery Counsel at Symantec. &#8220;With the wide variety of sources in play, including loose documents, structured data, SharePoint content and even social media, it is not enough for legal and IT to simply focus upon email alone. It&#8217;s critical for the two departments to work together to develop and implement an effective information retention policy.&#8221;   top       Using Technology to Improve Client Service  (ABA&#8217;s Catherine Sanders Reach, 19 Sept 2011) &#45; Everywhere you look, people are using technology outside the confines of the workplace. And no matter what type of clients you serve, it&#8217;s likely they want to be able to use the same technologies for similar conveniences when they&#8217;re working with you. 
Here are some suggestions for incorporating technology tools to give your clients enhanced options so you can meet&#45;and even exceed&#45;their expectations.   top      Abuse of Trust?  (InsideHigherEd, 19 Sept 2011) &#45; Less than a week after the University of Michigan brushed off a lawsuit by the Authors Guild over the university&#8217;s move to make copyrighted &#8220;orphan&#8221; works in its digital collection freely available to students and faculty, the Michigan Library suspended the practice Friday, admitting &#8220;serious&#8221; flaws in its process for identifying orphans. Friday&#8217;s mea culpa followed a public flogging of the library and its nonprofit digital consortium, HathiTrust, at the hands of the Authors Guild, in which the guild quickly tracked down the owners of the copyrights on several works that HathiTrust had categorized as &#8220;orphans&#8221;&#8212;books and articles that are in copyright but whose copyright owners cannot be located or identified. &#8220;The close and welcome scrutiny of the list of potential orphan works has revealed a number of errors, some of them serious,&#8221; the Michigan library wrote in its statement. &#8220;This tells us that our pilot process is flawed.&#8221; The librarians said they had &#8220;learned from [their] mistakes&#8221; and have &#8220;already begun an examination of our procedures to identify the gaps that allowed volumes that are evidently not orphan works to be added to the list.&#8221; The HathiTrust&#8217;s Orphan Works Project&#8212;a Michigan&#45;led effort to identify and increase access to the orphans from the consortium&#8217;s digital library&#8212;has been suspended until the university can come up with &#8220;a more robust, transparent, and fully documented process&#8221; for making sure works are genuinely orphaned before categorizing them as such. 
The Authors Guild, along with authors&#8217; associations in Australia and Quebec and a handful of individual authors, had filed suit last Monday against the HathiTrust, Michigan, and several other university libraries heavily involved in the Orphan Works Project. The plaintiffs claimed that by establishing its own set of procedures for clearing orphan works for wider accessibility, the libraries were taking copyright into their own hands. They argued that the orphans should stay under lock and key until Congress passes legislation governing how orphan works can be identified and displayed. Michigan and other HathiTrust supporters argued that giving faculty members and students access to digital orphan works was protected by the &#8220;fair use&#8221; provisions of U.S. copyright law. But the Authors Guild struck back on its blog, calling into question the integrity of Michigan&#8217;s process for attempting to find the copyright holders for its orphan candidates. In a series of &#8220;gotcha&#8221; blog posts, the guild documented its own efforts to find the copyright holders for HathiTrust orphans. It quickly tracked down several authors that HathiTrust had apparently been unable to reach. [Editor: EFF has a different perspective &#45; see  No Authors Have Been Harmed in the Making of This Library  (EDD, 15 Sept 2011) &#45; &#8220;We&#8217;ve been puzzling over the Author&#8217;s Guild&#8217;s decision to sue several university libraries for participating in the digitization and storage of millions of works (largely in connection with the Google Books project) and making scans of some of those works available to the academic community. Simply put, it appears that the Guild is dead set on wasting time and money addressing imaginary harms, whether or not its efforts might actually benefit either its members or the public.&#8221; InsideHigherEd runs yet another perspective here .]   top      Broadband Under The Sea: Where Do Those Cables Go?  
(GigaOM, 20 Sept 2011) &#45; Want to know how your email packets from Rhode Island make it over to South Africa? Or what about your VoIP call from Hong Kong to Honolulu? Now there&#8217;s a map for that, thanks to the folks at Telegeography who have rolled out an interactive tool that shows you the location of various undersea cables. These cables are the links that connect the Internet across oceans and continents, and typically they only get noticed when they go down. For the truly nerdy, this makes awesome wall art (you can put it next to your spectrum allocation chart!), but if you&#8217;re more like the rest of the population, it&#8217;s a fun resource to turn to the next time a woman panning for copper cuts a cable, you&#8217;re looking for a good place to base a data center, or you want to see how interconnected we are. For example, Hillsboro, Ore., should be known as Cabletown given that three cables land there: more than any other city in the U.S. That and other fun facts await you, although I&#8217;d like a better search function so I could easily see how many cables Google has invested in, for example. Map here . [Editor: the  article on this is Neal Stephenson&#8217;s &#8220;Mother Earth, Mother Board&#8221; from Wired from 1996 &#45; here .]   top      Non&#45;Marketing Uses of Social Media for Lawyers  (Dennis Kennedy, 20 Sept 2011) &#45; Since Tom Mighell and I haven&#8217;t gotten much chance over the last year or so to write together, we jumped at the chance to write an article on &#8220;non&#45;marketing&#8221; uses of social media for lawyers for the ABA&#8217;s Law Practice Today webzine. Then we realized that volunteering to write an article is far easier than finding the time to actually write it. The result, however, is an article we really liked and one we&#8217;ve gotten some great feedback on. It&#8217;s called &#8220;Not Your Marketer&#8217;s Social Media: Ten Ways Lawyers Can Benefit from Non&#45;Marketing Uses of Social Media.&#8221; 
The article grew out of our podcast called &#8220;Using Social Media for Non&#45;Marketing&#8221; and expands on some of the ideas in the podcast and adds a few new things. The main idea is that lawyers can benefit from social media in many different ways and that the over&#45;attention on using social media for marketing to potential clients has a limiting effect on ways that lawyers think they might use social media. The article is an attempt to &#8220;think different&#8221; about social media &#45; in practical ways that match your own personality and approach &#45; and to go back to the basics on social media. Then, see what evolves from uses that best fit your own approach and comfort. Check out the  new article  and let us know what you think about it. [Editor: for example, I find about 1/3 of the stories in MIRLN thru social media tools, and I broadcast MIRLN&#45;related items on Twitter with #mirln.]   top       Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users  (Berkman guide, 20 Sept 2011) &#45; This report explores these dilemmas and recommends principles, strategies, and tools that companies and users alike can adopt to mitigate the negative effects of account deactivation and content removal. Through case examples, we outline the ways in which platform providers can have a positive impact on user trust and behavior by being more clear and consistent in developing ToU and other policies, responding to and evaluating suspected violations, and providing opportunities for recourse and appeal. We also highlight concrete actions that users can take to educate themselves about how the moderation, takedown, and abuse&#45;prevention mechanisms work for the services they use, provide and communicate context where necessary, and engage with companies and other users around such issues. 
From the activist who communicates with her network via her Facebook account, the user who posts documentary&#45;style videos to YouTube or the citizen journalist who raises awareness with photos uploaded to Flickr, platforms that host user&#45;generated content are increasingly used by a range of civic actors in innovative ways: to amplify voices, organize campaigns and coordinate disaster response, and advocate around issues of common concern. However, while the online space may be perceived as a public commons, private entities play a role in shaping online activity, behavior, and content via Terms of Use (ToU), community guidelines, and other mechanisms of control. Platform providers often enforce such rules in response to potential threats, misuse, or ToU violations; users must observe them or risk losing their accounts, their contacts, or their ability to post content. The clarity, transparency, and consistency of how such terms are established and implemented are important to all users, but for the growing number of human rights activists who depend on web 2.0 platforms for core elements of their work&#45;and for whom removed content and deleted accounts can have severe consequences&#45;the stakes are much higher. For platform providers, enforcing site guidelines can require balancing complex and often competing considerations, including supporting community norms and innovative user activity, while maintaining a safe and secure online environment, protecting the free expression and privacy rights of users while enforcing legal standards or responding to government pressure, and accounting for the potential risks faced by activists. Guide is here .   
top       Full List of Sites the US Air Force Blocked to Hide from Wikileaks Info; Includes NY Times &amp;amp; The Guardian  (TechDirt, 20 Sept 2011) &#45; When the State Department cables leaked via Wikileaks, some government employees and agencies were put in a tough position, in that they couldn&#8217;t officially view those documents, since they were still classified. As we&#8217;ve noted in the past, this is stupid. In business, any boilerplate non&#45;disclosure agreement says that if some info becomes public due to a third party, the NDA no longer applies. The US government, for reasons that escape me, refuses to do the same thing for classified info that leaks&#8212;even after the press has run stories on it. We heard all sorts of bizarre stories about government agencies trying to block access to this content which was everywhere, including reports that any Techdirt article that mentioned &#8220;Wikileaks&#8221; in the title was blocked  from Defense Department computers. Jason Smathers decided to submit a Freedom of Information Act request (via the awesome Muckrock.com platform) to the US Air Force to find out what sites it was blocking. And while the Air Force initially denied the request, on appeal it just changed its mind and handed over the list, which you can see below. Most of the blocked URLs are to various Wikileaks mirror sites, but it also covers the major media properties that Wikileaks initially worked with on releasing these documents, including the NY Times and The Gu[a]rdian.   top       Apple and Dropbox Join Fight to Reform Electronic Privacy Law  (EFF, 22 Sept 2011) &#45; In April we launched &#8220;Who Has Your Back&#8221;  , a campaign calling on major Internet companies like Google, Amazon and Microsoft to stand with their users when it comes to government demands for users&#8217; data. 
Today, we&#8217;re pleased to see that two of the thirteen companies highlighted in our petition , Apple and Dropbox, have agreed to one of our requests: that they stand up for user privacy in Congress  by joining the Digital Due Process coalition. Digital Due Process  is a diverse coalition of privacy advocates like EFF, ACLU and the Center for Democracy &amp;amp; Technology and major companies like AT&amp;amp;T, eBay and Comcast that has come together with the shared goal of modernizing surveillance laws  for the Internet age. The DDP coalition is especially focused on pressing Congress to update the woefully&#45;outdated Electronic Communications Privacy Act  or &#8220;ECPA.&#8221;   top      Is it Possible to Secure Law Firm Data?  (slaw, 22 Sept 2011) &#45; To answer the question, we interviewed our friend and colleague Matt Kesner, the CIO of Fenwick &amp;amp; West LLP, a West Coast law firm representing high tech and bio&#45;tech clients. Matt has &#8220;walked the walk&#8221; when it comes to security and protecting data. Is the data at a law firm really different or are there &#8220;special&#8221; considerations when dealing with security within a law firm? Matt suggested that there are a lot of tensions at play within a law firm. There&#8217;s always the tension between IT and end&#45;users. The end&#45;users are more difficult to tame and are more independent than most other users. They don&#8217;t necessarily want to comply with the stated policies and procedures, thereby making security a more difficult task. Also, they tend to be driven by what the client wants, which may be in contradiction to the security procedures of the firm. The press hasn&#8217;t really identified many data breaches that have involved law firms. Since law firms are very much reputation based, they are not all that willing to publicize any data breach that may have occurred. 
Current data breach laws have changed that practice, but we still don&#8217;t hear of many specifics concerning law firms. Matt acknowledged that there have been two breaches at his own firm. His advice for security is to learn lessons from breaches so you can avoid a recurrence &#45; at least a recurrence of the same sort of attack. Fortunately for Matt&#8217;s firm, the security incidents did not involve access to their network. Both occurrences involved their website, which was hosted externally. We are aware of some other firms being compromised, primarily through mobile devices and unprotected laptops. Matt confirmed that law firms are seeing an increase in hacking attempts. Reviews of his own firm&#8217;s logs show repeated &#8220;door rattles&#8221; and attempted infiltration of the network. They are being probed a lot more often, tested with various scripts being used to determine vulnerabilities and have experienced a higher proportion of successful malware and phishing attacks against their users. Many attacks appear to be originating from China, which is consistent with our experiences gleaned from security investigations involving these attacks. Our own government has cautioned us that every cell phone and smart phone that goes into China has spyware downloaded on it by the Chinese communications infrastructure. This spyware pretty much has unfettered access to the data that you are sending and receiving even if it is encrypted in transit. Another concern is bringing laptops to China. Matt advised us to weigh the laptop before and after taking it to China as many times hardware monitoring devices will be installed in the laptop itself. He also suggested taking a disposable cell phone when traveling to China. Many in the security field have stated that we are seeing activity from China&#8217;s &#8220;C&#45;level&#8221; (rookie) hackers since law firm systems are fairly easy to penetrate. 
China isn&#8217;t even wasting the efforts of their &#8220;B&#45;level&#8221; or &#8220;A&#45;level&#8221; teams when attacking U.S. systems. Essentially, China&#8217;s entry level hackers are practicing on U.S. law firm networks before &#8220;graduating&#8221; to more advanced hacking activities. Matt told us that Chinese students actually take hacking classes and hack Western websites as part of their homework. Pretty scary stuff.   top       Newly Released Documents Reveal Defense Department Intelligence Violations  (EFF, 22 Sept 2011) &#45; EFF just received documents that reveal additional post&#45;9/11 Defense Department misconduct, including attempts by the Army to investigate participants at a conference on Islamic law at the University of Texas Law School and Army&#45;issued National Security Letters (NSLs) to telecommunications providers in violation of the law.   top       Even If You Cancel Your OnStar Service, The Company Will Still Track (And Sell) Your Location  (TechDirt, 22 Sept 2011) &#45; GM subsidiary OnStar is apparently alerting its customers that even if they decide to cancel their service in the future, OnStar will still track information about them&#8212;and, of course, potentially sell that data:  &#8220;What&#8217;s changed [is that if] you want to cancel your OnStar service, we are going to maintain a two&#45;way connection to your vehicle unless the customer says otherwise.&#8221;  OnStar is spinning this as a plan to make it &#8220;easier to re&#45;enroll&#8221; as a customer, but it also seems to admit that there&#8217;s demand out there for the data that OnStar collects, so it has plenty of incentive to get more such data, even from non&#45;customers. Of course, they don&#8217;t even seem to acknowledge the creepiness factor of canceling a service, and then still having that service track your every move. 
[GM  stops  &#45; 27 Sept 2011]   top       Author Sues Production Company For Copyright Infringement For Changing The Script It Optioned From Him  (TechDirt, 22 Sept 2011) &#45; While significant parts of the rest of the world include a &#8220;moral rights&#8221; component to copyright (which covers things like proper attribution), the US has always avoided it&#8212;even though it&#8217;s supposedly required by the Berne Convention, of which the US is a participant. The US has mainly gotten around this because it&#8217;s the US and it ignores international agreements when it wants to&#8212;but also because it put in a tiny bit of moral rights in extremely limited circumstances  that are so rare you&#8217;ll almost never, ever hear about them. However, it does appear that some are trying to sneak in a form of moral rights via contract. Copycense  points us to the news of a writer, Matthew Jones, who is suing the people who optioned his screenplay  (which was based on his own novel, Boot Tracks ) for changing the screenplay without his permission. He apparently wrote into the contract that such changes could not be made without his permission&#8212;and yet the screenplay was changed to help get funding. There&#8217;s an obvious contractual breach in there, but Jones is also claiming copyright infringement, suggesting that, by breaking the agreement, they were also creating an unauthorized derivative work. In this case, it&#8217;s a little more confusing, because there&#8217;s some question as to when the producer and director actually exercised the option to buy the screenplay/make the film. Either way, it may make for an interesting case and it makes me wonder if we&#8217;ll start to see more efforts by content creators to enforce such moral&#45;like rights via contract.   top       More Offices Let Workers Choose Their Own Devices  (NYT, 23 Sept 2011) &#45; Throughout the information age, the corporate I.T. 
department has stood at the chokepoint of office technology with a firm hand on what equipment and software employees use in the workplace. They are now in retreat. Employees are bringing in the technology they use at home and demanding the I.T. department accommodate them. The I.T. department often complies. Some companies have even surrendered to what is being called the consumerization of I.T. At Kraft Foods, the I.T. department&#8217;s involvement in choosing technology for employees is limited to handing out a stipend. Employees use the money to buy whatever laptop they want from Best Buy, Amazon.com or the local Apple store. &#8220;We heard from people saying, &#8216;How come I have better equipment at home?&#8217;&#8221; said Mike Cunningham, chief technology officer for Kraft Foods. &#8220;We said, hey, we can address that.&#8221; Encouraging employees to buy their own laptops, or bring their mobile phones and iPads from home, is gaining traction in the workplace. A survey published on Thursday by Forrester Research found that 48 percent of information workers buy smartphones for work without considering what their I.T. department supports. By being more flexible, companies are hoping that workers will be more comfortable with their devices and therefore more productive. Corporate I.T. departments often resist allowing consumer technology on their networks because of security concerns. &#8220;They&#8217;re over the denial and anger stage, and now they are in the acceptance and &#8216;How can we help?&#8217; stage,&#8221; said Mr. Schadler, who co&#45;wrote the book &#8220;Empowered,&#8221; which addresses consumer technology in the workplace. &#8220;What broke the camel&#8217;s back was the iPad, because executives brought it into the company and said &#8216;Hey, you&#8217;ve got to support this.&#8217;&#8221; Kraft&#8217;s program is not quite companywide, however. 
Executives who handle confidential information, people who use laptops to operate production equipment, and most factory workers are ineligible. &#8220;It&#8217;s a relatively small part of the company,&#8221; Mr. Cunningham said. &#8220;But it addresses the majority of the noise and complaining.&#8221; [Editor: Even law firms are doing this; Wilson Sonsini&#8217;s CIO, Phillip Hoare, is one of the early forward&#45;thinkers here, and is crafting a process that helps assure security and confidentiality, even on employee&#45;owned smart devices. Kudos.]   top      Three Emerging Cyber Threats  (Bruce Schneier, 23 Sept 2011) &#45; On Monday I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: (1) The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data&#45;collection companies like Facebook and Google. They&#8217;re collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior. (2) Ill&#45;Conceived Regulations from Law Enforcement. We&#8217;re seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I&#8217;m thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they&#8217;ll all make us less safe. (3) The Cyberwar Arms Race. I&#8217;m not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. 
I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.&#8212;That&#8217;s my list, and they all have the potential to be more dangerous than cybercriminals.   top       Facebook Hosts 4% Of All Photos Ever Taken In History  (TechDirt, 24 Sept 2011) &#45; For all the talk of how content creation is going down the drain due to lax copyright enforcement, it seems that everywhere we look, we just keep seeing more and more and more content creation. The latest is a report that Facebook currently hosts 4% of all photos ever taken. Specifically, it hosts 140 billion photos out of 3.5 trillion photos taken in history. Now, obviously, technology change is at work here. Photography really only showed up for real about a century and a half ago, and didn&#8217;t really hit the mainstream until less than a century ago. And, of course, for most of that time it involved (sometimes expensive) film and the expensive step of processing it. Photography has exploded over the last decade or so with the rise of digital cameras, and, of course, high quality digital cameras built into mobile phones. But, really, that raises a bigger point: the tools of creation for all sorts of things have been changing rapidly and making it easier and cheaper to create content, whether it&#8217;s a photograph, a song, a movie, a book or.. well&#8230; just about anything. We&#8217;re being inundated with new creative works&#8230; at the same time we&#8217;re being told that content creation is dying. Now, to be fair, much of the content production we&#8217;re talking about is amateur production, but some of that is of fantastic quality, and is leading people into professional content creation roles. But, I guess this raises a separate question. What is the real purpose of copyright? 
Is it only to incentivize professional content creation, or to incentivize content creation overall? Given the stated purpose is to &#8220;promote the progress,&#8221; and to provide the public with more content, I would argue the goal is to promote more overall content, and it seems that technology is doing a much better job of that than copyright.      Metropolitan Museum Unveils Revamped Web Site  (NYT, 26 Sept 2011) &#45; The Metropolitan Museum of Art, which has been trying to rebrand itself over the last year as a visitor&#45;friendly art behemoth, unveiled a redesigned Web site on Monday, the first time the site has been thoroughly updated in more than a decade. It includes several new features that are beginning to become standard for large museums, like a zoomable, clickable floor plan similar to one the Art Institute of Chicago created two years ago. The Met&#8217;s version allows prospective visitors to look closely at almost 400 galleries to see what to expect, and visitors already at the museum to use smartphones on parts of the site to find their way to favorite artworks. The site also shows off the results of a huge undertaking ordered by Thomas P. Campbell, the museum&#8217;s director: that the curatorial departments make images and information available online for all of the almost two million items in the collection. About 340,000 comprehensive entries for objects are included on the revamped site, 200,000 of which have been created over the last nine months. The site also has a new multimedia section, making videos, recorded lectures, interactive educational programs and other digital projects more easily accessible.      In China, Business Travelers Take Extreme Precautions to Avoid Cyber&#45;Espionage  (Washington Post, 26 Sept 2011) &#45; Packing for business in China? Bring your passport and business cards, but maybe not that laptop loaded with contacts and corporate memos. 
China&#8217;s massive market beckons to American businesses &#45; the nation is the United States&#8217; second&#45;largest trading partner &#45; but many are increasingly concerned about working amid electronic surveillance that is sophisticated and pervasive. Security experts also warn about Russia, Israel and even France, which in the 1990s reportedly bugged first&#45;class airplane cabins to capture business travelers&#8217; conversations. Many other countries, including the United States, spy on one another for national security purposes. But China&#8217;s brazen use of cyber&#45;espionage stands out because the focus is often corporate, part of a broader government strategy to help develop the country&#8217;s economy, according to experts who advise American businesses and government agencies. &#8220;I&#8217;ve been told that if you use an iPhone or BlackBerry, everything on it &#45; contacts, calendar, e&#45;mails &#45; can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they&#8217;ve got it,&#8221; said Kenneth Lieberthal, a former senior White House official for Asia who is at the Brookings Institution. Some industrial cyber&#45;espionage takes place in the U.S. corporate world, experts say, but not nearly to the extent found in China. Also, the U.S. government reportedly does not conduct economic espionage on behalf of U.S. industry. Travelers there often tote disposable cellphones and loaner laptops stripped of sensitive data. Some U.S. officials take no electronic gear. And a few corporate executives detour to Australia rather than risk talking business in a bugged Chinese hotel room. Other travelers hide files on thumb drives, which they carry at all times and use only on off&#45;line computers. One security expert, who spoke on the condition of anonymity to avoid drawing scrutiny from the Chinese government, buys a new iPad for each visit, then never uses it again. 
&#8220;It&#8217;s real easy for them [the Chinese] to read everything that goes in and out of the country because the government owns all the networks,&#8221; said Jody Westby, chief executive of Global Cyber Risk, a consulting firm. &#8220;The real problem here is economic espionage,&#8221; she said. &#8220;There are countries where the search for economic information and high&#45;value data is so aggressive that companies or people are very hesitant about taking their laptops to those countries.&#8221; Business travelers began adopting such safety measures for China several years ago, experts say. On the eve of the 2008 Beijing Olympics, Joel Brenner, then the U.S. national counterintelligence executive, first issued government safety guidance to overseas travelers, with such tips as: &#8220;If you can do without the device, don&#8217;t take it.&#8221;      Firings, Discipline Over Facebook Posts Leads to Surge in Legal Disputes  (Business Insider, 26 Sept 2011) &#45; In the age of instant tweets and impulsive Facebook posts, some companies are still trying to figure out how they can limit what their employees say about work online without running afoul of the law. Confusion about what workers can or can&#8217;t post has led to a surge of more than 100 complaints at the National Labor Relations Board &#45; most within the past year &#45; and created uncertainty for businesses about how far their social media policies can go. &#8220;Employers are struggling to figure out what the right policies are and what they should do when these cases arise,&#8221; said Michael Eastman, labor law policy director at the U.S. Chamber of Commerce. In one case, a Chicago&#45;area car salesman was fired after going on Facebook to complain that his BMW dealership served overcooked hot dogs, stale buns and other cheap food instead of nicer fare at an event to roll out a posh new car model. 
The NLRB&#8217;s enforcement office found the comments were legally protected because the salesman was expressing concerns about the terms and conditions of his job, frustrations he had earlier shared in person with other employees. But the board&#8217;s attorneys reached the opposite conclusion in the case of a Wal&#45;Mart employee who went on Facebook to complain about management &#8220;tyranny&#8221; and used an off&#45;color Spanish word to refer to a female assistant manager. The worker was suspended for one day and disqualified from seeking promotion for a year. The board said the postings were &#8220;an individual gripe&#8221; rather than an effort to discuss work conditions with co&#45;workers and declined to take action against the retailer. Those cases are among 14 investigations the board&#8217;s acting general counsel, Lafe Solomon, discussed in a lengthy report last month on the rise in social media cases. Solomon says federal law permits employees to talk with co&#45;workers about their jobs and working conditions without reprisal &#45; whether that conversation takes place around the water cooler or on Facebook or Twitter. &#8220;Most of the social media policies that we&#8217;ve been presented are very, very overbroad,&#8221; Solomon said in an interview. &#8220;They say you can&#8217;t disparage or criticize the company in any way on social media, and that is not true under the law.&#8221; The number of cases spiked last year after the board sided with a Connecticut woman fired from an ambulance company after she went on Facebook to criticize her boss. That case settled earlier this year, with the company agreeing to change its blogging and Internet policy that had banned workers from discussing the company over the Internet. The National Labor Relations Act protects both union and nonunion workers when they engage in &#8220;protected concerted activity&#8221; &#45; coming together to discuss working conditions. 
But when online comments might be seen by hundreds or thousands of eyeballs, companies are concerned about the effect of disparaging remarks. Doreen Davis, a management&#45;side labor lawyer based in Philadelphia, said many of her corporate clients are often &#8220;surprised and upset&#8221; when they learn they can&#8217;t simply terminate employees for talking about work online. &#8220;All of us on the management side are being inundated with calls and inquiries from clients about this,&#8221; Davis said. &#8220;A lot of companies want their social media policies reviewed or they want to establish one for the first time.&#8221; But the NLRB&#8217;s Solomon also warns workers that not everything they write on Facebook or Twitter will be permissible under the law just because it discusses their job. &#8220;A lot of Facebook, by its very nature, starts out as mere griping,&#8221; Solomon said. &#8220;We need some evidence either before, during or after that you are looking to your fellow employees to engage in some sort of group action.&#8221;      Marine Corps Social Media Principles Manual  (BeSpacific, 27 Sept 2011) &#45; &#8220;The Marine Corps must continuously innovate to communicate in media&#45;intensive environments, to remain the nation&#8217;s force in readiness. This mission is based on the Marine Corps Vision and Strategy 2025 and the public affairs tasks outlined in the Marine Corps Service Campaign Plan for 2009&#45;2015. While building and launching a social media program or accessing a favorite social media site can sometimes be fast, easy, and inexpensive. Existing rules for public affairs as well as personal conduct still apply. The Marine Corps encourages Marines to explore and engage in social media communities at a level they feel comfortable with. 
The best advice is to approach online communication in the same way we communicate in person &#45; by using sound judgment and common sense, adhering to the Marine Corps&#8217; core values of honor, courage and commitment, following established policy, and abiding by the Uniform Code of Military Justice (UCMJ). The social media principles provided in this handbook are intended to outline how our core values should be demonstrated, to guide Marines through the use of social media whether personally involved or when acting on behalf of the Marine Corps.&#8221; Manual here.      Better Ideas Through Failure  (WSJ, 27 Sept 2011) &#45; To pitch a prospective client for her ad agency, Amanda Zolten knew she had to take a risk. But the client&#8217;s product &#45; kitty litter &#45; posed a unique challenge. Lucy Belle, Ms. Zolten&#8217;s cat, furnished the answer. Before she and her team met with six of the company&#8217;s executives, Ms. Zolten buried Lucy Belle&#8217;s mess in a box of the company&#8217;s litter and pushed it under the conference&#45;room table. No one noticed until Ms. Zolten pointed it out &#45; and the fact that no one had smelled it. Shocked, several executives pushed back from the table. Two left the room. After a pause, those who remained started laughing, says Ms. Zolten, a senior vice president with Grey New York. &#8220;We achieved what we hoped, which was creating a memorable experience,&#8221; she says. She won&#8217;t know for a few weeks whether Grey won the business. But her boss, Tor Myhren, has already named Ms. Zolten the winner of his first quarterly &#8220;Heroic Failure&#8221; award &#45; for taking a big, edgy risk. Amid worries that we are becoming less innovative, some companies are rewarding employees for their mistakes or questionable risks. The tactic is rooted in research showing that innovations are often accompanied by a high rate of failure. 
&#8220;Failure, and how companies deal with failure, is a very big part of innovation,&#8221; says Judy Estrin of Menlo Park, Calif., a founder of seven high&#45;tech companies and author of a book on innovation. Failures caused by sloppiness or laziness are bad. But &#8220;if employees try something that was worth trying and fail, and if they are open about it, and if they learn from that failure, that is a good thing.&#8221;</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-09-30T19:04:01-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 21 August – 10 September 2011 (v14.12)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_21_august_10_september_2011_v1412/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_21_august_10_september_2011_v1412/#When:19:10:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 21 August &#45; 10 September 2011 (v14.12) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC  (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   NEWS  | FUN  | LOOKING BACK  | NOTES     Enter the Cyber&#45;dragon    Stuxnet as Cyberwarfare: Applying the Law of War to the Virtual Battlefield    U.S. Defense Firms Face Relentless Cyberattacks    Duty to Protect the Confidentiality of E&#45;mail Communications with One&#8217;s Client    Federal Judge Finds Cloud Music Lockers Do Not Violate Copyrights    Khan Academy Integrates With Digital Textbooks    Judge Says Warrant Required For Cell Phone Location Data    Consumer Reviews at &#8220;Local&#8221; Review Sites Don&#8217;t Support Jurisdiction    Embedded Serial Number Helps Photographer Find His Stolen Camera    With CIA Help, NYPD Moves Covertly In Muslim Areas    15 Years for Recording a Talk with Cops? Woman Avoids Prison with Acquittal    Law Profs Worry That Plan to Pulp Millions of Federal Court Files Will Destroy Historical Goldmine    4 More Universities Join Effort on &#8216;Orphan Works&#8217;    The EFF Reflects On ICE Seizing a TOR Exit Node    Fair Use Face&#45;Off, Canadian Edition    New California Law Prohibits Jurors&#8217; Social Media Use    Overreactive Guidance for Social Networking Du Jour&#8212;NLRB Edition    Posting a Privacy Policy May Not Be Enough &#45; NARC to Enforce Industry Principles    Nearly Half of Computer Users Get Software Illegally    The Legality of Government Critical Infrastructure Monitoring    The Spy Who Tweeted Me: Intelligence Community Wants to Monitor Social Media           Enter the Cyber&#45;dragon  (Vanity Fair, August 2011) &#45; Hackers have attacked America&#8217;s defense establishment, as well as companies from Google to Morgan Stanley to security giant RSA, and fingers point to China as the culprit. The author gets an exclusive look at the raging cyber&#45;war&#45;Operation Aurora! 
Operation Shady RAT! &#45; and learns why Washington has been slow to fight back. [Editor: lengthy, readable and comprehensive &#45; has a myriad of details I&#8217;d not known, and is well worth your time. We saw this coming back in the early 1990s when I was at Schlumberger; there&#8217;s even less defense today than then.]   &#45; and &#45;     Stuxnet as Cyberwarfare: Applying the Law of War to the Virtual Battlefield  (John Richardson, SSRN, 22 July 2011) &#45; In the field of international humanitarian law, there are a number of questions about the conduct of warfare in the cyber domain. In some cases, answers can be gleaned from treaties and customary international law but in other instances, solutions are seemingly intractable, begging for solutions that may only be answered by technology itself. From a legal perspective, such oversimplifications trivialize humanitarian law as well as other legal constructs already struggling to address complex issues in the cyber realm. It is within this context that this paper focuses on a recent event known as Stuxnet, a computer virus that infected and damaged a nuclear research facility in Natanz, Iran. Reflecting on this particular cyber attack, this paper addresses two IHL issues: Does the Stuxnet attack rise to the level of an armed attack within the meaning of international humanitarian law? If so, did it adhere to the two core principles of IHL, namely distinction and proportionality? This paper finds that the Stuxnet attack does in fact rise to the level of an armed attack within the meaning of IHL and adheres to the principles of distinction and proportionality.   &#45; and &#45;      U.S. Defense Firms Face Relentless Cyberattacks  (Reuters, 7 Sept 2011) &#45; U.S. defense industries are facing relentless, sophisticated foreign attacks on their computer networks, a threat company leaders say poses a risk of significant damage and may require the government to take greater protective action. Top U.S. 
defense contractors speaking at the Reuters Aerospace and Defense Summit said many of the attacks appeared to be state&#45;sponsored and came from multiple countries, but they declined to point a finger at any particular government. &#8220;Every defense company is constantly under attack. If anybody tells you they&#8217;re not, it just means they don&#8217;t know,&#8221; said Northrop Grumman (NOC.N) Chief Executive Wes Bush. &#8220;It is a threat that is broad&#45;based. It&#8217;s not just from one source ... and it&#8217;s just unceasing.&#8221; David Hess, the president of engine maker Pratt &amp;amp; Whitney, a unit of United Technologies Corp (UTX.N), said he suspected the attacks against his firm&#8217;s network were coming from &#8220;foreign countries&#8221; but &#8220;none that I&#8217;d like to mention.&#8221; &#8220;I can say the attacks are sophisticated,&#8221; he added. &#8220;It&#8217;s not the result of some guy with sneakers in his cubicle hacking away at a computer screen.&#8221; Lockheed Martin Corp (LMT.N) Chief Executive Robert Stevens, whose company thwarted a serious cyberattack in late May, said incursions faced by defense industries are &#8220;very persistent.&#8221; To explore ways to cope with the problem, the Pentagon and Department of Homeland Security launched the Defense Industrial Base Cyber Pilot, a program for sharing classified and sensitive data about cyberattacks.      Duty to Protect the Confidentiality of E&#45;mail Communications with One&#8217;s Client  (ABA  Formal Opinion 11&#45;459  , 4 August 2011) &#45; A lawyer sending or receiving substantive communications with a client via e&#45;mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e&#45;mail account, where there is a significant risk that a third party may gain access. 
In the context of representing an employee, this obligation arises, at the very least, when the lawyer knows or reasonably should know that the client is likely to send or receive substantive client&#45;lawyer communications via e&#45;mail or other electronic means, using a business device or system under circumstances where there is a significant risk that the communications will be read by the employer or another third party. ABA Journal article (8 Sept) here; related article about a possible duty to disclose (by employer, who has found employee emails to the employee&#8217;s counsel) here.      Federal Judge Finds Cloud Music Lockers Do Not Violate Copyrights  (ReadWriteWeb, 22 August 2011) &#45; A federal judge in New York ruled today in the defendant&#8217;s favor on a copyright infringement case brought by EMI and 14 record companies against cloud music locker service MP3tunes. Judge William H. Pauley III found that cloud&#45;based music lockers are, for the most part, legally in the clear. The judge found that &#8220;MP3tunes did not promote infringement&#8221; by offering an open cloud storage service for music, meaning that it, as well as big&#45;name services like Google Music and Amazon Cloud Drive, are on the right side of the law. The record companies claimed that services like these duplicate files in ways that violate copyrights, that they don&#8217;t do enough to stop repeat infringers, and that playing back songs from a locker constitutes a &#8220;public performance,&#8221; which would require a license for the material. The judge rejected all these claims, finding that MP3tunes is protected as a service provider under the Digital Millennium Copyright Act (DMCA). The plaintiffs also argued that works recorded prior to 1972 were not protected by the DMCA, but the judge overturned this charge as well. 
Overall, this is a resounding victory for cloud locker services and their users, though, as Robertson says, &#8220;it was not a complete victory[, and it was] not a final ruling,&#8221; because some elements can still be appealed. EMI&#8217;s case relied on several misconstructions of the nature of these services, and the judge turned those aside. EMI claimed that these cloud services host a &#8220;master copy&#8221; of a file within their service, so that users who upload the same song are just playing one digital copy hosted by the service. Playing that file would constitute a &#8220;public performance&#8221; that would require a license. But in reality, cloud locker services store individual copies of a user&#8217;s own music, so they are merely service providers, and they can&#8217;t be held accountable for copyright violations. [See also &#8220;Judge Rules &#8216;Locker&#8217; Site is Not Direct Copyright Infringer&#8221; (ArsTechnica, 12 July 2011) from MIRLN 14.10 and &#8220;Unlicensed: Are Google Music and Amazon Cloud Player Illegal?&#8221; (ArsTechnica, 4 July 2011) from MIRLN 14.09.] See also EFF&#8217;s analysis:  https://www.eff.org/deeplinks/2011/08/mp3tunes&#45;victory&#45;music&#45;lockers&#45;is&#45;good &#8212;&#8220;*** One of those requirements is that the OSP maintain a repeat infringer policy. 
We&#8217;ve written before about this somewhat vague provision of the DMCA, and we were happy to see the MP3tunes court reaffirm what we already knew: that an OSP is only required to do &#8216;what it can reasonably be asked to do&#8217; and it has &#8216;no affirmative duty to police [its] users.&#8217; The court went even further, implying that a repeat infringer policy need only target &#8216;blatant infringers&#8217;.&#8221;     Khan Academy Integrates With Digital Textbooks  (Mashable, 22 August 2011) &#45; The 12&#45;minute video lectures that Bill Gates has called &#8220;the start of a revolution&#8221; will now be linked with the material in some digital textbooks. Etextbook maker Kno announced Monday that it will integrate thousands of tutorial videos from Khan Academy into its books. Khan Academy has been praised and funded by both Gates and Google. At its core, it&#8217;s a database of instructional YouTube videos that its founder, Salman Khan, started creating in order to help his cousins with their math homework. Video production quality does not extend beyond the capabilities of Microsoft Paint, but Khan has a knack for making calculus seem like gradeschool math (the archive contains videos on both topics) that has made his tutorials a popular resource for independent learning. Kno will be linking them to its books through a new &#8220;smart links&#8221; feature. When students click on a Khan Academy tutorial from a new tab on one of Kno&#8217;s digital pages, Khan&#8217;s explanation of that topic plays within the book. Kno worked with Khan Academy to implement its tutorials for the feature&#8217;s launch. Eventually, Kno Vice President of Marketing Ousama Haffar says, the feature will expand to include other educational images and videos. The digital textbook maker is also adding a 3D feature that allows users to turn images like molecule diagrams into 3D objects that rotate on the page.      
Judge Says Warrant Required For Cell Phone Location Data  (ArsTechnica, 23 August 2011) &#45; In recent years, the courts have struggled to decide whether the government needs a warrant to access historical records about a cell phone user&#8217;s location. Some courts have found that when users turn on their cell phones, they &#8220;voluntarily&#8221; transmit their location to their cell phone providers and thereby waive any expectation of privacy. On Monday, Judge Nicholas Garaufis of the Eastern District of New York soundly rejected this line of reasoning. The federal government had asked the courts to order Verizon Wireless to turn over 113 days of location data about a suspect&#8217;s cell phone. It did so under a provision of the Stored Communications Act that only requires law enforcement to show that the records are &#8220;relevant and material to an ongoing criminal investigation.&#8221; Does the government violate the Constitution when it obtains location data without meeting the Fourth Amendment&#8217;s &#8220;probable cause&#8221; standard? Some courts have found that it does not. But in a 22&#45;page opinion, Judge Garaufis analyzed and rejected these other courts&#8217; arguments, holding that law enforcement needs a warrant to obtain months of location data. &#8220;The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by &#8216;choosing&#8217; to carry a cell phone must be rejected,&#8221; he wrote. &#8220;In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell&#45;phone user&#8217;s reasonable expectation of privacy in cumulative cell&#45;site&#45;location records.&#8221; Decision here .     
Consumer Reviews at &#8220;Local&#8221; Review Sites Don&#8217;t Support Jurisdiction  (Eric Goldman, 23 August 2011) &#45; It doesn&#8217;t bring me a lot of joy to blog another Internet jurisdiction case, but the dispute&#8217;s substantive issues are important enough to blog this case. Wilkerson&#8217;s daughter won the California lottery. RSL approached her to buy the future payouts for a lump sum. The daughter took RSL&#8217;s deal, but things didn&#8217;t go well. In response, her dad posted negative reviews of RSL at Yahoo Local and Yelp. In both cases, the review pages allegedly indicated RSL&#8217;s location, and Wilkerson&#8217;s reviews indicated he knew the company was located in Houston. He also tried to drum up interest in a class action suit. RSL sued in Texas state court, and Wilkerson interposed a jurisdictional defense. The majority starts by wisely bypassing the Zippo test. For the number of times it&#8217;s cited, the Zippo test is often unhelpful and unenlightening. Citing several cases, the majority says the Zippo test would apply to the review site operator but not an individual reviewer:  &#8220;* * * to the extent that the interactive features of Yahoo! and Yelp are the creations of the owners and operators of those websites, the interactive nature of a large&#45;scale ubiquitous internet presence cannot be fully imputed to an individual user such as Wilkerson for the purpose of determining whether he established minimum contacts with Texas sufficient to justify exercising jurisdiction over him....Thus for purposes of analyzing personal jurisdiction over an individual in a case arising from his internet activity, we decline to reflexively apply the sliding&#45;scale analysis of the interactivity of a commercial internet website to determine jurisdiction over the individual website user.&#8221;  Amen. This year I added the Illinois v. Hemi 7th Circuit jurisdictional ruling, where the court expressly rejected the Zippo test. 
Perhaps we&#8217;re seeing the leading edge of an anti&#45;Zippo trend. Personally, I wouldn&#8217;t shed a tear if the Zippo test were retired&#45;&#45;permanently. The majority instead turns to the &#8220;purposeful availment&#8221; test. The majority cites the Calder v. Jones case and notes that it looked at the &#8220;effects&#8221; of the defendant&#8217;s action, but it doesn&#8217;t call its test the &#8220;Effects test,&#8221; and I think that affects the result. A consumer reviewer doesn&#8217;t avail itself of the laws of the state its target is located in, but it might intentionally cause tortious effects in the state. I think the majority mucked this distinction. Case is Wilkerson v. RSL Funding, LLC, 2011 WL 3516147 (Tex. App. Ct. Aug. 11, 2011)      Embedded Serial Number Helps Photographer Find His Stolen Camera  (TechCrunch, 24 August 2011) &#45; A photographer, John Heller, had $9,000 worth of gear stolen at a shoot in Hollywood. After giving up all hope of ever getting his Nikon D3 back, he checked with a site called GadgetTrak that scans Flickr and other image upload sites for photos matching the serial number of his DSLR. In a few seconds he had found shots with serial numbers matching his D3 belonging to a professional photographer. With the help of the police he got his gear back and now the tracking service is a recommended site for LAPD detectives on the hunt for fugitive cameras. Want to give it a try? You can search the service for free. It currently holds 10 million serial numbers and it checks sites like 500px.com and Flickr for recent shots. Also note that you should probably write down your camera&#8217;s serial number ASAP for this to work correctly at all.      With CIA Help, NYPD Moves Covertly In Muslim Areas  (AP, 24 August 2011) &#45; In New Brunswick, N.J., a building superintendent opened the door to apartment No. 
1076 one balmy Tuesday and discovered an alarming scene: terrorist literature strewn about the table and computer and surveillance equipment set up in the next room. The panicked superintendent dialed 911, sending police and the FBI rushing to the building near Rutgers University on the afternoon of June 2, 2009. What they found in that first&#45;floor apartment, however, was not a terrorist hideout but a command center set up by a secret team of New York Police Department intelligence officers. From that apartment, about an hour outside the department&#8217;s jurisdiction, the NYPD had been staging undercover operations and conducting surveillance throughout New Jersey. Neither the FBI nor the local police had any idea. Since the terrorist attacks of Sept. 11, 2001, the NYPD has become one of the country&#8217;s most aggressive domestic intelligence agencies. A months&#45;long investigation by The Associated Press has revealed that the NYPD operates far outside its borders and targets ethnic communities in ways that would run afoul of civil liberties rules if practiced by the federal government. And it does so with unprecedented help from the CIA in a partnership that has blurred the bright line between foreign and domestic spying. Neither the city council, which finances the department, nor the federal government, which contributes hundreds of millions of dollars each year, is told exactly what&#8217;s going on.      15 Years for Recording a Talk with Cops? Woman Avoids Prison with Acquittal  (ABA Journal, 25 August 2011) &#45; A woman charged under Illinois&#8217; obscure eavesdropping law for secretly recording her conversation with two Chicago cops has been acquitted. Jurors acquitted Tiawanda Moore after deliberating less than an hour, the Chicago Tribune  reports. She was charged under an Illinois law that bars the recording of public conversations without permission; potential penalties increase to 15 years in prison when cops are secretly recorded. 
Only a few states have similar laws. Moore recorded her conversation with two officers from the police department&#8217;s internal investigations unit because she believed they were trying to talk her into dropping a sexual harassment complaint against a patrol officer, the story says. Juror Ray Adams told the Tribune that he and other jurors thought the prosecution was &#8220;just a waste of time&#8221; and the officers &#8220;came across as intimidating and insensitive.&#8221; Moore&#8217;s defense relied on an exception that allows recordings based on a reasonable suspicion a crime may be committed. The ACLU filed a suit last year arguing that the law cannot be constitutionally applied to individuals who record police performing public duties in a public place, according to the ACLU of Illinois website. An appeal pending before the Chicago&#45;based 7th U.S. Circuit Court of Appeals seeks to reinstate the suit after a federal judge dismissed it. The case is ACLU v. Alvarez. [Editor: see also Gene Volokh&#8217;s post &#8220;First Amendment Right to Openly Record Police Officers in Public&#8221;, parsing the 1st Circuit case of Glik v. Cunniffe.]      Law Profs Worry That Plan to Pulp Millions of Federal Court Files Will Destroy Historical Goldmine  (ABA Journal, 25 August 2011) &#45; In the digital age, there&#8217;s less of a need to keep paper records on hand, and federal officials are in the process of destroying millions of court files in an effort to cut storage costs. But law professors and historians say seemingly mundane material can be a treasure trove of historical information that is forever lost when shredded, pounded to pulp and recycled, the Associated Press reports. Among materials slated for destruction, according to the National Archives and Records Administration, are more than 10 million bankruptcy case files and several million more U.S. District Court files dating from 1970 to 1995. 
Theodore Eisenberg, a Cornell Law School professor who clerked for the late Justice Earl Warren at the U.S. Supreme Court, predicts that &#8220;really important&#8221; information about historic trends that help determine appropriate policy will be lost as a result of the records destruction.     4 More Universities Join Effort on &#8216;Orphan Works&#8217;  (InsideHigherEd, 25 August 2011) &#45; Cornell, Duke, Emory and Johns Hopkins University are the latest  to make digitized &#8220;orphan works&#8221;&#8212;those whose copyright holders are not known or reachable&#8212;in their collections available to students, faculty, and authorized users on their campuses. They join the University of Michigan, the University of Wisconsin, and the University of Florida among universities that have opened up their orphan works under the auspices of the educational &#8220;fair use&#8221; exemption to U.S. copyright law. In the wake of Google&#8217;s failed  attempts to sell access to its massive cache of orphan works, a number of libraries  have been working with each other and the Michigan&#45;based HathiTrust Digital Library to identify orphans in their own digital collections and open them up to authorized users for research purposes.      The EFF Reflects On ICE Seizing a TOR Exit Node  (Slashdot, 26 August 2011) &#45; &#8220;Marcia Hofmann, senior staff attorney at the EFF, gives  more information on the first known seizure of equipment in the U.S.  due to a warrant executed against a private individual running a Tor exit node. &#8216;This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an Internet Protocol (IP) address that traced back to an account connected to Mr. 
King&#8217;s home, where he was operating a Tor exit relay.&#8217; The EFF was able to get Mr King&#8217;s equipment returned, and Marcia points out that &#8216;While we think it&#8217;s important to let the public know about this unfortunate event, it doesn&#8217;t change our belief that running a Tor exit relay is legal.&#8217; She also links to the EFF&#8217;s Tor Legal FAQ . This brings up an interesting dichotomy in my mind, concerning protecting yourself from the Big digital Brother: Running an open Wi&#45;Fi hotspot, or Tor exit node, would make you both more likely to be investigated , and less likely to be convicted , of any cyber crimes.&#8221; [Editor: OK, I&#8217;ve turned my TOR  router back on; already running an open WiFi network.]      Fair Use Face&#45;Off, Canadian Edition  (InsideHigherEd, 29 August 2011) &#45; As professors and librarians in the United States await a judge&#8217;s ruling on  a copyright lawsuit by publishers  against Georgia State University over its e&#45;reserves practices, a similarly themed battle in Canada has seen a number of high&#45;profile research universities walk out on licensing agreements with that country&#8217;s major copyright clearinghouse. More than a dozen Canadian universities &#45; including heavyweights such as the University of British Columbia, the University of Calgary and York University &#45; have said they will not renew their agreements with Access Copyright , a government&#45;created nonprofit that sells licenses to its library of copyright&#45;cleared content. The idea of the licenses is to allow professors to include copyrighted works among their course materials without having to ask permission from copyright holders at every turn. 
But with Access Copyright vying to more than double the fee for its &#8220;comprehensive licenses&#8221; from $18 to $45 per student, and asking that the organization be allowed to survey their clients&#8217; private networks so as to ensure compliance, many universities say they would be happier to drop the clearinghouse licenses and go it alone. The Access Copyright donnybrook and Georgia State lawsuit are unfolding in vastly different legal environments. Canadian copyright law does not include &#8220;fair use&#8221; exemptions for teaching; its &#8220;fair dealing&#8221; exemptions provide no special dispensation for educators and only protect scholars who want to make copies for &#8220;private study.&#8221; The standards Access Copyright is using to define &#8220;copies&#8221; of digital works &#45; which include storing a copyrighted work on a local device, displaying a copyrighted work on a computer screen, even posting a hyperlink to a copyrighted work without consent &#45; are draconian even compared to the much&#45;ballyhooed standards sought by the publishers suing Georgia State. (And, for obvious jurisdictive reasons, the outcome of each case will not have any legal bearing on the other.) Yet the two cases are similar in that they involve standoffs between copyright clearinghouses &#45; the Georgia State lawsuit is being partially underwritten by the Massachusetts&#45;based Copyright Clearance Center, which plays a similar role stateside as Access Copyright&#8217;s in Canada &#45; that are trying to assert themselves in an increasingly digital world, and universities that claim that they are overreaching.      
New California Law Prohibits Jurors&#8217; Social Media Use  (Berkman/CMLP, 1 Sept 2011) &#45; California has adopted a new statute which clarifies that jurors may not use social media and the Internet &#45; such as texting, Twitter, Facebook, and Internet searches &#45; to research or disseminate information about cases, and can be held in criminal or civil contempt for violating these restrictions. The new statute, 2011 Cal. Laws chap. 181 , expands the state&#8217;s existing jury instructions which currently, at the start of trial and prior to any recesses or breaks, admonish jurors not to discuss the case they are sitting on with each other or anyone else before deliberations. The current instructions make no specific mention of electronic research or communications. The new law also charges court officers to bar jurors from communicating outside the jury room, by electronic or other means, during deliberations. Under the new statute, &#8220;willful disobedience by a juror of a court admonishment related to the prohibition on any form of communication or research about the case, including all forms of electronic or wireless communication or research&#8221; can be punished as contempt of court, a misdemeanor.     Overreactive Guidance for Social Networking Du Jour&#8212;NLRB Edition  (Venkat blog post, 5 Sept 2011) &#45; There has been a steady drumbeat from employment lawyers warning about the increasingly watchful eye of the National Labor Relations Board over so&#45;called &#8220;social media terminations&quot;&#45;&#45;where a company fires an employee for making a statement about the company on Facebook or Twitter. The NLRB recently issued a report regarding the cases it was involved in. I took a look at the report and was surprised at the types of things the NLRB says that private employers cannot fire employees for. (The report is a quasi&#45;advocacy document. 
Correction: it does not reflect the views of the NLRB, but those of its General Counsel, who is responsible for prosecuting cases before the NLRB.) Protected activity: Here are a few statements that the NLRB said were &#8220;protected activity&#8221; and therefore could not justify a firing: (a) salespeople who complained about the quality of snacks furnished by a car dealership&#45;employer at a client event; (b) employees who complained about the employer&#8217;s tax withholding practices (and the fact that they owed money); (c) social services non&#45;profit&#8217;s employee who posted that her coworkers did not do enough to help clients; (d) hospital employee who complained about a co&#45;worker&#8217;s absences; (e) employee who posted a negative remark about a supervisor in response to the supervisor&#8217;s request for an incident report. Unprotected activity: Here are a few that the NLRB said were not protected activity: (a) posting that a Wal&#45;Mart assistant manager was being a &#8220;super mega puta&#8221;; (b) Tweets by a journalist that criticized other media outlets and some with sexual content (after being warned); (c) bartender who posted about an employer&#8217;s tipping policy (in response to a non&#45;employee question); (d) employee who posted on her Senator&#8217;s wall about government contracts her employer had secured; (e) employee who posted about mentally disabled clients. Overly broad social media policies: The NLRB also offered guidance on when employer social media policies were overly broad: * * * The NLRB&#8217;s 24 page document purports to provide guidance and promises to be &#8220;of assistance to practitioners and human resource professionals,&#8221; but it left me scratching my head. The report should come with a strong disclaimer that anyone who reads it may find themselves more confused about social media terminations. 
I get that employees have a right to organize, and employers are prohibited from interfering with the activities of employees which fall into this category, but the report reflects a hyper&#45;nuanced view of what constitutes a complaint about the conditions of someone&#8217;s employment and what constitutes concerted activity. The report: NLRB Memo &#45; Memorandum OM 11&#45;74 (Aug. 18, 2011) (&quot;Report of the Acting General Counsel Concerning Social Media Cases&quot;)      Posting a Privacy Policy May Not Be Enough &#45; NARC to Enforce Industry Principles  (InfoLawGroup, 6 Sept 2011) &#45; If your company has a posted privacy policy, it may be a good time to confirm that the cookies, tracking technologies, and other activities currently being used on your web site or sites are still consistent with your existing policy and industry standards. The National Advertising Review Council (&quot;NARC&quot;) of the Better Business Bureau has recently stated that it will begin enforcing advertising industry privacy principles and publicly naming those companies who either aren&#8217;t complying with the principles or following their own privacy policies. For the more serious cases, NARC may even refer the matter to the FTC.      Nearly Half of Computer Users Get Software Illegally  (Hillicon Valley, 7 Sept 2011) &#45; Nearly half of the world&#8217;s computer users get most of their software illegally, according to a study released Wednesday by trade group Business Software Alliance. Researchers surveyed 15,000 personal computer users in 32 countries about how they acquire software. They found 47 percent of computer users acquire their software illegally most or all of the time, despite the fact that 71 percent profess support for intellectual property rights. In developing countries, the rates are even higher. In China, an important market for software developers, 86 percent of computer users get most of their software illegally. 
In Nigeria, the figure is 81 percent. The study found that 34 percent of computer users in the United States acquire their software illegally. According to the study, a majority of the people who acquire their software illegally mistakenly believe the methods are legal.     The Legality of Government Critical Infrastructure Monitoring  (Bruce Schneier, 7 Sept 2011) &#45; Mason Rice, Robert Miller, and Sujeet Shenoi (2011), &#8220;May the US Government Monitor Private Critical Infrastructure Assets to Combat Foreign Cyberspace Threats?&#8221; International Journal of Critical Infrastructure Protection, 4 (April 2011): 3&#45;13. Abstract: The government &#8220;owns&#8221; the entire US airspace &#45; it can install radar systems, enforce no&#45;fly zones and interdict hostile aircraft. Since the critical infrastructure and the associated cyberspace are just as vital to national security, could the US government protect major assets &#45; including privately&#45;owned assets &#45; by positioning sensors and defensive systems? This paper discusses the legal issues related to the government&#8217;s deployment of sensors in privately owned assets to gain broad situational awareness of foreign threats. This paper does not necessarily advocate pervasive government monitoring of the critical infrastructure; rather, it attempts to analyze the legal principles that would permit or preclude various forms of monitoring.     The Spy Who Tweeted Me: Intelligence Community Wants to Monitor Social Media  (Wired, 7 Sept 2011) &#45; A research arm of the intelligence community wants to sweep up public data on everything from Twitter to public webcams in the hopes of predicting the future. The project is the brainchild of the Intelligence Advanced Research Projects Activity, or Iarpa, a relatively new part of the spy community that&#8217;s supposed to help investigate breakthrough technologies. 
While other projects exist for predicting political events , the Open Source Indicators program would be perhaps the first that mines data from social media websites. The idea is to use automated analysis to sift through the deluge of publicly available data to help predict significant societal events, like a popular revolution. The nascent project, called &#8220;Open Source Indicators,&#8221; is just the latest move by the national security community to come to grips with the flood of information now available on social media. As Danger Room&#8217;s Lena Groeger has reported, it&#8217;s also intended to predict natural disasters or economic disruptions . The science underlying the project is the notion that early indicators of major social upheavals might be hidden in plain, socially&#45;networked sight. &#8220;Some of these changes may be indirectly observable from publicly available data, such as web search queries, blogs, micro&#45;blogs, internet traffic, financial markets, traffic webcams, Wikipedia edits, and many others,&#8221;  the announcement, published August 25, says  . &#8220;Published research has found that some of these data sources are individually useful in the early detection of events such as disease outbreaks, political crises, and macroeconomic trends.&#8221;      FUN   Our 5 Favorite Lawyer Videos on YouTube  (Bitter Lawyer, 7 Sept 2011) &#45; With the launch of YouTube in 2005, lawyers were not far behind in posting cheesy law firm videos. And they continue to post them at an alarming rate, churning out the good, the bad, and the embarrassingly ugly. We recently gave our intern a laptop and a dial&#45;up modem and asked her to search through years of YouTube videos to find the best. The result? Our top five lawyer YouTube videos. While far from perfect, they are definitely full of VHS awesomeness. Enjoy.      LOOKING BACK &#45; MIRLN TEN YEARS AGO   WEB SITES PULL INTELLIGENCE DATA (AP, 4 October 2001)&#8212;Before Sept. 
11, you could have visited the Federation of American Scientists&#8217; Web site for diagrams and photos of U.S. intelligence facilities. You could have gone to another Web site and learned of gatherings at North Dakota&#8217;s Minot Air Force Base. And you could have gone online and ordered maps of military installations. No longer. Concerned they could be aiding terrorists, some government and private Web sites have decided to stop sharing quite so much potentially sensitive data. Such measures would not prevent terrorists from turning to libraries or even other Web sites for information that could be useful in attacks. &#8220;But that is not a justification for publishing it in easily accessible ways. Let them work for it,&#8221; said Steven Aftergood, senior research analyst at the scientists&#8217; group. The private organization removed from the Web its research containing locations, building layouts and aerial images of intelligence offices, some unacknowledged by the U.S. government. Also removed were details on nuclear sites abroad. The National Imagery and Mapping Agency suspended online and offline sales of maps of military installations as well as its highest&#45;resolution maps of other U.S. locations. The U.S. Office of Pipeline Safety now restricts its mapping software and pipeline data to industry and government officials, while the Environmental Protection Agency removed information on chemical plants and their emergency response plans. &#8220;People have a right to know what kinds of risks there are, but unfortunately terrorists are people, too,&#8221; said Jim Makris, the EPA&#8217;s emergency coordinator. The reports are still available in EPA reading rooms, but Makris said identification is required.  
http://dailynews.yahoo.com/h/ap/20011003/tc/attacks_net_censorship_4.html    IP PHONE CALLS ARE SHAKING UP THE TELECOM INDUSTRY One in 33 voice phone calls were transmitted via the Internet last year, and traditional telecom companies are beginning to sit up and take notice. IP (Internet protocol) telephony has made great strides in the last couple of years, eliminating most of the clunky technical features that relegated it to second&#45;tier status. Currently, most user&#45;friendly Internet calling services provide callers with a local access number. The caller dials that number to get a second dial tone, and then completes his or her phone call, using a personal access code. The International Telecommunication Union estimates that by 2004, up to 40% of all international telephone traffic will be Internet&#45;based. &#8220;Price and cost savings are driving the market,&#8221; says ITU official Tim Kelly. An ITU survey found the cost of a one&#45;minute call from the U.S. to Australia over a traditional phone line cost 17 cents, but the price dropped to 8 cents through a Net&#45;based service. (Hollywood Reporter 7 Mar 2001) http://www.hollywoodreporter.com/</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-09-09T19:10:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 1&#45;20 August 2011 (v14.11)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_1_20_august_2011_v1411/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_1_20_august_2011_v1411/#When:17:22:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 1&#45;20 August 2011 (v14.11) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC  (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   NEWS  | RESOURCES  | LOOKING BACK  | NOTES     A Case for Pseudonyms    Second Annual Ponemon Cost of Cyber Crime Study is Released    FINRA to Issue More Guidance on Social Media    Newspaper&#8217;s Discussion About Trademark Owner Protected as Nominative Use    Do Changes to a Blog Post&#8217;s URL and the Site&#8217;s Metatags Restart the Statute of Limitations?    Public Porn Prevents Policeman&#8217;s Privacy    Law Firms Restricting Use of Social Media Demonstrates Lack of Trust    Sixth Circuit: Email and Phone Advocacy Campaign Can Violate the Computer Fraud &amp;amp; Abuse Act    As Hackers Steal Up to $1B Annually from Biz Bank Accounts, Victims May Have No Recourse    Are You Prepared for a Disaster? If Not, It&#8217;s Time to Get Your House in Order!    The DA Thinks You Are Liberal    Army to Shut Down eArmyU    Hostile Witness    ABA Releases &#8220;Managing E&#45;Discovery and ESI&#8221; &#45; An Excellent Resource    Offensive Cyber Tools to Get Legal Review, Air Force Says    A Legal Guide for Digital Journalists    Making Clouds Less Ominous    Monitoring School&#45;Issued Email Accounts    Revealed: Operation Shady RAT    &#8216;The Economist&#8217; Examines Emerging Alternatives to Traditional Law Firms    A Look at Texas&#8217;s New Anti&#45;SLAPP Law    Friending for Evidence    Navy Issues Online Guide to Google+    Law Firms on Facebook: 5 Examples of &#8216;Doing It Right&#8217;    As the Gavels Fell: 240 Years at Old Bailey    New Notaries Needed For SSL Certs    U.S. Court Fends Off Foreign Wiretap Orders         A Case for Pseudonyms  (EFF, 29 July 2011) &#45; There are myriad reasons why individuals may wish to use a name other than the one they were born with. 
They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a name that&#8217;s easier to pronounce or spell in a given culture. Online, the reasons multiply. Internet culture has long encouraged the use of &#8220;handles&#8221; or &#8220;user names,&#8221; pseudonyms that may or may not be tied to a person&#8217;s offline identity. Longtime online inhabitants may have handles that have spanned over twenty years. Pseudonymous speech has played a critical role throughout history as well. From the literary efforts of George Eliot and Mark Twain to the explicitly political advocacy of Publius in the Federalist Papers or Junius&#8217; letters to the Public Advertiser in 18th century London, people have contributed strongly to public debate under pseudonyms and continue to do so to this day. A new debate around pseudonymity on online platforms has arisen as a result of the identification policy  of Google+, which requires users to identify by &#8220;the name your friends, family, or co&#45;workers usually call you&#8221;. This policy is similar to that of Facebook&#8217;s which requires  users to &#8220;provide their real names and information.&#8221; Google&#8217;s policy has in a few short weeks attracted significant attention both within the community and outside of it, sparking debate as to whether a social platform should place limits on identity. A considerable number of Google+ users have already experienced account deactivation as a result of the policy, which Kirrily &#8220;Skud&#8221; Robert, a former Google employee kicked off the service for identifying as &#8220;Skud,&#8221; has closely documented . [Editor: interesting.]       Second Annual Ponemon Cost of Cyber Crime Study is Released  (Ponemon Institute, 2 August 2011) &#45; Today we released our Second Annual Cost of Cyber Crime Study. 
Our findings support other research studies suggesting increases in the frequency, severity and overall cost of cyber attacks on private and public sector organizations. [Editor: Very interesting analysis, with a US focus. Summary PowerPoint here. Biggest cost categories were information loss, business disruption, and revenue loss. Most&#45;affected industries are defense, utilities/energy, and financial services. Oddly, smaller companies seem to have larger losses; larger companies face worse rogue&#45;insider threats.]       FINRA to Issue More Guidance on Social Media  (MoFo, 3 August 2011) &#45; Social media continues to be a priority of the Financial Industry Regulatory Authority, Inc. (&quot;FINRA&quot;), and we can expect more guidance soon, according to a top official. The official, FINRA Chairman and CEO Richard G. Ketchum, recently noted that FINRA&#8217;s Social Networking Task Force continued to examine issues relating to the use of social media by member firms, but had yet to release new guidance on the topic. He said that FINRA intended to provide further guidance on social media issues this year. FINRA last issued guidance on this topic in Regulatory Notice 10&#45;06. The Social Networking Task Force, which was organized by FINRA in 2009, is composed of FINRA staff and industry representatives. The task force discusses how firms and their registered representatives can use social media sites for legitimate business purposes in a manner consistent with investor protection. Regulatory Notice 10&#45;06, which included input from the task force, provides significant guidance with respect to social media issues, but the landscape of social media is constantly changing, leaving many open questions. Social media issues are currently hot topics, and many firms are finding it hard to wait for FINRA&#8217;s guidance. 
In May 2011, a leading retail brokerage firm announced its intention to allow its advisers certain access to social media sites, such as Twitter and LinkedIn, but no other major American wealth management firm has done so. In light of Mr. Ketchum&#8217;s announcement, and given the desire of broker&#45;dealers to use social media, we believe it is a good time to review FINRA&#8217;s current position on social media matters, most of which is described in Regulatory Notice 10&#45;06. * * *      Newspaper&#8217;s Discussion About Trademark Owner Protected as Nominative Use  (Eric Goldman, 3 August 2011) &#45; I&#8217;m sure any trademark experts reading this post are scratching their heads at the blog post title. Newspapers discussing a trademarked product qualify for the nominative use defense. Well, duh. Why is that even a question that needs to be answered? Well, because sometimes trademark owners bring asinine lawsuits. In particular, this case may be part of an emerging trend in the surgical procedure industry to misuse trademark law as a weapon against unwanted criticism. See, e.g., the Lifestyle Lift cases (1, 2). This case involves the Lap Band surgical procedure. 1 800 GET THIN is a marketing agent for the procedure. The LA Times has repeatedly criticized the Lap Band. In one passage, it arguably implied that 1 800 GET THIN provided the procedure rather than just marketed it. Even against a pushover defendant, this is a weak point to gripe about. But against a well&#45;regarded journalistic institution like the LA Times, there&#8217;s simply no point in tangling in court. Yet, 1 800 GET THIN still cranked up the machinery of justice. Predictably, the court expends few words in tossing the false designation of origin claim on nominative use grounds. The court also tosses the Lanham Act false advertising claim because the news article was editorial content, not advertising. 
This outcome was so predictable that most trademark litigators probably would have advised 1 800 GET THIN that it had no chance of winning and it should not even try. In fact, the LA Times may very well extract some cash out of 1 800 GET THIN for bringing such a weak case. The case doesn&#8217;t mention an anti&#45;SLAPP motion, but this case seems tailor&#45;made for anti&#45;SLAPP protection. Otherwise, it&#8217;s a strong candidate for a Lanham Act fee shift and perhaps Rule 11 sanctions. Despite the &#8220;sun rising in the East&#8221; nature of this case&#8217;s legal outcome, I still wanted to highlight it because it reminds us that trademark law&#8217;s overexpansive sweep creates several problems. (I discuss these concerns in more detail in my paper, Online Word of Mouth and its Implications for Trademark Law). First, to the extent such a thing exists, this was an example of trademark bullying. The LA Times isn&#8217;t an easy target for bullying, but smaller defendants will just capitulate in the face of 1 800 GET THIN&#8217;s trademark threats. Second, the LA Times didn&#8217;t make a trademark &#8220;use&#8221; at all. We should have never reached the nominative use defense because there was no trademark use in the first place. The fact that courts aren&#8217;t gatekeeping at that level lets weak trademark cases get further than they should. In this situation, relying on the nominative use defense works fine in the Ninth Circuit but is dicey in other circuits that don&#8217;t cleanly recognize a nominative use defense. Third, if the LA Times doesn&#8217;t get 100% compensation from 1 800 GET THIN, then a travesty still occurred even though the LA Times prevailed in court. A final thought. Having seen so many such lawsuits, I must admit that I become more suspicious of any trademark owner who resorts to completely meritless trademark litigation. It makes me wonder what they are trying to hide. 
In this case, the fact that the Lap Band and 1 800 GET THIN desperately grasped at legal straws makes me more skeptical of the legitimacy of their offerings. Case is 1 800 GET THIN v. Hiltzik , 2:11&#45;cv&#45;00505&#45;ODW &#45;E (C.D. Cal. July 25, 2011)       Do Changes to a Blog Post&#8217;s URL and the Site&#8217;s Metatags Restart the Statute of Limitations?  (Volokh Conspiracy, 3 August 2011) &#45; An interesting decision, stemming from the Wolk v. Olson litigation. Here&#8217;s the legal background: A publisher is generally not liable once the statute of limitations (generally a year or longer) has run since the original publication. At that point, under the &#8220;single publication rule&#8221; &#45; which is generally accepted in most states, and has generally been applied to the Internet in the cases that have considered the issue &#45; no further lawsuits can be brought based on the original post, even if the publisher eventually learns that the post is false. The mere fact that a blog post is being copied to a reader&#8217;s computer each time it&#8217;s accessed doesn&#8217;t constitute a new publication that restarts the statute of limitations. But do changes to the post constitute a republication, and restart the statute? Sufficiently substantive changes might, but for modest changes &#45; such as most changes in a URL &#45; the answer is likely no. A few cases have so held, see Canatella v. Van De Kamp (9th Cir. 2007) and In re Davis (W.D. Ky. 2006); the judge in this case suggested that she took a similar view, though she ultimately decided the case on other grounds * * *      Public Porn Prevents Policeman&#8217;s Privacy  (Steptoe, 4 August 2011) &#45; An Illinois Appellate Court has ruled that an employer that monitored the communications of an employee did not violate Illinois&#8217; eavesdropping law (720 ILCS 5/14). The employee, a police officer, had been surfing pornography websites on a workplace computer. 
Even though Illinois law requires the consent of all parties to an electronic communication before monitoring is allowed, the law defines &#8220;electronic communication&#8221; narrowly, as a communication that both the &#8220;sending&#8221; and &#8220;receiving&#8221; parties intend to be private. The court reasoned that because the porn sites did not intend their outgoing communications to be private, the officer&#8217;s surfing was not covered by the eavesdropping law.       Law Firms Restricting Use of Social Media Demonstrates Lack of Trust  (Kevin O&#8217;Keefe, 4 August 2011) &#45; Boston lawyer and management consultant, Jay Shepherd, joined the discussion on law firms restricting their employees&#8217; use of social media with a post at the Above the Law yesterday. In addition to the reasons against restricting the use of social media shared by Arik Hanson and me, Shepherd says restricting use of social media demonstrates lack of trust.  [F]irms that restrict or censor their lawyers&#8217; computer activities are telling them that they don&#8217;t trust these professionals to do their work. Rules like this end up replacing actual management, where partners actually pay attention to whether work gets done well and timely. Imagine if a firm banned the use of everything that its lawyers could use to chat with family and friends, check movie times, or shop for clothes or airline tickets. In other words, the lawyers couldn&#8217;t have freakin&#8217; telephones on their desks. (I flat&#45;out stole this notion from a Golden Practices blog post.) Small&#45;firm owners: If you trust your younger lawyers to have a telephone, then you also need to trust them with social media. It&#8217;s 2011 (pronounced &#8220;twenty&#45;eleven&#8221;).  It&#8217;s not just lawyers in small firms ala Shepherd who think law firms restricting the use of social media by lawyers is a little nuts. 
Seattle&#8217;s Bruce Johnson, a leading First Amendment Attorney with Davis Wright Tremaine, upon hearing that upwards of 45% of law firms were restricting the use of social media commented on this blog&#8217;s Facebook Page, &#8220;...[T]hat is stunning. It&#8217;s like ordering lawyers not to have or use business cards.&#8221;       Sixth Circuit: Email and Phone Advocacy Campaign Can Violate the Computer Fraud &amp;amp; Abuse Act  (Eric Goldman&#8217;s blog, 4 August 2011) &#45; I blogged about a case involving a labor dispute between Pulte Homes and Laborers&#8217; International Union of North America (LIUNA). After Pulte terminated a LIUNA member for alleged misconduct and poor performance, LIUNA became embroiled in a labor&#45;relations dispute with Pulte. LIUNA allegedly exhorted its members and others to &#8220;bombard Pulte&#8217;s sales offices and three of its executives with thousands of phone calls and e&#45;mails.&#8221; LIUNA allegedly hired an auto&#45;dialing service and encouraged its members to call Pulte. It also engaged in a web&#45;based email campaign where it encouraged visitors to its website to &#8220;fight back&#8221; and send e&#45;mails to &#8220;specific Pulte executives.&#8221; Pulte sued LIUNA, asserting claims under the Computer Fraud and Abuse Act and state law. The district court denied Pulte&#8217;s request for an injunction and dismissed Pulte&#8217;s claims. Here is my blog post covering the district court&#8217;s ruling: &#8220;Web&#45;based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act.&#8221; The Sixth Circuit reversed the district court&#8217;s ruling, finding that a phone or email bombardment campaign can constitute a violation of the Computer Fraud and Abuse Act. Case is Pulte Homes, Inc. v. Laborers&#8217; Int&#8217;l Union, et al. , 09&#45;2245; 10&#45;1673 (6th Cir. 
Aug 2, 2011)   top       As Hackers Steal Up to $1B Annually from Biz Bank Accounts, Victims May Have No Recourse  (ABA Journal, 4 August 2011) &#45; Some $43 million was stolen in conventional bricks&#45;and&#45;mortar robberies, heists and stickups of U.S. banks last year. Meanwhile, cybercrooks stole hundreds of millions in what is being called a national security threat. The exact amount isn&#8217;t known. But security experts say up to $1 billion annually is being taken by hackers through online schemes targeting commercial accounts. That&#8217;s particularly bad news for the businesses, including law firms, that own the accounts, because their losses, unlike thefts from bank accounts held by individuals, often aren&#8217;t covered by federal deposit insurance, Bloomberg reports. Small businesses &#8220;just don&#8217;t have any clue, and everyone expects their bank to protect them,&#8221; Avivah Litan of computer analyst Gartner Inc. tells the news agency. &#8220;Businesses are not equipped to deal with this problem, and banks are barely equipped.&#8221; Sophisticated software and appropriate anti&#45;fraud procedures can offer significant protection against hacking, the article says, but businesses&#45;and many banks&#45;are operating with less&#45;than&#45;optimum setups. As large sums of money are sometimes literally stolen by far&#45;distant hackers under the shocked gaze of victimized business employees, neither banks nor law enforcement, seemingly, can do much to help. Using inexpensive malware that allows them to take over the computer&#8217;s operations as if they were sitting at the keyboard, cybercriminals, often based in Eastern Europe, can route large sums of money via the Internet to confederates or accounts they control. Valiena Allison, CEO of Experi&#45;Metal Inc., for instance, got a call from her bank one morning a couple of years ago about a wire transfer. She hadn&#8217;t authorized it, and said so. 
But the company&#8217;s infected computer had, and over $5 million had been stolen, in unauthorized transfer after unauthorized transfer, by the end of the day. The bank recovered all but about $500,000 of the money. But that was the company&#8217;s loss, the bank said, because it had allowed its computer system to be taken over as a result of falling victim to a phishing scheme. A federal judge in Michigan last month disagreed, however, finding that the bank should have refused the transfer instructions due to facts including their frequency and the locations (Estonia and Russia) to which the money was being sent, Lori Desjardins of Pierce Atwood wrote in a recent Lexology (reg. req.) post. A Maine&#45;based business, Patco Construction Inc., saw $500,000 siphoned from its accounts over a couple of days in 2009, and has now gone back to paper checks, as an earlier ABAJournal.com post details. A federal magistrate judge in a May recommendation said Patco had to take the loss concerning some $345,000 that the bank couldn&#8217;t recover. And a U.S. District Judge in Portland agreed, holding in a written opinion (PDF) today that Patco agreed with the bank&#8217;s security procedures.   top       Are You Prepared for a Disaster? If Not, It&#8217;s Time to Get Your House in Order!  (ABA Annual meeting, 7 August 2011) &#45; Disasters &#45; everything from hurricanes and tornadoes to a computer virus or a flood in your basement &#45; were on the agenda at a program Saturday during the American Bar Association Annual Meeting in Toronto. Whatever the unexpected life situation, the preeminent question is: Are you prepared? For the most part people hold a general belief that disasters happen to other people. Panelists at the program said they hope to turn that kind of thinking around, at least, in lawyers. &#8220;Disaster preparedness is cost&#45;effective and easy to integrate,&#8221; said Gary A. Munneke, a professor at Pace University School of Law, in New York. 
&#8220;When disaster strikes, there is not time to plan&#45;it&#8217;s simply time to react.&#8221; Munneke said there are three parts to the process: planning, response and recovery. &#8220;If lawyers are failing to plan, they are planning to fail,&#8221; said Catherine Sanders Reach, the director of the ABA Legal Technology Resource Center in Chicago. She admonished lawyers to &#8220;get your house in order.&#8221; Panelist David F. Bienvenu, chair of the ABA Special Committee on Disaster Response and Preparedness, lived through Hurricane Katrina in New Orleans. He was featured in a video about the need for all lawyers and firms to plan for a disaster. The video opened the program. &#8220;Are you prepared? It&#8217;s not a question of if, but when,&#8221; Bienvenu says in the video. Bienvenu said the ABA is not asking lawyers to do something the ABA has not done. The association has updated its business continuity plan and is working toward certification. The special committee also developed a guide  for lawyers/firms on developing their own business continuity plan.   top       The DA Thinks You Are Liberal  (InsideHigherEd, 8 August 2011) &#45; Whether professors lean left or are so liberal that they are biased  is much debated  in higher education and in American society. But in what may be a new twist, the Nevada Supreme Court last week upheld the exclusion of a faculty member from a jury. His disqualifying trait? Being a professor. The ruling came in an appeal of a drug sale conviction in a case in which a professor was rejected for jury service. The professor was one of the peremptory challenges by the prosecution. While no reason needs to be given for peremptory challenges, in this case, the defense argued that minority citizens were being excluded with peremptory challenges. (The professor is identified in the court documents as a Middle Eastern computer science professor.) 
The prosecutor then defended the exclusion by saying that it had nothing to do with the potential juror&#8217;s ethnicity, but rather with his being a professor. &#8220;Professors are notoriously liberal,&#8221; the prosecutor said, according to the Supreme Court ruling, adding that &#8220;I just don&#8217;t like them on my juries, period.&#8221; The Nevada Supreme Court&#8217;s decision  doesn&#8217;t explore the issue of whether professors can be presumed to be liberal. Rather, it faults the defense for failing to challenge the exclusion sufficiently at the time it was made, or for presenting new evidence that the argument was pretextual or otherwise illegitimate.   top      Army to Shut Down eArmyU  (Army Times, 8 August 2011) &#45; The eArmyU civilian education option that has provided distance learning support services to 64,000 soldiers over the past decade will be shuttered next year. The 1,429 soldiers enrolled in the program today may continue to register for eArmyU courses until March 31, 2012 even if a course runs past the shutdown date. Each of the soldiers has been sent a letter by the Human Resources Command, encouraging them to continue taking eArmyU classes until March 31, when they will be transitioned to regular tuition assistance. HRC officials said many of these soldiers are simultaneously enrolled in traditional tuition assistance courses, so they are familiar with that program. &#8220;While eArmyU has run successfully for 10 years, it has reached a point of maturity, essentially meeting its recruiting and retention objective (and) increasing soldiers&#8217; participation in their own education development,&#8221; said Command Sgt. Maj. Bruce A. Lee, command sergeant major of the Human Resources Command. Online courses leading to degrees today account for nearly 78 percent of tuition assistance enrollments, which is a major reason why the eArmyU option is being discontinued. 
Today more than 1,500 schools offer online degrees within the traditional tuition assistance portal of GoArmyEd, compared to 30 available under eArmyU.   top      Hostile Witness  (InsideHigherEd, 9 August 2011) &#45; These days there are enough blogs on the theme that law school is a scam that there are multiple blogrolls  on the subject, where readers can pick among First Tier Toilet! , Fluster Cucked , Subprime JD , Tales of a Fourth&#45;Tier Nothing  and more. Most of these blogs are run by law students or recent graduates frustrated by a lousy job market, student loan debt and a feeling that they were ripped off by their law schools. Another unemployed lawyer blog probably wouldn&#8217;t attract much attention, but these &#8220;scam&#8221; bloggers have been abuzz about the latest arrival on their blogrolls: a blog sharing many of their points of view, but written by a tenured law professor. &#8220;I can no longer ignore that, for a very large proportion of my students, law school has become something very much like a scam,&#8221; says the introductory post of the blog, Inside the Law School Scam.  &#8220;Yet there is no such thing as a &#8216;law school&#8217; that scams its students&#8212;law schools are abstract social institutions, not concrete moral agents. When people say &#8216;law school is a scam,&#8217; what that really means, at the level of actual moral responsibility, is that  law professors are scamming their students.&#8221; The professor has gone on in subsequent posts to describe his law faculty colleagues as overpaid, and as inadequate teachers. &#8220;The typical professor teaches the same classes year after year. Not only that&#8212;he uses the same materials year after year. I&#8217;m not going to bother to count&#8212;this is law school after all, and we don&#8217;t do empirical research&#8212;but I bet that more than half the cases I teach in my required first&#45;year course were cases I first read as a 1L 25 years ago. 
After all I use the same casebook my professor used. I even repeat some of his better jokes (thanks Bill),&#8221; says one post.  And that was followed by another  criticizing the gradual decline in teaching loads of professors at law schools (a trend that has been documented elsewhere ), and arguing that students are paying quite a bit for minimal teaching time and effort. Of his fellow law professors, he writes: &#8220;They are like the most burnt out teachers at your high school, if you went, as I did, to a middling&#45;quality public school. But with this difference: the most burnt&#45;out teachers at your high school still had to show up for work for seven hours a day. Also, they didn&#8217;t get paid $200,000 (or even quite a bit more) per year. And you didn&#8217;t pay $50,000 a year for the benefit of their talents.&#8221; And LawProf says he&#8217;s just getting started. The author identifies himself only as &#8220;a tenured mid&#45;career faculty member at a Tier One school.&#8221; He agreed to reveal his identity to Inside Higher Ed,  and his description is accurate.   top       ABA Releases &#8220;Managing E&#45;Discovery and ESI&#8221; &#45; An Excellent Resource  (Sharon Nelson, 10 August 2011) &#45; I was recently honored to get an advance copy of  Managing E&#45;Discovery and ESI   , a wonderful new sourcebook from the American Bar Association authored by Michael Berman, Courtney Barton and the Honorable Paul Grimm, in conjunction with a stellar cast of contributors. My first reaction to the breadth and scope of the book was simply &#8220;wow!&#8221; At over 800 pages, the book moves with assurance and expertise from pre&#45;litigation through trial. Rather than having too many cooks in the kitchen, the numerous authors represent a collective wisdom about e&#45;discovery, with each having niche areas of keen knowledge.   
top      Offensive Cyber Tools to Get Legal Review, Air Force Says  (Secrecy News, 10 August 2011) &#45; Even the most highly classified offensive cyberwar capabilities that are acquired by the Air Force for use against enemy computer systems will be subject to &#8220;a thorough and accurate legal review,&#8221; the U.S. Air Force said in a new policy directive  (pdf). The directive assigns the Judge Advocate General to &#8220;ensure all cyber capabilities being developed, bought, built, modified or otherwise acquired by the Air Force that are not within a Special Access Program are reviewed for legality under LOAC [Law of Armed Conflict], domestic law and international law prior to their acquisition for use in a conflict or other military operation.&#8221; In the case of cyber weapons developed in tightly secured Special Access Programs, the review is to be performed by the Air Force General Counsel, the directive said. See &#8220;Legal Reviews of Weapons and Cyber Capabilities,&#8221;  Air Force Instruction 51&#45;402, 27 July 2011. The Air Force directive is somewhat more candid than most other official publications on the subject of offensive cyber warfare. Thus, &#8220;for the purposes of this Instruction , an Air Force cyber capability requiring a legal review prior to employment is any device or software payload intended to disrupt, deny, degrade, negate, impair or destroy adversarial computer systems, data, activities or capabilities.&#8221; On the other hand, cyber capabilities requiring legal review &#8220;do not include a device or software that is solely intended to provide access to an adversarial computer system for data exploitation,&#8221; the directive  said.   top      A Legal Guide for Digital Journalists  (Robert Ambrogi, 12 August 2011) &#45; Although it was launched in June, it has taken me this long to get around to checking out the Digital Journalist&#8217;s Legal Guide  created by the Reporters Committee for Freedom of the Press . 
Now that I&#8217;ve had the chance to explore it, I have no doubt this will quickly become an essential resource both for established journalists and independent bloggers. The guide is designed to provide legal guidance to anyone who disseminates news online. It covers key areas of media and access law: access to courts, copyright and trademark, censorship, Internet regulation, invasion of privacy, libel, newsgathering, open records and meetings, and sources and subpoenas. The guide is layered in a way that allows a user to get quick answers on a topic and also drill down deeper into it. The front page of each section contains a summary of the applicable legal principles, answers to common questions about the topic, and links to pages that provide more detailed discussions about specific aspects of the topic. These section front pages also include links to relevant news articles from the RCFP website covering actual court cases and legal stories. Those links are effective at helping to illustrate how these legal principles are applied in real&#45;world situations. Well before it published this guide, the RCFP&#8217;s website was already the preeminent source of legal guidance for journalists. Over the years, RCFP has published an array of legal guides on First Amendment, access, privacy, privilege and other media&#45;law issues.   top       Making Clouds Less Ominous  (InsideHigherEd, 12 August 2011) &#45; A group of 12 high&#45;profile research universities is currently negotiating with commercial e&#45;mail providers to create a standard contract that would reduce the costs and anxieties associated with outsourcing the handling of sensitive institutional data to cloud&#45;based vendors. 
If successful, the talks could pave the way for universities to move other types of data to the cloud &#45; a migration that has been stalled by persistent concerns among institutions that are worried about putting sensitive university data on non&#45;university servers, campus technology officials say. The discussions might also provide a model for other joint contracts between universities and technology vendors. Companies that run university e&#45;mail systems negotiate individual contracts with their various clients. These negotiations often involve haggling over whether the company can provide its services in a way that does not put the university at risk of violating state and federal laws &#45; as well as its own policies &#45; regarding privacy, data security, accessibility, and other matters. &#8220;Every time we go to vendors, we start those conversations anew &#45; it&#8217;s like Groundhog Day ,&#8221; says James Hilton, the CIO of the University of Virginia, one of the institutions involved in the talks. &#8220;It&#8217;s inefficient on their side, and it&#8217;s inefficient on our side.&#8221; The idea behind the group push for a standard contract is to &#8220;aggregate some of our terms and needs upfront and just do it once,&#8221; Hilton says. According to campus officials, the 12 universities have been hammering out the details of a possible standard contract with cloud&#45;based e&#45;mail vendors for the last year or so. The universities at the table include Virginia, Duke University, and 10 other &#8220;premier research universities,&#8221; says Hilton. (The effort grew out of conversations among members of the Common Solutions Group , a consortium that includes six universities from the Ivy League and five from the Big Ten.) On the vendor side, Microsoft, the second&#45;largest e&#45;mail provider for colleges and universities, confirmed that it is involved in the talks. The largest provider, Google, would not comment. 
The most salient concerns around outsourcing to cloud providers &#45; compliance with the Family Education Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Americans With Disabilities Act (ADA), and other laws &#45; are common to many colleges and universities. A standard document addressing those concerns could allow institutions and cloud&#45;based vendors to check off compliance issues with a single stroke, eliminating many billable hours on both sides of the negotiating table, says Tracy Futhey, the CIO at Duke.   top       Monitoring School&#45;Issued Email Accounts  (Dan Solove, 14 August 2011) &#45; A recent case provides some guidance about when schools can monitor email accounts they issue to students. In  Reichert v. Elizabethtown College   , 2011 WL 3438318 (E.D.Pa. August 5, 2011), a troubled student (Christopher Reichert) had a heated exchange with the chairman of the education department, Dr. Carroll Tyminski. Afterwards, Tyminski arranged for Reichert&#8217;s email account to be monitored. Reichert sued under various federal and state electronic surveillance and computer misuse laws as well as a common law privacy tort.   top      Revealed: Operation Shady RAT  (McAfee White Paper, August 2011) &#45; For the last few years, especially since the public revelation of Operation Aurora, the targeted successful intrusion into Google and two dozen other companies, I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defense contractors, and perhaps Google. My answer in almost all cases has been unequivocal: absolutely. 
Having investigated intrusions such as Operation Aurora and NightDragon (the systemic long&#45;term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they&#8217;ve been compromised and those that don&#8217;t yet know. Lately, with the rash of revelations about attacks on organizations such as RSA, Lockheed Martin, Sony, PBS, and others, I have been asked by surprised reporters and customers whether the rate of intrusions is increasing and if it is a new phenomenon. I find the question ironic because these types of exploitations have occurred relentlessly for at least a half decade, and the majority of the recent disclosures in the last six months have, in fact, been a result of relatively unsophisticated and opportunistic exploitations for the sake of notoriety by loosely organized political hacktivist groups such as Anonymous and Lulzsec. On the other hand, the targeted compromises we are focused on&#45;known as advanced persistent threats (APTs)&#45;are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat. 
What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth&#45;closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more has &#8220;fallen off the truck&#8221; of numerous, mostly Western companies and disappeared in the ever&#45;growing electronic archives of dogged adversaries. [Editor: wow.]   top       &#8216;The Economist&#8217; Examines Emerging Alternatives to Traditional Law Firms  (Law.com, 15 August 2011) &#45; In an article  last week, The Economist takes a look at a few ways that technology is providing clients with alternatives to traditional law firms. These alternatives include things like LawPivot, which some have compared to &#8220;Quora for legal advice.&#8221; [Note to self: Learn what Quora is so that I can possibly then understand what LawPivot is.] They also include &#8220;unconventional law firms&#8221; such as Axiom  and Clearspire  that are pursuing new business models. I have mentioned Axiom before, noting its highly personal approach to the law firm website, which includes huge, day&#45;in&#45;the&#45;life photos of Axiom lawyers doing things like gardening, having breakfast with their families or dancing. The Economist adds that Axiom, which is now 11 years old, has been able to grow its revenue steadily as companies seek ways to trim their legal spending: from $55 million in 2008, to $80 million in 2010, to an expected $120 million in 2011. Axiom differs from most firms in that it typically does not charge by the hour, but rather agrees to a flat fee for a project or for a set period of time that one of its teams will be engaged. 
It is also different from most law firms in that it employs only experienced lawyers, maintains little office space and charges significantly lower rates than most big law firms (about $200 an hour for highly experienced lawyers, according to a Daily Journal  article  written early in 2010). Another law firm discussed by The Economist is Clearspire. Clearspire is made up of approximately 20 lawyers who work from home but &#8220;collaborat[e] on a multi&#45;million&#45;dollar technology platform that mimics a virtual office.&#8221; Clients can use the platform, as well, to do things like make changes to their own documents. With respect to billing, The Economist states that:  From the start, Clearspire offers cost estimates for each phase of a legal job. Employees who underestimate how long it will take cannot simply jack up the bill&#45;they must take the hit themselves. But if a lawyer finishes his work faster than promised, he gets a third of the savings. The client also gets a third, as does Clearspire. This gives everyone a stake in making the process more efficient and predictable.  Clearspire also has an unusual, dual corporate structure: it consists of a law firm with salaried lawyers, and also a separate entity that is responsible for business development.   top      A Look at Texas&#8217;s New Anti&#45;SLAPP Law  (CMLP, 15 August 2011) &#45; Back in mid&#45;June, Texas&#8217;s new anti&#45;SLAPP law finally took effect  . (Since the bill passed both houses of the Texas legislature unanimously, it took effect immediately when Gov. Rick Perry signed it.) The CMLP&#8217;s legal guide is updated  to reflect the new statute. It&#8217;s a good bill, and the whole &#8220;unanimous passage&#8221; part is a good sign for the larger anti&#45;SLAPP project, so it&#8217;s worth taking a moment to see how the Texas statute stacks up. 
The new law (the &#8220;Citizens Participation Act&#8221;) casts a wide net: it covers any exercise (in any medium) of free speech, petition, or association rights. That sounds nice in the abstract, but the trick is in the definitions. The &#8220;right of association&#8221; doesn&#8217;t get any clarification beyond reference to &#8220;individuals who join together to collectively express, promote, pursue, or defend common interests,&#8221; but that could provide some interesting arguments for defendants getting sued for posts on message boards and the like. It doesn&#8217;t limit protections to &#8220;matters of public concern,&#8221; like other sections: here, all we have are &#8220;common interests,&#8221; which could be a very broad provision indeed. And the text of the &#8220;right of association&#8221; section could even cover straight&#45;up person&#45;to&#45;person communication &#45; private emails, etc. The bill only requires those &#8220;individuals&#8221; to &#8220;communicat[e]&#8221; about &#8220;common interests.&#8221; If courts are willing, they could take that provision a very long way indeed. The statute also has a few bits that tip the scales slightly in favor of the little guy. Like I said, communications about goods and services in the marketplace are protected, but only from the customer end: businesses can&#8217;t use the anti&#45;SLAPP statute to kill lawsuits against them over their advertising. And if a defendant frivolously tries to use the statute, they &#8220;may&#8221; (not &#8220;must&#8221; or &#8220;shall&#8221;) be on the hook for some of the plaintiff&#8217;s legal fees, but there&#8217;s no punitive damage award running from defendants to plaintiffs. (That&#8217;s in contrast to, say, Washington&#8217;s law, which levies identical damage awards against SLAPP&#45;happy plaintiffs or against defendants who frivolously use the anti&#45;SLAPP statute.) Speaking of those damage awards (look, ma! 
transitions!), Texas&#8217;s damage scheme is interesting when contrasted with a statute like Washington&#8217;s . When Washington recently updated their anti&#45;SLAPP statute, they based it heavily on California&#8217;s, but added damages above and beyond just recovering court costs and attorneys&#8217; fees. Washington&#8217;s new statute provides for an automatic $10,000 award, on top of the costs and fees. That&#8217;s a nice bit of deterrence, and has the benefit of consistency; against the massive plaintiffs that can use SLAPP suits to great effect, though, ten grand is a drop in the bucket. Texas takes a different approach: On top of the fees and costs, the court &#8220;shall&#8221; award the defendant damages &#8220;sufficient to deter the party who brought the legal action from bringing similar actions.&#8221; It&#8217;s not optional &#45; the judge has to give some sort of punitive damage award; the discretion lies in the size of the damages. It&#8217;ll be interesting to see how judges wield that provision; the flexibility could be useful in really bringing the hammer down on any big corporate plaintiffs while allowing some leniency for little&#45;guy plaintiffs who sue Michael Moore ( for example ). On the other hand, though, we have to trust judges to actually impose those big fines. And how would a judge figure out how big is big enough? Try to quantify the monetary value of shutting down a critic, then add $1? We&#8217;ll have to wait and see how judges handle that foggy mandate. All in all, though, the Texas anti&#45;SLAPP bill looks like a real beast.   top      Friending for Evidence  (Lawyerist.com, 15 August 2011) &#45; Are you completely ignoring social media? Are you blocking access to social media sites at your firm? Are you using social media to get evidence for trial? If you&#8217;re not careful, you may be violating your state&#8217;s ethics rules. Federal prosecutors are scouring the Facebook pages of defendants. 
More and more divorce cases include incriminating evidence captured on social media sites. As the use of social media evidence at trial continues to grow, some courts are beginning to delve into the ethical boundaries of obtaining such evidence and even a lawyer&#8217;s ethical obligations to provide competent representation. In their recent Law.com article,  Ethical Bounds of Using Evidence From Social Networks   , H. Christopher Boehning and Daniel J. Toal, provide a brief synopsis of recent decisions discussing how lawyers in certain jurisdictions may permissibly obtain information on social networking sites. Here are some areas the synopsis covers * * *   top      Navy Issues Online Guide to Google+  (FCW, 16 August 2011) &#45; Although Google+ has attracted more than 10 million users since its recent debut, many people in government are wondering what it is and how it ought to be used. Thanks to the Navy, now there is an overview of the new site. The Navy recently published a 13&#45;page online guide  titled &#8220;What&#8217;s the deal with Google+?&#8221; on the SlideShare website, providing a basic introduction to the new social networking site and how it could be used by individuals. The Navy&#8217;s presentation had been viewed by 606 people as of Aug. 16. [1480 views on 18 August] One of the first questions it tackles is whether Google+ is like Facebook or something different. According to the Navy, the new site is different and offers several advantages over Facebook. [Editor: quite useful]   top       Law Firms on Facebook: 5 Examples of &#8216;Doing It Right&#8217;  (JD Supra, 16 August 2011) &#45; We&#8217;re frequently asked to provide examples of &#8216;well&#45;done&#8217; law firm Facebook pages. Here&#8217;s a look at some of the pages we offer in response, with accompanying annotations to explain a few of the things we think each firm is doing well. 
This is by no means a complete list, nor a complete appraisal of &#8216;what makes a good law firm Facebook page.&#8217; As you will see, each page below includes some aspect or element that serves as a good example of what you might do to create your firm&#8217;s presence on Facebook.   top       As the Gavels Fell: 240 Years at Old Bailey  (NYT, 17 August 2011) &#45; For 240 years the grand parade of human greed, love, cruelty, longing, and foolishness was captured in the Proceedings, the published record of trials that took place at the Old Bailey, the central criminal court, in London. Now, powerful digital tools developed by an international team of researchers to search these trial reports and summaries have begun to offer new insights into the evolution of the justice system, the institution of marriage and changing morals. The Old Bailey offers a unique window into the criminal justice system and, by extension, British culture. The free searchable online archive, oldbaileyonline.org,  contains accounts of nearly 198,000 trials between 1674 and 1913. &#8220;It&#8217;s the largest body of accurately transcribed historical texts online,&#8221; said Tim Hitchcock , a historian at the University of Hertfordshire in England and part of the team. &#8220;All of human life is here.&#8221; Mr. Hitchcock argues that new methods of digitally analyzing and mapping the history of crime using the entire Proceedings will revise &#8220;the history of the criminal trial.&#8221; After scouring the 127 million words in the database for patterns in a project called Data Mining With Criminal Intent , he and William J. Turkel , a historian at the University of Western Ontario, came up with a novel discovery. Beginning in 1825 they noticed an unusual jump in the number of guilty pleas and the number of very short trials. Before then most of the accused proclaimed their innocence and received full trials. By 1850, however, one&#45;third of all cases involved guilty pleas. 
Trials, with their uncertain outcomes, were gradually crowded out by a system in which defendants pleaded guilty outside of the courtroom, they said. Conventional histories cite the mid&#45;1700s as the turning point in the development of the modern adversarial system of justice in England and Colonial America, with defense lawyers and prosecutors facing off in court, Mr. Hitchcock and Mr. Turkel said. Their analysis tells a different story, however. &#8220;Mapping all trials suggests that the real moment of evolution was in the first half of the 19th century,&#8221; with the advent of plea bargains that resulted in many more convictions, Mr. Hitchcock said. &#8220;The defendant&#8217;s experience of the criminal justice system changed radically. You were much more likely to be found guilty.&#8221; Last month the scholars submitted an article to the British journal Past and Present on their findings.   top      New Notaries Needed For SSL Certs  (ReadWriteWeb, 19 August 2011) &#45; Tim Greene, writing this week in Network World, brings up the latest developments in improving SSL certificates. As many of you recall, earlier this year we had two big security breaches involving these certs, including a situation where Comodo issued and then revoked a series of nine fake certs. While the fakes weren&#8217;t actually used, it was a close enough call. The problem is that your browser has a hard&#45;coded list of certificate authorities (CAs). If you haven&#8217;t ever been to this part of your browser settings, you can bring it up now (Firefox is Tools/Options/Advanced, Chrome is Tools/Options/Under the Hood, etc.) and see a long list of CAs, some from companies that you may recognize (Microsoft, Thawte, Verisign) and many from companies that you probably have never heard of. (How many of us had ever heard of Comodo before the cert hack reported earlier this year? My point exactly.) 
Every time you go to a site using https:, it checks in with these CAs to determine if the cert from the destination website is legit or not. Most of the current browser versions will report on the identity of the website in the address bar and whether or not it checks out. To combat the bad guys, many more sites are now using SSL protocols: Gmail now defaults to it for reading your emails is one notable example. But all this security infrastructure goes out the window if the certs can&#8217;t be trusted. Getting a cert is easy: it just costs money (here is one place you can comparison shop for them) and even your friendly registrar can quickly provide one. You can also self&#45;sign your website with your own cert, which will bring up a warning in most modern browsers for your visitors. When you purchase a cert, a chain of trust is established between the CA and your website using the cert, as you can see in the PayPal example above. But what if this circle of trust is compromised, as the character played so brilliantly by Robert DeNiro asks in the &#8220;Focker&#8221; films? That is why we need an Internet SSL notary public for SSL certs. Unlike the notaries that we all use from time to time for our paperwork, the process would involve a crowdsourced collection of certs that people already have trusted, rather than a single entity that would vet the certs from on high. And this being the Internet, of course there are two different proposed notary standards called Perspectives from a team at Carnegie Mellon and Convergence from an independent test lab. They both make use of Firefox plug&#45;ins, and both are relatively new and unused by the vast majority of sites and the browsing public. The idea is just like picking which search engine site you will use by default, you can also choose which collection of notaries to trust for your SSL certs. 
Whether these notary efforts will catch on isn&#8217;t a sure bet: indeed, they have to be widely deployed before they are truly useful, and support more than just Firefox browsers too. But we definitely are overdue for better SSL root CA infrastructure, otherwise we will suffer the same fate as Ben Stiller&#8217;s character.   top      U.S. Court Fends Off Foreign Wiretap Orders  (Steptoe, 18 August 2011) &#45; The common wisdom is that Europe is much more protective of privacy than the United States. Just last week, the New York Times featured a story about growing support in Europe for a &#8220;right to be forgotten&#8221; &#45; that is, to have information about oneself wiped off the Internet. But it&#8217;s important not to confuse &#8220;wisdom&#8221; with truth. A recent case illustrates why. In In re Dr. Jurgen Toft, a U.S. bankruptcy judge put the kibosh on German and English court orders that would have required U.S. email providers to intercept and disclose a German debtor&#8217;s emails. Aside from showing that European notions of privacy aren&#8217;t always what they&#8217;re cracked up to be, the case demonstrates the many different ways in which communications providers are confronted with demands for information. It also shows that the United States is hardly the only country that takes an expansive view of its authority to access communications in other countries.   top       RESOURCES   New Searchable Version of U.S. Code Website Launched by House in Beta  (BeSpacific, 17 August 2011) &#45; &#8220;The United States Code  is a consolidation and codification by subject matter of the general and permanent laws of the United States. 
It is prepared by the Office of the Law Revision Counsel of the United States House of Representatives.&#8221;   top       LOOKING BACK   INFORMATION OVERLOAD IS A STATE OF MIND A new study titled &#8220;The Next Big Thing&#8221; found surprising anecdotal evidence that people who receive the greatest volume of electronic information reported a greater ability to cope, while the group that feels the most overwhelmed has the least amount of data to deal with. &#8220;We went into the survey expecting to find people were really struggling. We were surprised to find they were thriving,&#8221; says the study&#8217;s publisher, Josh Clark. &#8220;Anecdotally, there are people out there who are feeling overwhelmed, but practice makes perfect. The people who are most comfortable practice dealing with high volumes of information, and they are coping beautifully.&#8221; The study&#8217;s authors caution that because their response group was predominantly male with 42% working in the technology sector, its results cannot be extrapolated to the entire U.S. population. Nevertheless, the comparatively high response rates for the study mean the results are meaningful, and the results bear out what previous studies and empirical evidence has shown&#8212;that simplicity is the key to success in the technology age. (Newsbytes 7 Jun 2001) http://www.newsbytes.com/news/01/166615.html    top    CAR SPY PUSHES PRIVACY LIMIT (ZDNET News, 20 June 2001)&#8212;Car renters beware: Big Brother may be riding shotgun. In a case that could help set the bar for the amount of privacy drivers of rental cars can expect, a Connecticut man is suing a local rental company, Acme Rent&#45;a&#45;Car, after it used GPS (Global Positioning System) technology to track him and then fined him $450 for speeding three times. The case underscores the ways that new technologies can invade people&#8217;s privacy, said Richard Smith, chief technologist at the not&#45;for&#45;profit Privacy Foundation. 
&#8220;Soon our cell phones will be tracking us,&#8221; he said. &#8220;GPS could be one more on the checklist here. Frankly, giving out speeding tickets is the job of the police, not of private industry.&#8221; http://www.zdnet.com/zdnn/stories/news/0,4586,2778752,00.html    top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-08-19T17:22:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 10&#45;30 July (v14.10)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_10_30_july_v1410/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_10_30_july_v1410/#When:15:49:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 10&#45;30 July (v14.10) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC  (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   COMING PROGRAM (ABA Annual meeting): &#8220;eAttorney, MiAttorney: How Technology Has Changed Communication and Collaboration With Clients.&#8221; August 5 from 8:30 a.m. to 10:00 a.m. at the Metro Toronto Convention Center, Room 716B, 700 Level, South Building. Panel: Daniel Schwartz, Michael Downey, Jordan Furlong, Dennis Kennedy.   READER COMMENTS   RE &#8220;  Catch Me If You Can  (Law Tech News, 1 June 2011)&#8221; from  MIRLN 14.09   : &#8220;Very interesting to see this in real life. It struck me back when I first started thinking about security and search that it is a security breach accelerator. It is possible to identify the presence of restricted documents with specific information by using carefully crafted full text search queries. This sounds like a very similar exploit. Search engine results need to enforce the same access/inclusion and reporting policies as access to the documents themselves. Proactive auditing of search queries is also a good idea. Not exposing document titles or content summaries is not enough &#45; any indication of a search match is enough.&#8221;  [Rob Pettengill]        Alabama Lawyer Group Sues Legalzoom, Wants Ban In State    DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools    Nothing Personal: How Database Licenses Make Pirates of Us All    How Digital Detectives Deciphered Stuxnet    DOJ: We Can Force You to Decrypt that Laptop    A New U.S. Law&#45;Enforcement Tool: Facebook Searches    Secret Service Descends on Artist For Mildly Creepy Public Photography    Judge Rules &#8220;Locker&#8221; Site is Not Direct Copyright Infringer    Study Finds 12.5% of Companies Violating Own Do&#45;Not&#45;Track Policies    Senators Ask Spy Chief: Are You Tracking Us Through Our iPhones?    
The Government Just Admitted For The First Time It Is Using Cell Phone Data To Track Your Location    How Khan Academy Is Changing the Rules of Education    Getty Images Says Google Plus Terms of Service is &#8220;OK&#8221;    Financial Services Industry Group Issues Social Media Guidance    Cooley Law School Sues Bloggers and Lawyers    NCAA Social Networking Regulations Provide Challenge for MU Compliance Department    Wikipedia Rolling Out Article Rating System    Multinational Employers Face Multiple Facebook Rulings    Social Media History Becomes a New Job Hurdle    Cyber Weapons: The New Arms Race    FFIEC Ups The Ante On Authentication    Uniform Electronic Legal Material Act approved by the Uniform Law Commission    Thousands of Scientific Papers Uploaded to The Pirate Bay    How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?    UK Government Clears Staff to Share Restricted Documents Via the Cloud Service    EU Cookies&#45;&#45;Where Did the Pieces Fall?    Sony Insurer Sues to Deny Data Breach Coverage    France Telecom to Bid Adieu to Minitel    With Digital Mapmaking, Scholars See History     NEWS  | LOOKING BACK  | NOTES      Alabama Lawyer Group Sues Legalzoom, Wants Ban In State  (Birmingham News, 10 June 2011) &#45; The DeKalb County Bar Association said today it has filed a lawsuit that asks a judge to bar the online forms company LegalZoom.com from doing business in Alabama, saying the Los Angeles&#45;based firm is engaging in the unauthorized practice of law. The suit filed in DeKalb County Circuit Court requests that LegalZoom be permanently prohibited from creating legal documents and related services for Alabama residents. Fort Payne attorney Daniel Campbell, president of the county&#8217;s bar association, said in a statement that LegalZoom&#8217;s offering of standard legal forms such as wills and incorporation papers that are then customized to the buyer&#8217;s preference has been prohibited by Alabama law for many years. 
&#8220;Alabama&#8217;s unauthorized practice of law statutes prohibit anyone who is not a lawyer from advising or counseling another person on legal matters, and from preparing or assisting another person in preparing any document or instrument such as a will or deed in Alabama,&#8221; the bar association said in a statement.   top       DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools  (FastCompany, 8 July 2011) &#45; A top Department of Homeland Security (DHS) official has admitted on the record that electronics sold in the U.S. are being preloaded with spyware, malware, and security&#45;compromising components by unknown foreign parties. In testimony before the House Oversight and Government Reform Committee, acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R&#45;UT) that both Homeland Security and the White House have been aware of the threat for quite some time. When asked by Rep. Chaffetz whether Schaffer was aware of any foreign&#45;manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that &#8220;I am aware of instances where that has happened,&#8221; after some hesitation. This supply chain security issue essentially means that, somewhere along the line, technology being marketed in the United States was either compromised or purposely designed to enable cyberattacks. Schaffer, who has an extensive background in cybersecurity and communications infrastructure management, did not elaborate on the compromised tech that DHS has encountered. However, he did emphasize that foreign components are found in many American&#45;manufactured devices. 
As a matter of sheer speculation, it is not hard to imagine computers, portable devices, and components marketed in the United States being purposely infected with malware, spyware, or other forms of security&#45;compromising software by request of either foreign companies or foreign governments. More worryingly, the hearing specifically mentioned hardware components as possibly being compromised&#45;&#45;which raises the questions of whether, perhaps, something as innocuous as Flash memory or embedded RFID chips could be used by interested foreign parties.     top     Nothing Personal: How Database Licenses Make Pirates of Us All  (InsideHigherEd, 11 July 2011) &#45; The other day, as I was tracking down the text of a classic article in JSTOR to refer to in a blog post, I was struck by the pop&#45;up box that required me to agree to terms of service before it would let me see the article. I actually read it this time instead of clicking through. It reads:  &#8220;Your use of the JSTOR archive indicates your acceptance of JSTOR&#8217;s Terms and Conditions . JSTOR&#8217;s Terms and Conditions provides, in part, that unless you have obtained prior permission, you may not download an entire issue of a journal or multiple copies of articles, and you may use content in the JSTOR archive only for your personal, non&#45;commercial use.&#8221;  This is standard database license language, though most databases don&#8217;t thrust it in your face every time you search. I understand discouraging people from downloading massive amounts of articles and doing evil things with them, like posting them online for anyone to read or putting them up on torrent sites. I get it. I wouldn&#8217;t do that. 
But even though I had clicked through that annoying pop up box any number of times, it suddenly struck me as a bit bizarre that in order to see a scholarly article in this paragon of scholarly databases, I have to swear I will do nothing with the material that might be for other than personal, non&#45;commercial use. Does that mean I can&#8217;t write about that article I looked up in places like this blog? This is, after all, public, and I just swore I would use the article only for personal use. Whoops! My bad. Would it mean I couldn&#8217;t use JSTOR in research for a book? D&#8217;oh! I&#8217;m certain I consulted databases when writing a book that earns me a hundred dollars every ten years or so. I should be ashamed of myself. In the past, libraries didn&#8217;t stop you at the door and demand that you agree to a pledge that you won&#8217;t in any way profit from your visit or use what you learned when visiting the library for some public purpose. We actually thought &#45; silly us! &#45; that libraries were meant to help you build new things and go public with ideas. (And crazy founders! They actually thought copyright would promote science and the useful arts! But that&#8217;s another story. We&#8217;re talking licenses, here.) Libraries don&#8217;t set policy for the use of materials, now, publishers and vendors do. JSTOR isn&#8217;t quite as strict as some databases. SciFinder Scholar instructs users to contact the company, er, society and pony up for a different service if they are doing research for a consulting job, and users agree that &#8220;I will delete stored records when I no longer need them for the relevant research project, or after the completion of my degree program, whichever occurs first.&#8221; (Have you purged those citations from EndNote yet? You haven&#8217;t?  Dude.) 
And then there are those curious restrictions within restrictions; you are not allowed to place a link to a Harvard Business Review  article that your library licenses for campus use in a syllabus, for example. The library pays for campus use &#45; but not that kind of campus use. For that, you pay extra. Clicking through that little notice is as routine as being instructed every time we fly how to fasten a seat belt. (Seriously: how likely will we pay attention to safety features of an airplane when the instructions start out with &#8220;insert the metal tab into the buckle&#8221;?) It&#8217;s no more likely to lead to reflection than that FBI warning on every video that details the years in jail and fines you might incur. (Five years, to be precise, and $250,000. You should know that by now. You&#8217;ve seen it a million times.) We agree to absurd terms of service all the time and swear we read through agreements that we haven&#8217;t. It&#8217;s part of modern life. But still: personal use ? What does that even mean in a scholarly context?   top      How Digital Detectives Deciphered Stuxnet  (Wired, 11 July 2011) &#45; It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the &#8220;clean&#8221; cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings. Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month. 
[W]hen the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran&#8217;s enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate &#45; later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months. The question was, why? [Editor: Bruce Schneier liked this story, too. It reads like a Neal Stephenson novel.]   top      DOJ: We Can Force You to Decrypt that Laptop  (CNET, 11 July 2011) &#45; The Colorado prosecution of a woman accused of a mortgage scam will test whether the government can punish you for refusing to disclose your encryption passphrase. The Obama administration has asked a federal judge to order the defendant, Ramona Fricosu, to decrypt an encrypted laptop that police found in her bedroom during a raid of her home. Because Fricosu has opposed the proposal, this could turn into a precedent&#45;setting case. No U.S. appeals court appears to have ruled on whether such an order would be legal or not under the U.S. Constitution&#8217;s Fifth Amendment, which broadly protects Americans&#8217; right to remain silent. In a brief filed last Friday, Fricosu&#8217;s Colorado Springs&#45;based attorney, Philip Dubois, said defendants can&#8217;t be constitutionally obligated to help the government interpret their files. &#8220;If agents execute a search warrant and find, say, a diary handwritten in code, could the target be compelled to decode, i.e., decrypt, the diary?&#8221; To the U.S. Justice Department, though, the requested court order represents a simple extension of prosecutors&#8217; long&#45;standing ability to assemble information that could become evidence during a trial. The department claims:  &#8220;Public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these. Failing to compel Ms. 
Fricosu amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.&#8221;  Prosecutors stressed that they don&#8217;t actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding &#8220;the password to the drive, either orally or in written form.&#8221; In an amicus brief ( PDF ) filed on Friday, the San Francisco&#45;based Electronic Frontier Foundation argues that the Justice Department&#8217;s request be rejected because of Fricosu&#8217;s Fifth Amendment rights. The Fifth Amendment says that &#8220;no person...shall be compelled in any criminal case to be a witness against himself.&#8221; [Editor: I seem to recall reading one of these law review articles, which essentially concluded that if you&#8217;d never written down your passphrase (but it existed only in your memory), then you couldn&#8217;t be compelled to decrypt the files. For key files, I&#8217;ve followed that practice.]   top      A New U.S. Law&#45;Enforcement Tool: Facebook Searches  (Reuters, 12 July 2011) &#45; U.S. law&#45;enforcement agencies are increasingly obtaining warrants to search Facebook, often gaining detailed access to users&#8217; accounts without their knowledge. A Reuters review of the Westlaw legal database shows that since 2008, federal judges have authorized at least two dozen warrants to search individuals&#8217; Facebook accounts. 
Many of the warrants requested a laundry list of personal data such as messages, status updates, links to videos and photographs, calendars of future and past events, &#8220;Wall postings&#8221; and &#8220;rejected Friend requests.&#8221; Federal agencies seeking the warrants include the FBI, DEA and ICE, and the investigations range from arson to rape to terrorism. The Facebook search warrants typically demand a user&#8217;s &#8220;Neoprint&#8221; and &#8220;Photoprint&#8221;&#8212;terms that Facebook has used to describe a detailed package of profile and photo information that is not even available to users themselves. These terms appear in manuals for law enforcement agencies on how to request data from Facebook. The manuals, posted on various public&#45;advocacy websites, appear to have been prepared by Facebook, although a spokesman for the company declined to confirm their authenticity. None of the warrants discovered in the review have been challenged on the grounds that it violated a person&#8217;s Fourth Amendment protection against unlawful search and seizure, according to a review of the cases. Some constitutional&#45;law experts said the Facebook searches may not have been challenged because the defendants &#45; not to mention their &#8220;friends&#8221; or others whose pages might have been viewed as part of an investigation&#8212;never knew about them. By law, neither Facebook nor the government is obliged to inform a user when an account is subject to a search by law enforcement, though prosecutors are required to disclose material evidence to a defendant. Twitter and several other social&#45;media sites have formally adopted a policy to notify users when law enforcement asks to search their profile.   
top       Secret Service Descends on Artist For Mildly Creepy Public Photography  (TechDirt, 12 July 2011) &#45; So this is one of those interesting scenarios that really tests the boundary between what people find to be socially unacceptable behavior versus what is actually illegal under current law. Artist Kyle McDonald put a strange art project into practice when he installed what amounts to surveillance software on the public computers at an Apple store and used the images collected to create a presentation that he hoped would give us, by the facial expressions captured, insight into our relationship with the computers we use. An interesting project that borders on creepy. But is it illegal? Apparently, the Secret Service is now involved: &#8220;  On three days in June, McDonald&#8217;s program documented people staring at computers in Apple stores. Since the stores wiped their computers every night, he had to go back in and reinstall the program each day he took photos. He uploaded a collection of the photos to a Tumblr blog, and last Sunday he set up &#8216;an exhibition&#8217; at the Apple stores. During the unauthorized event at the Apple stores on West 14th Street and in Soho, when people looked at an Apple store machine, they saw a picture of themselves. Then they saw photos of other people staring at computers. Amazingly, nobody made a fuss. [...] Over the course of the project, McDonald set up roughly 100 Apple store computers to call his servers every minute. That&#8217;s a lot of network traffic, and he learned that Apple monitors traffic in its stores when he received a photo from a Cupertino computer of what appeared to be an Apple technician. The technician had apparently traced the traffic to the site McDonald used to upload the program to Apple Store computers; and installed it himself. McDonald figured that Apple had decided the program wasn&#8217;t a big deal. 
That was until four Secret Service men in suits woke him up on Thursday morning with a search warrant for computer fraud. They confiscated two computers, an iPod and two flash drives, and told McDonald that Apple would contact him separately.&#8221;  Even more interesting than his project about how people perceive their relationship with their computer might be how people perceive the artist&#8217;s actions here. Many people seem to be up in arms, and feel quite strongly that his actions were criminal and should be punished. But what crimes did he actually commit? None of the immediately obvious arguments would appear to be viable when you consider the facts of the situation. [Editor: Interesting legal analysis &#45; there&#8217;s an artist who&#8217;s done something quite similar, but he blanked&#45;out the key faces of most subjects &#45; but not all. His work is showing in Europe, apparently without legal repercussions.]   top       Judge Rules &#8220;Locker&#8221; Site is Not Direct Copyright Infringer  (ArsTechnica, 12 July 2011) &#45; A federal judge in Miami has dismissed direct copyright infringement charges against Hotfile, a popular online &#8220;locker&#8221; service that the major Hollywood studios allege is responsible for massive copyright infringement. But he allowed the case to proceed on charges that Hotfile has induced and profited from the infringing activities of its users. The 9&#45;page opinion , first reported by the Hollywood, Esq. blog , provides early clues about how Judge Adalberto Jordan views the defendants, Hotfile and its alleged owner Anton Titov. The case, which began in February , represents the latest front in the never&#45;ending arms race between Hollywood studios and users seeking free copies of their movies. Hotfile is a &#8220;cyberlocker&#8221; site. Users upload files they wish to share with others and are rewarded financially if these files prove popular. 
The studios allege that the overwhelming majority of the files users upload to Hotfile are copyrighted content being distributed without the consent of copyright holders like themselves. Hotfile, for its part, argues that it is providing an ordinary Web&#45;hosting service and is not responsible for content its users choose to upload. Hotfile lacks any interface for browsing or searching the files on the site, allowing it to plausibly deny any knowledge of their contents. The studios allege that Hotfile &#8220;relies on third&#45;party pirate link sites to host, organize and promote URL links to Hotfile&#45;hosted infringing content.&#8221; Hotfile faces two distinct charges: direct and secondary liability. The studios argued that Hotfile is directly liable for the infringing actions of its users because it owns and operates the servers through which the infringing copies were made. It also argues that they are secondarily liable under the inducement theory articulated by the Supreme Court in the 2005 Grokster decision. [Editor: this is important, and implicates Cloud storage services like Dropbox, too. See &#8220;Unlicensed: Are Google Music and Amazon Cloud Player Illegal? (ArsTechnica, 4 July 2011)&#8221; from MIRLN 14.09 .]   top       Study Finds 12.5% of Companies Violating Own Do&#45;Not&#45;Track Policies  (ArsTechnica, 13 July 2011) &#45; The Do Not Track efforts led by self&#45;managed advertising groups aren&#8217;t going as well as some might hope, with at least eight participating companies continuing to track users across the Web even after they opt out. The finding highlights the weaknesses of an entirely voluntary system: just because the companies say they will do it doesn&#8217;t necessarily mean that they will. The Network Advertising Initiative (NAI) is one of several self&#45;regulating groups aimed at adopting voluntary codes of conduct when it comes to advertising to users online. 
Late last year, those groups (including the NAI) announced that they would begin pushing the Advertising Option Icon , an icon that is meant to let users know which sites are participating in behavioral tracking. Users would then be able to easily opt out of any behaviorally targeted advertising if they so choose. Collectively, the groups represent some 5,000 other companies that advertise online, though use of the icon itself is voluntary as long as they offer the opt&#45;out functionality. But how many companies are actually respecting those rules? Stanford&#8217;s Center for Internet &amp; Society recently examined  the tracking behavior of 64 of 75 of NAI&#8217;s member companies when users turn on the Do Not Track settings or opt out of behavioral ad tracking. Of the 64, the CIS said that 33 companies left their tracking cookies in place after the user opted out. This in itself sounds surprising, but it&#8217;s not &#45; as part of their agreement with NAI, companies only have to agree to stop offering behaviorally targeted ads to users when users want to opt out. They can continue to keep cookies on your machine, as long as those cookies aren&#8217;t being used to create specially targeted ads. So what about the rest? Two advertising companies took overt steps to respect the Do Not Track headers sent by browsers like Firefox ,  Internet Explorer  , and Safari , which we just learned is actually a step beyond NAI&#8217;s baseline requirement. Another 10 companies went even further by stopping the tracking and  removing the cookies altogether (and just for interest&#8217;s sake, it&#8217;s worth noting that Google falls into this category). That leaves us with the eight companies dwelling in the hall of shame: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street On Demand, and TARGUSinfo AdAdvisor. 
These guys all specify in their privacy policies that users can opt out of behavioral tracking and advertising, but the CIS researchers found that they all kept some form of unique user information around on the user&#8217;s computer even after opting out. Most of them removed certain pieces of information while keeping other items, but one (Vibrant Media) simply kept on tracking as if the user had never opted out in the first place.

Senators Ask Spy Chief: Are You Tracking Us Through Our iPhones? (Wired, 14 July 2011) &#45; Two key senators want to know if the leader of the vast U.S. intelligence apparatus believes it&#8217;s legal for spooks to track where you go through your iPhone. In a letter that Sens. Mark Udall (D&#45;Colorado) and Ron Wyden (D&#45;Oregon) will send later on Thursday, obtained by Danger Room, the senators ask Director of National Intelligence James Clapper, &#8220;Do government agencies have the authority to collect the geolocation information of American citizens for intelligence purposes?&#8221; Both senators are members of the panel overseeing the 16 intelligence agencies. In May, they sounded warnings that the Obama administration was secretly reinterpreting the Patriot Act to allow a broader amount of domestic surveillance than it had publicly disclosed. &#8220;[R]ecent advances in geolocation technology have made it increasingly easy to secretly track the movements and whereabouts of individual Americans on an ongoing, 24/7 basis,&#8221; they write. &#8220;Law enforcement agencies have relied on a variety of different methods to conduct this sort of electronic surveillance, including the acquisition of cell phone mobility data from communications companies as well as the use of tracking devices covertly installed by the law enforcement agencies themselves.&#8221; Wyden and Udall want &#8220;unclassified answers&#8221; from Clapper. If Clapper thinks his spies can go after U.S.
citizens&#8217; geodata, they want the &#8220;specific statutory basis&#8221; for that collection, along with a description of any &#8220;judicial review or approval by particular officials&#8221; that might accompany it. They also want to know if Clapper thinks there&#8217;s any affirmative legal &#8220;prohibition&#8221; to geodata collection by spies, if the spy chief doesn&#8217;t think it&#8217;s legal. The senators note that legislative restrictions on GPS acquisition so far only apply to cops and feds, not spies. &#8220;Clearly Congress needs to also understand how intelligence authorities are being interpreted as it begins to consider legislation on this issue,&#8221; they write. They also remind Clapper that the FISA Amendments Act is set to expire at the end of the year. The letter asks Clapper to disclose if the surveillance dragnet it authorizes includes the communications of &#8220;law&#45;abiding Americans,&#8221; the key objection from civil libertarians to the Act, and if any &#8220;significant interpretations of the FISA Amendments Act [are] currently classified.&#8221;

&#45; and &#45;

The Government Just Admitted For The First Time It Is Using Cell Phone Data To Track Your Location (Business Insider, 26 July 2011) &#45; A group of Senators questioned the general attorney for the National Security Agency Tuesday about whether U.S. intelligence agencies are using cell phone geo location data to track U.S. citizens without their knowledge. According to The Wall Street Journal, the leader of the National Counterterrorism Center Matthew Olson told the Senate Select Committee on Intelligence that: &#8220;There are certain circumstances where that authority may exist.&#8221; The response came after repeated questions by Sen.
Ron Wyden (D., Ore) whether the government has authority to &#8220;use cell site data to track the location of Americans inside the country.&#8221; Olson admitted the possibility, said &#8220;it&#8217;s a very complicated question,&#8221; and told the committee the intelligence community is working on a memo to better answer the question.

How Khan Academy Is Changing the Rules of Education (Wired, 15 July 2011) &#45; &#8220;This,&#8221; says Matthew Carpenter, &#8220;is my favorite exercise.&#8221; I peer over his shoulder at his laptop screen to see the math problem the fifth grader is pondering. It&#8217;s an inverse trigonometric function: cos^&#45;1(1) = ?. Carpenter, a serious&#45;faced 10&#45;year&#45;old wearing a gray T&#45;shirt and an impressive black digital watch, pauses for a second, fidgets, then clicks on &#8220;0 degrees.&#8221; Presto: The computer tells him that he&#8217;s correct. The software then generates another problem, followed by another, and yet another, until he&#8217;s nailed 10 in a row in just a few minutes. All told, he&#8217;s done an insane 642 inverse trig problems. &#8220;It took a while for me to get it,&#8221; he admits sheepishly. Carpenter, who attends Santa Rita Elementary, a public school in Los Altos, California, shouldn&#8217;t be doing work anywhere near this advanced. In fact, when I visited his class this spring &#45; in a sun&#45;drenched room festooned with a papercraft X&#45;wing fighter and student paintings of trees &#45; the kids were supposed to be learning basic fractions, decimals, and percentages. As his teacher, Kami Thordarson, explains, students don&#8217;t normally tackle inverse trig until high school, and sometimes not even then. But last November, Thordarson began using Khan Academy in her class.
Khan Academy is an educational website that, as its tagline puts it, aims to let anyone &#8220;learn almost anything &#45; for free.&#8221; Students, or anyone interested enough to surf by, can watch some 2,400 videos in which the site&#8217;s founder, Salman Khan, chattily discusses principles of math, science, and economics (with a smattering of social science topics thrown in). The videos are decidedly lo&#45;fi, even crude: Generally seven to 14 minutes long, they consist of a voice&#45;over by Khan describing a mathematical concept or explaining how to solve a problem while his hand&#45;scribbled formulas and diagrams appear onscreen. Like the Wizard of Oz, Khan never steps from behind the curtain to appear in a video himself; it&#8217;s just Khan&#8217;s voice and some scrawly equations. Initially, Thordarson thought Khan Academy would merely be a helpful supplement to her normal instruction. But it quickly became far more than that. She&#8217;s now on her way to &#8220;flipping&#8221; the way her class works. This involves replacing some of her lectures with Khan&#8217;s videos, which students can watch at home. Then, in class, they focus on working problem sets. The idea is to invert the normal rhythms of school, so that lectures are viewed on the kids&#8217; own time and homework is done at school. It sounds weird, Thordarson admits, but this flipping makes sense when you think about it. It&#8217;s when they&#8217;re doing homework that students are really grappling with a subject and are most likely to need someone to talk to. And now Thordarson can tell just when this grappling occurs: Khan Academy provides teachers with a dashboard application that lets her see the instant a student gets stuck.

Getty Images Says Google Plus Terms of Service is &#8220;OK&#8221; (ReadWriteWeb, 15 July 2011) &#45; Should photographers be concerned about Google Plus?
This is the subject of an ongoing debate right now, due to the wording Google uses in its Terms of Service &#45; specifically parts that seem to indicate it will have rights to photos posted on the new social network. But some folks, including both professional photographers and an intellectual property attorney, say the reaction is overblown. The issue is not a &#8220;Google&#8221; problem &#45; it&#8217;s something to consider before posting your images online, anywhere on the Web. This week, the lawyers at stock photography leader Getty Images have decided to weigh in on the situation, too, as it relates to the company&#8217;s Flickr Collection contributors. Getty&#8217;s verdict? &#8220;We&#8217;re OK with Google+,&#8221; it says. Members of the private group (note: link only works for members) &#8220;Getty Images Contributors&#8221; on Flickr were recently informed by a company representative that Getty&#8217;s lawyers have deemed Google Plus OK for them to use. &#8220;The important thing to watch out for in Terms of Service, and it&#8217;s the same as we&#8217;ve talked about for contests, is that whatever they do (or allow third parties to do) with the images should be in the context of the service itself, not to re&#45;license or otherwise commercialize the images to other parties (or even the main company itself) outside of the context they&#8217;re posted for,&#8221; writes Flickr member Tom W at Getty Images, in a message posted to all group members. Tom cites specific sections of the Google Plus ToS (11.2 and 11.3) in his post, explaining that their intent is to allow Google to provide copies of the images to third parties &#8220;in the context of the service &#45; social networking, photo&#45;sharing, etc.&#8221; For example, if members wanted to allow their friends to print copies of their photos, like Flickr does with Snapfish.
However, says Tom, Google does &#8220;not provide for licensing to another party for their own use.&#8221; [Editor: also carries a useful checklist for parsing photo&#45;license Terms of Service generally.]

Financial Services Industry Group Issues Social Media Guidance (Hogan Lovells, 15 July 2011) &#45; A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns. The guidance, titled &#8220;Social Media Risks and Mitigation,&#8221; was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The 71&#45;page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks. These risks are discussed in the context of three types of social media use: (1) By a financial institution to communicate with or service the financial institution&#8217;s customers; (2) By the financial institution&#8217;s employees in their personal or professional capacities; and (3) By the financial institution&#8217;s employees or contractors outside the office. The guidance thus addresses sector&#45;specific regulatory requirements, such as Gramm&#45;Leach&#45;Bliley Act compliance and FINRA rules applicable to securities firms. It also addresses concerns that are relevant to financial institutions as employers, such as bank employees&#8217; personal use of social media. The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media, but still lacks clear rules from regulators regarding such activities.
While FINRA has issued guidance on use of social media by firms subject to FINRA&#8217;s oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media. Also, while targeted at the financial services sector, the report also has relevance to many other types of users of social media. It gives guidance, for instance, on coordinating a company&#8217;s social media policies with its other policies, and performing a risk assessment to determine the risks a company&#8217;s social media activities could pose.

Cooley Law School Sues Bloggers and Lawyers (InsideHigherEd, 15 July 2011) &#45; The Thomas M. Cooley Law School, a freestanding institution in Michigan, on Thursday sued four anonymous individuals who have posted critical comments online and lawyers who have started an investigation into Cooley&#8217;s job placement rates. The suits charge defamation, interference with business interests and other violations of the law. &#8220;With ethics and professionalism at the core of our law school&#8217;s values, we cannot &#45; and will not &#45; sit back and let anyone circulate defamatory statements about Cooley or the choices our students and alumni made to seek their law degree here,&#8221; said Brent Danielson, chair of Cooley&#8217;s board, in an announcement of the suits. One of the anonymous bloggers being sued runs a site called Thomas M. Cooley Law School Scam &#8220;to bring truth and awareness to the students getting suckered in by this despicable excuse for a law school.&#8221; The blog questions Cooley&#8217;s academic quality and charges that very few of its graduates find jobs. (Cooley says 76 percent of graduates find jobs, and that the figure was higher before the economic downturn.) The law firm being sued is Kurzon Strauss, in New York, which ran a notice on the J.D.
Underground website stating (according to the complaint) that it was &#8220;conducting a broad, wide&#45;ranging investigation of a number of law schools for blatantly manipulating their post&#45;graduate employment data and salary information&#8221; to take advantage of &#8220;the blithe ignorance of naive, clueless 22&#45;year olds who have absolutely no idea what a terrible investment obtaining a J.D. is.&#8221; The notice specifically requests information about Thomas Cooley and, according to the law school, suggested that it was &#8220;perhaps one of the worst offenders&#8221; in manipulating the data. Currently the J.D. Underground website features a posting with some similar language (but not nearly as strong) to that cited in the complaint, and another posting from the law firm retracting some of its earlier statements, suggesting that &#8220;certain allegations ... may have been couched as fact.&#8221; David Anziska, a partner in the firm, said in an interview Thursday that &#8220;this is one of the most ridiculous lawsuits filed in recent memory.&#8221; Anziska said that the firm will not only defend itself, but plans to sue Cooley for its suit. He declined to comment on the status of the investigation into job&#45;placement rates of Cooley and other law schools, but said that the notice prompted more than 50 responses.

NCAA Social Networking Regulations Provide Challenge for MU Compliance Department (Missourian, 16 July 2011) &#45; Social networking websites like Facebook and Twitter have made student athletes more accessible than ever. The 140&#45;character limit on Twitter might not necessarily encourage a meaningful discourse, but things as simple as an athlete checking in while on vacation or a fan telling a recruit why he should commit to his favorite school can still make an impact.
On [June] 21, the University of North Carolina received a Notice of Allegations from the NCAA detailing a litany of violations committed by their athletics programs. Among them was the failure to &#8220;adequately and consistently monitor social networking activity&#8221; by student athletes that should have caused the school to discover other violations sooner than they did. The implication seen by many in the NCAA&#8217;s ruling &#45; that athletic departments should be going through the entirety of their student athletes&#8217; social networking pages for potential violations &#45; is troublesome for officials like Mitzi Clayton, MU&#8217;s assistant athletics director for compliance. Clayton said she views such rigorous monitoring as an unattainable goal. [C]ompliance at MU continues to rely on the system already in place. Individual programs are tasked with monitoring the social networking activities of athletes, a practice once primarily concerned with potential image issues that may now focus more heavily on looking for potential violations. The football program, for example, uses a computer program called UDiligence. Designed primarily to protect student athletes from damaging the reputations of themselves and their schools, UDiligence searches for trigger words in student activity and alerts team officials when any red flags pop up. Other sports opt for a simpler approach, and a captain or coach frequently checks on posts from the team&#8217;s players.

Wikipedia Rolling Out Article Rating System (ReadWriteWeb, 18 July 2011) &#45; Love it or hate it, you can&#8217;t say Wikipedia is slow to innovate. The giant encyclopedia site announced this weekend that it will now roll&#45;out site&#45;wide an article rating system that allows page visitors to rate an entry on a scale of 1 to 5 on trustworthiness, objectivity, completeness and quality of writing.
Article raters have the option of self&#45;identifying as a subject matter expert for whatever article they rate. Wikipedia says that after limited testing of the feature, user response has been overwhelmingly positive; readers have said they found the rating system useful, that they felt compelled to give feedback and have been shown increasingly likely to begin editing articles for the first time after using the rating tool. Data about article ratings is also made available for export and outside analysis under a Creative Commons license. The feature is limited to English Wikipedia for now.

Multinational Employers Face Multiple Facebook Rulings (Proskauer, 20 July 2011) &#45; Recent prosecutions by the National Labor Relations Board have the employer community all atwitter over the Board&#8217;s apparent social media policy. While social media law is too new and undeveloped to give a clear picture, the Labor Board&#8217;s approach appears to give employees broad latitude to disparage their employer on Facebook and similar social media sites &#45; viewing the online exchanges more like water cooler conversations among coworkers than public broadcasts to actual or potential customers. Early indications are that foreign tribunals are taking a different approach. In several recent cases, they have affirmed the employers&#8217; right to dismiss employees for comments made in social media forums.

Social Media History Becomes a New Job Hurdle (NYT, 20 July 2011) &#45; Companies have long used criminal background checks, credit reports and even searches on Google and LinkedIn to probe the previous lives of prospective employees. Now, some companies are requiring job candidates to also pass a social media background check. A year&#45;old start&#45;up, Social Intelligence, scrapes the Internet for everything prospective employees may have said or done online in the past seven years.
Then it assembles a dossier with examples of professional honors and charitable work, along with negative information that meets specific criteria: online evidence of racist remarks; references to drugs; sexually explicit photos, text messages or videos; flagrant displays of weapons or bombs and clearly identifiable violent activity. &#8220;We are not detectives,&#8221; said Max Drucker, chief executive of the company, which is based in Santa Barbara, Calif. &#8220;All we assemble is what is publicly available on the Internet today.&#8221; The Federal Trade Commission, after initially raising concerns last fall about Social Intelligence&#8217;s business, determined the company is in compliance with the Fair Credit Reporting Act, but the service still alarms privacy advocates who say that it invites employers to look at information that may not be relevant to job performance.

Cyber Weapons: The New Arms Race (Business Week, 20 July 2011) &#45; In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company&#8217;s top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira&#8217;s source code. He grabbed the one machine and fled. The whole operation lasted five minutes, according to video captured on an employee&#8217;s webcam. Palo Alto Police Sergeant Dave Flohr describes the burglary as a run&#45;of&#45;the&#45;mill Silicon Valley computer grab. &#8220;There are lots of knuckleheads out there that take what they can and leave,&#8221; he says.
But two people close to the company say that they, as well as national intelligence investigators now looking into the case, suspect something more sinister: a professional heist performed by someone with ties to China or Russia. The burglar didn&#8217;t want a computer he could sell on Craigslist. He wanted Nicira&#8217;s ideas. Those familiar with the burglary refuse to talk about it on the record, citing orders handed down by the federal investigators. In private, they share a common concern: Cyber espionage and nation&#45;state&#45;backed hacking incidents appear to be increasing in frequency and severity. What once seemed the province of Hollywood &#45; high&#45;tech robbers with guns; Internet worms that take out power plants &#45; has become real. They fear that online skirmishes and spying incidents are escalating into a confusing, vicious struggle that involves governments, corporations, and highly sophisticated free&#45;ranging hackers. This Code War era is no superpower stare&#45;down; it&#8217;s more like Europe in 1938, when the Continent was in chaos and global conflict seemed inevitable. Cyber attacks used to be kept quiet. They often went undiscovered until long after the fact, and countries or companies that were hit usually declined to talk about attacks. That&#8217;s changed as a steady flow of brazen incursions has been exposed. Last year, for example, Google (GOOG) accused China of spying on the company&#8217;s workers and customers. It said at the time that at least 20 other companies were victims of the same attack, nicknamed Operation Aurora by the security firm McAfee (INTC). The hacked included Adobe Systems (ADBE), Juniper Networks (JNPR), and Morgan Stanley (MS). Joel F. Brenner, the head of U.S. counterintelligence until 2009, says the same operation that pulled off Aurora has claimed many more victims over several years. &#8220;It&#8217;d be fair to say that at least 2,000 companies have been hit,&#8221; Brenner says.
&#8220;And that number is on the conservative side.&#8221; Dozens of others, ranging from Lockheed Martin (LMT) and Intel (INTC) to the Indian Defense Ministry, the International Monetary Fund, and the Pacific Northwest National Laboratory, have suffered similar assaults. Earlier this year hackers raided the computer networks of RSA (EMC), a marquee security firm that protects other companies&#8217; computers. They stole some of the most valuable computer code in the world, the algorithms behind RSA&#8217;s SecurID tokens, a product used by U.S. government agencies, defense contractors, and major banks to prevent hacking. It was like breaking into a heavily guarded locksmith and stealing the master combination that opened every vault in every casino on the Las Vegas Strip. This month the Pentagon revealed that it, too, had been hacked: More than 24,000 files were stolen from the computers of an unnamed defense contractor by &#8220;foreign intruders.&#8221;

FFIEC Ups The Ante On Authentication (Steptoe, 21 July 2011) &#45; The Federal Financial Institutions Examination Council (FFIEC) has released a Supplement to its 2005 Authentication in an Internet Banking Environment Guidance. The overarching thrust of the Supplement is that, because fraudsters are becoming increasingly sophisticated at breaking through customer authentication systems with techniques like keylogging and man&#45;in&#45;the&#45;middle attacks, financial institutions should use systems of layered security to prevent fraudulent activity. The FFIEC now also recommends that banks &#8220;offer&#8221; multifactor authentication to their business customers. As we have previously reported, some courts have said that a bank&#8217;s failure to follow the FFIEC&#8217;s Guidance could give rise to a negligence claim. And it is possible that courts and regulators could look to the FFIEC&#8217;s Guidance when evaluating the cybersecurity of non&#45;financial institutions, as well.
Banks and other companies should therefore look closely at the Guidance and the Supplement and evaluate whether their own authentication systems are up to snuff in light of their particular circumstances.

Uniform Electronic Legal Material Act approved by the Uniform Law Commission (BeSpacific, 21 July 2011) &#45; Uniform Electronic Legal Material Act Drafted by the National Conference of Commissioners on Uniform Law &#45; approved and recommended for enactment, July 18, 2011: &#8220;A new act approved [July 12, 2011] by a national law group establishes an outcomes&#45;based, technology&#45;neutral framework for providing online legal material with the same level of trustworthiness traditionally provided by publication in a law book. The Uniform Electronic Legal Material Act was approved today by the Uniform Law Commission (ULC) at its 120th Annual Meeting in Vail, Colorado. Increasingly, state governments are publishing laws, statutes, agency rules, and court rules and decisions online. In some states, important state&#45;level legal material is no longer published in books, but is only available online. While electronic publication of legal material has facilitated public access to the material, it has also raised concerns. Is the legal material official, authentic, government data that has not been altered? For the long term, how will this electronic legal material be preserved? How will the public access the material 10, 50, or 100 years from now? The Uniform Electronic Legal Material Act provides a consistent approach to solving these problems.&#8221;

Thousands of Scientific Papers Uploaded to The Pirate Bay (GigaOM, 21 July 2011) &#45; A user called Greg Maxwell just uploaded a torrent with 18,592 scientific publications to The Pirate Bay, in what appears to be a protest directed both at the recent indictment of programmer Aaron Swartz for data theft as well as the scientific&#45;publishing model in general.
All of the documents of the 32&#45;gigabyte torrent were taken from JSTOR, the academic database that&#8217;s at the center of the case against Swartz. The torrent consists of documents from the Philosophical Transactions of the Royal Society, the copyright to which has long since expired. However, the only way to access these documents until now has been via JSTOR, as Maxwell explains in a long and eloquent text on the Pirate Bay, with individual articles costing as much as $19. &#8220;Purchasing access to this collection one article at a time would cost hundreds of thousands of dollars,&#8221; he writes. Maxwell goes on to explain that he gained access to the documents years ago in what he says was a legal manner, but was afraid to publish them because of potential legal repercussions from the publishers of scientific journals. He says the indictment of Aaron Swartz, who allegedly tried to download thousands of files from JSTOR through the library at MIT, made him change his mind.

How Much Data is Facebook Giving Law Enforcement Under Secret Warrants? (Ride The Lightning, 21 July 2011) &#45; The short answer is that no one knows. According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism. What interested me most is that these warrants demand a user&#8217;s &#8220;Neoprint&#8221; and &#8220;Photoprint&#8221; &#45; terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook&#8217;s claim that the &#8220;Download Your Account&#8221; button gives you everything that Facebook itself possesses.
Reuters apparently gleaned some of this information from Westlaw, where it found that at least 11 warrants have been granted since the beginning of 2011, double the number granted in all of 2010. The real truth is that no one knows how many warrants have been granted since it is likely that many records have been sealed. Facebook could tell us, of course, but declines to do so. It does say that it pushes back against law enforcement &#8220;fishing expeditions.&#8221; Now that gives me a lot of comfort because my trust in Facebook is so absolute. That &#8220;trust&#8221; is buttressed by the fact that Facebook doesn&#8217;t tell users about the warrants to give them a chance to challenge those warrants legally. Why not Facebook? Twitter (and others) have adopted a policy notifying users of law enforcement warrants. If Facebook is as interested in user rights as it claims, it is time to rectify this omission.

UK Government Clears Staff to Share Restricted Documents Via the Cloud Service (IT Pro, 21 July 2011) &#45; Government staff will soon be able to share &#8220;restricted&#8221; documents in the cloud, following a deal between the services arm of the Foreign and Commonwealth office, and the software as a service provider Huddle. FCO Services will run Huddle&#8217;s software on its internal cloud, known as the Government Secure Application Environment (GSAE). This will allow civil servants, diplomats and other Government staff to share documents up to the secrecy level IL3, or Restricted. Other Government departments, including the Department of Environment and Rural Affairs, and the Cabinet Office, already use a public version of Huddle for &#8220;external collaboration,&#8221; sharing documents up to IL2. This service is already being used by businesses, including Kia Motors, P&amp;amp;G and Disney.

EU Cookies&#45;&#45;Where Did the Pieces Fall?
(Wiley Rein, July 2011) &#45; The deadline has come and gone for European Union (EU) Member States to start requiring companies to obtain individuals&#8217; consent prior to placing cookies on computers, mobile devices and other hardware. In its wake, industry players continue to struggle to understand what this cookie consent requirement means. U.S. companies should consider basic compliance steps if they offer websites, mobile applications or other online offerings to EU individuals, as EU regulators have long sought to hold such U.S. companies responsible. &#8220;Consent&#8221; was left ambiguous by EU lawmakers in late 2009 amendments to the EU E&#45;Privacy Directive (directive 2009/136/EC, which amended directive 2002/58/EC). Thus, substantial uncertainty has persisted about whether the new EU law might disrupt the function of cookies. For many years, EU data protection authorities (DPAs) have contended that a foreign website operator placing a cookie on a computer in the European Union is availing itself of &#8220;equipment&#8221; located in the EU. Thus, they argue, that operator is subject to EU law. By this theory, a U.S.&#45;based website operator would be required to obtain the informed, opt&#45;in consent of EU individuals before placing cookies on their hard drives. Not surprisingly, recent guidance from individual Member State DPAs concerning the cookie consent requirement does not disclaim a potential extraterritorial reach. Where a U.S. company has a prominent presence in the European Union, and especially where that company is active in online behavioral advertising, the threat of DPA action on cookies is greater. EU authorities have been mixed on the question of whether prior &#8220;opt in&#8221; consent is necessary to place a cookie. Interpretive language in the E&#45;Privacy Directive itself suggests that consent could be based merely on an individual&#8217;s browser settings. 
Despite the May 2011 implementation deadline, many Member States have failed to fully implement the directive amendments. Even where legislation is in effect, it often fails to specify whether opt&#45;in consent is necessary. Finally, Member States seem to be taking markedly different approaches to implementing the amendment, creating yet another &#8220;regulatory patchwork&#8221; in the EU privacy area. U.S. companies that direct online offerings to EU individuals should continue to monitor how the cookie consent requirements develop. But it seems premature to overhaul online offerings in order to create a mechanism for obtaining opt&#45;in cookie consent. For example, the United Kingdom&#8217;s implementation of the directive mentions that browser settings can be the basis for consent. Though UK privacy regulators contend in informal statements that default browser settings are insufficient, their proposed response&#45;to work with browser providers to change default settings&#45;seems unlikely to produce results in a commercially reasonable time frame.   top      Sony Insurer Sues to Deny Data Breach Coverage  (Reuters, 22 July 2011) &#45; One of Sony Corp&#8217;s insurers has asked a court to declare that it does not have to pay to defend the media and electronics conglomerate from mounting legal claims related to a massive data breach earlier this year. The dispute comes as demand soars for &#8220;cyberinsurance,&#8221; with companies seeking to protect themselves against customer claims and associated costs for data and identity theft. How to write such policies has become a huge subject of debate in the insurance industry. 
Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims &#8220;asserted in the class&#45;action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general.&#8221; &#8220;Zurich doesn&#8217;t think there&#8217;s coverage, but to the extent there may be a duty to defend it wants to make sure all of the insurers with a potential duty to defend are contributing,&#8221; said Richard Bortnick, an attorney at Cozen O&#8217;Connor and publisher of the digital law blog CyberInquirer. Bortnick, who is not involved in the case, said that while Sony may be able to claim there was property damage as a result of the data breach, Zurich is likely to argue that the sort of general liability insurance it wrote for Sony was never intended to cover digital attacks. Sony has said it expects the hacking to drag down operating profit by 14 billion yen ($178 million) in the current financial year, inc</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-07-29T15:49:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 19 June 2011 &#45; 9 July (v14.09)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_19_june_2011_9_july_v1409/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_19_june_2011_9_july_v1409/#When:15:41:00Z</guid>
      <description>I&#8217;m moderating a 90&#45;minute July 26 webinar by SMU, Univ of Texas, and the InternetBar.org on ODR &#45; &#8220;The Future Of Justice: How Technology is Shaping the Dispute Resolution Ecosystem&#8221;. Panelists include Ethan Katsh and Prof. Vikki Rogers; $10 registration ends July 10; $49 thereafter. Join us! http://bit.ly/mzH2Of       Catch Me If You Can   Law Firm Not Liable for Purchasing Competitor&#8217;s Name as Keyword to Drive Traffic to Own Website   NATO Uses Twitter to Help Gather Targets in Libya   Court: Passwords + Secret Questions = &#8216;Reasonable&#8217; eBanking Security    Bank Left Holding the Bag in Phishing Attack  What Big Media Can Learn From the New York Public Library   The North Carolina Bar&#8217;s Double Standard for Data and Dollars   Expert Assesses Cyberinsurance Market: Demand, Prevention, Recovery   Business Must Report Data Breaches to Public, EU Says   Survey: 90% of Companies Say They&#8217;ve Been Hacked   U. of Michigan Library Opens Up Orphan Works   Facebook Friend Request to Exec of Represented Corp. May Violate Ex Parte Rule, Opinion Says   What the Drake Prosecution Was Really About &#45; IG Report Vindicates NSA Whistleblowers   Court Conducts In Camera Review of Plaintiff&#8217;s Facebook Page to Resolve Discovery Dispute   Lawsuit: Sony Laid Off Security Staff, Unprepared for PS3 Hacks   Companies Are Erecting In&#45;House Social Networks   &#8216;Times&#8217; Ticks On   Newsgathering Law: A Guide for Reporting   FFIEC Releases Banking Authentication Guidance   Olympic Social Media Guidelines In Full: Athlete Photos But No Video   U.S. Company Preying on Foreigners Feels the Wrath of the FTC   Alarm Over ABA Study of Online Advertising Proves Unfounded   Talking (Exclamation) Points   So Sue Me: Are Lawyers Really the Key to Computer Security?   Ear! Ear! 
Podcast Gains Are in the Listening, Not Creating   Job Posting to LinkedIn Group Doesn&#8217;t Violate Non&#45;Solicitation Clause   Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information   Unlicensed: Are Google Music and Amazon Cloud Player Illegal?   Google Loses Street View Battle, But Did It Win Wiretap War?    NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES     Catch Me If You Can  (Law Tech News, 1 June 2011) &#45; Could Matthew Kluger, a mergers and acquisitions attorney arrested on April 6, 2011, on charges of insider trading, have been caught before he did so much damage? That was the disturbing question CIOs discussed behind closed doors at many law firms this spring. Although it&#8217;s possible to discover the kind of information theft that Kluger allegedly committed, the odds are stacked against it, say CIOs, software vendors, analysts, and IT security experts. That has law firms increasingly worried. Kluger&#8217;s is just the latest in a string of law firm insider trading cases over the last two years, but it has ratcheted up the level of concern throughout BigLaw. Perhaps it&#8217;s because the case involved three of the most respected firms in the world: Cravath, Swaine &amp;amp; Moore; Skadden, Arps, Slate, Meagher &amp;amp; Flom ; and Wilson Sonsini Goodrich &amp;amp; Rosati. If it happened to them, it could happen to any law firm. What, exactly, happened? Kluger and two accomplices &#45; a Wall Street trader and a mortgage broker &#45; allegedly stole and traded on material nonpublic information about M&amp;amp;A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades. 
At his most recent employer, Wilson Sonsini, Kluger took information from M&amp;amp;A deals he was not involved with (in an apparent effort to avoid detection), according to the charges. He got the information from the firm&#8217;s document management system (DMS), say prosecutors. Kluger had access to information on M&amp;amp;A deals in Wilson Sonsini&#8217;s DMS, but he did not open the documents &#45; to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. &#8220;Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions,&#8221; the charges state (http://1.usa.gov/ltn642). Could someone really get that much information without opening the documents? &#8220;Easy,&#8221; says George Rudoy, CEO of Integrated Legal Technology. &#8220;Even with all the effort of organizing ethical walls, I have not heard nor seen firms locking the title of the documents. If you go directly into the document management system, you can read all the titles and in most cases you can read short descriptions even if the document is locked.&#8221; Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it&#8217;s often easy to figure out the codes.   top     Law Firm Not Liable for Purchasing Competitor&#8217;s Name as Keyword to Drive Traffic to Own Website  (ABA Journal, 8 June 2011) &#45; Once upon a time, when bus benches and the yellow pages offered some of the only ways to promote a personal injury firm effectively, competitors tried to crowd each other out or dominate the space with the biggest ad. 
It wasn&#8217;t unheard&#45;of to put a billboard up right next to another law firm&#8217;s offices. And, now that the Internet provides another option, purchasing key words to drive traffic to a website is simply another form of acceptable proximity advertising, a Wisconsin judge has ruled. Although Habush Habush &amp;amp; Rottier had argued that it had a privacy right in the names of its name partners, Milwaukee County Circuit Judge Charles Kahn Jr. effectively told the plaintiff personal injury firm, &#8220;Welcome to the 21st century,&#8221; reports the Milwaukee Journal&#45;Sentinel. While there may be a privacy issue, Kahn held, another law firm&#8217;s purchase of the names Habush and Rottier as advertising key words on the Internet is a reasonable commercial use. The Habush firm plans to appeal today&#8217;s ruling, as competitor Cannon &amp;amp; Dunphy celebrated its victory. Kahn was somewhat sympathetic to an argument that it is unethical for a law firm to misrepresent itself by using another law firm&#8217;s name. However, he said there is no ethical prohibition, at present, against doing so. &#8220;The time may come when a legislature, regulatory board or supreme court determines that the conduct at issue in this case is deceptive and misleading and therefore improper,&#8221; he wrote. &#8220;But no such body has yet drawn this conclusion.&#8221; [Editor: I think I agree that overriding ethical concerns should cause a different result. For good, albeit 15&#45;month&#45;old, summary of social media legal ethics/practice issues look at:  http://solopracticeuniversity.com/2010/03/11/a&#45;dozen&#45;social&#45;media&#45;ethics&#45;issues&#45;for&#45;lawyers/  ]   top   NATO Uses Twitter to Help Gather Targets in Libya (Mail &amp;amp; Guardian, 16 June 2011) &#45; NATO is using information gleaned from Twitter to help analysts judge which sites could be targeted by commanders for bombing and missile strikes in Libya. 
Potentially relevant tweets are fed into an intelligence pool then filtered for relevance and authenticity, and are never passed on without proper corroboration. However, without &#8220;boots on the ground&#8221; to guide commanders, officials admit that Twitter is now part of the overall &#8220;intelligence picture&#8221;. They said Nato scooped up all the open source information it could to help understand Gaddafi, who is constantly changing his tactics and concealing himself&#8212;and his forces&#8212;in places such as schools and libraries. [NATO] monitors Twitter feeds from Tripoli and other places for &#8220;snippets of information&#8221;. These could then be tested, corroborated or not, by Nato&#8217;s own sources, including direct lines of communication with the rebels, and imagery and eavesdropping from Nimrod spy planes. Nato is also aware that Gaddafi might be using Twitter to feed false information. &#8220;We have to be careful it is not used for propaganda [by Gaddafi&#8217;s forces],&#8221; the Nato official said.   top     Court: Passwords + Secret Questions = &#8216;Reasonable&#8217; eBanking Security  (June 17, 2011) &#45; A closely&#45;watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week &#45; if adopted by a U.S. district court in Maine &#45; will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People&#8217;s United Bank. Patco used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days. 
In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco&#8217;s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco&#8217;s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans. Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco&#8217;s motion for summary judgment and granting the bank&#8217;s motion. A copy of the recommended decision is available here (PDF).   top   &#45; and &#45;    Bank Left Holding the Bag in Phishing Attack (Steptoe&#8217;s E&#45;Commerce Law Week, 7 July 2011) &#45; The U.S. District Court for the Eastern District of Michigan has held Comerica Bank responsible for withdrawals made by a hacker who had &#8220;phished&#8221; a Comerica customer in order to gain access to the customer&#8217;s accounts. Even though the customer&#8217;s employee had fallen for the phishing trick &#45; an email made to look like it was from the bank, which asked for confidential account information &#45; the court held that the bank failed to prove that it had acted in accordance with &#8220;reasonable commercial standards&#8221; when it allowed the hacker&#8217;s wire transfers to go through. Though the decision in ExperiMetal, Inc., v. Comerica Bank involves an interpretation of Michigan law, that law is based on the Uniform Commercial Code, meaning the decision will have at least persuasive effect in other states. 
This case underscores the importance for financial institutions of having well&#45;developed procedures for detecting fraudulent transactions as part of their overall security programs. Until an effective means is developed to prevent phishing attacks altogether, some of the defense will need to focus on limiting the damage phishers can do once they are inside the bank&#8217;s network.   top     What Big Media Can Learn From the New York Public Library  (The Atlantic, 20 June 2011) &#45; With all [recent] change&#8212;not to mention a possible $40 million budget cut looming&#8212;it would be no surprise if the library was floundering like the music industry, newspapers, or travel agents. (Hey, man, we all get disintermediated sooner or later.) But that&#8217;s the wild thing. The library isn&#8217;t floundering. Rather, it&#8217;s flourishing, putting out some of the most innovative online projects in the country. On the stuff you can measure&#8212;library visitors, website visitors, digital gallery images viewed&#8212;the numbers are up across the board compared with five years ago. On the stuff you can&#8217;t, like conceptual leadership, the NYPL is killing it. The library clearly has reevaluated its role within the Internet information ecosystem and found a set of new identities. Let&#8217;s start from here: One, the New York Public Library is a social network with three million active users and two, the New York Public Library is a media outfit. The library still lends books, but over the past year, the NYPL has established itself as a beacon in the carcass&#45;strewn content landscape with smart e&#45;publications, crowdsourcing projects, and an overall digital strategy that shows a far greater understanding of the power of the Internet than most traditional media companies show. Biblion, a storytelling app whose iPad icon features the lion head, is the flashiest of these efforts. 
It presents a slice of the library&#8217;s 1939 World Fair Collection in a format that, while controversial, pushed the traditional boundaries of the e&#45;publication. Moving around the app doesn&#8217;t feel like flipping through the pages of a museum catalog or crawling around a website. To me, it felt like a native application for the tablet era, a new form for the more spatial experience afforded by the tablet&#8217;s touchiness. Even for those who didn&#8217;t like the interface, the question had to be asked: this thing came out of a library? Then there are the library&#8217;s slick crowdsourcing projects, which allow users to digitize beautiful old menus from New York&#8217;s restaurants and plot historical maps of the city onto the GPS&#45;enabled digital maps of today. Both projects are useful and feature user interfaces that best most commercial crowdsourcing applications.   top     The North Carolina Bar&#8217;s Double Standard for Data and Dollars  (Carolyn Elefant, 20 June 2011) &#45; Two months ago, North Carolina released Proposed Formal Ethics Opinion 6 , Subscribing to Software as a Service (SaaS) While Fulfilling the Duties of Confidentiality and Preservation of Client Property. As others, including my Social Media for Lawyers co&#45;author Nicole Black, NC Bar LPM Advisor Eric Mazzone, e&#45;lawyering pioneer Richard Granat and North Carolina virtual lawyer Steph Kimbro have already written, the decision represents a step backward for lawyers &#45; and indeed, may have the effect of precluding lawyers from using popular services like Google docs, Mozy, email or texting even for entirely non&#45;confidential purposes. It&#8217;s bad enough that North Carolina&#8217;s proposed opinion will make it nearly impossible for lawyers to take advantage of new technologies that could reduce the cost of legal service. 
But to add insult to injury, FEO 6&#8217;s stringent regulations apply only to use of SaaS (or cloud) vendor services, while giving online banking services for trust account management a pass, in a proposed opinion released the same day, FEO 7 Using Online Banking to Manage a Trust Account. Yet, there&#8217;s no rational justification for North Carolina to maintain a double&#45;standard for online management of client dollars and client data. North Carolina&#8217;s proposed FEO 7 requires lawyers using online banking to exercise reasonable care, specifically, taking steps to minimize the risk of loss or theft of client money. Though the Opinion states that lawyers have an affirmative duty to understand the risks of online banking and to employ best practices such as strong password policies, the Opinion goes on to state that:  &#8220;Understanding the contract with the depository bank and the use of the resources and expertise available from the bank are good first steps toward fulfilling the lawyer&#8217;s fiduciary obligations.&#8221;  Simply put, lawyers can meet their ethics obligations by relying on banks as a trusted source of information regarding online banking security practices. Contrast the bar&#8217;s deferential approach towards online banking with its adversarial attitude towards SAAS companies. Lawyers can&#8217;t simply rely on a cloud provider&#8217;s expertise in security practices or on the company&#8217;s representations regarding its security practices. Instead, lawyers are required (not encouraged, but required!) 
to: personally, or through a security expert, evaluate the company&#8217;s measures for safeguarding the physical and electronic security of data, including but not limited to &#8220;firewalls, encryption techniques, socket security features, and intrusion&#45;detection systems.&#8221;  investigate a cloud provider&#8217;s financial history  review the cloud provider&#8217;s security audits, and install special security software to ensure that users connected to cloud vendors are protected against malware and viruses.    top     Expert Assesses Cyberinsurance Market: Demand, Prevention, Recovery  (Insurance Journal, 20 June 2011) &#45; Demand for cyberinsurance was rising even before the most recent highly&#45;publicized parade of breaches at major corporations and organizations. After the news of the first major Sony hack but before the subsequent reports involving Sony, Citicorp, the International Monetary Fund and others, Insurance Journal spoke with an expert to gauge how the insurance market for this coverage is doing. James Whetstone, senior vice president and U.S. technology and privacy manager for insurer Hiscox Specialty, is a former technology geek and broker turned underwriter. Hiscox is one of the original underwriters of the coverage. Whetstone says there are almost 30 carriers now offering cyber liability coverage, some more seriously than others. He says these times of claims are when an insurer&#8217;s commitment to a market can be tested, citing what he calls the &#8220;naive&#8221; capacity that exists. The coverage has evolved quickly&#45; Whetstone compares the product&#8217;s acceptance to that of employment practices liability (EPL) coverage&#45; to where cyberinsurance is a &#8220;must&#45;have&#8221; for most firms today. The underwriting has also changed. &#8220;We used to really focus our underwriting attention on how well they could prevent the breach, but we&#8217;ve added another phase to it,&#8221; says Whetstone. 
&#8220;Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It&#8217;s the same with this incident response plan.&#8221;   top     Business Must Report Data Breaches to Public, EU Says  (ZDnet, 21 June 2011) &#45; Businesses in all sectors will have to tell customers when their data has been exposed in a security breach, EU justice and rights commissioner Viviane Reding has told a gathering of bankers in London. On Monday, Reding said she will extend the breach notification obligations that already apply to telecoms and internet access companies. Such plans have been afoot for at least the last three years. &#8220;I intend to introduce a mandatory requirement to notify data security breaches &#45; the same as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services,&#8221; Reding said at the British Bankers&#8217; Association&#8217;s Data Protection and Privacy Conference. In support of the proposals, Reding noted recent data thefts that have hit people using PlayStation, Google and Facebook services, saying that such breaches hurt confidence in the internet and in online services.   top    Survey: 90% of Companies Say They&#8217;ve Been Hacked (PC World, 22 June 2011) &#45; If it sometimes appears that just about every company is getting hacked these days, that&#8217;s because they are. In a new survey ( download .pdf ) of 583 U.S companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their companies&#8217; computers were breached at least once by hackers over the past 12 months. Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months. 
Those numbers are significantly higher than similar surveys and suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks. &#8220;We expected a majority to say they had experienced a breach,&#8221; said Johnnie Konstantas, director of product marketing at Juniper. &#8220;But to have 90% saying they had experienced at least one breach and more than 50% saying they had experienced two or more, is mind blowing,&#8221; she said. It suggests &#8220;that a breach has become almost a statistical certainty,&#8221; these days. The organizations that participated in the Ponemon survey cut across both the private sector and government and ranged from relatively small entities with less than 500 employees to enterprises with more than 75,000. The online survey was conducted over a five&#45;day period earlier this month. Roughly half of the respondents blamed resource constraints for their security woes, while about the same number cited network complexity as the primary challenge to implementing security controls. [Editor: see discussion in MILRN 14.08 under &#8220;Senators Ask SEC for Guidance on Information Security Risk Disclosure&#8221; et al. This is becoming a huge governance issue, I think.]   top    U. of Michigan Library Opens Up Orphan Works (InsideHighedEd, 23 June 2011) &#45; The University of Michigan Library will announce today that it will be allowing authorized library patrons to access all of its digitized &#8220;orphan works&#8221; in full. Students and guests will now be able to access online any texts they would have been able to find in the stacks, Michigan officials said in a press release. This is the latest step in Michigan&#8217;s attempts to identify and unlock the orphans&#8212;books whose copyright holders cannot be found or contacted&#8212;in its collection. 
The university announced last month that it is also working to identify more orphans among the millions of volumes held by HathiTrust Digital Library, a Michigan&#45;based aggregator of university library collections. Other institutions are preparing making their own orphans available to authorized students and researchers, officials said in Wednesday&#8217;s press release. In light of a federal court&#8217;s recent rebuke of Google&#8217;s attempts to sell broad access to orphan works through its controversial Google Books Project, experts have speculated that it may be up to Congress to determine how orphans can and cannot be used. Michigan is not waiting around to open up its own orphans to authorized users, a move that it sees as covered by the &#8220;fair use&#8221; exemptions to copyright law.   top     Facebook Friend Request to Exec of Represented Corp. May Violate Ex Parte Rule, Opinion Says  (ABA Journal, 23 June 2011) &#45; A lawyer who sends a Facebook friend request to executives of a corporation he or she knows is represented by counsel in a litigation matter is violating a legal ethics rule against ex parte communications with parties, the San Diego County Bar Ethics Committee held in an advisory ethics opinion (PDF) last month. However, &#8220;nothing in our opinion addresses the discoverability of Facebook ruminations through conventional processes, either from the user&#45;represented party or from Facebook itself,&#8221; writes the San Diego committee in its opinion. &#8220;The conclusion we reach is limited to prohibiting attorneys from gaining access to this information by asking a represented party to give him entry to the represented party&#8217;s restricted chat room, so to speak, without the consent of the party&#8217;s attorney. 
The evidentiary, and even the disciplinary, consequences of such conduct are beyond the scope of this opinion and the purview of this committee.&#8221; The opinion is billed in a Recorder article as the first to address the issue. But prior ethics opinions in New York and Philadelphia have focused on similar Facebook friending concerns:    Lawyers Can&#8217;t Friend Potential Witnesses Under False Pretenses, Ethics Opinion Says     Attorney Can&#8217;t Ask 3rd Party to &#8216;Friend&#8217; Witness on Facebook, Opinion Says     Friending a Naive Adverse Witness for Info Could Violate Ethics Rules    [Editor: Eric Goldman&#8217;s blog also has a useful analysis of the San Diego holding: http://blog.ericgoldman.org/archives/2011/06/san_diego_count.htm]   top     What The Drake Prosecution Was Really About &#45; IG Report Vindicates NSA Whistleblowers  (Jesselyn Radack, Daily Kos, 23 June 2011) &#45; The Department of Defense Inspector General just released a heavily redacted version of the  Intelligence Audit &#8220;Requirements for the TRAILBLAZER and THINTHREAD SYSTEMS.&#8221;  NSA whistleblower Tom Drake served as a critical material witness during the investigation for this report. Drake&#8217;s reward was an indictment under the Espionage Act. This Report is what the government&#8217;s case against NSA whistleblower Tom Drake was really about. Drake would have been on trial this week had the Justice Department&#8217;s case not crumbled two weeks ago in the face of negative judicial rulings and almost universally critical media coverage (chiefly inThe New Yorker and on 60 Minutes, The Washington Post, and Politico). The newly&#45;released IG report completely vindicates Drake, and the Hotline complainants (former NSA officials J. 
Kirk Wiebe, Bill Binney and Ed Loomis, and former House Intelligence Committee staffer Diane Roark) who raised concerns that the National Security Agency (NSA) was trading the security of the American people for a undeveloped funding vehicle (Trailblazer) that needlessly invaded the privacy of Americans; all the while NSA rejected a viable, cheaper program (ThinThread) that contained privacy protections and was ready to deploy prior to 9/11. My organization, Government Accountability Project (GAP), represents Drake, Binney and Wiebe. [Editor: see discussion and related stories in MIRLN 14.07 about the Drake prosecution.]   top     Court Conducts In Camera Review of Plaintiff&#8217;s Facebook Page to Resolve Discovery Dispute  (Eric Goldman&#8217;s blog, 24 June 2011) &#45; Background: Discovery disputes over Facebook accounts and whether they are discoverable in civil cases are piling up. Courts and litigants continue to grapple with the central problem that even to the extent the information is properly discoverable, at least some portion of a litigant or party&#8217;s Facebook&#8217;s account deserves privacy protection and should also be protected by federal statutes such as the Stored Communications Act. On the other hand, an opposing litigant needs to get access to the Facebook profile in order to determine whether something contained in the account is relevant, in order to articulate a &#8220;likely to lead to the discovery of admissible evidence&#8221; argument. Courts have come up with interesting and mostly imperfect ways to solve this problem. In one case, a court suggested that the litigants &#8220;friend&#8221; the court so the court could review the contents of the account which would be visible to the witness&#8217;s friends. (&#8221;  Judge Offers to Facebook &#8216;Friend&#8217; Witnesses in Order to Resolve Discovery Dispute.  
&#8220;) In this case, the court conducted an in camera review of the plaintiff&#8217;s Facebook profile and determined what information was discoverable. * * * It still feels awkward that the court took the approach of actually logging in to plaintiff&#8217;s Facebook account using plaintiff&#8217;s password. Isn&#8217;t this a violation of the Facebook terms of service? There&#8217;s another issue lurking in the background of these disputes that courts will be forced to confront: can a party be forced to consent to disclosure of information that falls under the Stored Communications Act? No case has directly confronted this question, although one court has held that a party&#8217;s default and fugitive status is not consent. (See &#8220;  Being a Fugitive is Not Consent for Production under the Stored Communications Act  .&quot;)   top     Lawsuit: Sony Laid Off Security Staff, Unprepared for PS3 Hacks  (ArsTechnica, 24 June 2011) &#45; A new class&#45;action lawsuit has been filed against Sony that claims the company has been negligent with online security, leading to multiple hostile attacks and the loss of customers&#8217; private data. The suit claims that personal information&#45;including credit card numbers and expiration dates&#45;were taken from Sony&#8217;s servers, and cites a number of confidential witnesses who claimed Sony&#8217;s security was inadequate. Perhaps most damning is the claim that Sony laid off employees working in security before the attacks. &#8220;Sony was more concerned about their development server being hacked rather than some consumer&#8217;s data being stolen,&#8221; according to a confidential witness quoted in the complaint. &#8220;They want to protect themselves and not the people that use their servers.&#8221; While Sony has always stressed that the company has no reason to believe credit information was compromised, the complaint treats the theft of credit card data as fact. 
The suit claims that Sony &#8220;spent lavishly to secure its proprietary development server containing its own sensitive information,&#8221; while not providing nearly the same level of security for the information of its customers. The suit asks for &#8220;appropriate&#8221; restitution for class members, credit&#45;monitoring services, and &#8220;exemplary damages&#8221; if it&#8217;s found that Sony acted in a reckless or negligent manner.   top    Companies Are Erecting In&#45;House Social Networks (NYT, 26 June 2011) &#45; What would Facebook look like without photos of drunken nights out and tales of misbehaving cats? It might look a lot like the internal social network at the offices of Nikon Instruments. The tone is decidedly businesslike, as employees exchange messages about customer orders, new products and closing deals. And the general rule is that &#8220;if you don&#8217;t want your company president to see it, don&#8217;t post it,&#8221; said John G. Bivona, a customer relations manager at Nikon Instruments, which makes microscopes. As social networks increasingly dominate communications in private lives, businesses of all sizes &#45; from tiny start&#45;ups to midsize companies like Nikon to behemoths like Dell &#45; are adopting them for the workplace. Although it is difficult to quantify how many companies use internal social networks, a number of corporate software companies have sensed the opportunity and offer various systems, some free to existing customers, others that charge a fee per user. It&#8217;s one more instance of how consumer technology trends, like the use of tablet computers, are crossing into office life. Because of Facebook, most people are already comfortable with the idea of &#8220;following&#8221; their colleagues. 
But in the business world, the connections are between colleagues, not personal friends or family, and the communications are meant to be about work matters &#45; like team projects, production flaws and other routine business issues. At Nikon, for example, which employs 500 people in offices throughout the United States, Canada and Brazil, a code of conduct for using the service leaves little room for the idle chit&#45;chat that is pervasive on Facebook. Still, it can be tricky to transport the mores and practices of social networking into the office. For instance, some workers prefer to be &#8220;lurkers&#8221; who read posts rather than write them. Others are just not interested. At Symantec, the computer security company, a few employees initially disliked the idea of an internal social network, but nevertheless used it to air their complaints. Another issue is how to protect corporate secrets. The systems are generally set up so that companies can determine who sees particular files and who belongs to specific groups on the network. Yet problems still arise over where the data is ultimately stored. Some social network providers use their own servers. But that may conflict with the rules of some potential clients that prohibit storing company information outside their firewall, said Susan Landry, an analyst with Gartner. [Editor: these tools dovetail with &#8220;knowledge management&#8221; processes, facilitating communities of practice and lubricating knowledge&#45;flows. Listen to Harvard Prof. Andrew McAfee&#8217;s 2009 podcast &#8220;Enterprise 2.0: How Organizations Are Exploiting Web 2.0 Technologies and Philosophies&#8221;, available at KnowConnect.com]   top    &#8216;Times&#8217; Ticks On (InsideHigherEd, 28 June 2011) &#45; The New York Times Company plans to continue its slow advance into the realm of higher education this fall. 
It announced today that it is teaming up with the University of Southern California to offer continuing education programs to try to tap a growing market of adults looking to pick up new skills. The new programs will comprise sequences of online courses taught by USC faculty through the Times Company&#8217;s online learning platform. While the programs will not count toward any degree, they represent the media company&#8217;s first foray into multicourse online sequences intended to confer a coherent body of knowledge. And that is yet another step toward full&#45;fledged degree programs, which are coming, according to Felice Nudelman, the company&#8217;s executive director of education. The company is pursuing partnerships that might soon have it stamping its seal on diplomas, Nudelman says. &#8220;We intend to grow in that market,&#8221; she says. &#8220;With USC, we are excited with this first step because we are excited about the potential for further depth and collaboration.&#8221; The Times Company, which has seen its annual revenues fall by about 30 percent in the last five years, has waded into the waters of higher education more deliberately than some of its peers&#8212;most notably the Washington Post Company, which now pays for its journalism operations largely off the back of Kaplan Inc., one of the country&#8217;s largest degree&#45;granting enterprises. But the Times&#8217;s activities in higher education have picked up in recent years. The Times Company in 2008 purchased a majority stake in Epsilen, an online learning and social networking platform. It has since teamed up with a number of colleges and universities to offer online courses in which students can earn certificates and, in some cases, transferable credits. The Times Company would not disclose how much money it has been making from its higher ed forays, but Nudelman says it has been &#8220;very happy&#8221; with the outcome so far. 
At a time when many institutions are entering into financial partnerships with outside education companies to help grow their online infrastructures, sometimes to the chagrin of traditional faculty, the Times is trying to position itself as an alternative to companies that offer similar services but seem like less natural allies to universities. &#8220;It is a model that we find our colleagues in the education sector to be comfortable with, and it&#8217;s a model that benefits both in terms of revenue,&#8221; says Nudelman.   top    Newsgathering Law: A Guide for Reporting (Citizen Media Law Project, 28 June 2011) &#45; Post by David Ardia: &#8221;I&#8217;m excited to announce the latest installment in a series of legal modules we are publishing in conjunction with Poynter&#8217;s News University. The free course, entitled  Newsgathering Law &amp;amp; Liability: A Guide for Reporting  , is designed for reporters, citizen journalists and anyone who wants to know more about the laws that relate to gathering content, interviewing sources and handling documents. It&#8217;s chock full of interactive exercises and quizzes and anyone can  enroll  at the NewsU site and take the course at their own pace. I co&#45;authored the module with  Geanne Rosenberg  , Chair of the Department of Journalism and the Writing Professions at the City University of New York&#8217;s Baruch College. This is our second course module at NewsU. The first, entitled   Online Media Law: The Basics for Bloggers and Other Publishers  , went live in 2008 and&#8212;shockingly&#8212;is NewsU&#8217;s most popular legal course. Hopefully we will catch some of that magic with this one.&#8221;   top    FFIEC Releases Banking Authentication Guidance (DigitalIDNews, 29 June 2011) &#45; The Federal Financial Institutions Examination Council released new guidance for financial institutions on online customer authentication to accounts. 
The council first released guidance in 2005 recommending a risk&#45;based approach and telling institutions to provide periodic assessments in response to new threats. The latest report reinforces those expectations. &#8220;Financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks,&#8221; the supplement states. &#8220;It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution&#8217;s customer awareness and education program.&#8221; The new guidance recognizes the emergence of malware and new, more sophisticated man in the middle and man in the browser attacks. The attacks can circumvent one&#45;time pass code tokens and the report recommends anti&#45;malware software, transaction monitoring, out&#45;of&#45;band authentication and secure USB devices. Lacking from the report is any guidance on how financial institutions should do authentication on mobile devices. The FFIEC&#8217;s Guidance is here: http://images.avisian.com/Auth&#45;ITS&#45;Final_6&#45;22&#45;11_FFIEC_Formated.pdf   top     Olympic Social Media Guidelines In Full: Athlete Photos But No Video  (PaidContent.org, 29 June 2011) &#45; News media this week reported next year&#8217;s London Olympics will allow athletes to tweet from the Summer Games. In fact, that consent was contained in general guidelines applying to all social media, which were issued to athletes back in May and which themselves are a variant of guidelines issued for Vancouver 2010 and, later, the Youth Olympic Games in Lausanne&#8230; They are permissive yet notably try to protect broadcasters and sponsors. 
Video and audio from within venues is banned and other material must be &#8220;in a first&#45;person, diary type format and should not be in the role of a journalist&#8221;. Athletes are forbidden from promoting their sponsors in social media. In parts, the guidelines are loose enough to potentially be contradictory. Athletes are allowed to &#8220;post still photographs&#8221; from inside venues but not to &#8220;distribute these photographs&#8221;. &#8220;Taking Facebook as an example, we would be crazy not to want to be involved in a platform that has half a billion active users &#45; that&#8217;s one in 12 people in the world,&#8221; according to IOC communications director Mark Adams. IOC Guidelines are here:  http://www.olympic.org/Documents/Games_London_2012/IOC_Social_Media_Blogging_and_Internet_Guidelines&#45;London.pdf    top    U.S. Company Preying on Foreigners Feels the Wrath of the FTC (Steptoe&#8217;s E&#45;Commerce Law Week, 30 June 2011) &#45; Kryptonite may be Superman&#8217;s weakness, but it apparently has no effect on the Federal Trade Commission&#8217;s enforcement powers. The FTC recently reached a settlement with Balls of Kryptonite, a California retailer that had tricked British customers into believing that it was based in England. The enforcement action was brought under Section 5 of the FTC Act, which prohibits unfair or deceptive practices; the Undertaking Spam, Spyware, and Fraud Enforcement With Enforcers beyond Borders Act (U.S. SAFE WEB Act); and the FTC Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule). The U.S. SAFE WEB Act allows the agency to bring actions against U.S. companies that harm foreign nationals. Balls of Kryptonite was also accused of misrepresenting its participation in the EU&#45;U.S. Safe Harbor Framework. 
Under the settlement, the company will be banned from using foreign website suffixes (such as &#8220;.co.uk&quot;), and will cease certain business practices that were determined to be unfair or deceptive. Balls of Kryptonite will also be fined $500,000. The action represents the first time that the FTC has punished a company under the U.S. SAFE WEB Act for doing harm to foreign nationals.   top     Alarm Over ABA Study of Online Advertising Proves Unfounded  (NLJ, 30 June 2011) &#45; The ABA&#8217;s Commission on Ethics 20/20 caused a minor stir last fall when it launched a study into the ethics of online client development tools including Facebook. The Commission on June 29 released its conclusions, and they are hardly drastic. Rather than develop a new set of rules pertaining specifically to online advertising, the commission recommended several relatively minor clarifications to the existing rules. The point was to offer attorneys more guidance about their ethical responsibilities when it comes to online client development, according to the report submitted by the commission, which is chaired by Wilmer Cutler Pickering Hale and Dorr partner Jamie Gorelick. The commission&#8217;s Technology Working Group looked at recent surveys of how lawyers use technology, examined marketing Web sites, reviewed litigation and disciplinary proceedings involving online client development, and considered suggestions by other ABA sections. &#8220;As a result of these efforts, the commission concluded that no new restrictions on lawyer advertising are required,&#8221; the panel wrote. 
&#8220;For example, the commission concluded that Rule 7.1&#8217;s prohibition against false and misleading communications is readily applicable to online advertising and other forms of electronic communications that are used to attract new clients.&#8221; The relatively small scale of the proposed changes has helped ease the concerns that surfaced among legal marketers in October when the review was announced. Some marketers feared that the inquiry would lead to onerous restrictions, while others applauded the possibility that the ABA would clear up unanswered questions about what is permissible online. Massachusetts lawyer Robert Ambrogi said that the proposals strike a &#8220;sensible balance&#8221; between the need to regulate lawyer advertising and lawyers&#8217; ability to use technology to educate consumers. [Editor: There are some areas of concern in the proposed revised rules &#45; e.g., the requirement that disclaimers be &#8220;conspicuously placed&#8221; Comment 3 to Rule 1.18. The Commission&#8217;s Report here:  http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20110629ethics202technologyclientdevelopmentinitialresolutionsandreport.authcheckdam.pdf  ]   top     Talking (Exclamation) Points  (NYT, 1 July 2011) &#45; In an essay published in 1895 called &#8220;How to Tell a Story,&#8221; Mark Twain chastised writers who use &#8220;whooping exclamation&#45;points&#8221; that reveal them laughing at their own humor, &#8220;all of which is very depressing, and makes one want to renounce joking and lead a better life.&#8221; One shudders to imagine what Twain would have made of e&#45;mail. Writing is by definition an imperfect medium for relaying the human voice. And in the age of electronic communication, when that voice is transmitted so often via e&#45;mail and text message, many literate and articulate people find themselves justifying the exclamation point to convey emotion, enthusiasm or excitement. 
Some do so guiltily, as if on a slippery slope to smiley faces. &#8220;I&#8217;ve degenerated to the point where I allow one per e&#45;mail, but I don&#8217;t feel good about it,&#8221; said Alex Knight, a media and technology investor in Seattle. &#8220;If I use one, I will go back and delete the previous ones. It&#8217;s sort of &#8216;Sophie&#8217;s Choice.&#8217; &#8220; In their book &#8220;Send: Why People Email So Badly and How to Do It Better,&#8221; David Shipley and Will Schwalbe say that the exclamation point was originally reserved for an actual exclamation (&quot;My goodness!&#8221; or &#8220;Good grief!&quot;) but that they have become unexpected champions of this maligned punctuation. &#8220;We call it the ur emoticon,&#8221; Mr. Schwalbe said in a recent phone conversation. &#8220;In an idealized world, we would all be able to do what our English teachers told us to do, which is to write beautiful prose where enthusiasm is conveyed by word choice and grammar.&#8221; [Editor: There&#8217;s quite a bit more here; it&#8217;s thoughtful and useful.]   top     So Sue Me: Are Lawyers Really the Key to Computer Security?  (ArsTechnica, 1 July 2011) &#45; If your code gets hacked, are you the one on the hook? In the early decades of the software industry, the answer was usually &#8220;no.&#8221; Software licenses routinely disclaimed liability, and until recently, security flaws were considered to be just another fact of life. When problems were discovered, companies were expected to fix them quickly, but they were rarely on the hook for the resulting damage. That&#8217;s changing rapidly. Recently, Sony faced a class action lawsuit for losing the private information of millions of users. And this week, it was reported that Dropbox is already being sued for a recent security breach of its own. It&#8217;s too early to know if these particular lawsuits will get anywhere, but they&#8217;re part of a growing trend. 
As online services become an ever more important part of the American economy, the companies that create them increasingly find that security problems are hitting them where it really hurts: the bottom line. The world in which software companies could safely treat security as an afterthought is gone&#45;but it&#8217;s not yet clear what will replace it. Class action lawsuits and FTC enforcement actions are two possible mechanisms for getting companies to take security seriously. But there are other candidates, including prospective security audits, education, and data retention rules. The right rules will encourage companies to take security seriously, but too much regulation could unduly hamper the software development process. [Editor: Some leaders in the Intelligence Community are pointing to lawsuits&#45;and the resulting move toward better governance&#45;as a useful security development. Me, too.]   top     Ear! Ear! Podcast Gains Are in the Listening, Not Creating  (Dennis Kennedy, 1 July 2011) &#45; Podcasts have become a great way to get free, informative audio programs on a seemingly limitless number of topics, including legal topics. However, most lawyers are not taking full advantage of the potential of podcasts. That might be because most articles about lawyers and podcasting focus on lawyers creating their own podcasts. While podcasting might make sense for a limited number of lawyers, listening to podcasts will have value for many lawyers. In this column, we&#8217;ll focus on listening to podcasts, how to start listening to podcasts and, if you already do so, how to improve your experience.   top     Job Posting to LinkedIn Group Doesn&#8217;t Violate Non&#45;Solicitation Clause  (Eric Goldman&#8217;s blog, 3 July 2011) &#45; Enhanced developed software, and had a relationship with Hypersonic, which modified existing software. The two companies often jointly bid on projects together. 
They were parties to an agreement which contained the following non&#45;solicitation clause:  &#8220;Employee Protection. During the term of this Agreement and for a period of twelve (12) months from the date of effective date of its termination, unless mutually agreed to in writing otherwise the Parties . . . shall refrain from soliciting or inducing, or attempting to solicit or induce, any employee of the other Party in any manner that may reasonably be expected to bring about the termination of said employee toward that end . . . .&#8221;  Some time after Enhanced and Hypersonic unsuccessfully bid on a project, Hypersonic posted an open position for an outside sales representative to &#8220;its LinkedIn webportal&#8221; (which the court describes as &#8220;a social internet site that connects businesses and people&quot;). An Enhanced employee saw the posting and informed the President of Hypersonic that he was interested. After this, the employee met with Hypersonic&#8217;s owner and hammered out a deal. Hypersonic then filed a complaint for declaratory relief regarding the enforceability of the agreement between Hypersonic and Enhanced. (There must have been some sabre&#45;rattling obviously that prompted the filing of the complaint by Hypersonic.) The trial court concludes that Hypersonic did not violate the non&#45;solicitation clause by posting the opening on LinkedIn. The appeals court affirms. The court looks to the dictionary definitions of the relevant terms (&quot;solicit&quot; and &#8220;induce&quot;) and concludes that Hypersonic did not solicit or induce the Enhanced employee to terminate his relationship with Enhanced:  &#8220;[t]he record clearly supports that [the employee] made the initial contact with Hypersonic after reading the job posting on a publicly available portal of LinkedIn. 
In other words, [the employee] solicited Hypersonic.&#8221;  A previous case addressing the question of whether recruiters violated their non&#45;compete clause by &#8220;connecting&#8221; (on LinkedIn) with candidates who were in discussions with their previous employer settled quietly. Here&#8217;s Evan Brown&#8217;s initial post on the case: &#8220;  Nefarious LinkedIn use finally makes it to the courts  .&#8221; Here is a  copy of the stipulated permanent injunction  , which imposes broad restrictions on the defendants&#8217; solicitation of certain customers, but interestingly does not mention LinkedIn. [Editor: instant case:  Enhanced Network Solutions Group v. Hypersonic Technologies Corp.  , 2011 WL 2582870 (Ind. Ct. App. June 30, 2011)]   top    Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information   (BeSpacific, 4 July 2011) &#45; &#8220;The purpose of this proposed DFARS rule is to implement adequate security measures to safeguard unclassified DoD information within contractor information systems from unauthorized access and disclosure, and to prescribe reporting to DoD with regard to certain cyberintrusion events that affect DoD information resident on or transiting through contractor unclassified information systems. This rule addresses the safeguarding requirements specified in Executive Order 13556, Controlled Unclassified Information. On&#45;going efforts, currently being led by the National Archives and Records Administration regarding controlled unclassified information, may also require future DFARS revisions in this area. This case does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow&#45;on rulemaking procedures as appropriate.&#8221; Federal Register Volume 76, Number 125 (Wednesday, June 29, 2011)   top     Unlicensed: Are Google Music and Amazon Cloud Player Illegal?  
(ArsTechnica, 4 July 2011) &#45; Amazon.com made waves in March when it announced Cloud Player, a new &#8220;cloud music&#8221; service that allows users to upload their music collections for personal use. It did so without a license agreement, and the major music labels were not amused. Sony Music said it was keeping its &#8220;legal options open&#8221; as it pressured Amazon to pay up. In the following weeks, two more companies announced music services of their own. Google, which has long had a frosty relationship with the labels, followed Amazon&#8217;s lead; Google Music Beta was announced without the Big Four on board (read our first impressions). But Apple has been negotiating licenses so it can operate iCloud with the labels&#8217; blessing. The different strategies pursued by these firms present a puzzle. Either Apple wasted millions of dollars on licenses it doesn&#8217;t need, or Amazon and Google are vulnerable to massive copyright lawsuits. All three are sophisticated firms that employ a small army of lawyers, so it&#8217;s a bit surprising that they reached such divergent assessments of what the law requires. So how did it happen? And who&#8217;s right? [Editor: Pretty interesting piece, parsing the reverberations of the MP3 case, Cablevision&#8217;s user&#45;dedicated remote&#45;storage DVR service, de&#45;duplication thinking, and possible litigation strategies of Google and Amazon.]   top    Google Loses Street View Battle, But Did It Win Wiretap War? (Steptoe&#8217;s E&#45;Commerce Law Week, 7 July 2011) &#45; In a recent ruling from the Northern District of California, a federal judge dismissed some claims but allowed others to proceed in a case brought against Google for alleged privacy violations in connection with its Street View program. 
In the class action suit, the plaintiffs brought claims against Google for violations of the wiretap portions of the federal Electronic Communications Privacy Act (ECPA) and various state laws that allegedly occurred when Google collected private information from unencrypted wireless networks while its specially outfitted cars drove through neighborhoods across the country, taking pictures for Google Street View. The court in In re Google Inc. Street View Electronic Communications Litigation allowed the plaintiffs&#8217; ECPA claim to go forward, but dismissed their state law claim. Although most attention in the media will focus on the court&#8217;s ruling on the ECPA claim, the more consequential aspect of the ruling may be the court&#8217;s decision that ECPA preempts state wiretap statutes, and that plaintiffs therefore could not bring claims against Google for violations of those statutes. As we recently reported, most courts have found that ECPA does not preempt state law. But now that another federal court has found that ECPA does preempt state wiretap laws, more courts could follow suit. This is a big deal for communications providers that want to monitor communications for purposes of network security or behavioral advertising, for example, since some state wiretap laws are more restrictive than ECPA. It also matters for employers who want to monitor employee communications. Ultimately, the preemption question will have to be resolved by the circuit courts, the Supreme Court, or Congress.   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2011-07-08T15:41:00-07:00</dc:date>
    </item>

    
    </channel>
</rss>
