<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">

    <channel>
    
    <title>MIRLN</title>
    <link></link>
    <description></description>
    <dc:language>en</dc:language>
    <dc:creator>vpolley@knowconnect.com</dc:creator>
    <dc:rights>Copyright 2013</dc:rights>
    <dc:date>2013-05-17T16:19:00-07:00</dc:date>
    <admin:generatorAgent rdf:resource="http://expressionengine.com/" />
    

    <item>
      <title>MIRLN &#45;&#45;&#45; 28 April – 18 May 2013 (v16.07)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_28_april_18_may_2013_v1607/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_28_april_18_may_2013_v1607/#When:16:19:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 28 April &#45; 18 May 2013 (v16.07) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | PODCASTS  | LOOKING BACK  | NOTES    Typosquatting Claims Against Security Researcher Are Legally Complicated    SO THAT&#8217;S WHAT &#8220;RAND&#8221; MEANS?: A Brief Report on the Findings of Fact and Conclusions of Law in Microsoft v. Motorola    Good Morning, Captain: Open IP Ports Let Anyone Track Ships on Internet    EFF Surveys Major Tech Companies&#8217; Privacy and Transparency Policies    Newspapers Post Gains in Digital Circulation    NIST Reworks Cyber Guidelines for the Hacking Era    US Regulators Look at Dealing with Social Media    Washington State Students Save $5.5M With Open Courseware    Major Publishers Go MOOC    Secret Bitcoin Mining Code Added to E&#45;Sports Software Sparks Outrage    ABA Opinion Cautions Judges to Avoid Ethics Pitfalls of Social Media    Coursera Enters Teacher Professional Development Market    Colombia&#8217;s Data Protection Law Takes Effect    Florida Supreme Court Deepens Lower Court Split on Searching a Cell Phone Incident to Arrest    China&#8217;s Cyberspies Outwit Model for Bond&#8217;s Q    ACLU, EFF Sue For License Plate Record Disclosure in Los Angeles    Viewing Cached Copyrighted Content Isn&#8217;t Infringing, UK Supreme Court Says    Is the U.S. Government Recording and Saving All Domestic Telephone Calls?    When Comments Turn Ugly: Newspaper Websites and Anonymous Speech    Protecting Privacy or Enabling Fraud? Employee Social Media Password Protection Laws May Clash with FINRA Rules    &#8220;Newsgathering in Massachusetts&#8221; Guide Now Available Online    Cybersecurity Remains A Top Concern Facing Corporate Directors and General Counsel    Indiana U. Approves Release of Kinsey Sex App    Weakness in Adobe ColdFusion Allowed Court Hackers Access to 160k SSNs    U.S. 
Cyberwar Strategy Stokes Fear of Blowback    In Legal Fog, Kim Dotcom Removes 3D Gun Design    E&#45;books Now Make Up 1/5 of U.S. Book Sales            Typosquatting Claims Against Security Researcher Are Legally Complicated   (Eric Goldman&#8217;s blog, 27 April 2013) &#45; Kenzie is a security researcher who has registered numerous domain names that are typographic errors of well&#45;known trademarks (e.g., mastercard, mcdonalds, newscorp, mcafee, macworld, monster, pcworld). He points the domain names to the actual sites in question (e.g., mcdonalds points to mcdonalds.com), but he is looking to demonstrate how these typo domains are used for &#8220;social engineering&#8221; attacks. Kenzie did not offer the domain names for sale, did not read the emails intended for the subject organization, and generally kept his whole scheme out of the public eye. Upon demand, he also offered to transfer the domain names to the organizations in question. Nevertheless he was sued by Gioconda Law Group for registering Giocondolaw.com (with &#8220;o&#8221; instead of &#8220;a&#8221;). In response to Gioconda&#8217;s complaint, Kenzie, proceeding pro se, asserted a variety of defenses, including a critique of American privacy law. Gioconda moved for judgment on the pleadings. The court struggles with the application of the Anticybersquatting Consumer Protection Act (ACPA) factors to this case. On the one hand, this is clearly not a case where the registrant is trying to profit by selling back the domain name. On the other hand, the court says, all non&#45;commercial uses are not necessarily exempt from the ACPA. [Not a particularly speech friendly position.] 
Ultimately, the court says that it&#8217;s not a case that can be resolved on the pleadings:  &#8220;Defendant&#8217;s alleged ideological, scholarly, and personal motives for squatting on the [domain name], while perhaps idiosyncratic, do not fall within the sphere of conduct targeted by the ACPA&#8217;s bad faith requirement. If anything, given that defendant aims to both influence plaintiff&#8217;s behavior and shape public understanding of what he perceives to be an important vulnerability in cyber security systems, this case arguably falls closer to cases involving parody and consumer complaint sites designated to draw public attention to various social, political, or economic issues.&#8221;  This is an interesting case that highlights the problems faced by security researchers generally. While the risk of liability here is less than what security researchers generally face (e.g., liability under the Computer Fraud and Abuse Act), it still shows a judge reluctant to grant the researcher&#8217;s conduct full protection as a non&#45;commercial, First Amendment&#45;protected venture. Case is Gioconda Law Group v. Kenzie, 2012 US Dist LEXIS 187801 (S.D.N.Y. Apr. 23, 2013)   top       SO THAT&#8217;S WHAT &#8220;RAND&#8221; MEANS?: A Brief Report on the Findings of Fact and Conclusions of Law in Microsoft v. Motorola   (Patently&#45;O, 27 April 2013) &#45; In a meticulous 207&#45;page opinion released on April 25, Judge James Robart in the Western District of Washington has crafted the first&#45;ever judicial determination of a &#8220;reasonable and nondiscriminatory&#8221; (RAND) royalty rate for patents essential to industry standards. To some observers, the dense opinion (captioned &#8220;Findings of Fact and Conclusion of Law&#8221;) may be nothing more than another bit of procedural arcana in the interminable litigation over smart phone patents (summarized here), this time in the battle between Microsoft and Motorola (now owned by Google). 
But for followers of industry standards, Judge Robart&#8217;s opinion was a highly&#45;anticipated and desperately&#45;needed attempt to establish basic guidelines for the interpretation of the RAND licensing commitments that pervade industry standardization bodies. Judge Robart&#8217;s opinion is important, not only because it resolves several highly contentious issues between Microsoft and Motorola, but because it provides a more general framework for analyzing RAND disputes in the future. At its heart, the bulk of Judge Robart&#8217;s opinion is a fairly conventional Georgia&#45;Pacific analysis of the &#8220;reasonable royalty&#8221; rates applicable to Motorola&#8217;s patents. He spends a considerable amount of time analyzing comparable licensing transactions and determining their applicability to a hypothetical licensing negotiation between the parties. But Judge Robart makes significant modifications to the traditional Georgia&#45;Pacific analysis in order to adapt it to the assessment of RAND royalty rates (which are related to, but different than, the &#8220;reasonable royalties&#8221; that serve as a measure of damages in patent infringement suits) (Para. 87). Here are some of the important observations that Judge Robart makes in this regard * * *     top     Good Morning, Captain: Open IP Ports Let Anyone Track Ships on Internet   (Ars Technica, 29 April 2013) &#45; While digging through the data unearthed in an unprecedented census of nearly the entire Internet, researchers at Rapid7 Labs have discovered a lot of things they didn&#8217;t expect to find openly responding to port scans. One of the biggest surprises they discovered was the availability of data that allowed them to track the movements of more than 34,000 ships at sea. The data can pinpoint ships down to their precise geographic location through Automated Identification System receivers connected to the Internet. 
The AIS receivers, many of them connected directly to the Internet via serial port servers, are carried aboard ships, buoys, and other navigation markers. The devices are installed at Coast Guard and other maritime facilities ashore to prevent collisions at sea within coastal waters and to let agencies track the comings and goings of international shipping. Rapid7 security researcher Claudio Guarnieri wrote in a blog post on Rapid7&#8217;s Security Street community site that he, Rapid7 Chief Research Officer H.D. Moore, and fellow researcher Mark Schloesser discovered about 160 AIS receivers still active and responding over the Internet. In 12 hours, the trio was able to log more than two gigabytes of data on ships&#8217; positions&#45;including military and law enforcement vessels. [Polley: related story: What Happened When One Man Pinged the Whole Internet (MIT Technology Review, 26 April 2013)]   top       EFF Surveys Major Tech Companies&#8217; Privacy and Transparency Policies   (EFF, 30 April 2013) &#45; Today the Electronic Frontier Foundation (EFF) releases its third annual report, &#8220;Who Has Your Back?,&#8221; which looks at major technology service providers&#8217; commitment to users&#8217; rights in the face of government data demands. EFF&#8217;s report examines 18 companies&#8217; terms of service, privacy policies, advocacy, and courtroom track records, awarding up to six gold stars for best practices in categories like &#8220;require a warrant for content,&#8221; &#8220;tell users about government data demands,&#8221; and &#8220;publish transparency reports.&#8221; &#8220;Transparency reports have become an industry standard practice among major technology companies since we started issuing this report in 2011,&#8221; said EFF Senior Staff Attorney Marcia Hofmann. &#8220;Through those reports, we&#8217;ve learned more about law enforcement requests for user data. 
We publish this annual report to encourage companies to let users know how data flows to the government, and to encourage companies to stand up for their users.&#8221; EFF&#8217;s report shows that more and more Internet companies are formally promising to give users notice about law enforcement requests for information unless prohibited by law or court order. We also found a dramatic increase in the number of companies publishing law enforcement guidelines for making data requests. This year, two companies&#45;Twitter and Sonic.net&#45;received a full six stars, while Verizon and MySpace earned no stars.   top           Newspapers Post Gains in Digital Circulation   (NYT, 30 April 2013) &#45; The nation&#8217;s newspapers suffered a slight decline in total circulation over the last six months compared with the same period the year before, but they benefited from an increase in digital subscriptions, which now make up nearly 20 percent of all daily circulation. &#8220;Overall circulation industrywide is flat and digital is growing,&#8221; said Neal Lulofs, an executive vice president with the Alliance for Audited Media, which released the figures  on Tuesday. &#8220;Newspapers are engaging with readers in a variety of media types, wherever and whenever.&#8221; The 593 audited daily newspapers had a 0.7 percent daily circulation decline, the group reported. The Wall Street Journal had the highest circulation, at 2,378,827, a 12.3 percent jump from the same time the year before. The New York Times overtook USA Today for second place with a circulation of 1,865,318, a 17.6 percent rise from a year ago. USA Today&#8217;s circulation was down 7.9 percent, dropping to 1,674,306. The Los Angeles Times and New York Daily News followed in fourth and fifth places. The figures include both print and digital subscriptions. For the 519 Sunday newspapers audited, total circulation declined 1.4 percent. 
The New York Times ranked first with an average circulation of 2,322,429, a 15.9 percent increase from the same time the year before. The Houston Chronicle ranked second, despite a 5.8 percent decline to 1,042,389. The Los Angeles Times was third; its circulation remained essentially flat at 954,010.   top           NIST Reworks Cyber Guidelines for the Hacking Era   (Nextgov, 30 April 2013) &#45; The National Institute of Standards and Technology has rewritten federal cybersecurity standards for the first time in nearly a decade to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats. The 457&#45;page government computer security bible, officially called &#8220; SP (Special Publication) 800&#45;53 ,&#8221; has not undergone a major update since its inception in 2005. That was long before the rise of advanced persistent threats&#8212;infiltrations that play off human failings to linger in systems until finding sensitive data. Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments. Congressional reports indicate that foreign adversaries have attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by &#8220;using blind or filtered buys.&#8221; Agencies also should offer incentives to vendors that provide transparency into their processes and security practices, or vet the processes of subcontractors. NIST broaches the controversial approach  to &#8220;restrict purchases from specific suppliers or countries,&#8221; which U.S. technology firms, even those who have been hacked, say might slow installations. 
The new guidelines also cover the challenges of web&#45;based or cloud software, insider threats and privacy controls. There are considerations specific to employees using personal devices for work, commonly referred to as BYOD, or bring your own device. Recommended restrictions include using cloud techniques to limit processing and storage activities on actual government systems. NIST also advises that agencies consult the Office of the General Counsel regarding legal uncertainties, such as &#8220;requirements for conducting forensic analyses during investigations after an incident.&#8221;   top           US Regulators Look at Dealing with Social Media   (NBC, 30 April 2013) &#45; A week after hackers broke into The Associated Press&#8217; Twitter feed and roiled financial markets, federal regulators say they need to find ways to deal with the impact of social media. Members of the Commodity Futures Trading Commission didn&#8217;t outline immediate action Tuesday. CFTC Commissioner Bart Chilton suggested they consider imposing tougher cybersecurity rules for investment firms and others that trade. Firms could be held accountable and sanctioned if their security systems were inadequate to prevent a breach. At a meeting of an advisory panel, Commissioner Scott O&#8217;Malia said regulators need to begin figuring out how to respond to social media.   top       Washington State Students Save $5.5M With Open Courseware   (InsideHigherEd, 1 May 2013) &#45; Students at the state of Washington&#8217;s 34 community and technical colleges will save hundreds of thousands of dollars a year because of low&#45;cost textbooks produced by the state&#8217;s Open Course Library, the college system said this week. The library, which received funding from the state legislature and the Bill &amp; Melinda Gates Foundation, spent $1.8 million to develop low&#45;cost course material, including textbooks of no more than $30, for 81 common courses. 
The effort has already saved students $5.5 million since fall 2011, according to an analysis by The Student Public Interest Research Groups, an advocacy organization.   top    &#45; and &#45;      Major Publishers Go MOOC   (InsideHigherEd, 10 May 2013) &#45; Several major publishers will experiment with offering free course materials to Coursera users enrolled in the Silicon Valley&#45;based company&#8217;s massive open online courses. The partnership, which involves Cengage Learning, Macmillan Higher Education, Oxford University Press, SAGE, and Wiley will deliver material using Chegg, a company that offers an e&#45;book platform. According to Coursera, while professors teaching MOOCs on its platform have been able to assign free high&#45;quality content, they will now be able to work with publishers to &#8220;provide an even wider variety of carefully curated teaching and learning materials at no cost to the student.&#8221; Coursera has, however, generated some revenue from the Amazon.com affiliates program wherein users buy books suggested by professors.   top       Secret Bitcoin Mining Code Added to E&#45;Sports Software Sparks Outrage   (Ars Technica, 1 May 2013) &#45; Competitive video gaming community E&#45;Sports Entertainment Association secretly updated its client software with Bitcoin&#45;mining code that tapped players&#8217; computers to mint more than $3,600 worth of the digital currency, one of its top officials said Wednesday. The admission by co&#45;founder and league administrator Eric &#8216;lpkane&#8217; Thunberg came amid complaints from users that their ESEA&#45;supplied software was generating antivirus warnings, computer crashes, and other problems. On Tuesday, one user reported usage of his power&#45;hungry graphics processor was hovering in the 90&#45;percent range even when his PC was idle. 
In addition to consuming electricity, the unauthorized Bitcoin code could have placed undue strain on the user&#8217;s hardware since the mining process causes GPUs to run at high temperatures.   top           ABA Opinion Cautions Judges to Avoid Ethics Pitfalls of Social Media   (ABA Journal, 1 May 2013) &#45; Judges don&#8217;t have to sit by the now&#45;proverbial telephone hoping to make contact with the rest of the world. Instead, they may join the growing numbers of people who participate in electronic social networking. That was the conclusion reached by the ABA Standing Committee on Ethics and Professional Responsibility in its Formal Opinion 462 (Judge&#8217;s Use of Electronic Social Networking Media), issued on Feb. 21. (ABA ethics opinions are identified by the numeric order in which they are issued, but Opinion 462  (PDF) is the first one since the 1980s that does not also include a two&#45;digit prefix designating the year of issuance.) In its opinion, the ethics committee notes that electronic social media &#8220;has become an everyday part of worldwide culture.&#8221; The opinion describes ESM as Internet&#45;based electronic social networking sites that require an individual to affirmatively join and accept or reject connection with particular individuals. &#8220;Social interactions of all kinds, including ESM, can be beneficial to judges to prevent them from being thought of as isolated or out of touch,&#8221; states the committee, which analyzed the issue in the context of the ABA Model Code of Judicial Conduct. &#8220;When used with proper care, judges&#8217; use of ESM does not necessarily compromise their duties under the Model Code any more than use of traditional and less public forms of social connection such as U.S. mail, telephone, email or texting.&#8221; But the opinion also urges judges to enter this particular electronic highway with extreme caution, for two primary reasons. 
First, while the Model Code of Judicial Conduct does not specifically address a judge&#8217;s participation in electronic social media, states the opinion, &#8220;All of a judge&#8217;s social contacts, however made and in whatever context, including ESM, are governed by the requirement that judges must at all times act in a manner &#8216;that promotes public confidence in the independence, integrity and impartiality of the judiciary,&#8217; and must &#8216;avoid impropriety and the appearance of impropriety.&#8217; &#8220; Those expectations are set forth in Rule 1.2 of the Model Code. The second reason for caution is the very nature of electronic social media. &#8220;Judges must assume that comments posted to an ESM site will not remain within the circle of the judge&#8217;s connections,&#8221; states the opinion. &#8220;Comments, images or profile information&#45;some of which might prove embarrassing if publicly revealed&#45;may be electronically transmitted without the judge&#8217;s knowledge or permission to persons unknown to the judge or to other unintended recipients. Such dissemination has the potential to compromise or appear to compromise the independence, integrity and impartiality of the judge, as well as to undermine public confidence in the judiciary.&#8221;   top           Coursera Enters Teacher Professional Development Market   (InsideHigherEd, 1 May 2013) &#45; Coursera, the Silicon Valley&#45;based provider of massive open online courses, is entering the teacher education market. The company is partnering with teachers colleges and other educational institutions to provide online professional development courses for K&#45;12 teachers and parents. The company described the new effort as its first foray into early childhood and K&#45;12 and its first partnerships with non&#45;degree&#45;bearing institutions, including art museums. 
With this, the company may be eyeing a professional development market that includes about 3.7 million teachers in America plus millions more across the world. &#8220;We want to help K&#45;12 students by helping their teachers,&#8221; Coursera co&#45;founder Andrew Ng said in a statement announcing the new program. &#8220;Many schools just don&#8217;t have the resources to provide teachers and parents the training and support they need. By providing free online courses on how to teach, we hope to improve this.&#8221; Coursera&#8217;s partners in the venture are University of Washington&#8217;s college of education; University of Virginia&#8217;s school of education; Johns Hopkins University&#8217;s school of education; Match Education&#8217;s Sposato Graduate School of Education; Peabody College of education and human development, Vanderbilt University; Relay Graduate School of Education; University of California at Irvine Extension; the American Museum of Natural History; The Commonwealth Education Trust; Exploratorium; The Museum of Modern Art; and New Teacher Center.   top       Colombia&#8217;s Data Protection Law Takes Effect   (Steptoe, 2 May 2013) &#45; Colombia&#8217;s data protection law, officially published on October 18, 2012, as Statute Law No. 1581, is now in effect. Modeled after the EU Data Protection Directive, the law introduces several requirements for any entity controlling or processing personal data within Colombia (with some exceptions). Colombia is the latest Latin American country to enact personal data protection laws modeled on the EU framework, joining Argentina, Costa Rica, Mexico, Peru, and Uruguay. Notably, the Colombian law (similar to some of the other Latin American laws) lacks a breach notification provision. The Colombian government expects to issue implementing regulations soon.   
top       Florida Supreme Court Deepens Lower Court Split on Searching a Cell Phone Incident to Arrest   (Volokh Conspiracy, 2 May 2013) &#45; I recently mentioned my new short essay, Foreword: Accounting for Technological Change, 36 Harv. J. L. &amp; Pub. Pol&#8217;y 403 (2013), about how the Supreme Court should resolve the lower court division on the Fourth Amendment rule for searching a cell phone incident to arrest. In light of that, I thought I would flag this morning&#8217;s decision by the Florida Supreme Court deepening the lower court division. In the new case, Smallwood v. State, the court ruled that the police can routinely seize a cell phone incident to arrest, but they generally need a warrant to search it absent a demonstrated risk that evidence on the phone could be destroyed after it had been seized. Here are the two key passages from Smallwood:  [W]e . . . conclude that the electronic devices that operate as cell phones of today are materially distinguishable from the static, limited&#45;capacity cigarette packet in Robinson, not only in the ability to hold, import, and export private information, but by the very personal and vast nature of the information that may be stored on them or accessed through the electronic devices. Consistent with this conclusion, we hold that the decision of the United States Supreme Court in Robinson, which governed the search of a static, non&#45;interactive container, cannot be deemed analogous to the search of a modern electronic device cell phone. * * *    top            China&#8217;s Cyberspies Outwit Model for Bond&#8217;s Q   (Bloomberg, 2 May 2013) &#45; Among defense contractors, QinetiQ North America (QQ/) is known for spy&#45;world connections and an eye&#45;popping product line. Its contributions to national security include secret satellites, drones, and software used by U.S. special forces in Afghanistan and the Middle East. 
Former CIA Director George Tenet was a director of the company from 2006 to 2008 and former Pentagon spy chief Stephen Cambone headed a major division. Its U.K. parent was created as a spinoff of a government weapons laboratory that inspired Q&#8217;s lab in Ian Fleming&#8217;s James Bond thrillers, a connection QinetiQ (pronounced kin&#45;EH&#45;tic) still touts. QinetiQ&#8217;s espionage expertise didn&#8217;t keep Chinese cyber&#45;spies from outwitting the company. In a three&#45;year operation, hackers linked to China&#8217;s military infiltrated QinetiQ&#8217;s computers and compromised most if not all of the company&#8217;s research. At one point, they logged into the company&#8217;s network by taking advantage of a security flaw identified months earlier and never fixed. &#8220;We found traces of the intruders in many of their divisions and across most of their product lines,&#8221; said Christopher Day, until February a senior vice president for Verizon Communications Inc. (VZ)&#8217;s Terremark security division, which was hired twice by QinetiQ to investigate the break&#45;ins. &#8220;There was virtually no place we looked where we didn&#8217;t find them.&#8221;   top       ACLU, EFF Sue For License Plate Record Disclosure in Los Angeles   (Ars Technica, 6 May 2013) &#45; For months now, we&#8217;ve been following the rapid expansion of license plate readers across America. The growth is fueled by federal law enforcement grants that allow for such data to be instantly shared with federal authorities. We&#8217;ve published stories showing how people crossing the US&#45;Mexico border are routinely subject to license plate scans, which are, in turn, shared with insurance companies. An intrepid data scientist claimed to have found the location of Minneapolis&#8217; stationary LPRs based on studying public records of the complete log file that he had requested. (Months later, the state law allowing for such access was changed.) 
As recently as March 2013, Piedmont, a rich Northern California town that is completely surrounded by Oakland, moved toward placing such devices at its  entire city border with Oakland  . On Monday, two Californian civil liberties groups filed a lawsuit  against the Los Angeles Police Department (LAPD) and the Los Angeles Sheriff&#8217;s Department (LASD) in an attempt to  compel these agencies to release a week&#8217;s worth of automated license plate reader (ALPR, or sometimes, LPR) data  from August 2012. The non&#45;profits claim that these agencies are required to do so under the California Public Records Act . In late July 2012, the American Civil Liberties Union and its affiliates  sent requests to local police departments and state agencies across 38 states to request information on how LPRs are used.   top           Viewing Cached Copyrighted Content Isn&#8217;t Infringing, UK Supreme Court Says   (IP Watch, 7 May 2013) &#45; Internet users who merely read or view copyright&#45;protected webpages enjoy a temporary copying exception under European Union and United Kingdom law and do not need permission from rights holders, the UK Supreme Court said in a 17 April ruling. The case, Public Relations Consultants Association Limited  [PRCA] v. The Newspaper Licensing Agency Limited and others , &#8220;raises an important question about the application of copyright law to the technical processes involved in viewing copyright materials on the internet,&#8221; the court said: Whether looking at a cached copy of protected content, without downloading or printing it, amounts to infringement. Lower courts held that it does, a finding unanimously rejected by the Supreme Court. 
However, acknowledging that the &#8220;issue has a transnational dimension and that the application of copyright law to internet use has important implications for many millions of people across the EU making use of what has become a basic technical facility,&#8221; the court decided to ask the European Court of Justice for a preliminary ruling &#8220;so that this critical point may be resolved in a manner which will apply uniformly across the European Union.&#8221; The Supreme Court judgment &#8220;is absolutely right in ensuring that acts of end users which were perfectly lawful in the analogue world remain lawful in the digital world,&#8221; said Baker &amp; McKenzie London Head of Intellectual Property Michael Hart, who represented the PRCA. &#8220;Any other decision would have severely restricted perfectly reasonable consumer Internet use,&#8221; he said in a press release. The decision is available here [pdf].   top            Is the U.S. Government Recording and Saving All Domestic Telephone Calls?   (Bruce Schneier, 7 May 2013) &#45; I have no idea if &#8220;former counterterrorism agent for the FBI&#8221; Tom Clemente knows what he&#8217;s talking about, but that&#8217;s certainly what he implies here:  More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18. What exactly the two said remains under investigation, the sources said. Investigators may be able to recover the conversation, said Tom Clemente, a former counterterrorism agent for the FBI. &#8220;We certainly have ways in national security investigations to find out exactly what was said in that conversation,&#8221; he told CNN&#8217;s Erin Burnett on Monday, adding that &#8220;all of that stuff is being captured as we speak whether we know it or like it or not. 
It&#8217;s not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her,&#8221; he said.  I&#8217;m very skeptical about Clemente&#8217;s comments. He left the FBI shortly after 9/11, and he didn&#8217;t have any special security clearances. My guess is that he is speaking more about what the NSA and FBI could potentially do, and not about what they are doing right now. And I don&#8217;t believe that the NSA could save every domestic phone call, not at this time. Possibly after the Utah data center is finished, but not now. They could be saving all the metadata now, but I&#8217;m skeptical about that too.   top       When Comments Turn Ugly: Newspaper Websites and Anonymous Speech   (DMLP, 7 May 2013) &#45; Dan Kennedy has reported on an interesting anonymous speech issue brewing (or perhaps already boiled over) in the town of Cohasset, Massachusetts. It seems that the board of selectpeople of Cohasset has been concerned recently about ad hominem attacks on their members, delivered through the medium of the comment sections of the websites of the Quincy Patriot Ledger and the Cohasset Mariner. The board has debated issuing a subpoena through the Town Counsel to identify the commenters, allegedly to determine whether the comments were being posted from computers owned by the town in violation of Cohasset&#8217;s computer usage policy. 
One can debate whether this stated motivation is a pretext for an attempt to pursue the commenters based on the content of what they wrote;  according to the Patriot Ledger  , Acting Cohasset Town Manager Michael Milanoski has stated that &#8220;there is no indication that any employee was using any town employee computer to blog at all.&#8221; However, the issue is potentially now moot, because GateHouse Media, owner of the Ledger and Mariner,  has complied with subpoenas  (see sidebar in linked story) issued in a separate libel suit filed in Quincy District Court by a former selectperson for the e&#45;mail and IP addresses of at least some of these commenters. One imagines that the plaintiff in this suit would be willing to share the results of her subpoenas with the current board. To be sure, GateHouse was within its rights to respond to the subpoenas. The company is bound by nothing other than its own privacy policy  in preserving the anonymity of its users; that policy clearly states: &#8220;We may disclose information you have provided to us if we have a good faith belief that such disclosure is necessary to ... comply with the law, government action or with legal process served on us[.]&#8221; There is no obligation on the part of GateHouse to challenge subpoenas for information about its users, and according to the Quincy District Court Civil Clerk&#8217;s Office, as of May 7, 2013, there were no documents in the court file (docket no. 13&#45;CV&#45;646) indicating that any attempt to quash a subpoena had been filed. We cannot tell if GateHouse nevertheless made an attempt to inform its users about the subpoenas, and the users simply failed to object. Massachusetts does not have a statute such as Virginia  does, which requires an ISP that receives a subpoena for a user&#8217;s identity to notify the user in a timely manner. Nevertheless, this situation raises serious concerns. 
The First Amendment  protects the right to speak anonymously  , and that right should prevent courts from casually compelling the unmasking of anonymous or pseudonymous speakers in online forums. That right would be even more directly implicated if a government body such as a board of selectmen attempted to force disclosure of information that would lead to revelation of the users&#8217; identity, on a basis that could easily be a pretext for content&#45;based concerns (and one must wonder why this concern over misuse of town computers did not result in subpoenas in connection with previous comments).   top            Protecting Privacy or Enabling Fraud? Employee Social Media Password Protection Laws May Clash with FINRA Rules   (Proskauer, 8 May 2013) &#45; As a growing number of states pass legislation which will protect individuals&#8217; social media accounts from employer scrutiny, they have encountered a surprising adversary &#45; FINRA and other securities regulators. To date, at least six states have enacted social media employee privacy laws (which were blogged about  here  , here ,  here  , and here ) and upwards of thirty&#45;five states have considered legislation since the beginning of 2013. Washington State may soon join the ranks with SB 5211 , a bill unanimously passed by both chambers of Washington legislature on April 27, 2013, which now awaits the Governor&#8217;s signature. Social media password protection laws, although unique to each state, generally restrict employers from requesting or requiring that employees or applicants provide their social media user names, passwords, and account information. Supporters believe the laws are necessary to protect employee and prospective employee privacy and to prevent against unlawful employer action in response to an employee&#8217;s social media use. 
FINRA, the Financial Industry Regulatory Authority, fears that the new employee privacy laws may directly conflict with securities rules and threaten investor protection. With an increasing number of financial firms taking to Facebook and Twitter to interact with investors and give financial advice, FINRA has set forth various guidelines governing social media use. Under FINRA rules, securities firms must &#8220;adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised,&#8221; and broker&#45;dealers must be able to &#8220;retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.&#8221; FINRA Regulatory Notice 11&#45;39 (August 2011) . According to FINRA, if the employee of a broker&#45;dealer is engaging in business communications over a social networking site, the broker&#45;dealer must have access to the account for general monitoring and for its records. Broker&#45;dealers must also be able to freely follow up on red flags, or misuse of an account. FINRA fears that the adoption of social media employee privacy laws may conflict with monitoring and reporting requirements and could force some employers into a lose&#45;lose situation&#45;violate state law or violate a FINRA rule. FINRA worries that employers who choose the former will increase investor risk and the potential for securities fraud. FINRA has sent letters to lawmakers in approximately ten states seeking carve&#45;outs to social media employee privacy laws for the financial services industry. Many of the laws already include narrow exemptions, which allow for employers to require disclosure if an employee&#8217;s alleged misconduct has risen to a certain level. 
FINRA does not appear satisfied with these exemptions, which may be too limited for broker&#45;dealers to be in full compliance with monitoring, recording and supervision requirements. California has rejected FINRA&#8217;s request for an exception for the financial services industry, but it remains to be seen how the states will react in general.   top       &#8220;Newsgathering in Massachusetts&#8221; Guide Now Available Online   (DMLP, 8 May 2013) &#45; The Digital Media Law Project is pleased to announce the online release of its new legal resource,  Newsgathering in Massachusetts  , co&#45;produced with the Harvard Law School Cyberlaw Clinic . Our new guide is a PDF document formatted for booklet printing, and provides background legal information on the rights of independent and institutional journalists to collect information in Massachusetts. It covers core topics in Massachusetts newsgathering law, including: open meetings and public records laws; access to courts and courtrooms; recording courtroom proceedings; recording the activities of public officials in public spaces; and protection for anonymous sources.   top           Cybersecurity Remains A Top Concern Facing Corporate Directors and General Counsel   (Hogan Lovells, 9 May 2013) &#45; For the second year in a row, corporate directors and general counsel have ranked cybersecurity as a top&#45;of&#45;mind concern. On May 8, Corporate Board Member and FTI Consulting released the results of their 2013 Law in the Boardroom survey  of over 550 directors and general counsel. 
As the report notes, &#8220;the newest area of major concern continues a trend noted in last year&#8217;s study: data security and IT risk is one of the most significant issues for both directors and general counsel.&#8221; Hogan Lovells partner Harriet Pearson explained why cybersecurity has become a top&#45;of&#45;mind concern as part of her article on &#8220; Cybersecurity: the Corporate Counsel&#8217;s Agenda ,&#8221; which presented a ten&#45;point agenda for managing cyber risk. The survey found that data security was a close second for both directors and general counsel on the list of issues that will keep them up at night. And more than a quarter of all respondents ranked cyber risk oversight as an area that will require their attention in 2013.   top            Indiana U. Approves Release of Kinsey Sex App   (InsideHigherEd, 9 May 2013) &#45; Indiana University last year approved&#8212; and then quickly unapproved &#8212;the release of a sex reporting app by its Kinsey Institute, long famous for cutting&#45;edge sex research. Using the app, individuals could report promptly (and anonymously) on their own sexual activities, potentially giving researchers new information on exactly what people do and when and how they do it. The university denied it was being prudish and said it needed only to review privacy protocols. Following months of review, the university announced  Wednesday that the app has again been approved for release&#8212;with only one change. That change is that all reports will be placed on hold for geographically defined areas. Only when enough people from a given area respond so that reports could not be linked to any one individual will that information move into the database where it can be studied.   
top        Weakness in Adobe ColdFusion Allowed Court Hackers Access to 160k SSNs   (SC Magazine, 10 May 2013) &#45; The Washington state Administrative Office of the Courts (AOC) has confirmed that attackers leveraged a previously repaired Adobe software bug to access its website and make off with hundreds of thousands of Social Security and driver&#8217;s license numbers. Court officials on Thursday revealed that hackers definitively made off with 94 Social Security numbers, but that as many as 160,000 may have been compromised, alongside one million driver&#8217;s license numbers. Wendy Ferrell, a spokeswoman for Washington state AOC, told SCMagazine.com that a previously patched vulnerability in Adobe&#8217;s ColdFusion application server was used to carry out the attack. Adobe fixed  the weakness that was exploited in January.   top            U.S. Cyberwar Strategy Stokes Fear of Blowback   (Reuters, 10 May 2013) &#45; Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers. The strategy is spurring concern in the technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks. That&#8217;s because U.S. intelligence and military agencies aren&#8217;t buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber&#45;weapons that can disrupt data or damage systems. The core problem: Spy tools and cyber&#45;weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. 
So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. [Polley: The best voice on the risks here is Chris Soghoian (@csoghoian); catch his Harvard podcast on the issue cited in MIRLN 15.17 ]   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2013-05-17T16:19:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 7&#45;27 April 2013 (v16.06)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_17_march_6_april_2013_v16051/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_17_march_6_april_2013_v16051/#When:15:57:01Z</guid>
      <description>MIRLN &#45;&#45;&#45; 7&#45;27 April 2013 (v16.06) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | PODCASTS  | RESOURCES  | LOOKING BACK  | NOTES    Payment Card Industry Security Standards Council Publishes Cloud Computing Guidelines for Cardholder Data    Cybersecurity Disclosure: The Risks Of Silence    U.S. Business SEC Filings Suggest Cyber Threats may be Overstated    Rockefeller Asks SEC to Step Up Cybersecurity Disclosures     Federal Energy Regulatory Commission (FERC) Imposes a $975,000 Civil Penalty against Entergy for 27 Violations of Reliability Standard    Volunteer Opportunities for IP Professionals    CRS &#45; Drones in Domestic Surveillance Operations    Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight    Want to Read the Law? It&#8217;ll Cost You    IRS Tracks Your Digital Footprint    Hay Maker Seeks Cyberheist Bale Out    How Other Companies Manage Social Media    King &amp;amp; Spalding Blocks Employee Access to Personal Email Accounts, But Offers an Alternative    Order and Liberty: The DPLA Launches    Fair Use In Comparative Law    Mich. 
Court Backs Anonymity for Former Student Who Trashed Law School Online    Verizon&#8217;s 2013 Data Breach Investigations Report    Google Scholar Legal Content Star Paginator    You Shouldn&#8217;t Need a Copyright Lawyer to Pick a Dentist    Fifth Amendment Shields Child Porn Suspect From Decrypting Hard Drives    FBI Denied Permission to Spy on Hacker Through His Webcam    Once Under Wraps, Supreme Court Audio Trove Now Online    Sanctions Against Iran Will Hit Samsung Phone Users    Businesses Take a Cautious Approach to Disclosures Using Social Media            Payment Card Industry Security Standards Council Publishes Cloud Computing Guidelines for Cardholder Data   (Reed Smith, 21 March 2013) &#45; In a bid to help organisations better understand their compliance obligations under the Payment Card Industry Data Security Standard (PCI DSS) when using cloud technology to collect, store or transmit credit card data, the Payment Card Industry Security Standards Council (PCI SSC) has published the PCI DSS Cloud Computing Guidelines Information Supplement . Formed through a collaboration of more than 100 global organisations representing banks, merchants, security assessors and technology vendors, the guidelines state that the PCI DSS will still apply &#8220;if payment card data is stored, processed or transmitted in a cloud environment&#8221;. According to the PCI SSC, unless the cloud deployment model is truly private (on&#45;site), security is a shared responsibility between the Cloud Service Provider (CSP) and its clients, with the levels of responsibility between the two depending on the type of cloud service model used.   top       Cybersecurity Disclosure: The Risks Of Silence   (Dechert LLP, March 2013) &#45; With the rise in targeted, sophisticated, malicious attacks on corporate America&#8217;s electronic infrastructure, companies are increasingly focused on their cybersecurity disclosure obligations. 
There is a growing concern that many companies &#45; fearing reputational harm &#45; are sitting silent, but recent disclosures from a number of companies indicate a shifting approach to cybersecurity disclosure. In addition, pronouncements from the Obama Administration and top regulators reinforce the importance of understanding cybersecurity disclosure obligations. Cybersecurity is critically important to regulators and failure to disclose cybersecurity risks or actual breaches will likely draw significant attention. This OnPoint outlines some of the reasons for companies&#8217; increased focus on managing their cybersecurity risks. * * *   top    &#45; and &#45;      U.S. Business SEC Filings Suggest Cyber Threats may be Overstated   (Network World, 9 April 2013) &#45; Of the 27 largest U.S. companies (by revenue) that reported cyber attacks to the SEC, all of them stated they suffered no major financial losses from the intrusions, according to Bloomberg . Almost half the companies (12), which included Amazon, AT&amp;amp;T and Verizon, reported the cyber attacks on their systems &#8220;had no material impact&#8221; on the companies. Another, Citigroup, reported it suffered &#8220;limited losses and expenditures&#8221; from Internet bandit activity.  Note: corporations have been known to keep their cards close to their vest when it comes to reporting about intrusions into their computer systems.  The reports by these companies suggest that much of the controversy being generated in the public debate over American intellectual property being ransacked by foreign powers and cyber criminals may be more steam than flame. &#8220;I find it remarkable that only 27 companies disclosed they were targeted,&#8221; Chris Peteren, founder and CTO of LogRhythm, a network security solutions provider in Boulder, Colo. told PCWorld. 
&#8220;Every piece of evidence that&#8217;s out there right now points to the fact that 100 out of 100 are certainly being targeted,&#8221; he maintained. However, he pointed out that what&#8217;s &#8220;material&#8221; to these companies could have a high threshold. &#8220;A million, two million, three million dollars is in the realm of immaterial for these organizations,&#8221; he said.   top    &#45; and &#45;          Rockefeller Asks SEC to Step Up Cybersecurity Disclosures   (The Hill, 10 April 2013) &#45; Sen. Jay Rockefeller (D&#45;W.Va.) is urging the Securities and Exchange Commission (SEC) to require companies to reveal more information about their ability to defend against attacks on their computer systems. In a letter  sent on Tuesday to recently confirmed SEC Chairwoman Mary Jo White, Rockefeller said the agency should issue commission&#45;level guidance to companies on their obligation to disclose cybersecurity information. In response to a request from Rockefeller in 2011, the SEC issued staff&#45;level guidance on cybersecurity disclosures. But Rockefeller, the chairman of the Senate Commerce Committee, argued that the SEC should elevate the guidance to the commission&#45;level.     top     Federal Energy Regulatory Commission (FERC) Imposes a $975,000 Civil Penalty against Entergy for 27 Violations of Reliability Standard   (Nat&#8217;l Law Review, 6 April 2013) &#45; On March 28, 2013, the Federal Energy Regulatory Commission (FERC) issued an order approving a stipulation and consent agreement  between FERC&#8217;s Office of Enforcement (OE) and Entergy Services, Inc. (Entergy) to settle violations of various North American Electric Reliability Corporation (NERC) Reliability Standards. Although the basic terms of this settlement are largely unremarkable, there are unique aspects of this case to note. In a single paragraph, FERC stated:  &#8220;The civil penalty amount is consistent with the Penalty Guidelines. 
Enforcement considered that, given the size and complexity of Entergy&#8217;s system, its violations posed a high risk that it would be unable to prevent, contain, or control a disturbance that could lead to substantial harm.&#8221;  There are two other items of note about the Entergy settlement. The first is that the settlement explicitly calls out a cybersecurity violation. FERC staff found that Entergy violated Reliability Standard CIP&#45;007&#45;1 R1 because Entergy failed to test a firmware upgrade for a network switch prior to applying it in the production environment and because Entergy could not assess whether significant configuration changes to critical cyber assets would compromise its cybersecurity controls or those assets. Stating this finding in the public settlement departs from FERC&#8217;s and NERC&#8217;s typical practice of masking the identity of entities who have committed cybersecurity violations. [Polley: Spotted by MIRLN reader Roland Trope .]   top       Volunteer Opportunities for IP Professionals   (Patently&#45;O, 8 April 2013) &#45; One common way in which lawyers give back to their community is via pro bono work. In the pro bono world, a transactional lawyer typically has a general skillset allowing him or her to cover a variety of general corporate areas for a pro bono client even if the specific question at hand does not fall directly in the lawyer&#8217;s field of practice. Similarly, litigators, who have experience in the courtroom, are equipped to handle a variety of cases brought by pro bono clients, such as small&#45;claims court matters, housing, harassment, or immigration issues. However, patent prosecutors and in&#45;house counsel who might specialize in interacting with the United States Patent and Trademark Office (USPTO), may not feel equipped to meet the more common litigation or transactional needs of typical pro bono clients. 
Thus, it may not seem obvious to these attorneys how they can use their skill set to give back to the community. This article identifies a few ways in which intellectual property professionals can use their abilities to enhance their community. One way in which intellectual property (IP) lawyers can fulfill their pro bono hours is by getting involved with local charities and helping them with their IP needs&#45; for example, assisting them with the filing of a trademark for their organization. As patent prosecutors have familiarity with the USPTO, this would be an ideal way to help the community. Alternatively, IP lawyers can volunteer for organizations like Lawyers for the Creative Arts  or Springboard for the Arts , which provide pro bono legal assistance to clients working in the areas of art, culture, media, and entertainment, including the visual, literary, and performing arts. Example projects include working with artists on copyright, trademark, or general contract issues. For those IP lawyers interested in writing patents for under&#45;resourced inventors and small businesses pro bono, the USPTO launched a pilot program in Minnesota  last year to provide legal services to help such individuals and businesses obtain solid patent protection. Based on the success of the Minnesota program, the USPTO has instituted five new regional pro bono programs in Denver, California, Texas, Washington D.C. and New York City.   top       CRS &#45; Drones in Domestic Surveillance Operations   (BeSpacific, 8 April 2013) &#45; Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses. Richard M. Thompson II, Legislative Attorney. April 3, 2013):  &#8220;The prospect of drone use inside the United States raises far&#45;reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. 
Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an onboard human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm&#8217;s way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations to protect the homeland, assist in crime fighting, disaster relief, immigration control, and environmental monitoring. Although relatively few drones are currently flown over U.S. soil, the Federal Aviation Administration (FAA) predicts that 30,000 drones will fill the nation&#8217;s skies in less than 20 years.&#8221;  CRS report here .   top       Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight   (Wired, 9 April 2013) &#45; A legal fight over the government&#8217;s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect. Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government&#8217;s surveillance tool so that he could be located. 
Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location. Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don&#8217;t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI. The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location. In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real&#45;time cell&#45;site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then &#8220;broadcast a very strong signal&#8221; to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom&#45;in on Rigmaiden&#8217;s location. To make sure the air card connected to the FBI&#8217;s simulator, Rigmaiden says that Verizon altered his air card&#8217;s Preferred Roaming List so that it would accept the FBI&#8217;s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI&#8217;s fake site was at the top of the list. During a hearing in a U.S. 
District Court in Arizona  on March 28 to discuss the motion, the government did not dispute Rigmaiden&#8217;s assertions about Verizon&#8217;s activities.   top       Want to Read the Law? It&#8217;ll Cost You   (New Republic, 10 April 2013) &#45; Say you live in Rhode Island and want to upgrade the ancient plumbing in your kitchen. You figure you should be able to save some cash and do it yourself, but want to make sure you&#8217;re on the up&#45;and&#45;up with all applicable codes and regulations. So you head over to the state&#8217;s website to read the plumbing code . Problem is, the 15&#45;page &#8220;code&#8221; is actually just a series of modifications to a 156&#45;page volume of standards published by the International Code Council&#45;the 2009 edition of which , according to the introduction to the state regs, &#8220;is protected by the copyright that has been issued to the ICC. As a result, the State Building Code is not available in complete form to the public in an electronic format.&#8221; Your choice: $89 for a printed copy, or $74 for an e&#45;copy. But why should you have to pay to read laws that you must obey? You shouldn&#8217;t, of course. Neither state nor  federal law is copyrightable. Nevertheless, standards development organizations&#45;from the American Society of Sanitary Engineers to the National Wood Window and Door Association&#45;insist otherwise, having poured resources into developing long, technical regulations because the government didn&#8217;t have the expertise to do so. Now, state and federal laws simply  reference these industry codes , and allow non&#45;profits to charge for hefty books. For decades, reading these books for free has required trekking to your state capitol, or if you&#8217;re lucky, a local library. 
But the Internet has created an expectation that everything be made available online, searchable, linkable, printable, and free&#45;especially something that seems as rightfully in the public domain as the law of the land. Carl Malamud believes this more strongly than most. The open&#45;government activist, who pushed  the Securities and Exchange Commission to post corporate documents online and C&#45;SPAN to  make its video archive more widely available  , has been either scanning or painstakingly re&#45;typing and posting standards on his website Public.Resource.org for anyone to download. He started back in 2008  with California&#8217;s codes, and had posted 10,062 standards as of the end of last year. When the standards developers ask him to stop&#45;as six have done so far&#45;he politely refers them  to the 2002 decision  in  Veeck vs. Southern Building Code Congress International , in which a circuit court judge ruled that &#8220;as law, the model codes enter the public domain and are not subject to the copyright holder&#8217;s exclusive prerogatives.&#8221; Malamud typically doesn&#8217;t hear back after sending his response. But the Sheet Metal and Air Conditioning Contractors Association, which publishes standards relating to ducts and ventilation, wasn&#8217;t satisfied. In February, they followed up with a letter  protesting that the 9th Circuit had ruled differently back in 1997, and the decision still holds. Malamud,  with the help  of the Electronic Frontier Foundation, fought back with a complaint against SMACNA, asking that a judge resolve the legal question once and for all: Does the public have the right to the law, or doesn&#8217;t it?   
top           IRS Tracks Your Digital Footprint   (MSN, 10 April 2013) &#45; The Internal Revenue Service is collecting a lot more than taxes this year&#8212;it&#8217;s also acquiring a huge volume of personal information on taxpayers&#8217; digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e&#45;payment transaction records, as it expands its search for tax cheats to places it&#8217;s never gone before. The IRS, under heavy pressure to help Washington out of its budget quagmire by chasing down an estimated $300 billion in revenue lost to evasions and errors each year, will start using &#8220;robo&#45;audits&#8221; of tax forms and third&#45;party data the IRS hopes will help close this so&#45;called &#8220;tax gap.&#8221; But the agency reveals little about how it will employ its vast, new network scanning powers. Tax lawyers and watchdogs are concerned about the sweeping changes being implemented with little public discussion or clear guidelines, and Congressional staff sources say the IRS use of &#8220;big data&#8221; will be a key issue when the next IRS chief comes to the Senate for approval. Consumers are already familiar with Internet &#8220;cookies&#8221; that track their movements and send them targeted ads that follow them to different websites. The IRS has brought in private industry experts to employ similar digital tracking&#8212;but with the added advantage of access to Social Security numbers, health records, credit card transactions and many other privileged forms of information that marketers don&#8217;t see. The agency declined to comment on how it will use its new technology. But agency officials have been outlining plans at industry conferences, working with IBM, EMC and other private&#45;sector specialists. In presentations, officials have said they may use the big data for:   Charting and analyzing social media such as Facebook.  
Targeting audits by matching tax filings to social media or electronic payments.  Tracking individual Internet addresses and emailing patterns.  Relationship analysis based on Social Security numbers and other personal identifiers.   U.S. Tax Court records show that information gathered from Facebook and eBay postings has been used by the IRS in defending tax challenges. Under a Freedom of Information Act disclosure obtained by privacy advocates at the Electronic Frontier Foundation, the group published the IRS&#8217;s 38&#45;page manual used to train auditors to search Internet addresses, Facebook postings and other social media to back audit enforcements.   top           Hay Maker Seeks Cyberheist Bale Out   (Krebs on Security, 13 April 2013) &#45; An Oregon agricultural products company is suing its bank to recover nearly a quarter&#45;million dollars stolen in a 2010 cyberheist. The lawsuit is the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime. On Sept. 1, 2010, unidentified computer crooks began making unauthorized wire transfers out of the bank accounts belonging to Oregon Hay Products Inc., a hay compressing facility in Boardman, Oregon. In all, the thieves stole $223,500 in three wire transfers of just under $75,000 over a three&#45;day period. According to a complaint filed in Umatilla County Circuit Court, the transfers were sent from Oregon Hay&#8217;s checking account at Joseph, Ore. based Community Bank  to JSC Astra Bank  in Ukraine. Oregon Hay&#8217;s lawyers say the company had set a $75,000 daily limit on outgoing wires, so the thieves initiated transfers of $74,800, $74,500 and $74,200 on three consecutive days. 
Oregon, like most states, has adopted the Uniform Commercial Code , which means that a payment order received by the bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer. In its complaint, Oregon Hay targets Article 4A of the UCC , alleging that Community Bank&#8217;s online account security procedures were not commercially reasonable given the sophistication of today&#8217;s threats, and that the bank did not accept the fraudulent payment orders in good faith. The plaintiffs claim that the bank&#8217;s security systems did not rise to the level of recommendations issued by banking regulators at the U.S. Federal Financial Institutions Examination Council (FFIEC), which urged the use of multi&#45;factor authentication to verify the identity of users attempting to log in to a financial institution&#8217;s online banking software. Multi&#45;factor authentication requires the presentation of two or more of the three authentication factors: something the user knows, such as a password or PIN; something the user has, such as a smart card or one&#45;time token; and something the user is, such as a fingerprint or iris scan. According to the lawsuit, at the time of the theft Community Bank relied on a Jack Henry  product called &#8220;Multifactor Premium with Watermark,&#8221; which relied on a combination of &#8220;device IDs&#8221; &#45; a software &#8220;cookie&#8221; that identifies the user&#8217;s computer &#45; and &#8220;challenge/response&#8221; questions, which attempt to verify a user&#8217;s identity by asking him for answers to questions about his personal or financial history.   
top       How Other Companies Manage Social Media   (Entrepreneur, 13 April 2013) &#45; Whether your company is just starting to dabble in social media or has a strong strategy it has been implementing for a while, you may want to know how other companies are navigating the social Web. If you&#8217;ve ever wondered how many people companies hire to manage social media, how they measure success or whether you&#8217;re the only ones getting help from interns, we have the answers you&#8217;ve been looking for. We asked 2,714 communicators how their companies use social media in our Ragan/NASDAQ OMX Corporate Solutions survey , and Go&#45;Gulf.com highlighted some of the findings in an infographic .   top           King &amp;amp; Spalding Blocks Employee Access to Personal Email Accounts, But Offers an Alternative   (ABA Journal, 16 April 2013) &#45; Citing security concerns, a major law firm has blocked its workers from accessing their personal email on its computers. In a memo to employees on Monday, King &amp;amp; Spalding said it had been advised by consultants that accessing personal email accounts such as Gmail, Yahoo and Hotmail from the law firm&#8217;s computers &#8220;creates a significant security risk.&#8221; Hence, as of May 1, workers will be blocked from doing so&#45;and should not do so, even if for some reason they are not blocked from doing so. The ban includes accessing personal email from firm laptops even if they are not using the firm&#8217;s computer system, the memo notes. However, access to personal email is not lost for those with personal laptops and electronic devices at the office, the memo points out. A special wireless network has been installed in each office that employees can use for this purpose. Some clients do require law firm personnel to use accounts such as Gmail, the memo notes, and says employees should contact the firm for help determining how best to handle such issues.   
top       Order and Liberty: The DPLA Launches   (InsideHigherEd, 18 April 2013) &#45; I wasn&#8217;t entirely sure what the Digital Public Library of America (DPLA) would look like when the long&#45;awaited launch date of April 18 approached. The suspense is finally over: it looks great. The DPLA is an effort to unify access to cultural assets of the nation and make them free to all. We are not the first country to try this; in fact we&#8217;re a bit behind, perhaps because we have a tradition of local library planning and support and because we don&#8217;t have a true national library. (The Library of Congress is what its name says: it&#8217;s Congress&#8217;s library. We get to use it, and it does lots of work with copyright and cataloging that benefit libraries everywhere, but it is not a national library.) This project has been fascinating to watch as it has evolved out of democratic principles and the potential of digital sharing and collaboration. It raises all kinds of questions: what is a library? Do academic and public libraries, museums, and archives serve a common purpose? Who is it for? What does it mean for culture to be &#8220;free&#8221;? How can a digital library enable access to culture when so much of it is under copyright and not shareable except as the rights&#45;holder allows? The DPLA&#8217;s not going to be a digital version of your local public library&#8217;s collections and services &#45; at least, not yet. It is trying to do three things right now: pull together digital assets from major national and regional digital collections into a well&#45;organized, unified, easily searchable portal; provide digital tools and metadata that others can use to build new applications; and provide national leadership in the effort to encourage open and collective access to our shared cultural record. In other words, it will help us discover cultural assets scattered across websites and in museums, libraries, and archives. 
It will help us make new things with the pooled metadata. It will promote conversations we need to be having.   top       Fair Use In Comparative Law   (MLPB, 18 April 2013) &#45; Martin Senftleben, VU University of Amsterdam Faculty of Law, has published Comparative Approaches to Fair Use: An Important Impulse for Reforms in EU Copyright Law, in G.B. Dinwoodie (ed.), Methods and Perspectives in Intellectual Property (Cheltenham, UK/Northampton, MA, Edward Elgar, 2014, forthcoming). Here is the abstract. Fair use provisions in the field of copyright limitations, such as the U.S. fair use doctrine, offer several starting points for a comparative analysis of laws. Fair use may be compared with fair dealing. With the evolution of fair use systems outside the U.S., fair use can also be compared across different countries. The analysis may also concern fair use concepts in different domains of intellectual property. Instead of making any of these direct comparisons, the present analysis deals with another aspect of comparative analyses: the study of foreign fair use provisions as a basis for the improvement of domestic legislation. More specifically, the analysis will show that important impulses for necessary reforms in the EU system of copyright exceptions can be derived from a comparison with the flexible approach taken in the U.S. For this purpose, the legal traditions underlying the legislation on copyright limitations in the EU (civil law) and the U.S. (common law) will be outlined (section 1) before explaining the need for reforms in the current EU system (section 2). On this basis, strategies for translating lessons to be learned from the U.S. fair use approach (section 3) into the EU system will be discussed. This translation is unlikely to fail because of an inability or reluctance of civil law judges to apply open&#45;ended norms (section 4). 
Under existing EU norms, however, a degree of flexibility comparable to the flexibility offered in the U.S. cannot be achieved (section 5). To establish a sufficiently flexible system, EU legislation would have to be amended (section 6 and concluding section 7).   top           Mich. Court Backs Anonymity for Former Student Who Trashed Law School Online   (Inside Higher Ed, 22 April 2013) &#45; A former student who created a website that harshly criticized Thomas M. Cooley Law School is protected by the First Amendment and should not have his identity revealed, a Michigan state appeals court ruled this month . Cooley, a freestanding law school in Michigan, had sued the former student in state court, saying that the site the ex&#45;student created, Thomas M. Cooley Law School Scam, defamed the institution. Cooley officials obtained a California subpoena compelling the company that hosted the website to reveal his identity, and a lower state court refused to block the subpoena. But the appeals court ruled that Michigan law protects such speech, and sent the case back to the lower court for further review.   top       Verizon&#8217;s 2013 Data Breach Investigations Report   (April 2013) &#45; Perhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage. But rather than a synchronized chorus making its debut on New Year&#8217;s Eve, we witnessed separate, ongoing movements that seemed to come together in full crescendo throughout the year. And from pubs to public agencies, mom&#45;and&#45;pops to multi&#45;nationals, nobody was immune. As a result&#45;perhaps agitated by ancient Mayan doomsday predictions&#45;a growing segment of the security community adopted an &#8220;assume you&#8217;re breached&#8221; mentality. 
The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world. The list of partners is not only lengthy, but also quite diverse, crossing international and public/private lines. It&#8217;s an interesting mix of law enforcement agencies, incident reporting/handling entities, a research institution, and other incident response (IR)/forensic service firms. What&#8217;s more, these organizations contributed a huge amount of data to the report. All told, we have the privilege of setting before you our analysis of more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Over the entire nine&#45;year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records. [Polley: pretty interesting report, suggesting some trends.]   top           Google Scholar Legal Content Star Paginator   (FutureLawyer, 23 April 2013) &#45;  Chrome Web Store &#45; Google Scholar Legal Content Star Paginator  . This free little tool is handy for legal researchers who are used to seeing page numbers inline in Westlaw or Lexis. If you use the free Google Scholar service for basic legal research (why are you paying for legal research?), this will put star pagination into your Scholar results. The first place I go for case finding is Scholar; and, often I need not go anywhere else. I particularly like the &#8220;Cited by&#8221; command, which works like a poor man&#8217;s Shepard&#8217;s Citations. It lists all cases citing your case, and gives a one line reference to the citing case.   top           You Shouldn&#8217;t Need a Copyright Lawyer to Pick a Dentist   (Eric Goldman, 23 April 2013) &#45; In October 2010, Robert Lee needed a dentist, pronto. He didn&#8217;t realize he needed a copyright lawyer to help him pick a dentist. In search of urgent pain relief, Lee contacted Dr. 
Stacy Makhnevich (a preferred provider under Lee&#8217;s insurance plan). Dr. Makhnevich&#8217;s office required Lee to sign a &#8220;Mutual Agreement to Maintain Privacy&#8221; before it would treat him. This agreement&#45;&#45;based on a form contract  sold by a North Carolina company called Medical Justice&#45;&#45;prohibits patients from posting online reviews of the dentist; and if the patient does write a review, the agreement says the dentist owns the review&#8217;s copyright. In exchange, the dentist promises not to ask the patient if it can sell the patient&#8217;s name to marketers&#45;&#45;a worthless promise , as HIPAA already requires the dentist to obtain patients&#8217; permission before selling their information to marketers. (Elsewhere, I&#8217;ve explained why I think asking patients to restrict their future reviews is unethical, probably illegal , and a bad business decision ). Lee just wanted dental services, and not surprisingly he wasn&#8217;t in much of a mood to negotiate the ownership of copyrights in works that Lee hadn&#8217;t even written yet. So like hundreds of thousands of other Americans, Lee signed a Mutual Agreement to Maintain Privacy so he could get the dental services he urgently needed. Later, Lee became unsatisfied with his interactions with the dentist and posted critical online reviews to Yelp , DoctorBase and other websites. Apparently unhappy with the reviews, the dentist invoked the Mutual Agreement to Maintain Privacy and claimed copyright ownership over those reviews. The dentist sent Lee draft versions of lawsuits claiming $100,000 in copyright infringement damages. The dentist sent Lee invoices claiming copyright damages of $100 per day for his infringement. The dentist also sent takedown notices to Yelp and other websites, threatening to sue them for copyright infringement if they didn&#8217;t remove Lee&#8217;s posting. 
(To its credit, Yelp stood behind its user and declined to remove the review, accepting the risk of being sued for Lee&#8217;s purported copyright infringement). Lee didn&#8217;t fold under this pressure; instead, he sued the dentist to void the contract. In a recent ruling, the court rejected the dentist&#8217;s attempt to dismiss Lee&#8217;s lawsuit. The court didn&#8217;t conclude that Lee will win (that question hasn&#8217;t been raised yet), but the opinion isn&#8217;t good for the dentist. This ruling is particularly noteworthy because we almost never see legal battles involving the Mutual Agreement to Maintain Privacy. When confronted with a doctor or dentist&#8217;s threats involving the agreement, most patients quickly back down and remove their online reviews. In the rare situations where the patient doesn&#8217;t back down, some doctors and dentists acquiesce rather than test the contract&#8217;s strength in court. This case got to court only because the dentist sought so aggressively to assert the contract rights and Lee decided to fight rather than fold. Though we&#8217;ll have to see how this case turns out, the dentist probably made the wrong choice. Meanwhile, after a public interest organization (Center for Democracy &amp;amp; Technology) filed a complaint  about Medical Justice&#8217;s practices with the Federal Trade Commission, Medical Justice unilaterally declared that it had &#8220;retired&#8221; the contract  and advised its customers to stop using its form. Indeed, Medical Justice has done a complete reversal on its customers. Having persuaded its customers that patient reviews should be suppressed, Medical Justice (under a new brand, eMerit) is now selling doctors and dentists a service to help them increase  the number of online reviews from patients. 
Medical Justice&#8217;s customers would have been much better served encouraging patient reviews from the beginning; many of those customers are now woefully behind their competition in generating a credible quantity of patient reviews. Despite Medical Justice&#8217;s credibility&#45;defying flip, Medical Justice was so effective at persuading doctors/dentists to fear patient reviews that some doctors and dentists are still using the form agreement. Should your doctor or dentist present with such a form, you don&#8217;t need to call your copyright lawyer. Instead, refuse to sign the form , tell your doctor or dentist that the form agreement is unethical and probably illegal, and send them a copy of the recent ruling. Or, tell the doctor/dentist that you&#8217;re going to take your business to a healthcare provider with more enlightened views about patient reviews. [Polley: Particularly good post &#45; Eric summarizes several related issues; he&#8217;s pretty passionate about this stuff.]   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2013-04-26T15:57:01-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 17 March – 6 April 2013 (v16.05)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_17_march_6_april_2013_v1605/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_17_march_6_april_2013_v1605/#When:15:49:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 17 March &#45; 6 April 2013 (v16.05) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | RESOURCES  | BOOK REVIEW  | LOOKING BACK  | NOTES    Investors Demand Cyber Security Transparency    Are Governments Ready to be Buyers of Cybersecurity Insurance?    Which Encryption Apps Are Strong Enough to Help You Take Down a Government?    Court Rules That Prosecutors Can Use E&#45;mail Sent by Personal Attorney to Employee&#8217;s Work Account    Who Owns a MOOC?    Justice Dept. Drops Fight Against Tougher Rules to Access E&#45;Mail    Minnesota Modifies Liberal Open Records Law to Make Car Location Data Private    In Depth: The District Court&#8217;s Remarkable Order Striking Down the NSL Statute    Supreme Court Sides with Bookseller in Major Copyright Ruling, Says Resale is OK    Courses, Facebook, and Secret Groups    Whole Internet Probed for Insecure Devices    Michigan&#8217;s Internet Privacy Protection Act    AP Wins Big: Why a Court Said Clipping Content Is Not Fair Use    A Libertarian Nightmare: Bitcoin Meets Big Government    First Amendment Protects Online Republication of Court Records    The Dangers of Surveillance    US Attorney Asserts Jurisdiction in International Cases Because of Computer Server Location    Leading Library Journal&#8217;s Editorial Board Resigns Over Publisher&#8217;s Copyright Policy    Public Cloud Service Agreements: What to Expect and What to Negotiate    When Social Media at Work Don&#8217;t Create Productivity&#45;Killing Distractions    Toward an International Law of the Internet    Law Firms Offer Cybersecurity Advice and Attorney&#45;Client Privilege to Hacked Companies    Social Media: SEC Issues Reg FD Guidance (In Form of Enforcement Report)    If You Were 17, It Could Have Been Illegal To Read Seventeen.com Under the CFAA    Law Firm Fell Victim to Phishing Scam, Precipitating $336k Overseas Wire Transfer, 
Bank Suit Alleges            Investors Demand Cyber Security Transparency   (Carlton Fields, 5 March 2013) &#45; Almost daily we hear about a new cyber threat or information security breach. Just last week one of the world&#8217;s largest cloud services providers, Evernote, fell victim to an attack that resulted in a security breach that potentially compromised more than 50 million user accounts. As corporate America becomes better informed about the cyber threats facing U.S. companies, investors will demand more information and transparency about a company&#8217;s information security policies and practices. A recent survey conducted by Zogby Analytics raises serious concerns for C&#45;suite managers who are simultaneously facing increased scrutiny from regulators, increased demands from investors, and a need to remain mindful of the damage negative press can have on stock prices. According to the Zogby survey, 70 percent of investors are interested in reviewing company cyber security practices and almost 80 percent would likely not consider investing in a company with a negative history of attacks. Notably, the survey also found that 66 percent of investors said corporate responses to attacks are more noteworthy than the attacks themselves. Additionally, the survey revealed investors are twice as concerned if a company had a breach of customer data (57 percent) as opposed to a theft of intellectual property (29 percent). While consumer&#45;related data breaches grab headlines, the findings on intellectual property theft are particularly alarming. They demonstrate a fundamental misunderstanding of the damage that billions of dollars&#8217; worth of intellectual property theft can have on a company&#8217;s bottom line.   top       Are Governments Ready to be Buyers of Cybersecurity Insurance?   (Public CIO, 8 March 2013) &#45; South Carolina is learning the hard way that the costs associated with a data breach  can spiral upward in a hurry. 
Last year, hackers infiltrated a Department of Revenue computer system and swiped millions of unencrypted Social Security numbers and other personally identifiable information. The state reportedly has spent more than $20 million so far cleaning up the mess, including $12 million on credit monitoring services for affected citizens, and millions more on breach notification letters, security improvements, data forensics teams and IT consultants. And South Carolina isn&#8217;t done opening its wallet &#45; state agencies beyond the revenue department likely will request more funding to make IT security improvements of their own. Although South Carolina&#8217;s woes are an extreme example &#45; one security expert branded the hacking &#8220;the mother of all data breaches&#8221; &#45; the incident shows how much an organization should expect to pay out to remediate a large&#45;scale data breach. Other government agencies are dealing with the sticker shock. A separate high&#45;profile breach last year of health&#45;care data in Utah, for example, is costing millions; officials there spent hundreds of thousands of dollars alone on a crisis communications team. These figures aren&#8217;t outliers: A study conducted last year by the Ponemon Institute found that cybercrime cost the average U.S. organization $8.9 million annually. Some public&#45;sector officials and brokers in the insurance industry think the time has come to apply these same principles in the world of government IT. A small portion of local and state governments already have purchased what&#8217;s known as &#8220;cybersecurity insurance,&#8221; and at least a few officials think it&#8217;s time to start talking about the idea more seriously. &#8220;The probabilities are such, because your networks and services are so complex and integrated now, that you can&#8217;t cover up every manhole. 
Sooner or later someone is going to get through,&#8221; said Dick Clark, the former CIO of Montana who retired last year, about the state&#8217;s rationale for buying cyberinsurance. Montana recently joined the few states believed to carry some form of the insurance. Clark said if Montana suffered a South Carolina&#45;style data breach, his state would have a tough time covering the $10 million or $20 million cost. Montana likely would have to raid its general fund to cover the expense, he said. States and cities, Clark said, need to be aware that a data breach can bring a swath of unplanned costs.     top     Which Encryption Apps Are Strong Enough to Help You Take Down a Government?   (Gizmodo, 10 March 2013) &#45; It seems like these days I can&#8217;t eat breakfast without reading about some new encryption app that will (supposedly) revolutionize our communications &#45; while making tyrannical regimes fall like cheap confetti. This is exciting stuff, and I want to believe. After all, I&#8217;ve spent a lot of my professional life working on crypto, and it&#8217;s nice to imagine that people are actually going to start using  it. At the same time, I worry that too much hype can be a bad thing &#45; and could even get people killed. Given what&#8217;s at stake, it seems worthwhile to sit down and look carefully at some of these new tools. How solid are they? What makes them different/better than what came before? And most importantly: should you trust them with your life? To take a crack at answering these questions, I&#8217;m going to look at four apps that seem to be getting a lot of press in this area. 
In no particular order, these are Cryptocat , Silent Circle  [by Phil Zimmerman], RedPhone  and Wickr  * * *   top           Court Rules That Prosecutors Can Use E&#45;mail Sent by Personal Attorney to Employee&#8217;s Work Account   (Suits By Suits, 18 March 2013) &#45; Employees use their work e&#45;mails for all kinds of communications, from the business&#45;related to the personal and private. When a dispute arises, however, it&#8217;s getting more difficult to keep those private e&#45;mails from seeing the light of day. For example, last week&#8217;s Inbox  highlighted one recent decision  in which a New York federal court ruled that an executive had &#8220;no reasonable expectation of confidentiality or privacy&#8221; in his work e&#45;mail. United States v. Finazzo , No. 10&#45;CR&#45;457 (E.D.N.Y. Feb. 19, 2013). Finazzo is different from most of the cases we cover on this blog (with the exception of this post last week ) because it is a criminal case. The defendant is Christopher Finazzo, a former executive at Aeropostale , who was indicted on charges of mail fraud and false statements to the SEC. The government based the charges on Finazzo&#8217;s undisclosed interest in one of Aeropostale&#8217;s vendors, a company called South Bay. Aeropostale found out about Finazzo&#8217;s role in South Bay when its investigator uncovered an e&#45;mail that Finazzo&#8217;s personal attorney sent to his work account, in which the attorney listed assets to be considered for the drafting of Finazzo&#8217;s will. In the criminal case, Finazzo moved to keep the government from using the e&#45;mail at trial, arguing that it was a privileged attorney&#45;client communication. The court denied his motion, finding that the e&#45;mail was not a confidential or private document. In assessing the privacy of the document, the court weighed a number of factors * * *   top           Who Owns a MOOC?   
(InsideHigherEd, 19 March 2013) &#45; Faculty union officials in California worry professors who agree to teach free online classes could undermine faculty intellectual property rights and collective bargaining agreements. The union for faculty at the University of California at Santa Cruz said earlier this month  it could seek a new round of collective bargaining after several professors agreed to teach classes on Coursera , the Silicon Valley&#45;based provider of popular massive open online classes, or MOOCs. The union said the professors lobbied for a 12&#45;year&#45;old California law to guarantee that faculty&#8212;not universities&#8212;own the intellectual property rights to class lectures and course materials. But before professors can have their courses put on Coursera, they are expected to sign away those rights to the university so the university can give the professors&#8217; work to Coursera, the union said in a March 5 letter to a top labor relations official at Santa Cruz. In these waivers, professors &#8220;irrevocably grant the university the absolute right and permission to use&#8221; their course content, name, image and likeness. The university&#8217;s own contract with Coursera remains neutral and said only that rights will &#8220;remain with the applicable instructor and university.&#8221; [Polley: implicates the informal &#8220;Faculty Exception&#8221; to the work&#45;for&#45;hire doctrine (see, e.g., page 30 of this AAUP document ).]   top       Justice Dept. Drops Fight Against Tougher Rules to Access E&#45;Mail   (Washington Post, 19 March 2013) &#45; The Justice Department has dropped its long&#45;standing objection to proposed changes that would require law enforcement to get a warrant before obtaining e&#45;mail from service providers, regardless of how old an e&#45;mail is or whether it has been read. 
&#8220;There is no principled basis&#8221; to treat e&#45;mail less than 180 days old differently than e&#45;mail more than 180 days old, Elana Tyrangiel, acting assistant attorney general in the department&#8217;s Office of Legal Policy, said Tuesday. Tyrangiel, testifying before a House Judiciary subcommittee, also said that opened e&#45;mail should have no less protection than unopened e&#45;mail. Current law requires law enforcement to obtain a warrant before gaining access to e&#45;mail that is 180 days old or less if it has not been opened. But prosecutors may obtain e&#45;mail older than 180 days, or any e&#45;mail that has been opened, with a mere subpoena. The department&#8217;s shift means that legislative efforts to amend the 1986 Electronic Communications Privacy Act stand a better chance at succeeding. Lawmakers have  drafted legislation  that would impose a warrant requirement for all e&#45;mail held by commercial providers. In practice, since a 2010 ruling by the U.S. Court of Appeals for the 6th Circuit requiring a warrant for stored e&#45;mail, most large commercial e&#45;mail providers, such as Google and Yahoo, have adopted that standard.   top           Minnesota Modifies Liberal Open Records Law to Make Car Location Data Private   (ArsTechnica, 19 March 2013) &#45; A Minnesota state agency decreed on Monday that a vehicle&#8217;s location data as captured by license plate readers , which under existing state law had been completely public, should now be kept private. This comes more than four months after a  Minneapolis public committee lobbied  to change the state&#8217;s policy. The new temporary measure will expire in 2015. 
According to the Minneapolis Star&#45;Tribune: &#8220;The Department of Administration ruled Monday that the following data generated by license plate readers would be private: plate numbers; times, dates, and locations of vehicle scans; and vehicle photos.&#8221; As we reported earlier, Minnesota has a rather liberal open records state law known as the Data Practices Act, which makes all government data public by default. That means that anyone (up until now) could request the entire data set&#45;including license plate data&#45;from any law enforcement agency. In December 2012, Minneapolis mayor R.T. Rybak requested to a state committee that the data be immediately re&#45;classified as &#8220;non&#45;public.&#8221; The new proposal resulted from increased scrutiny of the practice in Minneapolis after a local reporter managed to track the mayor&#8217;s movements in August 2012 by filing a request with the police.   top           In Depth: The District Court&#8217;s Remarkable Order Striking Down the NSL Statute   (EFF, 19 March 2013) &#45; On Friday, EFF received the long&#45;awaited ruling on its 2011 petition to set aside a National Security Letter (NSL) issued to a telecommunications company. The petition challenged the constitutionality of one of five national security letter statutes, 18 U.S.C. &#167; 2709. And what a ruling it was. In a detailed and careful 24&#45;page opinion, Judge Susan Illston of the district court for the Northern District of California methodically addressed the government&#8217;s attempted justifications for this controversial domestic surveillance tool and found that the statute failed to meet the standards of settled First Amendment law. First, a moment to underscore the importance of this ruling. 
Over the past decade, since the PATRIOT Act expanded its reach from foreign agents and spies to anyone whose information may be &#8220;relevant&#8221; to a national security investigation, the FBI has issued hundreds of thousands of NSLs seeking potentially intimate information about Americans. Supporters of NSLs have frequently attempted to discount privacy concerns and have characterized criticism as &#8220;hyperbole,&#8221; but the reality is very different. As Judge Victor Marrero of the Southern District of New York noted in his 2004 Doe v. Ashcroft NSL decision, the NSL statute grants enormous, unchecked power to pry into the private lives of people within the United States * * *. With Friday&#8217;s opinion, entitled In Re National Security Letter, not only did the court set aside this particular letter, it barred any NSLs to telecommunications providers, finding that the statute was so inherently flawed that it could not stand. The decision will likely be appealed, and the order has been stayed in order to give the government the time to file an appeal, but the federal district court deserves enormous credit for not shying away from EFF&#8217;s request and instead tackling most of the difficult issues head on. With this case, EFF follows in the strong footsteps of our friends at the ACLU. In 2008, on behalf of Nicholas Merrill, the ACLU succeeded in convincing both a district court and the Second Circuit Court of Appeals to acknowledge the serious structural problems with the NSL statute. Unfortunately, despite finding the statute unconstitutional, the Second Circuit in its Doe v. Mukasey opinion approved the continued use of NSLs if the FBI undertook certain voluntary measures aimed at curbing abuse. The district court here found similar constitutional flaws but took those problems to their rightful conclusion. 
The court flatly rejected the Second Circuit&#8217;s attempts to rewrite the statute and rely on voluntary FBI actions to fix it, instead striking it down. While the decision rested primarily on failings with the gag provision, the court ruled that that provision was not severable from the rest of the statute and struck the statute in its entirety. As a result, if the decision is upheld, Congress must step in and repair the structural defects to better protect First Amendment rights if it intends to continue to grant similar power to the FBI. The court made five critical findings * * *   top           Supreme Court Sides with Bookseller in Major Copyright Ruling, Says Resale is OK   (PaidContent, 19 March 2013) &#45; In a court ruling that has major implications for used&#45;goods merchants across the country, the Supreme Court overturned a lower court decision that forbade a textbook seller from reselling textbooks that he had purchased from overseas. In a 6&#45;3 ruling , the court rejected publisher John Wiley&#8217;s interpretation of a rule known as the &#8220; first sale doctrine &#8221; which prevents copyright owners from exerting rights over a product once it has been purchased legally. This rule is what allows used book and music stores to sell used items without the copyright owner&#8217;s permission. In recent years, copyright owners facing a wave of imported goods have argued that the &#8220;first sale&#8221; only applies to goods manufactured in the United States. Lower courts have till now sided with the copyright owners, which has produced considerable uncertainty about whether or not retailers could import and sell goods that they had legally bought from abroad. Writing for the majority, Justice Stephen Breyer rejected John Wiley&#8217;s argument that the phrase &#8220;lawfully made under this act&#8221; implied a geographic limitation. 
He also referred to library associations, used&#45;book dealers, technology companies, consumer&#45;goods retailers, and museums &#45; all of which had urged the court to reject the restricted notion of &#8220;first sale.&#8221; The John Wiley ruling comes three years after the Supreme Court failed to resolve the same issue in a dispute between watch maker Omega and the retailer Costco. In that case, Omega had put little pictures on its watches and then argued that Costco infringed on its copyright when it imported them; that case produced a 4&#45;4 tie which meant the lower ruling against Costco was upheld. The result was different this time with different judges on the bench. The ruling is likely to be a relief for used booksellers and others who feared that geographical limits on first sale would harm their business. In the case before the Supreme Court, the defendant was a college student who had arranged for his family in Asia to buy textbooks and mail them to him in America where he sold them at a profit. Justices Ginsburg, Kennedy and Scalia dissented from the ruling. To learn more about the first sale doctrine, read our background on the Wiley case here . [Polley: Dennis Crouch&#8217;s Patently&#45;O has an analysis  of the case, suggesting that it also has implications for the patent exhaustion doctrine. EFF&#8217;s take on the case is here .]   
top           Courses, Facebook, and Secret Groups   (InsideHigherEd, 21 March 2013) &#45; Our students are leveraging the web and mobile apps to collaborate, share information, and study together. They are sharing online resources such as videos and learning objects from Khan Academy, digital textbook resources, YouTube, iTunesU, and other open online education resources. Students are actively sharing information about study strategies and techniques designed to help each other learn the material and do well on quizzes, tests, and papers. There is a world of social learning going on, and we (meaning us instructors, educational technologists &#45; basically anyone employed on the instructional or administrative sides of the house),  know nothing about what is going on.   The reason:  Facebook Secret Groups.  To quote from the Facebook privacy option  description page:  Secret: Non&#45;members can&#8217;t find these groups in searches or see anything about the group, including its name and member list. The name of the group will not display on the timelines of members. To join a secret group, you need to be added by a member of the group.  What is so appealing for students about Facebook Secret Groups is that instructors, or anyone else that works for the school, can&#8217;t access the group. We can&#8217;t even know that the group exists. An enormous amount of really high quality learning is going on on our networks and our campuses, but it is completely invisible to all of us. Facebook Secret Groups for classes means that our students are taking control of their learning. Freed from instructor and administrative surveillance and judgment they are able to learn in ways that fit their needs, not ours. They can be critical of our teaching, dismissive of our learning technologies, and disparaging of assignments &#45; all without fear of retribution by grading.   
top       Whole Internet Probed for Insecure Devices   (BBC, 21 March 2013) &#45; A surreptitious scan of the entire internet has revealed millions of printers, webcams and set&#45;top boxes protected only by default passwords. An anonymous researcher used more than 420,000 of these insecure devices to test the security and responsiveness of other gadgets, in a nine&#45;month survey. Using custom&#45;written code, they sent out more than four trillion messages. The net&#8217;s current addressing scheme accommodates about 4.2 billion devices. Only 1.3 billion addresses responded. The number of addresses responding was a surprise as the pool of addresses for that scheme has run dry. As a result, the net is currently going through a transition to a new scheme that has a vastly larger pool of addresses available. The scan found half a million printers, more than one million webcams and lots of other devices, including set&#45;top boxes and modems, that still used the password installed in the factory, letting almost anyone take over that piece of hardware. Often the password was an easy to guess word such as &#8220;root&#8221; or &#8220;admin&#8221;. &#8220;Whenever you think, &#8216;That shouldn&#8217;t be on the internet, but will probably be found a few times,&#8217; it&#8217;s there a few hundred thousand times,&#8221; wrote the un&#45;named researcher in a paper documenting their work . HD Moore, who carried out a similar survey in 2012,  told the Ars Technica news website  the results looked &#8220;pretty accurate&#8221;.   top           Michigan&#8217;s Internet Privacy Protection Act   (by MIRLN subscriber Michael Khoury , March 2013) &#45; The tempest in the teapot for 2012 was generated when applicants at educational institutions and those searching for employment were compelled to turn over their user names and passwords for social media and other accounts. 
According to an April 2012 report by the Council of State Governments, &#8220;State Leaders Work to Protect the Privacy of Employees&#8217; and Students&#8217; Social Media Accounts,&quot; the issue became significant in Michigan when a teacher&#8217;s aide was fired for refusing to provide login credentials to her social media account. Late in the 2012 legislative session, Michigan became the sixth state in the United States to enact legislation addressing the privacy of individual accounts and prohibiting employers and educational institutions from taking actions related to these accounts * * *   top       AP Wins Big: Why a Court Said Clipping Content Is Not Fair Use   (PaidContent, 22 March 2013) &#45; A federal court has sided with the Associated Press and the New York Times in a closely&#45;watched case involving a company that scraped news content from the internet without paying for it. The case has important implications for the news industry and for the ongoing debate about what counts as &#8220;fair use&#8221; under copyright law. Here&#8217;s a plain English explanation of what the case is all about and what it means for content creators and free speech. The defendant in the case is Norway&#45;based Meltwater, a service that monitors the internet for news about its clients. Its clients, which include companies and governments, pay thousands of dollars a year to receive news alerts and to search Meltwater&#8217;s database. Meltwater sends its alerts to clients in the form of newsletters that include stories from AP and other sources. Meltwater&#8217;s reports include headlines, the first part of the story known as the &#8220;lede,&#8221; and the sentence in the story in which a relevant keyword first appears. The Associated Press demanded Meltwater buy a license to distribute the story excerpts and, when the service refused, the AP sued it for copyright infringement. 
Meltwater responded by saying it can use the stories under copyright&#8217;s &#8220;fair use&#8221; rules, which creates an exception for certain activities. Specifically, Meltwater said its activities are akin to a search engine &#45; in the same way that it&#8217;s fair use for Google to show headlines and snippets of text in its search results, Meltwater said it&#8217;s fair use to clip and display news stories. The case has divided the tech and publishing communities. The influential Electronic Frontier Foundation  filed in support of Meltwater, arguing that AP could inhibit innovation and free expression if it succeeds with the copyright claim. On the other side, the New York Times  and other news outlets filed to support the AP ; they claim Meltwater was simply free&#45;riding and that the company is undermining the ability to create the sort of journalism on which a free society depends. In a decision published Thursday in New York, U.S. District Judge Denise Cote shot down Meltwater in blunt language. While much of the 90&#45;page ruling covers procedural issues and other defenses put forth by Meltwater, the heart of the decision is about fair use. Judge Cote rejected the fair use claim in large part because she didn&#8217;t buy Meltwater&#8217;s claim that it&#8217;s a &#8220;search engine&#8221; that makes transformative use of the AP&#8217;s content. Instead, Cote concluded that Meltwater is more like a business rival to AP: &#8220;Instead of driving subscribers to third&#45;party websites, Meltwater News acts as a substitute for news sites operated or licensed by AP.&#8221; Cote&#8217;s rejection of Meltwater&#8217;s search engine argument was based in part on the &#8220;click&#45;through&#8221; rate of its stories. Whereas Google News users clicked through to 56 percent of excerpted stories, the equivalent rate for Meltwater was 0.08 percent, according to figures cited in the judgment. 
Cote&#8217;s point was that Meltwater&#8217;s service doesn&#8217;t provide people with a means to discover the AP&#8217;s stories (like a search engine) &#45; but instead is a way to replace them. [Polley: implications for MIRLN? Fair use, or infringement? Would it be different if I charged for MIRLN? EFF&#8217;s take on the case is here .]   top       A Libertarian Nightmare: Bitcoin Meets Big Government   (Salon, 22 March 2013) &#45; What&#8217;s not to like about Bitcoin, every libertarian&#8217;s favorite crypto&#45;currency?  For starters, Bitcoins are as cyberpunk as William Gibson&#8217;s wildest dream: a form of monetary exchange invented in 2009 by a mysterious  character who called himself &#8220;Satoshi Nakamoto&#8221; but then disappeared from view after unleashing his virtual currency upon the world. Bitcoins are undeniably cool: marvelously &#8220;mined&#8221; from the ore of computer processing power and electricity; more ready for prime time than any previous experiment in purely digital money. And Bitcoins, increasingly, are a success. At a Thursday afternoon all&#45;time&#45;high valuation of $72 per Bitcoin, there were around $700 million worth of Bitcoins in circulation.  People are using Bitcoins to buy real goods and services, to hedge against European financial calamity, and to score drugs. That&#8217;s money.  Over the years, Bitcoin has experienced ups and downs; the currency has been targeted by hackers and thieves and botnets and been victim to more than one embarrassing software glitch. But it has persevered, and this week, one can fairly say that Bitcoin came of age. On Monday, the U.S. Treasury&#8217;s Financial Crimes Enforcement Network (FinCEN) released its first &#8220; guidance &#8221; as to how &#8220;de&#45;centralized virtual currencies&#8221; should fit into the larger regulatory regime  under which currencies of all kinds are required to operate. 
The word &#8220;Bitcoin&#8221; is never mentioned in FinCEN&#8217;s release, but that&#8217;s just a technicality. Everyone in the Bitcoin community knew who the guidance was aimed at. Bitcoin is a big boy now. The State is paying attention. But while some observers have applauded FinCEN&#8217;s guidance as acknowledgment that Bitcoin isn&#8217;t illegal or considered a &#8220;threat&#8221; by the government, not everyone is cheering the news. Because there&#8217;s a problem here. Bitcoin isn&#8217;t just an elegant way to create money using peer&#45;to&#45;peer networks and cryptography. Bitcoin is a currency with an ideology.  * * * [Polley: Spotted by MIRLN reader Corinne Cooper of Professional Presence ]   top           First Amendment Protects Online Republication of Court Records   (Eric Goldman, 23 March 2013) &#45; The court summarizes the facts:  Nieman discovered in 2009 that certain legal&#45;search websites (such as Lexis/Nexis.com, Justia.com, Leagle.com, and VersusLaw.com) were linking copies of documents from his prior lawsuit to his name. That litigation involved a former employer and was settled in 2011. When Nieman encountered difficulty obtaining another insurance job, he suspected that potential employers had learned of his prior lawsuit online and &#8220;blacklisted&#8221; him from employment opportunities. Nieman alleged that in late 2011 he wrote to each of the defendants and asked them to delink his court cases from their online search results. The defendants declined.  The court&#8217;s efficient disposition of the resulting lawsuits (citations omitted):  The First Amendment privileges the publication of facts contained in lawfully obtained judicial records, even if reasonable people would want them concealed. We have explained that judicial &#8220;[o]pinions are not the litigants&#8217; property. 
They belong to the public, which underwrites the judicial system that produces them.&#8221; Other legal documents included by the court as part of the public record of the judicial proceedings are also covered by the First Amendment privilege. The forprofit nature of the defendants&#8217; aggregation websites does not change the analysis; speech is protected even when &#8220;carried in a form that is &#8216;sold&#8217; for profit.&#8221; All of Nieman&#8217;s claims are based on the defendants&#8217; republication of documents contained in the public record, so they fall within and are barred by the First Amendment privilege.  The district court also relied on 47 USC 230; the Seventh Circuit doesn&#8217;t address that issue.  Nieman v. VersusLaw, Inc.  , 2013 WL 1150277 (7th Cir. March 19, 2013)   top       The Dangers of Surveillance   (Harvard Law Review, 25 March 2013) &#45; Abstract:  From the Fourth Amendment to George Orwell&#8217;s Nineteen Eighty&#45;Four, our law and literature are full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don&#8217;t really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with &#8220;privacy,&#8221; we lack an understanding of what &#8220;privacy&#8221; means in this context, and why it matters. Developments in government and corporate practices, however, have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance. 
This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of &#8220;surveillance studies,&#8221; I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It also gives the watcher power over the watched, creating the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance. At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance.    top           US Attorney Asserts Jurisdiction in International Cases Because of Computer Server Location   (ABA Journal, 26 March 2013) &#45; U.S. Attorney Neil MacBride of the Eastern District of Virginia is claiming jurisdiction to pursue cases against alleged international copyright pirates and out&#45;of&#45;state securities fraud defendants, citing the location of computer servers in his district. The  Associated Press  explains. MacBride says he has jurisdiction over most securities fraud cases because the servers for the EDGAR database of the Securities and Exchange Commission are located in Alexandria. He also claimed jurisdiction  to bring charges against the Hong Kong file&#45;sharing company Megaupload because many of the servers storing its content were leased from a northern Virginia company. A lawyer for Megaupload, Ira Rothken, has questioned prosecutors&#8217; theory that they have jurisdiction in the criminal copyright case because Internet traffic flows through their district. 
He is claiming a foreign corporation without U.S. offices cannot be prosecuted in this country. Megaupload officials are currently fighting extradition to the United States. [Polley: crazy, the idea of EDGAR&#45;based jurisdiction; wrong, the idea that Megaupload is in HK &#45; try New Zealand.]   top           Leading Library Journal&#8217;s Editorial Board Resigns Over Publisher&#8217;s Copyright Policy   (MLPB, 26 March 2013) &#45; The Chronicle of Higher Education  reports  that the editorial board of the Journal of Library Administration , a leading publication in the area of library management, has resigned en masse  over the publisher&#8217;s copyright policy. The now former editor, Damon Jaggers, notes that Taylor and Francis, the publisher of the journal, did negotiate with reluctant authors who objected to its previous policy, but the new policy requires potential authors to ante up $3,000 to publish with the journal.   Science Blogs reproduces the editorial board&#8217;s resignation announcement here,  along with some commentary. Below is the notification from the board:  The Board believes that the licensing terms in the Taylor &amp;amp; Francis author agreement are too restrictive and out&#45;of&#45;step with the expectations of authors in the LIS community. A large and growing number of current and potential authors to JLA have pushed back on the licensing terms included in the Taylor &amp;amp; Francis author agreement. Several authors have refused to publish with the journal under the current licensing terms. Authors find the author agreement unclear and too restrictive and have repeatedly requested some form of Creative Commons license in its place. After much discussion, the only alternative presented by Taylor &amp;amp; Francis tied a less restrictive license to a $2995 per article fee to be paid by the Author. 
As you know, this is not a viable licensing option for authors from the LIS community who are generally not conducting research under large grants. Thus, the Board came to the conclusion that it is not possible to produce a quality journal under the current licensing terms offered by Taylor &amp;amp; Francis and chose to collectively resign.    top           Public Cloud Service Agreements: What to Expect and What to Negotiate   (Cloud Standards Customer Council, 30 March 2013) &#45; For datacenters that have already leveraged outsourced infrastructure, the value of service level objectives and their formal contracts is understood. For datacenters that are using clouds as their first entr&#233;e into outsourced infrastructure, service agreements may be totally new. IT managers are not comfortable relying on infrastructure and infrastructure management that are outside their immediate control. Therefore, they are quickly realizing that they cannot guarantee a required level of service without understanding their objectives and formalizing such service level with organizations that are on the critical path of their business services delivery. This paper provides cloud consumers with a pragmatic approach to understand and evaluate public cloud service agreements. The recommendations in this paper are based on a thorough assessment of publicly available agreements from several leading public cloud providers. In addition to this paper, a great deal of research and analysis regarding the landscape of cloud service agreements is available in the CSCC companion paper, the &#8220;Practical Guide to Cloud Service Level Agreements&#8221;. In general, we have found that the current terms proposed by public cloud providers fall short of the commitment that many businesses will require. 
Of course, these providers have reputations to establish or maintain, therefore they will likely employ all reasonable efforts to correct problems, restore performance, protect security, and so on. But neither the specifics of the measures they will take, nor the remedies they offer if they fall short, are currently expressed well enough in their formal agreements in most cases. Furthermore, the language about service levels is often distributed among several documents that do not follow a common industry&#45;wide terminology. We hope that one impact of this paper will be to improve this state of affairs. [Polley: Spotted by MIRLN reader Claude Baudoin of Cebe IT &amp;amp; Knowledge Management ]   top       When Social Media at Work Don&#8217;t Create Productivity&#45;Killing Distractions   (Bloomberg, 1 April 2013) &#45; Workers who are encouraged to tweet, chat, like, and Skype on the job are among the most productive, new academic research says, shooting yet another hole in the managerial argument that social media in the workplace leads to goofing off and slacking on company time. Far from being a distraction, common social media tools such as Facebook, Twitter, and LinkedIn, plus Skype to chat, enable employees to answer more customer queries, and more quickly, says Joe Nandhakumar, professor of information systems at the Warwick Business School in the United Kingdom. He and his research team attribute this productivity boost to something Nandhakumar calls the &#8220;theory of virtual co&#45;presence&quot;&#45;the ability to collaborate with others over long distances in relatively short, productive sessions to resolve problems or accomplish tasks. Plenty of surveys and studies have looked at the benefits of granting employees unfettered social media access in the workplace, often focusing on increased collaboration  among co&#45;workers and, at the very least, keeping companies digitally savvy enough to  compete for young talent  . 
The Warwick Business School study is unique: Over more than two years, it followed the way a company&#8217;s policy to encourage social media usage among its employees led to increased customer interaction and, eventually, higher productivity.   top           Toward an International Law of the Internet   (BeSpacific, 2 April 2013) &#45; Toward an International Law of the Internet, Molly Land, New York Law School, November 19, 2012, Harvard International Law Journal, Vol. 54, 2013 (Forthcoming) via SSRN :  &#8220;This Article presents the first and only analysis of Article 19 of the International Covenant on Civil and Political Rights as it applies to new technologies and uses this analysis to develop the foundation for an &#8220;international law of the Internet.&#8221; Although Article 19 does not guarantee a right to the &#8220;Internet&#8221; per se, it explicitly protects the technologies of connection and access to information, and it limits states&#8217; ability to burden content originating abroad. The principles derived from Article 19 provide an important normative reorientation on individual rights for both domestic and international Internet governance debates. Article 19&#8217;s guarantee of a right to the technologies of connection also fills a critical gap in human rights law. Protecting technology allows advocates to intervene in discussions about technological design that affect, but do not themselves violate, international human rights law. 
Failure to attend to these choices &#45; to weigh in, ahead of time, on the human rights implications of software code, architecture design, and technological standards &#45; can have significant consequences for human rights that may not be easily undone after the fact.&#8221;    top           Law Firms Offer Cybersecurity Advice and Attorney&#45;Client Privilege to Hacked Companies   (ABA Journal, 2 April 2013) &#45; Law firms are getting involved as companies investigate hacker incidents, providing attorney&#45;client privilege to shield the findings in future lawsuits. The  Wall Street Journal  has a story on the trend. In one example, Nationwide Insurance hired Ropes &amp;amp; Gray after a hacker obtained personal details about 1 million people from the insurer. In another, Alston &amp;amp; Bird hired a former Justice Department lawyer in January to head its security&#45;incident and management&#45;response team. The lawyer, Kimberly Peretti, was a senior lawyer in the department&#8217;s Computer Crime and Intellectual Property Section. Mike Dubose, who leads Kroll Advisory Solutions&#8217; cyberinvestigations practice, advises clients to hire a law firm before it hires Kroll. He explained that a client who hires Kroll directly probably won&#8217;t be protected by attorney&#45;client privilege. &#8220;What a company does not want is its investigation or due diligence, undertaken with the best of intentions, to be used against it in litigation,&#8221; Dubose told the Wall Street Journal. [Polley: possibly great for protecting privilege; not&#45;so&#45;great for solving the problem unless  the hired lawyer(s) are tech&#45;fluent and  already know your business inside&#45;out. Further, almost all such internal investigations would/should have a non&#45;privileged component, designed for ultimate disclosure to regulators or other non&#45;control audiences. 
It&#8217;s a real  trick to manage a dual&#45;track privileged/non&#45;privileged internal investigation, and all the harder if counsel doesn&#8217;t &#8220;grok&#8221; the technology.]   top           Social Media: SEC Issues Reg FD Guidance (In Form of Enforcement Report)   (CorporateCounsel.net, 3 April 2013) &#45; Last month, the SEC&#8217;s Division of Investment Management issued this guidance  in an effort to clarify when mutual funds must file social media messaging with the SEC. The guidance provides 5 categories of communications that IM doesn&#8217;t believe needs to be filed &#45; and examples of communications that do. At the time, I thought Corp Fin might weigh in with its own social media guidance soon &#45; particularly due to widespread criticism in the wake of news that Netflix had received a Wells Notice from the Division of Enforcement (see my own blog  on this topic &#45; and Prof. Joe Grundfest&#8217;s amicus curiae brief ). The answer is &#8220;yes, sort of.&#8221; Yesterday, the SEC issued this Section 21(a) Report of Investigation  stating that Enforcement has decided not to go after Netflix &#45; mostly because its 2008 &#8220;corporate use of website&#8221; guidance  may not have been sufficiently clear about how it applies to social media (given that social media exploded onto the scene more recently). More importantly, the Report clarifies that the SEC&#8217;s &#8216;08 framework is sufficiently flexible to accommodate new &#8220;push&#8221; technologies like Facebook and Twitter &#45; so that companies should continue to apply their own facts against whether they have created a &#8220;recognized channel of distribution&#8221; using that framework. 
Even though the SEC&#8217;s press release  touts the new report as a greenlight for companies &#45; the press release&#8217;s title is &#8220;SEC Says Social Media OK for Company Announcements If Investors Are Alerted&#8221; &#45; I&#8217;m dubious that companies and their advisors will see it that way. For starters, the new guidance comes from an Enforcement report (here&#8217;s an explanation  of what a Section 21(a) report is) &#45; perhaps not the best vehicle to encourage new practices. And it doesn&#8217;t get into the nitty gritty like IM&#8217;s new guidance does. Given the slow adoption rate of social media by IR, finance and governance professionals &#45; compared to the rest of the world &#45; I&#8217;m not convinced this will be enough to get folks moving (for example, see this blog  by Blank Rome&#8217;s Yelena Barychev and this Cooley news brief  from Cydney Posner). [Polley: see also  Bloomberg Adds Twitter Feeds to Financial Platform on Heels of New SEC Rules   (PaidContent, 4 April 2013)]   top           If You Were 17, It Could Have Been Illegal To Read Seventeen.com Under the CFAA   (EFF, 3 April 2013) &#45; If you are 17 or under, a federal prosecutor could have charged you with computer hacking just for reading Seventeen magazine  online&#45;until today. It&#8217;s not because the law got any better. Earlier today, we wrote  about news sites that alarmingly prohibit their youth audiences from accessing the news and the potential criminal consequences under the Computer Fraud and Abuse Act . In response, the Hearst Corporation modified the terms of service across its family of publications, including the Hearst Teen Network, which notably includes titles like Seventeen, CosmoGirl, Teen and MisQuince. Seventeen highlights the absurdity of giving terms of service the force of law under the CFAA. 
It boasts a readership of almost 4.5 million teen readers with an average age of 16 and a half, and yet, until today, the average reader was legally banned from visiting Seventeen.com. That&#8217;s right, for a magazine dedicated to teen fashion, the publisher&#8217;s terms explicitly restricted online access to readers 18 and older. What&#8217;s worse, the Justice Department could choose to bring the might of the government to enforce this contract against a Seventeen reader who may never have even seen the agreement. Federal prosecutors have argued in court  that accessing a website in violation of terms of service is a crime. If the website&#8217;s terms, like Seventeen magazine&#8217;s previous version , explicitly state that you must be an adult to visit their sites or participate in their interactive features, then teenagers are accessing the site &#8220;without authorization&#8221; under the CFAA and could be doing jail time, according to the DOJ. Hearst removed the following line from the terms for publications ranging from the Houston Chronicle to the San Francisco Chronicle, from Popular Mechanics to Seventeen: &#8220;YOU MAY NOT ACCESS OR USE THE COVERED SITES OR ACCEPT THE AGREEMENT IF YOU ARE NOT AT LEAST 18 YEARS OLD.&#8221; The revisions are dated &#8220;April 23, 2013,&#8221; but presumably they meant April 3. Thank you Hearst, we appreciate your prompt response. But the real problem is the CFAA, which allows prosecutors to use these silly terms to manufacture computer crimes. And prosecutors have plenty of opportunities, as ridiculous terms of service abound throughout the Internet.   top           Law Firm Fell Victim to Phishing Scam, Precipitating $336k Overseas Wire Transfer, Bank Suit Alleges   (ABA Journal, 4 April 2013) &#45; A North Carolina bank claims in a lawsuit that it isn&#8217;t responsible for a $336,600 wire transfer to Russia from a law firm account. 
The suit by Charlotte&#45;based Park Sterling Bank claims the law firm of Wallace &amp;amp; Pittman fell victim to a phishing scam that began with a click on a link in a fraudulent email, the Charlotte Observer  reports. The email claimed to be from an industry group and warned that a banking transaction had failed to clear. Because of the clicked link, hackers were able to track a user&#8217;s keystrokes and learn banking passwords used by Wallace &amp;amp; Pittman, the suit says. Hackers used the passwords to send $336,600 to a &#8220;Konstantin Pomogalove&#8221; in Moscow, according to legal documents cited by the newspaper. After receiving notice of the transaction, the law firm immediately sought to stop the transfer. Nevertheless, he call was too late, the story says. Park Sterling Bank initially refunded the money then told the law firm it wanted the funds returned. Before the bank could debit the amount, the law firm obtained a restraining order and closed its account. Park Sterling Bank says the law firm should have opted for a higher security level that requires two approvals for wire transfers, and says the law firm is responsible for the loss under its customer agreement. Wallace &amp;amp; Pittman, on the other hand, claims the international nature of the wire transfer should have raised the bank&#8217;s suspicions, and the institution should have warned of phishing scams. [Polley: nearly on&#45;point case decided against the bank&#8217;s customer here .]   top           RESOURCES    Cloud Ethics Opinions   (ABA&#8217;s LTRC, March 2013) &#45; There&#8217;s a compelling business case for cloud computing, but can lawyers use it ethically? We&#8217;ve compiled these comparison charts to help you make the right decision for your practice. [Polley: clickable State map, with links to opinions and other resources.]   
top     The Fair Use/Fair Dealing Handbook   (InfoJustice.org, 27 March 2013) &#45; More than 40 countries with over one&#45;third of the world&#8217;s population have fair use or fair dealing provisions in their copyright laws. These countries are in all regions of the world and at all levels of development. The broad diffusion of fair use and fair dealing indicates that there is no basis for preventing the more widespread adoption of these doctrines, with the benefits their flexibility brings to authors, publishers, consumers, technology companies, libraries, museums, educational institutions, and governments. Fair dealing was first developed by courts in England in the eighteenth century, and was codified in 1911. Fair dealing became incorporated into the copyright laws of the former British Imperial territories, now referred to as the Commonwealth countries. Over the past century, the fair dealing statutes have evolved in many of the Commonwealth countries, and increasingly resemble the fair use statute in the United States. Thus, although fair dealing is generally considered to be less flexible and open&#45;ended than fair use, this is no longer the case in many Commonwealth countries. This handbook contains all the fair use and fair dealing statutes we were able to identify: The Fair Use/Fair Dealing Handbook    top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2013-04-05T15:49:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 24 February – 16 March 2013 (v16.04)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_24_february_16_march_2013_v1604/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_24_february_16_march_2013_v1604/#When:14:56:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 24 February &#45; 16 March 2013 (v16.04) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | RESOURCES  | BOOKS  | LOOKING BACK  | NOTES    Secretly Taping Johns is not a Privacy Violation, State&#8217;s Top Court Says    HTC Settles Privacy Case Over Flaws in Phones    Michigan Right of Publicity Law    Idaho Taxes Software in the Cloud    Iowa Retains Media/Non&#45;Media Distinction, Leaving Bloggers Vulnerable    ABA Issues New Opinion: Judicial Ethics and Social Media    What Does Your Lawyer Want You to Know About Social Media?    CRS &#45; Cybersecurity: Authoritative Reports and Resources    Federal Judge Alex Kozinski Talks About Using TOR to Surf Silk Road &amp;amp; The Armory for Drugs, Weapons and Hitmen    More Companies Reporting Cybersecurity Incidents    Newspapers Go All&#45;In for Copyright Fight Against Clipping Service    Google Offers Searchable Map of All White Space Spectrum in the US    CRS &#45; Public Access to Data from Federally Funded Research    Google Releases First Data on National Security Letters    FTC Staff Report Examines Growing Use of Mobile Payments Report Includes Recommendations for Industry    Why We Miss the First Sale Doctrine in Digital Libraries     En Banc Ninth Circuit Holds that Computer Forensic Searches Are Like &#8220;Virtual Strip Searches&#8221; and Require Reasonable Suspicion at the Border    When it Comes to Getting News on Twitter, You Are Who You Follow?    
Small Businesses Have Big Data Breach Problems    &#8220;Regulation of Social Media and Mobile Media&#8221; Talk Slides    How to Make Effective Disclosures in Digital Advertising    FTC Can Serve Foreign Defendants Via Facebook, Federal Judge Rules    Massachusetts Supreme Judicial Court Expands Consumer Zip Code Privacy Protection            Secretly Taping Johns is not a Privacy Violation, State&#8217;s Top Court Says   (ABA Journal, 20 Feb 2013) &#45; Maine&#8217;s top court has upheld the dismissal of 46 charges against a businessman accused of taping a prostitute&#8217;s sexual encounters, holding that the johns have no reasonable expectation of privacy under a state law banning recording in private places. The Maine Supreme Judicial Court dismissed the invasion of privacy charges against Mark Strong in a decision  (PDF) on Friday. He was accused of videotaping people who paid to have sex with dance instructor Alexis Wright, who was his business partner in a Zumba dance studio in Kennebunk. He still faces accusations that he promoted prostitution. &#8220;Places of prostitution and people who knowingly frequent them to engage a prostitute are not sanctioned by society,&#8221; the court said. &#8220;Accordingly, it is objectively unreasonable for a person who knowingly enters a place of prostitution for the purpose of engaging a prostitute to expect that society recognizes a right to be safe from surveillance while inside.&#8221;   top            HTC Settles Privacy Case Over Flaws in Phones   (NYT, 22 Feb 2013) &#45; More than 18 million smartphones and other mobile devices made by HTC, a Taiwanese company that is one of the largest sellers of smartphones in the United States, had security flaws that could allow location tracking of users against their will and the theft of personal information stored on their phones, federal officials said Friday. 
The Federal Trade Commission charged HTC  with customizing the software on its Android&#45; and Windows&#45;based phones in ways that let third&#45;party applications install software that could steal personal information, surreptitiously send text messages or enable the device&#8217;s microphone to record the user&#8217;s phone calls. The action is the first attempt by the commission to police a manufacturer of mobile devices. As smartphones and tablets become a common way for consumers to shop, bank and chat online, personal information and privacy will need to be guarded. HTC America, based in Bellevue, Wash., agreed to settle the civil suit with the commission by issuing software patches that close the security holes, and by creating a security program that will be monitored by an independent party for the next 20 years. The F.T.C. does not have the authority to assess fines in consumer protection cases. &#8220;The company didn&#8217;t design its products with security in mind,&#8221; Lesley Fair, a senior lawyer in the commission&#8217;s Bureau of Consumer Protection, wrote in a blog post . &#8220;HTC didn&#8217;t test the software on its mobile devices for potential security vulnerabilities, didn&#8217;t follow commonly accepted secure coding practices and didn&#8217;t even respond when warned about the flaws in its devices.&#8221;   top       Michigan Right of Publicity Law   (Harvard&#8217;s DMLP, 25 Feb 2013) &#45; This page covers legal information specific to the State of Michigan. For more general information, see the Legal Guide page on Using the Name or Likeness of Another ; for other states, see State Law: Right of Publicity . Although no state appellate court in Michigan has yet explicitly recognized a common law right of publicity, the U.S. Court of Appeals for the Sixth Circuit has opined that such a right would be recognized under Michigan law. 
In addition, Michigan&#8217;s state appellate courts have recognized comparable protection in the nature of a property right under its &#8220;appropriation&#8221; tort. The state has no corresponding statute. Publications and political organizations concerned about infringing on a plaintiff&#8217;s right of publicity should note that state appellate courts have interpreted the First Amendment to protect a broad range of speech from appropriation claims. For more detail, consult the First Amendment section below. The Sixth Circuit has suggested that Michigan would recognize a right of publicity to protect a person&#8217;s &#8216;identity&#8217; in addition to their name and likeness. It would therefore be possible to violate Michigan&#8217;s common law right of publicity without employing a person&#8217;s photo or name. In  Carson v. Here&#8217;s Johnny Portable Toilets, Inc.  , 698 F.2d 831 (6th Cir. 1983), the U.S. Court of Appeals for the Sixth Circuit held that the use of an identifying catchphrase (&quot;Here&#8217;s Johnny&quot;) by a portable toilet company was enough to constitute an appropriation of Johnny Carson&#8217;s identity under Michigan law. In fact, the court in Carson  noted that the use of Johnny Carson&#8217;s full name, John William Carson, would not have infringed on his right of publicity as it is distinct from his identity as celebrity.   top           Idaho Taxes Software in the Cloud   (Westlaw Insider, 25 Feb 2013) &#45; In a surprising and troubling move for the providers and users of &#8220;cloud&#8221; computing services, state tax authorities in Idaho ruled that software provided through cloud computing networks is subject to the state&#8217;s six percent sales tax. The Idaho ruling characterized all computer software as tangible property subject to tax no matter how it is made accessible to users. Use of cloud computing networks to make software accessible to consumers is increasingly popular. 
The process of providing software through computer networks is commonly referred to as, &#8220;software as a service.&#8221; Several states, including Virginia, Nebraska, Tennessee, Kansas, Rhode Island, and Wisconsin determined that software as a service is not subject to sales tax. They concluded that sales tax should only apply when a copy of software is downloaded to the possession of the end user. Most cloud computing systems provide access to shared software and do not involve downloading of copies. Other states are developing some form of sales tax specifically for application to software as a service. Those states include Washington, Texas, Indiana, New York, and Arizona. The Idaho ruling is reportedly based on the interpretation that software made accessible through cloud networks is within the &#8220;constructive&#8221; control of the end user. Idaho authorities contend that this constructive control is sufficient to make software as a service tangible property under Idaho law. Idaho is the only state, to date, that treats software in all forms as tangible property. Providers of cloud computing services fear that the Idaho action will adversely affect the popularity of cloud services by raising the costs of use. In addition to affecting the cost of software as a service, the Idaho ruling has potentially broader impact, as well. By characterizing all computer software as tangible property, Idaho has set the foundation for broad and possibly intrusive assertion of its state law against cloud service providers operating out of other jurisdictions.   top           Iowa Retains Media/Non&#45;Media Distinction, Leaving Bloggers Vulnerable   (Berkman&#8217;s DMLP, 26 Feb 2013) &#45; I&#8217;ve already written several posts about the overblown predictions that a ruling involving an Oregon blogger  ( now on appeal ) would have dire consequences for bloggers in that state. 
But a recent decision by Iowa&#8217;s Supreme Court on who can be considered &#8220;news media&#8221; under Iowa law may truly endanger bloggers and other online contributors in the Hawkeye State. The issue is that the Iowa Supreme Court decided to maintain the distinction in Iowa state law between &#8220;media&#8221; and &#8220;non&#45;media&#8221; defendants, with the latter being easier to sue for some types of libel. Bierman v. Weier , No. 10&#45;1503, 2013 WL 203611 (Iowa Jan. 18, 2013) is a libel suit based on Scott Weier&#8217;s memoir, Mind, Body and Soul , which focuses on Weier&#8217;s personal transformation after his divorce from plaintiff Beth Weier. In the book Scott Weier alleged that Beth suffered from mental illness because her father, plaintiff Gail Bierman, had molested her as a child. * * *   top       ABA Issues New Opinion: Judicial Ethics and Social Media   (Ride The Lightning, 28 Feb 2013) &#45; On February 21st, the American Bar Association released Formal Opinion 462 , Judge&#8217;s Use of Electronic Social Networking Media. It offers a new acronym, ESM, meaning electronic social media. Judges are allowed to participate in ESM so long as they &#8220;comply with the relevant provisions of the Code of Judicial Conduct and avoid any conduct that would undermine the judge&#8217;s independence, integrity or impartiality, or create an appearance of impropriety.&#8221; Nothing new there but I did note this paragraph:  A judge should disclose on the record information the judge believes the parties or their lawyers might reasonably consider relevant to a possible motion for disqualification even if the judge believes there is no basis for the disqualification. For example, a judge may decide to disclose that the judge and a party, a party&#8217;s lawyer or a witness have an ESM connection, but that the judge believes the connection has not resulted in a relationship requiring disqualification. 
However, nothing requires a judge to search all of the judge&#8217;s ESM connections if a judge does not have specific knowledge of an ESM connection that rises to the level of an actual or perceived problematic relationship with any individual.  That is indeed new. I like the practicality of that advice. In the same way, we have had judges note on the record, &#8220;I know Mr. Simek of Sensei Enterprises and have had some social interactions with him &#45; does (the other side) have any objection to proceeding in this case with Mr. Simek as an expert?&#8221; Invariably, the answer is &#8220;No, your Honor&#8221; but I love the transparency. Judges who are active on social media will certainly want to read this opinion carefully. [Polley: the ABA Journal&#8217;s piece on the Opinion is here .]   top            What Does Your Lawyer Want You to Know About Social Media?   (Gov&#8217;t Technology, 28 Feb 2013) &#45; The benefits of social media have been well documented in the public sector. From soliciting new ideas and opinions on Facebook to sending out key announcements through Twitter, social networks have become vital communication mediums for government agencies. But while online tools have made interacting with the public more convenient, the legal pitfalls associated with social media have also been exposed. Chief among those concerns are the free speech rights of users, particularly if a government entity deletes comments off its social pages. Municipal attorneys recommend that agencies refrain from deleting user commentary on official government Facebook walls or Twitter if those pages are open to public posting, which could be construed as a public forum in the eyes of the law. A public forum is a venue open to all types of expression allowed under the First Amendment like parks and streets. However, there is an exception if the speech incites violence or is threatening. 
In those cases, removing the comments won&#8217;t subject an agency to liability on the basis of a First Amendment challenge, according to Christina Checel, senior deputy city attorney of Long Beach, Calif. But if someone posts a statement damning city services or making a political statement that&#8217;s critical of elected officials, it must remain up. That advice may seem cut and dry, but it can get murky when the commentator is an employee of or affiliated with the government agency. * * *   top       CRS &#45; Cybersecurity: Authoritative Reports and Resources   (Congressional Research Service, 28 Feb 2013) &#45; Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated by individuals, as well as countries. Targets have included government networks, military defenses, companies, or political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a response problematic. Congress has been actively involved in cybersecurity issues, holding hearings every year since 2001. There is no shortage of data on this topic: government agencies, academic institutions, think tanks, security consultants, and trade associations have issued hundreds of reports, studies, analyses, and statistics. This report provides links to selected authoritative resources related to cybersecurity issues.   
top           Federal Judge Alex Kozinski Talks About Using TOR to Surf Silk Road &amp;amp; The Armory for Drugs, Weapons and Hitmen   (TechDirt, 1 March 2013) &#45; While I don&#8217;t always agree with him (who do  I always agree with?), like many folks who follow legal issues, Judge Alex Kozinski, the chief judge of the court of appeals for the 9th circuit, is one of my favorite judges. Known almost as much for his ability to entertain as for his clear, well&#45;written (and frequently funny) judicial rulings, one thing that&#8217;s always been clear is that, unlike some judges, Kozinski is both down to earth and really inquisitive when it comes to understanding how things really work, rather than just accepting common wisdom. Last night, Judge Kozinski gave a lecture at Santa Clara University on  &#8220;The Two Faces of Anonymity.&#8221;  As I expected, it was entertaining and insightful, with a few Kozinski&#45;esque surprises thrown in. By far the most entertaining part of the evening was Kozinski sharing (with screenshots) his experience exploring the &#8220;hidden web.&#8221; He claims that when he told his children about the topic of the talk, they told him he needed to explore the hidden web. So, &#8220;with some trepidation,&#8221; he downloaded Tor and dove in, starting out at Silk Road, which still remains the most well known hidden website out there. As we&#8217;ve noted in the past, for all the excitement and press attention Silk Road has received for being a totally anonymous online marketplace used mainly for buying and selling drugs and other illicit goods, it still is a  fairly small business  . Still, Judge Kozinski detailed his exploration of the market, including checking out various drugs (including many he&#8217;d never heard of before). He also looked into the ability to buy forged documents and lots of counterfeit software.   
top            More Companies Reporting Cybersecurity Incidents   (Washington Post, 1 March 2013) &#45; At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyber&#173;assaults last year, a sign of growing openness among corporations about the breadth of cybersecurity incidents plaguing the private sector. In their annual financial reports to the Securities and Exchange Commission, major banks such as Bank of America, Citi, Wells Fargo and JPMorgan Chase, along with smaller institutions, have reported that their systems were hit with computer disruptions or intrusions. The disclosures are significant in that for years, companies, including banks, have been loath even to acknowledge that they have been victims of such incidents. But it appears that SEC guidance issued in October 2011 making clear that companies need to report significant computerized theft or disruption, combined with greater public attention to the issue, is forcing more disclosure. Also, the fact that the banks hit by the DDOS attacks have been named in media accounts has made ignoring them more difficult. Such corporations as eBay, LinkedIn, Level 3 Communications, Chesapeake Energy and AT&amp;amp;T have admitted they suffered intrusions or disruptions last year. &#8220;It&#8217;s almost naive for most large companies in the critical infrastructure sector to say that they aren&#8217;t subject to attack,&#8221; said Paul Smocer, president of BITS, a financial services trade organization.   top       Newspapers Go All&#45;In for Copyright Fight Against Clipping Service   (Ars Technica, 3 March 2013) &#45; A copyright battle between The Associated Press  and an online news&#45;clipping service is reaching a climax, and the case could have significant implications for fair use. 
AP sued  Meltwater Group last year, arguing the &#8220;reputation management&#8221; company had a &#8220;parasitic business model&#8221; that violated copyright. Meltwater is defending the case, arguing that it is merely a search engine. Meltwater News  is a media&#45;monitoring service that helps corporations track what&#8217;s being said about them in press outlets online. The company boasts that it can &#8220;track keywords, phrases, and topics in over 192,000 sources from over 190 countries and 100 languages&#8221; throughout the day. It doesn&#8217;t send its subscribers full articles, but does copy snippets and headlines then provide links to full stories&#45;like Google News. Last week, the nation&#8217;s largest newspapers lined up to tell the New York federal judge considering the case that they support the AP. An amicus brief [ PDF ] was filed by The New York Times , The McClatchy Company, Advance Publications, and the Newspaper Association of America, which represents 200 newspapers around the country. In the brief, they argue that Meltwater isn&#8217;t a search engine&#45;it&#8217;s a competitor. Briefs have also been filed in this case by the Electronic Frontier Foundation  and the Computer &amp;amp; Communications Industry Association [ PDF ], a tech industry trade group that includes Google as a member. Both groups are supporting Meltwater.   top            Google Offers Searchable Map of All White Space Spectrum in the US   (ArsTechnica, 4 March 2013) &#45; If and when White Spaces networks  become a major success story, it will be a very well&#45;organized one . Internet&#45;capable devices will get online by accessing the empty airwaves in unused TV channels, and they&#8217;ll avoid interference with actual broadcasts by connecting to databases that keep track of all available spectrum. Google today began a public test of a White Spaces database  to help make this a reality. 
Google isn&#8217;t the first to operate one of these databases, but it&#8217;s done so with a very Google&#45;like approach. In addition to letting white space devices  identify available spectrum, Google unveiled a browser&#45;based tool  that lets anybody find out what spectrum is available nearby.   top       CRS &#45; Public Access to Data from Federally Funded Research   (BeSpacific, 5 March 2013) &#45; Public Access to Data from Federally Funded Research: Provisions in OMB Circular A&#45;110 . Eric A. Fischer, Senior Specialist in Science and Technology. March 1, 2013 :  &#8220;The results of scientific studies are often used in making government policy decisions. While the studies are often published, traditional federal research funding policies did not require the data on which they are based to be made available publicly. Such policies did, however, generally require researchers to share data and physical samples with other scientists after publication of the research. A rider, often called the Shelby Amendment or Data Access Act, that was attached to the Omnibus Appropriations Act for FY1999, P.L. 105&#45;277, mandated the Office of Management and Budget (OMB) to amend Circular A&#45;110 to require federal agencies to ensure that &#8220;all data produced under a [federally funded] award will be made available to the public through the procedures established under the Freedom of Information Act [FOIA].&#8221; The amendment authorizes user fees. OMB was required to make changes and release a revised circular; subsequently, agencies that chose to do so issued their own conforming rules. 
The final revision was published in the Federal Register on October 8, 1999, and has not been changed in subsequent updates to the circular.&#8221;    top       Google Releases First Data on National Security Letters   (Mashable, 5 March 2013) &#45; Google received somewhere between zero and 999 National Security Letters requesting information about its users in each of the last four years, according to newly revealed data  released by the company today. This is the first time that Google, or any other company, has published data regarding the secretive information requests. National Security Letters (NSLs), which are different from subpoenas, are used by U.S. government agencies &#45; particularly the FBI &#45; when investigating national security matters. Their main peculiarity is that they contain a gag order preventing the recipient from disclosing the existence of the letter itself. This means that if the FBI requests data from Google about a certain user, Google can&#8217;t notify the user of such a request. That is why we know so little about the extent of their use. According to the Electronic Communications Privacy Act, the FBI can use NSLs to seek non&#45;content data like &#8220;the name, address, length of service, and local and long distance toll billing records.&#8221; For Google, this means that the FBI can&#8217;t ask for &#8220;Gmail content, search queries, YouTube videos or user IP addresses,&#8221; with an NSL, the company wrote in its updated FAQ .   top            FTC Staff Report Examines Growing Use of Mobile Payments Report Includes Recommendations for Industry   (BeSpacific, 8 March 2013) &#45; &#8220;As part of its efforts to ensure that consumers are protected in the growing mobile marketplace, the Federal Trade Commission issued a staff report today highlighting key issues facing consumers and companies as they adopt mobile payment services. The report, titled Paper, Plastic&#8230; or Mobile? 
An FTC Workshop on Mobile Payments , is based on a workshop held by the Commission in 2012 to examine these issues.&#8221;   top       Why We Miss the First Sale Doctrine in Digital Libraries   (John Palfrey in TheDigitalShift, 8 March 2013) &#45; Publishers, ebook vendors, and libraries are engaged in a &#8220;tug of war&#8221; over the lending of electronic books, according to Library Journal &#8217;s recent ebook survey . This clash inhibits most libraries from fulfilling their important institutional missions to provide access to knowledge and preserve our cultural heritage. In the best case, this tug of war will be a temporary struggle. The best outcome is not a winner who holds all the rope and another lying on the ground with rope&#45;burned hands. If there must be a winner of any kind, it ought to be the reading public. In this article, the fourth installment in a series on the initiative to build a Digital Public Library of America , I examine the underlying role of law in the ebook lending debate, explore potential solutions to the problems, and consider how the DPLA can contribute to solutions for those we serve. At the core of this issue is the way the copyright law works&#45;or doesn&#8217;t&#45;when it comes to books, libraries, and readers in the United States today and into the future. A bit of background on the relevant law helps to set the scene for the tug&#45;of&#45;war. In the United States, copyright law grants to the creators of original works of authorship a bundle of exclusive rights &#45;namely, the ability to legally exclude others from copying, adapting, distributing, displaying, and performing their creations. Should an individual (or a library, for that matter) make use of a copyrighted work in a manner that implicates one of these rights, an exception to the law must apply; otherwise, the copyright owner may be able to make a successful claim for infringement. 
* * *   top        En Banc Ninth Circuit Holds That Computer Forensic Searches Are Like &#8220;Virtual Strip Searches&#8221; And Require Reasonable Suspicion At the Border   (Volokh Conspiracy, 8 March 2013) &#45; Today the Ninth Circuit handed down its long&#45;awaited en banc decision in United States v. Cotterman , a case on the lawfulness of searching a computer at the border. (My prior posts are here , here ,  here  , and here .) Today the Ninth Circuit announced a special rule for computer searches: Although a &#8220;review of computer files&#8221; can occur without reasonable suspicion, the &#8220;forensic examination&#8221; of a computer at the border requires reasonable suspicion because it is &#8220;akin to reading a diary line by line looking for mention of criminal activity&#45;plus looking at everything the writer may have erased.&#8221;   top           When it Comes to Getting News on Twitter, You Are Who You Follow?   (GigaOM, 10 March 2013) &#45; As Nate Silver discussed earlier today at SXSW in Austin on Sunday, the polarization of cable news and politics means that if you&#8217;re a serious Rachel Maddow fan, there&#8217;s only a tiny chance that you also vote Republican, and the same is true of Sean Hannity listeners and chances they&#8217;ll go for Democrats. But as we change where we get our news and turn to places like Twitter for information and verification of facts, it&#8217;s important to ask how that polarization will translate to social media &#45; if it will at all. Several journalists discussing the future of news dissemination  (something we&#8217;ll also be discussing at  paidContent Live  in April) tied these issues to those of crowdsourced news, particularly in the Middle East, when the tensions between accuracy and access  are most apparent. 
NBC correspondent Ayman Mohyeldin  made an interesting argument about verification, arguing that people should be free to select the accounts they want to follow and personally decide whether to trust that information or not, just as they tune into particular cable shows in the United States and apply their own sense of skepticism to Maddow and Hannity.   top           Small Businesses Have Big Data Breach Problems   (Ride The Lightning, 11 March 2013) &#45; A recently released report issued by the Ponemon Institute reveals that 55 percent of U.S. small businesses have experienced at least one data breach, but only a third notified individuals that their personal information had been exposed. The companies which participated had annual revenues of less than $10 million. The survey indicated that 53 percent had multiple breaches. That last statistic should raise eyebrows. And since 46 states have data breach notification laws, it is disturbing that a third of the respondents did not notify the people affected by the breach. 70 percent of the respondents believed that sensitive data is more likely to be breached when the data is outsourced &#45; but 62 percent do not have contracts in place requiring third parties to cover the costs associated with a breach. It is troubling that 85% share customer and employee records with third parties such as those which provide billing, payroll, employee benefits, web hosting and information technology services but obviously are not taking adequate data security precautions.   top           &#8220;Regulation of Social Media and Mobile Media&#8221; Talk Slides   (Eric Goldman, 12 March 2013) &#45; Last month, I spoke at the ABA Antitrust Section&#8217;s always&#45;well&#45;done Consumer Protection Conference . This time I was recruited as the provocateur to discuss the challenges of regulating social media and mobile media. Regular readers know where I stand on that question .   
top       How to Make Effective Disclosures in Digital Advertising   (FTC, March 2013) &#45; In the online marketplace, consumers can transact business without the constraints of time or distance. One can log on to the Internet day or night and purchase almost anything one desires, and advances in mobile technology allow advertisers to reach consumers nearly anywhere they go. But cyberspace is not without boundaries, and deception is unlawful no matter what the medium. The FTC has enforced and will continue enforcing its consumer protection laws to ensure that products and services are described truthfully online, and that consumers understand what they are paying for. These activities benefit consumers as well as sellers, who expect and deserve the opportunity to compete in a marketplace free of deception and unfair practices. The general principles of advertising law apply online, but new issues arise almost as fast as technology develops &#45; most recently, new issues have arisen concerning space&#45;constrained screens and social media platforms. This FTC staff guidance document describes the information businesses should consider as they develop ads for online media to ensure that they comply with the law.   top       FTC Can Serve Foreign Defendants Via Facebook, Federal Judge Rules   (ABA Journal, 13 March 2013) &#45; The Hague Service Convention doesn&#8217;t expressly authorize service on foreign defendants by email or social media accounts. But, saying that a U.S. court has the power under the treaty and the Federal Rules of Civil Procedure to approve supplemental means of service, a federal judge in Manhattan has OK&#8217;d a plan for the Federal Trade Commission to serve defendants in India with duplicate sets of documents both by email and via Facebook, according to Reuters . The federal courts need to keep an open mind about new technology, wrote U.S. District Judge Paul Engelmayer in his opinion  (PDF) last week, to which the S.D.N.Y. 
Blog  provides a link. The judge determined that Facebook service was authorized by Fed. Rule Civ. Pro. 4(f)(3), which provides that &#8220;a Court may fashion means of service on an individual in a foreign country, so long as the ordered means of service (1) is not prohibited by international agreement; and (2) comports with constitutional notions of due process.&#8221; He cited a 1980 decision in which a federal court in New York authorized service by Telex, as well as a recent opinion by the San Francisco&#45;based 9th U.S. Circuit Court of Appeals approving service by email. &#8220;The court acknowledges that service by Facebook is a relatively novel concept, and that it is conceivable that defendants will not in fact receive notice by this means,&#8221; wrote Engelmayer. &#8220;But, as noted, the proposed service by Facebook is intended not as the sole method of service, but instead to backstop the service upon each defendant at his, or its, known email address. And history teaches that, as technology advances and modes of communication progress, courts must be open to considering requests to authorize service via technological means of then&#45;recent vintage, rather than dismissing them out of hand as novel.&#8221; The unusual ruling apparently is one of the first of its kind in the United States. A 2009 article in the Federal Courts Law Review says courts in Australia and New Zealand have also OK&#8217;d service by Facebook, Reuters notes, and in 2009 the British High Court  allowed service to be made via Twitter  . This year, the High Court also authorized service by Facebook .   top              Massachusetts Supreme Judicial Court Expands Consumer Zip Code Privacy Protection   (Edwards Wildman, 12 March 2013) &#45; In a closely watched case with a somewhat unexpected result, the highest Massachusetts court decided in  Tyler v. 
Michaels Stores   that zip codes are &#8220;personal identifying information&#8221; that may not be collected and recorded as part of a credit card transaction. A consumer could establish a violation of the state&#8217;s unfair business practices statute based on retailers&#8217; collection and entry of zip codes at the point of sale, if some distinct injury or harm was met, said the Mass. Supreme Judicial Court (&quot;SJC&quot;). Plaintiff&#8217;s privacy claim, which was also brought as a class action, was permitted to move forward even though the collection of zip codes did not cause the plaintiff to become a victim of identity fraud. The Court found that the plaintiff could establish a claim merely by showing that she received unwanted marketing materials from the merchant as a result of disclosing her zip code, or that the merchant sold the zip code information for a profit to a third party. With the Court&#8217;s ruling, even zip code information that does not directly identify the consumer is nevertheless &#8220;personal identifying information&#8221; because, the court noted, it can be combined with other information enabling merchants to identify the consumer&#8217;s address and telephone number through publicly available databases.   top        RESOURCES     International Compendium of Data Privacy Laws   (Baker Hostetler, March 2013) &#45; Privacy and data protection issues confront all organizations&#45;whether you handle employee information, credit card data, sensitive financial information, or trade secrets. Securing data is a daunting task that is further complicated by cross&#45;border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting obligations to a multinational enterprise. Our practitioners are experienced at guiding our clients through this maze of global privacy norms. 
The BakerHostetler Privacy and Data Protection Team has developed a prompt and practical approach. We have a comprehensive international network of expert service providers who are responsive when our clients require support and guidance through a data security event. This compendium represents our global experience in this field. While it is not a substitute for legal advice, it is a reference guide that outlines the basic requirements in place when dealing with international data breach so that you can know what immediate steps to take, and what questions you need to ask to minimize your company&#8217;s exposure.   top       BOOKS    A Practical Guide to Software Licensing for Licensees and Licensors   (5th Edition, by Ward Classen, available thru the ABA Webstore) &#45; [Polley: I reviewed the 4th edition in MIRLN 15.07. This new edition still contains a CD with contract language (perfect for cut&#45;and&#45;paste) and new chapters on FOSS, Maintenance &amp;amp; Support, and ancillary clauses. With a discount for ABA Business Law Section members, it&#8217;s a worthwhile addition to your library.]   top       LOOKING BACK    Furtive Phone Photography Spurs Ban   (BBC, 4 April 2003)&#8212;As camera phones become more popular, national governments, local authorities and some businesses are starting to restrict the places they can be used. Italy&#8217;s data protection commissioner has issued stringent rules governing how the phones can be used and some other organisations, including strip clubs and gyms, have banned the phones from their premises. Picture phones are already banned in Saudi Arabia and their use is frowned upon in other Middle Eastern nations. Some people have already been prosecuted for misusing their mobile phone camera. In mid&#45;March the Italian information commissioner, which oversees the ways that companies and individuals use data they collect about other people, issued regulations setting out what people can do with camera phones. 
The rules only allow images of people to be snapped for personal use, demand that the images be kept safe and require users to tell people if the image they have taken of them will appear online. The Italian data watchdog is worried that people will abuse the ease with which snaps can be taken with phones such as the Nokia 3650, SonyEricsson T68, Panasonic GD87 and Sharp GX&#45;10. To head off such abuse Saudi Arabia&#8217;s Commission for Promoting Virtue and Preventing Vice has banned the phones. In the United Arab Emirates and Japan some men have already been prosecuted for using their camera phone to surreptitiously take voyeuristic pictures of women.   top     Use a Honeypot, Go to Prison?   (SecurityFocus, 16 April 2003)&#8212;Using a honeypot to detect and surveil computer intruders might put you on the working end of a federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, a Justice Department attorney warned Wednesday. &#8220;There are some legal issues here, and they are not necessarily trivial, and they&#8217;re not necessarily easy,&#8221; said Richard Salgado, senior counsel for the Department of Justice&#8217;s computer crime unit, speaking at the RSA Conference here Wednesday. An increasingly popular technique for detecting would&#45;be intruders, a honeypot is a type of hacker flypaper: a system that sits on an organization&#8217;s network for no other purpose than to be hacked, in theory diverting attackers away from genuinely valuable targets and putting them in a closely monitored environment where every keystroke can be analyzed. But that monitoring is what federal criminal law calls &#8220;interception of communications,&#8221; said Salgado, a felony that carries up to five years in prison. 
Fortunately for honeypot operators, there are exemptions to the Federal Wiretap Act that could be applied to some honeypot configurations, but they still leave many hacker traps in a legal danger zone. One exemption permits interception of a communication if one of the parties consents to the monitoring. To that end, Salgado suggested that honeypots display a banner message warning that use of the computer is monitored. &#8220;You can banner your honeypot&#8230; and you&#8217;ve got the argument that they saw the banner, continued using the system, and consented to monitoring,&#8221; he said. But most hackers don&#8217;t penetrate a system through the front door&#8212;telneting in or surfing to a web page&#8212;and if they never see the banner, they haven&#8217;t consented to monitoring. &#8220;It&#8217;s not the silver bullet.&#8221;   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2013-03-15T14:56:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 3&#45;23 February 2013 (v16.03)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_3_23_february_2013_v1603/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_3_23_february_2013_v1603/#When:02:18:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 3&#45;23 February 2013 (v16.03) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)    permalink     ANNOUNCEMENT  | NEWS  | RESOURCES  | LOOKING BACK  | FUN  | NOTES      International eDiscovery: The IT/Legal Disconnect       Your Employer May Share Your Salary, and Equifax Might Sell that Data       Big Firms and Contingency Fee Struggles: Parallel Networks v. Jenner &amp;amp; Block       FBI Again Warns Law Firms About the Threat From Hackers       Law Firms, &#8220;the Soft Underbelly of American Cyber Security&#8221;       Florida Bar Issues Ethics Opinion On Cloud Computing       Why Google&#8217;s Settlement with French Publishers is Bad for the Web       Menu of [fedRAMP] Safety&#45;Approved Cloud Products Grows to Three       E&#45;Discovery: 10 Strategic Steps for Defensible Search       &#8220;Privacy Policies in the United States&#8221; Presentation Slides       Yelp Defeats Legal Challenge to Its User Review Filter       Privatized Lawmaking       Coursera Classes for College Credit? Five Online Courses Approved for Credit Equivalency       Docracy Tracks Changes In Terms of Service and Privacy Policies So You Don&#8217;t Have To       We&#8217;re Getting There!       It Will Be Hard To Stop The Rise Of Revenge Porn       Demise of the Trial by Jury &#45; Is Social Media to Blame?       
Feds Update Cybersecurity Compliance Handbook       DHS Watchdog OKs &#8216;Suspicionless&#8217; Seizure of Electronic Devices Along Border       Speak Out and Get Sued       Addressing The Problem: Keep Your Email Address Up To Date       They Really Don&#8217;t Know Clouds At All       National Security Experts Discuss Options for &#8216;Active&#8217; Cyber Defense       Survey of GCs Sees Cybersecurity Risk, Anxiety       Serious Data Breaches Take Months to Spot, Analysis Finds       Live Stream of Special Event for Terry Fisher&#8217;s Copyright Course: IP Protection for Fashion       Is a Twitter Handle a &#8216;Must&#45;Have&#8217; for Today&#8217;s Lawyer? Not Yet       Miami Herald Ends Anonymous Comments       With Its Australian Court Victory, Google Moves Closer to Legitimizing Keyword Advertising Globally       Europe Issues Its Own Cybersecurity Plan       What (Legally) Happens to Our Social Media Accounts When We Die?       More US Lawyers Move into the Boardroom          ANNOUNCEMENT     ABA Cybersecurity Legal Task Force   . ABA President Laurel Bellows launched this task force last August, and it&#8217;s beginning to bear fruit. Three teams are addressing: (1) lawyers&#8217;/lawfirms&#8217; cybersecurity vulnerabilities and best&#45;practices; (2) Critical Infrastructure legal issues; and (3) International law vis a vis cyberaggression. With Jill Rhodes , I&#8217;m co&#45;chairing the team looking at lawyers/lawfirms &#45; we have twenty&#45;one other ABA leaders helping build a guidebook on: (a) cyber basics; (b) the impact on attorneys and lawfirms (small firms, medium sized firms, large lawfirms, in&#45;house environments, government attorneys, and public&#45;interest entities); (c) the client impact (e.g., ethical obligations, disclosure of breach, etc.); and (d) incident response and insurance issues. The guidebook will be published in August; look for collateral materials also to emerge (e.g., CLE programming). 
See related MIRLN story below here .    top        NEWS         International eDiscovery: The IT/Legal Disconnect    (IDG Connect, 31 Jan 2013) &#45; Multinational corporations and cloud storage across the globe mean that eDiscovery (or eDisclosure depending on your jurisdiction) is a problem that is not going anywhere anytime soon. Governance and eDiscovery experts will be needed to help corporations deal with ever&#45;increasing data volumes that are moving rapidly throughout global networks in the perfect storm of a compliance or eDiscovery nightmare. Of course, while we know there is a problem generally speaking, the larger challenge is to deconstruct the problem into a few discrete pieces. The following is in no way exhaustive of the challenges, but are a few of the ones I see as being the biggest culprits. In my mind, the greatest challenge associated with international eDiscovery and data governance issues stems from a very basic push&#45;pull between globalization and balkanization when it comes to data. Globalization is a factor from the standpoint that data is moving around the world, quite rapidly I would add, in furtherance of global commerce and information exchanges. Truly the world has never been smaller at any point in human history. But at the same time, there is virtually no consensus internationally when it comes to data privacy issues, regulations regarding retention and destruction of data, and the like. Further complicating matters is the lack of any real international standards of conduct for retrieval of data in one country for use in legal proceedings in another country. Although there is something approaching consensus for EU member nations, the rules are still far from standardized. The most obvious implication for corporations is the tremendous financial pressures this creates when the issue becomes the focus of a legal investigation or request. 
Companies can quite literally find themselves between a rock and a hard place when a request for production in the United States can force them to have to process data that resides in another country. When this happens, the obligations to comply with discovery requests can be in direct conflict with the other country&#8217;s rules concerning privacy. Of course, the issue is compounded because of the rapid proliferation of cloud storage. We can store data anywhere in the world for easy on demand access; however, with that convenience there is the appurtenant tradeoff that different countries, with different legal and regulatory regimes will require compliance with multiple obligations. That is a challenge that is fraught with peril. Of course, these are precisely some of the issues the Working Group 6 of the Sedona Conference tried to address in the International Principles Discovery, Disclosure &amp;amp; Data Protection (December 2011). Although it is focused &#8220;principally on the relationship between U.S. preservation and discovery obligations and the EU Data Protection Directive . . . [the principles are] intended to apply broadly wherever Data Protection Laws, regardless of national origin, conflict with U.S. preservation and discovery obligations.&#8221; This is a vital primer for any company or law firm that deals with such issues. * * * [Polley: Spotted by MIRLN reader Claude Baudoin of Cebe/IT &amp;amp; Knowledge Management .]       top       Your Employer May Share Your Salary, and Equifax Might Sell that Data    (NBC, 1 Feb 2013) &#45; The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans&#8217; personal information ever created, containing 190 million employment and salary records covering more than one&#45;third of U.S. adults. 
Some of the information in the little&#45;known database, created through an Equifax&#45;owned company called The Work Number, is sold to debt collectors, financial service companies and other entities. &#8220;It&#8217;s the biggest privacy breach in our time, and it&#8217;s legal and no one knows it&#8217;s going on,&#8221; said Robert Mather, who runs a small employment background company named Pre&#45;Employ.com. &#8220;It&#8217;s like a secret CIA.&#8221; Despite all the information Americans now share on social media and websites, and all the data we know companies collect on us, one piece of information is still sacred to most people: their salaries. After all, who would post their salary as a status update on Facebook or in a tweet? But salary information is also for sale by Equifax through The Work Number. Its database is so detailed that it contains week&#45;by&#45;week paystub information dating back years for many individuals, as well as other kinds of human resources&#45;related information, such as health care provider, whether someone has dental insurance and if they&#8217;ve ever filed an unemployment claim. In 2009, Equifax said the data covered 30 percent of the U.S. working population, and it now says The Work Number is adding 12 million records annually.       top       Big Firms and Contingency Fee Struggles: Parallel Networks v. Jenner &amp;amp; Block    (Patently&#45;O, 4 Feb 2013) &#45; Joff Wild at IAM has posted some interesting reading in the ongoing dispute between the patent assertion entity, Parallel Networks  and its former litigation counsel at Jenner &amp;amp; Block . According to the pleadings filed by Parallel Networks in Texas state court[link below], Jenner withdrew from its contingency&#45;fee representation of Parallel Networks against Oracle after losing on summary judgment and determining that it was unlikely to win a large award. Parallel Networks then found new counsel and eventually settled the case for about $20 million. 
Once that case ended, Jenner returned asking for more than $10 million in attorney fees based upon its hourly rates through summary judgment. Under the representation agreement, both parties had agreed to arbitrate any dispute over fees and an arbitrator awarded Jenner with a $3 million fee. Parallel Networks has now asked the court to set aside the arbitration award &#45; arguing that under Texas law, a contingent fee attorney cannot drop its client simply for economic reasons and then expect to receive any further compensation. The suit also alleges a host of other problems with Jenner &amp;amp; Block representation in both the Oracle litigation and the parallel case against QuinStreet. The bulk of those allegations stem from various internal communications at Jenner involving the risk and potential of the cases that were never communicated to Parallel Networks. The lawsuit will be interesting to follow because it offers a rare public glimpse inside big&#45;firm contingency fee structures and the associated political struggle raised by many risk&#45;averse firm leaders. Here, that attempted risk aversion may well cost the firm several million dollars in fees. I should note that Professor David Hricik testified on behalf of Parallel Networks in the Arbitration. Hricik is on leave from his Patently&#45;O writing as he clerks at the Federal Circuit. I have not spoken with him about this case.       top       FBI Again Warns Law Firms About the Threat From Hackers    (Ride The Lightning, 4 Feb 2013) &#45; The FBI began warning law firms that they were being targeted by hackers back in 2009. That warning was repeated at LegalTech last week by the FBI&#8217;s Mary Galligan, the special agent in charge of cyber and special operations for the FBI&#8217;s New York Office. 
As Law Technology News  reported , Galligan was blunt, saying, &#8220;We have hundreds of law firms that we see increasingly being targeted by hackers.&#8221; The word &#8220;hundreds&#8221; should give law firms pause. Too many seem complacent even when faced with the unpleasant truth that their information security is sorely short of the mark. It might allay the fears of law firms to learn that the FBI does not tell people they&#8217;ve come to your firm and they don&#8217;t come in raid jackets. There&#8217;s no SWAT team and they don&#8217;t unplug your servers. As Galligan noted, &#8220;You need to run your business.&#8221;    top    &#45; and &#45;                Law Firms, &#8220;the Soft Underbelly of American Cyber Security&#8221;     (Lawyerist.com, 6 Feb 2013) &#45; At Above the Law,    Joe Patrice calls law firms &#8220;the soft underbelly of American cyber security.&#8221;   And he is right. If you consider the sensitive nature of the information on most lawyers&#8217; computers, plus the proud Luddites  making technology decisions at most law firms, this should come as no surprise. I know plenty of lawyers who can barely set up their email, much less encrypt their hard drives . More than a few law firms continue to fall for lame 419 scams . I wouldn&#8217;t be surprised to find a few partners using their CD tray for a cup holder. Compromising the systems of lawyers like this is child&#8217;s play for hackers who can remotely compromise a mobile phone with a single misplaced click. Lawyers need to get their acts together, and soon. Think of the information you have about your clients, stored on your computers. For starters, you almost certainly have everything necessary to steal all your clients&#8217; identities and empty their financial accounts. If you represent businesses, you may have trade secrets. You definitely have volumes of confidential information that would make excellent extortion ammunition.       
top       Florida Bar Issues Ethics Opinion On Cloud Computing    (Future Lawyer, 4 Feb 2013) &#45;    Florida Bar Ethics Opinion 12&#45;3   The Florida Bar has released a proposed Advisory Opinion on cloud computing. In summary, the opinion says that Florida lawyers may use cloud computing if they take &#8220;reasonable&#8221; precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution. The reasonableness standard is pretty vague, and it almost sounds like the lawyer is a guarantor of the security of the data. Whether lawyers will be comfortable enough with the language of the opinion to use cloud services for confidential data remains to be seen.       top       Why Google&#8217;s Settlement with French Publishers is Bad for the Web    (GigaOM, 4 Feb 2013) &#45; After much diplomatic maneuvering and a series of face&#45;saving gestures on both sides, Google finally    signed an agreement with French newspaper publishers   late Friday that puts to rest a long&#45;standing legal battle over Google&#8217;s behavior in excerpting stories on Google News, which the French    have argued is copyright infringement   . But while the search giant may be relieved to put the whole kerfuffle behind it, there&#8217;s an argument to be made that it has actually done more harm than good &#45; not only to its own interests, but to the interests of the open web as well. Veteran tech blogger Lauren Weinstein describes this risk well in a recent blog post, in which he calls what the government of France is doing &#8220;extortion,&#8221;  and warns of the long&#45;term risk of Google acceding to such demands that it pay for the simple act of linking and excerpting content.       
top       Menu of [fedRAMP] Safety&#45;Approved Cloud Products Grows to Three    (NextGov, 4 Feb 2013) &#45; Federal agencies soon will have more options when shopping for certified cloud facilities that don&#8217;t need security tests. Following the first&#45;ever low&#45;risk guarantee, which was granted to Autonomic Resources in late December 2012, the Web services supplier on Friday said private networks soon will be available for instant installation. And on Thursday, the government endorsed the safety of a second company&#8217;s services &#45; cloud rentals from CGI Federal. The offerings received seals of approval from the Federal Risk and Authorization Management Program after independent, government&#45;approved auditors checked that the companies&#8217; data centers, staff and other support services met federal security standards. The CGI nod marks the second accreditation out of a pool of roughly 80 FedRAMP applicants. After a product passes a one&#45;time inspection, any agency can subscribe to the vendor&#8217;s services without expending time and money on an agency&#45;specific assessment. Officials with Autonomic Resources, a North Carolina&#45;based small business, said their first sanctioned service &#8220;has gained wide interest and acceptance&#8221; since the General Services Administration, which manages FedRAMP, signed off .       top       E&#45;Discovery: 10 Strategic Steps for Defensible Search    (BullsEye blog, 5 Feb 2013) &#45; E&#45;Discovery in litigation today presents a number of challenges in creating a defensible, efficient, and iterative search protocol. A defensible keyword search protocol should contain, at a minimum, the following ten strategic steps * * *       top      &#8220;Privacy Policies in the United States&#8221; Presentation Slides   (Eric Goldman, 6 Feb 2013) &#45; I recently guest lectured on drafting privacy policies in the United States. My presentation slides . 
One of my big&#45;picture takeaway points is that privacy laws and associated industry self&#45;regulation have gotten so extensive that drafting privacy policies is strictly for privacy experts. Unlike the good ol&#8217; days, the average competent lawyer&#45;&#45;and even the sophisticated cyberlawyer who dabbles with privacy issues&#45;&#45;may be unintentionally treading towards the malpractice line given the number and complexity of the applicable laws and technology. As a result, in all likelihood, I&#8217;ve already drafted the last privacy policy of my career.       top         Yelp Defeats Legal Challenge to Its User Review Filter     (Forbes, 6 Feb 2013) &#45; Yelp uses an automated review filter  to suppress some user reviews of businesses. The review filter&#8217;s criteria aren&#8217;t publicly disclosed, and some businesses feel that legitimate positive reviews from happy customers are unfairly hidden. One business owner, an operator of three restaurants in Mammoth Lakes, California and a Yelp advertiser, got so frustrated with the review filter that he challenged Yelp&#8217;s review filter in court. Recently, the court ruled decisively in favor of Yelp, confirming that Yelp isn&#8217;t legally liable for filtering users&#8217; reviews as it sees fit. The restaurant owner didn&#8217;t attack the review filter directly. Instead, he complained about Yelp&#8217;s marketing descriptions of its review filter, claiming that Yelp falsely advertises its trustworthiness when it uses characterizations such as &#8220;remarkable filtering process&#8221; and &#8220;most trustworthy.&#8221; Yelp responded that the lawsuit was a &#8220;SLAPP&quot;&#45;a lawsuit designed to suppress socially beneficial speech&#45;and therefore should be dismissed per California&#8217;s anti&#45;SLAPP law. (See    this post   for more discussion about anti&#45;SLAPP laws). 
The court agreed with Yelp, finding that &#8220;statements regarding the filtering of reviews on a social media site such as yelp.com are matters of public interest.&#8221; The court also concluded that Yelp&#8217;s laudatory statements about its review filter were &#8220; puffery ,&#8221; not factual representations. Cf. Seaton v. TripAdvisor . As a result, if the anti&#45;SLAPP dismissal survives a likely appeal, the restaurant owner will have to pay Yelp&#8217;s legal defense costs. Case is Demetriades v. Yelp , Case No.: BC484055 (Cal. Superior Ct. Jan. 25, 2013).       top      Privatized Lawmaking   (Volokh Conspiracy, 6 Feb 2013) &#45; You might want to check out a new article by Dru Stevenson at South Texas Law  called Costs of Codification . Dru writes the Privatization Blog  &#45; don&#8217;t confuse it with the Reason Foundation&#8217;s Privatization Blog ; I think either Dru or Reason should choose a catchier blog name. Here&#8217;s the abstract to Dru&#8217;s article, from SSRN:&amp;nbsp;   &#8220;Between the Civil War and World War II, every state and the federal government shifted toward codified versions of their statutes. Academia has so far  ignored the systemic effects of this dramatic change. For example, the consensus view in the academic literature about rules and standards has been  that precise rules present higher enactment costs for legislatures than would general standards, while vague standards present higher information costs  for courts and citizens than do rules. Systematic codification &#45; featuring hierarchical format and numbering, topical arrangement, and cross&#45;references  &#45; inverts this relationship, lowering transaction costs for legislatures and increasing information costs for courts and citizens, as statutes  proliferate. This Article takes a first look at this problem. On the legislative side, codification makes it easier for special interest groups to  obtain their desired legislation. 
It facilitates Coasean bargaining between legislators, and encourages legislative borrowing, which diminishes the  &#8220;laboratories of democracy&#8221; phenomenon. For the courts, codification changes how judges interpret statutes, prompting them to focus more on the meaning  of individual words than on the overall policy goals of enactment, and to rely more on external sources, such as legislative history. For both  legislators and courts, codification functions as a Hartian rule of recognition, signaling legality for enacted rules. For the citizenry, the reduced  legislative costs mean increased legislative output, yielding rapid proliferation of statutes and unmanageable legal information costs. More  disturbingly, codification also fosters overcriminalization. While it may not be appropriate to revert to the pre&#45;codified regime now, reexamining the  unintended effects of codification can inform present and future choices for our legal system.&#8221;         top         Coursera Classes for College Credit? Five Online Courses Approved for Credit Equivalency     (GigaOM, 6 Feb 2013) &#45; Massive open online classes are moving ever closer to legitimacy. Last month, Udacity  announced a partnership with San Jose State University  to pilot three online classes for college credit. And on Wednesday, Coursera  is set to announce that five of its courses have won approval from the American Council on Education (ACE) for credit equivalency. That doesn&#8217;t mean students of those courses will be guaranteed credit by traditional universities &#45; institutions have the option to accept or decline the credit &#45; but it indicates that the courses meet ACE&#8217;s standards. And, importantly, it creates the opportunity for Coursera students to not just use online classes to burnish a resume, but to potentially earn a degree.       
top      Docracy Tracks Changes In Terms of Service and Privacy Policies So You Don&#8217;t Have To   (Lifehacker, 7 Feb 2013) &#45; Few people bother to read an entire privacy policy or terms of service for every service they use. Even fewer bother with the changes services make to those terms over time. Docracy Terms of Service Tracker is a webapp that tracks when words change so you can keep up to date without reading the whole thing. Docracy uses a document change analysis to track when terms of service and privacy policies are updated, so anytime a site changes their terms, Docracy knows. In most cases, it&#8217;s just a couple edits to change the language, but sometimes they&#8217;re a lot more comprehensive. Terms of Service change all the time, and while companies usually notify you of the changes, you probably don&#8217;t actually bother reading through them. This is an easy way to track what has changed so you can see if it matters to you. Of course, you&#8217;ll need to have at least skimmed the Terms of Service to begin with. [Polley: Spotted by MIRLN reader Mike McGuire of Littler.]       top      We&#8217;re Getting There!   (InsideHigherEd, 7 Feb 2013) &#45; Did anyone outside of New York City happen to catch this story about Baruch College? In the scope of international Internet policy it is a proverbial drop in the bucket. But for higher education information technology policy it is an important story. And a good step that administrators there made in how they handled a challenge that in the past has stymied administrators and angered students. Here is the story in a nutshell. Some students come up with a software program for course registration. They do not run it by anyone in IT or Student Services, but they also do not intend for it to be destructive or shy away from identification with it. Some of the student founders authenticated openly to it. 
Nonetheless, the program places a considerable load burden on servers, and possibly on bandwidth, as it pings over a million times to maintain current status of courses and selections. IT professionals register the spike, investigate and administrators contact the students. But instead of reading them the riot act (in the form of Responsible Use Policy), it would appear as if they educate &#8230; each other! The students to whom we will give the benefit of the doubt may not have appreciated the adverse impact that the program would have on the servers and network. The administrators to whom we will give credit did not throw the book at them. Together they learned more about students&#8217; needs, the complexity of technological operation of a network and IT policy. [Polley: EXACTLY! Policy promulgation in a vacuum is bad &#45; instead, entities need to engage in dialogue with users to educate each other (users, of risk; regulators, of new practices; both, of opportunities for collaboration).]       top      It Will Be Hard To Stop The Rise Of Revenge Porn   (Business Insider, 8 Feb 2013) &#45; There is a seedy underbelly of the internet where people post nude or otherwise compromising photos of their ex&#45;girlfriends or boyfriends for anyone to see, sometimes to get back at a lover who jilted them. These so&#45;called &#8220;revenge porn&#8221; sites bring up a number of questions. Why aren&#8217;t they illegal? How big is the &#8220;revenge porn&#8221; business? And what does the existence of these sites say about our culture in general? One of the more notorious of these sites in operation today is PinkMeth. The premise is pretty much identical to that of IsAnyoneUp&#8212;users submit nude photographs of people to the site and they&#8217;re posted for anyone to see. 
But PinkMeth seems to take this concept a step further, disclosing loads of personal data on the subjects in the photographs&#8212;their names, their birth dates, their email addresses, and even links to their social networking profiles like Twitter and Facebook. Can PinkMeth do this and still operate within the bounds of the law? However intuitively wrong revenge porn might seem, sites operate in a legal gray area due to Section 230 of the Communications Decency Act, which states websites can&#8217;t be held responsible for content submitted by a third party. We reached out to founder Robert Leshner and policy director Samantha Leland at privacy company Safe Shepherd  to learn more. &#8220;Most of these sites rely exclusively on third party submissions,&#8221; they told us, &#8220;and most of those submissions are at least nominally anonymous. The sites make money by posting these images, and thus have no incentive to create policies that make it easy for victims to remove the submitted photos ... Congress could try to narrowly define an exception that would protect victims of things like revenge porn and non&#45;consensual pornography, but they&#8217;ll likely get pushback from companies and organizations that want to keep content restrictions on the internet as minimal as possible. Striking that balance is important.&#8221; But on the other hand, some see it as unambiguously illegal. We spoke to Jason van Dyke, a Texas attorney who has handled several revenge porn cases, and he says there&#8217;s no doubt that &#8220;it&#8217;s completely illegal&#8221; when published without accompanying documentation verifying the ages of the people in the photos.       top       Demise of the Trial by Jury &#45; Is Social Media to Blame?    (BullsEye blog, 8 Feb 2013) &#45; Social media and the increasingly mobile nature of electronic technology may be upsetting the delicate balance found in the U.S. jury system. 
As in nature, introduction of an invasive species can threaten an ecosystem, forcing it to adapt or risk extinction. As an alien species, social media is no exception. Its growing presence in the legal system is reshaping modern litigation. To what extent is social media threatening the U.S. jury process? This topic has been the subject of intense scrutiny in recent months. Last June the ABA released Proposed Model Jury Instructions  to address the growing concern over jurors&#8217; use of electronic technology to communicate about or research a case during trial. A prefatory note recommends that the instructions be provided to jurors at the end of each day prior to jurors returning home, (in addition to the beginning and close of a case), perhaps underscoring increasing tension over what transpires once jurors walk out of the courtroom. The legal community may have to come to grips with the fact that completely eliminating and regulating jurors&#8217; use of social media may not be entirely possible. The reason is simple &#45; sharing everything via social media and electronic technology, which is increasingly mobile and sophisticated, has become a way of life for many. * * * Two recent articles, one appearing in JD Supra Law News  and another academic piece published in the University of Illinois Law Review , have questioned the practical difficulties in preventing social media in the courtroom, pointing out how a juror&#8217;s use of social media during trial can detrimentally affect the constitutional right to a jury trial.       top         Feds Update Cybersecurity Compliance Handbook     (InformationWeek, 8 Feb 2013) &#45; The federal government has nearly finalized its first major overhaul to the primary handbook to federal cybersecurity standards in nearly four years, and its most significant update since the initial release of that handbook in 2005. 
The National Institute of Standards and Technology (NIST) on Wednesday released the 455&#45;page final public draft of NIST Special Publication 800&#45;53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and announced that it was seeking comments on the document. Special Publication 800&#45;53 is the definitive catalog of security controls necessary to meet the federal government&#8217;s internal cybersecurity requirements such as the Federal Information Security Management Act (FISMA), and has begun to be adopted even by state and local governments and some private companies. Special Publication 800&#45;53 is the product of a collaboration among NIST, the Department of Defense and the U.S. Intelligence Community, as well as the input of thousands of comments received from the general public after release of the first public draft of Revision 4 in February 2012.       top         DHS Watchdog OKs &#8216;Suspicionless&#8217; Seizure of Electronic Devices Along Border     (Wired, 8 Feb 2013) &#45; The Department of Homeland Security&#8217;s civil rights watchdog has concluded that travelers along the nation&#8217;s borders may have their electronics seized and the contents of those devices examined for any reason whatsoever &#45; all in the name of national security. The DHS, which secures the nation&#8217;s border, in 2009 announced that it would conduct a &#8220;Civil Liberties Impact Assessment&#8221; of its suspicionless search&#45;and&#45;seizure policy pertaining to electronic devices &#8220;within 120 days.&#8221; More than three years later, the DHS office of Civil Rights and Civil Liberties published a two&#45;page executive summary of its findings. 
&#8220;We also conclude that imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits,&#8221; the executive summary said . The DHS watchdog&#8217;s conclusion isn&#8217;t surprising, as the DHS is taking that position in litigation in which the ACLU is challenging the suspicionless, electronic&#45;device searches and seizures along the nation&#8217;s borders. But that conclusion nevertheless is alarming considering it came from the DHS civil rights watchdog, which maintains its mission is &#8220;promoting respect for civil rights and civil liberties.&#8221; * * * The ACLU on Friday filed a Freedom of Information Act request    demanding to see the full report   that the executive summary discusses. Meantime, a lawsuit the ACLU brought on the issue concerns a New York man whose laptop was seized along the Canadian border in 2010 and returned 11 days later after his attorney complained.       top      Speak Out and Get Sued   (InsideHigherEd, 10 Feb 2013) &#45; In 2010 Dale Askey, a librarian at McMaster University in Canada, posted an essay on his personal blog referring to Edwin Mellen Press as a &#8220;vanity press.&#8221; In due time Mr. Askey and McMaster University were    sued by Edwin Mellen Press and the press founder,   Herbert Richardson, for more than $3 million. The suits allege libel. The &#8220;offending&#8221; blog was removed from the web. Not too long ago, International Higher Education, a publication I edit, was threatened with a lawsuit by the owner of an institution that, by every measure is a degree mill, when said institution was referenced in an International Higher Education article critical of degree mills. 
On advice of the university&#8217;s lawyers who were fearful of being entangled in a legal case (however questionable) in a British court where the suit was threatened, we removed the article from our website. The matter was soon forgotten. Perhaps a few anecdotes do not seem worth much attention but there are aspects of these examples that should be cause for concern. We are teetering on a very fine line between the right of scholars to express informed opinion and the right of enterprises to be protected from libel. Yet the increasing threats of lawsuits inhibit expression as scholars weigh risks before voicing opinions. There are serious consequences for academic freedom. There are some (emphasis on some) for&#45;profit enterprises that are involved in questionable academic endeavors. In the case of degree mills, this qualifies as fraud. In other cases, services are of substandard quality. In both cases these enterprises are &#8220;selling&#8221; a product or service in an academic marketplace where they will be judged by a range of constituents who have a vested interest in protecting the integrity of the academic enterprise. Yet the entrepreneurs who have found profit in higher education are often very touchy about any criticism at all. Sadly, they have found that threatening legal action can silence their critics who have neither the deep pockets for legal counsel to defend themselves nor the inclination to become immersed in a lengthy legal proceeding. As the threat of lawsuits becomes more frequent, individuals and organizations may be more inclined to self&#45;censor. This will detract from important public debate that is fundamental in a free society. In the Askey case, his comments about the Edwin Mellen Press reflected his extensive experience reviewing academic journals. The observation was not capricious. Online petitions are circulating to defend his right to express this opinion. 
The matter has raised the question of whether the Edwin Mellen suit violates Askey&#8217;s academic freedom.       top       Addressing The Problem: Keep Your Email Address Up To Date    (Simple Justice blog, 10 Feb 2013) &#45; Amid the hoopla surrounding every new shiny must&#45;have toy in the lawyer&#8217;s arsenal lurks a time bomb waiting to go off. Your email address. Most of us have a few of them, born of necessity from sources like Google, which demand the creation of an in&#45;house email if you want to enjoy its functions. Then there are the new websites everyone has purchased because somebody, whether marketeer or youth, informed you that it&#8217;s no longer cool to have an AOL email address and marks you as a social media dinosaur. So people switch emails with abandon, keeping up with the skirt height or tie width of the internet. It&#8217;s all good fun, right? Not according to Judge Lewis Kaplan&#8217;s opinion on appeal in the Worldcom bankruptcy case:   &#8220;The rulings were entered on the electronic docket, and notice was automatically emailed to CNI&#8217;s sole counsel of record, W. Mark Mullineaux, at the  email address which he previously had registered with the clerk&#8217;s office for the purpose of receiving such notifications. But that was an old email  address. Mullineaux&#8217;s new email address was listed in his motion to appear pro hac vice in the case, but he hadn&#8217;t updated his profile in the  electronic case files (ECF) system. As a result, Mullineaux didn&#8217;t receive the court&#8217;s notification and failed to file a timely notice of appeal.&#8221;   The district court wasn&#8217;t overly concerned, and granted an extension of time to appeal, based upon the failure to get timely notice and lack of prejudice. The 2d Circuit, however, wasn&#8217;t nearly as sympathetic. District Judge Lewis Kaplan, sitting by designation, wrote,    &#8220;There is nothing in the history of the rules ... 
to suggest that the drafters sought to provide relief when the fault lies with the litigants  themselves&#8221; and that &#8220;CNI&#8217;s failure to receive     Civil Rule 77(d)     notice was entirely and indefensibly a problem of its counsel&#8217;s making, and    Rule 4(a)(6)     was not designed to reward such negligence.&#8221;  Judge Kaplan makes plain that keeping transmittal information up to date is the lawyer&#8217;s responsibility, and the client will pay a heavy price for our failure. The ABA says lawyers are ethically required to stay abreast of technology, and even I agree .       top      They Really Don&#8217;t Know Clouds At All   (Volokh Conspiracy, Stewart Baker, 11 Feb 2013) &#45; Every new computing technology seems to bring with it a privacy flap. Cloud computing is going through that phase right now, at least outside the United States. Canadian and European elites fear that putting data in the cloud will somehow let the US government paw through it at will, a fear that usually centers on Section 215 of the USA PATRIOT Act. The debate has been fed by interest groups worried about their future in a world of cloud computing. It was first raised as part of a campaign by the British Columbia Government Employees Union against the outsourcing of British Columbia&#8217;s health insurance data processing. (Full disclosure: I worked on the issue for clients both at the time and more recently.) After years of remission, the issue has recently returned even more virulently, when Europe&#8217;s small cloud providers began using the Patriot Act as a marketing tool. In November of 2011, two European companies announced the creation of a European cloud offering that they advertised as providing a &#8220;safe haven from the reaches of the U.S. Patriot Act&#8221; in a press release that goes on to say, &#8220;Under the Patriot Act, data from EU users of U.S.&#45;owned cloud&#45;based services can currently be shared with U.S. 
law enforcement agencies without the need to tell the user.&#8221; This is pretty clearly a reference to section 215 of the Patriot Act, which once allowed the FBI to &#8220;gag&#8221; recipients of 215 orders. (That authority was substantially cut back by Congress in 2005; now recipients may challenge gag orders in court annually until they are revoked. See 50 USC 1861(f)(2)(A).) As a competitive strategy, this line of attack has some problems. It assumes that, while US&#45;owned companies can be compelled to produce data from around the world, European companies can safely refuse to comply. The argument that the US can compel global compliance is grounded in a line of cases ordering banks to produce records from foreign branches. Unfortunately for the European companies making this pitch, the line of cases is named after the unsuccessful party &#45; the Bank of, uh, Nova Scotia &#45; which is rather plainly not a US company and thus hardly the best case to cite if you&#8217;re arguing that people can defeat American discovery orders by giving their records to companies headquartered outside the US. Nonetheless, the argument is still shaking up customers and officials in Europe, who are understandably not comforted by the response that even European cloud companies can be compelled to produce records. I think for several reasons that this risk has been severely hyped &#45; there are only    a couple of hundred section 215 orders a year,   compared to tens of thousands of criminal subpoenas, and the Justice Department discourages foreign fishing expeditions. But those reasons have been discussed by others. 
Instead of digging into them, I&#8217;d like to explore a point that hasn&#8217;t been discussed as widely: the utter uselessness of serving a section 215 order on a cloud computing company * * *       top       National Security Experts Discuss Options for &#8216;Active&#8217; Cyber Defense    (ABA, 11 Feb 2013) &#45; If a cybercriminal hacks into your network and steals your files, what legal right do you have to track down the thief and perhaps hack into his network and recover or destroy the files? National security experts discussed the legality of varying degrees of such &#8220;active&#8221; cyber defense, as opposed to passive efforts to lock down information through conventional cybersecurity measures, during an ABA Midyear Meeting panel discussion Feb. 10 sponsored by the ABA Standing Committee on Law and National Security. The risk of cyber theft is faced not only by companies with valuable intellectual property and strategy documents, but also by the law firms that service such clients. Panelists agreed that while private&#45;sector cybersecurity is as strong as ever, systems that are designed merely to keep out thieves are bound to be breached by those determined to steal information. &#8220;We have tried to defend our way out of this problem. It has failed,&#8221; said Stewart Baker, a partner with Steptoe &amp; Johnson in Washington, D.C., and former general counsel of the National Security Agency. This realization is why some companies are exploring the legality of more active security measures, whose legality is in question and may call for coordination between government and the private sector. As articulated by Stephen Chabinsky, chief risk officer at security firm CrowdStrike, the private sector has the technology and reach, but not the legal authority, to take an active role on cyber defense, whereas the government has the authority but not the technology or reach. 
Panelists agreed that such problems point to the value of the ABA Cybersecurity Legal Task Force , created by ABA President Laurel Bellows. The panelists noted that cybercrime raises a host of legal issues that the organized bar must help figure out and address. [Polley: video excerpts from the program here .]       top         Survey of GCs Sees Cybersecurity Risk, Anxiety     (Corporate Counsel, 13 Feb 2013) &#45; Despite the growing threat of computer security breaches, some 30 percent of general counsel in a recent survey said their companies were not prepared to deal with such a crisis. And experts say more GCs need to overcome their technophobia and help their firms face the increasing risk. &#8220;Among the most fearsome threats facing corporations in 2012 was an increasing proliferation of cybersecurity breaches of various orders of complexity and impact,&#8221; according to the &#8220;2012 General Counsel Survey,&#8221; by global consultants Consero Group. The survey, produced in partnership with Applied Discovery Inc., is based on responses from 48 general counsel in December 2012. Some 28 percent of the GCs surveyed indicated that their companies had experienced a cybersecurity breach over the last 12 months. And that figure may be low. &#8220;It&#8217;s safe to assume that a breach is a source of great anxiety and embarrassment for large companies. So there is a natural disinclination to report it,&#8221; explained attorney Paul Mandell, founder and chief executive of Consero. The group is located in Bethesda, Maryland. &#8220;But cybersecurity was clearly a very hot topic and a source of concern for the general counsel,&#8221; Mandell added. The theft of company data by employees is also a growing concern, Mandell said, and &#8220;there was quite a bit of discussion [among general counsel] about employees bringing their own devices [BYOD] to work. 
It&#8217;s a huge issue.&#8221; So far there is very little understanding of what the best practices are in the BYOD area, he said. Mandell explained that much of the anxiety about cybersecurity stems from &#8220;lawyers not generally being tech savvy by nature,&#8221; and the fact that no one has found a perfect solution for protecting data. The report explained that a company&#8217;s GC also must be aware of international regulatory requirements regarding digital security, while ensuring compliance and addressing breaches when they result in litigation or government action. The trend Mandell sees is for general counsel to increasingly explore the addition of tech&#45;savvy attorneys, like those who handle intellectual property.    top    &#45; and &#45;                Serious Data Breaches Take Months to Spot, Analysis Finds     (Network World, 13 Feb 2013) &#45; More than six out of ten organisations hit by data breaches take longer than three months to notice what has happened with a few not uncovering attacks for years, a comprehensive analysis of global incidents by security firm Trustwave has found. During 2012, this meant that the average time to discover a data breach for the 450 attacks looked at was 210 days, 35 more than for 2011, the company reported in its 2013 Global Security Report (publicly released on 20 February). Incredibly, 14 percent of attacks aren&#8217;t detected for up to two years, with one in twenty taking even longer than that. Almost half &#45; 45 percent &#45; of breaches happened in retailers with cardholder data the main target. The food and beverage sector accounted for another 24 percent, hospitality 9 percent, and financial services 7 percent. Trustwave also puts its finger on a seeming paradox; investigators seem able to spot breaches that admins didn&#8217;t. Why? The part&#45;answer seems to be that too many organisations rely on automated protection such as antivirus or a firewall that don&#8217;t fail gracefully. 
If attackers beat that security layer there is no other system to notice that something unusual has happened. Seventy percent of all client&#45;side attacks were connected to the Blackhole Exploit Kit, the leviathan of the cybercrime world. Six in ten attacks targeted software flaws in Adobe&#8217;s PDF Reader. Seeing what&#8217;s leaving the networks isn&#8217;t necessarily going to be easy as a quarter of data is exfiltrated (i.e. stolen) using an encrypted channel designed to hide activity.</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2013-02-22T02:18:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 13 January – 2 February 2013 (v16.02)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_13_january_2_february_2013_v1602/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_13_january_2_february_2013_v1602/#When:18:36:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 13 January &#45; 2 February 2013 (v16.02) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | RESOURCES  | LOOKING BACK  | NOTES    The SEC Will Require Greater Disclosure Related to Data Security Risks and Breaches    Cyber&#45;Insurance: Not One&#45;Size&#45;Fits&#45;All    Concerns Over Cyber Risks Grow, Says Zurich    Spy Agency ASIO Wants Powers to Hack into Personal Computers    Singapore Beefs Up Cybersecurity Law to Allow Preemptive Measures    Chicago Mayor Appoints First Ever Diversity Tech Council    Measuring the Success of Online Education    &#8220;Social Media and Trademarks&#8221; Presentation at AALS    Should a Judge Recuse Due to Facebook Friendship with Prosecutor? Florida Supremes Asked to Decide    3rd Circuit: Covenant not to Sue is a License and therefore Not Dischargeable in Bankruptcy    EFF Urges Court to Protect Transformative Uses and Permit News Search Engine    Red October Espionage Platform Unplugged Hours After Its Discovery    Law of Armed Conflict Applied to Autonomous Weapon Systems    Even if It Enrages Your Boss, Social Net Speech Is Protected    Social Media Coverage of Conferences a Windfall for Legal Associations    The HIPAA&#45;HITECH Regulation, the Cloud, and Beyond    Lawyer Advertising and Marketing Ethics Today    FFIEC Proposes Social Media Guidance    Yahoo, Like Google, Demands Warrants for User E&#45;Mail    Will Virginia Law Blogger&#8217;s Challenge to Discipline Deprive Other Blogs of First Amendment Protection?    Who Owns, Controls Social Media Activity?    Audit Concerns Over Cybersecurity Threats    So, What is the Deal with Copyright and 3D Printing?    Publication Agreements    How Secure Are Your Skype Calls?    Standards for Technology&#45;Enabled Learning    Whose Law Governs Communication Intercepts?    CRS Report on Domestic Drones    It&#8217;s Google, But is it Art? 
Museums Wonder Whether they Should Open their Galleries to Digitizing            The SEC Will Require Greater Disclosure Related to Data Security Risks and Breaches   (Mintz Levin, 3 Jan 2013) &#45; The amount of personal and confidential information maintained electronically by public companies increases every day. As a consequence of this increase, the likelihood that a given public company will suffer a data breach and that such breach will have a material adverse effect on the company&#8217;s business also increases. In response to this ever&#45;increasing risk, the Securities and Exchange Commission (the &#8220;SEC&#8221;) is requiring greater disclosure related to data security and this trend will likely increase in 2013. The SEC issued guidance relating to public company disclosure of data security in the end of 2011. Soon after the SEC issued this guidance, Facebook, Inc. (NASDAQ: FB) filed its Form S&#45;1 Registration Statement and became one of the pioneers in data security and privacy disclosure. Since then, public and soon&#45;to&#45;be public companies have followed suit and more companies are including disclosure related to data security risks and breaches. The disclosure does not only affect companies dependent on technology as a core part of its business. Two recent examples of this increased disclosure can be found in the  risk factors of a prospectus filed by Michaels Stores, Inc.  and that filed by . Specifically, Michaels Stores, Inc., a craft specialty retailer, included the following risk factor: &#8220;Failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition and operating results.&#8221; This type of risk factor is becoming more and more common among public company filings, both in registration statements and annual and quarterly filings. 
Interestingly, Michaels was the victim of a large&#45;scale hack attack on its POS system  in 2011 and given that, and the resulting class action suits, we might have expected to see expanded disclosure. SeaWorld, the owner/operator of SeaWorld, Busch Gardens, Sesame Place , and other theme parks, filed its registration statement just after Christmas and includes the following risk factor * * *   top       Cyber&#45;Insurance: Not One&#45;Size&#45;Fits&#45;All   (InfoRisk, 10 Jan 2013) &#45; Despite headline&#45;grabbing data breaches  that have proven costly to organizations in many sectors, the purchase of cyber&#45;insurance to cover potential costs remains relatively rare. Cyber&#45;insurance policies vary widely, but they often cover notification expenses, credit&#45;monitoring services, and, in many cases, legal defense costs and even government penalties. &#8220;Cyber&#45;insurance is viewed as much more of a discretionary purchase, and risk managers really have to be educated on the need to purchase the coverage and what the coverage actually provides,&#8221; says David Bradford , who published a 2012 survey that addresses cyber&#45;insurance for RIMS, the risk information management society (see  Coming of Age of Cyber Insurance  ). A 2012 survey of more than 100 global Forbes 2000 corporations by Carnegie Mellon CyLab shows that many board members and executives incorrectly believe that other types of corporate liability insurance cover losses due to data breaches, says lab official Jody Westby. &#8220;That&#8217;s pretty stunning because most corporations, especially large global corporations, should understand that cyber&#45;risks generally are not within property and general corporate liability policies,&#8221; Westby says. Bradford estimates that 40 insurers offer cyberliability coverage. By comparison, about 5,000 companies provide property and casualty insurance in the United States. 
Because the cyber&#45;insurance industry continues to mature, its offerings aren&#8217;t as consistent from provider to provider as they are with other types of insurance. &#8220;There are so many material differences between the coverages available that there is no real one&#45;size&#45;fits&#45;all approach,&#8221; says Richard Bortnick, an attorney at the law firm Cozen O&#8217;Connor.   top        &#45; and &#45;       Concerns Over Cyber Risks Grow, Says Zurich   (Insurance Age, 24 Jan 2013) &#45; More than three in four (76%) organisations say they have become more concerned about information security and privacy over the past three years &#45; but only 19% have purchased insurance designed to cover these exposures, according to new research commissioned by Zurich. The provider noted that only 16% of companies surveyed had designated a chief information security officer to oversee cyber risk and fewer than half (44%) had increased their budget to tackle the problem. The findings came in &#8216;Meeting the Cyber Risk Challenge&#8217;, a survey by Harvard Business Review Analytic Services of 152 respondents across Europe involved in risk management. [Polley: see also this WSJ posting &#45;  WSJ BLOG: Cybercrime Insurance Takes Off As Providers Target Smaller Businesses  ]   top       Spy Agency ASIO Wants Powers to Hack into Personal Computers   (NewsAU, 13 Jan 2013) &#45; The [Australian] Attorney&#45;General&#8217;s Department is pushing for new powers for the Australian Security Intelligence Organisation to hijack the computers of suspected terrorists. But privacy groups are attacking the &#8220;police state&#8221; plan as &#8220;extraordinarily broad and intrusive&#8221;. A spokesman for the Attorney&#45;General&#8217;s Department said it was proposing that ASIO be authorised to &#8220;use a third party computer for the specific purpose of gaining access to a target computer&#8221;. 
&#8220;The purpose of this power is to allow ASIO to access the computer of suspected terrorists and other security interests,&#8221; he told News Limited.   top        &#45; and &#45;          Singapore Beefs Up Cybersecurity Law to Allow Preemptive Measures   (ZDnet, 14 Jan 2013) &#45; Singapore&#8217;s Parliament has passed the amended Computer Misuse Act, which enables the government to thwart potential cyberattacks on critical infrastructure. According to a statement by The Ministry of Home Affairs (MHA) on Monday , the government organization is now allowed to order a person or organization to act against any cyberattack before it has begun. The law has also been renamed as the &#8220;Computer Misuse and Cybersecurity Act&#8221;. However, due to the severity of the threat cyberattacks can pose to the country, non&#45;compliance with this direction, or obstructing a person from complying with the Minister&#8217;s directions to him, will be made an offense which may result in a jail term of up to 10 years and a fine of S$50,000 (US$40,753). &#8220;The proposed legislative amendments will provide the government with greater ability to work with our stakeholders to take timely actions against cyber threats to our critical information infrastructure (CII),&#8221; the statement read. It adds these enhanced powers come with important safeguards to ensure they are used in an effective and responsible manner to protect our national interests.   top       Chicago Mayor Appoints First Ever Diversity Tech Council   (Gov&#8217;t Technology, 16 Jan 2013) &#45; To help integrate Chicago minorities into the city&#8217;s technology economy, Mayor Rahm Emanuel has appointed Chicago&#8217;s first&#45;ever technology industry diversity council. 
The 12&#45;member council will be responsible for helping to increase the percentage of minority employees for technology firms, increase the percentage of minority&#45;owned and &#45;operated technology firms, and helping find ways to transition students who attend Chicago public schools and city colleges into the technology economy, according to the mayor&#8217;s office. Everyone on the council is a member of a minority group and has demonstrated leadership in promoting diversity in Chicago&#8217;s technology community. The council has been given an initial four&#45;month period to create recommendations, after which Emanuel will develop policies based on those recommendations. CTO John Tolva said the individuals on the council represent the African American and Latino communities, and some representatives are women, since women are often a minority in the technology industry, though their working in tech startups is becoming more common. Tolva also said one of the driving factors for emphasizing the importance of diversity in technology is that public schools and colleges are currently going through a transformation&#8212;they&#8217;re integrating more science, technology, engineering and math (STEM) fields into education to better prepare students for the modern workforce.   top           Measuring the Success of Online Education   (NYT, 17 Jan 2013) &#45; One of the dirty secrets about MOOCs &#45; massive open online courses &#45; is that they are not very effective, at least if you measure effectiveness in terms of completion rates. If as few as 20 percent of students finishing an online course is considered a wild success and 10 percent and lower is standard, then it would appear that MOOCs are still more of a hobby than a viable alternative to traditional classroom education. 
Backers reason that the law of large numbers argues in favor of the online courses that have rapidly come to be seen as the vehicle for the Internet&#8217;s next big disruption &#45; colleges. If 100,000 students take a free online course and only 5,000 complete it, that is still a significant number. Udacity, along with other MOOC designers, is moving rapidly away from the video lecture model of teaching toward an approach that is highly interactive and based on frequent quizzes and human &#8220;mentors&#8221; to provide active online support for students. Moreover, there are early indications that the high interactivity and personalized feedback of online education might ultimately offer a learning structure that can&#8217;t be matched by the traditional classroom. Duolingo, a free Web&#45;based language learning system that grew out of a Carnegie Mellon University research project, is not an example of a traditional MOOC. However, the system, which now teaches German, French, Portuguese, Italian, Spanish and English, has roughly one million users and about 100,000 people spend time on the site daily. The firm&#8217;s business is based on the possibility of using students to translate documents in a crowd&#45;sourced fashion. Seventy&#45;five percent of the students are outside of United States, and Carnegie Mellon computer scientist Luis von Ahn notes that the foreign students are significantly more motivated and have a higher completion rate than their American counterparts.   top           &#8220;Social Media and Trademarks&#8221; Presentation at AALS   (Eric Goldman, 17 Jan 2013) &#45; Earlier this month, I spoke at the AALS IP Section meeting in New Orleans on the topic of &#8220;trademarks and social media.&#8221; My slides . Though I&#8217;ve written in this area (see, e.g., my Online Word of Mouth  paper from 2007), I didn&#8217;t have any new academic research to report. 
As a result, I decided to take an anthropological approach to the subject material by recounting some of the interesting things I see in social media from a trademark perspective:    Instabrands.  Brands that, like the mayfly, are born, live and die within a matter of days. I gave the example of the @FiredBigBird Twitter account. Trademark law isn&#8217;t well&#45;equipped to deal with such evanescent brands.   Large&#45;scale non&#45;commercial activity.  Trademark law tries to distingtuish [sic] between commercial and non&#45;commercial activity (like many other areas of law), but it doesn&#8217;t really contemplate that non&#45;commercial defendants can be using third&#45;party brands at a commercial scale. I gave the example of @BPGlobalPR Twitter account as an example of massive non&#45;commercial activity where the investment and distribution costs are zero and the labor is provided on a purely voluntary basis&#45;&#45;although this isn&#8217;t an ideal example as the BPGlobalPR operators do sell T&#45;shirts, and trademark law does know how to deal with that.   Brand Self&#45;Sabotage.  Brand managers are so used to having their conversation filtered through third party editors and gatekeepers that they can make embarrassing gaffes when they actually talk directly to their consumers. I gave the infamous Kenneth Cole/Arab Spring tweet as an example, but there are many in this genre.   Bashtags.  Brands also aren&#8217;t used to having their consumers able to talk to each other directly. Brands are even less prepared for the fact that they can&#8217;t steer those conversations. Bashtags are an example, where malcontents and vandals can coopt a conversation between brands and their loyal customers. I gave the #McDStories hashtag as the example. * * *   top           Should a Judge Recuse Due to Facebook Friendship with Prosecutor? 
Florida Supremes Asked to Decide   (ABA Journal, 17 Jan 2013) &#45; A Florida appeals court wants guidance on an ethics issue: Should judges recuse from cases when they are Facebook friends with the prosecutor? The 4th District Court of Appeal said on Wednesday that the matter is of great importance, and the Florida Supreme Court should decide the issue, the Palm Beach Post  reports. The appeals court removed Judge Andrew Siegel of Broward County from a case in September because he was Facebook friends with the prosecutor. Its decision  (PDF) cited a judicial ethics opinion that judges should not friend lawyers who appear before them. According to the appeals court, the ethics opinion recognized that friending could undermine confidence in a judge&#8217;s neutrality.   top       3rd Circuit: Covenant not to Sue is a License and therefore Not Dischargeable in Bankruptcy   (Patently&#45;O, 18 Jan 2013) &#45; A recent Third Circuit decision focuses on the impact that a bankruptcy has on a patent license. In 2009, Spansion and Apple settled a patent dispute with Spansion agreeing to end its case at the ITC and to refrain from suing in district court. The agreement stated:  &#8220;Provided that neither Spansion nor any successor in interest to any of the patents being asserted in the referenced ITC action do not bring an action of any nature asserting any such patent before any legal, judicial, arbitral, administrative, executive or other type of body or tribunal that has, or claims to have, authority to adjudicate such action in whole or in part against Apple or any Apple product, Apple agrees Spansion will not be disbarred as an Apple supplier as a result of the referenced ITC action.&#8221;  Later that year, Spansion filed for bankruptcy and the trustee moved to reject the settlement as an executory contract. The normal rule in bankruptcy (under 11 U.S.C. &#167; 365(a)) is that the debtor (here Spansion) can unilaterally reject executory contracts if it so chooses. 
Any resulting contract damages will be unsecured debts that are unlikely to receive any payout. IP law has a special exception codified in 11 U.S.C. &#167; 365(n). Under that rule, a licensee can elect to retain its license rights despite a debtor&#8217;s rejection. On appeal, the question is whether the contract between Spansion and Apple is a license or instead merely a promise not to sue. The bankruptcy court initially held that Apple&#8217;s &#167; 365(n) election did not apply because the agreement was not a license. Reviewing that decision, the Delaware District Court found that the agreement was a license &#8220;because it was a promise not to sue.&#8221; Now, the Third Circuit has affirmed the District Court with quotation from the Supreme Court&#8217;s 1927 decision in De Forest Radio .   top       EFF Urges Court to Protect Transformative Uses and Permit News Search Engine   (EFF, 18 Jan 2013) &#45; The Electronic Frontier Foundation (EFF) urged a federal judge today to protect fair use of news coverage and reject the Associated Press&#8217; (AP&#8217;s) dangerously narrow view of what is &#8220;transformative&#8221; in a copyright court battle over a news&#45;tracking service. In Associated Press v. Meltwater, AP claims its copyrights are infringed when Meltwater, an electronic news clipping service, includes excerpts of AP stories in search results for its clients seeking reports of news coverage based on particular keywords. 
In its argument, AP asks the court to accept an extraordinarily narrow view of fair use &#45; the doctrine that allows for the use of copyrighted material for purposes of commentary, criticism, or other transformative uses &#45; by claiming that Meltwater&#8217;s use of copyrighted excerpts cannot be &#8220;transformative&#8221; fair use unless they are also &#8220;expressive.&#8221; In an amicus brief filed today, EFF argues that AP&#8217;s theory would restrict the use and development of services that allow users to find, organize, and share public information. &#8220;There are lots of examples of important fair uses that wouldn&#8217;t fit under AP&#8217;s cramped definition of a &#8216;transformative&#8217; use,&#8221; said EFF Senior Staff Attorney Kurt Opsahl. &#8220;Time&#45;shifting &#45; like what you do when you record something on your DVR to watch later &#45; isn&#8217;t &#8216;expressive,&#8217; but courts have found it a clear fair use. Because fair use plays such an essential role in facilitating online innovation and expression, we&#8217;re asking the court to follow the law and reject this flawed theory from AP.&#8221; For the full amicus brief: https://www.eff.org/document/amicus&#45;brief&#45;14    top       Red October Espionage Platform Unplugged Hours After Its Discovery   (ArsTechnica, 18 Jan 2013) &#45; Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five&#45;year operation was exposed. The so&#45;called Red October campaign came to light on Monday  in a report from researchers from antivirus provider Kaspersky Lab. It reported that the then&#45;ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. 
The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that funneled malware and received stolen data to and from infected machines. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday  by Kaspersky news service Threatpost. &#8220;It&#8217;s clear that the infrastructure is being shut down,&#8221; Kaspersky Lab researcher Costin Raiu told the service. &#8220;Not only the registers killing the domains and the hosting providers killing the command&#45;and&#45;control servers but perhaps the attackers shutting down the whole operation.&#8221; One of Red October&#8217;s innovations is a command infrastructure that uses multiple layers of servers and domains that act as proxies to camouflage the core functions in the operation. Mashable reporter Lorenzo Franceschi&#45;Bicchierai quoted Raiu as describing the design as an &#8220; onion with multiple skins &#8221; with a mothership at its center that collects all the stolen data. Raiu said most of the unplugged domains and disconnected servers seen so far represent first&#45;level proxies. He speculated the operation may go dormant for a while and then come back using different servers or domains, or even different malware altogether. Raiu said the full extent of the infrastructure likely hasn&#8217;t been uncovered yet. He estimated the campaign may use several dozen more servers. If correct, the total number would rival the command infrastructure used by Flame, the  state&#45;sponsored malware campaign  that targeted sensitive networks in Iran.   top       Law of Armed Conflict Applied to Autonomous Weapon Systems   (Lawfare, 19 Jan 2013) &#45; The American Society of International Law has released a new &#8220;ASIL Insight&#8221; on law applicable to autonomous weapon systems. 
(ASIL Insights are short, descriptive pieces on topical issues meant as non&#45;technical &#8220;backgrounders&#8221; for journalists, the general public, and anyone looking for a quick path into an international law topic; they represent solely the author&#8217;s views, but are written to give an understanding of the background legal issues.) &#8220;The Law That Applies to Autonomous Weapon Systems&#8221;  is written by Jeffrey S. Thurnher, a JAG officer on faculty at the Naval War College; it is short, crisp, and a useful guide to understanding the legal issues raised by the possibility of increasingly automated weapon systems that might one day be fully autonomous. (Also recommended is Major Thurnher&#8217;s more detailed October 2012 article in Joint Force Quarterly  (National Defense University, Washington DC, Vol. 67, No. 4, Oct. 2012), &#8220;No One at the Controls: Legal Implications of Fully Autonomous Targeting.&#8221; )   top       Even if It Enrages Your Boss, Social Net Speech Is Protected   (NYT, 21 Jan 2013) &#45; As Facebook and Twitter become as central to workplace conversation as the company cafeteria, federal regulators are ordering employers to scale back policies that limit what workers can say online. Employers often seek to discourage comments that paint them in a negative light. Don&#8217;t discuss company matters publicly, a typical social media policy will say, and don&#8217;t disparage managers, co&#45;workers or the company itself. Violations can be a firing offense. But in a series of recent rulings and advisories, labor regulators have declared many such blanket restrictions illegal. The National Labor Relations Board says workers have a right to discuss work conditions freely and without fear of retribution, whether the discussion takes place at the office or on Facebook. 
In addition to ordering the reinstatement of various workers fired for their posts on social networks, the agency has pushed companies nationwide, including giants like General Motors, Target and Costco, to rewrite their social media rules. &#8220;Many view social media as the new water cooler,&#8221; said Mark G. Pearce, the board&#8217;s chairman, noting that federal law has long protected the right of employees to discuss work&#45;related matters. &#8220;All we&#8217;re doing is applying traditional rules to a new technology.&#8221; The decisions come amid a broader debate over what constitutes appropriate discussion on Facebook and other social networks. Schools and universities are wrestling with online bullying and student disclosures about drug use. Governments worry about what police officers and teachers say and do online on their own time. Even corporate chieftains are finding that their online comments can run afoul of securities regulators. The labor board&#8217;s rulings, which apply to virtually all private sector employers, generally tell companies that it is illegal to adopt broad social media policies &#45; like bans on &#8220;disrespectful&#8221; comments or posts that criticize the employer &#45; if those policies discourage workers from exercising their right to communicate with one another with the aim of improving wages, benefits or working conditions. But the agency has also found that it is permissible for employers to act against a lone worker ranting on the Internet. Several cases illustrate the differing standards. * * * As part of the labor board&#8217;s stepped&#45;up role, its general counsel has issued three reports  concluding that many companies&#8217; social media policies illegally hinder workers&#8217; exercise of their rights. The general counsel&#8217;s office gave high marks to Wal&#45;Mart&#8217;s social policy, which had been revised after consultations with the agency. 
It approved Wal&#45;Mart&#8217;s prohibition of &#8220;inappropriate postings that may include discriminatory remarks, harassment and threats of violence or similar inappropriate or unlawful conduct.&#8221; But in assessing General Motors&#8217;s policy, the office wrote, &#8220;We found unlawful the instruction that &#8216;offensive, demeaning, abusive or inappropriate remarks are as out of place online as they are offline.&#8217; &#8220; It added, &#8220;This provision proscribes a broad spectrum of communications that would include protected criticisms of the employer&#8217;s labor policies or treatment of employees.&#8221; A G.M. official said the company has asked the board to reconsider. In a ruling last September, the board also rejected as overly broad Costco&#8217;s blanket prohibition against employees&#8217; posting things that &#8220;damage the company&#8221; or &#8220;any person&#8217;s reputation.&#8221; Costco declined to comment.   top           Social Media Coverage of Conferences a Windfall for Legal Associations   (Kevin O&#8217;Keefe, 22 Jan 2013) &#45; Defense lawyers used to kid me that I would go to my state trial lawyer&#8217;s association and the American Association of Trial Lawyers conferences to get religion. Their point being that I learned new ideas, networked with other plaintiff&#8217;s trial lawyers and came back all enthused. I didn&#8217;t disagree. Those conferences, and what I gained by attending them, were the single biggest reason I joined the associations and continued to pay the substantial dues and conference fees. I came back telling other lawyers about the conferences and what they could gain by becoming a member. Associations no longer have to rely on members like me spreading the word about their conferences and the benefits of membership. Social media has become a powerful medium to not only make conferences more meaningful to attendees, but to also broaden a conference&#8217;s reach beyond the conference walls. 
Social media such as video, audio (soundcloud), blogging, Twitter, and Facebook engage an association&#8217;s target audience in real time and in a very cost effective fashion. The outcome: membership retention; more attendees at upcoming conferences; and happy exhibitors and sponsors.   top           The HIPAA&#45;HITECH Regulation, the Cloud, and Beyond   (Daniel Solove, 23 Jan 2013) &#45; The new HIPAA&#45;HITECH regulation is here. Officially titled &#8220;  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules  ,&#8221; this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett&#8217;s play Waiting for Godot,  HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule &#8220;marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.&#8221; I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too. The most important changes involve expanding HIPAA&#8217;s scope of coverage, to regulate business associates (BAs) and subcontractors of BAs. The regulation applies the HIPAA Security Rule and parts of the Privacy Rule to BAs, which are now directly subject to HIPAA enforcement. Subcontractors of BAs are also deemed to be BAs, and there must be a business associate agreement (BAA) between a BA and a subcontractor. In this post, I will discuss these particular changes and their implications for a wide array of businesses and cloud computing in healthcare. Before I focus on the issue of scope, I want to point out some other key changes that the regulation makes. 
The regulation strengthens people&#8217;s rights to receive electronic copies of their protected health information (PHI). The Breach Notification Rule is changed to presume that any impermissible access, use, or disclosure of PHI is a breach unless a covered entity or business associate can demonstrate a low probability PHI has been compromised. Instead of focusing on harm to the individual, the focus is on the likelihood PHI has been improperly accessed or exposed. Decedent PHI is protected for 50 years after death. Previously, HIPAA protected PHI after death without any time limitation. For patients who pay for treatment out&#45;of&#45;pocket, patients have a right to restrict insurance companies from accessing the PHI. And as directed by the HITECH Act, the regulations provide for much stronger penalties for violations. There are many other changes too &#45; I&#8217;m only hitting a few highlights. [Polley: Hogan Lovells also has a good analysis here .]   top           Lawyer Advertising and Marketing Ethics Today   (Attorney At Work, 23 Jan 2013) &#45;  At the start of the new year, we asked Will Hornsby, Staff Counsel at the American Bar Association, what lawyers need to know about changes made in ethics rules regarding marketing in 2012&#45;and what to expect in 2013. The following feature article is excerpted from Attorney at Work&#8217;s new e&#45;guide,   Really Good Marketing Ideas: How to (Really) Get More Clients This Year   .  The legal profession constantly struggles to set advertising policies that strike the balance between consumer protection and access to justice. What are the boundaries we impose on ourselves to make certain that people are not subject to over&#45;reaching when lawyers are seeking clients, yet still enable people to get the information needed to make decisions about representation? We all agree on the objective, but we don&#8217;t often agree on the means to get there. 
In the past year, rule&#45;makers, committees drafting ethics opinions and disciplinary agencies have all weighed in, but frequently not with the same results. Here&#8217;s an overview.   top       FFIEC Proposes Social Media Guidance   (BankInfoSecurity, 24 Jan 2013) &#45; The Federal Financial Institutions Examination Council has issued proposed risk management guidance  for the use of social media . &#8220;Social Media: Consumer Compliance Risk Management Guidance,&#8221; was posted on the Federal Register Jan. 23. It provides an overview of the impact social media sites have on compliance with consumer protection and other applicable laws, especially when interactions between institutions and consumers take place on social media sites such as Facebook and Twitter. George Tubin, a financial fraud and security expert at anti&#45;malware vendor Trusteer, says the guidance will likely be welcomed by security and privacy officers, who have struggled to keep social media risks in check. &#8220;Employees could be using social media from different devices or from home at night,&#8221; Tubin says. &#8220;If their accounts are taken over, then a criminal could be posting on that site, giving advice to steer customers to do something they shouldn&#8217;t, or posting a link that leads them to a malicious site. There certainly are a lot of risks banks need to think about when they start to use social media.&#8221; The FFIEC will accept comments on the proposed guidance through March 25. It will publish a final version once it reviews comments received.   top           Yahoo, Like Google, Demands Warrants for User E&#45;Mail   (Wired, 25 Jan 2013) &#45; Yahoo demands probable&#45;cause, court&#45;issued warrants to divulge the content of messages inside its popular consumer e&#45;mail brands &#45; Yahoo and Ymail, the web giant said Friday. 
The Sunnyvale, California&#45;based internet concern&#8217;s exclusive comments came two days after Google revealed to Wired that it demands probable&#45;cause warrants to turn over consumer content stored in its popular Gmail and cloud&#45;storage Google Drive services &#45; despite the Electronic Communications Privacy Act not always requiring warrants. &#8220;Yes, we require a probable cause warrant for e&#45;mail content,&#8221; said Yahoo spokeswoman Lauren Armstrong, in an e&#45;mail interview. &#8220;That is more than ECPA requires.&#8221; The nation&#8217;s other major consumer&#45;facing e&#45;mail provider &#45; Microsoft &#45; which markets the Hotmail and Outlook brands, declined comment for this story. In short, Yahoo and Google are granting their customers more privacy than the four corners of the ECPA. There&#8217;s been a string of conflicting court opinions on whether warrants are required for data stored on third&#45;party servers longer than 180 days. The Supreme Court has never ruled on the issue. Federal and state law enforcement officials are seemingly abiding by Yahoo&#8217;s and Google&#8217;s own rules to avoid a showdown before the Supreme Court. &#8220;No, we don&#8217;t get any pushback from authorities,&#8221; Armstrong said, adding that Yahoo began the practice in &#8220;early 2011.&#8221; [Polley: Twitter also requires  probable&#45;cause warrants.]   top       Will Virginia Law Blogger&#8217;s Challenge to Discipline Deprive Other Blogs of First Amendment Protection?   (MyShingle.com, 28 Jan 2013) &#45; In October 2011, I blogged about a  Virginia lawyer Horace Hunter&#8217;s challenge to a disciplinary charge  for failing to include a disclaimer on his blog stating that results in past cases handled by the firm (and reported on the blog) are unique to the facts and do not guarantee a similar outcome in other cases. 
Hunter refused, arguing that his blog constituted First Amendment protected speech and therefore, a disclaimer limiting his speech rights was unconstitutional. I felt compelled to support Hunter&#8217;s fight, though I was skeptical: to me, his blog, which was nothing more than a cherry&#45;picked newsfeed of his firm&#8217;s highlights, seemed much more like advertising than protected speech. But I feared that if Hunter&#8217;s blog was classified as advertising, the door would open to increased regulation even for legitimate, information&#45;rich or opinion&#45;based law blogs. Hunter won his case  before a three judge panel which overturned the Virginia disciplinary committee&#8217;s ruling. Now, via Ben Glass  and John Cord , I&#8217;ve learned that the case has made its way up to the Virginia Supreme Court. Hunter&#8217;s failure to include the disclaimer is still at issue, but as Ben Glass notes in his summary, the Virginia regulators also seek sanction because Hunter&#8217;s publication of case summaries revealed information embarrassing to his clients, without their consent. Hunter&#8217;s brief  argues that his blog was First Amendment protected speech. Trouble is, there&#8217;s little that Hunter&#8217;s lawyer could do to back up that claim. Hunter&#8217;s so&#45;called blog was basically a newsfeed (later supplemented with a few opinion pieces when the regulators came calling) of his victories; there&#8217;s no opinion or in depth analysis on the order of these criminal defense bloggers  or even basic information or FAQs or how&#45;tos to educate readers about their rights. I fear that based on the record in the case, the Virginia Supreme Court will find, as a matter of law, that blogs are commercial speech (read advertising) or at best, a hybrid of protected and commercial speech, instead of being pure First Amendment content. 
I&#8217;m also fully not comfortable with lawyers posting about any matters &#45; even those of public record &#45; without client consent. I don&#8217;t think that Hunter ought to be sanctioned (particularly when the prohibition is far from clear) or that writing about matters of public record ought to be a disciplinary offense. Rather, this is one of those types of matters where lawyers need to exert some self&#45;control and keep in mind their obligation to protect client privacy.   top           Who Owns, Controls Social Media Activity?   (TVNewsCheck, 29 Jan 2013) &#45; Now that the use of social media is part of the TV newsroom norm, the industry is wrestling with the next wave of issues associated with the medium &#45; hashing out matters ranging from who owns on&#45;air personalities&#8217; Facebook accounts to delineating between professional and personal tweets. Individuals on all sides of the equation, from station group owners to newsroom staffers, are pushing to add more structure to the use of social media both on and off the job, primarily so the practice doesn&#8217;t come back to bite them, industry watchers say. The lack of industrywide standards regulating social media practices also is starting to create unexpected problems, particularly for anchors and reporters who, to some degree, are winging it. Just last week, for example, Rachel Barnhart, a reporter at WHAM Rochester, N.Y. (DMA 79) who spent years building a robust Facebook following on a personally created page, publicly raised one such issue  when she told fans that she would start using new social media accounts during work hours in keeping with new station owner Sinclair Broadcasting&#8217;s policy of &#8220;owning&#8221; such accounts of its on&#45;air personalities. &#8220;This raises a lot of questions for journalists about who owns your online presence and identity,&#8221; Barnhart says. 
Barnhart says she understands Sinclair&#8217;s rationale for requiring talent to have station&#45;related social media accounts, as well as owning the content that&#8217;s on them. (Sinclair&#8217;s attorney was not available to discuss the matter). But having invested countless hours in personal Facebook and Twitter accounts, which together have about 20,000 followers, Barnhart says she is concerned that stations will ultimately be able to &#8220;own&#8221; their talents&#8217; followers as well, much like a company owns a salesperson&#8217;s rolodex. Barnhart says she could see the day when those sorts of questions will be hammered out in contract talks.   top       Audit Concerns Over Cybersecurity Threats   (FT, 29 Jan 2013) &#45; Company audit committee members are concerned about the quality of information that they receive on cybersecurity and believe risk management programmes need to become more &#8220;dynamic&#8221;, according to a KPMG survey. The survey, based on the results of a survey of some 1,800 audit committee members in 21 countries undertaken by KPMG&#8217;s Audit Committee Institute, asked whether they were satisfied with the quality of information they receive from their company on a range of issues. Only 26 per cent of respondents said they were fully satisfied with information on cybersecurity. In the UK, just one in five respondents said they were satisfied, compared to satisfaction levels of more than 70 per cent on legal and regulatory compliance issues. The results echo those of other studies that have suggested many companies and their boards remain complacent about cybersecurity or lack detailed understanding of the threats they face. It could also help fuel demands that cybersecurity risk assessment should be part of the formal audit procedure or addressed specifically in company annual reports. 
Nearly half of survey respondents said their company&#8217;s risk management programme requires &#8220;substantial work&#8221;, and only a third of UK&#45;based audit committee members said they are fully satisfied that their company&#8217;s risk management process is dynamic enough to cope with a rapidly changing environment including new technology and social media risks.   top       So, What is the Deal with Copyright and 3D Printing?   (Public Knowledge, 30 Jan 2013) &#45; Today Public Knowledge is happy to announce a new whitepaper: What&#8217;s the Deal with Copyright and 3D Printing? This paper is something of a follow up to our previous 3D printing whitepaper It Will Be Awesome if They Don&#8217;t Screw It Up: 3D Printing, Intellectual Property, and the Fight Over the Next Great Disruptive Technology. Unlike It Will Be Awesome, which focused on the broad connection between intellectual property law and 3D printing, What&#8217;s the Deal? takes a deeper dive into the relationship between copyright and 3D printing. A lot has changed since we released It Will Be Awesome. News outlets have discovered 3D printing. Rightsholders are issuing takedown notices. And Congress has started to take a look. At the same time, a lot has stayed the same. People are continuing to innovate to make home 3D printers better. Creators are pushing the limits as they design even more intricate 3D printed objects. And we are beginning to see the beginnings of physical remix artists. But throughout this, people seem to keep coming back to copyright. As we note in the paper, part of this is a result of years of conditioning. 
Years of creating music, movies, and articles on computers have trained us all to automatically associate &#8220;digital&#8221; with &#8220;copyright,&#8221; and &#8220;disruptive digital&#8221; with &#8220;potential copyright problem.&#8221; But one of the gifts of 3D printing is that it brings digital into the physical world, where its connection to copyright is weaker. While this fraying may very well lead us to a new age of innovation, first we will need to retrain ourselves to stop assuming that everything is protected by copyright. Of course, the first step in understanding what is not protected by copyright is recognizing what is protected by copyright. What&#8217;s the Deal? is designed to help mark those boundaries and draw focus to the hard &#45; and easy &#45; questions that the boundaries raise. Like It Will Be Awesome, What&#8217;s the Deal? is intended more as a conversation starter than a final word. Hopefully it will be a useful resource to the rapidly growing 3D printing community.   top       Publication Agreements   (MLPB, 30 Jan 2013) &#45; Harold Anthony Lloyd, Wake Forest University School of Law, has published Publish and Perish? Handling the Unreasonable Publication Agreement. Here is the abstract:  &#8220;Using hypothetical publication agreement drafts, this article explores copyright, warranty, representation, indemnity and other traps awaiting unwary authors. Exploring legitimate concerns of both authors and publishers, this article outlines parameters of reasonable agreements.&#8221;  Article here .   top           How Secure Are Your Skype Calls?   (RideTheLightning, 30 Jan 2013) &#45; Lawyers, especially solo and small firm lawyers, have flocked to Skype as a great way to save money. But how secure are your Skype calls? 
The BBC recently reported that Reporters Without Borders, the Electronic Frontier Foundation and 43 other groups have signed a letter asking Microsoft (which owns Skype) to reveal details about what information is stored and government efforts to access it. Google and Twitter have been fairly transparent on this subject, but not Microsoft &#45; which is considering the request. Skype last referenced privacy issues last July saying that calls between two parties did not flow through its datacenters meaning it would not have access to the video or audio. Those calls are also encrypted which would make it hard for anyone listening to make sense of the data. But Microsoft did say that group calls using more than two computers do pass through its servers (to aggregate the media streams) and that text&#45;based messages were also stored on its computers for up to 30 days in order to make sure they were synchronized across users&#8217; devices. Based on what we KNOW today, most experts have signed off on one&#45;to&#45;one calls via Skype. But I would be wary of group calls &#45; once data is stored on a company&#8217;s servers, I am leery of statements about when it is removed (and whether it might be shared at the legal request of a government). Lawyers in particular should avoid group calls involving client information.   top           Standards for Technology&#45;Enabled Learning   (ITU, 30 Jan 2013) &#45; Education is a prerequisite to using information and communication technologies (ICT) &#45; and in return, these same technologies can facilitate learning processes, taking education beyond classrooms as we know them. A Technology Watch report &#8220;Standards for technology&#45;enabled learning,&#8221; published by ITU in September 2012, surveys emerging technologies, which, if applied in an educational context, will contribute to more efficient and more affordable education and training for all. 
For a number of years now, standardization bodies have been defining standards and guidelines for ICT&#45;enhanced distance&#45;learning. Their output is taken up in this report with a view to exploring and identifying new applications and directions for this work.   top       Whose Law Governs Communication Intercepts?   (Steptoe, 31 Jan 2013) &#45; The law governing the interception of customer or employee communications is only getting more muddled. Not only do different states have different laws, but courts are applying different tests to decide which state&#8217;s law should apply when there&#8217;s a conflict. A federal court in Arizona has ruled, in Xcentric Ventures, LLC v. Borodkin, that Arizona&#8217;s wiretap law, not California&#8217;s, governs a lawsuit brought by a California resident against an Arizona corporation that recorded his phone call without his consent. While California law prohibits such recordings unless all parties to the communication consent, Arizona courts have allowed interceptions where only one party consents. The ruling conflicts with an earlier decision by the California Supreme Court under similar facts, further clouding the legal picture for communications companies, websites, and employers that monitor consumer or employee communications or Internet activity.   top           CRS Report on Domestic Drones   (Lawfare, 1 Feb 2013) &#45; Over at Secrecy News , Steve Aftergood has posted  a new Congressional Research Service report entitled, &#8220; Integration of Drones into Domestic Airspace: Selected Legal Issues .&#8221; The summary of the report, by Alissa M. Dolan and Richard M. Thompson II, reads:  &#8220;Under the FAA Modernization and Reform Act of 2012, P.L. 112&#45;95, Congress has tasked the Federal Aviation Administration (FAA) with integrating unmanned aircraft systems (UASs), sometimes referred to as unmanned aerial vehicles (UAVs) or drones, into the national airspace system by September 2015. 
Although the text of this act places safety as a predominant concern, it fails to establish how the FAA should resolve significant, and up to this point, largely unanswered legal questions. For instance, several legal interests are implicated by drone flight over or near private property. Might such a flight constitute a trespass? A nuisance? If conducted by the government, a constitutional taking? In the past, the Latin maxim cujus est solum ejus est usque ad coelum (for whoever owns the soil owns to the heavens) was sufficient to resolve many of these types of questions, but the proliferation of air flight in the 20th century has made this proposition untenable. Instead, modern jurisprudence concerning air travel is significantly more nuanced, and often more confusing. Some courts have relied on the federal definition of &#8220;navigable airspace&#8221; to determine which flights could constitute a trespass. Others employ a nuisance theory to ask whether an overhead flight causes a substantial impairment of the use and enjoyment of one&#8217;s property. Additionally, courts have struggled to determine when an overhead flight constitutes a government taking under the Fifth and Fourteenth Amendments.&#8221;    top       It&#8217;s Google, But is it Art? Museums Wonder Whether they Should Open their Galleries to Digitizing   (ABA Journal, 1 Feb 2013) &#45; Google&#8217;s mission to digitize artwork from around the world is testing the bounds of copyright protection and the fairness of licensing contracts. Launched in February 2011, the Google Art Project provides access to more than 30,000 high&#45;resolution images of paintings, sculptures and photographs from more than 180 museums and institutions in 40 countries, including the Metropolitan Museum of Art in New York City, the Uffizi Gallery in Florence, the de Young Museum in San Francisco and the Van Gogh Museum in Amsterdam. 
With the ability to zoom in to see precision details up close, the Google Art Project was designed to make artwork more widely available and to promote popular interest. But museums, while appreciating the attention, are wary about which art they share. And their lawyers are treading carefully. Troy Klyber, intellectual property manager at the Art Institute of Chicago, saw participating in the Google Art Project as a way to fulfill the museum&#8217;s mission, which is to share its works with the public. But because ownership of an art object doesn&#8217;t necessarily include ownership of the object&#8217;s copyright, the Art Institute could only include works for which it had been assigned the copyright through gift or contract, or works by artists dead for more than 70 years. As a result, the Google Art Project features fewer examples of modern and contemporary art. Protecting the Art Institute&#8217;s nonpermissioned works was labor&#45;intensive, particularly when it came to the project&#8217;s &#8220;museum view,&#8221; in which cameras panned full galleries. In those cases, nonpermissioned artworks had to be blurred. &#8220;It was someone&#8217;s job to go through and blur the other works from every angle. In all, we had more than 6,000 blurs,&#8221; Klyber says. According to Adrienne Fields, associate counsel of the Artists Rights Society&#45;which represents the IP rights of more than 50,000 artists and artists&#8217; estates, including those of Picasso, Matisse and Rothko&#45;Google has also been unwilling to enter into a working agreement with the ARS on behalf of its members. Instead, Google has placed the administrative and financial burdens on individual museums, requiring them to obtain rights from the ARS.   
top           RESOURCES    Copyright for Librarians &#45; the Essential Handbook  (Berkman, 11 Jan 2013) &#45; &#8220;Copyright for Librarians&#8221; (CFL) is an online open curriculum on copyright law that was developed jointly with Harvard&#8217;s Berkman Center for Internet and Society. Re&#45;designed as a brand new textbook, &#8220;Copyright for Librarians: the essential handbook&#8221; can be used as a stand&#45;alone resource or as a companion to the online version which contains additional links and references for students who wish to pursue any topic in greater depth. Delve into copyright theory, understand the public domain or explore enforcement. With a new index and a handy Glossary, the Handbook is concise reading for librarians who want to hone their skills in 2013, and for anyone learning about or teaching copyright law in the information field. Free download here.   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2013-02-01T18:36:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 23 December 2012 – 12 January 2013 (v16.01)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_23_december_2012_12_january_2013_v1601/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_23_december_2012_12_january_2013_v1601/#When:15:16:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 23 December 2012 &#45; 12 January 2013 (v16.01) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | RESOURCES  | LOOKING BACK  | NOTES   The Protection of Classified Information: The Legal Framework    FTC Tightens Rules to Protect Children&#8217;s Privacy Online    Cyberinsurance: Understanding the Risks    Health&#45;Care Sector Vulnerable to Hackers, Researchers Say    New Mandate Would Require Military Contractors to Report Cyber Breaches     Insurers Evaluating their Clients&#8217; Risk Exposures are Advised to Monitor their Own Cybersecurity Exposures, Particularly Related to Mobile and BYOD    Accessing Email Server from Canada Supported Personal Jurisdiction in the U.S.    EFF: Limit Software Patents    Superior Court of Ontario Allows Lawyers and Journalists to Use Electronic Media in Court    6 States Bar Employers From Demanding Facebook Passwords    Punishing Hackers Even When They Do No Damage    Stored Communications Act Does Not Protect Information Stored On Cell Phone    Most Popular Intellectual Property and Technology Law Blogs    California Rules on Ethics of Social Media Postings    Defendant Not Entitled to &#8220;Delve Carte Blanche&#8221; Into Plaintiff&#8217;s Social Media Accounts    Handling Disputes Over Access To Employee Social Network Accounts    Postal Service to Host Cloud&#45;Based Public&#45;Private ID Protection Network    Dinosaur Alert: Irish Newspapers Desperately Trying to Charge for Links    Privacy Plaintiffs in Deep Packet Inspection Case Get No Love From the Tenth Circuit    The U.S. Fair Use Defense In Other Jurisdictions    Originality in Photographs According to US Court of Appeals    Anonymous Petitions U.S. to See DDoS Attacks as Legal Protest            The Protection of Classified Information: The Legal Framework   (CRS Study, Jennifer K. Elsea, Legislative Attorney. 
December 17, 2012) &#45; The publication of secret information by WikiLeaks and multiple media outlets, followed by news coverage of leaks involving high&#45;profile national security operations, has heightened interest in the legal framework that governs security classification and declassification, access to classified information, agency procedures for preventing and responding to unauthorized disclosures, and penalties for improper disclosure. Classification authority generally rests with the executive branch, although Congress has enacted legislation regarding the protection of certain sensitive information. While the Supreme Court has stated that the President has inherent constitutional authority to control access to sensitive information relating to the national defense or to foreign affairs, no court has found that Congress is without authority to legislate in this area. This report provides an overview of the relationship between executive and legislative authority over national security information, and summarizes the current laws that form the legal framework protecting classified information, including current executive orders and some agency regulations pertaining to the handling of unauthorized disclosures of classified information by government officers and employees. The report also summarizes criminal laws that pertain specifically to the unauthorized disclosure of classified information, as well as civil and administrative penalties. Finally, the report describes some recent developments in executive branch security policies and legislation currently before Congress ( S. 3454 ).   top        FTC Tightens Rules to Protect Children&#8217;s Privacy Online   (Washington Post, 19 Dec 2012) &#45; Web sites and mobile apps will have to get parental permission to collect photos, videos and a wide array of other information that children expose online under federal guidelines released Wednesday. 
The Federal Trade Commission&#8217;s  update to child online privacy laws  comes after a two&#45;year debate over how far the government should go to protect the privacy of children 12 and younger without curbing the practices of a thriving Web economy that relies on data for advertising. The amendments require companies to get permission from parents to collect a child&#8217;s photographs, videos and geolocational information &#45; all content that social media, online games and mobile devices have made easy to share. Companies such as Google and Viacom must also have a parent&#8217;s consent before using tracking tools, such as cookies, that use IP addresses and mobile device IDs to follow a child&#8217;s Web activity across multiple apps and sites. In the end, the FTC decided that those companies would be liable only when they have &#8220;actual knowledge&#8221; that their partner sites are collecting information about children. App stores such as Apple&#8217;s iTunes and Google Play won&#8217;t be liable for the child privacy practices of its hundreds of thousands of apps, the FTC said. Others said the updates were too heavy&#45;handed and might define a kid&#45;oriented site too broadly. Angry Birds, for example, is a game that is largely popular among adults but is animated and may appear to be aimed at children.     top         Cyberinsurance: Understanding the Risks   (Michigan Bar Journal, Fall 2012) &#45; Business lawyers are often involved with risk management and insurance coverage issues. We are expected to be familiar with the types of insurance and the scope of coverage, whether in the general operation of the client&#8217;s businesses, the negotiation of contracts in which they are a vendor or a purchaser of services, or in the general assessment of risk management. 
Our business clients typically purchase insurance products for property, personal injury, and general commercial liability coverage, and may also obtain coverage for certain acts of directors and officers, errors and omissions coverage, or other employee practices. When dealing with cyberinsurance, however, there is a complete paradigm shift. The assessment of real risks becomes a critical part of the analysis. This article will seek to provide some high&#45;level thoughts and recommendations for understanding this area.   top        Health&#45;Care Sector Vulnerable to Hackers, Researchers Say   (Washington Post, 25 Dec 2012) &#45; As the health&#45;care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews. Security researchers warn that intruders could exploit known gaps to steal patients&#8217; records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. A year&#45;long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems. &#8220;I have never seen an industry with more gaping security holes,&#8221; said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University.   top        New Mandate Would Require Military Contractors to Report Cyber Breaches   (NextGov, 26 Dec 2012) &#45; The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company&#45;owned networks that handle military data. 
If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence. What began as a defense industrial base pilot program in 2011 was opened to all  interested military vendors in May. In October,  reports   surfaced  that five of the 17 initial contractors dropped out  of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time&#45;consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program  noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing. [The] second part basically reveals to contractors, or their Internet service providers, digital footprints of malicious software so antivirus scans can block the malware. The program&#8217;s regulations  state that, in exchange for this intelligence, contractors must disclose breaches they have suffered &#8220;within 72 hours of discovery.&#8221; Congress&#8217;s measure only states that contractors are mandated &#8220;to rapidly report&#8221; to the Defense Department each &#8220;successful penetration of the network or information systems&#8221; carrying military data.   
top        Insurers Evaluating their Clients&#8217; Risk Exposures are Advised to Monitor their Own Cybersecurity Exposures, Particularly Related to Mobile and BYOD   (Insurance Networking, 28 Dec 2012) &#45; As insurers evaluate their 2013 risk management programs, they are faced with a growing concern over the long&#45;term effects of cybersecurity attacks. This concern is shared by some legislators in Washington, however, in November, the Cybersecurity Act of 2012 (CSA) failed to pass the U.S. Senate. The vote was portrayed as Republican obstructionism, even though five Democrats voted against the bill and four Republicans voted for it, according to the online site  The Foundry  . Meanwhile, the President has vowed to issue an executive order to implement at least some of the elements of the bill. Corporate board concerns are also growing, as directors are faced with a host of liabilities related to cybersecurity, not the least of which is federal reporting standards. As a result, boards are increasingly directing management to implement processes for identifying, assessing, and monitoring the ever&#45;evolving sophistication of cybersecurity risks. Many are making cybersecurity a top&#45;priority risk oversight issue. These events create compelling reasons to encourage commercial lines customers to include cybersecurity in their insurance portfolio, and insurers are in a scramble to evaluate and highlight the greatest risk exposures and vulnerabilities to the corporate enterprise and beyond.   top            Accessing Email Server from Canada Supported Personal Jurisdiction in the U.S.   (Internet Cases blog, 28 Dec 2012) &#45; MacDermid, Inc. v. Deiter , No. 11&#45;5388 (2d Cir. December 26, 2012) The Second Circuit reversed a District Court that held it could not exercise personal jurisdiction over a Canadian defendant accused of accessing email servers located in Connecticut. 
Defendant lived and worked in Canada for a U.S.&#45;based company having its principal place of business in Connecticut. She knew her company&#8217;s email servers were located in Connecticut. When she learned that she was about to be terminated from her position, she forwarded confidential company data from her work email account to her personal account. The former employer sued in the U.S. District Court for the District of Connecticut. That court dismissed the case, holding that the relevant Connecticut state statute (Conn. Gen. Stat. &#167; 52&#45;59b(a)) did not authorize the exercise of personal jurisdiction. The lower court found that although the statute authorized personal jurisdiction over one who &#8220;uses a computer&#8221; in the state, defendant&#8217;s alleged computer use took place exclusively in Canada. Plaintiff&#45;employer sought review with the Second Circuit Court of Appeals. On appeal, the court reversed, holding that the state statute authorized the exercise of personal jurisdiction, and that such exercise comported with due process.   top       EFF: Limit Software Patents   (Patently&#45;O, 28 Dec 2012) &#45; Since the Supreme Court&#8217;s 2010 Bilski ruling, the Federal Circuit has been consistent on only one point in its &#167; 101 jurisprudence&#45;and that&#8217;s on being inconsistent. In the face of the Federal Circuit&#8217;s failure to provide a workable &#167; 101 standard, the Supreme Court issued its unanimous ruling in Mayo v. Prometheus, essentially telling the Federal Circuit to take the patentable subject matter inquiry seriously. Yet the Federal Circuit paid no heed when it ruled in CLS Bank v. 
Alice, all but ignoring the Supreme Court (for many of us court watchers, the Federal Circuit&#8217;s failure to address Mayo was shocking; even Judge Prost, in her dissent, admonished the majority for &#8220;fail[ing] to follow the Supreme Court&#8217;s instructions&#45;not just in its holding, but more importantly in its approach.&#8221;). So it really was no surprise when the Federal Circuit agreed to take CLS en banc. We, along with many others, hope that this case would provide the Court an opportunity to heed the Bilski Court&#8217;s warning that:  &#8220;The Information Age empowers people with new capacities to perform statistical analyses and mathematical calculations with a speed and sophistication that enable the design of protocols for more efficient performance of a vast number of business tasks. If a high enough bar is not set when considering patent applications of this sort, patent examiners and courts could be flooded with claims that would put a chill on creative endeavor and dynamic change. (130 S. Ct. at 3229).&#8221;  As currently interpreted, &#167; 101 leaves parties unable to discern a patent&#8217;s metes and bounds or assess its validity, making inadvertent infringement an unfortunate cost of doing business. This has led to a dangerous and dramatic increase in patent litigation, particularly surrounding business method patents or those covering software. For better or worse (and I think worse), the major uptick in these cases involved non&#45;practicing entities.   top        Superior Court of Ontario Allows Lawyers and Journalists to Use Electronic Media in Court   (SLAW, 2 Jan 2013) &#45; The Superior Court of Justice of Ontario has issued a &#8216;protocol&#8217; that will (as of February 1) allow lawyers, licensed paralegals, law students, self&#45;represented parties, and &#8216;media or journalists&#8217; to use electronic communications devices (broadly defined to include laptops and smart phones) in court without express permission. 
Naturally there are some conditions, including: don&#8217;t disturb the proceedings; don&#8217;t distribute any information that is subject to a publication ban; don&#8217;t take any pictures; don&#8217;t distribute recordings (though lawyers and journalists may make recordings for their own use). However, &#8220;Members of the public are not permitted to use electronic devices in the courtroom unless the presiding judge orders otherwise.&#8221; In other words, the rules of section 136 of the Courts of Justice Act continue to apply to the general public, as they will apply to photography by those who have the general permission noted above.   top       6 States Bar Employers From Demanding Facebook Passwords   (Wired, 2 Jan 2013) &#45; California and Illinois on Tuesday joined four others in becoming the union&#8217;s only states barring employers from demanding that employees fork over their social&#45;media passwords. Congress unsurprisingly couldn&#8217;t muster the wherewithal to approve the Password Protection Act of 2012, so a handful of states have taken it upon themselves. The new laws come amid reports nationwide that employers were demanding access to their employees&#8217; or potential employees&#8217; personal, non&#45;public data on Facebook, Twitter and other social&#45;media accounts. Facebook, too, said in March that it noticed an increase in complaints about employers demanding &#8220;inappropriate access&#8221; to Facebook accounts. California&#8217;s and Illinois&#8217; laws took force Tuesday, the first day of the year. Michigan&#8217;s and New Jersey&#8217;s became active last month and Maryland&#8217;s, in October. Delaware&#8217;s measure became law in July.   top           Punishing Hackers Even When They Do No Damage   (Steptoe, 3 Jan 2013) &#45; The U.S. District Court for the Northern District of Illinois has held, in Chadha v. 
Chopra, that a party suing under the Stored Communications Act (SCA) can recover punitive damages and attorneys&#8217; fees without having to prove actual damages. The court noted that federal courts are split over whether a party must prove actual damages in order to recover statutory damages under the SCA. However, the court held that the statutory language also provides for recovery of punitive damages, and does not require proof of actual damages as a prerequisite to an award of punitive damages and attorneys&#8217; fees. This will make it easier for victims to use civil suits to go after hackers.   top       Stored Communications Act Does Not Protect Information Stored On Cell Phone   (Steptoe, 3 Jan 2013) &#45; The Fifth Circuit has held, in Garcia v. City of Laredo, that information stored on and accessed from a cell phone is not covered by the SCA. Accordingly, an employer who accessed the contents of plaintiff&#8217;s cell phone without authorization did not violate the statute. This is the latest in a string of decisions that declined to extend SCA protection to personal computers and cell phones, and limited it to data stored by an electronic communications service provider.   top        Most Popular Intellectual Property and Technology Law Blogs   (Barry Sookman, 3 Jan 2013) &#45; One of the best ways to stay on top of IP/Tech legal developments is by subscribing to blogs. In the IP/Tech field, there are many very good ones to choose from. Justia&#8217;s BlawgSearch lists and ranks many of them. I subscribe to over 90. Over the holidays, and with the help of McCarthy Tetrault articling student Addison Cameron&#45;Huff, I ranked them by popularity. There is no perfect tool for conducting this type of evaluation. I relied on RSS subscriber counts using the RSS subscriber base of Google Reader, iGoogle and Google Desktop as a proxy. 
I also reviewed each site&#8217;s Google PageRank and Alexa rank which were somewhat helpful in confirming or determining popularity. Set out below is a listing of legal IP/Tech blogs ordered by popularity and geography as follows: (1) Top 10 blogs worldwide; (2) Canada; (3) UK/Australia and other Commonwealth countries; (4) EU; and (5) US.   top        California Rules on Ethics of Social Media Postings   (Robert Ambrogi, 3 Jan 2012) &#45; Would you consider it ethical for a lawyer to post the following to a social media site such as Facebook: &#8220;Another great victory in court today! My client is delighted. Who wants to be next?&#8221; In California, that post would violate the Rules of Professional Conduct, according to a recent ethics opinion issued by the State Bar of California&#8217;s Standing Committee on Professional Responsibility and Conduct. The opinion, issued late in December, considered the following issue:  Under what circumstances would an attorney&#8217;s postings on social media websites be subject to professional responsibility rules and standards governing attorney advertising?  More specifically, it considered five actual posts by an attorney to a social media site that, although not identified as such, sounds to have been Facebook. According to the opinion, the site was one where &#8220;only individuals whom the Attorney has approved to view her personal page may view this content.&#8221; It went on to say that the attorney had about 500 approved contacts, or &#8220;friends,&#8221; who were a mix of personal and professional acquaintances, &#8220;including some persons whom Attorney does not even know.&#8221; The ethics panel hinged its analysis on Rule 1&#45;400 of California&#8217;s Rules of Professional Conduct. 
The ethics panel concludes its opinion with this summary:  Attorney may post information about her practice on Facebook, Twitter, or other social media websites, but those postings may be subject to compliance with rule 1&#45;400 if their content can be considered to be &#8220;concerning the availability for professional employment.&#8221; Such communications also may be subject to the relevant sections of California Business and Professions Code sections 6157 et seq.    top        Defendant Not Entitled to &#8220;Delve Carte Blanche&#8221; Into Plaintiff&#8217;s Social Media Accounts   (InfoLawGroup, 4 Jan 2013) &#45; A federal court in Montana has held that a plaintiff in an insurance dispute was protected from having to turn over all of her social media content to her litigation opponent. The court&#8217;s decision helps define the contours of discoverable information in cases involving social media evidence. Plaintiff was injured in an auto accident and sued defendant insurance company after it refused to pay medical bills. Defendant served a production request seeking, among other things, &#8220;a full printout of all of [plaintiff&#8217;s] social media website pages and all photographs posted thereon . . . from August 26, 2008 to the present.&#8221; Plaintiff objected to the request on grounds it was overly burdensome and harassing. Defendant moved to compel production of the social media content. The court denied the motion. The court examined a number of recent decisions in which litigants have sought broad access to their opponents&#8217; social media content. It noted that  Romano v. Steelcase, Inc.   , 907 N.Y.S.2d 650 (N.Y. Sup. Ct. 2010) demonstrated how social media evidence may be relevant to claims involving a plaintiff&#8217;s alleged injuries. And it looked to E.E.O.C. v. Simply Storage Management, LLC , 270 F.R.D. 430 (S.D. Ind. 
2010) to observe that such material is not protected from discovery merely because a party deems the content &#8220;private.&#8221; Defendant argued that because plaintiff alleged a &#8220;host&#8221; of injuries, her social media accounts &#8220;may very well undermine or contradict&#8221; those allegations. But defendant could not point to any publicly available content (e.g., photos showing plaintiff engaging in strenuous activity) to support that contention. The court found defendant had not come forward with evidence that plaintiff&#8217;s public postings undermined her personal injury claims. Guided by  Tompkins v. Detroit Metropolitan Airport   , 278 F.R.D. 387 (E.D. Mich. 2012), which held that one does not have a &#8220;generalized right to rummage&#8221; through his or her opponents&#8217; social media content, the court held that defendant was not &#8220;entitled to delve carte blanche into the nonpublic sections of [plaintiff&#8217;s] social networking accounts.&#8221; [case is Keller v. National Farmers Union Property &amp;amp; Cas. Co., 2013 WL 27731 (D. Mont. January 2, 2013)]   top    &#45; and &#45;           Handling Disputes Over Access To Employee Social Network Accounts   (MLPB, 9 Jan 2013) &#45; Zoe Argento, Roger Williams University School of Law, has published Whose Social Network Account? A Trade Secret Solution to Allocating Rights as Roger Williams University Legal Studies Paper No. 131 (to be published in Michigan Telecommunications and Technology Law Review). Here is the abstract.  Who has the superior right to a social network account? This is the question at issue in the growing number of disputes between employers and workers over social network accounts. The problem has no clear legal precedent. Although the disputes implicate rights under trademark, copyright and privacy law, these legal paradigms fail to address the core issue. 
At base, disputes over social network accounts are disputes over the right to access the account&#8217;s followers &#45; the people, sometimes numbering in the tens of thousands, who follow an account. This article evaluates the problem from the perspective of the public interest in social network use, particularly in use that blurs professional and personal roles. The article argues that the public interest is best served by resolving these disputes under a trade secret approach.    top            Postal Service to Host Cloud&#45;Based Public&#45;Private ID Protection Network   (NextGov, 4 Jan 2013) &#45; The U.S. Postal Service has been tapped to manage a yearlong trial of technology that ultimately should allow citizens to securely register for online services at multiple agencies&#8212;without obtaining multiple passwords and other digital identification for each service. Within days USPS is expected to begin hiring one or more cloud companies to host the simplified access network, according to a government notice . The so&#45;called Federal Cloud Credentialing Exchange, or FCCX, will act as a middleman between agencies and approved  popular ID providers, such as Verizon  and PayPal, that already have verified the identities of many citizens for e&#45;commerce transactions, federal officials said this week. If this service works, one day a person might be able to change an address online by logging on to USPS.gov with the same passcode or smart card that person uses to file taxes through IRS.gov and buy books from Amazon.com. The exchange is meant to be part of a larger public&#45;private movement. So far, agencies have stumbled leading the country on a likely decade&#45;long endeavor, called the National Strategy for Trusted Identities in Cyberspace, to ensure Internet users are who they say they are when interacting online. 
One concern is that the strategy relies on trusting an embryonic industry of nongovernment &#8220;credential providers&#8221; to certify sensitive personal information. To soothe nerves, the Obama administration in November 2012 decided to start small, only at the Postal Service, with a model that can be scaled up government wide later, according to a draft work order .   top            Dinosaur Alert: Irish Newspapers Desperately Trying to Charge for Links   (PaidContent, 4 Jan 2013) &#45;There&#8217;s plenty of experimentation going on in the media business when it comes to finding new methods of monetizing content: leaky paywalls at the New York Times  and others, API licensing at The Guardian , membership models like the one Andrew Sullivan just launched , and so on. Irish newspapers, however, would apparently prefer to just charge people for linking to their content &#45; as much as 300 Euros for each link. In  a statement released on Friday  , the country&#8217;s newspaper industry also confirms that it is lobbying to have Irish copyright laws define links as copyright infringement. This fight has been going on behind the scenes for some time, but recently came to light when Irish lawyer Simon McGarr  wrote about attempts by the Irish newspaper industry&#8217;s  licensing body to charge one of his clients (a charity called Women&#8217;s Aid) a fee for linking to newspaper content. According to McGarr, the newspaper licensing group told the charity it had to pay  an annual license fee: 300 Euros for one to 5 links, 500 Euros for 6 to 10 links &#45; with a sliding scale extending all the way to 50 links, which would theoretically cost the charity 1,350 Euros. 
According to the licensing body: &#8220;a licence is required to link directly to an online article even without uploading any of the content directly onto your own website.&#8221;  Not surprisingly, this position has been ridiculed by a number of media&#45;industry observers, including journalism professors Jay Rosen  and Jeff Jarvis , as well as George Brock  of City University in London &#45; some Irish journalists have even apologized on Twitter for their country&#8217;s behavior. But in a press release on Friday, the group that represents most of Ireland&#8217;s papers  maintained that it has every right to charge websites  for links, and that it believes linking to newspaper content for commercial purposes should constitute copyright infringement. [Polley: some evidence of slight retreat on 9 Jan here  .]   top        Privacy Plaintiffs in Deep Packet Inspection Case Get No Love From the Tenth Circuit   (Eric Goldman&#8217;s blog, 7 Jan 2013) &#45; This is an appeal from one of the many lawsuits against IAPs for implementing the ill&#45;fated NebuAd &#8220;deep packet inspection&#8221; system. Here&#8217;s my post on the district court grant of summary judgment in favor of Embarq: Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment . Plaintiffs do not fare any better in their appeal. On the factual side, plaintiffs were not able to develop any evidence that (1) Embarq obtained or utilized any of the data extracted by NebuAd, or (2) the flow of data through Embarq&#8217;s system differed in any way from how data typically flowed through Embarq&#8217;s system (the big exception being that the data was routed in a way that allowed NebuAd to extract data regarding plaintiffs). 
Canvassing the ECPA&#8217;s legislative history and context, and the fact that there&#8217;s no general federal statutory liability for aiding and abetting (absent a clear Congressional directive), the court says that Embarq cannot be held liable for any alleged ECPA violations of NebuAd. Thus, the court looks to see if Embarq violated the ECPA directly. With respect to whether Embarq itself &#8220;intercepted&#8221; plaintiffs&#8217; communications, the court notes the clunky application of the term &#8220;intercept&#8221; to the facts. &#8220;Interception&#8221; is defined as the &#8220;acquisition&#8221; of a communication&#8217;s &#8220;contents,&#8221; but the line between &#8220;access&#8221; and &#8220;acquisition&#8221; is murky at best. The court instead relies on the portion of the definition of &#8220;device&#8221; that excludes any equipment &#8220;used by a provider of wire or electronic communication services in the ordinary course of its business.&#8221; Noting there was no dispute that Embarq only acquired the same access to the data that it had as an IAP, the court concludes that Embarq falls under this exception and can&#8217;t be held liable for intercepting plaintiffs&#8217; communications. Ouch. There were some mildly favorable facts to Embarq (the fact that it was paid an absurdly small amount of money for participating in the DPI test), but I still find the emphatic defense win somewhat remarkable. Kirch v. Embarq Management , No. 11&#45;3275 (10th Cir. Dec. 28, 2012)   top        The U.S. Fair Use Defense In Other Jurisdictions   (MLPB, 8 Jan 2013) &#45; Graeme W. Austin, Victoria University of Wellington, has published The Two Faces of Fair Use  at 25 New Zealand Universities Law Review 285 (2012). 
Here is the abstract:  Responding to suggestions that the &#8220;fair use&#8221; defence in US copyright law should be exported to other jurisdictions, this article scrutinises the different ways in which the defence has been applied in decisional law. Fair use cases fall into two broad categories. First, the defence has been applied to ensure that the exercise of the copyright monopoly does not significantly fetter downstream creativity by other authors. Here, the prevailing doctrine requires that the defendant&#8217;s use be genuinely &#8220;transformative&#8221;, which, at the very least, requires the defendant to be using the plaintiff&#8217;s work in new and creative ways &#45; transforming it into something new. Secondly, fair use has been applied to new technological innovations &#45; such as digital search engines &#45; that do not themselves transform the underlying works, but instead often provide new ways of disseminating copyright&#45;protected material. The paper argues that only the first use of the fair use defence is consistent with traditional fair use doctrine. Accordingly, if policy makers anticipate that fair use should be applied in a way that shields technological entrepreneurship from copyright litigation, they ought to make that clear. Even if that approach were adopted, however, it is questionable whether fair use litigation is an appropriate vehicle for facilitating technological development. The final part of the article explores some of the problems that might arise through this kind of &#8220;economic regulation through litigation.&#8221;    top        Originality in Photographs According to US Court of Appeals   (The 1709 blog, 9 Jan 2013) &#45; What is original (and is thus protectable) and what is not in a photograph? Questions like these have troubled copyright lawyers (and possibly courts, too) since the invention of photography itself. 
As this blogger learnt from  The Hollywood Reporter  , the First Circuit Court of Appeals has just delivered a decision  addressing this Hamlet&#8217;s dilemma, in little more than 6,000 words. The case is Donald A Harney v Sony Pictures Television, Inc, and A&amp;amp;E Television Networks, LLC , a fascinating appeal from the US District Court for the District of Massachusetts with an even more intriguing factual background. On a sunny spring day in 2007, freelancer Donald Harney snapped a photograph of a blonde girl in a pink coat riding piggyback on her father&#8217;s shoulders while leaving a Boston church on Palm Sunday. The picture became extremely well&#45;known, especially when it was revealed that the father portrayed therein was a German citizen who had assumed, amongst the others, the name Clark Rockefeller (real name: Christian Gerhartsreiter). A &#8220;professional&#8221; imposter who had passed himself off as a member of the high profile Rockefeller family and whose previous false identities included descendant of British royalty, Wall Street investment advisor and rocket scientist, Gerhartsreiter abducted his daughter during a parental visit (more on this story on Vanity Fair  here ). Harney&#8217;s photograph was thus used in an FBI &#8220;Wanted poster&#8221; and widely disseminated in the media. In 2010, Sony produced a TV film based on Rockefeller&#8217;s identity deception and entitled Who is Clark Rockefeller?  (trailer available here ). This included an image that resembled, as far as pose and composition were concerned, Harney&#8217;s photograph, although a number of details were different. Harney thought of bringing an action for copyright infringement against Sony, but the district court eventually dismissed it. According to Circuit Judge Lipez, Harney&#8217;s photo and the image displayed in the film shared several important features. 
However, copying another&#8217;s work does not invariably constitute copyright infringement, as it is permissible to mimic the elements which cannot be protected because unoriginal. The inquiry into substantial similarity embraces two different types of scrutiny * * *. [Polley: for an egregious similar example under UK law, see MIRLN 15.02&#8217;s &#8220;  Similar but Not Copied; Image Found to Breach Copyright  &#8220;.]   top            Anonymous Petitions U.S. to See DDoS Attacks as Legal Protest   (CNET, 10 Jan 2013) &#45; It&#8217;s hard to imagine a group that adheres to anarchic ideology would want its actions legalized under U.S. law. But that is exactly what Anonymous is doing. The loose&#45;knit group of hackers submitted a petition to President Obama this week asking that distributed denial&#45;of&#45;service attacks be recognized as a legal form of protest. The petition , which is posted on the White House&#8217;s &#8220;We the People&#8221; Web site, claims that DDoS attacks are not illegal hacking but rather a way for people to carry out protests online. Similar to the Occupy movement when protesters pitched tents in public spaces, the petition says DDoS attacks also occupy public spaces in order to send a message. Anonymous has claimed responsibility for many DDoS attacks over the years, the majority of which had political overtones. For example, in an effort to defend WikiLeaks in 2010, the hacking group launched a slew of DDoS attacks  on companies, government agencies, and organizations it believed to be &#8220;impairing&#8221; WikiLeaks&#8217; efforts to release classified information. This year, Anonymous has also led DDoS campaigns against Syrian government Web sites  for the government&#8217;s alleged shutdown of the Internet; and it has conducted a &#8220;cyberwar&#8221; against the Israeli government  in protest of government attacks on Gaza.   
top       RESOURCES    EFF&#8217;s Guide to CDA 230: The Most Important Law Protecting Online Speech   (EFF, 6 Dec 2012) &#45; In 1996, while debating the intricacies of a bill that would massively overhaul the telecommunications laws of the United States, two astute Congressmen introduced an amendment that would allow the Internet to flourish. The amendment&#45;which would become Section 230 of the Communications Decency Act  (CDA 230)&#45;stated that &#8220;No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.&#8221; In other words, online intermediaries that host or republish speech&#45;blogs, review sites, social networks, and more&#45;are protected against a range of laws that might otherwise be used to hold them legally responsible for what others say and do. CDA 230 is crucial to the free flow of expression online. While the rest of the Communications Decency Act, an attempt by the government to regulate indecent content online, was found unconstitutional by the courts, Section 230 survived. As Judge Wilkinson put it in the seminal CDA 230 case, Zeran v. America Online , &#8220;Section 230 was enacted, in part, to maintain the robust nature of Internet communication, and accordingly, to keep government interference in the medium to a minimum.&#8221; Websites could edit, filter, and screen content if they wanted without being held liable for the content itself. To better inform everyone on the Internet of the importance of this law, we have created an extensive guide to CDA 230 . We feel that it is crucial for everyone to familiarize themselves with the fundamental laws protecting free speech online, whether you&#8217;re a lawyer, innovator, student, entrepreneur, policymaker, or simply an Internet user. Why? 
Well, despite the fact that courts have affirmed time and time again how crucial CDA 230 is, states have attempted to pass laws that undercut its authority. One prominent example is in Washington state, where the state legislature attempted to make online service providers criminally liable for providing access to content posted by third parties. EFF, on behalf of the Internet Archive, successfully challenged  the statute on CDA 230 and constitutional grounds, obtaining a preliminary injunction from a federal judge in July and obtaining an agreement today  from the state to permanently enjoin the statute&#8217;s enforcement. We&#8217;re strong believers in the idea that a safe future for civil liberties rests in the hands of an educated and informed public. With that in mind, check out our new guide to CDA 230 . Not only will it inform you about the basics of the law, but it has some pretty nifty features: (1) Key Legal Cases ; (2) Legislative History ; (3) EFF Involvement ; (4) CDA 230 Successes ; and (5) Infographic: CDA 230&#8217;s Importance .   top       LOOKING BACK &#45; MIRLN TEN YEARS AGO   (note: link&#45;rot has affected about 50% of these original URLs)   ABA RELEASES NEW SURVEY OF LAWYERS&#8217; TECHNOLOGY USAGE (ABA, 17 Sept 2003)&#8212;Lawyer use of technology to provide legal services in the United States is nearly universal. More than 98 percent of respondents to the ABA&#8217;s 2002 Legal Technology Survey indicated that they used a computer for work&#45;related tasks. The survey is a comprehensive look at how the legal profession uses technology. More than 3,000 ABA members in private practice in the U.S. returned questionnaires relating to law office computing, litigation and courtroom technology, and Web and communications. The survey covers issues including technology training, budgeting, hardware and software purchases, as well as where and how lawyers use technology. 
Lawyers continue to adopt technologies common in other industries, underscoring the similar business needs lawyers have with other professions. More than 40 percent of respondents use personal digital assistants, up 10 percent from the 2001 survey. Nearly 20 percent use a laptop as their primary computer, and more than two&#45;thirds have access to a laptop on a temporary basis. Wireless networking is slowly gaining ground, particularly among solo lawyers, of whom 6 percent report using WiFi. Broadband access is increasingly popular, with 29 percent of respondents indicating they used DSL and 25 percent using a T1 line. Only 3 percent use ISDN for Internet access, and 2 percent use a wireless connection. Fewer than 2 percent of lawyers use computers with a Macintosh operating system. Linux and Unix hold a similar slice of law firm network operating systems. Microsoft accounts for the majority of networks, with just over 14 percent of law firms still using Novell. There appear to be more law firms with local area networks this year, with 79 percent of firms indicating they have a LAN, up from 71 percent in 2001. Surprisingly, fewer than half of the law firms responding to the survey had policies regarding acceptable use of internal e&#45;mail of computers. Just over 40 percent had disaster recovery or business continuity plans, despite an increased awareness in the susceptibility of businesses to terrorism and other threats. The legal profession remains document&#45;centric, with word processing software available at 96 percent of law firms, although it&#8217;s only used personally by 66 percent of lawyers. E&#45;mail software is also a staple of the modern lawyer, available at 93.5 percent of firms, and personally used by 73 percent of respondents. Microsoft Word continues as the leading word processor in law firms, in use by 72.5 percent of respondents, with 43.5 percent using Corel WordPerfect. 
http://www.abanet.org/media/sep03/091703.html    top    COURT SETS TEST FOR E&#45;DISCOVERY REQUESTS (BNA&#8217;s Internet Law News, 15 May 2003)&#8212;A New York court has sought to establish a new test for e&#45;discovery requests. The court said that while most courts rely on considerations such as the specificity of the request, the likelihood of discovering critical information, the availability of the information from other sources, the purpose for which the data is kept, the relative benefits to the parties, the costs, and the ability of each side to pay those costs, it would add to the list of considerations of &#8220;the amount in controversy&#8221; and the &#8220;issues at stake in the litigation.&#8221; Case name is Zubulake v. UBS Warburg. http://www.law.com/jsp/article.jsp?id=1052440727620    top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2013-01-11T15:16:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 1&#45;22 December 2012 (v15.17)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_1_22_december_2012_v1517/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_1_22_december_2012_v1517/#When:16:03:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 1&#45;22 December 2012 (v15.17) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | PODCASTS  | BOOKS  | DIFFERENT  | LOOKING BACK  | NOTES    TOR Operator Charged for Child Porn Transmitted Over His Servers    DHS Cybersecurity Insurance Workshop: Defining Challenges to Today&#8217;s Cybersecurity Insurance Market    ITU Packet Inspection Standard Raises Serious Privacy Concerns    America&#8217;s Increasing Obsession with Social Media Driving Law Firm Business    Why Cybersecurity Matters    The 21st Century Legal Retainer Agreement    Civil Litigation: A Better Way to Improve Cybersecurity?    Ponemon Study Reveals Ninety&#45;Four Percent of Hospitals Surveyed Suffered Data Breaches    Timeline of NSA Domestic Spying    Can Legal Publishers Collaborate With Blogs?    To Yelp Or Not To Yelp? Lawsuit Puts The Chill On Bad Reviews    Two More Cases Hold That Anti&#45;SLAPP Laws Protect Consumer Reviews    Copyright in Tattoo Case    Judge Scheindlin Helps Demystify Foreign E&#45;Discovery    AAA Launches Tool to Create ADR Clauses    The State of Intellectual Property Around the World    Disability Access: Law and Policy    Will Pennsylvania Shut Down the Free Internet?    
&#8216;Non&#45;Harmful&#8217; Phone Spoofing OK, Appeals Court Says    Chicago Area Courts Ban Electronic Devices, For Some    Service by Email Comes to Illinois    Fourth Circuit Limits Marital Communications Privilege for Email    Texas Lawyer Sues the State over His Blog&#8217;s Name and Wins    Copyright Levies On Electronics Devices &#45; 2012 Developments    Feds Can Keep Data of Innocent Citizens for Five Years    UK Copyright Reform Affects Fair Use, Format&#45;shifting and Big Data    Court Gives Cold Shoulder to Hot Yoga, Finding Yoga Sequences Not Copyrightable    HLS1x: Copyright    Devil&#8217;s in the Small Print             TOR Operator Charged for Child Porn Transmitted Over His Servers   (ArsTechnica, 29 Nov 2012) &#45; An Austrian operator of Tor servers&#45;that were used to anonymously route huge amounts of traffic over the Internet&#45;has been charged with distributing child pornography. This comes after police detected illegal images traversing one of the nodes he maintains. William Weber, a 20&#45;year&#45;old IT administrator in Graz, Austria, said nine officers searched his home on Wednesday after presenting him with a court order charging him with distribution and possible production of child pornography. The crimes carry penalties of as many as 10 years in prison. Police from the Styrian Landeskriminalamt, which has jurisdiction over the Austrian state of Styria, confiscated 20 computers as well as a game console, iPads, external hard drives, USB thumb drives, and other electronics. Evidence cited in the document showed that one of seven Tor Project  exit nodes he operated transported illegal images. Short for the onion router, Tor was designed by the US Naval Research Laboratory as a way to cloak the IP addresses and contents of people sending e&#45;mail, browsing websites, and doing other online activities. 
It is regularly used by political dissidents, journalists, law enforcement officers, and criminals who want to keep their online activities private. Tor works by encrypting a user&#8217;s Internet traffic multiple times and funneling it through a dedicated server with its own IP address. The data is then passed to a second server, which decrypts one layer of the encryption before passing it to a third server. At that point the data is converted to its original form and sent to its final destination. Tor&#8217;s onion&#45;like architecture makes it infeasible for the contents to be intercepted by third parties, except by those monitoring an exit node. Even then, it&#8217;s hard to know where the traffic originated. Weber isn&#8217;t the first operator of a Tor node to land in hot water as a result of the traffic traversing his server. In 2007, German police raided the home of a Dusseldorf man  after bomb threats allegedly passed through his Tor server. Last year, a separate Tor operator said police confiscated hardware and software  after someone misused his exit node. During an interview with police later on Wednesday, Weber said there was a &#8220;more friendly environment&#8221; once investigators understood the Polish server that transmitted the illegal images was used by Tor participants rather than by Weber himself. But he said he still faces the possibility of serious criminal penalties and the possibility of a precedent that Tor operators can be held liable if he&#8217;s convicted. &#8220;Sadly we have nothing like the EFF here that could help me in this case by legal assistance, so I&#8217;m on my own and require a good lawyer,&#8221; he wrote in a blog post seeking donations .   
top        DHS Cybersecurity Insurance Workshop: Defining Challenges to Today&#8217;s Cybersecurity Insurance Market   (30 Nov 2012) &#45; Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce Internet Policy Task Force has described cybersecurity insurance as a potentially &#8220;effective, market&#45;driven way of increasing cybersecurity&#8221; because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured&#8217;s level of self&#45;protection; and limiting the level of losses that companies face following a cyber attack.1 Given this hope, many carriers and companies would like the cybersecurity insurance market to expand into new cyber risk areas to cover currently uninsurable risks such as cyber&#45;related critical infrastructure failures, reputational damage, and the value of lost intellectual property and other proprietary data. Despite the appeal of cybersecurity insurance in a world where news of cyber attacks is an almost daily occurrence, the cybersecurity insurance market today faces significant challenges. While a sizable third&#45;party market exists to cover losses suffered by a company&#8217;s customers, first&#45;party policies that address direct harms to companies themselves remain expensive, rare, and largely unattractive. 
Observers blame several factors for this phenomenon, including: (1) a lack of actuarial data which results in high premiums for first&#45;party policies that many can&#8217;t afford; (2) the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks; and (3) fear that a so&#45;called &#8220;cyber hurricane&#8221; will overwhelm carriers who might otherwise enter the market before they build up sufficient reserves to cover large losses. Traditional insurance coverage issues such as moral hazard and adverse selection likewise play a part in discouraging market entry by these carriers. Evolving the cybersecurity insurance market to one that offers more coverage to more insureds at lower prices therefore depends on two key factors: (1) the development of common cybersecurity standards and best practices; and (2) a clearer understanding of the kinds and amounts of loss that various cyber incidents can cause. [Polley: I cannot find a public URL for this, so am sharing my copy thru my Dropbox folder. This is a very interesting report, with much useful information.]     top          ITU Packet Inspection Standard Raises Serious Privacy Concerns   (InfoWorld, 30 Nov 2012) &#45; The UN&#8217;s telecommunications standards organization has approved a standard for deep packet inspection (DPI) that raises serious concerns about privacy, the Center for Democracy and Technology said. That the ITU&#45;T is showing an interest in deep packet inspection suggests some governments hope for a world where even encrypted communications may not be safe from prying eyes, according to the CDT. 
The adoption of the standard&#8212;officially known as &#8220;Requirements for Deep Packet Inspection in Next Generation Networks&#8221; or &#8220;Y.2770&#8221;&#8212;happened last week during the World Telecommunication Standardization Assembly (WTSA), which is held every four years and defines what the ITU&#45;T should focus on. The biggest concern is that the standard holds very little in reserve when it comes to privacy invasion, the CDT wrote. &#8220;There is a general lack of attention to design considerations we think are important to Internet users, namely privacy and security. Obviously DPI has the potential to be an extremely invasive technology,&#8221; said Alissa Cooper, chief computer scientist at the CDT. The standard barely even acknowledges that there is a privacy risk at all, according to Cooper. &#8220;What we like to see, at the very least, is a thorough analysis of what the pros and cons are, and how you can build in mitigation for some of the more invasive aspects of the technology. But this has none of that,&#8221; Cooper said. For example, the standard document optionally requires DPI systems to support inspection of encrypted traffic, which is &#8220;antithetical to most norms, policies, and laws concerning privacy of communications,&#8221; the CDT wrote. The CDT&#8217;s concerns are backed by European digital rights group EDRi.   top        America&#8217;s Increasing Obsession with Social Media Driving Law Firm Business   (Kevin O&#8217;Keefe, 30 Nov 2012) &#45; Morrison &amp;amp; Foerster&#8217;s popular Socially Aware Blog, a LXBN network publication, is out this week with a thought&#45;provoking infographic that delves into Americans&#8217; increasing obsession with social media, along with their increasingly fractured attention spans. 
Some of the statistics MoFo has compiled might surprise you: The amount of time the average person spent monthly on social networking more than doubled between 2006 and 2011 &#45; from 2.7 hours to 6.9 hours. More than half of TV viewers are multi&#45;tasking in front of the tube: 61% of viewers surf the Internet while watching TV; 29% use Facebook while in front of the TV. Social media now accounts for 18% of time spent online. The fastest growing segments of social networking users are men of all ages and people over 55 years old &#45; both groups grew by more than 9% between July 2010 and October 2011. Facebook is the undisputed leader among social networking sites: Visitors spend an average of 6.75 hours on the site each month &#45; nearly twice the amount of time spent on Tumblr, Pinterest, Twitter, LinkedIn, and GooglePlus combined. The percentage of Americans who have a social&#45;networking profile has more than doubled in recent years &#45; from 24% in 2008 to 56% in 2012.   With some 15,000 subscribers, Socially Aware is a certified hit. The blog has generated major assignments for Morrison &amp;amp; Foerster, including representations for a leading media company, global manufacturer, major tech provider, multinational insurer and other clients in need of counsel for their own social media initiatives.   top       Why Cybersecurity Matters   (Stewart Baker, 2 Dec 2012) &#45; For those who think I&#8217;m a little paranoid on the subject of cybersecurity, I suggest this story &#45; a nightmare made in China for a small US businessman. Brian Milburn&#8217;s parental control software was pirated and used in China&#8217;s infamous Green Dam software. 
When he sued, hackers tied to the Chinese government attacked his networks relentlessly, nearly destroying his business: &#8220;For three years, a group of hackers from China waged a relentless campaign of cyber harassment against Solid Oak Software Inc., Milburn&#8217;s family&#45;owned, eight&#45;person firm in Santa Barbara, California. The attack began less than two weeks after Milburn publicly accused China of appropriating his company&#8217;s parental filtering software, CYBERsitter, for a national Internet censoring project. And it ended shortly after he settled a $2.2 billion lawsuit against the Chinese government and a string of computer companies last April. In between, the hackers assailed Solid Oak&#8217;s computer systems, shutting down web and e&#45;mail servers, spying on an employee with her webcam, and gaining access to sensitive files in a battle that caused company revenues to tumble and brought it within a hair&#8217;s breadth of collapse.&#8221;  There are two particularly interesting, and troubling, aspects of the story. First, the hackers immediately attacked Milburn&#8217;s law firm as well as his company. This tactic is now part of the standard playbook for China&#8217;s hackers, but US law firms have not fully adapted to the threat. (emphasis added)   top       The 21st Century Legal Retainer Agreement   (Ride the Lightning, 3 Dec 2012) &#45; How times have changed. Once upon a time, lawyers and clients entered into a representation agreement based on a handshake. Today, that same agreement might result in an ethics complaint against the lawyer for failing to commit his fees to writing, or worse, a refusal by the client to pay the bill based on claims that the lawyer never did all the work he promised. 
Whether you call it a Retainer Agreement, Engagement Letter, Fee Agreement, Representation Agreement or something else, the contract between lawyer and client entered into at the outset of the relationship sets forth the terms of price of services to be rendered by the lawyer. But today, Retainer Agreements must do more than simply state terms of service and price. In the 21st Century, more lawyers seek to charge flat fees for ongoing work, and must comply with applicable ethics rules. Lawyers may need to inform clients of other matters &#45; outsourcing, data storage or acceptance of payment by credit card. At the same time, some lawyers deliver legal services entirely online or may ask a client to execute an agreement on an iPad. In these cases, short retainer agreements that get to the heart of the matter in a couple of sentences are preferable to a lengthy lawyerly tome. Today&#8217;s clients are different too. They&#8217;re accustomed to consuming information disseminated in sound&#45;bites and 140&#45;character streams and consequently, lack the attention span to read through a seven page retainer agreement. Clients also have access to all sorts of simple online forms, which has changed their perception of what a legal document should look like. For many clients, a lengthy retainer can be intimidating and off&#45;putting; an added hurdle to hiring a lawyer instead of going with a DIY (do&#45;it&#45;yourself) product. Below is a checklist of topics that you may want to consider addressing in your retainer agreement, along with a few sample clauses * * *   top        Civil Litigation: A Better Way to Improve Cybersecurity?   (NetworkWorld, 4 Dec 2012) &#45; A precedent&#45;setting case in the world of electronic banking points to a better method for securing the nation&#8217;s critical infrastructure from cyberattack, according to a former Department of Homeland Security (DHS) official. 
Paul Rosenzweig, former assistant secretary for policy at DHS and founder of Red Branch Law &amp;amp; Consulting, said the recent settlement in Patco Construction v. People&#8217;s United Bank shows how civil litigation can force banks to improve their online security practices. And if that can happen in the financial industry, it can also happen with a critical infrastructure operator, he said, and be more effective than federal cybersecurity legislation or regulation. &#8220;In the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly&#8212;imposing costs on those who stint their cybersecurity efforts in an unreasonable manner,&#8221; Rosenzweig wrote in a recent post on Lawfare . In the Patco case, the company, a small property development and contractor in Sanford, Maine, sued People&#8217;s United for authorizing six fraudulent withdrawals from its account in May 2009, totaling $588,851, even after the bank&#8217;s security system had flagged each transaction as high&#45;risk. The fraudulent transactions&#8212;six over seven days&#8212;came from a computer that had never been used before by Patco, from an IP address not recognized as from Patco, and were for amounts greater by several magnitudes than any Patco had made to third parties before. The money was going to people Patco had never before paid. The bank was able to block or recover $243,406 of that total. The First Circuit U.S. Court of Appeals ruling on July 3  was the first time a federal court found that a bank&#8217;s electronic transaction security procedures failed to meet the standard required under the Uniform Commercial Code (UCC) as &#8220;commercially reasonable,&#8221; putting the bank on the hook for losses due to fraud.   
top        Ponemon Study Reveals Ninety&#45;Four Percent of Hospitals Surveyed Suffered Data Breaches   (Data Breach Press, 6 Dec 2012) &#45; The  Third Annual Benchmark Study on Patient Privacy &amp;amp; Data Security    by Ponemon Institute, sponsored by ID Experts, reports that healthcare organizations face an uphill battle in their efforts to stop data breaches. Ninety&#45;four percent of healthcare organizations surveyed suffered at least one data breach during the past two years; and 45 percent of organizations experienced more than five data breaches each during this same period. Data breach is an ongoing operational risk. Based on the experience of the 80 healthcare organizations participating in this research, data breaches could be costing the U.S. healthcare industry an average of $7 billion annually. Leading causes were lost devices, employee mistakes, third&#45;party snafus, and criminal attacks. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices&#45;such as mammogram imaging and insulin pumps&#45;which hold patients&#8217; protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, especially as mobile and cloud technology become pervasive in healthcare. [Polley: I&#8217;d bet the other 6% just don&#8217;t know they&#8217;ve been breached. Kinda like the response law firms gave a few years ago.]   top       Timeline of NSA Domestic Spying   (EFF, 6 Dec 2012) &#45; All of the evidence found in this timeline can also be found in the Summary of Evidence  we submitted to the court in Jewel v. NSA. It is intended to recall all the credible accounts and information of the NSA&#8217;s domestic spying program  found in the media, congressional testimony, books, and court actions. 
For a short description of the people involved in the spying you can look at our Profiles page , which includes many of the key characters from the NSA Domestic Spying program. [Polley: from December 2012 stretching back to the FISA law in 1978, and a bit further. Entries on the timeline have pop&#45;out annotations, and links to more. If you&#8217;re unfamiliar with Orwell&#8217;s 1984, you should read it, and this, while you can.]   top       Can Legal Publishers Collaborate With Blogs?     (Kevin O&#8217;Keefe, 7 Dec 2012) &#45; Amanda Hirsch, (@amanda_hirsch) the editor of Collaboration Central and former editorial director of PBS.org, shares  that J&#45;Lab (Institute for Interactive Journalism) just released the results of its three&#45;year Networked Journalism pilot project that called for eight newspapers to network with local blogs. In its report, Networked Journalism: What Works , J&#45;Lab&#8217;s executive director, Jan Schaffer, (@janjlab) outlines the problem the project was designed to explore:  &#8220;With U.S. newspapers losing more than 42,000 journalists since 2007, local news coverage has suffered. At the same time, hundreds of local blogs and news sites have launched in their markets &#8230; What role can traditional news organizations play not only to expose their audiences to more news than they themselves can deliver, but also to connect new sources of information rising throughout their communities?&#8221;  Per Hirsch, Schaffer concluded for a partnership between community blog partners and a legacy newsroom to work, two things are needed.  
First, &#8220;it is the responsibility of the hub news organization to provide their news networks with enough visibility and outbound links to drive traffic to their partners&#8217; sites.&#8221; And second, &#8220;it is the responsibility of the community news partners to post frequently enough to be robust participants and to nab the visibility &#45; either on the network page or the home page &#45; that would bring them traffic.&#8221;  It turns out networked publishing did work, especially in communities such as Seattle and Portland where there was a robust blogging community. Networked publishing in the law can work for the exact same reason as in news publishing. The number of legal journalists is shrinking. So are the number of publications. At the same time the community of law bloggers is skyrocketing. LexBlog&#8217;s LXBN Network  alone has over 7,000 lawyer authors, including almost 70% of the AmLaw 200 law firm blogs. Though the lawyers may not be trained journalists they are experts in the areas on which they blog. Not only do they know the law, but as part of their jobs they are addressing practical issues in their area of law on a daily basis. Who better than to report and comment than those located where the rubber meets the road?   top            To Yelp Or Not To Yelp? Lawsuit Puts The Chill On Bad Reviews   (NPR, 9 Dec 2012) &#45; The next time you&#8217;re about to post a scathing review of a business on a site like Yelp or Angie&#8217;s List, you might want to think twice. This week, a housing contractor named Christopher Dietz sued a former customer for $750,000 in defamation charges for what she wrote in a review on Yelp. Jane Perez wrote that there was damage to her home and that jewelry was missing after she&#8217;d had work done from Dietz&#8217;s company, Dietz Development LLC. On Thursday, a judge took the unusual step of ordering Perez to take down parts of those reviews . 
While this  isn&#8217;t the first lawsuit  of this type, Santa Clara University law professor Eric Goldman tells NPR&#8217;s Rachel Martin that these cases are, so far, uncommon, because online reviews are still such a new area. &#8220;We&#8217;re still developing the rules about how to deal with consumer reviews,&#8221; Goldman says. He also says often the economics of litigation don&#8217;t support lawsuits for a single, negative review. The reality, Goldman says, is that it is extremely unlikely that a single review costs a business anything. &#8220;My perspective is that any individual review is not credible, but the aggregate affect of the reviews ... tend to paint a pretty accurate picture,&#8221; he says. A Harvard study  in 2011 showed that a one&#45;star increase on Yelp leads to a 5 to 9 percent increase in revenue. That potential revenue bump gives businesses all the more reason to fiercely protect their online reputation. The lawsuit itself, Goldman says, is a reminder that even though we have the freedom to voice our opinions on the Internet, we also own those words and can be held responsible for them. &#8220;Most people don&#8217;t realize that they&#8217;re betting their house ... every time they put their opinions out into the public discourse,&#8221; he says. &#8220;When people realize that, it becomes incredibly inhibiting.&#8221;   top    &#45; and &#45;          Two More Cases Hold That Anti&#45;SLAPP Laws Protect Consumer Reviews   (Eric Goldman, 13 Dec 2012) &#45; Every anti&#45;SLAPP law is worded differently, but some statutes protect statements on &#8220;matters of public interest,&#8221; &#8220;issues of public concern&#8221; or something similar. 
This language usually doesn&#8217;t explicitly reference consumer reviews of marketplace offerings, but my position is that consumer reviews should categorically qualify as matters of public interest because they help consumers make better marketplace choices, and society benefits from more efficient marketplaces. Typically &#45;&#45; but not always &#45;&#45; courts have reached this result, but sometimes with more drama than necessary. Thus, it&#8217;s nice to see two clean rulings finding that consumer reviews qualify for anti&#45;SLAPP protection * * *   top           Copyright in Tattoo Case   (CMLP, 10 Dec 2012) &#45; A tattoo artist sued THQ, Inc., the makers of an Ultimate Fighting Championship (UFC) themed video game, for copyright infringement. The artist tattooed a lion on fighter Carlos Condit&#8217;s torso, and claims that it was his original creation. ( Complaint  at 12.) The artist alleges that he created the original design, and owns a registration for the copyright to the design. ( Compl. at 16.) He claims that by using the work in a video game, depicting Carlos Condit, THQ infringed upon his copyright in the work. A press release  issued by the firm representing the artist, Christopher Escobedo, states:  &#8220;People often believe that they own the images that are tattooed on them by tattoo artists,&#8221; explains Speth [Escobedo&#8217;s attorney]. &#8220;In reality, the owner of the tattoo artwork is the creator of the work, unless there is a written assignment of the copyright in the tattoo art.&#8221; Escobedo and Condit never had a written agreement. Thus, claims Escobedo in the lawsuit, he remains the owner of the copyright over the image he drew.  Nothing in this statement is false, but that doesn&#8217;t mean that this gets you to the correct answer. Here is the correct answer: * * * 2. Fair Use:  I see very little room to argue that THQ&#8217;s use is not fair use. THQ has the right to use Condit&#8217;s likeness. 
That likeness happens to have been augmented with someone else&#8217;s copyrighted work. The copyright owner can no sooner prohibit this use than he can prohibit me from using it demonstratively as I have in this piece (doubly so, since I clipped it from his complaint). THQ can&#8217;t accurately depict Condit without the tattoo. THQ can not be prohibited from depicting Condit accurately, just because the artist wants more money. That said, there might be some theoretical  claims, but not against THQ. Condit himself might (I stress MIGHT) have some liability. This is a highly theoretical argument &#45; but I presume that Condit got paid for the right to use his likeness in the video game. Let&#8217;s say that the agreement has a clause that states that Condit has the legal ability to transfer or license all relevant rights. There *might* be an argument that Condit did not have the right to assign the rights to the ink, and thus the artist gets a portion of Condit&#8217;s profits. Again, theory here, and not likely. But, if I had to save the case, I&#8217;d argue that.   top       Judge Scheindlin Helps Demystify Foreign E&#45;Discovery   (Law.com, 10 Dec 2012) &#45; One of the most vexing problems for global companies and their lawyers is how to identify, collect, and use electronically stored information in e&#45;discovery without ending up in jail or facing huge fines. The most obvious problem is that countries have very different laws about personal privacy, often developed in reaction to their unique histories &#45; especially if that history included repressive regimes where personal information was used to identify and kill dissidents. 
At the Georgetown Advanced E&#45;Discovery Institute Friday panel, &#8220;First Do No Harm: Preserving and Admitting Foreign ESI,&#8221; panelists offered analysis and advice on this challenging topic, which becomes more difficult by the day as the world becomes increasingly &#8220;smaller&#8221; with the explosion of inexpensive mobile devices and communication options.   top       AAA Launches Tool to Create ADR Clauses   (Robert Ambrogi, 11 Dec 2012) &#45; The American Arbitration Association has launched ClauseBuilder , a web&#45;based tool designed to assist in drafting clear and effective arbitration and mediation agreements. The new tool provides parties with the AAA&#8217;s standard arbitration agreement, in addition to an array of options parties may consider when drafting ADR clauses, including specifying the number of arbitrators; arbitrator qualifications; locale provisions; governing law; the duration of arbitration proceedings; and whether to use arbitration, mediation, or both. As launched, ClauseBuilder can be used only to create commercial arbitration and mediation contracts. Future versions in development will address construction, international and employment contracts. ClauseBuilder can be used to create pre&#45;dispute ADR clauses to be included in contracts as well as clauses for existing disputes that parties would like to submit to arbitration or mediation. In addition to creating ADR clauses, ClauseBuilder will allow users to preview, edit, and archive their ADR agreements. ClauseBuilder is free to use. Once you indicate the type of clause you wish to create (e.g., commercial arbitration), it shows you the basic, standard language. From there, you can select from a number of options to modify the clause. How many arbitrators will a panel include? How will they be selected? What law will govern? To what extent will pre&#45;hearing discovery be allowed? What remedies will be available to the arbitrators? 
Must arbitrators provide a reasoned opinion? For these and other options, you simply click radio buttons to designate your preferences.   top        The State of Intellectual Property Around the World   (The Atlantic, 11 Dec 2012) &#45; Economies are slowing across the globe. But inventors across the globe apparently didn&#8217;t get that memo. Patent filings and grants have exploded in the past few years&#8212;fueled, in particular, by innovations coming out of, and into, China. And fueled, as well, by new fields&#8212;computer technologies, communications platforms&#8212;that invite inventors to make their marks on them. A new report  from the World Intellectual Property Organization &#8212;the IP arm of the United Nations&#8212;has documented that proliferation of patents (and trademarks, and industrial designs) as it&#8217;s played out on the world stage. And their findings are pretty staggering. The study tracks data as of 2011, detailing IP trends on a worldwide, and country&#45;by&#45;country, basis. And while the report lends itself to a major headline&#8212;that China&#8217;s patent office has ousted the United States&#8217;s as the world&#8217;s largest&#8212;the real story here is the fact that innovation, overall and officially, is on the rise. Around the world. The report itself is long and wonky. But it&#8217;s full of juicy stats. So here, below, are some of the juiciest. The current state of intellectual property, around the world and by the numbers: * * *   top       Disability Access: Law and Policy   (InsideHigherEd, 12 Dec 2012) &#45; Dan Goldstein, attorney for National Federation of the Blind, has recently published the clearest articulation to date of the relationship between disability law and web accessibility. 
In short, while the Americans Disability Act, promulgated in 1990, did not explicitly speak to cyberspace, it nonetheless is the legal foundation upon which accommodations to it are required of those entities that fall under its scope, including higher education. This point is an important one to make. For some years, institutional attorneys and disability advocates have gotten tangled in discussions about whether section 508 of the Rehabilitation Act, which outlines a baseline of technical standards for web accessibility and is required for all federal agencies, is required of colleges and universities. The answer to that specific legal question is no. Receipt of federal funds does not a federal agency make of a college or university. But looking at just one tree obscured the forest and confused the how with the why. The ADA does apply to colleges and universities, public and private. Irrespective of which particular technical standards are chosen&#8212;section 508, W3C, a hybrid, etc.&#8212;mounting case law makes clear the point that accommodation must be made. Take a look yourself at this  excellent document.    top       Will Pennsylvania Shut Down the Free Internet?   (Steptoe, 13 Dec 2012) &#45; A Hotmail user in Pennsylvania has brought a class action against Google (Brinkman v. Google, Inc.) alleging that its interception of non&#45;Gmail users&#8217; communications with Gmail users violates Pennsylvania&#8217;s wiretap statute. Google, of course, gets the consent of its Gmail users to intercept and scan the content of their emails in order to serve up targeted advertisements based on the users&#8217; apparent interests. But it does not obtain the consent of non&#45;Gmail users that communicate with the Gmail users. This raises the question of whether Google&#8217;s practices violate the laws of the dozen or so states, including Pennsylvania, that forbid interception of electronic communications without the consent of all parties to a communication. 
This is an issue of great importance to email providers, social media, Internet service providers, and others that review the content of online communications or monitor web activity as part of their online behavioral advertising (OBA) programs. If state all&#45;party consent laws were interpreted in a manner that effectively brought OBA to a screeching halt, it could end the Internet as we know it. Without the revenue derived from OBA, free or low&#45;cost Internet services that we take for granted could suddenly become expensive propositions. Moreover, companies that monitor the communications of their employees with the outside world could be subject to the same sorts of lawsuits, since they lack the consent of non&#45;employees to interception of their communications with the company&#8217;s workers.   top       &#8216;Non&#45;Harmful&#8217; Phone Spoofing OK, Appeals Court Says   (Wired, 13 Dec 2012) A federal appeals court is nullifying a Mississippi law that forbids phone spoofing of any type, ruling that Congress has authorized so&#45;called &#8220;non&#45;harmful&#8221; spoofing. Spoofing, misrepresenting the originating telephone caller&#8217;s identification to the call recipient, was outlawed entirely in Mississippi under the 2010 Caller ID Anti&#45;Spoofing Act (ASA), punishable by up to a year in prison. The decision  (.pdf) is likely a death blow to the eight states that are mulling laws similar to Mississippi&#8217;s, as well as Oklahoma and Louisiana, which already have similar statutes on the books, said Mark Del Bianco, the Maryland plaintiff&#8217;s attorney in the case. Del Bianco represented New Jersey&#45;based Teltech Systems and Michigan&#45;based Wonderland Rentals &#45; companies that provide nationwide, third&#45;party spoofing services. Teltech offers its customers the SpoofCard , which operates like a long&#45;distance calling card with the ability to manipulate the caller ID displayed to the called party. 
Wonderland uses spoofing to conduct quality control for businesses by faking the phone numbers of its client customers in order to anonymously test customer service representatives. A lower federal court had sided with the companies, nullifying the law because it impacted communications outside the state. The 5th U.S. Circuit Court of Appeals, however, overturned it because it said the measure was trumped by federal law. The Truth in Caller ID Act  (TCIA) of 2009 authorizes spoofing in limited instances, the appeals court ruled.   top       Chicago Area Courts Ban Electronic Devices, For Some   (CMLP, 17 Dec 2012) &#45; Criminal courthouses in Cook County, Illinois (Chicago and environs) will ban the public from bringing in electronic devices as of Jan. 15, under an order issued by Cook County Chief Judge Timothy Evans in mid&#45;December. See  Gen&#8217;l Admin. Order 2012&#45;8 (Ill. Cir. Ct., Cook Cnty. Dec. 11, 2012). In a  press release  announcing the new policy, Evans cited concerns that people attending court proceedings were using cellphones to photograph &#8212; and intimidate &#8212; witnesses, judges, jurors, and prospective jurors, to relay courtroom testimony to upcoming witnesses, and to stream judges&#8217; comments during trial. &#8220;The court is sending a strong message to gang members and others that any attempts to intimidate witnesses, jurors, and judges in court will not be permitted,&#8221; Evans was quoted saying in the release. &#8220;The ban will help to ensure that justice is properly done by preserving the integrity of testimony and maintaining court decorum.&#8221; The ban will apply to 12 of the 13 courthouses in the county. The exception will be the Richard J. Daley Center Courthouse in Chicago, which handles civil, traffic and misdemeanor cases. 
Under the order, members of the news media are exempt from the ban, and will be able to use electronic devices in courtrooms under the circuit court&#8217;s pending application to participate in the extended media coverage experiment authorized by the Illinois Supreme Court. See  In re: Extended Media Coverage in the Circuit Courts of Illinois on an Experimental Basis, M.R. 2364  (Ill. Jan. 24, 2012). Others exempt from the ban include current or former judges; licensed attorneys; all law enforcement officers; all government employees; persons reporting for jury service; jurors (subject to the authority of the trial judges); building and maintenance workers, and equipment repair persons and vendors. But their use of the devices will be limited to public areas of the courthouses.   top        &#45; OTOH &#45;      Service by Email Comes to Illinois   (The Connected Lawyer, 19 Dec 2012) &#45; Recently the Illinois Supreme Court adopted an amendment to Supreme Court Rule 11 , which deals with service of documents to opposing parties. This amendment, which takes effect January 1, 2013, allows attorneys to serve documents by email and it requires attorneys to provide an email address for service on all appearances and pleadings. I think this is a great change. Admittedly, I think the rule requires some refinement ( e.g. , what formats are appropriate, when is email service effective). However, on the whole, I think this is a great step forward. Not unexpectedly, however, there has been a significant outcry from members of the bar who are raising objections to this. Some of the objections that I see include the typical claims that this discriminates against attorneys who are not technologically savvy and that it provides no exemption for attorneys who do not have an email address.   
top           Fourth Circuit Limits Marital Communications Privilege for Email   (Covington, 18 Dec 2012) &#45; The Fourth Circuit recently ruled that the marital communications privilege does not always apply to email that is sent from a work account. A federal jury convicted former Virginia state legislator Phillip A. Hamilton of federal program bribery and extortion under color of right. During trial, the court admitted email messages that Hamilton sent to his wife from his work account. On appeal, Hamilton contended that admission of those messages violated the marital communications privilege, which covers private spousal communication that was intended to remain confidential. In an opinion last week, the Fourth Circuit disagreed, concluding that Hamilton had no reason to expect that his work emails were confidential. The Court analogized Hamilton&#8217;s claim to a 1934 case  in which the Supreme Court held that a defendant could not claim the marital privilege for communication that he shared with a stenographer. &#8220;Email has become the modern stenographer,&#8221; the Fourth Circuit wrote. Hamilton&#8217;s employer did not have a computer use policy when he sent the email messages, but the employer later adopted a policy stating the users have &#8220;no expectation of privacy in their use of the Computer System&#8221; and &#8220;[a]ll information created, sent[,] received, accessed, or stored in the . . . Computer System is subject to inspection and monitoring at any time.&#8221; Because Hamilton&#8217;s employer adopted this policy before the investigation of his bribery and extortion began, the Fourth Circuit concluded, Hamilton had ample time to delete any confidential email from his employer&#8217;s archives. Under the Fourth Circuit&#8217;s reasoning, a defendant still may claim the marital communications privilege for work emails if the defendant had an objectively reasonable belief in the privacy of those emails. 
For instance, if the employer&#8217;s computer use policy guarantees email privacy, the defendant may argue that he reasonably believed the email was confidential.   top       Texas Lawyer Sues the State over His Blog&#8217;s Name and Wins   (ABA Journal, 19 Dec 2012) &#45; Lubbock, Texas, lawyer John Gibson had a simple idea: Create a blog about the state&#8217;s workers&#8217; compensation law. Luckily, &#8220;texasworkerscomplaw.com&#8221; was available, so he grabbed it. Gibson then was hit with a cease&#45;and&#45;desist order from the Texas Department of Insurance, which informed him that his blog violated a state law governing the use of the department&#8217;s name and purview. The state threatened to fine him $5,000 per violation per day if he continued to use the words Texas  and workers  and compensation  in any order in any marketing or promotional efforts.  Gibson sued   , claiming the state was violating his First, Fifth and 14th amendment rights. He also argued that his blog was mainly informational. Last October, the 5th U.S. Circuit Court of Appeals at New Orleans agreed with Gibson, holding that &#8220;Texas made no serious attempt to justify this regulation as narrowly tailored to a substantial state interest.&#8221; The court noted that the law regarding the type of protection afforded domain names is in its infancy. &#8220;As with many new issues involving the Internet, the proper method of analysis to determine whether a domain name is commercial speech or a more vigorously protected form of speech is res nova,&#8221; Circuit Judge Edith Brown Clement wrote for the court. &#8220;A domain name, which in itself could qualify as ordinary communicative speech, might qualify as commercial speech if the website itself is used almost exclusively for commercial purposes.&#8221; Gibson&#8217;s lawyer, Robert Hogan, says the case has potential to impact other blawggers. 
&#8220;There are broader issues concerning what degree of First Amendment protection applies to lawyers&#8217; blogs because there&#8217;s no clear delineation from any court of appeals as to whether lawyers&#8217; blogs should be treated as commercial speech and get a reduced degree of First Amendment protection, or whether they deserve a higher degree of protection because of their inherent noncommercial nature.&#8221;   top           Copyright Levies On Electronics Devices &#45; 2012 Developments   (Bird &amp;amp; Bird, 20 Dec 2012) &#45; Copyright levies are systems that impose fees on the manufacture, import and/or sale of devices and media which can be used to reproduce and/or store third party copyright works, aiming to compensate rightholders for the licence revenues they lose due to the fact that end users are allowed to undertake certain defined permitted acts of copying without the right holders&#8217; consent. In the digital area, only private end&#45;users are usually entitled to carry out the statutory permitted acts. &#8232;At present, 21 out of the 27 Member States of the European Union (&quot;EU&quot;) provide for private copying and similar end&#45;user copying exceptions accompanied by levy schemes. The scope of the exceptions, the level of the levies and the products to which levies will pertain vary materially from Member State to Member State (please  click here  to see our November 2011 Copyright Levy Newsletter). However, due to the lack of harmonisation and the major changes caused by digitisation of copyright works, copyright levy schemes have come under increasing attack, and copyright levies have become a major legal, economical and political issue. 
In particular, the groundbreaking &#8220;Padawan&#8221; judgment of the European Court of Justice (&quot;ECJ&quot;) on 21 October 2010 is currently having a major impact on many pending cases and has triggered discussions as to whether fundamental changes to the present copyright levy regimes in Europe are needed. For more detailed information on the &#8220;Padawan&#8221; judgment, please  click here  to see the Bird &amp;amp; Bird Newsletter &#8220;European Court of Justice questions legitimacy of existing copyright levy regimes&#8221; dated 22 October 2010. The first Member State to react to this changing situation was Spain, which has abolished its copyright levy scheme. Further changes to copyright levy schemes all over Europe are likely to follow. In this Newsflash, we summarise the development in Spain as well as the status quo of copyright levy systems in Belgium, Czech Republic, Finland, France, Germany, Hungary, Italy, The Netherlands, Poland, Slovakia, Sweden and United Kingdom.   top            Feds Can Keep Data of Innocent Citizens for Five Years   (Ride the Lightning, 20 Dec 2012) &#45; Slate recently  reported  (the original source was the Wall St. Journal ) on a relatively new and very wide&#45;ranging surveillance operation. The National Counterterrorism Center, which is located in an unmarked building in McLean, VA, now has the authority to store and monitor the data of innocent U.S. citizens for up to five years, using &#8220;predictive pattern&#45;matching&#8221; to analyze it for suspect behavior. The Journal said that the NCTC has access to entire federal databases, including flight records, casino employee lists, the names of Americans hosting foreign&#45;exchange students and many others. Even more alarming is the fact that this data can be given to foreign governments for analysis. 
Officials say the surveillance is subject to &#8220;rigorous oversight&#8221; which has always translated to, &#8220;Trust me, I&#8217;m from the government.&#8221;   top            UK Copyright Reform Affects Fair Use, Format&#45;shifting and Big Data   (GigaOm, 20 Dec 2012) &#45; The British government has unveiled a comprehensive raft of measures aimed at modernizing copyright in the country. This is pretty much what it promised to do  in 2011 in response to the Hargreaves Review , which it had commissioned. Some of the measures are terrifically obvious, none more so than the legalization of format&#45;shifting &#45; yes, copying music from a CD to your iPhone is still technically illegal in the UK, although no&#45;one gets prosecuted for it. Others bring the UK much closer to the U.S. fair use system. For example, a copyright exemption will now be brought in for parody, caricature and pastiche. In other words, stuff like that  Newport State Of Mind   parody will no longer be illegal. Bafflingly, the government says it will &#8220;allow limited copying on a fair dealing basis which would allow genuine parody, but prohibit copying disguised as parody&#8221;. The Intellectual Property Office, which the reforms will put in charge of &#8220;clarifying areas where there is confusion or misunderstanding on the scope and application of copyright law&#8221;, clearly needs something to keep it busy. The reforms should have a big impact on the educational and research sectors. Again with some absurdity, the current IP regime makes it legally risky for teachers to show copyrighted material over interactive whiteboards and distance&#45;learning systems &#45; this will be fixed, as will the ban on allowing the copying of sound recordings, films and broadcasts for private study and non&#45;commercial research.     
top            Court Gives Cold Shoulder to Hot Yoga, Finding Yoga Sequences Not Copyrightable   (Baker Hostetler, 20 Dec 2012) &#45; On Friday, the Central District of California held that a series of yoga poses designed to improve health is not copyrightable, dismissing claims of copyright infringement brought by Bikram Choudhury against Evolation Yoga. This ruling followed in the footsteps of the Copyright Office&#8217;s recent announcement  that it will no longer issue registration certificates for sequences of yoga poses designed to improve health. The California lawsuit was brought by Bikram Choudhury, the originator of the popular hot yoga style, Bikram Yoga. Bikram Yoga incorporates a series of 26 yoga poses and two breathing exercises performed in the same order and manner in a room of 105 degrees Fahrenheit over the course of approximately ninety minutes (the &#8220;Bikram Sequence&#8221;). Defendants are former students of Choudhury who taught the Bikram Sequence&#45;the same 26 poses and two breathing exercises in the same order, manner, and environment&#45;in their own studios, without Choudhury&#8217;s permission. Claiming the Bikram Sequence was copyrightable, Choudhury sued for copyright infringement and also brought claims for trademark infringement, false designation of origin, dilution, unfair competition, unfair business practices, breach of contract, and inducing breach of contract. Considering a motion for partial summary judgment on the copyright claim only, the Central District of California firmly held that a series of yoga poses, including the Bikram Sequence, is not copyrightable because (1) a series of yoga poses designed to promote health, like any exercise routine, constitutes a non&#45;copyrightable fact or idea and (2) a series of yoga poses does not fall into the enumerated categories of copyrightable works under 17 U.S.C. &#167; 102, but is, instead, a non&#45;copyrightable system or procedure. 
Key to the court&#8217;s ruling is its finding, guided by the Copyright Office&#8217;s June 2012 announcement, that yoga poses are exercises. Exercises do not fall into the enumerated categories of authorship under 17 U.S.C. &#167; 102 and are not copyrightable.   top           HLS1x: Copyright   (HarvardX, 20 Dec 2012) &#45; HLS1x Copyright, an experimental course offered on edX, will explore in depth the law, theory, and practice of copyright. Approximately two thirds of the course will focus on the copyright system of the United States; the remainder will be devoted to the laws pertaining to copyright and &#8220;neighboring rights&#8221; in other countries. Considerable attention will be devoted to the relationship between copyright law and creative expression in a variety of fields: literature; music; film; photography; graphic art; software; comedy; fashion; and architecture. The course will commence on January 28, 2013, and last for 12 weeks. Enrollment in the course is limited to 500 participants, who will be selected through an application process. When admitting participants, the course organizers will seek to create a group that is diverse along many dimensions, including country of residence, age, occupation, educational background, and gender. Applicants must be at least 13 years old, have a good grasp of the English language, and be willing to devote eight hours per week to learning and discussing the material. Otherwise, however, there are no prerequisites for taking this course. In particular, no legal background is required. Several methods of instruction will be used. Participants will watch pre&#45;recorded lectures, engage in interactive live webcasts of events in which guest speakers address especially controversial issues, discuss legal problems in online forums, and (most importantly) participate once a week in an 80&#45;minute online seminar. 
Those seminars will be taught by teaching fellows, all of whom are currently students at Harvard Law School. At the conclusion of the course, each participant will take a three&#45;hour exam, designed to assess his or her knowledge of copyright law and policy. Those exams will be graded by the teaching fellows. Participants who receive passing grades will be awarded certificates of completion and will be provided written assessments of their degree of proficiency. HLS1x Copyright is an experimental course, with four different variants that allow Prof. Fisher and his team to experiment with different combinations of teaching materials and educational technologies. Enrollment for the course is limited because we believe that high&#45;quality legal education depends, at least in part, upon supervised small&#45;group discussions of difficult issues. Fidelity to that principle requires confining the course to the number of participants that can be supervised effectively by our 21 teaching fellows. The limit on the enrollment does not mean, however, that we are not allowing access to the course materials; they will be made publicly available.   top       Devil&#8217;s in the Small Print   (WSJ, 20 Dec 2012) &#45; A book about boilerplate? That contract with the small print that you have to sign before renting a power tool? The incomprehensible &#8220;Terms of Service&#8221; agreement that Internet providers require you to claim you have read and approved? Standardized contracts are unavoidable, but they don&#8217;t seem like a subject for an important or interesting book. They are, you might think, just one more example of the background absurdities of modern life. But Margaret Jane Radin, a law professor at the University of Michigan, has given us a sophisticated and thought&#45;provoking treatment of the boilerplate contracts that everyone signs yet few read or understand. Ms. 
Radin begins by arguing that boilerplate contracts&#45;which as early as 1919 were widespread enough of a commercial practice as to be a subject of case law&#45;aren&#8217;t really contracts at all. Because the terms aren&#8217;t bargained over, it follows that they aren&#8217;t consented to in any traditional sense; there is no meeting of the minds between the parties. Ms. Radin effectively debunks legal abstractions designed to reconcile boilerplate with contract theory. She discusses ideas like constructive, or fictional, consent, which exists when a judge believes there was a reasonable opportunity to read and assent to contractual terms that in fact were never read or agreed to. She also touches on hypothetical consent, which involves theorizing about the conditions under which a rational person would consent. In the end she concludes that neither accommodates boilerplate to the moral basis of contracts law.   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2012-12-21T16:03:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 11&#45;30 November 2012 (v15.16)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_11_30_november_2012_v1516/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_11_30_november_2012_v1516/#When:17:37:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 11&#45;30 November 2012 (v15.16) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)   permalink    NEWS  | PODCASTS  | LOOKING BACK  | NOTES    Annual Incident Report 2011    Megaupload Case Has Far&#45;Reaching Implications for Cloud&#45;Data Ownership Rights    RIM Good for Secret Jobs: BlackBerry 10 Cleared for Restricted Data    The Ethics of Facebook&#45;Stalking University Applicants    &#8220;Involuntary Porn&#8221; Site Tests the Boundaries of Legal Extortion    Establishment Opens Door for MOOCs    Terrorist Attack on Power Grid Could Cause Broad Hardship, Report Says    Email Users Can&#8217;t Count On Privacy Protections    When Will our Email Betray Us? An Email Privacy Primer in Light of the Petraeus Saga    Google Will Not be Prosecuted for Street View Wi&#45;Fi Sniffing in Germany    Seattle&#8217;s &#8216;Creepy Cameraman&#8217; Questions Our Comfort With Being Watched    Fourth Amendment Implications of Using &#8220;Moocherhunter&#8221; To Locate the User of An Unsecured Wireless Network    Engaging Facebook Friends Doesn&#8217;t Violate Non&#45;Solicitation Clause    Modria Launches A &#8220;Fairness Engine&#8221; For Online Dispute Resolution    Corbis and the Public Domain    Navigating the Legal Pitfalls of Augmented Reality    Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act     Pinterest&#8217;s Accounts and Terms of Service for Businesses and their Potential Impact on Sweepstakes, Contests, and Other Promotions    YouTube Expands Captioning for Six New Languages    Online Rain: Survey Says a Virtual Presence May Pay    Unsubscribe Confirmation Texts Get FCC OK    Official Syrian Web Sites Hosted in U.S.    Patent Prosecutors Licensing of Copyrights for Prior Art Submissions    The Mosaic Theory of the Fourth Amendment    Insurance Coverage for Data Breach Claims    Who&#8217;s Tracking Your Reading Habits? 
An E&#45;Book Buyer&#8217;s Guide to Privacy    French CNIL Publishes English Language Compliance Guides             Annual Incident Report 2011   (European Network &amp;amp; Information Security Agency, 11 Oct 2012) &#45; For the first time in the EU, in spring 2012, national reports about security incidents were provided to ENISA and the European Commission, under Article 13a of the Framework Directive (2009/140/EC). This is a new article in the EU legal framework for electronic communications. In this new ENISA document, we analyse the 51 received incident reports, dealing with severe outages of electronic communication networks or services. ENISA will publish a similar overview and analysis, yearly, following subsequent rounds of annual summary reporting by the NRAs in the EU Member States. The next report will be published in spring 2013, and will summarize and analyse incidents that occurred in 2012. Full report (in English)  here  .   top        Megaupload Case Has Far&#45;Reaching Implications for Cloud&#45;Data Ownership Rights   (Wired, 7 Nov 2012) &#45; There&#8217;s more at stake in the Megaupload case than the freedom of founder Kim Dotcom and his indicted file&#45;sharing associates. The privacy and property rights of its 60 million users are also in jeopardy, as well as the privacy and property rights of anyone who stores data in the cloud, according to the Electronic Frontier Foundation, which is representing one of Megaupload&#8217;s users in a lawsuit against the government that could set a precedent for cloud users in general. A hearing on the issue in Virginia federal court is expected to be set any day. The problem lies in the fact that there is currently no clear process for owners to retrieve property that federal prosecutors effectively seized when they shuttered the file&#45;sharing and cyberlocker service last January over issues of alleged copyright infringement. 
And even if a system is put in place for users to get back their files, it&#8217;s likely the data would first need to be reviewed by the government or a third party to determine if any of the data infringed copyrights, says EFF attorney Julie Samuels, because the government would oppose returning such data to account holders. [A]fter EFF filed papers on behalf of Kyle Goodwin, an Ohio man whose property was seized in the Megaupload case, a judge tentatively blocked the hosting company from deleting data and ordered the government, Dotcom&#8217;s legal counsel and EFF to come up with suggestions about how to return property to Megaupload users, if at all.   top           RIM Good for Secret Jobs: BlackBerry 10 Cleared for Restricted Data   (The Register, 8 Nov 2012) &#45; BlackBerry 10 has passed the US Federal Information Processing Standard (FIPS) certification, meaning devices based on the platform can be used to send classified data between government agents. Despite a drop in US government uptake of its kit, this is still something unique to RIM. Apple and Android have both made huge strides in security, but only RIM has ever managed to get a mobile platform through the FIPS 140&#45;2 process, which is managed by National Institute of Standards and Technology and recognised by the US and Canadian governments. The classification permits the transit of documents up to &#8220;restricted&#8221; level, so RIM&#8217;s devices will be turning up in some halls of power, if not all of them.   top       The Ethics of Facebook&#45;Stalking University Applicants   (Rey Junco, Berkman, 8 Nov 2012) &#45; Recently, Kaplan Test Prep released data from a survey showing how  college admissions officers check applicant profiles in order to make admissions decisions  . 
This isn&#8217;t a new phenomenon: since 2008, I&#8217;ve been answering questions about whether residence life, judicial affairs, and other university departments should monitor their students&#8217; Facebook accounts. Here are some reasons why I think such evaluations of applicant Facebook profiles are unethical * * * [Polley: interesting; applicable to employers&#8217; social media review procedures, too.]   top       &#8220;Involuntary Porn&#8221; Site Tests the Boundaries of Legal Extortion   (ArsTechnica, 13 Nov 2012) &#45; In the era of Polaroid cameras, you didn&#8217;t have to worry too much about a racy snapshot you took in the privacy of your bedroom becoming available to the general public. But thanks to the rise of digital cameras and the Internet, that&#8217;s now a real risk. Hackers, disgruntled exes, and other vindictive individuals who gain access to your compromising digital snapshots can share them with the world with a single click. Recently, a number of websites have sprung up to cash in on the public humiliation of others. One of the first such sites was IsAnyoneUp, which solicited nude pictures of ordinary Americans submitted by third parties. To maximize the humiliation, the photos were posted along with identifying details such as name and home town. The site&#8217;s owner, Hunter Moore, reportedly raked in thousands of dollars a month in advertising revenue, and he made the rounds on television talk shows defending his site. Moore finally shuttered the site earlier this year, but others have jumped in to fill the sordid niche he pioneered. One such site is the creatively named IsAnybodyDown. Like the original, it features naked pictures of ordinary Americans, generally submitted without the subjects&#8217; consent, as well as personal information such as their names, hometowns, phone numbers, and screenshots of their Facebook pages. 
If you think IsAnyoneUp couldn&#8217;t be any sleazier, then IsAnybodyDown seems determined to prove you wrong. A link on IsAnybodyDown reading &#8220;Get Me Off This Site!&#8221; leads to the website of &#8220;Takedown Hammer,&#8221; an &#8220;independent third party team&#8221; that, for a modest fee of $250, will &#8220;issue a successful content removal request on your behalf.&#8221; It brags of 90 successful removals from IsAnybodyDown.com. It seems pretty obvious that &#8220;Takedown Hammer&#8221; isn&#8217;t actually independent of IsAnybodyDown. Indeed, copyright and First Amendment attorney Marc Randazza has found circumstantial evidence that IsAnybodyDown and Takedown Hammer are, in fact, both owned by a man named Craig Brittain. [Polley: see also   The Guy Behind Two &#8216;Revenge Porn&#8217; Sites Says Government Protects His Work   (Business Insider, 29 Nov 2012)]   top           Establishment Opens Door for MOOCs   (InsideHigherEd, 14 Nov 2012) &#45; The clearest path to college credit for massive open online courses may soon be through credit recommendations from the American Council of Education (ACE), which announced Tuesday that it will work with Coursera to determine whether as many as 8&#45;10 MOOCs should be worth credit. The council is also working on a similar arrangement with EdX, a MOOC&#45;provider created by elite universities. The Bill &amp;amp; Melinda Gates Foundation is funding that effort as part of $3 million in new, wide&#45;reaching MOOC&#45;related grants, including research projects to be led by ACE, the Association of Public and Land&#45;grant Universities (APLU) and Ithaka S+R, a research group that will team up with the University System of Maryland to test and study the use of massive open online courses across the system. 
Until now, MOOCs have been a source of fascination mostly because they make teaching by top&#45;notch professors at prestigious universities free and available on the Internet to students anywhere, including in developing countries. Most MOOCs from high&#45;profile providers such as Coursera, EdX, Udacity and Udemy feature upper&#45;division material aimed at students looking to hone their skills or who are merely curious. Tuesday&#8217;s rollout, however, helps open the door to the courses&#8217; use by credit&#45;seeking students, particularly the growing adult student market. And the new round of grantees includes 10 institutions that the Gates Foundation has tapped to develop  introductory and remedial courses, which often trip up low&#45;income and first&#45;generation college students. Perhaps most importantly, Tuesday&#8217;s announcements signal that traditional higher education (represented by ACE and APLU) and Gates, the primary force behind the national college &#8220;completion agenda,&#8221; both believe in the disruptive potential of MOOCs.   top        Terrorist Attack on Power Grid Could Cause Broad Hardship, Report Says   (NYT, 14 Nov 2012) &#45; Terrorists could black out large segments of the United States for weeks or months by attacking the power grid and damaging hard&#45;to&#45;replace components that are crucial to making it work, the National Academy of Sciences said in a report  released Wednesday. While the report is the most authoritative yet on the subject,  the grid&#8217;s vulnerability  has long been obvious to independent engineers and to the electric industry itself, which has intermittently tried, in collaboration with the Department of Homeland Security, to rehearse responses. Of particular concern are giant custom&#45;built transformers that increase the voltage of electricity to levels suited for bulk transmission and then reduce voltage for distribution to customers. 
Very few of those transformers are manufactured in the United States, and replacing them can take many months. The National Academy of Sciences report mainly refers to less sophisticated attacks but also warns of cyberattacks or infiltration of the grid&#8217;s transmission operators. &#8220;Even a few pernicious people in the wrong place are a potential source of vulnerability,&#8221; it said. The report was completed in 2007, and after reviewing it, the Department of Homeland Security decided to classify its contents. The version released on Wednesday is redacted to avoid handing terrorists a &#8220;cookbook&#8221; on how to disrupt the grid, the report said. [Polley: thanks to @RolandTrope for this story]   top        Email Users Can&#8217;t Count On Privacy Protections   (WSJ, 14 Nov 2012) &#45; One of the lessons from the unfolding case of the former director of the Central Intelligence Agency, David Petraeus, is that privacy protections for even the most sophisticated users of consumer&#45;email services actually protect very little. In response to a Florida woman&#8217;s complaints that she had received threatening emails, the Federal Bureau of Investigation gained access to the emails of Paula Broadwell, a writer who allegedly set up Gmail accounts under aliases to conduct an affair with Mr. Petraeus. To do so, the FBI received search warrants from a judge, according to U.S. officials. But other clues in the FBI investigation could be garnered without a warrant in an era when personal communication has shifted to centralized websites like Google Inc. and Facebook Inc., where messages rarely get truly deleted and all online communications carry a number of digital footprints. The U.S. and foreign governments now make a regular habit of seeking data about people from Internet giants, and those requests are on the rise. 
Google, one of the few tech companies that discloses details about the requests, this week said that in the first half of 2012, it received 7,969 such requests from U.S. authorities&#45;nearly 34% more than it received in the first half of 2011. Google said it complied with 90% of those requests. In the U.S., the Fourth Amendment requires government agents to obtain a warrant from a judge before searching physical property. But under a 1986 law, the Electronic Communications Privacy Act, or ECPA, a warrant isn&#8217;t typically required to access emails older than six months because they are considered to be &#8220;abandoned.&#8221;   top    &#45; and &#45;       When Will our Email Betray Us? An Email Privacy Primer in Light of the Petraeus Saga   (EFF, 14 Nov 2012) &#45; The unfolding scandal that led to the resignation of Gen. David Petraeus, the Director of the Central Intelligence Agency, started with some purportedly harassing emails sent from pseudonymous email accounts to Jill Kelley. After the FBI kicked its investigation into high gear, it identified the sender as Paula Broadwell and, ultimately, read massive amounts of private email messages that uncovered an affair between Broadwell and Petraeus (and now, the investigation has expanded to include Gen. John Allen&#8217;s emails with Kelley). We&#8217;ve received a lot of questions about how this works&#45;what legal process the FBI needs to conduct its email investigation. The short answer? It&#8217;s complicated. * * * Compared to identifying information, ECPA provides more legal protection for the contents of your email, but with gaping exceptions. While a small but increasing number  of federal courts have found that the Fourth Amendment requires a warrant for all email, the government claims ECPA  only requires a warrant for email that is stored for 180 days or less. 
But as the Department of Justice Manual  for searching and seizing email makes clear, the government believes this only applies to unopened email. Other email is fair game with only a subpoena, even if the messages are less than 180 days old. According to reports, Petraeus and Broadwell adopted a technique of drafting emails, and  reading them in the draft folder  rather than sending them. The DOJ would likely consider draft messages as &#8220;opened&#8221; email, and therefore not entitled to the protection of a search warrant. In a nutshell, although ECPA requires a warrant for the government to obtain the contents of an email stored online for less than 180 days, the government believes the warrant requirement doesn&#8217;t apply for email that was opened and left on the server &#45; the typical scenario for webmail systems like Gmail &#45; even if the messages are less than 180 days old. So, under the government&#8217;s view, so long as the emails had been opened or were saved in the &#8220;drafts&#8221; folder, only a subpoena was required to look at contents of Broadwell&#8217;s email account. * * * [Polley: there&#8217;s more here, and worth parsing.]   top        Google Will Not be Prosecuted for Street View Wi&#45;Fi Sniffing in Germany   (ComputerWorld, 15 Nov 2012) &#45; The public prosecutor in Hamburg has decided not to start a criminal investigation into the way Google&#8217;s Street View cars gathered data from unencrypted Wi&#45;Fi networks in Germany, the lawyer who requested the inquiry said Thursday. In 2010 Google acknowledged that its Street View cars collected data such as MAC addresses and SSIDs (service set identifiers) as well as personal payload data from Wi&#45;Fi networks. Payload data can include email, passwords and medical data. The public prosecutor&#8217;s office said it cannot pursue a criminal investigation into Google&#8217;s Street View Wi&#45;Fi sniffing. 
The prosecutor&#8217;s office was unable to find any violation of criminal standards by Google in the way the company stores SSIDs, MAC addresses or payload data, it said  in a letter  sent *** on Thursday.   top       Seattle&#8217;s &#8216;Creepy Cameraman&#8217; Questions Our Comfort With Being Watched   (Seattle Times, 18 Nov 2012) &#45; At first, University of Washington professor Odai Johnson thought it was some art student&#8217;s prank. One day last summer, right in the middle of class, a young man opened the door, stuck in a camera and began filming. Johnson asked him to leave. He refused. Johnson closed the door on him. He re&#45;entered. All the while, Johnson&#8217;s drama students looked unsure and nervous, frozen in a state of unease. &#8220;I confronted the man and told him his actions were an intrusion into our space, that he had no permission to insert himself and his camera and take whatever images he was gathering for whatever uses pleased him,&#8221; Johnson told me over email. He &#8220;never stated his reasons, never asked for cooperation or permission. Just pointed and aimed and shot.&#8221; You can see the whole exchange yourself on YouTube, where the cameraman &#45; whoever he is &#45; has posted video of this and other, similar confrontations with unwilling subjects around Seattle. A shopper leaving a store by Almvig&#8217;s. A man on his cellphone outside a University Village Starbucks. A cab driver who, taking a wild guess as to why a camera is in his face, blurts, &#8220;I&#8217;m white! I&#8217;m not an African driver!&#8221; When asked what he&#8217;s doing, the cameraman says he&#8217;s &#8220;taking a video.&#8221; When asked why, he says, &#8220;Why not?&#8221; When told he doesn&#8217;t have permission, he says, &#8220;Oh, OK&#8221; and, to his subjects&#8217; confusion, irritation and rage, keeps filming. Is this a social experiment or some jerk having fun? 
Commenters are giving mixed reviews, calling the videos everything from horrific to hilarious, and their creator everything from a moron to a genius. Let&#8217;s start with what&#8217;s legal. I was struck, watching the videos, by the rights people think they have. Apart from the classrooms, a Scientology building and what appears to be a community center, the cameraman films in public. &#8220;This is America and I have a choice that you do not take a picture of me,&#8221; a woman from a research institute tells him. But they&#8217;re on the sidewalk. Her only choice is to walk away. Renowned Seattle science fiction author Neal Stephenson has been called a technology prophet for predicting in his 1992 classic, &#8220;Snow Crash,&#8221; so much of what gadgets and the Web would make possible. In the book, characters called &#8220;gargoyles&#8221; walk around in special suits that let them record and upload everything around them, permission be damned. On a panel at the school just last month, University of Washington law professor Ryan Calo talked to Stephenson about the implications of his latest book &#45; &#8220;REAMDE.&#8221; Calo has his own fascination with the intersection of privacy and surveillance. As it stands, privacy law can do nothing about the creepy cameraman or the pervasive public surveillance he seems to represent. But what if the law changed? That may seem counterintuitive when technology is bursting our lives wide open, and the advice from experts is to be aware of it and deal with it. But Calo cited a recent Supreme Court case involving the use of a GPS tracking device in which five justices expressed concern over continuous surveillance. He thinks change can happen. I think he might be right.   top           Fourth Amendment Implications of Using &#8220;Moocherhunter&#8221; To Locate the User of An Unsecured Wireless Network   (Volokh Conspiracy, Orin Kerr, 19 Nov 2012) &#45; In United States v. Stanley, 2012 WL 5512987 (W.D.Pa. Nov. 
14, 2012) (Conti, J.) , the district court evaluated a novel Fourth Amendment question: Does tracing the location of a user of an unsecured wireless network constitute a Fourth Amendment search? The court&#8217;s answer: No. In this case, a Pennsylvania state police officer investigating the distribution of child pornography over peer&#45;to&#45;peer software learned that a computer at a particular IP address was sharing images of child pornography. The investigator, Erdley, obtained a search warrant to search the home associated with the IP address. The search was unsuccessful, however, and Erdley concluded that someone nearby was using the wireless connection from the home that had been left unsecured. With the consent of the homeowner, Kozikowski, Erdley used a software program called &#8220;Moocherhunter&quot;  to find the physical location of the individual who was accessing the network. Moocherhunter works by measuring the distance between the wireless router and the computer connecting to it: By moving the antenna of the wireless router, and knowing the MAC address of the computer connected to the wireless router, Erdley was able to trace the location of the computer connecting to the wireless router to a specific apartment. Erdley then obtained a search warrant and searched the apartment, finding child pornography on the computer of the defendant, Richard Stanley. The District Court ruled that use of Moocherhunter was not a search under Smith v. Maryland, 442 U.S. 735 (1979):  Based upon Smith&#8217;s rationale, the court finds Stanley did not have a legitimate expectation of privacy in the wireless signal he caused to emanate from his computer to the Kozikowski wireless router or in the signal being sent from the router back to his computer, and therefore, Erdely&#8217;s use of Moocherhunter&#8482; did not constitute a search in violation of the Fourth Amendment.  Stanley argued that Moocherhunter was like the thermal imager in Kyllo v. 
United States, 533 U.S. 27 (2001), but the district court disagreed.   top           Engaging Facebook Friends Doesn&#8217;t Violate Non&#45;Solicitation Clause   (Eric Goldman, 19 Nov 2012) &#45; This case involves an employer&#8217;s attempt to enforce a non&#45;compete and a non&#45;solicitation clause against a hair stylist. I&#8217;m especially interested in the court&#8217;s discussion about the non&#45;solicitation clause&#45;&#45;a provision that might even be enforceable in California. From the court&#8217;s distillation, it seems like the employer overreached quite a bit here, such as with this example:  Four days after Ms. DiFonzo resigned from Invidia, David Paul Salons, her new employer, posted a &#8220;public announcement&#8221; on Ms. DiFonzo&#8217;s Facebook page, noting DiFonzo&#8217;s new affiliation with David Paul....In the comment section below that post, Ms. Kaiser [a hair salon customer] posted a comment which said, &#8220;See you tomorrow Maren [DiFonzo]!&#8221;  See anything remotely resembling a solicitation here? Fortunately, the court doesn&#8217;t either. Cf. Enhanced Network Solutions v. Hypersonic Technologies.  The former employer next argued &#8220;Ms. DiFonzo has become Facebook &#8216;friends&#8217; with at least eight clients of Invidia.&#8221; Overall, having hair salon employees develop social media connections with customers sounds like a positive thing as it&#8217;s likely to improve customer loyalty. For example, if customers are disloyal to their hair stylist and post photos of their new haircuts, they will be outing themselves to their hair stylist. And if the hair salon employee and the customer are bona fide friends (not the fake form of friendship so rampant on Facebook), then that relationship isn&#8217;t &#8220;owned&#8221; by anyone.   
top           Modria Launches A &#8220;Fairness Engine&#8221; For Online Dispute Resolution   (TechCrunch, 19 Nov 2012) &#45; Earlier this morning, we got an email from a lady whose account was mistakenly charged a few times too many by an online pet food store. There is little we can do about that, but it&#8217;s a clear sign that even today, resolving those kinds of online disputes is still hard. Modria  wants to change this with the help of its Fairness Engine . The privately funded company, which was founded in 2011, says that its cloud&#45;based service helps &#8220;all parties involved in an online dispute to the table quickly and lets them arrive at an equitable solution that helps save costs and increase brand loyalty.&#8221; The team behind the service already helped companies like eBay and PayPal solve more than 400 million cases. Indeed, Modria founder and CEO Colin Rule spent eight years as the Director of Online Dispute Resolution for eBay and PayPal. Modria helps businesses flag and diagnose customer issues and knows enough about the legal technicalities behind these problems to speed up the negotiation process. The tool uses four different modules for diagnosis, negotiation, mediation and arbitration.   top           Corbis and the Public Domain   (MLPB, 20 Nov 2012) &#45; Tanya Asim Cooper, University of Alabama School of Law, has published  Corbis &amp; Copyright?: Is Bill Gates Trying to Corner the Market on Public Domain Art?  in volume 16 of the Intellectual Property Law Bulletin (2011). Here is the abstract.  Art has the power to stir our emotions, evoke a physical response, and transport us to a different world. It can inspire and transform us. 
For all of those precious qualities, the public relies upon knowing that once the artist&#8217;s exclusive rights to the artwork elapse, the &#8220;art must ultimately belong to us all.&#8221; The notion that artwork eventually belongs to the public is paramount because art, like books and music, represents a collective experience that helps define what it means to be human. Thus, once the artist has enjoyed her exclusive rights to that art, it should belong to no one individual, but to everyone. This article argues that Corbis&#8217;s copyright claim in its digitized reproductions of public domain art is suspect and concludes by discussing the ramifications for the public domain when Corbis asserts copyright protection for its public domain digital copies. Given the power and influence that Bill Gates and his company Corbis have on the market for public domain art, it behooves the public to be aware of this issue.    top           Navigating the Legal Pitfalls of Augmented Reality   (Mashable, 21 Nov 2012) &#45; The power of AR, particularly for marketers, is its ability to overlay highly relevant, timely and interactive data about specific products or services within a user&#8217;s live physical environment. For example, companies are using AR to transform home or online shopping by bringing to life static, two&#45;dimensional images &#8213; see Ikea&#8217;s 2013 catalog  and Phillips TV Buying Guide  mobile app &#8213; or leveraging geolocational data to augment users&#8217; real&#45;world retail experiences with instant data on pricing, reviews or special discounts (such as IBM&#8217;s personal shopping assistant ). If you&#8217;re considering whether to add an AR app to your marketing mix, be aware that traditional advertising law principles still apply, and that both federal and state regulators are keeping a watchful eye on AR&#8217;s potential impact on consumer privacy. 
A unique aspect of AR is that it allows retailers to give online or mobile shoppers a realistic, up&#45;close, three&#45;dimensional or enhanced view of their products prior to purchase (think virtual dressing rooms ). If your AR app is used to promote or drive sales for a particular product, be sure to avoid overstating or exaggerating the features, functions or appearances of the product, or leaving out material information that could sway the consumer&#8217;s purchasing decision. In September, the Federal Trade Commission (FTC) published a marketing guide  for mobile app developers. It clarifies that long standing truth&#45;in&#45;advertising standards apply in the virtual world to the same extent as in the real world. The key takeaway: Disclosures must be clear and conspicuous. That is, you should look at your app from the perspective of the average user and ensure that disclosures are big and clear enough so that users actually notice them and understand what they say. Another rule of thumb is to keep your disclosures short and simple, and use consistent language and design features within your app. Before launching your app, carefully consider how best to make necessary disclosures visible and accessible in the AR context. You can expect more guidance on disclosures in the near future when the FTC releases its updated Dot Com Disclosures Guide .   top       Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act   (SSRN; University of Amsterdam, 27 Nov 2012) &#45; Abstract:  Institutions have started to move their data and ICT operations into the cloud. It is becoming clear that this is leading to a decrease of overview and control over government access to data for law enforcement and national security purposes. This report looks at the possibilities for the U.S. government to obtain access to information in the cloud from Dutch institutions on the basis of U.S. 
law and on the basis of Dutch law and international co&#45;operation. It concludes that the U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments.    top           Pinterest&#8217;s Accounts and Terms of Service for Businesses and their Potential Impact on Sweepstakes, Contests, and Other Promotions   (Information Law Group, 27 Nov 2012) &#45; On November 14, 2012, Pinterest, Inc. revamped the Terms of Service (&quot;Terms&quot;) for Pinterest.com (&quot;Pinterest&quot;) and created new business only accounts (&quot;Business Accounts&quot;) to be governed by the site&#8217;s new Business Terms of Service (&quot;Business Terms&quot;). Although commercial use of the service was always encouraged by Pinterest, its Acceptable Use Policy and prior versions of its Terms of Service seemingly prohibited commercial use of the service. The creation of Business Accounts makes clear that commercial activity is not only encouraged, but explicitly allowed on Pinterest. The new features available for Business Accounts include: * * * The primary impetus for the creation of Business Accounts appears to be a means of providing guidance on how to best use Pinterest to advertise your brand (see Pinterest&#8217;s document which explains how to maximize Pinterest features to your brand&#8217;s advantage). There is, however, limited guidance on what you can and cannot do on the service or when referencing Pinterest in marketing materials (also, Pins from Business Accounts are still subject to Pinterest&#8217;s Acceptable Use Policy  and Pin Etiquette Policy ). Pinterest provides this guidance in its new Logos, Trademarks and Marketing Guidelines .   
top            YouTube Expands Captioning for Six New Languages   (Washington Post, 28 Nov 2012) &#45; YouTube announced Wednesday that it is expanding support for its automatic captioning service for six European languages. The company said that its service will now display captions in German, Italian, French, Portuguese, Russian and Dutch. That brings the total number of languages up to 10: YouTube already generates automatic captions for English, Japanese, Korean and Spanish. As with the current languages, viewers will be able to see the captions by clicking the &#8220;CC&#8221; button in the lower right&#45;hand corner of eligible videos. The company provides the auto&#45;captions as a baseline transcript of what&#8217;s going on in its videos. However, since speech recognition technology isn&#8217;t perfect, it also provides editing tools to improve the quality of the captions on its site. Content creators can download their automatic captions to edit them or do so right on YouTube videos. They can also upload their own scripts or transcripts to sync with videos on the site. Those interested in captioning their videos can use free sites and services to generate transcripts. The deaf community advocacy group, Telecommunications for the Deaf and Hard of Hearing, Inc. has a list of resources  for people looking for online captioning tools and information.   top       Online Rain: Survey Says a Virtual Presence May Pay   (ABA Journal, 28 Nov 2012) &#45; The ABA&#8217;s 2012 Legal Technology Survey Report   documents some good news from survey respondents who use Web 2.0 services in their practices &#45; double&#45;digit percentages reported they had clients who retained them directly or via referral as a result of the lawyers&#8217; use of online services. 
Results from the last three years of survey reports show (in the main) continued growth in the number of positive responses to questions about gaining clients through the use of blogs; social networks including Avvo, Facebook, LawLink, Legal OnRamp, LinkedIn, Martindale&#45;Hubbell Connected and Plaxo; and microblogs like Twitter. Among the many other details in the six&#45;volume study, 50 percent of respondents who blog reported spending less than one hour a week maintaining their legal&#45;topic blogs. [Polley: @edadams reports &#8220; 11% of lawyers get business from Twitter, up from 0% 2 years ago. &#8221;]   top            Unsubscribe Confirmation Texts Get FCC OK   (Benton Foundation, 29 Nov 2012) &#45; The Federal Communications Commission granted a request by SoundBite Communications, Inc. (SoundBite) and confirmed that sending a one&#45;time text message confirming a consumer&#8217;s request that no further text messages be sent does not violate the Telephone Consumer Protection Act (TCPA) or the FCC&#8217;s rules as long as the confirmation text has the specific characteristics described in the petition. The ruling will allow organizations that send text messages to consumers from whom they have obtained prior express consent to continue the practice of sending a final, one&#45;time text to confirm receipt of a consumer&#8217;s opt&#45;out request &#45; a widespread practice among businesses, non&#45;profit organizations, and governmental entities, which many parties in this proceeding, including a consumer group, assert is good consumer policy. 
The FCC emphasized that the ruling applies only when the sender of text messages has obtained prior express consent, as required by the TCPA and Commission rules, from the consumer to be sent text messages using an automatic telephone dialing system or &#8220;autodialer.&#8221; The ruling ensures that wireless consumers will continue to benefit from the TCPA&#8217;s protection against unwanted autodialed texts, while giving them certainty that their opt&#45;out requests are being successfully processed.   top           Official Syrian Web Sites Hosted in U.S.   (NYT, 29 Nov 2012) &#45; Even as Syrians lost access to the Internet on Thursday, people outside the country could still browse the Syrian government&#8217;s many Web sites for much of the day because they are hosted in foreign countries, including the United States. By nightfall, after being contacted by The New York Times, several host companies said they were taking down those sites. They and similar companies had been identified in reports  published  by Citizen Lab, a research laboratory that monitors North American Web service providers that host Syrian Web sites. For example, the Web site of SANA, the Syrian state news agency, is hosted by a Dallas company, SoftLayer Technologies. It is one of a handful of Internet providers based in the United States that sell their services, often unknowingly, to Web sites operated by the government of President Bashar al&#45;Assad. HostDime.com in Orlando, Fla., hosts the Web site of Syria&#8217;s Ministry of Religious Affairs. Jumpline.com hosts the site of the country&#8217;s General Authority for Development. The government of Hama, a city that has seen heavy clashes between rebels and government troops, operated its Web site through WeHostWebSites.com in Denver. An executive order by President Obama prohibits American companies from providing Web hosting and other services to Syria without obtaining a license from the Treasury Department. 
On Thursday, State Department officials confirmed that providing the services was a violation of the United States sanctions. &#8220;Our policies are designed to assist ordinary citizens who are exercising their fundamental freedoms of expression, assembly and association,&#8221; a spokesman, Mark C. Toner, said.   top            Patent Prosecutors Licensing of Copyrights for Prior Art Submissions   (Patently&#45;O, 29 Nov 2012) &#45; The Copyright Clearance Center (CCC) is a collective agent for many copyright holders and serves as a one&#45;stop&#45;shop for folks to license copyrights for use. CCC offers licenses to many (perhaps most) of the academic publications (non&#45;patent literature) submitted to the USPTO under the Rule 56 duty of disclosure. In recent years, CCC has implemented a buffet license approach that allows a business to use their entire catalog for a fixed negotiated price. Until recently, few patent law firms have seen any copyright infringement risk associated with non&#45;patent prior art because the copies are most typically obtained from a licensed database and the submission to the PTO and file&#45;copies are both likely fair use and therefore would not constitute copyright infringement. Thus, most firms have developed their patent prosecution practices with an implicit belief that their prosecution&#45;related uses of scientific journal articles are noninfringing uses of the articles. In the spring of 2012, the publisher John Wiley began suing patent law firms  &#45; taking the contrary view that (1) making file copies; (2) sharing copies with clients; and (3) submitting copies to the USPTO each constitute actionable copyright infringement. These lawsuits are ongoing. The CCC license would allow both internal copying and submitting copies to the USPTO, although it does not allow the sharing of copies with clients. Of course, these actions were all previously thought to be fair use. 
Professor Jamie Boyle has an interesting essay from 2007  discussing the problems with this license. His main point is that once we start paying for fair use material it stops being fair use going forward and moves toward a &#8220;culture of permission&#8221; that, in his view, is normatively bad. * * * [Polley: interesting discussion; I had dealings with CCC for my corporate employer some time ago.]   top           The Mosaic Theory of the Fourth Amendment   (Volokh Conspiracy, Orin Kerr, 29 Nov 2012) &#45; The Michigan Law Review has posted the final version of my latest article, The Mosaic Theory of the Fourth Amendment, 111 Mich. L. Rev. 311 (2012) , on its website. Here&#8217;s the abstract:  In the Supreme Court&#8217;s recent decision on GPS surveillance, United States v. Jones, five justices authored or joined concurring opinions that applied a new approach to interpreting Fourth Amendment protection. Before Jones, Fourth Amendment decisions had always evaluated each step of an investigation individually. Jones introduced what we might call a &#8220;mosaic theory&#8221; of the Fourth Amendment, by which courts evaluate a collective sequence of government activity as an aggregated whole to consider whether the sequence amounts to a search. This Article considers the implications of a mosaic theory of the Fourth Amendment. It explores the choices and puzzles that a mosaic theory would raise, and it analyzes the merits of the proposed new method of Fourth Amendment analysis. The Article makes three major points. First, the mosaic theory represents a dramatic departure from the basic building block of existing Fourth Amendment doctrine. Second, adopting the mosaic theory would require courts to answer a long list of novel and challenging questions. Third, courts should reject the theory and retain the traditional sequential approach to Fourth Amendment analysis. 
The mosaic approach reflects legitimate concerns, but implementing it would be exceedingly difficult in light of rapid technological change. Courts can better respond to the concerns animating the mosaic theory within the traditional parameters of the sequential approach to Fourth Amendment analysis.    top            Insurance Coverage for Data Breach Claims   (The Corporate Counselor, Nov 2012) &#45; The risk of a data breach is not limited to financial institutions or businesses engaged exclusively in e&#45;commerce. Any business that accepts credit cards as a form of payment, which includes practically every business on earth, is at risk. In fact, smaller&#45;sized brick and mortar businesses are frequently targets of hackers who assume, rightly or wrongly, that such businesses lack the ability to detect and prevent theft of customer data. Like any potentially catastrophic problem, insurance can be at least a partial solution. This article examines insurance coverage for data breaches. In&#45;house counsel may be surprised to learn that coverage for data breaches is not limited to specialty policies, and can often be found under standard CGL or property insurance policies. Any time a potential data breach occurs, it is essential for an insured to consider all forms of insurance that it carries and to provide prompt notice to its insurer(s) of any policy that even potentially could apply.   top            Who&#8217;s Tracking Your Reading Habits? An E&#45;Book Buyer&#8217;s Guide to Privacy   (EFF, 29 Nov 2012) &#45; The holiday shopping season is upon us, and once again e&#45;book readers promise to be a very popular gift. Last year&#8217;s holiday season saw ownership of a dedicated e&#45;reader device spike to nearly 1 in 5 Americans, and that number is poised to go even higher. 
But if you&#8217;re in the market for an e&#45;reader this year, or for e&#45;books to read on one that you already own, you might want to know who&#8217;s keeping an eye on your searching, shopping, and reading habits. As we&#8217;ve done since 2009, again we&#8217;ve taken some of the most popular e&#45;book platforms and combed through their privacy policies for answers to common privacy questions that users deserve to know. In many cases, these answers were frustratingly vague and long&#45;winded. In nearly all cases, reading e&#45;books means giving up more privacy than browsing through a physical bookstore or library, or reading a paper book in your own home. Here, we&#8217;ve examined the policies of Google Books , Amazon Kindle , Barnes &amp; Noble Nook , Kobo , Sony , Overdrive , Indiebound , Internet Archive , and Adobe Content Server  for answers to the following questions:   &#183; Can they keep track of searches for books?   &#183; Can they monitor what you&#8217;re reading and how you&#8217;re reading it after purchase and link that information back to you? Can they do that when the e&#45;book is obtained elsewhere?   &#183; What compatibility does the device have with books not purchased from an associated eBook store?   &#183; Do they keep a record of book purchases? Can they track book purchases or acquisitions made from other sources?   &#183; With whom can they share the information collected in non&#45;aggregated form?   &#183; Do they have mechanisms for customers to access, correct, or delete the information?   &#183; Can they share information outside the company without the customer&#8217;s consent?   top        French CNIL Publishes English Language Compliance Guides   (Hogan Lovells, 30 Nov 2012) &#45; France&#8217;s data protection authority, the Commission Nationale de l&#8217;Informatique et des Libert&#233;s (CNIL), released on November 14, 2012 English&#45;language versions of its compliance guides for businesses. 
The first guide, &#8220;Methodology for Privacy Risk Management&#8221; , provides a step&#45;by&#45;step guide for identifying risks and prioritising remedial actions. The second guide, &#8220; Measures for the Privacy Risk Treatment &#8221;, provides practical guidance on issues such as data deletion, anonymisation, encryption, providing right of access to data subjects, handling data breaches, and protecting against cyber attacks. This second guide provides useful cross&#45;references to security standards published by the French agency for computer security, the ANSSI .   top       NOTED PODCASTS    How to Make Your Research Open Access (Whether You&#8217;re at Harvard or Not)   (Berkman, 23 Oct 2012, 63 minutes) &#45; How do you make your own work open access (OA)? The question comes up from researchers at schools with good OA policies (like Harvard and MIT) and at schools with no OA policies at all. We invite you to join Peter Suber and Stuart Shieber of the Harvard Open Access Project, the Berkman Center community, and Office for Scholarly Communication in an open forum on the Harvard OA policies, concrete steps for making your work OA, and questions on any aspect of OA, especially from the perspective of publishing researchers. [Polley: pretty interesting stuff, with implications for the ABA&#8217;s publishing strategies. The discussion about Reed Elsevier&#8217;s default rule on republishing/deposit was pretty surprising to me, and the idea of publishing fee impositions on the author , as a way to pay the bills, was interesting.]   top       LOOKING BACK &#45; MIRLN TEN YEARS AGO   (note: link&#45;rot has affected about 50% of these original URLs)   PHILIPS SAYS COPY&#45;PROTECTED CDS HAVE NO FUTURE (Head&#45;Fi, 2 Jan. 2002)&#8212;Philips, the inventor of the Compact Disc, does not expect controversial attempts by the music industry to introduce CD &#8220;copy protection&#8221; technologies to last very long, because of consumer complaints. 
Philips is opposed to the use of copy protection systems. The technology is designed to stop CDs playing or being copied on personal computers but it can also prevent them from playing on many normal systems. As inventor of the CD standard and the industry&#8217;s licensing body, Philips could refuse to license such copy protected discs as genuine CDs, or pursue some other legal obstruction to the practice. But Gary Wirtz, general manager of the Philips Copyright Office at its headquarters in the Netherlands, believes that copy protection technology will fail all by itself. &#8220;Any kind of legal action would take years and we don&#8217;t expect these [discs] to last that long,&#8221; Wirtz told New Scientist. &#8220;At the moment we are trying to reason with people rather than sue them.&#8221; Wirtz believes that consumer complaints should put music companies off the technique. He adds: &#8220;It&#8217;s not going to work, because any hacker can still make copies. It&#8217;s only going to affect legitimate consumers and we know there have already been considerable complaints.&#8221;   top    E&#45;MAIL OVERLOAD IS A MYTH, STUDY SAYS (Washington Post, 9 Dec 2002)&#8212;Most American workers are not&#8212;repeat not&#8212;overwhelmed by stuffed e&#45;mail inboxes or vast amounts of spam, according to a new study that contradicts conventional wisdom that e&#45;mail has become a major burden on people&#8217;s lives. About 60 percent of workers surveyed for the study by the Washington&#45;based Pew Internet &amp; American Life Project said they receive an average of 10 or fewer messages per day. Pew&#8217;s conclusions, however, do not match the findings of other organizations that study Internet use. &#8220;It makes no sense to me,&#8221; said Maurene C. Grey, research director of Gartner Inc., a research firm in Stamford, Conn. &#8220;We&#8217;ve found workers are extremely overloaded. My gut reaction was who in the world were they interviewing? 
I would seriously question the results of that study.&#8221; http://www.washingtonpost.com/wp&#45;dyn/articles/A24684&#45;2002Dec7.html  [Editor&#8217;s note (2002): Time travel&#8212;that&#8217;s the only explanation. Pew somehow interviewed email users in 1996.]   top</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2012-11-30T17:37:00-07:00</dc:date>
    </item>

    <item>
      <title>MIRLN &#45;&#45;&#45; 21 October – 10 November 2012 (v15.15)</title>
      <link>http://www.knowconnect.com/mirln/article/mirln_21_october_10_november_2012_v1515/</link>
      <guid>http://www.knowconnect.com/mirln/article/mirln_21_october_10_november_2012_v1515/#When:16:27:00Z</guid>
      <description>MIRLN &#45;&#45;&#45; 21 October &#45; 10 November 2012 (v15.15) &#45;&#45;&#45; by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley  #mirln)   permalink    NEWS  | PODCASTS  | RESOURCES  | FUN  | LOOKING BACK  | NOTES    Cyberattacks in U.S. Cost an Average $8.9 Million Annually to Clean Up, Study Says    Cyber Pain is Insurers&#8217; Gain    Pacemaker Hack Can Deliver Deadly 830&#45;Volt Jolt    Outsourcing Privacy    Pinterest: Fair Use of Images, Building Communities, Fan Pages, Copyright    A Healthy Reminder From Amazon: You Don&#8217;t Buy Ebooks, You Rent Them    FTC Recommends Best Practices for Companies That Use Facial Recognition Technologies    Hebrew U. Loses Lawsuit Over Einstein&#8217;s Image    The Use and the Fury: Faulkner Estate&#8217;s New Enforcement Efforts    Stupid Lawyer Tricks (And How the PTO Could Help Stop Them)    Risks of Data Portability    Study Finds Significant Juror Interest In Internet, But No Use &#45; Yet    Court Instructs Parties to Utilize Predictive Coding, Requires Show of Cause to Avoid It    MOOCs for Credit    Why We Have an Open Wireless Movement    EFF Launches New Transparency Project    Court OKs Warrantless Use of Hidden Surveillance Cameras    How to Get Your Readers to Love Paywalls    Minneapolis Police Pushing for More License Plate Data Privacy    Another Court Finds Online Statements With Links Are Not Defamatory    Coke Gets Hacked and Doesn&#8217;t Tell Anyone    New Twitter Policy Lets Users See Tweets Pulled Down for Copyright    Verdict Is Out on Virtual Lawyers, But Firms Find Fewer Objections    The FISA Amendments Act Authorizes Warrantless Spying on Americans    Attorney SEO to be Addressed by Florida Bar    Social Media, Growing in Legal Circles, Find a Role in Florida Murder Case    The Lawfare Wiki Document Library            Cyberattacks in U.S. 
Cost an Average $8.9 Million Annually to Clean Up, Study Says   (Network World, 8 Oct 2012) &#45; According to a survey of 56 corporate and governmental organizations conducted by the Ponemon Institute, the average amount they paid for all the costs associated with cyberattacks was $8.9 million during the past year. That&#8217;s up 6% from the previous year&#8217;s study. And for the first time, Ponemon expanded the survey to other countries, including the United Kingdom, Germany, Australia and Japan. Costs ascribed to cyberattacks in those locales were significantly lower: $5.9 million in Germany and $5.1 million in Japan, for example. The study, sponsored by HP Enterprise Security, offers some explanation for why the U.S. cybercrime figure is far higher. &#8220;We found that U.S. companies were much more likely to experience the most expensive types of cyber attacks, which are malicious insiders, malicious code and web&#45;based incidents,&#8221; the report says. In the U.K. and Australia, where cybercrime costs per year were $3.2 million and $3.3 million respectively, denial&#45;of&#45;service attacks were more commonplace. German companies were the least likely to experience malicious code and denial&#45;of&#45;service, while Japanese companies were least likely to experience malicious insiders and Web&#45;based attacks. The study cited five &#8220;external&#8221; cost factors associated with cybercrime: business disruption, information loss or theft, revenue loss, equipment damages and &#8220;other.&#8221; The &#8220;internal cost&#8221; factors were detection, investigation and escalation, containment, recovery and subsequent efforts to ward off future attacks.   
top       Cyber Pain is Insurers&#8217; Gain   (Australian Financial Review, 16 Oct 2012) &#45; Major Australian companies are scrambling to secure cyber insurance to cover themselves for hundreds of millions of dollars in losses in the wake of the Alan Jones social media campaign and a string of shareholder class actions for data security breaches. In a flying visit to Australia, global cyber insurance practice leader at insurance giant Aon, Kevin Kalinich, has met with leading Australian companies across banking, superannuation, retail and healthcare, as they hit the panic button over new technology risks. Cyber insurance has exploded from a $200 million market just four years ago and is soon expected to reach $1 billion a year in premiums. &#8220;The top 70 advertisers for the radio station had attacks on their emails, on their social media systems, on their call centres, so the developments in technology has created new exposures that were not present 10 years ago, five years ago, even three years ago,&#8221; Mr Kalinich said. &#8220;There are a number of cases going through the courts now where insurers are denying coverage rather than willingly paying for a large catastrophic loss [unless they have specific cyber insurance],&#8221; Mr Kalinich said. The companies Aon met this week are taking up coverage of up to $100 million &#45; the average loss in Australia for a data breach is $2.16 million &#45; but are increasingly seeking to ensure they are covered for social media risks as well, including Facebook, Twitter and the risk of online activists. &#8220;If you can demonstrate to the underwriters that you have good training and practices with your employees, then you can cover defamation, slander, libel, copyright, trademark. They can be included in the cyber liability placement but you have to have good practices in place,&#8221; he said.     
top     Pacemaker Hack Can Deliver Deadly 830&#45;Volt Jolt   (Computerworld, 17 Oct 2012) &#45; Pacemakers from several manufacturers can be commanded to deliver a deadly, 830&#45;volt shock from someone on a laptop up to 50 feet away, the result of poor software programming by medical device companies. The new research comes from Barnaby Jack of security vendor IOActive, known for his analysis of other medical equipment such as insulin&#45;delivering devices. Several medical manufacturers are now selling bedside transmitters that replace the wand and have a wireless range of up to 30 to 50 feet. In 2006, the U.S. Food and Drug Administration approved full radio&#45;frequency based implantable devices operating in the 400MHz range, Jack said. With that wide transmitting range, remote attacks against the software become more feasible, Jack said. Upon studying the transmitters, Jack found the devices would give up their serial number and model number after he wirelessly contacted one with a special command. With the serial and model numbers, Jack could then reprogram the firmware of a transmitter, which would allow reprogramming of a pacemaker or ICD in a person&#8217;s body. A successful attack using the flaw &#8220;could definitely result in fatalities,&#8221; said Jack, who has notified the manufacturers of the problem but did not publicly identify the companies. In a video demonstration, Jack showed how he could remotely cause a pacemaker to suddenly deliver an 830&#45;volt shock, which could be heard with a crisp audible pop.   top       Outsourcing Privacy   (InsideHigherEd, 22 Oct 2012) &#45; After several years of negotiating, a dozen colleges have reached an agreement with Microsoft that could inspire more institutions to outsource their internal communications and data storage systems to the company and its far&#45;flung servers &#45; even when those systems hold sensitive student and research data. 
Since 2010  Microsoft had been in talks with a dozen universities about drawing up a standard contract  that would address colleges and universities&#8217; obligations to federal privacy laws such as the Family Education Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act (HIPAA). The idea was to eliminate the tedium and expense of negotiating around these compliance issues with each and every university client. Now, after several years, those talks have finally borne fruit, according to Tracy Futhey, the chief information officer at Duke University. Microsoft on Friday announced that it had signed up Duke, Emory and Thomas Jefferson Universities and the Universities of Iowa and Washington for its new, cloud&#45;based e&#45;mail and work software, Office365. The deals will save the universities on infrastructure costs by migrating various internal communication and data systems to Microsoft&#8217;s servers &#45; a move that would have been virtually impossible without resolving FERPA and HIPAA concerns.   top       Pinterest: Fair Use of Images, Building Communities, Fan Pages, Copyright   (Berkman&#8217;s CMLP, 22 Oct 2012) &#45; When using Pinterest (and Flickr and YouTube and Facebook and on and on), what copyright, fair use, trademark and other issues weigh on building communities and corporate use of fan pages and social media generally? A hypothetical &#8220;Company&#8221; has plans for its Pinterest &#8220;community&#8221;, and in particular, wonders about these situations:    Using Images of Identifiable People   Fair Use and Images    &#183; Trademarks: When is a &#8220;Fair Use&#8221; Argument Strongest?   &#183; Why Attribution and Linking to Original Sources is Important   3 introductory questions: Question #1 : Someone used to be a paid Company sponsor or spokesperson. They are no longer. Can the Company continue to post a photo of the old sponsor to Pinterest? 
Short Answer: If the contract with the sponsor expressly permits it, yes. Ordinarily, the contract would specify engagement for limited time, and that would prohibit rights to use images beyond the contract period. But it really depends on what the contract says. Question #2 : Can the Company post a photo of a fan of the Company? Short Answer: Express consent is required, either through a release or the fan&#8217;s agreement (whenever the photo is submitted) to terms of service. Exceptions are discussed below. Question #3 : Can the Company post a photo of a Coca&#45;Cola bottle on its Pinterest page? Short Answer: If the use of the image does not suggest (implicitly or explicitly) endorsement or association, then yes. Below is discussion of these issues, with &#8220;Guidelines&#8221; at the end.   top       A Healthy Reminder From Amazon: You Don&#8217;t Buy Ebooks, You Rent Them   (GigaOM, 22 Oct 2012) &#45; Sometimes the language we use fails to capture the essence of what we&#8217;re doing when we are online, or lulls us into a false sense of security about our behavior and what it means. For example, we&#8217;ve gotten pretty used to the idea that we can &#8220;buy&#8221; ebooks from Amazon: we just click a button and pay with a credit card and there it is on our Kindle. Except that we aren&#8217;t really buying it in the traditional sense of the word; we are merely renting it, or paying for access to it under a specific set of circumstances &#45; and a recent incident in which  a woman&#8217;s account was blocked and all of her books removed  without explanation is a healthy reminder of that. Norwegian technology blogger Martin Bekkelund describes how his friend Linn Jordet Nygaard found that her Amazon account had been shut down and access  to all of her Kindle books (about 60 of them) had been blocked. 
Although some initial reports said that her books had been wiped from her device remotely &#45; echoing an earlier incident several years ago, in which Amazon  deleted copies of 1984  and Animal Farm  from users&#8217; Kindles  because of a licensing error &#45; it later emerged that Nygaard&#8217;s Kindle had malfunctioned, but she still wasn&#8217;t able to access her books even through her account.   top           FTC Recommends Best Practices for Companies That Use Facial Recognition Technologies   (FTC, 22 Oct 2012) &#45; The Federal Trade Commission today released a staff report &#8220;Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies&#8221;  for the increasing number of companies using facial recognition technologies, to help them protect consumers&#8217; privacy as they use the technologies to create innovative new commercial products and services. Facial recognition technologies have been adopted in a variety of contexts, ranging from online social networks and mobile apps to digital signs, the FTC staff report states. They have a number of potential uses, such as determining an individual&#8217;s age range and gender in order to deliver targeted advertising; assessing viewers&#8217; emotions to see if they are engaged in a video game or a movie; or matching faces and identifying anonymous individuals in images. Facial recognition also has raised a variety of privacy concerns because &#45; for example &#45; it holds the prospect of identifying anonymous individuals in public, and because the data collected may be susceptible to security breaches and hacking.   top           Hebrew U. Loses Lawsuit Over Einstein&#8217;s Image   (InsideHigherEd, 23 Oct 2012) &#45; A federal judge has rejected a lawsuit by Hebrew University of Jerusalem against GM for the auto company&#8217;s use of an Albert Einstein image pasted onto a muscled physique,  The Detroit News   reported. 
Hebrew University said that Einstein&#8217;s will gave it rights to the use of his image. In this case GM used the image in an ad that ran in People  magazine with the tag line &#8220;Ideas are sexy too.&#8221; Judge Howard Matz ruled that GM was within its rights. &#8220;[Einstein] did become the symbol and embodiment of genius. His persona has become thoroughly ingrained in our cultural heritage. Now, nearly 60 years after his death, that persona should be freely available to those who seek to appropriate it as part of their own expression, even in tasteless ads,&#8221; he ruled.   top    &#45; and &#45;      The Use and the Fury: Faulkner Estate&#8217;s New Enforcement Efforts   (Baker &amp; Hostetler, 4 Nov 2012) &#45; In a pair of lawsuits filed about a week ago, Faulkner Literary Rights, LLC (&quot;Faulkner Literary&quot;), the owner of the literary rights to the late William Faulkner&#8217;s works, sued Sony Picture Classics (&quot;Sony&quot;), as well as Northrop Grumman Corporation (&quot;Northrop Grumman&quot;) and Washington Post Company (&quot;Washington Post&quot;) in the federal district court for the district of Mississippi. In both cases, Faulkner Literary brought claims for copyright infringement, unfair competition under the Lanham Act and state law claims for quotations from Faulkner&#8217;s works. In the first lawsuit, Faulkner Literary claims that Woody Allen&#8217;s latest hit, Midnight in Paris uses, without authorization, a quote from the Faulkner novel Requiem for a Nun. The line in Requiem for a Nun&#45;a book approximately 250 pages long&#45;is &#8220;The past is never dead. It&#8217;s not even the past.&#8221; In Midnight in Paris, the lead character, Gil Pender, played by Owen Wilson, is able to time travel between current day Paris and Paris of the 1920&#8217;s. At one point he exclaims: &#8220;The past is not dead! Actually, it&#8217;s not even past. You know who said that? Faulkner. And he was right. And I met him, too. 
I ran into him at a dinner party.&#8221; Midnight in Paris lasts 94 minutes, and the accused dialogue only a few seconds.   top    &#45; and &#45;      Stupid Lawyer Tricks (And How the PTO Could Help Stop Them)   (EFF, 30 Oct 2012) &#45; We&#8217;ve seen some absurd trademark threats in recent years, but this one sets the bar at a new low: The Village Voice is suing  Yelp for trademark infringement based on Yelp&#8217;s creation of various &#8220;Best of&#8221; lists. Yes, that&#8217;s correct, the publisher behind the paper (as well as several other weeklies around the U.S.) has managed to register trademarks in the term &#8220;Best of&#8221; in connection with several cities, including San Francisco, Miami, St. Louis and Phoenix. And it now claims that Yelp&#8217;s use of those terms infringes those trademarks and deceives consumers. Right. First, a practical question: deceives consumers about what? Trademark law is supposed to ensure that consumers can trust that the goods and services they buy come from the sources they expect, e.g., that the Pepsi you just bought really was manufactured by Pepsi. That helps consumers, because it gives mark&#45;owners an incentive to maintain the expected level of quality. And it helps mark&#45;owners, because they can build customer loyalty and good will. But you don&#8217;t need a survey or even a lawyer to figure out that no one actually thinks the Village Voice is associated with Yelp because both publish &#8220;best of&#8221; lists &#45; not least because no one associates the term &#8220;Best of&#8221; with any particular news source. Second, the more important question: What is going on at the Patent and Trademark Office? For decades, folks have been complaining (with good reason) that the patent examiners need to do a better job of screening out bogus patent applications. It&#8217;s clear that the problem extends to the trademark side as well. 
The PTO has allowed companies and individuals to register marks in any number of obviously generic and/or descriptive terms, such as &#8220;urban homestead&#8221; (to refer to urban farms), &#8220;gaymer&#8221; (to refer to gay gamers), and &#8220;B&#45;24&#8221; (to refer to model B&#45;24 bombers). Once a mark is registered, it is all too easy for the owner to become a trademark bully. And while companies like Yelp have the resources to fight back (as we expect it will), small companies and individuals may not. Just as dangerous, the trademark owner may go upstream, to intermediaries like Facebook who have little incentive to do anything other than take down an account or site that&#8217;s accused of infringement.   top           Risks of Data Portability   (Bruce Schneier, 24 Oct 2012) &#45; Peter Swire and Yianni Lagos have pre&#45;published  a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general.  ...Article 18 poses serious risks to a long&#45;established E.U. fundamental right of data protection, the right to security of a person&#8217;s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual&#8217;s lifetime of data must be exported &#8216;without hindrance,&#8217; then one moment of identity fraud can turn into a lifetime breach of personal data.  They have a point. If you&#8217;re going to allow users to download all of their data with one command, you might want to double&#45; and triple&#45;check that command. Otherwise it&#8217;s going to become an attack vector for identity theft and other malfeasance.   
top       Study Finds Significant Juror Interest In Internet, But No Use &#45; Yet   (Berkman&#8217;s CMLP, 25 Oct 2012) &#45;  A survey of jurors from 15 trials  has found that jurors generally understand instructions not to use the Internet or social media to research or communicate about trials, but also that many jurors wish they could use technology to do some sort of research about the cases they sat on. Very few, however, reported that they had violated admonishments not to research or discuss the case with others prior to deliberations, and all of these involved pre&#45;deliberation discussions with either fellow jurors or family members. None involved the internet or social media. questioned impaneled jurors from six criminal and nine civil trials, as well as jurors from the voir dire phase (i.e., including those both ultimately chosen to serve on the jury and those that were not) of these trials plus an additional seven civil cases that settled during jury selection. In all the cases, the jurors were instructed during voir dire and trial not to use the internet or social media to research or communicate about the case. The majority of jurors reported in the survey that they understood these admonitions. Among prospective jurors, 87 percent understood that they should not use the internet or social media to communicate with friends or family or to post information about the case, and two&#45;thirds said that researching the case online would violate the judges&#8217; instructions. But that did not mean that they did not want to. Significant percentages of prospective jurors said they wished they could use the internet to research legal terms (44 percent), the case itself (26 percent), the parties (23 percent), the lawyers (20 percent), the judge (19 percent), the witnesses (18 percent), and fellow jurors (7 percent). 
Eight percent wanted to be able to e&#45;mail family and friends about the case, five percent wanted to connect with a fellow juror online, and three percent wanted to connect with another trial participant. Three percent each wanted to be able to tweet or blog about the trial, and two percent wanted to post something about the trial on a social networking site.     top       Court Instructs Parties to Utilize Predictive Coding, Requires Show of Cause to Avoid It   (KL Gates, 26 Oct 2012) &#45; Following argument on partial summary judgment and a motion to dismiss in the Delaware Court of Chancery on Monday, Vice Chancellor J. Travis Laster turned to the topic of a scheduling order and, apparently without outside provocation, addressed the issue of predictive coding: The Court :  Thank you. Why don&#8217;t you all talk about a scheduling order for the litigation on the counterclaims. This seems to me to be an ideal non&#45;expedited case in which the parties would benefit from using predictive coding. I would like you all, if you do not want to use predictive coding, to show cause why this is not a case where predictive coding is the way to go.     I would like you all to talk about a single discovery provider that could be used to warehouse both sides&#8217; documents to be your single vendor. Pick one of these wonderful discovery super powers that is able to maintain the integrity of both side&#8217;s documents and insure that no one can access the other side&#8217;s information. If you cannot agree on a suitable discovery vendor, you can submit names to me and I will pick one for you.    top           MOOCs for Credit   (InsideHigherEd, 29 Oct 2012) &#45; Coursera, the largest provider of massive open online courses (MOOCs), has entered into a contract to license several of the courses it has built with its university partners to Antioch University, which would offer versions of the MOOCs for credit as part of a bachelor&#8217;s degree program. 
The deal represents one of the first instances of a third&#45;party institution buying permission to incorporate a MOOC into its curriculum&#8212;and awarding credit for the MOOC&#8212;in an effort to lower the full cost of a degree for students. It is also a first step for Coursera and its partners toward developing a revenue stream from licensing its courses. &#8220;It&#8217;s a very different kind of arrangement than our university partnerships,&#8221; says Daphne Koller, a Coursera co&#45;founder, who along with her co&#45;founder Andrew Ng has signed deals to host MOOCs from 33 universities on Coursera&#8217;s platform. Antioch will pay Coursera an undisclosed amount for permission to use several courses, including ones from Duke University and the University of Pennsylvania. The company will share that revenue with the universities, which own intellectual property rights for their courses as part of their contracts with Coursera.   top       Why We Have an Open Wireless Movement   (EFF, 30 Oct 2012) &#45; In troubled times, it&#8217;s important to help each other out. Right now, we&#8217;re witnessing an unprecedented hurricane hitting the Eastern Seaboard of the United States, and the ensuing damage and power outages are crippling rescue efforts, businesses large and small, and personal communications. Communication is critical in time of crisis, and the Internet allows for the most effective way of getting information in and out. With readily available networks, government officials could use tools like Twitter to quickly spread information, citizen reports could help focus assistance where it is needed most, and social media updates could help reassure friends and loved ones&#45;keeping mobile phone lines open for emergencies. To take advantage of the Internet, people should not have to attempt to skirt restrictive Terms of Service to attempt to  tether their smartphones  . 
And tethering would not be necessary if there were ubiquitous open wireless, so that anyone with a connection and power can share their network  with the neighborhood. Last year, we wrote a post titled &#8220;Why We Need An Open Wireless Movement.&#8221;  Today, EFF is proud to announce the launch of the Open Wireless Movement&#45;located at openwireless.org &#45;a coalition effort put forth in conjunction with nine other organizations: Fight for the Future, Free Press, Internet Archive, NYCwireless, the Open Garden Foundation, OpenITP, the Open Spectrum Alliance, the Open Technology Institute, and the Personal Telco Project.   top        &#45; and &#45;      EFF Launches New Transparency Project   (EFF, 2 Nov 2012) &#45; From cell phone location tracking to the use of surveillance drones, from secret interpretations of electronic surveillance law to the expanding use of biometrics, EFF has long been at the forefront of the push for greater transparency on the government&#8217;s increasingly secretive use of new technologies. With the launch of our new Transparency Project, we&#8217;ve made the information we&#8217;ve received easier to access and added new tools to help you learn about the government and file your own requests for information. The new name&#45;Transparency Project&#45;reflects the fact that EFF&#8217;s work has expanded far beyond filing and litigating federal Freedom of Information Act requests. While that work still makes up a solid core of what our Transparency Team does, we also seek information from state and local governments, regularly report on transparency issues more broadly, and provide tools to help you find out more about our government and what it&#8217;s up to. The new Transparency Project section of our website helps to promote these goals. 
Some of the new features include: * * *   top       Court OKs Warrantless Use of Hidden Surveillance Cameras   (CNET, 30 Oct 2012) &#45; Police are allowed in some circumstances to install hidden surveillance cameras on private property without obtaining a search warrant, a federal judge said yesterday. CNET has learned that U.S. District Judge William Griesbach  ruled that it was reasonable for Drug Enforcement Administration agents to enter rural property without permission&#8212;and without a warrant&#8212;to install multiple &#8220;covert digital surveillance cameras&#8221; in hopes of uncovering evidence that 30 to 40 marijuana plants were being grown. Yesterday Griesbach adopted a recommendation by U.S. Magistrate Judge William Callahan dated October 9. That recommendation said that the DEA&#8217;s warrantless surveillance did not violate the Fourth Amendment , which prohibits unreasonable searches and requires that warrants describe the place that&#8217;s being searched. Two defendants in the case, Manuel Mendoza and Marco Magana of Green Bay, Wis., have been charged with federal drug crimes after DEA agent Steven Curran claimed to have discovered more than 1,000 marijuana plants grown on the property, and face possible life imprisonment and fines of up to $10 million. Mendoza and Magana asked Callahan to throw out the video evidence on Fourth Amendment grounds, noting that &#8220;No Trespassing&#8221; signs were posted throughout the heavily wooded, 22&#45;acre property owned by Magana and that it also had a locked gate. Callahan based his reasoning on a 1984 Supreme Court case called Oliver v. United States , in which a majority of the justices said that &#8220;open fields&#8221; could be searched without warrants because they&#8217;re not covered by the Fourth Amendment. What lawyers call &#8220; curtilage ,&#8221; on the other hand, meaning the land immediately surrounding a residence, still has greater privacy protections. 
&#8220;Placing a video camera in a location that allows law enforcement to record activities outside of a home and beyond protected curtilage does not violate the Fourth Amendment,&#8221; Justice Department prosecutors James Santelle and William Lipscomb told Callahan. As digital sensors become cheaper and wireless connections become more powerful, the Justice Department&#8217;s argument would allow police to install cameras on private property without court oversight&#8212;subject only to budgetary limits and political pressure.   top           How to Get Your Readers to Love Paywalls   (PaidContent, 31 Oct 2012) &#45; Okay, maybe &#8220;love&#8221; is too strong a word, but a new study suggests that newspapers enacting paywalls should emphasize financial need, not profit motives, when announcing them to readers. The study, &#8220;Paying for What Was Free: Lessons from the New York Times Paywall,&#8221; is by Columbia University associate research scientist Jonathan Cook and Indiana University assistant professor Shahzeen Attari. They surveyed 954 New York Times  readers shortly after the paper announced, in March 2011, that it would enact a metered paywall, and then again 11 weeks after the paywall was implemented. In the post&#45;paywall survey, participants read one of two &#8220;justification&#8221; paragraphs, one emphasizing a profit motive and one emphasizing financial need (that paragraph concluded, &#8220;if the NY Times does not implement digital subscriptions, the likelihood that it will go bankrupt seems high&#8221;). Participants then &#8220;rated how the information changed their support for the paywall and their willingness to pay.&#8221; The results showed that &#8220;When participants were provided with a compelling justification for the paywall &#45; that the NYT was likely to go bankrupt without it &#45; their support and willingness to pay increased. 
In contrast, when participants were provided with a justification that emphasized financial stability, their support and willingness to pay decreased.&#8221;   top       Minneapolis Police Pushing for More License Plate Data Privacy   (ArsTechnica, 1 Nov 2012) &#45; A Minneapolis municipal committee is now advocating on behalf of local police  for a change in Minnesota&#8217;s state law concerning the right to access data collected from license plate readers (LPRs). For now, the city maintains a massive database collected from its 11 LPR readers that hold each license plate number seen, along with the corresponding GPS location data, date, and time for the previous 90 days. In a meeting Thursday, the Committee of the Whole Agenda heard discussions regarding a new proposal from the city police department that would restrict access to license plate reader records. Under the proposed rules, only the police would have access to the entire database, and a non&#45;police individual would only be able to access the data that pertained to his or her car. Currently, a rather liberal open records state law known as the Data Practices Act  makes all government data public by default. If approved by the Minneapolis city council, such changes could be put forward to the state legislature as soon as next year. As we reported  earlier this year, license plate readers are largely on an unchecked rise throughout the United States. Millions of new records are collected by law enforcement agencies on a daily basis, often with little oversight. The new proposal comes after increased scrutiny over the practice in Minneapolis, after a local reporter managed to track the mayor&#8217;s movements  in August 2012 by filing a request with the police.   top       Another Court Finds Online Statements With Links Are Not Defamatory   (Eric Goldman&#8217;s blog, 1 Nov 2012) &#45; Eric posted about Redmond v. 
Gawker Media, a California case where the court found that use of links by a Gawker author helped defeat a claim for defamation. This case reaches a similar result. Seldon, proceeding pro se, sued Compass Restaurant and several Jane Does (including an email address) for disseminating an email that allegedly contained multiple defamatory statements about him. You can click through to the decision to see the statements, but among other things the email calls him a &#8220;serial suer, scammer, spammer, embezzler, and revenge artist.&#8221; The email offered a few &#8220;supporting links,&#8221; including an LA Times Article, a few links from Justia, one from Pacer, and one from WIPO. The court says that in determining whether a statement is actionable or a mere statement of opinion, the court looks to the statement overall, in context. An opinion can still be actionable if it implies a basis on undisclosed facts. On the other hand, a statement of opinion that discloses background facts is not actionable. In fact, these statements are more likely to be understood by the audience as mere conjecture. The court concludes (citing to Sandals Resort v. Google) that the statement in this case falls in the latter category. It is accompanied by articles in the form of links, and the email expressly says that it contains &#8220;supporting links&#8221;. Like the Gawker ruling Eric blogged about, this is a great result for bloggers, and anyone who traffics in links and commentary online. It&#8217;s also a good illustration of how the context rule plays out online. (See also &#8220;A Twitter Exception for Defamation?&#8221;)   top       Coke Gets Hacked and Doesn&#8217;t Tell Anyone   (Bloomberg, 4 Nov 2012) &#45; FBI officials quietly approached executives at Coca&#45;Cola Co. (KO) on March 15, 2009, with some startling news. 
Hackers had broken into the company&#8217;s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time. Coca&#45;Cola, the world&#8217;s largest soft&#45;drink maker, has never publicly disclosed the loss of the Huiyuan information, despite its potential effect on the deal. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees&#8212;and in some cases even from senior executives. When hackers last year waged a large&#45;scale attack on BG Group Plc (BG/), raiding troves of sensitive data, the British energy company never made it public. Luxembourg&#45;based steel maker ArcelorMittal (MT) also kept mum when intruders targeted, among others, its executive overseeing China. As did Chesapeake Energy Corp. (CHK), after cyber attackers made off with files from its investment banking firm about natural gas leases that were up for sale. &#8220;Investors have no idea what is happening today,&#8221; says Jacob Olcott, a former cyber policy adviser to the U.S. Congress. &#8220;Companies currently provide little information about material events that occur on their networks.&#8221; In the U.S., the Securities and Exchange Commission last year said  that companies are required to report any material losses from such attacks, and any information &#8220;a reasonable investor would consider important to an investment decision.&#8221; To gain access to confidential deal information, hackers often target links in a chain of outside organizations that handle such information on the company&#8217;s behalf, such as banks and law firms. 
China&#45;based cyberthieves, for instance, hacked into the computer networks of seven law firms in 2010 to get more information about BHP Billiton Ltd.&#8217;s ultimately unsuccessful $40 billion bid to acquire Canadian company Potash Corp. of Saskatchewan, Inc., Bloomberg reported in January. Intruders took a similar approach last year in a breach that ultimately targeted Chesapeake Energy, the second&#45;largest U.S. natural gas producer, according to a person familiar with the situation and computer logs viewed by Bloomberg News. The logs indicate that Comment group obtained information about Chesapeake&#8217;s efforts to sell natural&#45;gas leases by hacking into an office of Jefferies Group Inc. (JEF), which is advising on the sales.  [Polley: long, interesting story. The timing is co&#45;incident with other testimony before the US Senate about the complete penetration of a US law firm&#8217;s files by Chinese actors; same event?]           New Twitter Policy Lets Users See Tweets Pulled Down for Copyright   (GigaOM, 4 Nov 2012) &#45; Twitter has made a significant shift in how it responds to copyright complaints. In the past, such complaints caused tweets to vanish without a trace but now people can see the place where a tweet once stood &#45; and the reaction to its disappearance. The tweet announcing the policy suggested it was in the name of &#8220;#transparency.&#8221; This is consistent with other efforts by Twitter to shine light on a copyright process that critics say is susceptible to abuse by content owners. In January, for instance, Twitter published 4,410 DMCA takedown requests it received in the previous year.           Verdict Is Out on Virtual Lawyers, But Firms Find Fewer Objections   (WSJ, 5 Nov 2012) &#45; Uncertainty about the impact of the presidential election has sent Americans searching for legal advice about everything from green&#45;card sponsorship rules to possible changes to the estate tax. 
To the surprise of many in the legal establishment, a growing number of those help&#45;seekers are getting their guidance online. In recent years, Web&#45;based attorneys have gone mainstream, with pitches aimed at the cost&#45;conscious. And while critics question whether their advice hits the mark, they concede the online model can work in some relatively simple situations. An in&#45;office consultation can cost as much as $1,000 an hour, though rates vary depending on location and a lawyer&#8217;s area of expertise. Attorneys on San Francisco&#45;based Pearl.com, in contrast, charge an average of $30 to $40 to answer a range of questions, many of which are basic preliminary inquiries (example: &#8220;What&#8217;s the difference between a will and a trust?&#8221;). At Avvo.com, based in Seattle, attorneys provide advice at no cost to promote their practices, and the site makes money through advertising and enhanced listings. For the lawyers, the advantages include savings on overhead, and the possibility of luring more substantial business from customers satisfied with the short answers. Perhaps more disconcerting to purists, some leading players aren&#8217;t exclusively law&#45;focused. Pearl.com, which says its annual revenue now tops $100 million, also offers assistance from computer technicians and relationship counselors. Avvo.com proffers legal help alongside medical and dental advice (legal questions account for about 80% of its traffic).           The FISA Amendments Act Authorizes Warrantless Spying on Americans   (Stanford, 5 Nov 2012) &#45; Next week, the lame duck Congress will take up the issue of whether to extend the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) of 2008. The House of Representatives passed a five year extension, but during the floor debate on that bill, lawmakers demonstrated a fundamental misunderstanding about how the FAA affects the privacy of Americans on American soil. 
Before rubber&#45;stamping the bill, lawmakers in the Senate have the opportunity to address the misunderstanding and better protect American privacy. This post is the first in a series. * * *  [Polley: author Jennifer Granick provides a thoughtful, thorough parsing of the law. In a related vein, see &#8220;Looking Back&#8221; below, for 2 ten&#45;year&#45;old stories on the subject.]           Attorney SEO to be Addressed by Florida Bar   (Lawyerist.com, 5 Nov 2012) &#45; As reported by Gary Blankenship in Lawyers must take care on how they drive traffic to their websites: &#8220;Using secretive techniques to lure Internet users to a law firm website with false or deceptive information is wrong, members of the Bar&#8217;s Standing Committee on Advertising agree, but the committee wants more time to research the technical issues before approving an advisory opinion.   The committee met September 20 at the Bar&#8217;s Midyear Meeting in Orlando and reviewed a proposed advertising advisory opinion that addressed hidden text and meta tags (words on a webpage that are not visible to the viewer).&#8221;  But there&#8217;s just one problem. These folks don&#8217;t really seem to know SEO. For example, they seem to imply that the use of the keywords meta tag can be used to optimize positions in search engine results. However, the keywords meta tag is not used by search engines (at least not by Google, at least not since 2009) to rank sites.            Social Media, Growing in Legal Circles, Find a Role in Florida Murder Case   (NYT, 6 Nov 2012) &#45; When Mark O&#8217;Mara agreed to defend George Zimmerman in the Trayvon Martin murder case, one of his first major decisions was to embrace the Internet. He set up a legal defense Web site for his client, a Twitter page and a Facebook account, all with the purpose of countering what he called the &#8220;avalanche of misinformation&#8221; about the case and Mr. Zimmerman. 
It was a risky move, unorthodox for a criminal defense lawyer, legal experts said, but a bold one. Late last month, the judge in the case, rebuffing the prosecution, allowed Mr. O&#8217;Mara to keep the online presence. In so doing, the judge sanctioned the use of social media in a high&#45;profile murder case that was already steeped in the power of Facebook, Twitter and blogs. Not long after Mr. Martin was shot and killed, protesters took their cues from Facebook and demonstrated across the country. Angry words coursed through Twitter. Mr. Zimmerman, in hiding, started a Web site to raise money. The Martin family&#8217;s lawyers, who made ample use of traditional media, used Twitter to bring attention to Mr. Martin&#8217;s death. Social media is playing a role in the courtroom, too. Mr. O&#8217;Mara wants to use Mr. Martin&#8217;s Facebook page and Twitter feed to bolster Mr. Zimmerman&#8217;s claim of self&#45;defense. But he will most likely face a protracted battle to authenticate the material, in part because Mr. Martin is no longer alive. Last month, the judge allowed Mr. O&#8217;Mara to subpoena Twitter and Facebook for the information. In ways large and small, the State of Florida v. George Zimmerman is serving as a modernized blueprint for deploying social media in a murder case.       The Lawfare Wiki Document Library   (Lawfare, 8 Nov 2012) &#45; The next big phase of Lawfare expansion involves the creation of a large document library&#45;a kind of one&#45;stop&#45;shopping for primary source material in the field of national security law. We are building this library as a wiki in collaboration with the Harvard Law School National Security Research Committee (NSRC), a student practice organization that provides legal research services for academics and policymakers on a variety of national security law issues. 
The library will be a searchable database of primary source material built in large measure by the Lawfare reader community and curated by Lawfare and the NSRC as a research tool for the scholarly, journalistic, and research communities. Having built the technical architecture, we are now engaged in an early phase of the project&#45;which involves seeding the wiki with a core body of important documents in the field: cases, treaties, statutes, etc. Each document will be accompanied by a summary that explains what it is and why it&#8217;s important&#45;a summary that the reader community will then be able to edit and expand upon by adding links to major scholarly treatments and the like. We want your help with this initial phase. The more people we can get to summarize documents, the more quickly we can build a first&#45;rate resource that we can then open up to a wider group of contributors. If you&#8217;re interested in contributing to the document wiki, send an email to Julia Lohmann, Raffaela Wakeman, or Wells Bennett, and they&#8217;ll assign you one to work on.           NOTED PODCASTS    Sending Secrets: Security and Cryptography in a Quantum World   (Santa Fe Institute, 2011; 70 minutes) &#45; Caesar shifted each letter three places in the alphabet. Much of modern computer science was born in the effort to break the Nazi Enigma code, and Cold War spies used code books that fit inside a walnut. Nowadays, the cryptography we depend on every day &#45; for instance, to send our credit card information when we buy something on the Web &#45; relies in turn on the mathematics of prime numbers. But in 1994, Peter Shor discovered that a future quantum computer could crack our cryptosystems by breaking large numbers into their prime factors. Cris will start by describing how these cryptosystems work, and how a quantum computer could break them. (Nothing beyond high&#45;school math, he promises!) 
He&#8217;ll end by giving a personal view about whether quantum computers can be built &#45; and what kinds of cryptography could remain secure even if and when they are built.  [Polley: This has the first explanation I&#8217;ve understood describing quantum computing, and how it might enable code&#45;breaking. I&#8217;ve just returned from a terrific symposium by the Santa Fe Institute on resilience in complex systems. The Institute is the most catholic, cross&#45;disciplinary gathering I&#8217;ve encountered since the MIT Media Lab, and I strongly encourage you to explore possible collaboration with them.]       RESOURCES    Smart Policies for Smartphones: Acceptable Online Activities During Work Hours   (IBM, 17 Oct 2012) &#45; IBM has published a social media policy that some think is exemplary for any organization that wants to pursue the dual goals of encouraging employees to engage in social media and protecting the organization&#8217;s reputation. Current IBM social computing guidelines are here.       FUN    New Book: Law of Superheroes   (PatentlyO, 25 Oct 2012) &#45; The book that we&#8217;ve all been waiting for is finally out: The Law of Superheroes. I am serious here&#8212;at least that I have been waiting for this book ever since I discussed the project with co&#45;author James Daily a few years ago when he visited the Mizzou campus. Daily and Ryan Davidson have turned their popular blog (lawandthemultiverse.com) into a book published by Gotham Books, a division of Penguin. Daily is a patent attorney and the book answers many IP questions that may have vexed comic book readers:   &#183; Does Batman&#8217;s use of Wayne Enterprises&#8217; advanced technologies to stop crimes (at night) negate patentability?   &#183; Does Spiderman infringe any genetic engineering patents?   &#183; In our universe, the Beatles broke up and John Lennon died. However, there are other (far better) universes where that did not happen. 
What copyright laws would apply when someone wants to distribute copies of the Beatles&#8217; 40th Anniversary Album that was brought back from that alternate universe?   One of the book&#8217;s thirteen chapters focuses on intellectual property. But the book as a whole covers a host of topics ranging from Constitutional law to immigration; from criminal procedure to the legal treatment of non&#45;human intelligence. Great work by Daily and Davidson! I am already looking for Volume II. Law students beware: the book offers a host of original hypothetical questions that would be readily used on final examinations.           LOOKING BACK &#45; MIRLN TEN YEARS AGO   (note: link&#45;rot has affected about 50% of these original URLs)   HOW FAR WILL THE FEDS GO TO PUSH FAVORABLE SURVEILLANCE LAWS? (Steptoe &amp; Johnson&#8217;s e&#45;Commerce law week, 7 Sept 2002)&#8212;A former member of the Justice Department&#8217;s Computer Crime and Intellectual Property Section will reveal in a forthcoming law review article that the Department purposely kept hidden a November 2000 order issued by the only federal Magistrate Judge in San Jose, California. The order determined that the old pen register/trap&#45;and&#45;trace provisions of federal surveillance law applied only to telephones and did not authorize government use of pen registers and trap&#45;and&#45;trace devices with respect to electronic communications (like e&#45;mail). The order squarely contradicted DOJ&#8217;s view of the law. Although this particular issue was resolved in the government&#8217;s favor by the USA PATRIOT Act last fall, it shows how far the government will go to get ISPs to comply with its surveillance orders. Even though the government was aware of the order, it continued to ask ISPs to install surveillances on e&#45;mail communications under the pen/trap provisions and never mentioned the order. 
This should serve as a reminder that, when presented with a surveillance order, ISPs and other companies should undertake an independent evaluation of the order&#8217;s lawfulness rather than simply relying on DOJ&#8217;s interpretation of the law. http://www.steptoe.com/webdoc.nsf/ListServEntry?OpenForm        INTERNET SURVEILLANCE LAW AFTER THE USA PATRIOT ACT: THE BIG BROTHER THAT ISN&#8217;T (Orin S. Kerr&#8212;George Washington University Law School)&#8212;Abstract: This article argues that the common wisdom on the USA Patriot Act is wrong. Far from being a significant expansion of law enforcement powers online, the Patriot Act actually changed Internet surveillance law in only minor ways and added several key privacy protections. The article focuses on three specific provisions of the Patriot Act: the provision applying the pen register law to the Internet, the provisions relating to Carnivore, and the new computer trespasser exception to the Wiretap Act. By explaining the basic framework of surveillance law and applying it to the Patriot Act, the author shows how the Internet surveillance provisions of the Patriot Act updated the law in ways that both law enforcement and civil libertarians should appreciate. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=317501</description>
      <dc:subject>MIRLN</dc:subject>
      <dc:date>2012-11-09T16:27:00-07:00</dc:date>
    </item>

    
    </channel>
</rss>