MIRLN—- 23 October – 12 November 2011 (v14.15)

MIRLN—- 23 October - 12 November 2011 (v14.15)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

NEWS | NOTED PODCASTS | DIFFERENT | LOOKING BACK | NOTES

Lawmakers’ Websites Improving, Report Finds (Hillicon Valley, 24 Oct 2011) - The overall quality of congressional websites is on the rise, but many still lack basic educational and transparency features, according to a new report. House websites - including member, committee and leadership office sites - saw some degree of improvement from 2009 to 2011, while the Senate saw a small decline, according to the report released Monday outlining best practices in online communications on Capitol Hill. New members elected in 2010 were also found to have developed much better websites in their first year in office compared with their Senate counterparts, the Congressional Management Foundation (CMF) found. Roughly 61 percent of websites from House freshmen earned high marks for their sites from CMF, versus just 31 percent for new senators. The CMF singled out several lawmakers and committees for excellent online communications, with top marks going to Sen. Mark Begich (D-Alaska) for best Senate member website, and Rep. Paul Ryan (R-Wis.) for best House member website. According to the report, many member websites still do not offer basic information about their activities, the work of Congress or the legislative process. Forty percent of lawmakers did not post information on bills members have sponsored or co-sponsored in the current session of Congress, and 44 percent did not post information on the legislator’s voting record, according to the report. Forty-seven percent did not post information on how a bill becomes a law, and 67 percent did not provide guidance for communicating with the member office. Lawmakers did take better advantage of social media tools, however, as the use of such technology by congressional offices rose exponentially.

top

FBI Going to Court More Often to Get Personal Internet-Usage Data (Washington Post, 25 Oct) - The FBI is increasingly going to court to get personal e-mail and Internet usage information as service providers balk at disclosing customer data without a judge’s orders. Investigators once routinely used administrative subpoenas, called national security letters, seeking information about who sent and received e-mail and what Web sites individuals visited. The letters can be issued by FBI field offices on their own authority, and they obligate the recipients to keep the requests secret. But more recently, many service providers receiving national security letters have limited the information they give to customers’ names, addresses, length of service and phone billing records. “Beginning in late 2009, certain electronic communications service providers no longer honored” more expansive requests, FBI officials wrote in August, in response to questions from the Senate Judiciary Committee. This marked a shift from comments made last year by Obama administration officials, who asserted then that most service providers were disclosing sufficient information when presented with national security letters. Investigators seeking more expansive information over the past two years have turned to court orders called business record requests. In the first three months of this year, more than 80 percent of all business record requests were for Internet records that would previously have been obtained through national security letters, the FBI said. The FBI made more than four times as many business records requests in 2010 than in 2009: 96 compared with 21, according to Justice Department reports.

top

Nasdaq Server Breach: 3 Expected Findings (Information Week, 25 Oct 2011) - Remember the Nasdaq breach? [Reported in MIRLN 14.05 ] It’s worse than previously thought. Last week, two experts with knowledge of Nasdaq OMX Group’s internal investigation said that while attackers hadn’t directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors. “God knows exactly what they have done. The long-term impact of such [an] attack is still unknown,” cyber security expert Tom Kellermann, CTO of AirPatrol, told Reuters, which reported the experts’ findings. In February 2011, Nasdaq OMX Group had confirmed that its servers had been breached, and suspicious files found on servers associated with Directors Desk, which is a Web-based collaboration and communications tool for senior executives and board members to share confidential information. The product has about 10,000 users, according to the company’s website. At the time, Nasdaq said that it had discovered the attack in October 2010, immediately removed the suspicious files, and launched an investigation, saying “at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.” But it wasn’t clear how long the malicious files may have resided on Nasdaq’s systems. Indeed, based on past breaches, many businesses fail to spot when they’ve been hacked, at least right away. Interestingly, Nasdaq didn’t immediately inform customers about the breach, after the FBI—which is investigating the matter, together with the National Security Agency—asked it to delay doing so, so as to not impede its investigation. Furthermore, because of that investigation, Nasdaq hasn’t publicly released many details about the attack. But based on recent news reports, as well as likely attack scenarios, we’ll likely see these three findings * * *

top

Make or Buy in the Age of the Free-Agent Lawyer (ABA Journal, 26 Oct 2011) - At all stages of a company’s life cycle, leadership continually asks the classic “Make or Buy” question. When should a company hire and develop expertise internally, and when does it make more sense to outsource tasks and purchase professional services? When it comes to legal needs, every company has its own pressure points. Mature companies mostly tie in-house headcount to revenue metrics or benchmark against industry norms. Start-ups are more interesting to follow with respect to make or buy decisions, because their behavior usually reflects a cultural choice. Case in point, the fastest growing company in the United States, GroupOn, didn’t hire its first General Counsel until June, 2011. Based on GroupOn’s revenue history and the huge amount of private equity in play, that’s pretty late in the game. Given GroupOn’s truly unique culture, which feeds on humor and independent thinking, I suspect that leadership was in no rush to build a law department. The need for policies and procedures does not necessarily equate to a desire for policies and procedures. Eventually, however, most $1 billion-plus companies hire at least one attorney to manage legal services delivery, and of course, many have law departments of significant size. In the “New Normal,” the make or buy question expands. For companies with law departments, the objective for chief legal officers goes well beyond the old school notion of justifying additional headcount and then lobbying for it. Instead, progressive law departments are asking simply, “how can we make more in-house?” Taking more work inside does not automatically equate to hiring more attorneys. Instead, an evolving range of options are now in play. For example, many larger law departments have developed brand new job descriptions for tech-savvy operations professionals. This is the kind of quasi-legal role envisioned by Richard Susskind in The End of Lawyers? The objective in creating this position is to incorporate large-scale cost savings via the proper use of knowledge management systems, eBilling software, content providers and more. [Editor: Interesting; Come to think of it, I guess that much of my practice is as such an “adjunct”.]

top

When Secrets Aren’t Safe With Journalists (NYT OpEd by Chris Soghoian, 26 Oct 2011) - Brave journalists have defied court orders and have even been jailed rather than compromise their ethical duty to protect sources. But as governments increasingly record their citizens’ every communication - even wiretapping journalists and searching their computers - the safety of anonymous sources will depend not only on journalists’ ethics, but on their computer skills. Sadly, operational computer security is still not taught in most journalism schools, and poor data security practices remain widespread in news organizations. Confidential information is sent over regular phone lines and via text messages and e-mail, all of which are easy to intercept. Few journalists use secure-communication tools, even ones that are widely available and easy to use. Government officials often attempt to get journalists to reveal their sources by obtaining subpoenas and compelling testimony and the required telecommunications records. But sometimes that’s not even necessary, because sources have already been exposed by their own lax communications. And then there is illicit monitoring - I believe that American journalists should assume that their communications are being monitored by their government - and possibly other governments as well. As an expert on privacy and government surveillance, I regularly speak with journalists at major news organizations, here and abroad. Of the hundreds of conversations I’ve had with journalists over the past few years, I can count on one hand the number who mentioned using some kind of intercept-resistant encrypted communication tools. Even when journalists try to do the right thing, they still make dangerous mistakes, like relying on Skype. Skype is slightly more secure than phones but is by no means safe from snooping - which can be done with commercially available interception software.

top

A “Wow”: CEO Pushes Reg FD Limits on Twitter (CorporateCounsel.net, 27 Oct 2011) - This blog from Dominic Jones of IR Web Report is a “must” read. I’m going to tease it out by excerpting the first few paragraphs below: ALAN Meckler, CEO of WebMediaBrands Inc. (NASDAQ: WEBM), may be single-handedly redefining how corporate executives in the buttoned-down world of public companies communicate with their investors. The 64-year-old media entrepreneur, whose company owns interests in a number of online businesses and blogs, has been using Twitter to talk about his micro-cap company in ways that have stunned some observers and even drawn questions from the SEC. While some in the conservative world of corporate disclosure have speculated about how Twitter might meet the SEC’s Reg FD requirements , Meckler appears to have made up his mind that Twitter is as good a channel as any to break news about everything from pending acquisitions to his next quarter’s results. The result is that investors in WEBM are being treated to a new level of access to their chief executive and board chairman, as well as unprecedented commentary and news about the company’s business in a real-time, abbreviated format that was previously unheard of.

top

Insulin Pump Hack Delivers Fatal Dosage Over the Air (The Register, 27 Oct 2011) - In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them. The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker Halted conference in Miami. It was delivered by McAfee’s Barnaby Jack, the same researcher who last year showed how to take control of two widely used models of automatic teller machines so he could to cause them to spit out a steady stream of dollar bills. Jack’s latest hack works on most recent Medtronic insulin pumps, because they contain tiny radio transmitters that allow patients and doctors to adjust their functions. It builds on research presented earlier this year that allowed the wireless commandeering of the devices when an attacker was within a few feet of the patient, and knew the serial number of his pump. Software and a special antenna designed by Jack allows him to locate and seize control of any device within 300 feet, even when he doesn’t know the serial number.

top

NIST Publishes Guide for Monitoring Security in Information Systems (BeSpacific, 28 Oct 2011) - Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137): “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate).3 Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information.”

top

Data Breach Mitigation Costs Were Cognizable Damages (CCH Financial Privacy Law Guide, 31 Oct 2011) - The U.S. Court of Appeals for the First Circuit determined that out-of-pocket mitigation costs of credit and debit card replacement and credit insurance incurred by data breach victims were reasonably foreseeable expenses and, therefore, constituted a cognizable harm under Maine law. The breach involved a Maine-based supermarket chain operator’s electronic payment processing system that resulted in the theft of 4.2 million credit and debit card numbers. The First Circuit reversed a federal district court’s dismissal of negligence and implied contract claims arising from the data breach, in which it had determined that the alleged injuries were too unforeseeable and speculative to be cognizable under Maine law. Anderson v. Hannaford Brothers Co. [Analysis by Edwards Wildman here: http://www.edwardswildman.com/newsstand/detail.aspx?news=2659&elq_mid=16289&elq_cid=996107 ]

top

Regulating Network Neutrality (Media Law Prof Blog, 31 Oct 2011) - Eric Null, Cardozo Law School, has published The Difficulty with Regulating Network Neutrality, at 29 Cardozo Arts and Entertainment Law Journal 459 (2011). Here is the abstract: Network neutrality is, and has been, an essential design element of the Internet. Increasingly, there has been pressure to move from a neutral network to a network that is optimized for particular functions (such as video streaming), and technology has responded to that call through the creation of a powerful technology called Deep-Packet Inspection. DPI allows access providers to directly violate the neutrality principle because it provides a mechanism for unequal treatment of content. The tension between network neutrality and DPI is significant - so much so that the Federal Communications Commission (“FCC”) has intervened. The FCC recently published its final Report and Order for Preserving the Open Internet in the Federal Register, which establishes a general principle that neutrality should be safeguarded. Despite this safeguard, the FCC provided for a reasonable network management exception to neutrality, which allows access providers to treat content unequally if the provider is reasonably managing its network. The reasonable network management exception is a broad exception. However, a broad exception, potentially overbroad, may not be the most prudent form for regulating network neutrality. To determine what form is appropriate for network neutrality regulation, one should engage in a rules-versus-standards analysis specifically in this context. There is no obvious choice, but context can provide useful background when determining whether to regulate with rules or standards. Network neutrality regulation should be written as a rule, not a standard. Establishing a rule-like regulation will deter non-neutral behavior by access providers, and will preserve the Internet’s neutral architecture and the benefits that equal treatment of content provides. In addition, rule-like regulations reduce the burden placed on enforcers, typically users, of the regulation. For these reasons, the reasonable network management exception should also be worded like a rule; those arguing for a broad, standard-like exception have not successfully demonstrated why a broad exception is required. Paper is here .

top

UK Cops Using Fake Mobile Phone Tower to Intercept Calls, Shut Off Phones (Wired, 31 Oct 2011) - Britain’s largest police force has been using covert surveillance technology that can masquerade as a mobile phone network to intercept communications and unique IDs from phones or even transmit a signal to shut off phones remotely, according to the Guardian. The system, made by Datong in the United Kingdom, was purchased by the London Metropolitan police, which paid $230,000 to Datong for “ICT hardware” in 2008 and 2009. The portable device, which is the size of a suitcase, pretends to be a legitimate cell phone tower that emits a signal to dupe thousands of mobile phones in a targeted area. Authorities can then intercept SMS messages, phone calls and phone data, such as unique IMSI and IMEI identity codes that allow authorities to track phone users’ movements in real-time, without having to request location data from a mobile phone carrier. In the case of intercepted communications, it is not clear whether the network works as a blackhole where intercepted messages go to die, or whether it works as a proper man-in-the-middle attack, by which the fake tower forwards the data to a real tower to provide uninterrupted service for the user. In addition to intercepting calls and messages, the system can be used to effectively cut off phone communication, such as in a war zone where phones might be used as a trigger for an explosive device, or for crowd control during demonstrations and riots where participants use phones to organize. A spokesman for the U.S. Secret Service verified to CNET that the agency has done business with Datong, but would not say what sort of technology it bought from the company. The FBI is known to use a similar technology called Triggerfish, which also pretends to be a legitimate cell tower base station to trick mobile phones into connecting to it. The Triggerfish system, however, collects only location and other identifying information, and does not intercept phone calls, text messages, and other data. [Related Wired article on FBI’s use of such towers here .]

top

Homeland Security Reviews Social Media Guidelines (AP, 31 Oct 2011) - The wave of uprisings across North Africa and the Middle East that have overturned three governments in the past year have prompted the U.S. government to begin developing guidelines for culling intelligence from social media networks, a top Homeland Security official said Monday. Department of Homeland Security Undersecretary Caryn Wagner said the use of such technology in uprisings that started in December in Tunisia shocked some officials into attention and prompted questions of whether the U.S. needs to do a better job of monitoring domestic social networking activity. “We’re still trying to figure out how you use things like Twitter as a source,” she said. “How do you establish trends and how do you then capture that in an intelligence product?” Wagner said the department is establishing guidelines on gleaning information from sites such as Twitter and Facebook for law enforcement purposes. Wagner says those protocols are being developed under strict laws meant to prevent spying on U.S. citizens and protect privacy, including rules dictating the length of time the information can be stored and differences between domestic and international surveillance. Wagner said the Homeland Security department, established after the 9/11 attacks, is not actively monitoring any social networks. But when the department receives information about a potential threat, contractors are then asked to look for certain references within “open source” information, which is available to anyone on the Internet.

top

- and -

CIA Following Twitter, Facebook (AP, 4 Nov 2011) - In an anonymous industrial park in Virginia, in an unassuming brick building, the CIA is following tweets - up to 5 million a day. At the agency’s Open Source Center, a team known affectionately as the “vengeful librarians” also pores over Facebook, newspapers, TV news channels, local radio stations, Internet chat rooms - anything overseas that anyone can access and contribute to openly. From Arabic to Mandarin Chinese, from an angry tweet to a thoughtful blog, the analysts gather the information, often in native tongue. They cross-reference it with the local newspaper or a clandestinely intercepted phone conversation. From there, they build a picture sought by the highest levels at the White House, giving a real-time peek, for example, at the mood of a region after the Navy SEAL raid that killed Osama bin Laden or perhaps a prediction of which Mideast nation seems ripe for revolt. Yes, they saw the uprising in Egypt coming; they just didn’t know exactly when revolution might hit, said the center’s director, Doug Naquin. The center already had “predicted that social media in places like Egypt could be a game-changer and a threat to the regime,” he said in a recent interview with The Associated Press at the center. CIA officials said it was the first such visit by a reporter the agency has ever granted. The CIA facility was set up in response to a recommendation by the 9/11 Commission, with its first priority to focus on counterterrorism and counterproliferation. But its several hundred analysts - the actual number is classified - track a broad range, from Chinese Internet access to the mood on the street in Pakistan. The center’s analysis ends up in President Barack Obama’s daily intelligence briefing in one form or another, almost every day.

top

Our Pleasure to Serve You: More Lawyers Look to Social Networking Sites to Notify Defendants (ABA Journal, Oct 2011) - Although Jessica Mpafe had not seen her husband in years, she assumed he moved back to West Africa’s Ivory Coast. Mpafe of Minnesota had no physical address to serve him with divorce papers. So she asked the court whether she could send the notice by general delivery, where the post office holds mail until the recipient calls for it. Kevin S. Burke, the Hennepin County, Minn., judge presiding over the case, thought that would be a waste of postage. “General delivery made sense 100 years ago, but let’s be real,” says Burke, implying that few use it anymore. Nor did the judge trust publishing legal notices in a trade paper when the defendant can’t be located. “Nobody, particularly poor people, is going to look at the legal newspaper to notice that their spouse wants to get divorced,” Burke says. On May 10 the judge wrote an order authorizing Mpafe to serve notice of process to her husband by email, “Facebook, Myspace or any other social networking site.” His order stated that while the court allowed service by publication in a legal newspaper, it was unlikely the respondent would see it. “The traditional way to get service by publication is antiquated and is prohibitively expensive,” Judge Burke wrote. “Service is critical, and technology provides a cheaper and hopefully more effective way of finding respondent.” It was something of a radical move. While courts in Australia, Canada, New Zealand and the United Kingdom embrace electronic legal notice, it’s rare in the United States. Many state and federal statutes disallow electronic service of process, lawyers say. In federal cases, some attorneys cite Federal Rule of Civil Procedure 4(f)(3), which allows service only for foreign defendants “by other means not prohibited by international agreement, as the court orders.” In a 2002 case, the 9th U.S. Circuit Court of Appeals at San Francisco upheld a default judgment against Rio International Interlink, a Costa Rican gambling website that was served electronically after traditional methods failed. The trademark infringement action was brought by Rio Properties Inc., a Las Vegas hotel and casino. The defendant, wrote Judge Stephen S. Trott, “had neither an office nor a door; it had only a computer terminal. ... When faced with an international e-business scofflaw playing hide-and-seek with the federal court, email may be the only means of effecting service of process.”

top

Open Secret: Cisco Site Shares Privacy Approach (ABA Journal, Oct 2011) - Safeguarding information from the onslaught of rapidly advancing technologies that track, store and share sensitive data is one of the greatest concerns among businesses and law firms. Internet giant Cisco Systems feels it has found a collaborative approach to privacy, and it’s sharing its story right out there on the Web. “Privacy is an evolving area and there’s going to be a lot of changes to come. So let’s share our best practices,” says Van Dang, Cisco’s deputy general counsel. Dang recently launched a cloud-based privacy portal on her company’s website so clients and corporations can explore Cisco’s privacy and compliance programs, as well as comment about their own best practices. The portal contains compliance reference materials such as agreement templates and security checklists, and it also promotes Cisco products. The portal hosts a community forum to encourage feedback, and it links to law firm and industry blogs on privacy and security issues. Dang hopes to eventually build a fully interactive platform that allows law firms to create and add their own content directly on the site. Developed during a nine-week flurry by Dang and a team of Cisco professionals last winter, the project is intended to help legal departments and law firms offer greater client and consumer protection with fewer resources, while creating collaborative industry standards for best practices. The Cisco privacy portal is here .

top

- and -

TRUSTe to Issue Free Privacy Policy Creation Starter Kit for Mobile Developers (ReadWriteWeb, 2 Nov 2011) - Internet privacy solutions provider TRUSTe is concerned that mobile apps do not have built-in privacy solutions. TRUSTe claims that 77% of all mobile applications lack privacy policies that can allow users to decide how they want to share data third parties. As such, TRUSTe is coming out with a free privacy policy for mobile developers later this month. Essentially what TRUSTe is coming out with is a privacy policy wizard or starter kit for mobile developers that do not have policies in place for their apps. Developers are led through a set of questions defining what their apps do and do not do in terms of privacy and at the end of the quiz, TRUSTe gives them a line of code that links to the apps privacy policy. The free version does not give a developer a certified TRUSTe privacy seal and there is potential for abuse of the system by creating a privacy policy with an app that does not follow those guidelines.

top

Keeping Up with the Joneses-How Far Does the ‘Reasonable Expectation of Privacy’ Go? (ABA Journal, by Erwin Chemerinsky, 1 Nov 2011) - One of the most difficult, and potentially most important cases of the U.S. Supreme Court term will be argued on Nov. 8. United States v. Jones involves the question of whether it is a search or seizure within the meaning of the Fourth Amendment when the police plant a GPS device on a person’s vehicle and monitor it for 24 hours a day, for 28 days. Since Katz v. United States, decided in 1967, the Supreme Court has defined the protections of the Fourth Amendment in terms of the “reasonable expectation of privacy.” But how does that apply in this situation? On the one hand, the court has long held that people have no expectation of privacy for their public activities. The police could have followed Jones’ car on public streets for a month, perhaps by using undercover officers, and no one would have contended that there was a search or seizure that required a warrant. On the other hand, people have the expectation that police are not planting a device on their car to monitor their every move. As technology develops, police are gaining more ability to follow anyone at any time. A great deal of personal information can be learned by following someone for weeks. Yet, said Chief Judge Alex Kozinski of the 9th U.S. Circuit Court of Appeals, “There is something creepy and un-American about such clandestine and underhanded behavior.” Kozinski, dissenting from denial of en banc rehearing in the 2010 case, United States v. Pineda-Moreno, added, “To those of us who have lived under a totalitarian regime, there is an eerie feeling of déjà vu.” [Editor: excellent, readable explication of the case.]

top

- and -

Judges Weigh Phone Tracking (WSJ, 9 Nov 2011) - State and federal authorities follow the movements of thousands of Americans each year by secretly monitoring the location of their cellphones, often with little judicial oversight, in a practice facing legal challenges. Electronic tracking, used by police to investigate such crimes as drug dealing and murder, has become as routine as “looking for fingerprint evidence or DNA evidence,” said Gregg Rossman, a prosecutor in Broward County, Fla. The use of cellphone tracking by authorities is among the most common types of electronic surveillance, exceeding wiretaps and the use of GPS tracking, according to a survey of local, state and federal authorities by The Wall Street Journal. The widening practice also presents one of the biggest privacy questions in a generation: Do police need a search warrant to follow a person’s minute-by-minute movements using satellite or cellphone technology? Al Gidari, a partner at law firm Perkins Coie whose clients include mobile carriers, told Congress last year that wireless service providers receive an “astronomical” number of requests for user records-including location. “It is not uncommon for law enforcement to ask for a phone to be” tracked every 15 minutes, he said. Little is known about the practice because tracking requests are typically sealed from public view. While search warrants are generally delivered to people whose property is being searched, most people whose phones are targeted never learn about it. They typically find out only if they are charged with a crime and their tracking data are used as evidence against them. The Journal identified more than 1,000 instances of cellphone tracking in several large U.S. cities last year through open-records requests and court documents. The data showed that the practice is a widely and increasingly used police tool. Magistrate Stephen Smith of Houston, Texas, who approves such surveillance orders, has been studying the available data and estimates that federal courts alone issue 20,000 to 30,000 cellphone tracking orders annually. By comparison, federal and state courts approved 3,194 wiretaps in 2010, according to federal records.

top

Safe in the Cloud? Online Service Risks Need Care and Coverage (ABA Journal, 1 Nov 2011) - Document security, always a law practice issue, has come to the forefront as law firms and their clients consider using online-based software for business uses. Most often called cloud computing or software as a service, the process involves using the Internet to access useful applications. Rather than purchasing and installing the necessary software for a firm’s private computer system, users upload information onto the Internet-“the cloud”-where it is stored with a software service. “Certain levels of security will depend on the company you are dealing with and on the underlying cloud provider,” says Arlen Tanner, an attorney at Shook, Hardy & Bacon in Kansas City, Mo., who specializes in business records management. “Most cloud-based services are small startup companies leasing space on a large cloud, such as from Google, Amazon, Microsoft or IBM. Cloud service providers like Dropbox, for example, store your data on storage they lease from a major cloud provider.” Lawyers whose security measures prove inadequate for protecting client confidences are vulnerable to malpractice lawsuits. Liability depends on whether a lawyer has reasonable practices in place to protect against a breach of client confidences. A firm’s current malpractice insurance coverage for “errors and omission could cover some aspects of damages arising from a data breach depending on the factual circumstances, but it most likely doesn’t cover the type of expenses that can arise in the aftermath,” says Brant Weidner, a claims manager for Beazley Group in Chicago, a Lloyd’s of London syndicate offering lawyers’ professional liability insurance, including specialty lines for cyber- and data-related losses. “The fixes that clients demand or the law requires when a breach occurs are very specific and expensive.” Weidner advises asking insurers what losses are covered for cyberattacks. “Lawyers should have coverage specifically designed to deal with the losses that can arise in the event of a data breach: That means notifying clients that data has been disclosed, credit monitoring if necessary, and hiring a computer security expert to figure out why there was a breach. There is also the possibility of civil fines for violations. All of these costs can have not only financial but also professional consequences,” he says. “Beyond the costs,” Weidner says, “firms also need to consider whether they have exercised reasonable care, and they need to know what reasonable care looks like.”

top

- and -

New Study Finds 67 Percent of Cloud Servers are Perceived Vulnerable or Potentially at Risk by IT Personnel (Ponemon Institute, 2 Nov 2011) - Dome9 Security ™, the leading provider of cloud security management for public and private clouds, as well as for dedicated and virtual private servers (VPS), and the Ponemon Institute, a privacy and information management research firm, today announced the results of a first-of-its-kind cloud security study, which found that 67 percent of IT security respondents report that their organization is very vulnerable or vulnerable because cloud ports and firewalls are not adequately secured. Furthermore, 54 percent of respondents said their organizations’ IT personnel are not knowledgeable or have no knowledge about the potential risk of open firewall ports in their cloud environments. The study “Cloud Security: Managing Firewall Risks” was independently conducted by the Ponemon Institute, one of the world’s foremost authorities on data security and privacy, and was sponsored by Dome9 Security. The research was conducted to determine the challenges organizations face when managing access and securing firewalls and ports in cloud environments. The study analyzed responses from 682 IT and IT security practitioners in the United States working in organizations that use hosted or cloud servers (dedicated or virtual private servers). On average, respondents have more than 10 years of IT or IT security experience, and 40 percent come from organizations with 5,000 employees or more in globally dispersed locations. “We believe this is the first study to look at the risk to cloud security because of unsecured ports and firewalls, and the results are very revealing,” said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute. “It is commonly accepted that organizations believe they struggle with security in the cloud, but this study gets to a root of the problem. For example, more than half of the respondents said it is very likely or likely that administrative cloud server ports left open for access expose the organization to increased hacker attacks and security exploits. Nineteen percent say these exploits have already happened.” For a copy of the study, see: http://www.dome9.com/resources/ponemon-cloud-security-study

top

Facebook: Monitoring Juror Social Media Networking Sites; “Friending” Employees of Adverse Parties (ABA Journal, Nov 2011) - You are representing a client in a personal injury matter. During pre trial voir dire proceedings and during the trial itself, can you search for and monitor jurors’ and potential jurors’ Twitter accounts and social network Internet postings? What are your obligations should you uncover evidence of juror misconduct? You represent a client in a wrongful discharge matter against the client’s former employer. You have reason to believe that certain high-level employees of the employer are dissatisfied and may be likely to post unfavorable comments about the employer on their private social networking pages. Can you send a “friend” request to these employees to gain access to their private social media pages? Since the publication of the last Eye on Ethics column on Facebook, November of 2010, “Facebook: State Bar Opinions Address Information Gathering,” there have been some new state bar opinions that have addressed various issues that relate to social networking. The topics covered include monitoring jurors’ social network and Internet postings, and whether a lawyer can “friend” high-level employees of an adverse represented party. [Editor: usefully parses recent NY County Opinion, and another by the San Diego County Bar.]

top

- and -

Case of Fake Facebook Profile Can Proceed, Judge Rules (Law.com, 3 Nov 2011) - A woman accused of impersonating her boyfriend on a fake Facebook page and posting inflammatory comments can be prosecuted for identity theft, a judge ruled Wednesday in a case that could have wider implications for cyber-speech. Dana Thornton was indicted last year on one count of fourth-degree identity theft, a crime punishable by a maximum 18-month prison term upon conviction. Assistant Prosecutor Robert Schwartz said she created the Facebook page using photos and personal information about her ex-boyfriend, a police detective in northern New Jersey, and posted comments purported to be from him. According to grand jury testimony recited in court Wednesday, among the comments posted on the page were that the ex-boyfriend, a narcotics detective, was “high all the time,” had herpes and frequented prostitutes and escort services. At issue is a New Jersey law that makes it illegal to impersonate someone “for the purpose of obtaining a benefit for himself or another or to injure or defraud another.” Bradley Shear, a Bethesda, Md., lawyer who works on online issues, said he expects to see more cases like this one in the near future. The New Jersey case could be a difficult prosecution, he said, because of the way the state’s law is written. “This specific situation sounds like it may be better handled in civil rather than criminal court,” he said. “It’s very tough to say this is a violation of the law.” It is, however, a violation of Facebook’s terms of service, he said. So far, only California and New York have laws specifically banning online identity theft. Shear said those states are leading the way largely because of the large number of celebrities who live in them. But he said such laws can get tricky to enforce because it’s legally thorny when the alleged offender is out of state.

top

- and -

Judge Orders Exchange of Facebook and Dating Website Passwords in Custody Fight (ABA Journal, 8 Nov 2011) - A Connecticut judge has ordered lawyers representing a divorcing couple to exchange passwords to their clients’ Facebook and dating websites. Judge Kenneth Schluger ordered the password exchange in the divorce of Stephen and Courtney Gallion, according to the Forbes blog The Not-So Private Parts . The judge cautioned in a Sept. 30 order that the exchange should be carried out by the lawyers, and neither spouse may post messages purporting to be the other. Stephen Gallion’s lawyer, Gary Traystman, told the blog his client believes the social networking accounts will provide evidence about Courtney Gallion’s ability to take care of their children. Stephen Gallion is arguing for full custody. According to the story, other judges have issued similar orders. “In ‘normal’ discovery, a litigant is usually asked to turn over ‘responsive material,’ not the keys to access all that material and more,” the story says, “but it seems that judges are applying different standards to social networking accounts.”

top

Out of the Crowd: Public-Supplied Info Gains Ground in Courts (ABA Journal, 1 Nov 2011) - In past years it wasn’t uncommon for a law firm, hired to defend a lucrative patent, to send associates and law clerks on time-consuming, poorly directed missions to scour old filings and Internet databases in search of prior art to determine the origins of the invention in question. No more. Lawyers and clients are harnessing the collective search power of online global communities to uncover a single piece of existing artwork that could turn a multimillion-dollar lawsuit. They’re crowdsourcing. Article One Partners develops patent studies that typically run six weeks, and asks targeted communities of scientists and other specialists to find relevant artwork for rewards that range from $5,000 to $50,000, depending on the nature of the dispute. The company then filters the submissions, sends the top selections to the client, and announces the winner of the best entry on its website. Crowdsourcing isn’t just for the patent set. Consumer reviews on a social media website provided important evidence in a trademark dispute in June when fast-food chain Chipotle sued another establishment called Chipotles for infringement. One key factor in the court’s decision to grant the plaintiff injunctive relief was the actual confusion among consumers demonstrated on customer review sites Urbanspoon and Yelp, where reviews erroneously linked the plaintiff and defendant. “The case gives a good example of how companies (and their competitors) should be aware of how their brands appear in social media,” wrote Chicago-based intellectual property lawyer Evan Brown on Internet Cases: A Blog About Law and Technology. Although the Arkansas federal court considered consumer reviews in the Chipotle dispute, crowdsourcing for admissible evidence may be a stretch in future cases as courts are likely to find user comments posted online as hearsay, particularly online user comments with no verifiable identity attached, Brown added. And it’s unlikely that an online consumer company like Yelp would comply in a civil suit to turn over commenters’ credentials or IP addresses for verification. However, those concerns didn’t stop London’s Metropolitan Police from posting images taken from British surveillance cameras of alleged rioters on the photo-sharing website Flickr this summer, asking the public to identify people in the photos for arrest. In this way, crowdsourcing was a digital version of circulating wanted posters and collecting the responses-only on a much more visible lamppost.

top

Why Parents Help Their Children Lie to Facebook About Age: Unintended Consequences of the ‘Children’s Online Privacy Protection Act’ (Berkman’s community members danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey; 1 Nov 2011) - Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children’s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general-purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children’s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children’s practices of circumventing age restrictions, and how they feel about children’s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data. Our data have significant implications for policy-makers, particularly in light of ongoing discussions surrounding COPPA and other age-based privacy laws.

top

Feds Drop Plan to Lie in Public-Record Act Requests (Wired, 3 Nov 2011) - Bowing to political pressure, the Justice Department abruptly dropped proposed revisions to Freedom of Information Act rules Thursday that would have authorized the government to inform the public that requested records do not exist even if they do. The proposal would have granted the government a new option to state that documents relevant to a FOIA request did not exist. According to the Justice Department’s proposal, if the government believes records should be withheld, the government agency to which the request was made “will respond to the request as if the excluded records did not exist.” Under normal practice, which seems Orwellian enough, the government may assert that it can neither confirm nor deny that relevant records exist if the matter involves national security. Civil rights groups, and a host of lawmakers from both sides of the spectrum, had blasted the Justice Department’s original proposal .

top

Hyperlinks and the First Amendment (MLPB, 3 Nov 2011) - Anjali Dala, Yale University, Yale Information Society Project, has published Protecting Hyperlinks and Preserving First Amendment Values on the Internet in volume 13 of the University of Pennsylvania Journal of Constitutional Law (May 2011). Here is the abstract: Hyperlinks are critical to communication in part because they facilitate access to information. They provide visitors on one website a way to navigate to internally referenced words, phrases, arguments, and ideas. In addition to being vehicles for communication, this article contends that hyperlinks are communicative in and of themselves. They signal user preferences, democratize the national dialogue, indicate credibility, function as a signature on a virtual petition and help establish virtual associations. This Article presents the first comprehensive examination of First Amendment concerns related to hyperlinks and argues that any judicial or legislative regulation of hyperlinks should be reviewed under a strict scrutiny standard. Nearly 50 years ago, the Supreme Court recognized a constitutional privilege to disseminate information in New York Times v. Sullivan. In Sullivan, the Court extended a constitutional privilege to newspapers because of their role as an incredibly important, unique medium of communication. The same sentiment should extend to protect new media as they emerge. This Article concludes by discussing how a strict scrutiny standard should be applied to claims alleging trademark infringement, e-trespass, copyright infringement, contributory infringement, and contract violation as a result of hyperlink use. Article here .

top

Ninth Circuit Affirms Google’s Section 230 Win Over a Negative Business Review (Eric Goldman, 3 Nov 2011) - The Blacks sued Google over a negative third party review of their business published in an unspecified Google property. This lawsuit was obviously preempted by 47 USC 230 from the get-go, so I easily fit my prediction of the case’s outcome into a tweet . In August 2010, the district court dismissed the lawsuit on Section 230 grounds in an efficient opinion. The Ninth Circuit didn’t find this case any more challenging than the district court did. In a brief unpublished memo opinion, the court upheld the district court’s ruling. The main substantive sentence of the Ninth Circuit’s opinion: The district court properly dismissed plaintiffs’ action as precluded by section 230(c)(1) of the Communications Decency Act (“CDA”) because plaintiffs seek to impose liability on Google for content created by a third party. See Fair Hous. Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157, 1162 (9th Cir. 2008) (en banc) (“Section 230 of the CDA immunizes providers of interactive computer services against liability arising from content created by third parties . . . .”); Carafano v. Metrosplash.com, Inc., 339 F.3d 1119, 1122 (9th Cir. 2003) (“Through [section 230 of the CDA], Congress granted most Internet services immunity from liability for publishing false or defamatory material so long as the information was provided by another party.”). Black v. Google, Inc. , 10-16992 (9th Cir. Nov. 1, 2011).

top

Surveillance System May Have Recorded Courthouse Conversations in Violation of Federal Law (ABA Journal, 4 Nov 2011) - A security system installed in June in one or more courthouses in Baldwin County, Ala., included a number of cameras that also recorded audio placed in high-risk areas such as exits and hallways. However, until yesterday no one apparently told lawyers who routinely look for a quiet spot in public areas to confer with clients, according to the Press-Register. Local defense attorneys expressed outrage at the potential breach of attorney-client privilege and the Baldwin County Commission said it had disabled the audio portion of the cameras this week “out of an abundance of caution,” the newspaper reports. District Attorney Hallie Dixon said she learned of the audio issue last week and insisted on the shutdown. The county sheriff says the U.S. Attorney’s office and the Federal Bureau of Investigation are reviewing the matter. “Just about every lawyer I have talked to has been shocked and outraged,” said Daniel Mitchell, a local defense lawyer. “We all knew there were cameras, but no one ever notified anyone that there was more than video monitoring. Our bar association certainly didn’t know about it.”

top

Apple’s Siri Could Get You into Hot Water Behind the Wheel (SiliconValley.com, 7 Nov 2011) - Siri may be a seductively smart companion. But let the new iPhone’s voice-activated Gal Friday sit beside you as you drive up Highway 101 and you might get into trouble with the law. Or maybe not. Police say you can talk to Siri while driving. Just don’t touch her. “It’s legal to talk to Siri, as long as the phone’s not in your hand,” says San Jose police Lt. Chris Monahan. “But if you ask for directions and she puts them up on her screen for you to read, then California’s vehicle code says you’re breaking the law.” But in an example of the law being a few steps behind the technology it’s trying to address, the bill’s author says that because Siri is not “a person” the law may not apply at all. “I’m a legislator, not a judge or a law enforcement official,” said state Sen. Joe Simitian, D-Palo Alto, who wrote the hands-free and texting laws enacted in 2008 and 2009. “But I don’t see how asking Siri for driving instructions and then looking down at the text on the phone is any more of a violation of existing law than reading your GPS device. The law talks about communicating with any ‘person.’ And if there’s one thing we know for sure, it’s that Siri is not a person.”

top

FTC Settles with Online Advertiser over Flash Cookie Use (WSJ, 8 Nov 2011) - In a case that raises questions about the use of “supercookies” to track users online, the Federal Trade Commission said Tuesday that it reached a settlement with an online advertiser the commission had charged with deceiving customers by using a type of tracker called a Flash cookie. According to the FTC complaint, ScanScout, an advertising network that places video ads on websites, instructed its consumers via its privacy policy page that they could opt out of receiving targeted ads by “changing your browser settings to prevent the receipt of cookies.” That turned out not to be the case. ScanScout uses Flash cookies, technology that cannot be removed by changing browser settings for ordinary cookies. The FTC called ScanScout’s claims “deceptive.” The practice, according to the complaint, ran from at least April 2007 to December 2010. As part of the settlement ScanScout must place a prominent notice on its website saying that the company collects information about user activities, with a link that takes consumers to a mechanism that allows them to prevent the company from collecting more information about the user.

top

Employers Demanding the Right to Remotely Wipe Employees’ Phones? (Eric Goldman, 9 Nov 2011) - I got the following email from one of my students (I edited a little to increase the anonymity): “Recently, my spouse’s company announced that it is going to implement a new policy regarding those employees using their mobile devices to check company email. These phones are personal phones, and not provided by the company. What they are proposing is that my spouse sign a release that states that the Company has the right to remotely wipe the phone (restoring it to factory settings) if they feel that any of their trade secrets have been compromised, or if the spouse loses/misplaces the phone. My problem with this is that these are personal phones with personal information not connected to her work. Does her company have the right to wield such power, or is this over doing it?” This was the first time I’d ever heard of such a provision. Has this become a new standard, or is this company over-the-top hyper-protective of its trade secrets? As an employee, I would not sign such a release. Further, if I were the employer, I would be reluctant to rely on the release, even if signed, to actually wipe a former employee’s phone. If the employee challenged the wipe in court, I would imagine many judges would be reluctant to enforce the release, motivating them to look for reasons not to do so. If nothing else, there’s a major due process problem (in the equity sense, not the legal sense). The company is the judge, jury and executioner without ever proving trade secret misappropriation, and carrying out the remote wipe could cause catastrophic data losses for the employee (and possibly for a subsequent employer). This just seems like a bad idea all around. Please email me if you’ve seen a provision like this in the field before or if you know of any cases/statutes that address the situation. In the email, let me know if I can repost your email here. [Editor: I know of a few law firms that are taking a similar approach.]

top

NOTED PODCASTS

Curation: Beyond the Buzzword (IT Conversations, 26 minutes) - According to Eric Schmidt, “Between the dawn of civilization through 2003, mankind created five exabytes of information. Now that much amount of information is created every two days.” Curator Steve Rosenbaum does not seem impressed by this mass of unorganized information. According to Rosenbaum, what humans need is a way to categorize, find, and sort information qualitatively. however, we emphasizes, that this is a job that, at the moment, requires a human instead of a computer. Alluding to our reflexive need to check our emails and the tendency of Google and other search engines to give us far too much information, Rosenbaum dismisses the past standard of ‘Content is King.’ He instead stresses the importance of curation and human influence on sorting and choosing information. The problem, in his opinion, is combining this quality with computer efficiency. With his own examples of curation, which include a book and a documentary about September 11, 2001, Steve Rosenbaum stresses the importance of creating collections of information, works of art, and culture, and liberating it in a flexible architecture that allows us to consume that information in a way that most makes sense for us. He also discusses the use of modern technology and tablet technology to present new opportunities in dealing with massive amounts of information. [Editor: the idea the “books” are the end-result of terrific curation reminds me of “The Young Lady’s Illustrated Primer”, an unusual book that is the center point of Neal Stephenson’s 2000 novel “The Diamond Age”.]

top

Artificial Intelligence - A Legal Perspective (Sanford, Center for Internet & Society, 106minute podcast) - Although we are still waiting on promises of “strong AI” capable of approximating human thought, the widespread use of artificial intelligence has the potential to reshape medicine, finance, war, and other important aspects of society. The Center for Internet and Society, along with the Stanford Law and Technology Association (SLATA), and the Stanford Technology Law Review (STLR) bring together four scholars who have begun to examine the near term, short term, and long term ramifications of artificial intelligence for law and society. This panel follows up on our Legal Challenges in an Age of Robotics panel from November 2009.

top

DIFFERENT

Artists File Lawsuits, Seeking Royalties (NYT, 2 Nov 2011) - When the taxi baron Robert Scull sold part of his art collection in a 1973 auction that helped inaugurate today’s money-soused contemporary-art market, several artists watched the proceedings from a standing-room-only section in the back. There, Robert Rauschenberg saw his 1958 painting “Thaw,” originally sold to Scull for $900, bring down the gavel at $85,000. At the end of the Sotheby Parke Bernet sale in New York, Rauschenberg shoved Scull and yelled that he didn’t work so hard “just for you to make that profit.” The uproar that followed in part inspired the California Resale Royalties Act, requiring anyone reselling a piece of fine art who lives in the state, or who sells the art there for $1,000 or more, to pay the artist 5 percent of the resale price. That law is now at the center of three class-action suits brought this month by artists who include Chuck Close and Laddie John Dill and the estate of the sculptor Robert Graham. They have filed suit against the auction powerhouses Sotheby’s and Christie’s and the online auction site eBay for failure to pay royalties. The suits do not specify damages, nor do they list particular sales of art by California residents. Rather, as Eric George, the lawyer who filed them, explained, the complaints seek to force the auction houses to reveal the identities or locations of sellers, information that is often kept secret. Sotheby’s responded to the suit with a terse statement: “We believe the claim is meritless, and it will be vigorously defended.” Christie’s said that it “views the California Resale Royalties Act as subject to serious legal challenges” and that it “looks forward to addressing these issues in court.” The law has so far survived two legal challenges, and experts in art law are divided about whether it might be vulnerable on constitutional grounds. The larger issue of whether visual artists should receive a cut of future sales remains a subject of vigorous debate. Dozens of countries already have a version of a resale royalties law, generally referred to by the French phrase droit de suite. Starting in 2012, Britain and other members of the European Union will adhere to a uniform standard that applies to both living artists and those who have died within the past 70 years. Indeed, Christie’s, on its Web site, informs prospective clients that it collects the royalty mandated in Europe at the time of the sale.

top

LOOKING BACK - MIRLN TEN YEARS AGO

POLICE MAKE DOUGHNUT RUN VIA CHOPPER (AP, 5 October 2001)—Albuquerque police have taken doughnut runs to new heights, swooping down in an official helicopter for a late-night snack. “If they violated policy or procedure, they’re going to get disciplined for it,” said Lt. Bob Huntsman, department spokesman. “We’ve worked too hard to make this a professional unit to let lack of common sense tear us down.” Keith Turner, who works near a Krispy Kreme doughnut shop, said he was on a break with other people early Thursday when a police helicopter circled and landed in a dirt field nearby. “I was like, `No, they’d better not go and get doughnuts,”’ Turner said. As the helicopter idled, someone got out and went into the store, returning 10 or 15 minutes later with a Krispy Kreme box, he said. http://www.salon.com/people/wire/2001/10/05/doughnuts/index.html

top

REPORT: ONLINE BILL PAYMENT GAINING GROUND (Ecommerce Times, 15 October 2001) Although less than 9 percent of those surveyed used online bill payment services, many more are interested in using those services in the future, said a report by the Yankee Group. This year, 8.7 percent of consumers surveyed paid their bills over the Internet, up from 5.1 percent in 2000, Yankee said. “Considering the growth we’ve seen in the past, it’s not a bad growth rate,” Yankee director Paul Hughes told the E-Commerce Times. Hughes said that banks, credit-card companies and others have been pushing hard to get customers to pay their bills online, offering incentives like frequent-flyer miles and Web certificates to get people to sign up for e-billing programs. Yankee said that among consumers who used electronic bill-payment services, 28.7 percent cited the convenience of not having to write checks as the primary benefit. Another 14.9 percent said saving time was their main motivation. Hughes said BellSouth, AT&T and American Express are among large billers that have been successful at marketing their online billing services and making them easier to use. Concerns about security are “starting to wane, which is good,” said Hughes. http://www.ecommercetimes.com/perl/story/14151.html