MIRLN—- 27 March – 16 April 2011 (v14.05)

• Enabling Distributed Security in Cyberspace
• Long-Form Journalism Finds a Home
• Companies Pick and Choose Which Data Breaches to Report
• Public Records And Court Dockets - Portal To The World – Courtport
• Why the ABA Survey Gets it Wrong on Blogs
• Taming Information Technology Risk: A New Framework for Boards of Directors
• FBI Wants Public Help Solving Encrypted Notes From Murder Mystery
• Is Righthaven Harming the News Industry?
• Court Rules That Instant Message Conversation Modified the Terms of a Written Contract
• NSA to Investigate NASDAQ Hack
• Ninth Circuit Decides Cotterman Case, Reversing District Court on Laptop Seizure at the Border
• Amazon Strong-Arms a Third-Party Kindle Service
• App Called “Creepy” Pinpoints People‘s Location Based On Their Social Networking Activity
• Federal Courts Discuss Smartphone Policies
• Online Applications Too Risky? One Firm Takes the Plunge
• New Yorkers Hurt All Over
• French High Court Upholds Company‘s Review of Employees‘ Email
o Should Companies Restrict Web Access For Employees? Maybe a Little.
• How Can a Law Firm Touting E-Discovery Expertise Screw Up a Litigation Hold?
• The Cronon Case: Part II
• Cloud Computing and Personal Data, Round Two
• Major Law Firms Fall Victim to Cyber Attack
o Law Firms Under Siege
o Law Firm Loses $78K in Massive Malware Scheme That Was Disabled by Feds
• 2010: A Record Year for Domain Name Dispute Arbitrations
• NLRB to Press Reuters Over Reaction to Twitter Post
• Attack Sheds Light on Internet Security Holes
• Feds Defend Twitter Dragnet On WikiLeaks Supporters
• Announcing DoctoredReviews.com, a Website Against Doctors‘ Efforts to Squelch Online Patient Reviews
• Twitter In the Courtroom
• “I‘m from the NSA, and We Don‘t Get Out Much”


Enabling Distributed Security in Cyberspace (DHS, 23 March 2011) – Summary: This paper was prepared under the direction of Philip Reitinger, Deputy Under Secretary for the National Protection and Programs Directorate (NPPD), U.S. Department of Homeland Security, with support from the NPPD Cyber+Strategy Staff, the federally funded Homeland Security Systems Engineering and Development Institute (HS SEDI), and the NPPD Office of Cybersecurity and Communications (CS&C). In 2010, NPPD sponsored a government workshop to discuss a draft of this paper. Recommendations from that workshop have been incorporated. This paper explores a future – a “healthy cyber ecosystem” – where cyber devices collaborate in near‐real time in their own defense. In this future, cyber devices have innate capabilities that enable them to work together to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. This paper presents three building blocks as foundational for a healthy cyber ecosystem: automation, interoperability, and authentication. The paper then considers how these building blocks contribute to ecosystem maturity and explores incentives for creating such a system. It concludes with thoughts on the way ahead. The envisioned end‐state is focused specifically on capabilities that can be achieved in the near‐ and mid‐term by utilizing standards‐based software and information to strengthen self‐defense through automated collective action. This paper is meant to provoke discussion and further exploration of the topic. http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf

Long-Form Journalism Finds a Home (NYT, 27 March 2011) - In 2009, Evan Ratliff, a freelance writer for Wired, and Nicholas Thompson, a senior editor there, had just concluded a particularly satisfying article in which Mr. Ratliff tried to drop off the grid for a month and obscure his whereabouts in the digital age, while Wired magazine offered $5,000 to the person who could find him. It was a hit. But it was also the kind of deeply reported journalism that was going the way of the fax machine. “In the digital realm, there is infinite space, but somehow this hasn‘t resulted in a flowering of long-form content,” Mr. Ratliff said. He had long considered building a Web site that would be more hospitable to long articles, but had also been spending a fair amount of time on his subway commute reading those pieces on his iPhone. The men called Jefferson Rabb, a programmer and Web designer known for building remarkable sites for books. In bars up and down Atlantic Avenue in Brooklyn, the three talked about whether there was a way to use these devices to make the Web a friend, not an enemy, of the articles they liked to work on and read. And, in what may be the first tangible result of journalists gathered in a bar to complain about the state of reading, they did something beyond ordering another round. The result is The Atavist, a tiny curio of a business that looks for new ways to present long-form content for the digital age. All the richness of the Web — links to more information, videos, casts of characters — is right there in an app displaying an article, but with a swipe of the finger, the presentation reverts to clean text that can be scrolled by merely tilting the device. “We wanted to build something that people would pay for,” said Mr. Thompson, who has since switched to being a senior editor of The New Yorker and has had to pull back to consulting for the project. “The Web is good at creating short and snappy bits of information, but not so much when it comes to long-form, edited, fact-and-spell-checked work.” Readers who buy an article from The Atavist and read it on an iPad — there are also less media-rich versions for the Kindle and the Nook — could begin reading the piece at home and then when driving to work, toggle to an audio version. In each item, there is a timeline navigation that seems natural and simple, and a place for comments that mimics the notes that people put in the margins of complicated, interesting pieces. Since opening for business at the end of January, The Atavist has published three long pieces that are native to the tablet in concept and execution, and it has had over 40,000 downloads of its app. Writers are paid a fee to cover reporting expenses and then split revenue with The Atavist. For the time being, an article costs $2.99 for the iPad and $1.99 for the Kindle or Nook. http://www.nytimes.com/2011/03/28/business/media/28carr.html?_r=1&ref=business [Editor: I‘ve tried this, and think the package/tools are quite good, but the writing lacks.]

Companies Pick and Choose Which Data Breaches to Report (Network World, 28 March 2011) - One in 7 information technology companies have not reported data breaches or losses to outside government agencies, authorities or stockholders. In addition, only 3 out of 10 said they report all data breaches and losses suffered related to intellectual property, while 1 in 10 organizations will only report data breaches and losses that they are legally obliged to report, and no more. Six in 10 said they currently “pick and choose” the breaches and losses of sensitive data they decide to report, “depending on how they feel about them.” Those were some of the key findings from a McAfee and Science Applications International Corp. (SAIC) survey that queried 1,000 technology managers in the U.S., United Kingdom, Japan, China, India, Brazil and the Middle East on questions about intellectual property and security. The report, entitled “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency,” said the main reasons for not disclosing data breaches are fear of media coverage, damage to the brand and shareholder value. “The admission of a significant vulnerability could flag other attackers so very few companies are willing to be public about intellectual capital losses,” the report says. http://www.networkworld.com/news/2011/032811-mcafee-underground.html?source=NWWNLE_nlt_daily_pm_2011-03-28&elq_mid=13313&elq_cid=996107

Public Records And Court Dockets - Portal To The World – Courtport (FutureLawyer, 28 March 2010) - Public records, court dockets - Free Trial - Court port. I am on a legal research and court records research roll right now. Yesterday, I showed you how to research the law cheaply and efficiently, without a subscription to an expensive legal research service. (You know who they are). Today, we shift focus to over 10,000 court records databases, including full docket searching in the entire Federal case database. Criminal records searches, records in all State, Federal, State, County, and Municipal databases. Licensing and disciplinary records for every kind of professional, and detailed records about just about anyone. For $10 a month, the lawyer can know anything that is material to his client, witness, opponent, or do complete legal research for a fraction of the cost of more expensive systems. http://futurelawyer.typepad.com/futurelawyer/2011/03/public-records-and-court-dockets-portal-to-the-world-courtport.html

Why the ABA Survey Gets it Wrong on Blogs (Robert Ambrogi, 29 March 2011) - Let me ask you a question: Where are you more likely to buy a car, at a Superbowl commercial or at your local auto dealer? Given that most people would say auto dealer, it follows that Superbowl commercials must not be effective at selling cars, right? Of course not. The question, as phrased, makes no sense. You can‘t buy a car from a TV commercial. Do Superbowl commercials help sell cars? I don‘t know, but I do know that the above question doesn‘t help me figure out the answer. Now consider the recent ABA survey that concluded that consumers do not rely on blogs to find a lawyer. If you‘ve missed the debate about this, start with Kevin O‘Keefe‘s post, making sure to read the comments from Will Hornsby and Kevin‘s replies, then read this post from Carolyn Elefant, and then this one from Scott Greenfield. Here is the question the ABA survey asked: “If you needed a lawyer for a personal legal matter, how likely would you be to use the following resources to find one?” Among the resources listed were websites, directories, social networking sites and blogs. Just fifteen percent said they were very or somewhat likely to use blogs. It follows, therefore, that blogs are ineffective as tools for client development, right? Of course not. The question makes no sense. No one would “use” a blog to find a lawyer, just as no one would “use” a Superbowl commercial to find a car. A blog is not a selection tool. It is not a directory. It is not somewhere anyone would go to “find” something. Kevin has it exactly right. “Rather than looking at blogs and social media as something new,” he writes, “look at blogs and social media as accelerators of relationships and your word of mouth reputation.” http://www.lawsitesblog.com/2011/03/why-the-aba-survey-gets-it-wrong-on-blogs.html

Taming Information Technology Risk: A New Framework for Boards of Directors (Oliver Wyman and NACD, March 2011) - A recent survey of 204 board members by Oliver Wyman‘s Global Risk Center and the National Association of Corporate Directors (NACD) finds that nearly half (47%) of board members are dissatisfied with their boards‘ ability to provide IT risk oversight. When you consider how much is riding on companies‘ ability to use technology effectively, that figure is alarming. The world‘s largest 500 companies lose more than $14 billion every year because of failed IT projects, according to an Oliver Wyman analysis. Therein lies an opportunity. Companies that receive valuable board direction and input on IT-related risk will have a significant competitive advantage over those that don‘t. http://www.oliverwyman.com/ow/pdf_files/OW_EN_GRC_2011_PUBL_Taming_IT_Risk.pdf?elq_mid=13218&elq_cid=996107

FBI Wants Public Help Solving Encrypted Notes From Murder Mystery (Network World, 29 March 2011) - The FBI is seeking the public‘s help in breaking the encrypted code found in two notes discovered on the body of a murdered man in 1999. The FBI says that officers in St. Louis, Missouri discovered the body of 41-year-old Ricky McCormick on June 30, 1999 in a field and the clues regarding the homicide were two encrypted notes found in the victim‘s pants pockets. From the FBI: “The more than 30 lines of coded material use a maddening variety of letters, numbers, dashes, and parentheses. McCormick was a high school dropout, but he was able to read and write and was said to be ‘street smart.‘ According to members of his family, McCormick had used such encrypted notes since he was a boy, but apparently no one in his family knows how to decipher the codes, and it‘s unknown whether anyone besides McCormick could translate his secret language. Investigators believe the notes in McCormick‘s pockets were written up to three days before his death.” http://www.networkworld.com/community/blog/fbi-wants-public-help-solving-encrypted-notes

Is Righthaven Harming the News Industry? (Citizen Media Law Project, 29 March 2011) - Righthaven, a copyright-enforcement entity that sues first and asks questions later, comes up a lot here at the CMLP, both on the blog and in the legal threats database. As a recent profile on CNN.com illustrates, Righthaven‘s founder Steve Gibson thinks he is simply enforcing content owners‘ rights within the digital landscape. In particular, Gibson thinks that fair use doesn‘t cover “the kinds of reproduction that Righthaven is addressing”. Fortunately for bloggers, courts seem to be taking an increasingly critical look at Gibson‘s views. Back in October, the federal court in Nevada threw out a case against a blogger who copied “only the first eight sentences of a thirty sentence news article” on fair use grounds. Just a few days ago on March 18, 2011, a different Nevada judge threw out yet another Righthaven case on fair use grounds. As Steve Green of the Las Vegas Sun reports, however, Righthaven LLC v. Center for Intercultural Organizing involved the re-posting of an entire news article. Of course, neither of these recent cases are binding legal precedent, and they may be overturned on appeal. The CMLP has written legal guides about using the works of others and fair use, which can be helpful in working through these issues. The tide may be turning against Righthaven. Indeed, as Green points out, it seems ironic that Righthaven may be undermining all newspapers‘ case for copyright protection. Green‘s analysis that Righthaven seems to have shot itself in the foot appears to be driving subsequent coverage, including analysis on websites from paid Content to Ars Technica. http://www.citmedialaw.org/blog/2011/righthaven-harming-news-industry

Court Rules That Instant Message Conversation Modified the Terms of a Written Contract (Goldman‘s blog, 29 March 2011) - CX Digital Media, Inc. v. Smoking Everywhere, Inc., 09-62020-CIV-Altonga (S.D. Fl.; Mar. 23, 2011) - As contract cases go, this one is interesting. It‘s more than interesting, it‘s awesome! The court held that an instant message exchange effectively modified a written agreement which contained a “no-oral modification clause.” This resulted in a judgment in favor of a marketing agency against the seller of electronic cigarettes to the tune of $1,235,655 (along with fees, costs, and interest)! * * * It‘s standard for contracts to restrict oral amendments. It‘s also standard for business partners to “talk” using email, IM, text messages, Twitter @replies, comments to Facebook status reports, etc., etc. The default rules should be that all of these electronically-mediated communications qualify as writings. (But see John O‘s post on an odd case from last summer). If you fear the legal effects of these communications, you could try to restrict contract amendments to terms printed on a piece of paper mutually signed in ink. But I think lawyers are fighting an uphill battle trying to denigrate the legal effect of these electronic communications. They are an integral part of the relationship, and there‘s not much we as lawyers can do to change that. http://blog.ericgoldman.org/archives/2011/03/court_rules_tha.htm

NSA to Investigate NASDAQ Hack (Wired, 30 March 2011) - The National Security Agency has been called in to help investigate recent hack attacks against the company that runs the Nasdaq stock market, according to a news report. The agency‘s precise role in the investigation hasn‘t been disclosed, but its involvement suggests the October 2010 attacks may have been more severe than Nasdaq OMX Group has admitted, or it could have involved a nation state, according to sources who spoke with Bloomberg News. “By bringing in the NSA, that means they think they‘re either dealing with a state-sponsored attack, or it‘s an extraordinarily capable criminal organization,” Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, told the publication. He added that the agency rarely gets involved in investigations of company breaches. Regarding the Nasdaq breach, in addition to the Secret Service, the FBI and the NSA, unidentified foreign intelligence agencies are also reportedly assisting in the probe. The Wall Street Journal reported in February that Nasdaq OMX Group had been repeatedly breached last year. Nasdaq later confirmed the report but insisted that computers involved in its trading platform were not compromised in the attacks. The company said the attacks were limited to a web application known as Directors Desk that allows board members of Nasdaq companies to hold online meetings and exchange confidential information — data that attackers would conceivably find useful to trade on. The Directors Desk, however, may not have been the target but simply an entry point for the hackers to gain further penetration into Nasdaq OMX‘s network. According to Bloomberg News, investigators have acknowledged they still have no idea how far into the network the attack reached or what data the attackers may have stolen. http://www.wired.com/threatlevel/2011/03/nsa-investigates-nasdaq-hack/

Ninth Circuit Decides Cotterman Case, Reversing District Court on Laptop Seizure at the Border (Volokh Conspiracy, 30 March 2011) - Back in 2009, I blogged about United States v. Cotterman, a fascinating Fourth Amendment case from the District of Arizona involving a forensic search of a computer seized at the U.S./Mexico border. Ninth Circuit precedent holds that the government can search a computer at the border with no suspicion under the border search exception, just like it can search any other property. The question in Cotterman was whether the government could seize the computer, bring it to a forensic specialist 170 miles away, and have the forensic specialist search the computer there two days later. Is that still a border search? Or does the delay in time, or the change in location, mean that the border search exception doesn‘t apply (or applies differently)? The District Court held that the delay in time and the moving of the computer required applying the ‘extended‘ border search doctrine, which requires reasonable suspicion, instead of the traditional border search exception, which does not. As I noted here, the Government appealed but has not argued that the search was justified by reasonable suspicion. As a result, the case presents a pure legal question: Does the Fourth Amendment require reasonable suspicion in these circumstances, or is the seizure and subsequent search permitted without any cause? In a decision released this morning, United States v. Cotterman, a divided Ninth Circuit reversed and held that the seizure and search were permitted without cause. The majority opinion by Judge Tallman, joined by Judge Rawlinson, reasons that it is clear, under Ninth Circuit precedent, that the search would have been legal if it had occurred at the border without delay. The opinion reasons that Cotterman‘s expectation of privacy is what matters, and that because Cotterman‘s computer was taken to be searched at the border, Cotterman‘s expectation of privacy is not impacted by where the computer was taken. The next question was how much delay is permitted. That is, for how long can the government hold a computer pursuant to the border search exception in order to search it? Because holding the computer was a seizure, the test was reasonableness: Specifically, whether the detention “was reasonably related in scope to the circumstances that justified the initial detention at the border.” In this case, it was: The Government proceeded quickly to bring the computer to an expert, the expert searched the computer pretty quickly, and worked through the weekend to get the search completed. Further, the fact that the computer was brought to the expert rather than the expert being brought to the computer was not only acceptable, but wise: “our common sense and experience inform us that the decision to transport the property to the laboratory, instead of transporting the laboratory to the property, resulted in a shorter deprivation.” http://volokh.com/2011/03/30/ninth-circuit-decides-cotterman-case-reversing-district-court-on-laptop-seizure-at-the-border/ http://www.ca9.uscourts.gov/datastore/opinions/2011/03/30/09-10139.pdf

Amazon Strong-Arms a Third-Party Kindle Service (Zittrain, 31 March 2011) - Amazon shut down Lendle, a popular Kindle service that allows users to lend their books to strangers, last week because it didn‘t “serve the principal purpose of driving sales of products and services on the Amazon site.” Two days later, after customers tweeted their displeasure, Amazon informed Lendle of the specific feature that got the service blocked. That feature, Book Sync, scraped the Amazon site itself to determine which books in a user‘s library were lendable (not all are). Lendle removed it and is now back up and running. Axing a company‘s service to your platform without notice or an opportunity to address the issue is a severe sanction and may intimidate service providers to comply rather than publicly balking at your demands. Here, Lendle disabled the offending feature without a row. Then again, maybe the company knew all along that Book Sync violated Amazon‘s policies. While Lendle could argue that Amazon shouldn‘t restrict harmless features of third-party services, flagrantly violating those policies could lead Amazon to boot a service. http://futureoftheinternet.org/foi-topics-and-links-of-the-week-15

App Called “Creepy” Pinpoints People‘s Location Based On Their Social Networking Activity (Boing Boing, 31 March 2011) - The creator of Creepy, Yiannis Kakavas, calls his application a “geolocation information aggregator.” It analyzes a person‘s tweets, Facebook posts, and Flickr stream to generate a map of where that person is and where he or she goes. “You can enter a Twitter or Flickr username into the software‘s interface, or use the in-built search utility to find users of interest. When you hit the ‘Geolocate Target‘ button, Creepy goes off and uses the services‘ APIs to download every photo or tweet they‘ve ever published, analysing each for that critical piece of information: the user‘s location at the time. While Twitter‘s geolocation setting is optional, images shared on the service via sites like Twitpic and Yfrog are often taken on a smartphone - which, unbeknownst to the user, records the location information in the EXIF data of the image. Creepy finds these photos, downloads them, and extracts the location data. When the software finishes its run, it presents you with a map visualising every location that it found - and that‘s when the hairs on the back of your neck go up. While the location of an individual tweet might not reveal much, visualising a user‘s history on a map reveals clusters around their home, their workplace, and the areas they hang out.” http://www.boingboing.net/2011/03/31/app-called-creepy-pi.html

Federal Courts Discuss Smartphone Policies (CMLP, 1 April 2011) - The U.S. Judicial Conference, which helps set policy for federal circuit (appeals) and district (trial) courts, has issued a memo, first reported by Wired‘s “Threat Level” blog, that is meant to help individual courts set policies on when and how smartphones and similar devices can be brought into and used in courthouses and in courtrooms. The memo outlines some of the issues that arise with smartphones and other electronic devices in courthouses, and informally surveys various federal courts‘ existing policies regarding smartphones.

The survey found that 41 of the 94 district courts allow anyone to bring the devices into their courthouses, often with some restrictions on their use. Of these 41 courts, nearly a third prohibit the public from bringing the devices in the courtroom, while the remaining two-thirds require that devices be kept off or in silent mode without the judge‘s permission. Forty-eight district courts ban devices, except for those possessed by judges, court personnel, and probation and pretrial officers, or with the express permission of a judge. Other courts ban only certain devices, such as devices that include cameras. In both types of situations, courts either check and store the devices or else simply bar individuals from entering with such a device. The memo also notes that many district courts have special policies allowing journalists to bring electronic devices into the courthouse, but also notes that only six district courts allow journalists to use these devices in courtrooms, which various restrictions. The memo notes that a consideration in adopting such a policy for journalists is “how to distinguish, if at all, between members of the traditional press and those who report solely through social media sites or other internet venues.” The memo lays out some of the arguments for and against allowing electronic devices in courthouses, including concerns about recording and broadcast of court proceedings (which the memo mistakenly states is barred in all federal district courts; more on that in this post); and the concern that “[t]hese common devices present security issues because some can be and have been converted for use as weapons, including explosives.” The Wired blog scoffs at this rationale. http://www.citmedialaw.org/blog/2011/federal-courts-discuss-smartphone-policies

Online Applications Too Risky? One Firm Takes the Plunge (ABA Journal, 1 April 2011) - Like anything new, cloud computing inspires both interest and caution in its users, and for the risk-averse legal business, even early adopters prefer to move a few applications online rather than commit entire operations to the ether. But then there‘s Bradford & Barthel. Eric Hunter, director of knowledge management at the 12-office California law firm, is among the true believers. In the fall of 2009, his firm decided to move its e-mail, calendaring, document collaboration, intranets and extranets to the cloud via Google Apps for Business, and they‘ve never looked back. Hunter cites “huge licensing cost savings,” Google‘s relentless push for innovation and the service provider‘s commitment to customer support as primary motivators for the switch, which involves a 24-month implementation period that is about halfway complete. But while the siren call of cloud computing is becoming ever more enticing, concerns about security and the loss of control over data have left much of the legal community wary of shifting computing to off-site service providers. “Think about it for a minute,” says Mike Lipps, a vice president and managing director for legal business software solutions for LexisNexis, which offers a number of cloud-based solutions for law firms. “I want you to take your most sensitive and personal data, and I want you to put it ‘out there.‘ Out there on the Internet, in the cloud, in that place where scam artists rip off old ladies with wire transfers, where predators pose as kids in chat rooms, where people swap music for free until they get sued by the RIAA. “Put your data out there and I promise it will be safe, secure and there when you need it. And if you discontinue using my service, I‘ll give it back to you nice and neat. What‘s not to love about this concept?” http://www.abajournal.com/magazine/article/online_applications_too_risky_one_firm_takes_the_plunge?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly [Editor: Wow! Sounds like an enforceable promise to me, a very, very hard one to keep. Watch for LN to walk this back, fast.]

New Yorkers Hurt All Over (Steptoe, 2 April 2011) - ... at least when it comes to online copyright infringement. New York‘s highest court has ruled in Penguin Group (USA) Inc. v. American Buddha that if a New York copyright owner‘s work is uploaded on the Internet without authorization, an infringement suit may be brought in New York regardless of where the uploading occurred or whether anyone in New York downloaded the infringing material. This decision could greatly expand the jurisdiction of both state and federal courts in the Empire States over Internet piracy cases brought by New York copyright holders. http://www.steptoe.com/publications-7507.html

French High Court Upholds Company‘s Review of Employees‘ Email (Steptoe, 2 April 2011) - France‘s highest court, the Cour de Cassation, has ruled in Securitas France v. M. X. that it was permissible for a company to fire an employee based in part on emails he had exchanged with another employee, with whom he had a personal relationship, in which the two employees referred to a supervisor in offensive terms. The court‘s decision broadens a bit the scope of permissible monitoring by employers of their employees‘ use of company networks. Companies must still exercise caution in reviewing employees‘ email in Europe, since courts there are more prone than in the U.S. to regard employees‘ emails as private in many situations. http://www.steptoe.com/publications-7507.html [Editor: this continues a slow move to employer-monitoring rights in France, begun nearly 15 years ago with a flat prohibition.]

- and -

Should Companies Restrict Web Access For Employees? Maybe a Little. (ReadWriteBiz, 6 April 2011) – Earlier today I was sitting in my office and, having crossed five tasks off the sticky note affixed to my laptop, checked in on Twitter, where amidst a slew other 140-character tidbits, lead New York Times tech blogger Nick Bilton had just shared a link to a rather interesting story in the New Yorker. The article, titled In Praise of Distraction, takes a look at the proliferation of Internet-fueled, at-the-office distractions and whether or not they pose a significant problem for businesses. Intuitively, yes, having employees spend all day on Facebook, YouTube and online shopping sites is bound to cut into productivity. But as the New Yorker article points out, some recent research suggests that restricting access to non-work-related content entirely can actually impede productivity. Additionally, as the article notes, restricting Web access “creates a tyrannical work environment” which can damage morale among employees who, let‘s face it, are more empowered than ever thanks to the Internet and social media. Many of these employees, it‘s worth remembering, are carrying around Internet-connected smart phones that operate outside the corporate firewall. Instead, some recommend a more measured approach in which employees are allotted pockets of time for browsing the Web, not unlike a coffee or smoking break. http://www.readwriteweb.com/biz/2011/04/should-companies-restrict-web-access-for-employees.php

How Can a Law Firm Touting E-Discovery Expertise Screw Up a Litigation Hold? (Ride the Lightning, 4 April 2011) - It seems that a prominent law firm in Detroit (Honigman, Miller, Schwartz and Cohn), which touts its e-discovery expertise on its “Services” page, utterly failed to institute a proper litigation hold when it was sued by a former executive assistant who had been discharged. The firm failed to institute a litigation hold after receiving an EEOC right to sue letter - and other facts suggest the firm was preparing for the lawsuit even earlier. The firm also failed to suspend the operation of an automated e-mail deletion program when the hold should have been instituted. It never surprises me when business clients fail to take the appropriate steps - often in ignorance of litigation holds and what they require. But seeing a law firm with supposed e-discovery expertise so thoroughly “get it wrong” is disturbing. Would the firm advise its clients to act as it apparently acted? I sure hope not. http://ridethelightning.senseient.com/2011/04/how-can-a-law-firm-touting-e-discovery-expertise-screw-up-a-litigation-hold.html

The Cronon Case: Part II (InsideHigherEd, 4 April 2011) - “Scholars and scientists pursue knowledge by way of open intellectual exchange. Without a zone of privacy within which to conduct and protect their work, scholars would not be able to produce new knowledge or make life-enhancing discoveries. Lively, even heated and acrimonious debates over policy, campus and otherwise, as well as more narrowly defined disciplinary matters are essential elements of an intellectual environment and such debates are the very definition of the Wisconsin Idea.” Biddy Martin, Chancellor of the University of Wisconsin-Madison wrote this passage in an open message on academic freedom. This message comes in response to the Freedom of Information Act request for the emails of historian Professor William Cronon who holds an exalted position on that campus. On March 21 of this year, The New York Times published an op-ed piece by Professor Cronon on the current events on-going in Wisconsin politics. In particular, Professor Cronon criticized Governor Walker for a lack of transparency in the unfolding of those events. That concept, transparency, seems to be in political ascendency these days, being deployed by both parties and virtually every position in between. So it is either in keeping with that thread in American politics, or just pure irony, that Professor Cronon has become the subject of a state Freedom of Information Act request. The University of Wisconsin legal counsel, John C. Dowling, has honored that request. I recommend to any one interested in this case, and how legal counsel operates within institutions to protect our missions, the letter. It is a model of professionalism and honor. http://www.news.wisc.edu/19196 In short, it explains the process by which the institution went about complying with the request, and in so doing separated protected categories of mail from that which was released. Educational records, intellectual property, professional correspondence and personal mail remained outside the scope. I would have intellectually enjoyed the sections of the letter where Mr. Dowling parses terms such as “union” and “recall” were the underlying matter not so serious. That, my friends, is the law in action: A public statute that allows for the request, legal counsel‘s response. Chancellor Martin‘s message is institutional policy at its best. http://www.insidehighered.com/blogs/law_policy_and_it/the_cronon_case_part_ii [Editor: Bravo. This is the kind of thing that makes you proud to be a lawyer.]

Cloud Computing and Personal Data, Round Two (Media Law Prof Blog, 5 April 2011) - W. Kuan Hon, Christopher Millard, and Ian Walden, all of Queen Mary University School of Law, have published Who is Responsible for ‘Personal Data‘ in Cloud Computing? The Cloud of Unknowing, Part 2. Here is the abstract: “In part one of this series, we considered what information is regulated as ‘personal data‘ in the cloud. In this part two, we develop further the argument made in part one that it is not appropriate for infrastructure cloud providers, many of which are based outside Europe, to become subject arbitrarily to obligations under the EU Data Protection Directive due to choices made by their users.

EU data protection responsibilities and liabilities are imposed primarily on the ‘controller,‘ who may employ ‘processors‘ to process data for it. We suggest, as with the concept of ‘personal data,‘ the binary nature of the controller/processor distinction is no longer tenable. In today‘s environment of complex chains of actors, end to end accountability should replace the binary distinction. While cloud computing service providers are commonly considered processors or controllers, this paper further argues that many infrastructure cloud computing providers are not even ‘processors,‘ but simply provide facilities and/or tools for use by the controller/cloud user. Infrastructure as a Service and Platform as a Service providers, and certain Software as a Service providers, who offer no more than utility infrastructure services, will often not know whether information stored or processed through their services is ‘personal data‘ or not – hence, the ‘cloud of unknowing.‘ Infrastructure cloud providers are qualitatively distinct from services such as social networking websites.” http://lawprofessors.typepad.com/media_law_prof_blog/2011/04/cloud-computing-and-personal-data-round-two.html

Major Law Firms Fall Victim to Cyber Attack (Globe & Mail, 5 April 2011) - Hackers have penetrated four major Bay Street law firms in the past seven months with highly sophisticated cyber attacks designed to destroy data or to steal sensitive documents relating to impending mergers and acquisitions. Daniel Tobok, president of Toronto-based Digital Wyzdom Inc., who investigated the attacks, would not name the firms. The attacks, which he said appeared to originate from computers in China, show that Canadian law firms are a target for hackers and potentially, state-sponsored cyber espionage. They follow similar attacks on governments and major corporations in recent years. “They were harvesting information,” Mr. Tobok said of the hackers who penetrated the computers of the four Toronto law firms. He said it was hard to say if any sensitive data actually went missing, but said the attacks were at least successful at getting inside the firms‘ systems. “This was probably one of the most sophisticated attacks we have seen.” David Craig, national information security practice leader for PricewaterhouseCoopers Canada, said law firms are a natural target for hackers because they are storehouses of information of interest to everyone from organized crime to spouses in marital disputes. But he said law firms tend to be extra careful about confidential information. Large firms usually have sophisticated IT staff and policies in place to try to keep data secure. http://www.theglobeandmail.com/report-on-business/industry-news/the-law-page/major-law-firms-fall-victim-to-cyber-attacks/article1972226/

- and -

Law Firms Under Siege (DarkReading, 6 April 2011) - Law firms are increasingly getting hit by stealthy, low-profile targeted attacks going after intelligence on their corporate clients. Forensics investigators at Mandiant are working on twice as many targeted attacks by so-called advanced persistent threat (APT) adversaries against law firms than in years past; of the commercial victims Mandiant investigated during the past 18 months or so, 10 percent were law firms. And those are only the cases Mandiant sees: Its executives say many more go unnoticed by the victim organizations. Why are law firms joining the ranks of federal government agencies, defense contractors, and technology companies, like Google and RSA, as targets for APTs? “Law firms are a means to an end: a defense contractor or utility” that they represent, for example, says Steve Surdu, vice president of professional services at Mandiant. Surdu says while he worked on just a handful of cases where law firms were hit, he now sees a dozen to 15 at once. Attackers find law firms an attractive and relatively soft target for gathering the intelligence they want on a new weapons system or software, for example. Firms that represent clients in mergers and acquisitions, or civil litigation, are getting hit, including when their clients are involved with deals involving Chinese companies. Phishing attacks against law firms are nothing new—the FBI warned firms back in November 2009 of a massive phishing attack aimed at firms. http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/229401089/law-firms-under-siege.html

- and -

Law Firm Loses $78K in Massive Malware Scheme That Was Disabled by Feds (ABA Journal, 14 April 2011) - Federal authorities say they have disabled, with the help of Microsoft Corp., a massive “botnet” that is believed to have been operating for a decade and infecting nearly 2 million computers in the United States alone. Believed to have been run from Russia, it has allegedly been used to steal perhaps $100 million, including $78,421 from an unidentified South Carolina law firm‘s bank account, according to Bloomberg. Relying on information from the Department of Justice, court filings, an internet security analyst and an unidentified agent of the FBI, the news service says the operation to shut down the so-called Coreflood botnet is the first time federal authorities have ever taken command of the network running such a scheme and sent instructions to victim computers to disable the malware. “There has been a real legal barrier to do this because essentially you are issuing instructions to someone else‘s computer,” Alex Cox of the NetWitness Corp. cyber-security firm tells the news agency. “That is very, very significant.” http://www.abajournal.com/news/article/doj_says_massive_decade-old_botnet_helped_web_thieves_steal_millions/

2010: A Record Year for Domain Name Dispute Arbitrations (NLJ, 7 April 2011) - Arbitration cases involving allegations of cybersquatting, or improper use of trademarks in Internet domain-name registrations, hit record levels last year at the two organizations that handle most of the disputes. The National Arbitration Forum reported a 24% spike in new domain name dispute filings in 2010 to 2,177, up from 1,759 cases in 2009 and up 23% from the 1,770 cases filed in 2008. Much of the spike is driven by the “sheer volumetric increase in the number of domain names being registered,” said Kristine Dorrain, the forum‘s Internet legal counsel. “The fact that the number of registrations continue to grow, means the number of disputes are going to continue to grow,” Dorrain said. The World Intellectual Property Organization reported 2,696 new case filings—a 28% spike over the 2,107 cases filed in 2009. Last year‘s case filings also exceeded 2008 filings by 16%. That year‘s 2,329 set the previous record for new WIPO cases. http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1202489436357

NLRB to Press Reuters Over Reaction to Twitter Post (NYT, 7 April 2011) - In what would be the first government case against an employer involving Twitter, the National Labor Relations Board told Thomson Reuters on Wednesday that it planned to file a civil complaint accusing the company of illegally reprimanding a reporter over a public Twitter posting she had sent criticizing management. The board asserts that the company‘s Reuters news division violated the reporter‘s right to discuss working conditions when her supervisor reprimanded her for posting a message on the Twitter service that said, “One way to make this the best place to work is to deal honestly with Guild members.” The author of the post, Deborah Zabarenko, the agency‘s environmental reporter in Washington and the head of the Newspaper Guild at Reuters, sent that to a company Twitter address after a supervisor had invited employees to send postings about how to make Reuters the best place to work. “The next day the bureau chief called me at home,” Ms. Zabarenko said in an interview. “He told me that Reuters had a policy that we were not supposed to say something that would damage the reputation of Reuters News or Thomson Reuters. I felt kind of threatened. I thought it was some kind of intimidation.” http://www.nytimes.com/2011/04/07/business/media/07twitter.html?scp=1&sq=reuters%20twitter&st=cse

Attack Sheds Light on Internet Security Holes (NYT, 7 April 2011) - The Comodo Group, an Internet security company, has been attacked in the last month by a talkative and professed patriotic Iranian hacker who infiltrated several of the company‘s partners and used them to threaten the security of myriad big-name Web sites. But the case is a problem for not only Comodo, which initially believed the attack was the work of the Iranian government. It has also cast a spotlight on the global system that supposedly secures communications and commerce on the Web. The encryption used by many Web sites to prevent eavesdropping on their interactions with visitors is not very secure. This technology is in use when Web addresses start with “https” (in which “s” stands for secure) and a closed lock icon appears on Web browsers. These sites rely on third-party organizations, like Comodo, to provide “certificates” that guarantee sites‘ authenticity to Web browsers. But many security experts say the problems start with the proliferation of organizations permitted to issue certificates. Browser makers like Microsoft, Mozilla, Google and Apple have authorized a large and growing number of entities around the world — both private companies and government bodies — to create them. Many private “certificate authorities” have, in turn, worked with resellers and deputized other unknown companies to issue certificates in a “chain of trust” that now involves many hundreds of players, any of which may in fact be a weak link. The Electronic Frontier Foundation, an online civil liberties group, has explored the Internet in an attempt to map this nebulous system. As of December, 676 organizations were signing certificates, it found. Other security experts suspect that the scan missed many and that the number is much higher. Making matters worse, entities that issue certificates, though required to seek authorization from site owners, can technically issue certificates for any Web site. This means that governments that control certificate authorities and hackers who break into their systems can issue certificates for any site at will. http://www.nytimes.com/2011/04/07/technology/07hack.html?_r=1&scp=1&sq=an%20attack%20sheds%20light&st=cse

Feds Defend Twitter Dragnet On WikiLeaks Supporters (The Register, 9 April 2011) - Federal prosecutors on Friday defended their attempts to access the Twitter records of three WikiLeaks supporters, arguing their claims that the dragnet violates their constitutional rights should be rejected. In a 19-page filing in federal court, prosecutors said a ruling issued last month should be upheld despite the claims by WikiLeaks supporters Jacob Appelbaum, Birgitta Jónsdóttir, and Rop Gonggrijp that it violates their right to free speech. The filing came in an ongoing criminal investigation into Julian Assange, founder of the whistle-blower website. The March 11 order approved the government‘s request for IP addresses the supporters used to access Twitter between November 2009 and last December and the email addresses they gave when registering with the micro-blogging website. US Magistrate Judge Theresa Buchanan said there were no constitutional violations because the information sought didn‘t involve the content of any of the Twitter subscribers‘ communications. Federal prosecutors agreed. “The subscribers‘ claim that Twitter‘s non-content records are subject to heightened protections under the First Amendment is baseless,” they wrote. The information demand was made in a confidential filing in December under the US Stored Communications Act. The Twitter users also argued that the secrecy of the motion violated their Fourth Amendment right protecting them from unreasonable searches and seizures. The government later agreed to make public most of the court documents filed in their demand, but withheld revealing one document that Buchanan said would reveal “sensitive nonpublic facts, including the identity of targets and witnesses.” Friday‘s court filing is here. http://www.theregister.co.uk/2011/04/09/twitter_dragnet_wikileaks/ [Editor: the MIRLN podcast 14.02 addresses some of this.]

Announcing DoctoredReviews.com, a Website Against Doctors‘ Efforts to Squelch Online Patient Reviews (Eric Goldman, 13 April 2011) - I‘m pleased to announce the launch of DoctoredReviews.com, a website that addresses Medical Justice‘s form contract that seeks to restrict patients‘ online reviews of doctors by taking a prospective copyright assignment in the patients‘ unwritten reviews. Medical Justice‘s practices have bothered me for years, but I never had the chance to organize my thoughts fully. Fortunately, last August, Jason Schultz of the Samuelson Law, Technology & Public Policy Clinic suggested that I could work with him and two Berkeley law students on this issue. After evaluating our options, we decided to pursue an advocacy website. Should the website fail to curb the bad practices, we may need to reconsider more aggressive options. I have given some recent talks about Medical Justice and the misuse of copyright law to manage online reputations. See my talk slides and my related academic paper. I‘d welcome the chance to discuss these issues in more detail. http://blog.ericgoldman.org/archives/2011/04/announcing_doct.htm

Twitter In the Courtroom (Media Law Prof Blog, 14 April 2011) - Adriana C. Cervantes, Hastings Law School, has published Will Twitter Be Following You in the Courtroom?: Why Reporters Should Be Allowed to Broadcast During Courtroom Proceedings, at 33 Hastings Communication & Entertainment Law Journal 133 (2010). Here is the abstract: “Thanks to micro-blogging and social networking tools, we no longer have to pick up a phone to call our friends and ask them what they are doing. Instead we turn to our laptop, BlackBerry, or iPhone to get instant information available to us through the Internet. Twitter is a key player in the Internet information exchange line-up. It has made its way into one of the oldest and most archaic forums: the courtroom. This article will discuss the history of prohibitions against broadcasting in the court, analyze the reasons why reporters should be allowed to use Twitter and other micro-blogging tools in the courtroom, and propose a solution for how their presence can be accounted for in order to maintain order in the court. This topic is significant because the digital era has presented new technology-in-the-court issues. People are entering courtrooms across America carrying electronic digital devices that can access blogging sites within seconds. The current law does not properly address whether reporters should be allowed to tweet, but this trend is becoming more prevalent. Twitter needs to be addressed with our current society in mind; a society wanting instant access to information. Legislatures and courts have both addressed the question of whether court proceedings should be broadcast differently. This note will examine whether broadcasting through websites like Twitter should be allowed during civil and criminal cases so that the public can have instant access to judicial proceedings.” http://lawprofessors.typepad.com/media_law_prof_blog/2011/04/twitter-in-the-courtroom.html

“I‘m from the NSA, and We Don‘t Get Out Much” (Lawfare, 14 April 2011) - It isn‘t every day that a representative of the National Security Agency gives a public speech on the agency‘s understanding of “Protecting Civil Liberties in a Cyber Age.” So I thought I would take good notes for Lawfare readers on Patrick Reynolds‘ speech today at the Duke Conference. Reynolds is deputy general counsel at the NSA, and he gave a brief overview on the panel of the development of surveillance law. The panel included several other distinguished speakers, but I am focusing here only on Reynolds‘ comments. It is a paraphrase, not an effort to transcribe. http://www.lawfareblog.com/2011/04/im-from-the-nsa-and-we-dont-get-out-much/ [Editor: pretty interesting, thorough, and useful historical discussion of applicable surveillance law, as against NSA‘s evolving mission. Essentially serves as a counter-point to the Stanford podcast “Data Privacy - EPCA Revisited”, noted in MIRLN 14.04.]


What Are the Ethics of Lawyer Review Sites Like Avvo? (ABA Journal, 4 April 2011; 20 minutes) - Some state attorney discipline agencies are heavily regulating how lawyers use rating sites for business development. But how do those rules jive with the less-stringent Communications Decency Act of 1996, which says users of such sites aren‘t liable for content posted by others? ABA Journal podcast moderator Stephanie Francis Ward talks with guests to discuss, among other ethics issues, whether lawyers can/should face discipline for client-written “testimonials.” http://www.abajournal.com/news/article/podcast_monthly_episode_13/ [with Vincent Buzard, Eric Goldman, and Jamie Zysk Isani)

David Brooks: The Social Animal (TED Talk, March 2011) - Tapping into the findings of his latest book, NYTimes columnist David Brooks unpacks new insights into human nature from the cognitive sciences—insights with massive implications for economics and politics as well as our own self-knowledge. In a talk full of humor, he shows how you can‘t hope to understand humans as separate individuals making choices based on their conscious awareness. http://www.ted.com/talks/david_brooks_the_social_animal.html [Editor: what a disappointment; I used to esteem Brooks, but this is trite and sophomoric—not to mention mean-spirited in his discussion of yuppie-moms. He‘s fallen such a long way – go watch instead Brooks at his best: “The Geography of American Politics”, delivered at the University of Arizona on 8 October 2003 here: ]http://www.law.arizona.edu/Events/McCormick/mccormick2004.cfm.]


The Vault (FBI, April 2011) - The Vault is our new electronic reading room, containing more than 2,000 documents that have been scanned from paper into digital copies so you can read them in the comfort of your home or office. Included here are more than 25 new files that have been released to the public but never added to this website; dozens of records previously posted on our site but removed as requests diminished; and files from our previous electronic reading room. The Vault includes several new tools and resources for your convenience. http://vault.fbi.gov/ [Editor: pretty lame – 2000 documents? Almost sounds like an April Fools joke; one of the topic headings is “Unexplained Phenomenon”, which contains a one-page 1950 memo to the Director about 3 flying saucers recovered in New Mexico.]


Harvard Law School Exams, 1871 to 1998 (Volokh Conspiracy, 4 April 2011) - This is the time during the semester in which law professors often post old exams to help students prepare for upcoming finals. Harvard Law School has done one better: It has posted all of the law school exams at Harvard from 1871 to 1998. Pretty interesting to see how exams evolved over time. http://volokh.com/2011/04/04/harvard-law-school-exams-1871-to-1998/


REBELS IN BLACK ROBES RECOIL AT SURVEILLANCE OF COMPUTERS (New York Times, 8 August 2001)—A group of federal employees who believed that the monitoring of their office computers was a major violation of their privacy recently staged an insurrection, disabling the software used to check on them and suggesting that the monitoring was illegal and unethical. This was not just a random bunch of bureaucrats but a group of federal judges who are still engaged in a dispute with the office in Washington that administers the judicial branch and that had installed the software to detect downloading of music, streaming video and pornography.


TECHNOLOGY: TRAVEL WEB SITE FACES INTENSE SCRUTINY (June 3, 2001 08:17 p.m. EDT) - Officially launching on Monday, Orbitz is probably the only Internet start-up requiring employees to attend a four-hour seminar on antitrust law. The travel Web site, which is backed by $145 million in seed money from five major airlines, faces scrutiny from rivals, consumer advocates and federal authorities. The watchfulness is only going to intensify, said chief executive Jeffrey Katz, which is why “we‘ve taken a lot of steps to make sure that we live within the bounds of the law.” Critics say Orbitz will reduce, if not eliminate, competition and pave the way for higher prices. Orbitz, which also lists vacation packages, hotel rooms and rental cars, denies the allegations. Katz said Orbitz will enhance competition by listing fares from all airlines without bias. http://www.nandotimes.com/technology/story/20212p-372327c.html