Saturday, March 09, 2013

Next Friday!
A seminar presented by the Privacy Foundation.
REGISTRATION: Contact Privacy Foundation Administrator Cindy Goldberg at or call 303.871.6628
.Seminar & lunch free for all DU Faculty, Alumni & Students. All others: Seminar/CLE ($20) or Seminar/CLE/Lunch ($40)

Could give us a look at Best(?) Practices in action.
Back in January, there were reports that Genesco might sue card issuers over their response to the firm’s malware breach in 2010. Now dmarsteller reports that Genesco has, indeed, sued VISA. The lawsuit was filed Thursday in Nashville. dmarsteller explains:
VISA later fined Fifth Third Bank and Wells Fargo $5,000 each and levied another $13.3 million in assessments, saying they were liable for the breach because they did not comply with industry-wide security standards. The banks paid, taking the money from Genesco’s accounts and assigning any recovery efforts to Genesco.
Genesco contends VISA overreacted because there was no evidence that the hackers stole any cardholder information. The retailer said regular rebooting of its computer servers erased any data before hackers could retrieve it.
Genesco also contends VISA violated its contracts with the banks by not following the required procedure before issuing the fines and assessments. The card company’s actions also are unfair business practices under California law, the suit contends.
Read more on The Tennessean.

So the court requires TSA to be suspicious before a forensic search, even if those in dissent think TSA won't know if they are suspicious or not... Note: DoJ won this case, so they will have a hard time appealing it...
Orin Kerr on today’s Ninth Circuit en banc opinion in United States v. Cotterman, a case involving border searches of laptops.
Today the Ninth Circuit announced a special rule for computer searches: Although a “review of computer files” can occur without reasonable suspicion, the “forensic examination” of a computer at the border requires reasonable suspicion because it is “akin to reading a diary line by line looking for mention of criminal activity—plus looking at everything the writer may have erased.” Here’s the key part of the analysis:
The relevant inquiry, as always, is one of reasonableness. But that reasonableness determination must account for differences in property. Unlike searches involving a reassembled gas tank, or small hole in the bed of a pickup truck, which have minimal or no impact beyond the search itself—and little implication for an individual’s dignity and privacy interests—the exposure of confidential and personal information has permanence. It cannot be undone. Accordingly, the uniquely sensitive nature of data on electronic devices carries with it a significant expectation of privacy and thus renders an exhaustive exploratory search more intrusive than with other forms of property.
After their initial search at the border, customs agents made copies of the hard drives and performed forensic evaluations of the computers that took days to turn up contraband. It was essentially a computer strip search. An exhaustive forensic search of a copied laptop hard drive intrudes upon privacy and dignity interests to a far greater degree than a cursory search at the border. It is little comfort to assume that the government—for now—does not have the time or resources to seize and search the millions of devices that accompany the millions of travelers who cross our borders. It is the potential unfettered dragnet effect that is troublesome.
We have confidence in the ability of law enforcement to distinguish a review of computer files from a forensic examination. We do not share the alarm expressed by the concurrence and the dissent that the standard we announce will prove unmanageable or give border agents a “Sophie’s choice” between thorough searches and Bivens actions.
In dissent, Judge M. Smith responds:
While I share some of the majority’s concerns about the steady erosion of our personal privacy in this digital age, the majority’s decision to create a reasonable suspicion requirement for some property searches at the border so muddies current border search doctrine that border agents will be left to divine on an ad hoc basis whether a property search is sufficiently “comprehensive and intrusive” to require reasonable suspicion, or sufficiently “unintrusive” to come within the traditional border search exception. Requiring border patrol agents to determine that reasonable suspicion exists prior to performing a basic forensic examination of a laptop or other electronic devices discourages such searches, leaving our borders open to electronicallysavvyterrorists and criminals who may hereafter carry their equipment and data across our borders with little fear of detection. In fact, the majority opinion makes such a legal bouillabaisse out of the previously unambiguous border search doctrine, that I sincerely hope the Supreme Court will grant certiorari, and reverse the holding in this case regarding the level of suspicion necessary to search electronic devices at the border, for the sake of our national security, and the consistency of our national border search law.
And Judge Callahan adds:
Regrettably the majority, dispensing with these wellsettled, sensible, and binding principles [from Supreme Court caselaw], lifts our anchor and charts a course for muddy waters. Now border agents, instead of knowing that they may search any and all property that crosses the border for illegal articles, must ponder whether their searches are sufficiently “comprehensive and intrusive,” to require reasonable suspicion, and whether they have such suspicion. In most cases the answer is going to be as clear as, well, mud. We’re due for another course correction.
Read Orin’s commentary on The Volokh Conspiracy.

Also interesting...
"Ars Technica reports that the Obama Administration has filed a brief in support of a Maryland photojournalist who says he was arrested and beaten after he took photographs of the police arresting two other men. The brief by the Justice Department argues that the U.S. Constitution protects the right to photograph the actions of police officers in public places and prohibits police officers from arresting journalists for exercising those rights. [What about us second class (non-journalist) citizens? Bob] Context: 'Garcia says that when Officer Christopher Malouf approached him, Garcia identified himself as a member of the press and held up his hands to show he was only holding a camera. But Malouf "placed Mr. Garcia in a choke hold and dragged him across the street to his police cruiser," where he "subjected him to verbal and physical abuse." According to Garcia's complaint, Malouf "forcibly dragged Mr. Garcia across the street, throwing him to the ground along the way, inflicting significant injuries." Garcia says Malouf "kicked his right foot out from under him, causing Mr. Garcia to hit his head on the police cruiser while falling to the ground." Garcia claims that Malouf took the video card from Garcia's camera and put it in his pocket. The card was never returned. Garcia was charged with disorderly conduct. In December 2011, a judge found Garcia not guilty.'"

Another resource...
Thanks to Danielle Citron, who reminds us that the 2013 edition of Dan Solove and Paul Schwartz’s Privacy Law Fundamentals is out now.

Google will soon settle with the attorneys general representing more than 30 U.S. states over its Street View cars collecting data from unsecured Wi-Fi networks, multiple sources said.
Google is to pay $7 million, to be distributed among the attorneys general, according to a person familiar with the matter. That person said the agreement is close to being finalized, and should be announced early next week.
Read more on AllThingsD
If people are using unsecured WiFi, I’m not sure Google should be paying anything at all. Don’t users assume some risk or responsibility for the risk if they’re using unsecured WiFi? [Not if it's election season... Bob]

(Related) Is this court recognizing the “Streisand Effect?”
A Wisconsin woman trying to protect her “wholesome” image failed to persuade a federal appeals court to hold Google Inc liable because searches for her name could lead people to advertisements for drugs to treat sexual dysfunction.
The 7th U.S. Circuit Court of Appeals in Chicago said on Wednesday Beverly Stayart did not show that Google violated Wisconsin privacy laws by misusing her name to generate advertising revenue.
Read more on Business Insider.
[From the article:
Stayart claimed that a search for "bev stayart" on the world's largest search engine generates a recommended search for "bev stayart levitra," which can direct users to websites that offer treatments for male erectile dysfunction.
… Circuit Judge Ann Claire Williams wrote that the search "bev stayart levitra" was a matter of public interest because Stayart had made it one by suing Google, and by previously suing rival Yahoo Inc over similar claims, which she lost.
The case is Stayart v. Google Inc, 7th U.S. Circuit Court of Appeals, No. 11-03012

Raises a couple of questions. Shouldn't the schools be thinking of this rather than Microsoft? How expensive will Microsoft's Cloud be if they forgo advertising revenue?
An anonymous reader points out a story at The Register about a Microsoft-backed bill proposed by Massachusetts state representative Carlo Basil which seems aimed directly at Google's cloud apps. The bill, if it should be enacted, would require that
"[a]ny person who provides a cloud computing service to an educational institution operating within the State shall process data of a student enrolled in kindergarten through twelfth grade for the sole purpose of providing the cloud computing service to the educational institution and shall not process such data for any commercial purpose, including but not limited to advertising purposes that benefit the cloud computing service provider."

This is why you only go to these sites using your “.edu” accounts... (Why would they want all the IP addresses?)
"Notorious copyright troll Prenda Law has sent a subpoena to WordPress attempting to force the disclosure of all IP addresses related to two WordPress-hosted sites that specialize in monitoring and encouraging action against copyright trolling. The sites in question are and These sites state their aims as: 'To keep the public and fellow victims informed and to ensure that through activism, trolls make as little money as possible.' These are goals which almost anyone (bar a copyright troll, or lawyer acting for one) might well applaud. Prenda Law's demand is not for a subset of addresses that might have posted in a manner that could be construed as legally defamatory but for all IP addresses that have accessed these sites, irrespective of the use made of them. Prenda Law has filed three defamation lawsuits already against the individuals who run Fightcopyrighttrolls, and one has been dismissed (PDF). Dietrolldie released the following warning: 'As there is a possibility that a release could occur, the public IP address (date/time stamp) could fall into the hands of Prenda. I would expect that they would then try to cross-reference the IP address with their list of alleged BitTorrent infringement IP addresses ... If you have ever gone to this site or since 1 January 2011, you may want to contact WordPress. Tell them you want them to refuse this overly broad request and at least wait until the issue of the case being moved to the Federal court is answered before releasing any information.'"

Another IP article... Looks like they are assuming the right to resell does not exist!
"The New York Times reports that Apple and Amazon are attempting to patent methods of enabling the resale of digital items like e-books and MP3s. Establishing a large marketplace for people to buy and sell used digital items has the potential to benefit consumers enormously, but copyright holders aren't happy. Scott Turow, president of the Authors Guild, 'acknowledged it would be good for consumers — "until there were no more authors anymore."' But would the resale of digital items really be much different than the resale of physical items? Or is the problem that copyright holders just don't like resale?"

For my students, but I wonder what percentage will actually protect themsleves...
March 08, 2013
EFF- How To Opt Out of Receiving Facebook Ads Based on Your Real-Life Shopping Activity
EFF: "Facebook has announced that it’s teaming up with four of the world’s largest corporate data brokers to “enhance” the ad experience for users. Datalogix, Epsilon, Acxiom, and BlueKai obtain information gathered about users through online means (such as through cookies when users surf the web) as well as through offline means (such as through loyalty cards at supermarkets and product warranty cards). Through the new relationship with Facebook, companies will be able to display advertisements to Facebook users based on data that these data brokers have on individuals... We recommend you use a tool such as Ghostery (now available on Firefox, Safari, Chrome, Opera and Internet Explorer) or Abine's DoNotTrackMe (available in Firefox, Safari, Chrome and Internet Explorer) or AdBlockPlus with EasyPrivacy Lists. See more comprehensive instructions in our 4 Simple Changes to Stop Online Tracking."

The future of the “book”
Army’s First Interactive iPad Book Lets You Finger-Swipe Through Afghanistan
The Army has no shortage of battlefield maps. But until Friday, it didn’t have many that animate troop movements or enemy positions at the touch of a fingertip. Now, explains Command Sgt. Major Joe B. Parson, Jr., “if I flick a finger, you don’t change the page, you change the picture.”
That’s the added value of Vanguard of Valor, a platoon-level recent history of the Afghanistan war published by the Army’s Combined Arms Center at Fort Leavenworth, Kansas, part of the ground force’s brain trust. There’s a musty paper edition. But the Army’s more excited about the iPad edition that debuted on Friday in the iTunes store.
Vanguard of Valor is primarily a teaching tool, meant to instruct the mid-career officers who pass through the Center about the lessons learned from years of grueling war in Afghanistan. The enhanced iPad edition is a step up from previous Army digitized books: It’s the first immersive, interactive Army e-book, replacing the simple PDF-style scans with dynamic animations of the warzone. Maps shift, videos load, audio plays and pictures scroll to complement the text.

I like lists, even those in slideshow formats...
Friday, March 8, 2013
Best of the Web 2013 - Updated
This morning at NCTIES 2013 I gave an updated version of my Best of the Web presentation. As promised to everyone in the room, I've uploaded the slides to Slideshare. You can view them on Slideshare

This could be a useful tool in my website class...
See a quick table of contents for any page on the web. HTML5 Outliner is a simple Chrome extension you can click anytime to see an outline for most pages. Using the document outlining algorithm in HTML5, this plugin gives you a quick outline for almost any page – even some that don’t use HTML5.

Friday, March 08, 2013

Your government at work odds.
… So did the OIG get their findings wrong? If so, that’s a pretty big mistake that would make me question whether the OIG is competent to really investigate IT security.
You can read the full report here.

20,000 complaints from 180,000,000 texts... Why so few?
"The Federal Trade Commission today said it has filed eight court cases to stop companies who have sent over 180 million illegal or deceptive text messages to all manner of mobile users in the past year. The messages — of which the FTC said it had received some 20,000 complaints in 2012 — promised consumers free gifts or prizes, including gift cards worth $1,000 to major retailers such as Best Buy, Walmart and Target."

Another case of “We haven't really thought about it...” Has anyone compiled “Best Practices?”
The Information Commissioner’s Office (ICO) says many employers “appear to have a laissez faire attitude” to allowing staff to use their personal devices for business, which may be placing people’s personal information at risk.
ICO commissioned YouGov to question 2,150 UK adults, which found that almost half (47 percent) now use their personal smartphone, laptop or tablet for work purposes.
But less than three in ten who do so are provided with guidance on how their devices should be used in this capacity, “raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices”, said the ICO.
Read more on Computerworld UK. You can find the survey here and ICO’s guidance here.

We are not second class citizens, we are not the enemy, we are not al Qaeda... What kind of threat to the government are we?
House orders Pentagon to disclose domestic drone use
The U.S. House of Representatives voted yesterday to require the Defense Department to disclose whether military drones are being operated domestically to conduct surveillance on American citizens.
A requirement buried in a lengthy appropriations bill calls on newly confirmed Defense Secretary Chuck Hagel to disclose to Congress what "policies and procedures" are in place "governing the use" of military drones or other unmanned aerial vehicles (UAVs) domestically. The report is due no later than 90 days after the bill is signed into law.

Something to scare my Intro to IT students with...
Data companies are scooping up enormous amounts of information about almost every American. They sell information about whether you’re pregnant or divorced or trying to lose weight, about how rich you are and what kinds of cars you have.
Regulators and some in Congress have been taking a closer look at these so-called data brokers — and are beginning to push the companies to give consumers more information and control over what happens to their data.
But many people still don’t even know that data brokers exist.
Here’s a look at what we know about the consumer data industry.
Read the report on ProPublica, then email it to all of your friends and family. Hell, print it out, take it to Staples, run a gadzillion copies, and hand it out to everyone you see. Maybe then people will wake up to what’s really going on.

Texas is doing this?
Privacy experts say that a pair of new mobile privacy bills recently introduced in Texas are among the “most sweeping” ever seen. And they say the proposed legislation offers better protection than a related privacy bill introduced this week in Congress.
If passed, the new bills would establish a well-defined, probable cause-driven warrant requirement for all location information. That’s not just data from GPS, but potentially pen register, tap and trace, and tower location data as well.
Read more on Ars Technica.

Oh look, a new pedophile facilitation bill! The bill requires “proper identification” so I'm sure we'd never hear, “Hello, I'm little Sally's Dad. Send me everything...”
California Assemblywoman Nora Campos proposed a bill a few weeks ago, AB 319, that would expand things so much that any sites that collect any information about anyone under the age of 18 would be required under law to reveal that personal information to parents if requested.
Now, think about that for a second. Since this is for any kids up to 18, we’re talking about most of the teenage years for most kids. These are the years in which many teens rebel against their parents, which is, in many ways, a natural part of growing up and becoming an independent adult. To think that parents should be able to find out information directly from various sites about their kids’ use of those sites seems incredibly problematic.
Read more on TechDirt while I debate whether I should add a category for “The road to Hell” legislation….

Post hoc ergo propter hoc? Even if they were involved in 4% of all Internet traffic, this is quite difficult to believe. But the source of the study is above reproach, isn't it? Note that they did not look at data from before the shutdown. Was revenue growing that fast before? Is it still growing that fast? If 15,000 out of 50,000,000 users (0.03%) were sharing movies, does that justify the shutdown? Also: This doesn't read like a WSJ article. The writing isn't as good as normal. What's going on here?
MegaUpload's closure boosts movie rentals and sales
… A new study by Carnegie Mellon's Initiative for Digital Entertainment Analytics shows that after MegaUpload's closure online movie revenue increased by between 6 percent and 10 percent, according to the Wall Street Journal. The study researched two major movie studios and the results were measured in 12 different countries, including the U.S.
"We conclude that shutting down MegaUpload and Megavideo caused some customers to shift from cyberlocker-based piracy to purchasing or renting through legal digital channels," the study's researchers told the Wall Street Journal.
… MegaUpload was one of the most popular video destinations on the Web, with reportedly 50 million users per day that shared and streamed files.
… The Carnegie Mellon study looked at digital transactions in the four months after the cyberlocker was shut down. What it found was that the weekly digital sales of movies from the two studios grew by between 10,500 and 15,300 units, according to the Wall Street Journal. Additionally, rentals also increased by between 13,700 and 24,000 units a week.
[From the WSJ Article:
Information from the two studios came through Carnegie Mellon's Initiative for Digital Entertainment Analytics, which Mr. Smith co-directs and which receives unrestricted funding from the Motion Picture Association of America. However, the researchers didn't receive any funding for their study from the Initiative or the MPAA.
[The paper:

A business model to emulate? Combining two legal services to drive the RIAA and the MPAA over the edge...
Aereo TV: Barely Legal By Design
In a post yesterday, I mentioned Aereo TV, a new Barry Diller-backed business launched last year, calling it an example of a start-up that is "barely legal by design." Since the courts are about to make a ruling that will profoundly affect its prospects, it might interest you to learn more about how its entire business is engineered to exploit existing copyright law.
First, this service takes full advantage of unchallenged U.S. law that makes over-the-air television free to anyone who puts up an antenna and connects it to a receiving device. Unlike countries such as the U.K., for example, the U.S. has no television license tax. Broadcasters in the U.S. make their money based on advertising, plain and simple.
Second, it relies on the seminal 1984 Sony Betamax case, in which the U.S. Supreme Court ruled that using a home videocassette recorder to "time shift" programming received over the air for later viewing did not violate copyright law. Even though the VCR was technically making a copy of the program without a license to do so, the Court found that copying fit into a narrow exception to the otherwise exclusive rights of the copyright holder — an exception known as a "fair use."

Only n California. “No one wants to use the local post office, so we should implement a national tax to support it!”
"The Berkeley, CA city council recently met to discuss the closing of their downtown post office, in attempt to find a way to keep it from relocating. This included talk of 'a very tiny tax' to help keep the U.S. Post Office's vital functions going. The suggestion came from Berkeley City Councilman Gordon Wozniak: 'There should be something like a bit tax. I mean a bit tax could be a cent per gigabit and they would still make, probably, billions of dollars a year And there should be, also, a very tiny tax on email.' He says a one-hundredth of a cent per e-mail tax could discourage spam while not impacting the typical Internet user, and a sales tax on Internet transactions could help fund 'vital functions that the post office serves.' We all know an e-mail tax is infeasible, and sales tax for online purchases and for digital purchases are likely unavoidable forever, but here's hoping talk of taxing data usage doesn't work its way to Washington."

Something for the reading pile... Another view of the pending “Cyber Pearl Harbor?”
Cybersecurity - A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges, GAO-13-462T, Mar 7, 2013

My day is made!
Breakfast beer causes controversy
Brewed by the Black Isle brewery in Ross-shire, Scotland, the beer has been defended by the brewery owner, David Gladwin, as being for “people who appreciate what they are drinking.”
The brewery described the beer on its website: “We think everyone can agree that good beer should have good flavour, aroma and body.
… The brewery stressed that the name “breakfast beer” was more to suggest its suitability for drinking at any time and not specifically breakfast.

Thursday, March 07, 2013

Small, and perhaps so common that they don't make in into the local newpapers.
HHIS updated its breach tool this week, adding a baker’s dozen of incidents. Significantly, 6 of the 13 involved stolen laptops while 3 others involved theft or loss of electronic devices.
Two of the 13 incidents were already known through either media coverage or reports to a state’s attorney general. In both cases, HHS’s breach tool disclosed the number of patients affected, which neither entity had done in their disclosures to media or patients:
  • Heyman HospiceCare at Floyd reported a laptop theft previously noted here. According to their disclosure to HHS, 1,819 patients had information on the stolen laptop.
  • Crescent Health Inc. – a Walgreens Company reported computer theft that affected 109,000. It’s not clear from HHS’s entry whether the 109,000 refers to patients and employees, or just patients, as both patients and employees were impacted by this breach.
I did some digging to find details for the reports where we had no previous information:
  • County of San Bernardino Department of Behavioral Health reported that limited information on 683 clients was contained in documents stolen from a County of San Bernardino Department of Human Services‘ employee’s car on January 12. The information included names, dates of birth, DBH medical record number, and indication that services were provided by DBH.
  • Catoctin Dental (Richard B. Love, D.D.S., P.A.) reported that 6,400 patients had information on a server hacked from overseas. In a February 22nd notification to patients, they write that name, address, date of birth, phone number, social security number, dental plan information, photographs and radiographic images, and some personal health information may have been accessed, as well as less than 100 e-mail addresses. In a subsequent letter, however, they note that forensics indicated that the data had neither been stolen nor read.
  • Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation in Massachusetts reported that 716 patients had information on a “portable electronic device” that was stolen between December 15 and December 17, 2012. A statement on their web site indicates that the information was on backup tapes in a safe that was stolen during an office burglary. Some of the information on the tapes included name, diagnosis, social security number, medications, Medicaid number, and other clinical information. Note that this was Kindred’s third office burglary involving theft of safes containing backup tapes. I blogged about two similar incidents they had here. I hope law enforcement and HHS are investigating how this chain had three similar breaches in less than one year.
  • Center for Pain Management, LLC in Maryland reported that 5,822 patients had information on two laptops stolen on January 22. According to a notice on their web site and patient notification letter, the laptops were stolen from their Rockville office and contained patients’ visit and procedure notes with names, dates of birth, medical history, medical diagnoses, and procedures performed, such as injections.
  • HomeCare of Mid-Missouri, Inc. reported that 4,027 patients had information on a laptop stolen on December 14. A copy of their February 14th notification letter on their web site indicates that it was stolen while being transported between the office and home care visits. Patient information on the laptop included names, dates of birth, Social Security numbers, addresses and phone numbers, and a description of services provided by the agency.
In Part 2, I’ll describe the other newly disclosed breaches. I’m just waiting for responses to some inquiries I sent out to see if I can get additional details on those incidents. Please check the site for the Part 2 post later today.


Sometimes concerns arrive before the warnings.
Although the HIPAA Omnibus Rule is a step in the right direction for protecting health information, the regulation still leaves large privacy gaps, says patient advocate Deborah Peel, M.D.
HIPAA Omnibus finally affirmed that states can pass laws that are tougher than HIPAA, and that’s really good news because HIPAA is so full of flaws and defects that we are concerned that what is being built and funded will not be trusted by the pubic,” Peel says in an interview with HealthcareInfoSecurity during the 2013 HIMSS Conference.
You can listen to the interview here.

Lawyers trying to automate the practice of law? (Moer likely, read these and see why you should hire a lawyer...)
Your Startup’s Legal Docs: Now on GitHub
GitHub is fast becoming the home of open source software development, but lawyers can use it too.
Nearly a year ago, Twitter Lawyer Benjamin Lee posted Twitter’s groundbreaking Innovators Patent Agreement to the social coding website, where it immediately received a few typo fixes and minor modifications.
Now one of Silicon Valley’s star legal firms, Fenwick & West, is posting a set of legal documents to GitHub that startups can use when lining up their first stage of venture funding. The 30 pages of “Series Seed” documents have been available in open source form for several years, but these days it only makes sense to share them on GitHub, which has become a standard tool for Silicon Valley startups, says Ted Wang, the Fenwick & West partner who released the docs.

Comparable to suing the NSA here. Should be most interesting...
"A Court of Appeal judgement released today has ruled in favor of Kim Dotcom and will let him sue the Government Communications Security Bureau (GCSB) alongside New Zealand Police. During the High Court case, it emerged that the GCSB had been illegally spying on Dotcom prior to the raid on his Coatesville mansion, on behalf of the FBI, who now wants the Megaupload millionaire extradited to face trial in the US over copyright infringements."

Completely unrelated.... Catch 22 spreads!
Feds Demand Dismissal of Dragnet-Surveillance Challenge
Citing week-old Supreme Court precedent, the President Barack Obama administration told a federal judge Wednesday that it should quash a federal lawsuit accusing the government of secretly siphoning Americans’ electronic communications to the National Security Agency without warrants.
The San Francisco federal court legal filing was in response to U.S. District Judge Jeffrey White’s written question (.pdf) to the government asking what to make of the high court’s Feb. 26 decision halting a legal challenge to a once-secret warrantless surveillance project that gobbles up Americans’ electronic communications — a program that Congress eventually legalized in 2008 and again in 2012.
In that case, known as Clapper, the justices ruled 5-4 that the American Civil Liberties Union, journalists and human-rights groups that sued to nullify the FISA Amendments Act had no legal standing to sue. The justices ruled (.pdf) the plaintiffs submitted no evidence they were being targeted by that law.

So was it mearly a trial ballon or did they actually want to do this?
"Bowing to significant unfriendly customer feedback regarding its new 'no transfer' license for Office 2013, Microsoft has reconsidered and will now allow Office 2013 licenses to be transferred between computers. Actual license language will not be reflected for a few months for shipped products, but Microsoft will allow transfer of license effective immediately. Calls to customer support will be necessary, as the activation servers won't be updated for a few months."

Perspective. When we start mining “Big Data” we're going to need big shovels...
"Virgin Atlantic is preparing for a significant increase in data as it embraces the Internet of Things, with a new fleet of highly connected planes each expected to create over half a terabyte of data per flight. IT director David Bulman said: 'The latest planes we are getting, the Boeing 787s, are incredibly connected. Literally every piece of that plane has an internet connection, from the engines, to the flaps, to the landing gear. If there is a problem with one of the engines we will know before it lands to make sure that we have the parts there. It is getting to the point where each different part of the plane is telling us what it is doing as the flight is going on. We can get upwards of half a terabyte of data from a single flight from all of the different devices which are internet connected.'"

Wednesday, March 06, 2013

Several questions based on poor reporting(?) It is difficult to judge the size (three feet wide) of an object given nothing to compare against. It could have been larger and farther away or smaller and closer. Does the report of “four propellers” suggest one of the “quad helicopters” or an airplane like a B29? But if it was a “black” helicopter, flying at “1750 feet” perhaps wiser pilots “didn't see it” because they saw what it was...
An Alitalia passenger jet pilot said he saw a drone over Brooklyn on Monday. Whether it’s true or not — the Federal Aviation Administration is investigating — we are going to be hearing more and more about drones in American skies.
I predicted two things about drones in an online essay for Stanford Law Review in December 2011. Those predictions turned out to be true. But there was something I didn’t see coming.
Read more on CNN.
[From the first CNN article:
The FBI expanded on the FAA report, saying in a statement that the Alitalia flight from Rome was roughly three miles from runway 31R when the incident occurred at an altitude of approximately 1,750 feet.
The unmanned aircraft, described by the FBI as black and no more than three feet wide with four propellers, came within 200 feet of the Boeing jetliner.

(Related) OR it could have been one of these, bouncing off the windshield...
"If you've ever watched a fly trying to find its way around a house, you might have noticed that it didn't take a particularly graceful approach – it probably bounced off a lot of windows and walls, until by process of elimination, it found a route that was clear. Well, researchers at Switzerland's EPFL Laboratory of Intelligent Systems are taking that same approach with the latest version of their autonomous AirBurr UAV – it's built to run into things, in order to map and navigate its environment."

Good news/bad news If you can predict them, you can suppress them. Good for Computer Security majors, not so good for people living under repressive governments...
This Research Paper Explains How to Predict the Next Arab Spring and Cyber Attacks
“Specific triggers for how and when instability would lead to the collapse of various regimes cannot always be known and predicted … We are not clairvoyant.”
—James Clapper, director of national intelligence, explaining to a congressional committee in February 2011 that he believed U.S. intelligence agencies had done the best they could to track the Arab Spring protests. [Believed or accepted... Bob]
… In a paper (PDF) released late last year, “Proactive Defense for Evolving Cyber Threats,” Sandia researchers Richard Colbaugh and Kristin Glass outline a computer model that they claim can monitor the Internet to identify volatile situations weeks before they go south—with “perfect accuracy.”

… very broad strokes. Why? If it was exactly 2471 requests, what impact would that number have on National Security or any individual investigation?
From Google’s blog today:
.. When conducting national security investigations, the U.S. Federal Bureau of Investigation can issue a National Security Letter (NSL) to obtain identifying information about a subscriber from telephone and Internet companies. The FBI has the authority to prohibit companies from talking about these requests. But we’ve been trying to find a way to provide more information about the NSLs we get—particularly as people have voiced concerns about the increase in their use since 9/11.
Starting today, we’re now including data about NSLs in our Transparency Report. We’re thankful to U.S. government officials for working with us to provide greater insight into the use of NSLs. Visit our page on user data requests in the U.S. and you’ll see, in broad strokes, how many NSLs for user data Google receives, as well as the number of accounts in question. In addition, you can now find answers to some common questions we get asked about NSLs on our Transparency Report FAQ.

Let's hope that at some point we can get ahead of those who want to capture and sell personal information. (No, I don't think so either.)
Facebook users became much more protective about who sees sensitive information about them, even as they were urged to share more about themselves on the social network, according to an unusual seven-year study by researchers at Carnegie Mellon University.
Read more on New York Times.
The study was published in Journal of Privacy and Condentiality (2012) 4, Number 2, 7-41:
Fred Stutzman, Ralph Gross, Alessandro Acquisti
Abstract. Over the past decade, social network sites have experienced dramatic growth in popularity, reaching most demographics and providing new opportunities for interaction and socialization. Through this growth, users have been challenged to manage novel privacy concerns and balance nuanced trade-offs between disclosing and withholding personal information. To date, however, no study has documented how privacy and disclosure evolved on social network sites over an extended period of time. In this manuscript we use prole data from a longitudinal panel of 5,076 Facebook users to understand how their privacy and disclosure behavior changed between 2005 — the early days of the network — and 2011. Our analysis highlights three contrasting trends. First, over time Facebook users in our dataset exhibited increasingly privacy-seeking behavior, progressively decreasing the amount of personal data shared publicly with unconnected proles in the same network. However, and second, changes implemented by Facebook near the end of the period of time under our observation arrested or in some cases inverted that trend. Third, the amount and scope of personal information that Facebook users revealed privately to other connected proles actually increased over time — and because of that, so did disclosures to “silent listeners” on the network: Facebook itself, third-party apps, and (indirectly) advertisers. These findings highlight the tension between privacy choices as expressions of individual subjective preferences, and the role of the environment in shaping those choices.

Can we extend the Second Amendment to cars or are we doomed to abandon the right to drive into one another at high speed so the government can assume yet more control? I expect this to happen by 2050 – faster if Google's lobbyists are as good as I think they are.
Cars will soon be so linked into wireless networks they will be like giant rolling smartphones — with calling systems, streaming video, cameras and applications capable of harnessing the unprecedented trove of data vehicles will produce about themselves and the humans who drive them.
The battle over who can access all this data is an awkward undercurrent amid recent announcements by car manufacturers touting their new, Internet-capable vehicle systems.
Read more on Star Tribune.

I'll use this example in my classes from now on...
“That’s some catch, that Catch-22,” he observed.
“It’s the best there is,” Doc Daneeka agreed.
Joseph Heller was writing about crazy times. The setting is World War II and flying dangerous missions over Europe has taken its toll on American pilots. Many are so compromised psychologically that they probably shouldn’t be in the cockpit. And yet none who ask will be grounded: “Anyone who wants to get out of combat duty,” after all, “isn’t really crazy.”
Last week the Supreme Court issued its opinion in Clapper v. Amnesty International, a challenge to the surveillance law that afflicts our crazy times.
Read more on The Atlantic.

Riffs on the Executive Order, but I not sure it “dumbs it down” enough for congress to understand...
March 05, 2013
The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress
  • "The federal role in cybersecurity has been a topic of discussion and debate for over a decade. Despite significant legislative efforts in the 112th Congress, no major legislation on this topic has been enacted since the Federal Information Security Management Act (FISMA) in 2002, which addressed the security of federal information systems. In February 2013, the White House issued an executive order designed to improve the cybersecurity of U.S. critical infrastructure (CI). Citing repeated cyber-intrusions into critical infrastructure and growing cyberthreats, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, attempts to enhance security and resiliency of CI through voluntary, collaborative efforts involving federal agencies and owners and operators of privately owned CI, as well as use of existing federal regulatory authorities."

OR we could drop all the unwanted phonebooks around our local politician's house! If they can't get to work, they can't screw anything else up...
"Seattle will soon shut down its popular phonebook opt-out website as a result of a costly settlement with Yellow Pages publishers. Going forward, the only way to stop unwanted phonebook deliveries will be to visit the industry's opt out site and provide them with your personal information. They will share it with their clients, most of whom are direct marketing agencies, who in turn commit not to use it improperly. The Federal Court of Appeals ruled in October that The Yellow Pages represent protected free speech of corporations (including Canada's Yellow Media Inc.); defending and settling the lawsuit cost Seattle taxpayers $781,503. The city said the program's popularity led to a reduction of 2 million pounds of paper waste annually."

A pittance...
EU Fines Microsoft $732 Million
BRUSSELS—Microsoft Corp. has been hit with a €561 million ($732.2 million) fine by European Union regulators after it broke its promise to offer millions of users of its Windows system a choice of rival Web browsers.

Think of it as a mini-Infographic...
Find Out If You’re An Average Facebook User With This Image

Potentially useful teaching stuff...
Tuesday, March 5, 2013
Four Good Alternatives to Clicker Systems
Socrative is my favorite tool for collecting anonymous feedback from students. Socrative uses cell phones and or laptops (user's choice) for gathering feedback from students. You can post as many questions as you like in a variety of formats.
Poll Everywhere is a service that allows you to collect responses from an audience via text messaging. [Very limited free plan Bob]
Mentimeter allows you to pose a question to your audience and get instant feedback on that question through cell phones, tablets, and any other Internet-connected device.
Infuse Learning is a free student response system that works with any Internet-connected device including iPads and Android tablets.

Collecting several useful Apps on one machine... Don't we all do that already?
The Amplify Tablet: A Device Custom Made For Teachers And Students
Just moments ago at SXSWedu, the edtech startup Amplify unveiled a new tablet.
… the Amplify tablet is specifically built for classrooms. Here are the bullet points to know about:
  • The teacher has the ability to monitor everything happening on the rest of the tablets in the classroom.
  • The tablet features content from Khan Academy, CK-12, Google Apps, EverFi and Desmos, and gives teachers the ability to monitor how students use the device.

Free music... There might even be something good in there...
Get 100 free MP3s from SXSW 2013
… As part of its SXSW: Live from Austin series, NPR is offering The Austin 100 -- a collection of 100 songs by 100 artists, all in MP3 format, all absolutely free.

Tuesday, March 05, 2013

Interesting that there is not a “Best Practices” website to guide you through this process. Think there would be a market for such a beast?
What to Do After You’ve Been Hacked
Evernote became the latest member of the “we’ve been hacked” club. And the thing is, what was once a pretty exclusive club now lets just about everyone in these days. I’m a member too. And as I discovered when I was hacked last year, my experience was distressingly commonplace. And yet while being hacked may be increasingly familiar, it isn’t getting any less stressful or confusing. It’s hard to know what to do, or where to begin, immediately afterward.
Whether you were hacked, phished, had malware installed or just don’t know what the heck happened but there’s somebody all up in your e-mail, here are a few good first steps to take following an incident. This is by no means comprehensive, but it’s a good start.

Yesterday, a court said the exact opposite (of course, lawyers would claim that it wasn't “exact” and for $450 per hour they would be happy to spend a few days telling you why that should be obvious.)
Two opinions issued by courts today:
In United States v. Wahchumwah, the Ninth Circuit Court of Appeals affirmed a lower court ruling that an undercover agent’s warrantless use of a concealed audio-video device in a home into which he has been invited by a suspect does not violate the Fourth Amendment. EFF had filed an amicus brief in that case that did not persuade the panel:
Finally, we reject amicus Electronic Frontier Foundation’s contention that the audio-video recording here was similar to the prolonged visual surveillance in United States v. Jones, 132 S. Ct. 945 (2012). The Jones Court rested its holding on the government’s physical trespass on Jones’s property, rather than the government’s prolonged surveillance.2 Id. at 949. Moreover, the GPS device in Jones enabled constant surveillance of a vehicle over a period of twenty-eight days, id. at 948, whereas the recording by Agent Romero lasted for only a few hours and for no longer than Romero remained an invited guest in Wahchumwah’s home.
In a footnote, they add:
Although amicus Electronic Frontier Foundation argues that Wahchumwah can show a Fourth Amendment violation under the trespass theory articulated in Jones, Wahchumwah did not raise this argument in the briefs he filed with our court. Generally, arguments not raised in a
party’s opening brief are deemed waived, Smith v. Marsh, 194 F.3d 1045, 1052 (9th Cir. 1999), and the court will not consider arguments raised only in amicus briefs. See Chaker v. Crogan, 428 F.3d 1215, 1220 (9th Cir. 2005). Because Wahchumwah has not argued that a Fourth Amendment violation under the trespass theory articulated in Jones occurred in this case, that issue is not properly before us, and we express no opinion concerning it.
Meanwhile, over in the 10th Circuit, in United States v. Barajas, the court affirmed a lower court ruling admitting evidence from GPS pinging obtained under a warrant, even though the affidavit supporting the probable cause warrant neither asked for, nor directly addressed any request for GPS pinging. It appears to be another one of those cases where the good-faith exception enables the court to avoid deciding whether evidence should be suppressed.
I’m not sure I really follow all of their reasoning, but I found this part of the opinion interesting:
Mr. Barajas suggests the agents knew or should have known the order was invalid because they knew (1) that GPS data is not typically intercepted pursuant to a wiretap order; and (2) that the affidavit did not request GPS data. Aplt. Br. 30; Aplt. R. Br. 30. We disagree.
First, we have no reason to believe the government cannot obtain GPS data through a wiretap order. Assuming pinging is a search, the burden to obtain GPS data would be no greater than a wiretap—probable cause. But even if Mr. Barajas is correct, he cannot show the agents were on notice of this fact because the law on electronic surveillance is very much unsettled. See In re Application of U.S. for an Order Directing a Provider of Electronic Commc’n Serv. to Disclose Records to the Gov’t, 620 F.3d 304, 310 n.6, 311 (3d Cir. 2010) (noting the debate among courts on the procedure for electronic surveillance and taking “no position whether a request for GPS data is appropriate under a § 2703(d) order”); see also Henderson, 595 F.3d at 1202 (officers acted in good-faith when relying on an affidavit based on a standardized form the court later determined did not establish probable cause); United States v. Rowland, 145 F.3d 1194, 1207 (10th Cir. 1998) (applying the good-faith exception to an anticipatory warrant when the law was unsettled). The agents’ knowledge of the gap between the affidavit and the order gives us more pause, but we cannot say this gap was intentional.
Yet another reason for Congress to resolve some of these controversial questions.

How to “Big Brother” a Guide for those who speak Gobbledygook...
Department of Homeland Security, Privacy Office
2012 Data Mining Report to Congress February 2013
You can access the report here (pdf).
If it were on Amazon, I can just imagine the review: “Chock-full of government-speak, this report is a must-read for acronym lovers everywhere!”
And not for nothing, but yesterday, during the Location Tracking and Biometrics conference, Judge Kozinski asked what prevents the government from purchasing commercial databases that companies like Experian sell access to. The answer is “nothing.” Read the DHS report section on Analytical Framework for Intelligence (AFI), which begins on p. 17 of the report.

(Related) Unfortunately, DHS has to counter clear, unambiguous language...
March 04, 2013
EPIC Prevails in Social Media Monitoring FOIA Suit
"EPIC has obtained a court order and an opinion in a Freedom of Information Act lawsuit against the Department of Homeland Security, requiring the agency to turn over more documents about the monitoring of social media and Internet media organizations. EPIC had previously obtained several hundred pages of documents, revealing that the agency monitors the internet for reports that “reflect adversely” on the agency or the federal government. EPIC also obtained a list of very broad search terms used by the agency to monitor social media. As a result of EPIC’s findings, Congress held a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." For more information see: EPIC: EPIC v. Department of Homeland Security: Media Monitoring."

The Italian courts appear a bit more functional than the government...
Peter Fleischer, understandably basking in a post-acquittal glow, writes:
Just before Christmas, an Italian Appeals Court over-turned the convictions of three Googlers, including myself, for allegedly violating Italian privacy law. Now, after roughly 2 months, the Court has issued its written opinion to explain its decision. The Court’s opinion is a lucid and ringing endorsement of the principles Google and I have been defending since the beginning of this prosecution 6 years ago:
  • Intermediary Liability: The Court held that Internet platforms, like Google Video or YouTube, are not responsible for user-uploaded content, absent notice of inappropriate content. These platforms also cannot—and should not—be required to pre-screen content that is uploaded to them. Any efforts to pre-screen content would raise serious risks to users’ freedom of expression. In the Court’s own words: “Imposing a duty on or granting the power to, an internet provider to carry out prior screening seems to be a step that is to be afforded particularly careful consideration, given that it is not entirely free of risk due to the possibility of a conflict arising with the principles of freedom of expression of thought”.
  • Privacy: The Court held that people who film and upload videos are responsible for compliance with data privacy laws. Internet platforms cannot possibly obtain the consent of people appearing in user-uploaded videos. In the words of the Court: ”it is patently clear that any assessment of the purpose of an image contained in a video, capable of ascertaining whether or not a piece of data is sensitive, implies a semantic, variable judgement which can certainly not be delegated to an IT process“. [Would a summary of laws that impact uploaded video or images be a worthy Law School student paper? Bob]
  • Criminal Responsibility: The Court recognized the basic legal principle that employees like me could not have the required criminal intent to violate data privacy laws when they had nothing to do with, and weren’t even aware of, the alleged criminal data privacy violation.
Read more on his blog.
Mark Eckenwiler points us to the opinion (in Italian): ttp://

For my Ethical Hackers and Computer Security students.
March 04, 2013
EFF Surveillance Self Defense - Secure Deletion
"Secure deletion involves the use of special software to ensure that when you delete a file, there really is no way to get it back again. When you "delete" a file — for instance, by putting the file in your computer's trash folder and emptying the trash — you may think you've deleted that file. But you really haven't. Instead, the computer has just made the file invisible to the user, and marked the part of the disk drive that it is stored on as "empty," meaning that it can be overwritten with new data. But it may be weeks, months, or even years before that data is overwritten, and the computer forensics experts can often even retrieve data that has been overwritten by newer files. Indeed, computers normally don't "delete" data; they just allow it to be overwritten over time, and overwritten again. The best way to keep those "deleted" files hidden, then, is to make sure they get overwritten immediately. Your operating system probably already includes software that can do this for you, and overwrite all of the "empty" space on your disk with gibberish (optionally multiple times), and thereby protect the confidentiality of deleted data. Examples include GNU Shred (Linux), Secure Delete (Mac OS X), and cipher.exe (Windows XP Pro and later)."

Tools & Tips for researchers?
March 03, 2013
Article - Twitter as a reporting tool for breaking news
"This study focuses on journalists Paul Lewis (The Guardian) and Ravi Somaiya (The New York Times), the most frequently mentioned national and international journalists on Twitter during the 2011 UK summer riots. Both actively tweeted throughout the four-day riot period and this article highlights how they used Twitter as a reporting tool. It discusses a series of Twitter conventions in detail, including the use of links, the taking and sharing of images, the sharing of mainstream media content and the use of hashtags. The article offers an in-depth overview of methods for studying Twitter, reflecting critically on commonly used data collection strategies, offering possible alternatives as well as highlighting the possibilities for combining different methodological approaches. Finally, the article makes a series of suggestions for further research into the use of Twitter by professional journalists."

For my students
March 04, 2013
OATs: Open Access Textbooks
OATs: Open Access Textbooks: "The OATs Libguide provides access to descriptions and links to known initiatives and organizations that support the development and promotion of Open Access textbooks, and to OA and low-cost e-books and textbook catalogs and databases." [Gerry McKiernan]

I wonder if my Vets would be interested?
Armchair Generals Wanted: Army Outsources Criticism of New Defense Strategy
Ever felt like you could fix U.S. national security strategy, if only the military would listen to you? The Army is ready to listen. Especially if your arguments mean a bigger role for the Army.
This is a tough time for the Army. Its reward for fighting in Iraq and Afghanistan for 12 years is to have its soldiers downsized and its budget slashed. Worse, from the ground forces’ perspective, its future relevance is in question: The defense strategy that the Obama administration unveiled in 2012 is big on robots, commandos, and air and sea power in places like Asia. Ponderous ground warfare is out.
What’s a ground warfare organization to do? If you’re the Army, commission a study on why the strategy is a looming disaster.