Monday, August 02, 2004

MIRLN -- Misc. IT Related Legal News [5-31 July 2004; v7.10]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and in the public materials section of the Cyberspace Committee’s collaboration space at

**************End of Introductory Note***************

!*!*!*!*! ABA Annual Meeting, 6-10 August 2004 (Atlanta, Georgia). The Cyberspace Law Committee will be producing or co-sponsoring 4 CLE programs, and two mini-programs on subjects such as VoIP, Gift/Stored-Value Cards, Search Engines and Trademarks, and CAN-SPAM. Registration information is at !*!*!*!*! Follow the Committee’s activities in Atlanta at our blog --

U.N. AIMS TO BRING SPAM UNDER CONTROL WITHIN TWO YEARS (, 6 July 2004) -- The United Nations is aiming to bring a “modern day epidemic” of junk e-mail under control within two years by standardizing legislation to make it easier to prosecute offenders, a leading expert said Tuesday. “(We have) an epidemic on our hands that we need to learn how to control,” Robert Horton, the acting chief of the Australian communications authority, told reporters. “International cooperation is the ultimate goal.” The International Telecommunications Union is hosting a meeting on spam in Geneva this week that brings together regulators from 60 countries as well as various international organizations, including the Council of Europe and the World Trade Organization. The U.N. agency said it would put forward examples of anti-spam legislation which countries can adopt to make cross-border cooperation easier. Many states currently have no anti-spamming laws in place, making it difficult to prosecute the international phenomenon. Top priority is “pornographic material ... that may come to the attention of children,” said Horton, who is running the meeting. “I think it’s time we did something formally about this. We will have to come to some sort of general understanding.” As much as 85 percent of all e-mail may be categorized as spam, the ITU said, compared to an estimated 35 percent just one year ago. The vast majority is generated by a few hundred people, but authorities are not able to prosecute many of them under current legislation. Spam and anti-spam protection cost computer users some $25 billion last year, according to the United Nations.

SOFTWARE PIRACY LOSSES DOUBLE (CNET, 7 July 2004) -- Software manufacturers lost $29 billion to piracy in 2003, more than double the previous year’s losses, according to an industry survey released Wednesday. About 36 percent of software installations worldwide are pirated copies, the study by trade group Business Software Alliance and market researcher IDC showed. In dollar terms, the losses were greatest in Western Europe, where piracy cut revenue by $9.6 billion in 2003, followed by Asia and North America. The Business Software Alliance blamed the rapid spread of piracy on so-called peer-to-peer networks, where Internet users illegally swap software and other files such as music for free or at discounted prices. “Peer-to-peer file-sharing services are becoming a huge problem for us,” said Jeffrey Hardee, the Business Software Alliance’s Asia-Pacific director. Vietnam and China had the world’s highest rates, with pirated versions accounting for 92 percent of all computer software installed in each country, followed by the Ukraine with 91 percent, Indonesia at 88 percent, and Zimbabwe and Russia with 87 percent each.

-- AND --

SOFTWARE PIRACY: HOW MUCH OF A PROBLEM? (International Herald Tribune, 19 July 2004) -- The pronouncements and position papers of trade groups are usually regarded as predictably self-serving and dull. But a study released two weeks ago by the Business Software Alliance, which estimated the yearly losses from software piracy at $29 billion worldwide, has managed to stir real passion. The piracy study has become an issue because of a copyright bill, introduced in the U.S. Senate last month, that is strongly supported by the business alliance. The bill is the latest legislative proposal to grapple with digital piracy of music, movies and software, especially the use of peer-to-peer file-sharing networks like Grokster, Morpheus and Kazaa. Opponents of the copyright bill see the trade group’s study as an overt political act intended to increase support for the proposed legislation by portraying software piracy as a rapidly growing problem that is far more costly than was previously thought. The trade group’s previous estimate of software piracy losses was $13 billion a year.

IRS EYES NET PHONE TAXES (CNET, 6 July 2004) -- A “temporary” tax created to pay for the Spanish-American War may result in higher fees for Internet telephone calls. In a notice published Friday, the IRS and Treasury Department said they are considering whether an existing 3 percent federal excise tax on phone calls should be reinterpreted “to reflect changes in technology” used in “telephonic or telephonic quality communications.” Although the notice does not mention Net phone services, industry advocates warned it could lead to new taxes on fast-growing voice-over-Internet Protocol (VoIP) technology, depending on how it’s interpreted. The IRS and the Treasury Department have suggested that an existing federal excise tax on phone calls should be interpreted to apply to Internet telephone calls. “They’re looking at VoIP and any other potential technologies that are flying under the radar,” said Glenn Richards, a partner at the law firm Shaw Pittman in Washington who represents VoIP companies. “Clearly they’re trying to extend their jurisdiction to apply the excise tax to as many ‘calls’ as they can. It’s got to be a revenue issue for them. If everyone starts migrating to new platforms, they’re facing a decrease in excise taxes.”

IT’S OFFICIAL -- YOU DON’T HAVE TO READ YOUR BOSS’S EMAILS (Steptoe & Johnson’s Ecommerce Law Week, 3 July 2004) -- Yet another reason why a paperless society continues to remain just beyond reach: A federal court in Massachusetts has ruled that an employer can’t rely solely on a mass e-mail to tell employees about a change in company policy, at least not if it expects the policy change to stick. In Campbell v. General Dynamics Government Systems Corporation, the court held that giving employees e-mail notice is not sufficient to bind them to a key policy change, even if there is a record that the e-mail recipient opened the message. The court left open the possibility that a company could bind employees by sending an email notice of the change and then requiring employees to respond or to somehow indicate that they have received and read the email. In any event, the court’s ruling means that companies may need to re-evaluate how they communicate with their employees.

ANALYST: IPODS A NETWORK SECURITY RISK (CNET, 7 July 2004) -- Companies should consider banning portable storage devices such as Apple’s iPod from corporate networks, as they can be used to introduce malware or steal corporate data, according to an analyst. Small portable storage products can bypass perimeter defenses like firewalls and introduce malware such as Trojans or viruses onto company networks, research company Gartner said in a report issued this week. Analysts have warned for some time of the dangers of using portable devices, but the report points out these also now include “disk-based MP3 players, such as Apple’s iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.” Another potential danger is that the devices--which typically make use of USB and FireWire--could be used to steal large amounts of company data, as they are faster to download to than CDs. Additionally, the size of the portable devices means they can be easily misplaced or stolen. Gartner advises companies to forbid the use of uncontrolled, privately owned devices with corporate PCs and to adopt personal firewalls to limit activity on USB ports. “Businesses must ensure that the right procedures and technologies are adopted to securely manage the use of portable storage devices like USB ‘keychain’ drives,” the report states. “This will help to limit damage from malicious code, loss of proprietary information or intellectual property, and consequent lawsuits and loss of reputation.”

DON’T COUNT ON E-SIGN TO MAKE YOUR ELECTRONIC DOCUMENTS LEGAL (Steptoe & Johnson’s Ecommerce Law Week, 3 July 2004) -- Banks have widely implemented electronic record retention systems for contracts and other records pursuant to the E-Sign Act of 2000. But according to a new warning from the Office of the Comptroller of the Currency (OCC), the Act does not ensure the admissibility of these contracts and records in court. As a result, the documents ultimately may not be enforceable. According to an OCC advisory letter issued June 21, the Act’s general standards need further development and interpretation to ensure that electronic records can fulfill their intended purposes. In the meantime, banks should take steps to ensure that their electronic record retention systems have sufficient accuracy, accessibility, and integrity to accomplish the essential functions of specific records.

DEUTSCHE TELEKOM VENTURES INTO GLOBAL WI-FI ROAMING (InfoWorld, 8 July 2004) -- The more, the merrier. That’s the motto of a new roaming service that T-Systems International GmbH, a unit of Deutsche Telekom AG, is targeting at providers of wireless Internet services worldwide. T-Systems is currently linking together thousands of wireless LAN (WLAN) hotspots into one virtual network, allowing users to access any network regardless of their home provider, said T-Systems product manager Christian Wollner in a telephone interview. “The more operators we can connect, the easier it is to attract new ones, and the wider the coverage is for users,” he said. The roaming service is ideal for business travelers who seek high-speed wireless Net access, also known as Wi-Fi, without the hassle of having to sign up and pay separately every time they log on to a hotspot of another service provider, according to Wollner. The service, he said, is similar to the international roaming agreements between mobile phone companies, allowing customers to make calls on networks outside their own. For its part, T-Systems remains invisible to end users. “We are providing a wholesale roaming service,” Wollner said. “We don’t sell directly to corporations or consumers but rather to mobile phone operators, hotspot operators and other telecommunications service providers, which can market the service as they please.” The business model works like this: T-Systems buys access to hotspots from so-called wireless Internet service providers (WISPs) and resells this access to online companies, mobile operators and other WISPs seeking to extend their coverage. The German company clears traffic between its partners and handles internal billing.

DMCA HAMMER COMES DOWN ON TECH SERVICE VENDOR (LawGeek, 9 July 2004) -- A district court in Boston has used the DMCA to grant a preliminary injunction against a third party service vendor who tried to fix StorageTek tape library backup systems for legitimate purchasers of the system. How is this a DMCA violation? Well, it turns out that StorageTek allegedly uses some kind of algorithmic “key” to control access to its “Maintenance Code”, the module that allows the service tech to debug the storage system. The court found that third party service techs who used the key without StorageTek’s permission “circumvented” to gain access to the copyrighted code in violation of the DMCA, even though they had the explicit permission of the purchasers to fix their machines. What does this ruling mean? If it stands up on appeal, it means StorageTek has a monopoly on service for all of its machines. No independent vendor will be able to compete with them for service contracts because no independent vendor will be authorized to “access” the maintenance code necessary to debug the machine.

GEOLOCATION TECH SLICES, DICES THE WEB (, 9 July 2004) -- Type “dentist” into Google from New York, and you’ll get ads for dentists in the city. Try watching a Cubs baseball game from a computer in Chicago, and you’ll be stymied. Pre-existing local TV rights block the webcast. The same technology is also being used by a British casino to keep out the Dutch and by online movie distributors to limit viewing to where it’s permitted by license, namely the United States. The World Wide Web experience is becoming less and less worldwide: What you see and what you are allowed to do these days can depend greatly on where and even who you are. As so-called geolocation technology improves, Web sites are increasingly blocking groups of visitors and carving the Web into smaller chunks -- in some cases, down to a ZIP code or employer. To privacy advocates like Jason Catlett, that technology can detect users’ whereabouts isn’t the most disturbing aspect of this trend. Rather, it’s the fear that Web sites will try to mislead visitors. A company, for instance, might show different prices when competitors visit; a political candidate might highlight crime-fighting in one area, jobs in another. “The technical possibilities do allow a company to be two-faced or even 20-faced based on who they think is visiting,” Catlett said. Alan Davidson, associate director for the Washington-based Center for Democracy and Technology, worries that governments will try to employ the technology to enforce their laws within artificial borders they erect. Such concerns, not entirely new, have grown with the technology’s reliability, he said. A French court considered geolocation when it directed Yahoo Inc. in 2000 to prevent French Internet users from seeing Nazi paraphernalia on its auction pages. America Online Inc. sees geolocation as one way to comply with the French Nazi ban as well as a Pennsylvania child porn law.

MOVIE AND SOFTWARE FILE SHARING OVERTAKES MUSIC (, 12 July 2004) -- Music no longer accounts for the majority of traffic on internet file-sharing networks, according to a new study. It suggests file traders now swap more video and software content. The report was published by the Organization for Economic Cooperation and Development (OECD) based in Paris, France, on Monday. It indicates that music accounted for 49% of all data swapped globally through file sharing networks in 2003, a steep drop from 62% in 2002. Audio files are still swapped more frequently than anything else. But video and software files are usually much larger - on average video files are about 20 times bigger. The OECD’s figures also indicate that trading in video and software is more popular in Europe than the US. In Germany, for example, 35% of swapped files are video, compared to 24% in the US. The report does not distinguish between illegal sharing of copyrighted songs, films and software and trading in content that is free to copy. However, the movie industry is clearly concerned about the trend.

CODE NAME: TROUBLE (ABA Journal, 9 July 2004) -- Computer programmers, according to a recent survey, consider using existing computer code to create new software programs an acceptable practice. That may come as a surprise to those code developers’ employers, since code borrowing could create a copyright nightmare., a British online and print publication, surveyed the habits of more than 3,000 computer programmers. One statistic that jumped out of survey results published in June was that 75 percent of all coders use blocks of computer code they have appropriated from other software. The survey did not dig deep enough to find out whether these blocks of code were from copyrighted sources or public domain code. Code copying is a hot topic these days. In fact, code borrowing is at the heart of the biggest lawsuit in the tech industry. Software company SCO filed suit against IBM for $3 billion last year for allegedly putting some of SCO’s copyrighted source code into an operating system known as Linux. Linux is a tech darling because it is created as a group effort and distributed for free under what is called the General Public License. And it has recently gained attention for its use in computer servers and its possible role as a free platform for use by governments across the globe. Though SCO is fighting the Linux crowd, the company says there is nothing inherently wrong with open source projects. “SCO still participates in open source efforts. Some open source projects are rigid in their analysis and the code is properly vetted,” says Chris Sontag, SCO’s senior vice president and general manager.

FRANCE LENDS SUPPORT TO NEW OPEN-SOURCE LICENSE (InfoWorld, 9 July 2004) -- Researchers at three French government-funded research organizations this week revealed something they hope will increase the spread of free, open source software in the country: a new license they say is compatible with the Free Software Foundation Inc.’s GNU General Public License (GPL). Plenty of free software licenses exist already, but they are mostly written in English, from the point of view of the U.S. legal system, which can pose a problem in countries where the legal system is based on different assumptions. The new license, known as CeCILL, is intended to make free software more compatible with French law in two areas where it differs significantly from U.S. law: copyright and product liability. Under French law, consumer product manufacturers cannot decline all responsibility for their products -- yet the would-be developers of many open source projects, without corporate backing, cannot afford to expose themselves to unlimited financial risk. CeCILL offers a way around this: by declaring that software offered under the license is intended for knowledgeable users, it allows software developers to limit their responsibility under French law, said Gérard Giraudon, head of development and industrial partnerships at INRIA. Nevertheless, they must take some responsibility, which is reassuring for software’s users, he said. Copyright is another area that differs under French and U.S. law. In France, software copyright is governed by laws relating to artistic and literary creations, not commercial intellectual property. However, unlike most works of art, where the copyright belongs to the author, copyright in a piece of software belongs to the company paying for the work. Some aspects of CeCILL were necessary to take this into account, Giraudon said.
Like some other open-source licenses, CeCILL is designed so that CeCILL-protected works “contaminate” other software in which they are incorporated, so that that work too must be released under the CeCILL license, Giraudon said. In that respect, it is much like the GPL, he said. In addition, CeCILL includes a term that explicitly says that any work released under CeCILL may also be incorporated into works released under the GPL, and subsequently released under the GPL, he said. CeCILL is the first in a family of licenses, he added. Other variations planned will have different characteristics, making them more like French versions of the LGPL (Lesser GPL) or BSD open source licenses, which allow the use or inclusion of open source code with commercial works under certain conditions.

-- and --

INDIAN PRESIDENT CALLS FOR OPEN SOURCE IN DEFENSE (CNET, 7 July 2004) -- In another public-sector boost to open-source software, Indian President A.P.J. Abdul Kalam called for his country’s military to use such nonproprietary technology to ward off cybersecurity threats. “Software maintenance and software upgrade is an important issue for defense,” Kalam said at a meeting of Indian Navy’s Weapons and Electronic System Engineering Establishment in New Delhi last week. Without naming any proprietary software products, the president asked defense engineers to develop and implement on open platforms. “Even though the required software for the equipment could be developed by the private industry, it is essential that the technical know-how and the architecture is fully available with these services for ensuring provision of lifetime support for the software which may or may not be forthcoming from the trade.” Kalam, a former head of India’s defense research and development organization and architect of the guided missile program, has been a supporter of open-source software. Under the Indian constitution, the president is also the supreme commander of the armed forces--army, navy and air force. Linux, an open-source operating system, has been winning support from government leaders and local authorities in some countries. Recently the city of Bergen, Norway, decided to replace Windows and Unix with Linux operating systems, citing costs and reliability as reasons. Another European city, Munich, has decided to continue using Linux at the end of a yearlong trial.

OUTSOURCING’S EXPLOSIVE SUCCESS IS TRANSFORMING INDIA (EcommerceTimes, 11 July 2004) -- The Forrester report projected that the greatest outsourcing growth during the next 18 months will come from companies already doing it. The firm also said that by 2008, more than half of Fortune 1000 companies will be sending work abroad, up from about one-third now. India’s outsourcing industry hopes to seize new work by anticipating customer needs rather than just taking orders.

PLAN TO COLLECT FLIER DATA CANCELED; COLOR-CODED SYSTEM SEEN AS PRIVACY THREAT (USA Today, 16 July 2004) -- A controversial government plan to collect personal information from airline passengers and rank travelers according to terrorist risk level is being dismantled because of concerns over privacy and effectiveness, Homeland Security Secretary Tom Ridge said Wednesday. Ridge said security leaders have all but scrapped plans for the Computer Assisted Passenger Prescreening System, known as CAPPS II. The program was never officially begun, even though the government has spent more than $100 million on its planning. Once touted as a key tool for keeping U.S. skies safe from terrorists, the system has been under relentless criticism from privacy advocates and some members of Congress who called it an unwarranted intrusion into passengers’ privacy. Asked Wednesday whether the program could be considered dead, Ridge jokingly gestured as if he were driving a stake through its heart and said, “Yes.” He cited the privacy concerns, particularly those arising from recently proposed regulations that would have required airlines to hand over information about passengers as part of a test of the program. Critics in Congress also complained that terrorists using fake identities could easily evade the system. Under CAPPS II, each passenger would have been required to give an airline or travel agent his or her full name, date of birth, address and telephone number. The government would verify a passenger’s identity through a database of terrorist watch lists, as well as public records and mail marketing lists.

COURT RULES EMAIL SERVICE NOT SUFFICIENT IN DOMAIN SUIT (BBA’s Internet Law News, 15 July 2004) -- A federal court in Connecticut has denied an attempt by Pfizer to serve the defendants in a suit against two websites - and - by email. The court said it was not convinced email was the only method of serving the defendants. Case name is Pfizer v. Domains By Proxy. Decision at

CHIP IMPLANTED IN MEXICO JUDICIAL WORKERS (AP, 14 July 2004) -- Security has reached the subcutaneous level for Mexico’s attorney general and at least 160 people in his office — they have been implanted with microchips that get them access to secure areas of their headquarters. It’s a pioneering application of a technology that is widely used in animals but not in humans. Mexico’s top federal prosecutors and investigators began receiving chip implants in their arms in November in order to get access to restricted areas inside the attorney general’s headquarters, said Antonio Aceves, general director of Solusat, the company that distributes the microchips in Mexico. Attorney General Rafael Macedo de la Concha and 160 of his employees were implanted at a cost to taxpayers of $150 for each rice grain-sized chip. More are scheduled to get “tagged” in coming months, and key members of the Mexican military, the police and the office of President Vicente Fox might follow suit, Aceves said. Fox’s office did not immediately return a call seeking comment. A spokeswoman for Macedo de la Concha’s office said she could not comment on Aceves’ statements, citing security concerns. But Macedo himself mentioned the chip program to reporters Monday, saying he had received an implant in his arm. He said the chips were required to enter a new federal anti-crime information center. “It’s only for access, for security,” he said. The chips also could provide more certainty about who accessed sensitive data at any given time. In the past, the biggest security problem for Mexican law enforcement has been corruption by officials themselves. Aceves said his company eventually hopes to provide Mexican officials with implantable devices that can track their physical location at any given time, but that technology is still under development.

60 E-MAILS SENT INTO FORUM STATE CONFERRED JURISDICTION (BNA’s Computer Law Alert, subscription required, 16 July 2004) -- In an action alleging false advertising, defamation, commercial disparagement, intentional interference with existing and prospective business relationships, and antitrust violations brought by a Massachusetts musical instrument maker against a Texas competitor, personal jurisdiction could be exercised in Massachusetts based on the Texas firm’s sending of 60 e-mails to persons with Massachusetts mailing addresses, the federal district court in Boston has ruled. The requirements of both due process and the Massachusetts long-arm statute were met. Because the e-mails were the subject of the suit, the requirement that the contacts with the forum be causally connected to the cause of action easily was met. The purposeful availment element was satisfied because the Texas firm was aware that the e-mails would be sent to Massachusetts. The firm sent the e-mails to persons on a list that it maintained and controlled, and it acted with the intent to purposefully avail itself of the benefits and protections of Massachusetts law. Case is First Act, Inc. v. Brook Mays Music Co.

-- and --

11TH CIRCUIT RULES ON COPYRIGHT JURISDICTION (BNA’s Internet Law News, 16 July 2004) -- The 11th Circuit Court of Appeals has ruled that it can assert jurisdiction over a copyright infringement case based on several connections with the U.S. While the disputed work was created in France, the court found that the importation of copies of the work to the U.S. was sufficient to convey jurisdiction. Case name is Palmer v. Braun. Decision at

AMSTERDAM INSTITUTE FOR INFORMATION LAW PUBLISHES SPAM REPORT (Hunton & Williams Privacy & Ecommerce Alert, 16 July 2004) -- The Institute for Information Law (IViR), which is part of the Faculty of Law of the University of Amsterdam, has released the results of a comprehensive study carried out between September 2003 and March 2004. This research project analyzes the legal framework regulating unsolicited commercial e-mail (spam) in the European Union. In particular, it presents and assesses recent legislative initiatives against spam in EU Member States further to the adoption of Directive 2002/58 on privacy and electronic communications of July 12, 2002. The study can be downloaded from: Further information on IViR is available at: (For subscription information, email Anne Ruwet at:

EUROPEAN COMMISSION SUGGESTS UK’S DATA PROTECTION ACT IS DEFICIENT (, 15 July 2004) -- The European Commission has called upon the UK Government to justify its approach to data protection law – because it fears that it does not comply with the European Data Protection Directive. The concerns are believed to focus on a court’s definition of what constitutes “personal data” in Michael Durant’s landmark case against the UK’s Financial Services Authority and subsequent guidance on the case from the UK’s Information Commissioner. But “personal data” is not the only problem. Jonathan Todd, European Commission Spokesman on the Internal Market, told OUT-LAW yesterday: “I can confirm that the Commission has sent a letter of formal notice to the UK Government about the conformity of several aspects of the 1998 Data Protection Law with the EU data protection Directive of 1995.” The detail of the letter – which is said to run to 20 pages – has not been made public by the European Commission: it is for the UK Government to decide whether or not to make it public. However, OUT-LAW understands that the failure of the UK Government to guarantee the right of access to personal data is likely to be a strong feature of the letter. Other concerns appear to include insufficient controls on international transfers of data and a lack of investigative powers given to the Commissioner.

ACTRESS TRIES TO SLAP GAWKERS (Wired, 16 July 2004) -- Gawker Media’s sex-centric blog Fleshbot is considering permanently removing a hyperlink to a website selling a video in which actress Cameron Diaz is seen topless. The possible move comes after the star’s attorneys sent the leading blogging outfit a cease and desist letter last week. Last November, Los Angeles Superior Court Judge Alan Haber granted Diaz’s request for an injunction against John Rutter Productions, the company that made and is selling the Diaz video. But Gawker Media only got involved last week when Fleshbot, following on widely posted links in the blogosphere, first posted a link to the video, an S&M film made in 1992 starring a then-unknown Diaz. “Whether or not Fleshbot or any of the Gawker sites link to (the video’s) site, it’s still there,” said Fleshbot editor John d’Addario. “We didn’t host the video, we’re not selling the video, and we didn’t link to the video itself. There are a lot of blogs out there ... putting it on their sites. It’s not hard to find.”,1284,64248,00.html

BIG COMPANIES EMPLOYING SNOOPERS FOR STAFF EMAIL (, 19 July 2004) -- Large companies are now so concerned about the contents of the electronic communications leaving their offices that they’re employing staff to read employees’ outgoing emails. According to research from Forrester Consulting, 44 per cent of large corporations in the US now pay someone to monitor and snoop on what’s in the company’s outgoing mail, with 48 per cent actually regularly auditing email content. The Proofpoint-sponsored study found the motivation for the mail paranoia was mostly due to fears that employees were leaking confidential memos and other sensitive information, such as intellectual property or trade secrets, with 76 per cent of IT decision makers concerned about the former and 71 per cent concerned about the latter.

STUDY: MASTERCARD, OTHERS UNWITTINGLY HELP ‘PHISHERS’ (InfoWorld, 19 July 2004) -- Leading financial institutions have adopted a more aggressive attitude toward online identity theft cons known as “phishing scams” in recent months. But companies, including MasterCard International Inc., may be unwittingly helping phishers trick online shoppers, says a new report from a U.K. Web developer. A test of leading financial services Web sites, including sites run by MasterCard, NatWest and Reuters Group PLC revealed that many sites have loosely protected features that scam artists can use to mask their own malicious Web sites, hijacking the name and Web address of established institutions, said Sam Greenhalgh, who is 19 and operates the Web site Greenhalgh is responsible for discovering a vulnerability in Microsoft Corp.’s Internet Explorer Web browser known as the “%01” vulnerability. That security hole, since closed by Microsoft, was widely used in phishing scams to disguise the location of phishing Web sites, which online scam artists use to harvest sensitive personal and financial information from their victims. He published a report at on his latest findings. The security lapses at major financial sites are not caused by flawed Microsoft products, Greenhalgh said. Indeed, the trick works with most popular Web browsers. Instead, poorly designed and insecure features on leading Web sites that contain “cross-site scripting” vulnerabilities are to blame, he said. Greenhalgh uses the example of an “ATM Locator” feature on MasterCard’s Web site. The ATM Locator was designed to help MasterCard holders locate cash machines that accept MasterCard. Users input a location, including a country and street address, and the Web site provides the location of cash machines in the area. 
However, because of a cross-site scripting vulnerability in the feature, Greenhalgh was able to inject his own HTML (Hypertext Markup Language) into the fields used by the ATM Locator, causing the site to display his content, including a mock form that could be used to harvest information. [Editor: Shouldn’t site operators implement “best-practice” security in such websites? Otherwise, shouldn’t they be held responsible for losses?]

JUDGE: FEDS, NOT STATES, SHOULD GOVERN VOIP (CNET, 20 July 2004) -- State utility commissions can have very little control over Net phone companies, a New York federal judge wrote in an order that hands another victory to Vonage and similar upstarts. State utility commissions will be able to work with Vonage to rectify customer complaints but won’t be able to regulate or tax the company, according to U.S. District Judge Douglas Eaton. Eaton’s order, released within the past few days, strikes at the heart of a debate between federal regulators, which want to exercise a hands-off approach to voice over Internet Protocol (VoIP) to let the young industry grow, and states, which rely on tax revenues to pay for public programs. The Federal Communications Commission, which is in the process of drafting Net phone rules, will have the upper hand in how to approach VoIP in New York, Eaton wrote. “On balance, the Public Service Commission has not demonstrated state public interests, which require the immediate exercise of state common-carrier regulations,” the judge wrote. But the New York state PSC can collect complaints from Net phone customers, refer the complaints to Net phone providers and even offer nonbinding arbitration as a way to settle any disputes, Eaton said. Eaton is the second judge to dismiss attempts to force Net phone providers to follow state telephone rules and tax regimes.

DUKE U. WILL GIVE IPOD MUSIC PLAYERS TO ALL NEW FRESHMEN IN A ‘SEE WHAT HAPPENS’ PROJECT (Chronicle of Higher Education, 20 July 2004) -- This fall’s crop of freshmen at Duke University will get a snazzy digital toy along with their campus maps, dormitory-room keys, and orientation booklets: a brand-new iPod, paid for by the university. Duke announced on Monday that it would distribute iPods to all of its 1,650 freshmen. An additional 150 will be given to faculty members or lent to upperclassmen for use in courses. The university will spend approximately $500,000 on the project, officials say, for hardware and staff support. That money will come from a fund for incorporating information technology into instruction. The goal of the giveaway is education, not entertainment, Duke officials say. Students might use their iPods, for instance, to listen to assigned songs or audio clips in music or foreign-language courses. And students in some courses will be given microphones so they can record lectures or field interviews with the devices. Lynne M. O’Brien, director of the Duke Center for Instructional Technology, said that she has spoken with an instructor in Spanish who plans to use the iPods to record and distribute assignments. A professor of environmental studies is interested in using iPods to record interviews in the field.

-- and --

VERIZON’S NET PHONE SERVICE TAKES WING (CNET, 22 July 2004) -- Verizon Communications on Thursday began offering VoiceWing, its long-awaited broadband phone service expected to challenge AT&T, Vonage and other top providers of Internet phone calls. The unlimited local and long-distance service, available nationwide, costs about the industry average: $35 for the first six months, then goes up to $40 a month, the carrier said. If a Verizon DSL subscriber signs up, VoiceWing costs $30 a month for the first six months, then $35 a month, according to Verizon. For Verizon, Net phone plans will serve as an enticement to attract new broadband customers or keep old ones, executives said Thursday. The company has also been slashing the prices of its broadband plans recently. Verizon’s move had been expected and was perhaps hastened by cable companies, which recently embraced the same voice over Internet Protocol (VoIP) technology that Verizon is using. Also, some analysts believe that Verizon’s launch was also spurred by AT&T, which recently completed its own nationwide VoIP rollout weeks earlier than anticipated.

JUDGE FINES PHILIP MORRIS FOR DELETION OF E-MAIL (, 20 July 2004) -- A federal judge fined tobacco giant Philip Morris USA and its parent company, Altria Group Inc., $2.7 million Wednesday for deleting e-mails that may be relevant in the government’s lawsuit against the cigarette industry. “A monetary sanction is appropriate,” U.S. District Judge Gladys Kessler said in her ruling. “It is particularly appropriate here because we have no way of knowing what, if any, value those destroyed e-mails had to plaintiff’s case.” In a statement, Philip Morris called the loss of e-mails “inadvertent” and said it was “studying its legal options.” Shortly after the government filed its civil racketeering case against the tobacco industry in 1999, the court ordered the parties to preserve all documents and records containing information that might be relevant to the case. However, Philip Morris officials deleted e-mails that were over 60 days old on a monthly basis for at least two years after that order was issued. Court records show Philip Morris notified the court it was out of compliance with the court order in June 2002, a few months after becoming aware of the problem.

CANADA: WORRYING ABOUT THE LONG ARM OF THE PATRIOT ACT (Steptoe & Johnson’s E-Commerce Law Week, 17 July 2004) -- Could privacy groups’ campaign against the USA PATRIOT Act (Patriot Act) become a campaign against outsourcing to US companies? The Department of Justice recently released a report singing the praises of the Patriot Act for helping the FBI crack down on terror suspects and child porn rings. But some of our neighbors to the north now want to know: Just how long is the arm of the law under the Patriot Act? The British Columbia Office of Information and Privacy Commissioner has requested comment on whether US authorities can use section 215 of the Patriot Act to obtain personal information outsourced for data processing to Canadian affiliates of US companies. The Privacy Commissioner also wants to know what the Patriot Act’s implications are for BC public bodies -- government entities required under the BC Freedom of Information and Protection Act (FOIPP) to protect personal information in its custody or control. For now, at least, the BC government seems to be alone in harboring these concerns, but the issue could feed on Canadian dislike of Bush Administration policies in the war on terror.

CT RULES ON eBAY LIABILITY FOR DEFAMATORY USER POSTINGS (BNA’s Internet Law News, 23 July 2004) -- A California appellate court has ruled that a release provision in eBay’s user agreement relieved the company of liability for the allegedly defamatory comments made by one of its users against another user. The court added, however, that the law would not protect eBay for distributing information that it knew or had reason to believe was false thus leading to a likely appeal to the California Supreme Court. Case name is Grace v. eBay. Coverage at Decision at

REPORT FAULTS CYBER-SECURITY (WashingtonPost, 23 July 2004) -- The Department of Homeland Security’s efforts to battle computer-network and Internet attacks by hackers and other cyber-criminals suffer from a lack of coordination, poor communication and a failure to set priorities, according to an internal report released yesterday. The report, by the department’s inspector general, said the shortcomings of the National Cyber Security Division leave the country vulnerable to more than mere inconvenience to businesses and consumers. The division “must address these issues to reduce the risk that the critical infrastructure may fail due to cyber attacks,” the report said. “The resulting widespread disruption of essential services after a cyber attack could delay the notification of emergency services, damage our economy and put public safety at risk.” Among the report’s recommendations is that the division develop a process for overseeing efforts of federal, state and local governments to better protect their systems. The report cited progress in some areas since the division was formed in June 2003 as part of the federal reorganization that created the DHS. It praised the creation of a cyber-security coordination center called US-CERT, and an alert system that includes a Web site and automated notification to tech-security professionals of security threats making their way through cyberspace. But the report comes at a time of heightened frustration among technology company executives and members of Congress that cyber-security is not getting enough attention and is poorly understood by some senior department officials. The issue is not just the possibility of a broad cyber-terrorist attack, those people say, but the daily attacks that are costing U.S. businesses and computer users hundreds of millions of dollars a year and countless hours of lost productivity.

MOVEON MOVES UP IN THE WORLD (Wired, 26 July 2004) -- It’s the stuff of political legend. In 1998, appalled by Congress’ drawn-out, taxpayer-funded preoccupation with protein stains on a Gap dress, Joan Blades and Wes Boyd wanted to send a message to Congress to censure the president already and move on. They sensed that other people might feel the same way, so they built a website and sent e-mail to about 100 friends asking them to sign an online petition to send to Congress. Within a week 100,000 people responded. Eventually, the number grew to half a million. Thus a national movement was born. “That was the key moment for them,” said Joe Trippi, former campaign manager for one-time presidential candidate Howard Dean, whose online campaign techniques were inspired by MoveOn’s success. “But they’ve had many moments since.” From that petition six years ago, has become a powerhouse, grass-roots organization that has helped re-energize politics in the United States and force Washington lawmakers to pay attention to voices outside the capital beltway. Today, with no office and no formal organization other than a website and a handful of staff members spread around the country, MoveOn has amassed more than 2 million members and raised millions of dollars for candidates. In addition to igniting the populist-fueled Dean campaign, MoveOn has helped elect congressional representatives who are in alignment with members’ values and who pass legislation on Capitol Hill. They’ve committed to raising $50 million this season to support more candidates. And that’s just the beginning. Last week, the organization filed a complaint with the Federal Trade Commission accusing Fox News of false advertising under its “fair and balanced” slogan. They’ve sponsored a TV ad to get Secretary of Defense Donald Rumsfeld fired. And now they’re addressing electronic voting machines, asking the government to require a voter-verified paper trail for digital voting machines. 
But MoveOn founders Blades and Boyd never intended to get involved in politics or take on Bill O’Reilly and George Bush. Blades, an attorney mediator, and Boyd, a computer programmer, met more than 20 years ago while playing soccer. The husband-and-wife team became known for flying toasters when, as founders of Berkeley Systems, they helped develop the After Dark screensavers, which included the Magritte-esque winged toasters that flew across thousands of computer screens in the early ‘90s.

FRENCH INTERNET PROVIDERS JOIN PIRACY CRACKDOWN (, 28 July 2004) -- French Internet service providers agreed Wednesday to cooperate in a crackdown against Web surfers who illegally download music online. In a government-backed charter also signed by record labels and musicians’ groups, France’s leading Internet companies agreed to pull the plug on pirates and step up cooperation with copyright prosecutions. The agreement was signed by representatives of Internet service providers Free, Noos, Club-Internet, Wanadoo and Tiscali France. Christine Levet, Club-Internet CEO and head of France’s Association of Internet Service Providers, stressed that companies like her own “will cut subscriptions only upon the decision of a judge.” Nevertheless, the charter also calls on music copyright holders to launch and publicize “targeted civil and criminal” court action against pirates by the end of the year. By agreeing to help in the crackdown on pirates, French Internet companies hope they can head off the need for tough legislation such as the 1998 Digital Millennium Copyright Act in the United States -- which holds service providers financially liable if they don’t immediately remove copyright material posted by their users when requested to do so.

DONATING YOUR SOCIAL SECURITY NUMBER TO SCIENCE (Steptoe & Johnson’s E-commerce Law Week, 24 July 2004) -- The Appellate Court of Illinois in Chicago has issued a decision that no privacy violation occurred when mobile phone service providers disclosed customer information -- including names, addresses, wireless telephone numbers, and Social Security numbers -- to a private research firm studying the possible link between wireless phones and cancer. Under Illinois law, the court found, this information is not considered private. Consumers may find this result unnerving, but companies may have reason to be cautiously optimistic. A court ruling that a Social Security number is not private has the potential to reduce the risk of wide ranging liability for companies under common law.

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. The Ifra Trend Report,
8. Crypto-Gram,
9. David Evan’s “Internet and Computer News”,
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
