**************Introductory Note**********************
MIRLN (Misc. IT Related Legal News) is a free product of KnowConnect, Inc. (www.knowconnect.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.
**************End of Introductory Note***************
LAW FIRMS NOT LIABLE IN ALLEGED WEB HACKING CASE (Law.com, 9 Dec 2005) -- Two law firms that allegedly surreptitiously accessed the password-protected Web site of an expert witness in order to show a judge that the witness violated a gag order cannot be held liable under the Digital Millennium Copyright Act. A District of Columbia federal judge has dismissed the suit by Boston occupational illness expert Dr. David Egilman, who accused the law firms Jones Day and Keller & Heckman of Washington, and Keller attorney Douglas Behr, of misappropriating his protected work. Egilman accused the Keller firm and Behr of hacking into his Web site by acquiring a password and sharing it with Jones Day lawyers in the midst of a 2001 landmark Colorado state toxics trial. Egilman had testified on behalf of the first four of 50 workers at Rocky Flats nuclear weapons plant who unsuccessfully claimed that the federal government colluded with the world’s largest beryllium maker, Brush Wellman Inc., to hide the health dangers of the metallic element. Despite a broad gag order by a Colorado state court judge, Frank Plaut, in Ballinger v. Brush Wellman Inc., No. 96-CV-2532, Egilman had posted critical material about Jones Day and Brush Wellman on his password-protected Web site in what Plaut ruled was a violation of the gag order. Plaut ordered jurors to disregard Egilman’s testimony as a sanction after learning from Jones Day that the posting included accusations of potential illegal conduct by Jones Day, and allegations that a Brush Wellman medical doctor was educated in Nazi Germany, according to press accounts at the time. Egilman, who has testified in dozens of toxics trials and was the expert in the recent Texas Vioxx trial that resulted in a $253 million verdict, limited Web site access to his staff and his Brown University students. 
He posted uncensored information on occupational illness and related litigation, including previously confidential corporate internal documents related to many toxic torts. Egilman sued Jones Day and Keller & Heckman, first in Texas and later in the District of Columbia, saying that his reputation was besmirched and his effectiveness compromised. He argued that the law firms and Behr circumvented measures installed to deny access to his copyright-protected work on the Web site, in violation of the 1978 Digital Millennium Copyright Act. U.S. District Judge Henry Kennedy Jr. in D.C. ruled that obtaining a username and password from a third party that has authorized access does not violate the DMCA. Kennedy cited the only other court to rule on improper use of a legitimate password, holding that gaining access to a third party’s legitimate password is not the same as hacking. http://www.law.com/jsp/printerfriendly.jsp?c=LawArticle&t=PrinterFriendlyArticle&cid=1134036310706
FTC HARE CONTINUES TO SPEED AHEAD OF CONGRESSIONAL TORTOISE ON INFORMATION SECURITY REGULATION (Steptoe & Johnson’s E-Commerce Law Week, 10 Dec 2005) -- When it comes to regulating industry information security practices, Congress and the Federal Trade Commission (“FTC”) seem to be reenacting Aesop’s fable of the tortoise and the hare. While Congress plods methodically along with various security-related bills, with nothing likely to be enacted before year’s end, the FTC continues to race ahead, setting de facto security standards for industry through enforcement actions based on its general authority to prevent “unfair . . . acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). On December 1, shoe retailer DSW, Inc., settled FTC charges that the company’s data security failures earlier this year -- which had allowed hackers to access the credit card and debit card information of more than 1.4 million consumers and the checking account information of 96,000 customers -- constituted an “unfair practice.” Notably, the case marks only the second time that the FTC has based a data security enforcement action on the FTC Act’s “unfairness” prong (the first being the Commission’s action against BJ’s Wholesalers this past June). In previous security breach cases, the FTC had based its allegations on the “deceptive practices” prong of the Act -- targeting, for instance, companies that failed to follow their own privacy policies, and thus allegedly deceived customers. The DSW case, like the BJ’s case before it, demonstrates the FTC’s continuing willingness to take action against companies that do not have a specific statutory obligation to safeguard personal information and have never promised customers that their personal information would be secure in the first place. In Aesop’s fable, the hare gets bored and falls asleep while the tortoise crosses the finish line. 
But the FTC is not likely to stop racing ahead unless and until a company refuses to settle and challenges the FTC’s statutory authority. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11414&siteId=547
D.C. CIRCUIT NARROWS FTC’S JURISDICTION UNDER GRAMM-LEACH-BLILEY (Steptoe & Johnson’s E-Commerce Law Week, 10 Dec 2005) -- Hear that wind blowing outside? No, it’s not another winter storm. It’s the entire legal profession breathing a collective sigh of relief, as it avoids the FTC’s jurisdictional claws under the Gramm Leach Bliley Act (GLBA). On December 6, the U.S. Court of Appeals for the D.C. Circuit rejected the FTC’s claim of jurisdiction under the GLBA to regulate law firms as “financial institutions.” American Bar Ass’n v. FTC (No. 04-5257). The appeals court affirmed a district court ruling that the FTC’s decision to subject attorneys to GLBA privacy requirements “exceeded the statutory authority” of the FTC and “was therefore invalid as a matter of law.” This ruling represents a rare defeat for the FTC in a jurisdictional challenge, and provides a useful reminder that there are indeed limits to the types of activities and entities that are covered by the GLBA. The D.C. Circuit’s decision also could bode well for any companies that muster the intestinal fortitude to challenge the FTC’s assertion of jurisdiction in other areas, such as its claim that it can effectively enact and enforce industry information security standards under the “unfair practices” prong of the FTC Act (as discussed above). The American Bar Association case, though not directly relevant to that issue, illustrates just how to frame a successful jurisdictional challenge. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11414&siteId=547
ARIZ. TOWN WILL GO WALL-TO-WALL WIRELESS (AP, 11 Dec 2005) -- Call it a municipal status symbol in the digital age: a city blanketed by a wireless Internet network, accessible at competitive prices throughout the town’s homes, cafes, offices and parks. Tempe, the Phoenix suburb that is home to Arizona State University, is due to have wireless Internet available for all of its 160,000 residents in February, becoming the first city of its size in the United States to have Wi-Fi throughout. Tempe officials hope that by making high-speed Internet as accessible as water or electricity across its 40 square miles, it will attract more technology and biotech companies — and the young, upwardly mobile employees they bring. An increasing number of the nation’s cities are looking at using Internet access as an economic development tool. Few cities have gotten as far as installing systems, “but most cities are realizing that it may be something that they want to do,” said Cheryl Leanza, legislative counsel for the National League of Cities. Philadelphia is developing a citywide high-speed system with EarthLink Inc. Unlike Philly or Tempe, New Orleans is building a free system, though the network speed will be limited. The Tempe network is being installed by NeoReach Wireless, a subsidiary of Bethesda, Md.-based MobilePro Corp. Roughly 400 antenna boxes mounted on light poles throughout the city will be used to stitch together the network, to which NeoReach will sell access, primarily through other providers. The network uses a so-called “mesh” setup, meaning it passes wireless signals from pole to pole and automatically reroutes transmissions if one of the transmitters breaks down. Speeds will vary depending on the number of users logged into the same access point. The network is strong enough only to be picked up outdoors or through one wall, meaning those who want service in their businesses or homes will need a box that serves as a signal booster and router. 
The city of Tempe gave the company access to its light poles in exchange for use of the network in transmitting data to and from city offices and vehicles, said Karrie Rockwell, a spokeswoman for NeoReach. Two hours of free access each day also will be available for Internet users on the Arizona State campus or the nearby Mill Avenue retail district, where the network began a year ago as a pilot project and has proven popular. Robert Jenkins, 50, sits at a coffee house on Mill Avenue a couple of times a week with his laptop, downloading larger files that take too long at home when he uses his mobile phone to access the Internet. NeoReach will directly sell service to outdoor users for $3.95 per hour or $29.95 per month. The resellers of NeoReach access have not yet announced pricing, but Rockwell said it will be cheaper than DSL or cable Internet access. Cable operator Cox Communications Inc. charges $49.95 per month for customers who don’t get Cox phone or TV service. Qwest Communications International Inc. charges $44.99 and $54.99 per month, depending on the speed. Tempe signed a contract with NeoReach after asking for bids — which prevented it from having to start its own utility and probably quelled potential objections to the city’s involvement in a WiFi network. http://news.yahoo.com/s/ap/20051211/ap_on_hi_te/wireless_city
EMPLOYEES LEAKING TRADE SECRETS VIA EMAIL: LACK OF CORPORATE POLICY REACHES WORRYING PROPORTIONS (VNUNet, 12 Dec 2005) -- A study by market research firm Radicati Group has shown that over one in 20 employees has sent company secrets to third parties via email. The Corporate Email User Habits study found that a quarter of those surveyed had forwarded corporate email to their personal accounts for later use, and nearly two thirds use their personal email for company business. “While six per cent may seem like a small number, in a 10,000-user organisation it translates to 600 employees leaking intellectual property,” said Sara Radicati, president of the Radicati Group. “Companies should take a hard look at educating their workforce on its official email policy, and put in place outbound filtering and monitoring technology that can block confidential or sensitive emails before they leave the corporate network, as well as report violations.” Only 22 per cent of companies surveyed had any policy on monitoring outgoing mail, and only half had any kind of internal policy regarding email use. http://www.vnunet.com/vnunet/news/2147460/employees-weakest-link Study at http://www.mirapoint.com/pdfs/whitepapers/End-User-Study-on-Email-Hygiene.pdf ABA’s “Employee Use of the Internet and E-Mail: A Model Corporate Policy With Commentary on Its Use in the U.S. and Other Countries” (shameless plug—I was co-editor) at http://www.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5070395
-- and --
FIRMS COUNT THE COST OF SECURITY THREATS (ElectronicNews.net, 12 Dec 2005) -- According to the State of Information Security 2005 report from PricewaterhouseCoopers and CIO Magazine, not only are security-related events up 22.4 percent on last year’s figures, but the number of organisations reporting financial losses as a result of the attacks is also surging. Twenty-two percent of companies said they had been hit financially, compared with last year’s 7 percent. But despite the growing security threat to businesses, only 37 percent of respondents have a security plan in place, with only 24 percent saying that they expected to develop one in the coming year. However, organisations with a chief information security officer (CISO) or chief security officer (CSO) fare a little better, with 62 percent implementing a security plan. More companies are employing a CISO or CSO, with 40 percent of respondents in the survey having one on the payroll compared with 31 percent in 2004. Security spending is slightly increasing to compensate for the growing threat, accounting for 13 percent of an organisation’s IT budget this year, compared with 11 percent last year. Malicious hackers are the top culprits to carry out the attacks, with 63 percent of events attributed to them compared with 66 percent last year. However, the number of employee-related attacks is also up, at 33 percent compared with 2004’s 28 percent. Former employees remain a likely source of the security threats, representing 20 percent of events. Meanwhile, computer viruses still top the charts as the most common type of attack, rising to 59 percent of attacks from 53 percent the previous year. http://www.enn.ie/frontpage/news-9658009.html
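The Radicati item above recommends outbound filtering that can block confidential mail before it leaves the corporate network and report violations. The following is an added illustration of what such a policy check looks like in code; it is not from the MIRLN item, the Radicati study, or any vendor product. The corporate domain (example.com), the list of personal webmail domains, the “X-Classification” header and the sample messages are all constructed assumptions for the example.

```python
"""Added example of a minimal outbound e-mail policy check (not from the page).
Assumed for illustration: the corporate domain is example.com, personal webmail
domains are the ones in PERSONAL_WEBMAIL, and confidential mail is marked either
by an X-Classification header or by the word "confidential" in the subject."""
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses

CORPORATE_DOMAIN = "example.com"                                # assumed
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}    # assumed list
CONFIDENTIAL_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


@dataclass
class Verdict:
    action: str                          # "allow", "block" or "report"
    reasons: list = field(default_factory=list)


def recipient_domains(msg: EmailMessage) -> set:
    """Collect the lower-cased domain of every To/Cc/Bcc recipient."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses(headers) if "@" in addr}


def check_outbound(msg: EmailMessage) -> Verdict:
    """Apply the policy: confidential mail to any external domain is blocked;
    non-confidential mail forwarded to personal webmail is allowed but reported."""
    external = {d for d in recipient_domains(msg) if d != CORPORATE_DOMAIN}
    if not external:
        return Verdict("allow")          # purely internal traffic is out of scope
    reasons = []
    confidential = (msg.get("X-Classification", "").lower() == "confidential"
                    or bool(CONFIDENTIAL_RE.search(msg.get("Subject", ""))))
    if confidential:
        reasons.append("confidential content addressed to external domain(s): "
                       + ", ".join(sorted(external)))
    webmail = external & PERSONAL_WEBMAIL
    if webmail:
        reasons.append("forwarded to personal webmail: " + ", ".join(sorted(webmail)))
    if confidential:
        return Verdict("block", reasons)
    if webmail:
        return Verdict("report", reasons)
    return Verdict("allow")


def build(sender, to, subject, body, classification=None) -> EmailMessage:
    """Helper to construct a sample message (constructed data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to
    m["Subject"] = subject
    if classification:
        m["X-Classification"] = classification
    m.set_content(body)
    return m


# Constructed sample traffic: one internal message, one leak to an outside
# party, and one employee forwarding work mail to a personal account.
SAMPLES = {
    "internal": build("alice@example.com", "bob@example.com",
                      "CONFIDENTIAL: Q4 plan", "internal draft"),
    "leak": build("alice@example.com", "press@other.org",
                  "Q4 plan", "see attached", classification="Confidential"),
    "self_forward": build("alice@example.com", "alice.home@gmail.com",
                          "FW: meeting notes", "for later"),
}


def run_policy() -> dict:
    """Return the policy action for each sample message, keyed by sample name."""
    return {name: check_outbound(m).action for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = check_outbound(msg)
        print(f"{name:13s} -> {v.action:6s} {'; '.join(v.reasons)}")
```

The split between “block” and “report” reflects the two halves of the study’s recommendation: stop clearly confidential mail at the gateway, but only log the far more common habit of forwarding work mail to a personal account so that the policy produces violation reports rather than a flood of blocked messages.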
MICHIGAN CONSIDERS REQUIRING HIGH-SCHOOL STUDENTS TO TAKE AT LEAST ONE ONLINE COURSE (Chronicle of Higher Education, 13 Dec 2005) -- The Michigan State Board of Education is set to approve a new graduation requirement today that would make every high-school student in the state take at least one online course before receiving a diploma. The new requirement would appear to be the first of its kind in the nation. Mike Flanagan, the Michigan state superintendent of public instruction, said he proposed the online-course requirement, along with other general requirements, to make sure students were prepared for college and for jobs, which are becoming more technology-focused. While most high-school students are adept at using the Internet, Mr. Flanagan said, few of them take courses online. But today’s high-school students are increasingly likely to encounter online courses as more colleges turn to online education, he said. The online-education proposal is included with several other proposed statewide requirements -- including four years of English courses, three years of mathematics, and three years of science. Currently, the only state-required course for graduation in Michigan is a one-semester class in civics, although many of the state’s local school districts have much tougher requirements. If the state Board of Education approves the proposals, they will still need the assent of both the State Legislature and the governor. Mr. Flanagan said he already had strong support for the online proposal in the Legislature. http://chronicle.com/free/2005/12/2005121301t.htm
EUROPEAN REPORT FINDS LITTLE IMPACT FROM DATABASE DIRECTIVE (BNA’s Internet Law News, 14 Dec 2005) -- The EU DG Internal Market and Services has published an evaluation report on the EU’s Database Directive. The report acknowledges that the directive “has had no proven impact on the production of databases” and that the evidence casts doubt on the necessity of the database protection for a thriving database industry. Report at http://europa.eu.int/comm/internal_market/copyright/docs/databases/evaluation_report_en.pdf
EU PARLIAMENT ADOPTS ANTI-TERRORISM DATA RULES (Reuters, 14 Dec 2005) -- The European Parliament on Wednesday adopted new rules drawn up by the European Union to store phone and Internet data for up to two years to fight terrorism and other serious crime. But some EU lawmakers criticised the assembly saying it had caved in to pressure from member states, and arguing that the new rules would allow authorities to do what they wanted with the data. The parliament voted by 378 to 197 with 30 abstentions for a package already agreed between the assembly’s two biggest groups and member states, with European Commission backing. Earlier this month, Britain secured a deal among the EU’s 25 member states that would force telecommunications companies to store data for between six and 24 months. The rules, proposed by the European Commission in September, are part of the EU’s response to attacks in Madrid in 2004 and London this year. The version adopted on Wednesday is tougher than that recommended by the parliament’s civil liberties committee which wanted the data to be stored for one year. The committee’s recommendation was by-passed by the deal struck between member states and the assembly’s right-wing European People’s Party and socialists. The new rules still need to be formally approved by EU member states. Telecom firms have warned that the new rules will be costly to implement, but lawmakers and member states ditched a European Commission proposal that member states pay for extra data storage costs. http://uk.news.yahoo.com/14122005/80/eu-parliament-adopts-anti-terrorism-data-rules.html
IS THE PENTAGON SPYING ON AMERICANS? (MSNBC, 13 Dec 2005) – A year ago, at a Quaker Meeting House in Lake Worth, Fla., a small group of activists met to plan a protest of military recruiting at local high schools. What they didn’t know was that their meeting had come to the attention of the U.S. military. A secret 400-page Defense Department document obtained by NBC News lists the Lake Worth meeting as a “threat” and one of more than 1,500 “suspicious incidents” across the country over a recent 10-month period. The Defense Department document is the first inside look at how the U.S. military has stepped up intelligence collection inside this country since 9/11, which now includes the monitoring of peaceful anti-war and counter-military recruitment groups. “I think Americans should be concerned that the military, in fact, has reached too far,” says NBC News military analyst Bill Arkin. The Department of Defense declined repeated requests by NBC News for an interview. A spokesman said that all domestic intelligence information is “properly collected” and involves “protection of Defense Department installations, interests and personnel.” The military has always had a legitimate “force protection” mission inside the U.S. to protect its personnel and facilities from potential violence. But the Pentagon now collects domestic intelligence that goes beyond legitimate concerns about terrorism or protecting U.S. military installations, say critics. 
Four dozen anti-war meetings: The DOD database obtained by NBC News includes nearly four dozen anti-war meetings or protests, including some that have taken place far from any military installation, post or recruitment center. One “incident” included in the database is a large anti-war protest at Hollywood and Vine in Los Angeles last March that included effigies of President Bush and anti-war protest banners. 
Another incident mentions a planned protest against military recruiters last December in Boston and a planned protest last April at McDonald’s National Salute to America’s Heroes — a military air and sea show in Fort Lauderdale, Fla. The Fort Lauderdale protest was deemed not to be a credible threat and a column in the database concludes: “US group exercising constitutional rights.” Two-hundred and forty-three other incidents in the database were discounted because they had no connection to the Department of Defense — yet they all remained in the database. The DOD has strict guidelines, adopted in December 1982, that limit the extent to which they can collect and retain information on U.S. citizens. Still, the DOD database includes at least 20 references to U.S. citizens or U.S. persons. Other documents obtained by NBC News show that the Defense Department is clearly increasing its domestic monitoring activities. One DOD briefing document stamped “secret” concludes: “[W]e have noted increased communication and encouragement between protest groups using the [I]nternet,” but no “significant connection” between incidents, such as “reoccurring instigators at protests” or “vehicle descriptions.” http://msnbc.msn.com/id/10454316/print/1/displaymode/1098/ DOD Guidelines at http://msnbcmedia.msn.com/i/msnbc/sections/news/DOD.1982.IntelligenceCollectionOnU.S.Persons.pdf
-- and --
PENTAGON WILL REVIEW DATABASE ON U.S. CITIZENS (Washington Post, 15 Dec 2005) -- Pentagon officials said yesterday they had ordered a review of a program aimed at countering terrorist attacks that had compiled information about U.S. citizens, after reports that the database included information on peace protesters and others whose activities posed no threat and should not have been kept on file. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/14/AR2005121402528.html
BETTING ON BIRD FLU (Salon, 13 Dec 2005) -- On Nov. 1, Intrade, a Web site that allows people to bet on the likelihood of future events, issued a press release titled “Trading on Bird Flu -- 65% probability of U.S. case by March 2006!” The release announced that the trading activity on the exchange’s bird flu contracts -- offering savvy “investors” a chance to gamble on when the first strain of the deadly H5N1 will be confirmed in the United States -- had doubled in the last month. The report, put out by Intrade P.R. executive Mike Knesevitch, ended with an ominous, sobering claim: “Can these markets give us insight into global events like pandemics, hurricanes and politics? In the short history Intrade has put together, the answer is YES.” If these predictive markets are as startlingly accurate as they say, this spring the U.S. will get its first case of bird flu and some of us may die. Intrade launched its two bird flu contracts -- one predicting that the potentially deadly, pandemic-causing Asian bird flu will hit the U.S. in December, the other that it will hit in March -- on Oct. 18. (The December contract is now trading at 6, meaning the market is currently predicting a 6 percent chance of the flu hitting the U.S. on or before Dec. 31, the March at 29.6.) Now, with close to $34,000 worth of investor money wrapped up in them, the bird flu contracts are among the most popular on the futures markets site, and company spokesman Brian Keating says he expects betting on the bird flu only to increase as the contracts’ closing dates -- Dec. 31 and March 31, respectively -- approach and as more cases of the bird flu crop up around the world. Contracts on the Intrade exchange can be bought or sold between other members, just as with any other stock exchange, but if an investor chooses to hold on to a contract price until closing, that investor can lose the entire amount invested -- or make a tidy profit. 
In the five years since its inception, Intrade has been accurate in predicting elections, the new pope, the impact of Hurricane Katrina, and the capture of Saddam Hussein. A recent example occurred on Oct. 21 with Supreme Court nominee Harriet Miers’ confirmation contract. At approximately 8:30 that morning, traders monitoring the Harriet Miers confirmation process began aggressively selling contracts betting against her confirmation -- dropping her stock price 42 points in early trading. The following Thursday, Miers withdrew her nomination from the high court. The Intrade market allows, and even thrives on, insider information. Knesevitch confirms that a lot of the market’s members work for government entities and often have the ability to move the market on national events well before news of them has filtered through the media. Dave Saigel, from the Centers for Disease Control, who says he was not aware of the bird flu market, concedes that it might be a useful prediction tool -- and may also help build awareness of the dangers of the disease and its spread. What’s more, he says, the markets have “picked great months for their contracts. December and March are prime flu months.” Jack Marshall, president of Pro Ethics, a consulting firm used to educate organizations on ethical dilemmas in the workplace, agrees that futures markets -- and betting on things like the bird flu -- may be more beneficial than hurtful to society. “It would be different if, say, after 9/11 people are betting on where the next person’s remains would be found, but this is far less sinister than that,” he says. “In postmodernist America we have a black humor and a detachment from a lot of catastrophe anyway. Betting on an abstract event, buying futures in abstraction doesn’t necessarily make things any worse.” Marshall argues that even the New York Stock Exchange allows people to profit from other people’s misery. 
And Marshall says he loves the whole “wisdom of crowds” aspect of futures markets. He says these types of markets offer valid projections about events and do so without any sort of bias -- and he finds more credibility in these markets than any kind of scientific facts. http://www.salon.com/ent/feature/2005/12/13/birdflu/
BEIJING CASTS NET OF SILENCE OVER PROTEST (New York Times, 14 Dec 2005) -- One week after the police violently suppressed a demonstration against the construction of a power plant in China, leaving as many as 20 people dead, an overwhelming majority of the Chinese public still knows nothing of the event. In the wake of the biggest use of armed force against civilians since the Tiananmen massacre in 1989, Chinese officials have used a variety of techniques - from barring reports in most newspapers outside the immediate region to banning place names and other keywords associated with the event from major Internet search engines, like Google - to prevent news of the deaths from spreading. Beijing’s handling of news about the incident, which was widely reported internationally, provides a revealing picture of the government’s ambitions to control the flow of information to its citizens, and of the increasingly sophisticated techniques - a combination of old-fashioned authoritarian methods and the latest Internet technologies - that it uses to keep people in the dark. http://www.nytimes.com/2005/12/14/international/asia/14china.html?ex=1292216400&en=fe07535b1db7c3a1&ei=5090&partner=rssuserland&emc=rss
BUSH LETS U.S. SPY ON CALLERS WITHOUT COURTS (New York Times, 16 Dec 2005) -- Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials. Under a presidential order signed in 2002, the intelligence agency has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible “dirty numbers” linked to Al Qaeda, the officials said. The agency, they said, still seeks warrants to monitor entirely domestic communications. The previously undisclosed decision to permit some eavesdropping inside the country without court approval was a major shift in American intelligence-gathering practices, particularly for the National Security Agency, whose mission is to spy on communications abroad. As a result, some officials familiar with the continuing operation have questioned whether the surveillance has stretched, if not crossed, constitutional limits on legal searches. “This is really a sea change,” said a former senior official who specializes in national security law. “It’s almost a mainstay of this country that the N.S.A. only does foreign searches.” Nearly a dozen current and former officials, who were granted anonymity because of the classified nature of the program, discussed it with reporters for The New York Times because of their concerns about the operation’s legality and oversight. The White House asked The New York Times not to publish this article, arguing that it could jeopardize continuing investigations and alert would-be terrorists that they might be under scrutiny. 
After meeting with senior administration officials to hear their concerns, the newspaper delayed publication for a year to conduct additional reporting. http://select.nytimes.com/gst/abstract.html?res=F00F1FFF3D540C758DDDAB0994DD404482 [Editor: This is the story-of-the-decade for me; separation of powers and Article II supremacy. I’m astounded that the Times sat on it for a year. Reminds me of a senior DOD lawyer who carries a copy of the Constitution in his suit coat pocket, and pulls it out several times a day to cite Article II authority, as if there weren’t two centuries of statutory, regulatory, and case-law gloss.] Related story at http://www.salon.com/news/feature/2005/12/23/bamford/print.html ; interesting legal analysis/blog at http://balkin.blogspot.com/#113526050457460564.
-- but --
OUR DOMESTIC INTELLIGENCE CRISIS (by Judge Richard Posner, Washington Post, 21 Dec 2005) -- We’ve learned that the Defense Department is deeply involved in domestic intelligence (intelligence concerning threats to national security that unfold on U.S. soil). The department’s National Security Agency has been conducting, outside the framework of the Foreign Intelligence Surveillance Act, electronic surveillance of U.S. citizens within the United States. Other Pentagon agencies, notably the one known as Counterintelligence Field Activity (CIFA), have, as described in Walter Pincus’s recent articles in The Post, been conducting domestic intelligence on a large scale. Although the CIFA’s formal mission is to prevent attacks on military installations in the United States, the scale of its activities suggests a broader concern with domestic security. Other Pentagon agencies have gotten into the domestic intelligence act, such as the Information Dominance Center, which developed the Able Danger data-mining program. These programs are criticized as grave threats to civil liberties. They are not. Their significance is in flagging the existence of gaps in our defenses against terrorism. The Defense Department is rushing to fill those gaps, though there may be better ways. The collection, mainly through electronic means, of vast amounts of personal data is said to invade privacy. But machine collection and processing of data cannot, as such, invade privacy. Because of their volume, the data are first sifted by computers, which search for names, addresses, phone numbers, etc., that may have intelligence value. This initial sifting, far from invading privacy (a computer is not a sentient being), keeps most private data from being read by any intelligence officer. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/20/AR2005122001053.html
CAN-SPAM WORKING - FTC (The Register, 21 Dec 2005) -- Legal action and email filtering are helping to minimise the nuisance of spam, according to US federal regulators. In a report (PDF) to Congress on the effectiveness of the US Federal CAN-SPAM Act, the Federal Trade Commission (FTC) concludes that technology has reduced the amount of junk email reaching consumers’ in-boxes. Meanwhile rigorous law enforcement has had a deterrent effect on spammers. “Consumers are receiving less spam now than they were receiving in 2003” when the CAN-SPAM Act was enacted, the FTC concludes. The regulators’ upbeat assessment that the war against spam - if not won - is going in the right direction is supported by figures from some security vendors cited in its report. According to email firm MX Logic, spam accounted for 67 per cent of the email it processed in the first eight months of 2005, down nine percentage points from the 76 per cent spam-rate MX faced in the same period last year. The FTC has brought 21 cases under CAN-SPAM compared to 62 cases against spammers it filed before the enactment of the law. Several important steps can be taken to improve the efficacy of the CAN-SPAM Act, the FTC advises. Laws are needed to help the FTC and other regulators in their quest to trace spammers and sellers who operate outside of the US. Improved user education on spam prevention and continued improvement in filtering tools and techniques to trace spammers will also assist in the fight against junk mail, the FTC reckons. http://www.theregister.co.uk/2005/12/21/can-spam/ Report at http://www.ftc.gov/reports/canspam05/051220canspamrpt.pdf
3RD CIRCUIT UPHOLDS PRIVATE SUITS FOR ECPA VIOLATIONS (BNA’s Internet Law News, 20 Dec 2005) -- The 3rd Circuit Court of Appeals has ruled that a private right of action exists for violation of the Electronic Communications Privacy Act. Case name is DirecTV v. Pepe. Decision at http://caselaw.findlaw.com/data2/circs/3rd/044333p.pdf
FRENCH PARLIAMENT VOTES TO LEGALIZE P2P FILE SHARING (Reuters, 23 Dec 2005) -- The lower house of the French parliament voted to legalize peer-to-peer (P2P) file sharing of movies and music via the Internet. It is a vote that is certain to reverberate around the globe and draw severe criticism from the nation’s film and music industries as well as from actors and recording artists. The vote has been called a revolt against Culture Minister Renaud Donnedieu de Vabres’ draft legislation that would have established steep penalties for individuals convicted of pirating copyrighted materials with a fine of $360,000 and as much as three years of jail time. Several days prior to the matter being taken up on the floor of the parliament, consumer activists delivered a petition with 110,000 signatures criticizing the draft proposal to Vabres. A small group of legislators attached two amendments to Vabres’ bill to establish a monthly global licensing fee of 7 euros (around $8.50). The subscription charge would entitle users to unlimited downloads and legalize what most Western countries have heretofore considered a modern-day scourge. The amendment passed with a small majority, 30 to 28, with only 10 percent of the 577 assembly members actually present. The measure has yet to pass in the upper house. “We are trying to bring the law up to date with reality,” Patrick Bloche, a Socialist representative from Paris who co-authored the amendments, told the New York Times. “It is wrong to describe the eight million French people who have downloaded music from the Internet as delinquents.” http://news.yahoo.com/s/nf/20051223/bs_nf/40473
FLA. ATTORNEY GENERAL SAYS HIS E-MAILS AREN’T SPAM (Reuters, 24 Dec 2005) -- Florida’s attorney general has spearheaded an aggressive campaign against unsolicited e-mails, or spam. But as a candidate for governor, he appears to be generating some unwanted Internet clutter himself. Charlie Crist was a staunch defender of a tough anti-spam law passed by the state legislature last year, under which violators can be fined up to $500 for every e-mail they send. But a report in Thursday’s St. Petersburg Times said Crist, a Republican gubernatorial candidate, had annoyed some residents of the state by sending them unwanted e-mails promoting his candidacy and soliciting campaign donations. Joe Spooner, a 41-year-old investment adviser, told the newspaper he had no idea how the Crist campaign got his e-mail address but repeatedly tried to unsubscribe. After his fifth request to be removed, Spooner sent the Crist campaign an e-mail of his own. He accused Crist of hypocrisy because of the way he seemed to have forgotten all about his vocal crackdown on spammers. “Do I need to file a complaint with the attorney general’s office?” Spooner wrote. The newspaper quoted other people who had received unsolicited e-mails from Crist’s campaign. Crist was not immediately available for comment. http://news.yahoo.com/s/nm/20051223/wr_nm/email_dc
SOUTH KOREA: UR INDICTED. BCNU. (New York Times, 27 Dec 2005) -- South Koreans may look at their cellphones with some trepidation in the new year because prosecutors will start telling people they have been indicted via text messages. In a country where about 75 percent of the population carry cellphones, prosecutors felt it was time to move away from sending legal notices on paper and send them electronically instead, said Lee Young Pyo, an administrative official. “This is a more definite way for the individuals to know they have received a legal notice,” he said. http://www.nytimes.com/2005/12/27/international/27briefs.html
US MILITARY FINDS SOLDIERS’ BLOGS TOO CLOSE FOR COMFORT (Sydney Morning Herald, 28 Dec 2005) – Anyone wanting to hear daily insights into what it is like to be in a convoy hit by an explosion or ordered to pick up the body parts of comrades dismembered by a suicide bomber does not have to be there in person any more. Instead they just need to log on to the internet from the safety of their home or office. In a development that is worrying US military commanders in Iraq, a growing number of US soldiers - 200 at the last count - have set up their own blogs, or internet diaries, and are updating them from the battlefield. The phenomenon, helped by internet cafes at almost all US camps to permit soldiers regular contact with home, has for the first time allowed personal reports of the reality of combat to be read as they happen. Most of the sites started as simple diaries intended to keep in touch with friends and family. But some quickly developed a fan base of thousands. Websites now exist to direct viewers to blogs from specific units or locations. It is a phenomenon that has inevitably raised concern among commanders. In April the US military published its first policy memorandum on websites maintained by soldiers, requiring them to have official approval before starting internet postings. In July the first soldier was punished for publishing information considered sensitive, which includes mention of incidents under investigation or names of servicemen killed or wounded. http://www.smh.com.au/news/world/us-military-worried-by-soldiers-blogs/2005/12/27/1135445571736.html
**** RESOURCES ****
Chris Hoofnagle is the West Coast Director for EPIC. This is his consumer privacy top 10 – http://west.epic.org/archives/2005/11/hoofnagles_cons.html
“The new law of information security: What companies need to do now.” – good article by Thomas Smedinghoff -- http://www.technologyexecutivesclub.com/PDFs/ArticlePDFS/infosecurity.pdf
**** IN MEMORIAM ****
My father, Ira Polley, passed away last week at the age of 88. I’ll miss his laugh, outlook, and guidance. More information at http://www.vip-law.com/irapolleyobit.htm
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
MIRLN stands for Miscellaneous IT Related Legal News, since 1997 a free monthly e-newsletter edited by Vince Polley (www.knowconnect.com). Earlier editions, and email delivery subscription information, are at http://www.knowconnect.com/mirln/
Friday, December 30, 2005
Sunday, December 11, 2005
MIRLN -- Misc. IT Related Legal News [20 Nov – 10 Dec 2005; v8.15]
A CONSTANT STATE OF INSECURITY (InfoWorld, 4 Nov 2005) -- For the past few months an acquaintance of mine has been sniffing various public wireless and wired networks around the world, looking to see what plain text passwords are visible. It was an eye-opening experiment. She used a bunch of different tools, but mostly Cain. At the moment, it collects 18 different passwords or password representations, including plain text passwords sent over HTTP, FTP, ICQ, and SIP protocols, and will automatically collect the user’s log-in name, password (or password representation), and access location. Other than a few simple validity reviews and summary counts, my friend doesn’t look at the log-in names or passwords, and she deletes any collected information after obtaining the counts. She hasn’t used ARP (Address Resolution Protocol) poisoning or done anything other than to count plain text passwords passing by her traveling laptop’s NIC when she’s in a hotel, airport, or other public network. Although some -- including me -- might question her ethics, the information she shared is useful in understanding our true state of insecurity. She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other’s passwords. She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords. As a security professional, my friend often attends security conferences and teaches security classes. She noted that the number of passwords she collected in these venues was higher on average than in non-security locations. 
The very people who are supposed to know more about security than anyone appeared to have a higher-than-normal level of remote access back to their companies, but weren’t using any type of password protection. Another interesting issue my friend noticed was how many HTTPS-enabled Web sites did not implement SSL correctly -- users’ log-in names and passwords were being sent in clear text. This included communications to remotely accessed security devices, portals, and firewalls. The lesson here is never to trust the browser’s padlock icon when connecting to a new Web site or protected device. Sniff yourself and confirm. I did this last year and discovered my awesome anti-spam appliance’s SSL connection wasn’t working. [Commentator: This article shows how poorly even security professionals protect authentication information. I consider this a “must read.”] http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html
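The article's point that a padlock icon proves little is easy to check statically: a page can be served over HTTPS while its login form posts to a plain http:// action, and that is exactly the failure the author's friend observed. The following is an added example, not code from the InfoWorld article, showing a defender-side check that parses a login page's forms, resolves each form action against the page URL, and flags any form holding a password field whose resolved action is not https://. The page URL, hostnames and HTML below are constructed for illustration; forms submitted by JavaScript rather than a plain action attribute are outside what this check sees, so the author's "sniff yourself and confirm" advice still stands as the final test.

```python
"""Flag login forms that would send credentials over plaintext HTTP.

Added example; the page URL, hostnames and HTML are constructed and are
not taken from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>'s resolved action URL and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute values may be None for bare attributes
        if tag == "form":
            # A missing or empty action submits back to the page's own URL;
            # a scheme-relative action ("//host/path") inherits the page's scheme.
            action = a.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_credential_forms(page_url, html):
    """Return the resolved action URLs of forms that carry a password field
    but would submit it over something other than https://.

    A padlock on the page itself does not help if the form posts in the clear.
    """
    parser = _FormCollector(page_url)
    parser.feed(html)
    parser.close()
    return [f["action"] for f in parser.forms
            if f["has_password"] and urlsplit(f["action"]).scheme.lower() != "https"]


# Constructed sample page: served over HTTPS, with four forms of differing risk.
SAMPLE_PAGE_URL = "https://portal.example.test/login"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q" type="text"></form>
<form action="http://portal.example.test/auth" method="post">
  <input name="user" type="text"><input name="pass" type="PASSWORD">
</form>
<form method="post">
  <input name="user"><input name="pw" type="password">
</form>
<form action="//legacy.example.test/login" method="post">
  <input name="pw" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    # Only the second form is flagged: the search form has no password field,
    # the empty action stays on the HTTPS page, and the scheme-relative action
    # inherits https from the page.
    for url in find_cleartext_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("credentials would be sent in the clear to:", url)
```

Run it against the same HTML with an http:// page URL and every password form is flagged, including the empty and scheme-relative actions, which is the "page itself loaded without SSL" case the article describes.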
POLITICOS WARY OF CHANGES TO COPYRIGHT LAW (CNET, 16 Nov 2005) -- Politicians on Wednesday voiced reluctance to rewrite laws and allow people to bypass, in the name of fair use, copy-protection mechanisms on goods such as CDs and software. The statements came at a hearing here convened by a U.S. House of Representatives subcommittee that deals with commerce, trade and consumer protection. A provision of standard copyright law known as fair use allows for permission-free reproduction of certain copyright works, provided it’s for certain noncommercial purposes, such as teaching, news reporting, criticism and research. But fair use gets no mention in the Digital Millennium Copyright Act of 1998, a law that broadly prohibits cracking copy-protection technology found in products such as DVDs, computer software and electronic books. Critics say that omission eats away at consumers’ rights to use the works in ways standard fair use rights would otherwise permit. The law’s supporters, including the entertainment industry, counter that any changes would lead to rampant piracy. Some members of Congress have been trying for years to pass legislation that would build fair use into the DMCA. That’s one of the major goals of their latest effort, called the Digital Media Consumers’ Rights Act. The measure was reintroduced in March by Rep. Rick Boucher, a Virginia Democrat, and backed by Rep. Joe Barton, the Texas Republican who chairs the House Energy and Commerce Committee. http://news.com.com/2100-1030_3-5956328.html
SCIENCE BODY URGES DATA SHARING (BBC, 20 Nov 2005) -- Sharing government-held personal information could bring huge medical and social benefits, a government group has said. The new Council for Science and Technology has recommended pooling data to deliver better targeted public services and improve policymaking. But it said safeguards needed to be in place to protect people’s privacy. The government also needed to start a dialogue with the public on what was being proposed, it said. Information is frequently shared between medical researchers and the private sector. Report author Dr Mark Walport, who heads medical charity the Wellcome Trust, said he had seen the benefit of using databases for researching links between diseases and social conditions. Studies can also monitor the effectiveness of treatments or of the impact of adopting certain policies. However, the owner of the biggest collection of datasets in the country - the UK government - uses the information at its disposal at a fraction of its potential, according to Dr Walport. Personal data is guarded by government departments because of concern about misuse and invasions of privacy. But Dr Walport argued that with more creative thinking the government could improve medical and other social policy-making while at the same time protecting the privacy of individuals. http://news.bbc.co.uk/2/hi/technology/4455306.stm
CT. RULES THAT CDA S. 230 SHIELDS ISP BREACH OF PROMISE (BNA’s Internet Law News, 21 Nov 2005) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Oregon has ruled that the statutory immunity provision found in CDA S.230 applies to a claim alleging that an ISP breached its own promise to remove unauthorized content in response to a complaint. The dispute involved counterfeit Yahoo! profiles and failure by Yahoo! to remove the profiles. Case name is Barnes v. Yahoo!. Article at http://pubs.bna.com/ip/bna/eip.nsf/eh/a0b1z6t5x9
STUDY: SECURITY STILL TOP IT SPENDING PRIORITY (Computerworld, 21 Nov 2005) -- A recent survey of 100 IT executives predicts that IT spending will decrease slightly in 2006 as more businesses worry about global economic conditions, but security software and enterprise IT upgrades remain top concerns. Macroeconomic factors such as high oil prices and a devastating hurricane season in the U.S. have caused 40% of the executives surveyed by Goldman, Sachs & Co. to consider reducing their 2006 IT budgets, according to survey results released Friday. Most executives, 52%, believe IT spending will be unchanged in 2006. Security software has been a long-running priority among the executives on Goldman’s survey panel, and nothing has changed that mind-set based on the current results. Spending on antivirus products has eased up after a flurry of activity, but CIOs continue to focus on improving security in areas like identity management and regulatory compliance, the survey said. Other enterprise software priorities include enterprise resource management and customer relationship management systems, with CIOs upgrading those two categories to top priorities. When Goldman polled its panel in April, ERP and CRM software were considered only medium priorities. http://www.computerworld.com/printthis/2005/0,4814,106422,00.html
SCHOOL RADIO STATIONS FACE COMPETITION OVER LICENSES (New York Times, 23 Nov 2005) -- The week before classes started in August 2004 at Franklin Central High School here, Steve George stopped in to prepare the school radio station for the coming year. As the faculty adviser to WRFT, he wanted to make sure his students were writing and producing public-service announcements. He had to contact a few of Franklin Central’s football rivals to arrange for WRFT to broadcast away games. He was pricing replacements for a 20-year-old remote unit. Then, on Mr. George’s way to the station’s studio, the principal intercepted him to pass along an unexpected piece of mail. It was a petition to the Federal Communications Commission asking that WRFT be denied its license, which was due for renewal, and that its frequency be given to an outfit called the Hoosier Public Radio Corporation. Through his 34 years in commercial radio, the career he left to become a teacher, Mr. George had never once been on a station confronted in this way. He could not imagine why anyone would want to take over WRFT in particular, a 50-watt station with an annual budget of $4,200 and inoffensive programs like “Wakin’ Up in a Flash,” a talk show run by two seniors at the local Chick-fil-A restaurant. “I thought, ‘Is this fiction?’” Mr. George recalled. “Who could do this?” He has since learned the answer. Hoosier Public Radio is largely the enterprise of one man, Martin Hensley, a former radio engineer who now describes his occupation as “serving God.” And the effort by Mr. Hensley to take the F.C.C. license from WRFT, or at least force it to share broadcast time with him, offers but one example of a series of similar conflicts involving student radio stations. At least 20 high school stations, and a handful of college ones, have been fending off challenges to their licenses by Christian broadcasters in the last year. This flurry of action, which seemed so inexplicable to Mr. George, actually has a fierce logic to it. A loophole in commission regulations makes educational stations unusually vulnerable to takeover attempts. Moreover, their frequencies are a lucrative commodity, a bargain-basement way to get onto the air. The commission rarely auctions new frequencies on the crowded radio dial, and existing ones sell for $200,000 or so for a 50-watt operation like WRFT’s to more than $10 million for a major commercial station. “It’s opportunistic,” said Mark Goodman, executive director of the Student Press Law Center, an organization based in Arlington, Va., that provides legal assistance for student journalists. “People see this as a way to go after stations that are of value and of use. In the process, student voices can be lost, and the entire society loses. From teen pregnancy to school testing, we understand our world better and our teenagers better when we hear them.” http://www.nytimes.com/2005/11/23/nyregion/23education.html?ex=1290402000&en=a509d60b6ca4aecf&ei=5090&partner=rssuserland&emc=rss
STUDY SUGGESTS DMCA TAKEDOWN REGS ABUSED (SecurityFocus, 25 Nov 2005) -- One third of all requests to Internet service providers to remove stolen copyrighted material from their servers could likely be defeated in court, according to a study of some 900 notices by two legal experts. The survey examined takedown notices served to Google and another large Internet provider under the Digital Millennium Copyright Act (DMCA) Section 512. Two provisions of that section require that hosting providers and search providers remove content and links to content in order to gain exemption from possible copyright lawsuits. The music and movie industry typically use a different provision of the section to ask for suspected infringers to be cut off from the Internet. According to the study, thirty percent of the notices could be readily challenged in court on clear grounds, such as a substantial fair-use argument and the likelihood that the material is uncopyrightable. One out of 11 notices had such a significant legal flaw--such as not identifying the infringing material--as to render the notice unusable. Moreover, more than half of the notices for link removal that were sent to Google were sent by businesses targeting apparent rivals, the report said. While the authors of the study admit it uses a small sample set, the conclusions support contentions that the DMCA has been used to hobble expression on the Internet, even among security researchers, who have an explicit exemption in the law. http://www.securityfocus.com/brief/62
GENERAL ASSEMBLY ADOPTS CONVENTION ON ELECTRONIC COMMUNICATIONS IN CONTRACTING (UN, 25 Nov 2005) -- Updating international trade law to take account of new technologies, the United Nations General Assembly has adopted a new convention on using electronic communications in international contracting, superseding law negotiated before the development of e-mail and the Internet. The new Convention, approved on Wednesday, will assure companies and traders worldwide that contracts negotiated electronically are as valid and enforceable as traditional paper-based transactions. The provisions deal with such issues as determining a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications and the use of automated message systems for contract formation. Other provisions contain criteria establishing functional equivalence between electronic communications and paper documents, including “original” paper documents, and between electronic authentication methods and hand-written signatures. The UN Commission on International Trade Law (UNCITRAL) Working Group on Electronic Commerce prepared the document from 2002 to late 2004 and adopted it at its 38th Session in Vienna, Austria, in July. The Convention complements and builds upon earlier instruments prepared by UNCITRAL, the core legal body of the UN system in the field of international trade law, including the UNCITRAL Model Law on Electronic Commerce and the UNCITRAL Model Law on Electronic Signatures. The Convention will be open for signature by all States at UN Headquarters from next 16 January to 16 January 2008. A signature event could take place during UNCITRAL’s 39th session in New York next year, from 19 June to 7 July, to promote State participation. http://www.un.org/apps/news/story.asp?NewsID=16685&Cr=general&Cr1=assembly
DUTCH COMPANY STARTS NEW INTERNET ADDRESS SYSTEM (Computerworld, 28 Nov 2005) -- A Dutch company has launched a new Internet addressing service that does away with the most common top-level domains (TLDs), such as .com and .edu, and allows organizations and individuals to register Internet addresses that end with the name of their business, or virtually any other word they choose. UnifiedRoot S & M BV, based in Amsterdam, said its system allows its customers to use more intuitive Internet addresses that are easier to remember. They can combine the TLDs with second-level domains for categories of products and services, such as fruit.supermarket and vegetables.supermarket, for example. The company has set up 13 master root servers around the world to run its Domain Name System (DNS), which it said will run “in parallel” with the Internet’s principal DNS, run by the Internet Corporation for Assigned Names and Numbers (ICANN). To avoid conflicts, UnifiedRoot won’t register TLDs already registered by ICANN, it said. Its success will depend partly on cooperation from ISPs, which will have to update their DNS server directories in order for them to include UnifiedRoot’s DNS servers. European ISP Tiscali SpA has made the change, according to Seeboldt, along with several local ISPs in Turkey. Without the cooperation of ISPs, end users will have to reconfigure their own PCs to recognize the UnifiedRoot TLDs, which the company acknowledged could be tricky for some users. http://www.computerworld.com/news/2005/story/0,11280,106559,00.html
THIRD CIRCUIT OFFERS A TUTORIAL ON THE CFAA AS A CIVIL CAUSE OF ACTION (Steptoe & Johnson’s E-Commerce Law Week, 26 Nov 2005) -- A recent decision by the US Court of Appeals for the Third Circuit in P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, clarified that injunctive relief is available in civil suits brought under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and that a civil suit can be brought not just where access to a computer causes damage, but also where something of value is allegedly taken from that computer. This clarification was necessitated by a district court’s utter confusion over the terms of the CFAA, including whether it even offered a basis for a civil claim. This just goes to show how novel civil suits over security breaches still are. Nevertheless, despite feeling compelled to give the district court a primer on the CFAA, the Third Circuit upheld the lower court’s denial of a preliminary injunction on the ground that the plaintiffs had failed to allege what precisely the defendants had taken from their computers, an essential element of a claim based on § 1030(a)(4). So apparently the district court wasn’t the only one that needed to be taken to school. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11317&siteId=547
PENTAGON’S URBAN RECON TAKES WING (Wired, 29 Nov 2005) -- A leading defense contractor has successfully demonstrated a system that lets foot soldiers command unmanned aerial vehicles, or UAVs, to see real-time overhead images on their handheld computers while fighting in urban battle zones. Individual war fighters can receive video-surveillance data on a target of interest by moving a cursor over the subject, as part of a Northrop Grumman system to automate reconnaissance, surveillance and target acquisition, or RSTA, within urban environments. UAVs have already proven their worth in the kinds of urban battle zones that produce daily headlines out of Iraq -- places like Falluja and Najaf, where the drones can navigate the labyrinth of streets or stealthily peer into buildings. But ground troops don’t currently have direct access to this surveillance and reconnaissance data, and they have no control of the aircraft that deliver it. That’s what HURT, for Heterogeneous Urban RSTA, promises to change. Northrop demonstrated the system this fall on the former site of Georgia Air Force Base in Victorville, California, on a grid of abandoned streets and buildings used to train soldiers in urban combat. Two fixed-wing UAVs, a Raven and a Pointer, along with an Rmax rotorcraft, were put aloft under the control of the system. Participants on the ground were able to view wide-area surveillance of the battle zone on handheld monitors, but could also send one of the UAVs in for a closer look at a suspected enemy position by merely moving over the subject with their cursor. http://www.wired.com/news/technology/0,1282,69612,00.html
PLAN TO PUT COMPANY REPORTS ON THE WEB (Reuters, 30 Nov 2005) -- Corporations would be allowed to post proxy statements and annual reports on Web sites, instead of sending them through the mail, under a plan proposed Tuesday by federal regulators. The Securities and Exchange Commission voted 5 to 0 to submit the plan to a 60-day public comment period, with a final vote by the commission expected later. Aimed at saving postage and printing costs, the so-called e-proxy measure is also seen as a way to cut the costs to shareholders of waging proxy contests. Under the proposed rule, investors would receive a postcard notice in the mail telling them that a proxy statement and annual report was available online. Investors wishing to continue receiving printed matter could request it. “Studies show that today 75 percent of Americans now have access to the Internet and this percentage is rising steadily,” Christopher Cox, the S.E.C. chairman, said at a meeting. “The percentage of investors with Internet access is even higher.” The proposal, if adopted early next year, would probably not be enacted in time for the 2006 proxy season but would come into play in 2007, said Alan L. Beller, director of the S.E.C.’s corporate finance division. http://www.nytimes.com/2005/11/30/business/30regulate.html?ex=1291006800&en=1b09ce18cb246bdc&ei=5090&partner=rssuserland&emc=rss
ANGRY BELLSOUTH WITHDREW DONATION, NEW ORLEANS SAYS (Washington Post, 3 Dec 2005) -- Hours after New Orleans officials announced Tuesday that they would deploy a city-owned, wireless Internet network in the wake of Hurricane Katrina, regional phone giant BellSouth Corp. withdrew an offer to donate one of its damaged buildings that would have housed new police headquarters, city officials said yesterday. According to the officials, the head of BellSouth’s Louisiana operations, Bill Oliver, angrily rescinded the offer of the building in a conversation with New Orleans homeland security director Terry Ebbert, who oversees the roughly 1,650-member police force. City officials said BellSouth was upset about the plan to bring high-speed Internet access for free to homes and businesses to help stimulate resettlement and relocation to the devastated city. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/02/AR2005120201853.html
EUROPEAN LEGAL MINEFIELD FOR SOX WHISTLEBLOWER PROGRAMS (Steptoe & Johnson’s E-Commerce Law Week, 3 Dec 2005) -- Every so often unexploded ordnance from as far back as World War I is discovered in Europe, particularly in France. But for companies in Europe -- especially those that are subject to the US Sarbanes-Oxley Act (“SOX”) -- a more dangerous minefield appears to be the legal one that is emerging from the conflict between SOX whistleblower obligations and European data protection law. And (sacré bleu!) again the problem is most acute in France. The Commission Nationale de l’Informatique et des Libertés, the French data protection authority, has just released guidelines on the implementation of whistleblower reporting hotlines in France (“Guidelines”). Combined with a court decision in Germany earlier this year regarding the interaction of works councils and whistleblower hotlines, the Guidelines create a very confusing European legal environment for whistleblower programs. It now appears that European Union authorities will also jump into the controversy, and that the issue is also likely to spread to other European countries. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11361&siteId=547 [EDITOR: inter alia, the Guidelines protect supervisors’ reputations against anonymous complaints, thereby conflicting with the whistleblower rules.]
UPLOAD, STORE, PLAY AND SHARE IN A FEW CLICKS (New York Times, 3 Dec 2005) -- In Hollywood, young screenwriters have “elevator pitches” always at the ready--pithy descriptions of their screenplays, intended to capture the imagination of passing movie executives. You know: “It’s ‘Titanic’ on a spaceship.” “It’s a female ‘Harry Potter.’” “It’s ‘Raising Arizona’ meets ‘Leaving Las Vegas.’” Most of the time, high-tech companies can describe their products with equal efficiency, but not always. Take, for example, Glide Effortless, a new Web service that went live Wednesday. “What is Glide Effortless?” its news release asks. “It is a compatible browser-based online solution with integrated software and service environments, providing powerful file management, creation, communication, sharing and e-commerce capabilities.” Here’s another stab: It’s a personal Web site to which you can upload your favorite photos, MP3 files, video clips and even Word, PowerPoint or PDF documents. (A separate companion program speeds the uploading process by letting you drag and drop big batches of files at once.) Once everything’s posted on the Web site, you can do two things with it: manage it or share it. http://news.com.com/Upload%2C+store%2C+play+and+share+in+a+few+clicks/2100-1038_3-5978421.html?tag=nefd.top [Editor: Collaboration spaces (like wikis) are important elements of my Knowledge Management practice; Glide’s offering is at one end of the capabilities-spectrum, which is being elongated in some interesting ways. Commoditization won’t be too far off.]
-- and --
SNARED IN THE WEB OF A WIKIPEDIA LIAR (New York Times, 4 December 2005) -- According to Wikipedia, the online encyclopedia, John Seigenthaler Sr. is 78 years old and the former editor of The Tennessean in Nashville. But is that information, or anything else in Mr. Seigenthaler’s biography, true? The question arises because Mr. Seigenthaler recently read about himself on Wikipedia and was shocked to learn that he “was thought to have been directly involved in the Kennedy assassinations of both John and his brother Bobby.” Mr. Seigenthaler discovered that the false information had been on the site for several months and that an unknown number of people had read it, and possibly posted it on or linked it to other sites. If any assassination was going on, Mr. Seigenthaler (who is 78 and did edit The Tennessean) wrote last week in an op-ed article in USA Today, it was of his character. The case triggered extensive debate on the Internet over the value and reliability of Wikipedia, and more broadly, over the nature of online information. Wikipedia is a kind of collective brain, a repository of knowledge, maintained on servers in various countries and built by anyone in the world with a computer and an Internet connection who wants to share knowledge about a subject. Literally hundreds of thousands of people have written Wikipedia entries. Mistakes are expected to be caught and corrected by later contributors and users. The whole nonprofit enterprise began in January 2001, the brainchild of Jimmy Wales, 39, a former futures and options trader who lives in St. Petersburg, Fla. He said he had hoped to advance the promise of the Internet as a place for sharing information. It has, by most measures, been a spectacular success. Wikipedia is now the biggest encyclopedia in the history of the world. As of Friday, it was receiving 2.5 billion page views a month, and offering at least 1,000 articles in 82 languages. The number of articles, already close to two million, is growing by 7 percent a month. And Mr. Wales said that traffic doubles every four months. Still, the question of Wikipedia, as of so much of what you find online, is: Can you trust it? And beyond reliability, there is the question of accountability. Mr. Seigenthaler, after discovering that he had been defamed, found that his “biographer” was anonymous. He learned that the writer was a customer of BellSouth Internet, but that federal privacy laws shield the identity of Internet customers, even if they disseminate defamatory material. And the laws protect online corporations from libel suits. He could have filed a lawsuit against BellSouth, he wrote, but only a subpoena would compel BellSouth to reveal the name. In the end, Mr. Seigenthaler decided against going to court, instead alerting the public, through his article, “that Wikipedia is a flawed and irresponsible research tool.” http://www.nytimes.com/2005/12/04/weekinreview/04seelye.html?ex=1291352400&en=6a97402d6595c6f1&ei=5090&partner=rssuserland&emc=rss and http://news.com.com/Is+Wikipedia+safe+from+libel+liability/2100-1025_3-5984880.html?tag=nefd.lede
CAL. APPELLATE CT. RULES AGAINST EARTHLINK FORUM CLAUSE (BNA’s Internet Law News, 5 Dec 2005) -- A California appeals court has held that Earthlink’s arbitration and forum selection clauses in its DSL click through agreement are unenforceable under California law. The case arose as part of a class action suit, with the court ruling that “a forum selection clause that discourages legitimate claims by imposing unreasonable geographical barriers is unenforceable under well-settled California law.” Decision at http://www.courtinfo.ca.gov/opinions/documents/B177146.PDF
9/11 PANEL FAULTS GOVERNMENT ON CYBERSECURITY (CNET, 6 Dec 2005) -- The federal government is not making enough progress in protecting critical infrastructures such as communications networks and the Internet, said former members of the commission that investigated the attacks of Sept. 11, 2001. Progress also is lacking in airline security and providing radio spectrum to first responders, according to the 9/11 Public Discourse Project, which is made up of the 10 individuals--five Republicans and five Democrats--who served on the Sept. 11 commission. The 9/11 Public Discourse Project on Monday issued a report card with an A- for battling terrorist financing, but all 40 of the other grades (see PDF) were lower. “There are far too many C’s, D’s and F’s in the report card we will issue today. Many obvious steps that the American people assume have been completed have not been. Our leadership is distracted,” the project leaders said in a statement. Critical infrastructure protection initiatives received a D: No risk and vulnerability assessments have been made; no national priorities have been established; and no recommendations have been made on allocation of scarce resources, according to the report. “All key decisions are at least a year away. It is time that we stop talking about setting priorities, and actually set some,” the former commissioners wrote. The shortcomings are “shocking” and “scandalous,” according to the 9/11 Public Discourse Project. The government also was faulted for a lack of agency information-sharing that’s needed to strengthen intelligence, members said. The former commissioners also critiqued the work on new, more secure ID cards according to the Real ID Act. New standards for issuing birth certificates continue to be delayed until at least early 2006. “Without movement on the birth certificate issue, state-issued IDs are still not secure,” according to the report. In addition, Congress has failed to take a leading role in passport security, the report said. http://news.com.com/911+panel+faults+government+on+cybersecurity/2100-7348_3-5984743.html?tag=nefd.top
WEB OF LIES (InsideHigherEd, 6 Dec 2005) -- When several of his colleagues expressed doubts about whether they would eventually want to tenure him, William Bradford, an associate professor of law at Indiana University in Indianapolis, went public with his complaints. He posted on blogs, he talked on the radio, he talked to this Web site, he hit “The O’Reilly Factor.” His message: Liberal faculty members were pushing him out because he is conservative, a war veteran and a Native American who didn’t fit a liberal mold for Native Americans. But as Bradford’s complaints grew louder, his story unraveled. It has now become clear that Bradford lied about, among other things, his military service. University officials confirmed Monday that Bradford — who did not respond to e-mail and voice messages and who hasn’t commented on the latest events — has resigned, effective January 1. Bradford appeared on the national radar this summer, after five faculty members on a review committee, which did authorize his reappointment, said they did not think he deserved tenure at the time. Bradford, whose degrees include one each from Northwestern and Harvard Universities, railed against what he claimed was a liberal conspiracy against him. http://insidehighered.com/news/2005/12/06/bradford [Editor: Mr. Bradford has some interesting ideas; I’ve heard him deliver an impassioned argument for the Bush administration’s “pre-emptive war” doctrine; some thought it (and the doctrine) over-the-top.]
OK, OK, MAYBE PIRACY IS BAD (Wired, 8 Dec 2005) -- Software piracy is rampant and hampering economic growth, and it is increasingly in the hands of organized groups which are regarded as legitimate businesses in some countries. The global piracy rate is currently around 35 percent, coming down only 1 percent a year, research group IDC found in a study commissioned by the Business Software Alliance, which represents around 50 software firms. The study, covering 70 countries which represent 99 percent of the world’s information technology spending, said that a worldwide reduction of software piracy by 10 percentage points to 25 percent could generate 2.4 million jobs and $400 billion of economic growth. The battle against software piracy has been relatively successful over the last 15 years, with the piracy rate in Europe dropping to 35 percent from almost 80 percent in 1992 when the European authorities adopted special legislation. Still, a 35 percent piracy rate is more than 20 times higher than the percentage that retail stores lose through shoplifting. At its worst, piracy runs as high as 90 percent in China and 87 percent in Russia. The United States has a modest 21 percent piracy rate. China is already one of the world’s biggest personal computer markets, but does not even make it into the top 20 of software markets because so much software is illegally copied. http://www.wired.com/news/business/0,1367,69785,00.html
EFF MOVES TO BLOCK CERTIFICATION OF E-VOTING SYSTEMS (CNET, 9 Dec 2005) -- The Electronic Frontier Foundation filed a complaint aimed at blocking North Carolina’s recent certifications of voting machines, saying state elections officials failed to meet legal requirements before signing off on the systems. The complaint, filed in Wake County Superior Court by the EFF and a Raleigh lawyer on behalf of a local voters’ advocate, calls for a judge to void certifications that the Board of Elections issued last week to Diebold, ES&S and Sequoia Voting Systems. It also requests a restraining order that would prevent elections officials from certifying any new systems until they comply fully with state election laws. The state legislature modified those laws this summer, setting new standards for e-voting machines and requiring that existing systems be decertified. State elections officials “exceeded their statutory authority” in signing off on the systems, because they disregarded the law in two areas, the complaint charges. First, they failed to complete a comprehensive review of various security features on the systems, and second, they neglected to obtain every bit of source code associated with software on the devices--one of the new legal requirements. E-voting machines continue to generate security concerns and calls for reform. During the 2004 presidential election, officials acknowledged that glitches in some systems led to lost votes in a few states’ tallies--including 4,500 in one North Carolina county. Diebold, an Ohio-based company that makes automatic-teller machines as well, is also no stranger to controversy. Last year, California officials questioned the company on the integrity of its systems and recommended banning Diebold machines from the state. http://news.com.com/EFF+moves+to+block+certification+of+e-voting+systems/2100-1028_3-5988243.html?tag=nefd.top EFF Complaint at http://www.eff.org/Activism/E-voting/EFF_Mandamus_Complaint_TRO_20051208140945.pdf
WORKER PRIVACY: YOU HAVE NONE (Wired, 9 Dec 2005) -- If you have internet access at work, there’s a very good chance your employer has a system in place to monitor your online activities. So, if you’re concerned about privacy, take heed. Under current U.S. law, there’s little you can do to protect the confidentiality of your internet use on the job. Here’s a rundown of the rights you don’t have at work. Notice of monitoring: Only two states (Connecticut and Delaware) require that employers inform workers if they are monitoring online activity, according to Jeremy Gruber, legal director, the National Workrights Institute. Federal legislation requiring such disclosure has been proposed but not enacted. That said, most employers do provide notice to employees if they track workplace web use. In an employer survey conducted this year by the American Management Association and the ePolicy Institute, 89 percent of respondents said they notify employees if their web usage is being tracked. Privacy outside the office: More workers are telecommuting these days, often using laptops and other portable devices provided by their employer. But leaving the office doesn’t guarantee freedom from internet surveillance. Using the company laptop to remotely access its network is, from a monitoring legality standpoint, generally the same as working from the office, said Mark Schreiber, a partner at Edwards Angell Palmer & Dodge, who advises firms regarding internet use policies. People who are entering the company network from home, even from their personal computer, should be aware that online activities may be monitored. To protect privacy, Gruber recommends investing in your own equipment: “Use your own system that is in no way, shape, or form connected through the employer’s network,” he said. The right to blog: People who like to blog -- especially about their employer -- should refrain from doing so at work. “The computer system is the property of the employer, and the employer has the right to monitor all internet activity,” said Nancy Flynn, executive director of the ePolicy Institute. “That would include blog posts and all e-mail and internet transmissions.” Flynn estimates that hundreds of people have been fired for their blog content in recent years. In the AMA/ePolicy survey, 26 percent of respondents said they had fired workers for misusing the internet. A quarter of employers also said they’d terminated workers for e-mail misuse. Weekend work without monitoring: If you’re laboring overtime and taking work home for the weekend, employers are likely still monitoring your online activities if you use their equipment or network, says Gruber. That means employees might want to be careful about personal web-surfing or e-mail activities until they’ve logged off the company server. http://www.wired.com/news/privacy/0,1848,69732,00.html
LIVE TRACKING OF MOBILE PHONES PROMPTS COURT FIGHTS ON PRIVACY (New York Times, 10 Dec 2005) -- Most Americans carry cellphones, but many may not know that government agencies can track their movements through the signals emanating from the handset. In recent years, law enforcement officials have turned to cellular technology as a tool for easily and secretly monitoring the movements of suspects as they occur. But this kind of surveillance - which investigators have been able to conduct with easily obtained court orders - has now come under tougher legal scrutiny. In the last four months, three federal judges have denied prosecutors the right to get cellphone tracking information from wireless companies without first showing “probable cause” to believe that a crime has been or is being committed. That is the same standard applied to requests for search warrants. The rulings, issued by magistrate judges in New York, Texas and Maryland, underscore the growing debate over privacy rights and government surveillance in the digital age. With mobile phones becoming as prevalent as conventional phones (there are 195 million cellular subscribers in this country), wireless companies are starting to exploit the phones’ tracking abilities. For example, companies are marketing services that turn phones into even more precise global positioning devices for driving or allowing parents to track the whereabouts of their children through the handsets. Not surprisingly, law enforcement agencies want to exploit this technology, too - which means more courts are bound to wrestle with what legal standard applies when government agents ask to conduct such surveillance. Cellular operators like Verizon Wireless and Cingular Wireless know, within about 300 yards, the location of their subscribers whenever a phone is turned on. Even if the phone is not in use it is communicating with cellphone tower sites, and the wireless provider keeps track of the phone’s position as it travels. The operators have said that they turn over location information when presented with a court order to do so. http://www.nytimes.com/2005/12/10/technology/10phone.html?ex=1291870800&en=2019ce35d6b47983&ei=5090&partner=rssuserland&emc=rss
**** RESOURCES ****
THE SHIDLER JOURNAL OF LAW, COMMERCE & TECHNOLOGY is pleased to announce the recent publication of Volume 2, Issue 2. Abstracts for each of the articles in the current issue are provided below. Simply click on an article title to access a full text version of the article, or visit the Journal’s home page at www.lctjournal.washington.edu. The website also includes articles from past issues of the Journal. Recent titles are: “The FACT Act of 2003: Securing Personal Information In an Age of Identity Theft”; “Liability Under the Americans with Disabilities Act for Private Web Site Operators”; “Streamlined Sales and Use Tax Agreement: Is Your Business Ready for Compliance?”; “Proposed Federal Definition of ‘Internet Job Applicant’ Suggests Need for Revised Human Resource Policies”; and “‘I Didn’t Know My Client Wasn’t Complying!’ - The Heightened Obligation Lawyers Have to Ensure Clients Follow Court Orders in Litigation Matters”.
The GAO now supplies reports and testimony via RSS – click the RSS button on http://www.gao.gov/
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
A CONSTANT STATE OF INSECURITY (InfoWorld, 4 Nov 2005) -- For the past few months an acquaintance of mine has been sniffing various public wireless and wired networks around the world, looking to see what plain text passwords are visible. It was an eye-opening experiment. She used a bunch of different tools, but mostly Cain. At the moment, it collects 18 different passwords or password representations, including plain text passwords sent over HTTP, FTP, ICQ, and SIP protocols, and will automatically collect the user’s log-in name, password (or password representation), and access location. Other than a few simple validity reviews and summary counts, my friend doesn’t look at the log-in names or passwords, and she deletes any collected information after obtaining the counts. She hasn’t used ARP (Address Resolution Protocol) poisoning or done anything other than to count plain text passwords passing by her traveling laptop’s NIC when she’s in a hotel, airport, or other public network. Although some -- including me -- might question her ethics, the information she shared is useful in understanding our true state of insecurity. She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other’s passwords. She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords. As a security professional, my friend often attends security conferences and teaches security classes. She noted that the number of passwords she collected in these venues was higher on average than in non-security locations. The very people who are supposed to know more about security than anyone appeared to have a higher-than-normal level of remote access back to their companies, but weren’t using any type of password protection. Another interesting issue my friend noticed was how many HTTPS-enabled Web sites did not implement SSL correctly -- users’ log-in names and passwords were being sent in clear text. This included communications to remotely accessed security devices, portals, and firewalls. The lesson here is never to trust the browser’s padlock icon when connecting to a new Web site or protected device. Sniff yourself and confirm. I did this last year and discovered my awesome anti-spam appliance’s SSL connection wasn’t working. [Commentator: This article shows how poorly even security professionals protect authentication information. I consider this a “must read.”] http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html
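As an added defender-side example (not from the InfoWorld article or its author), the check below implements the “don’t trust the padlock” point offline: it parses a login page’s HTML and reports any password field whose form action resolves to a non-HTTPS URL, the pattern the article describes where an HTTPS page still sends credentials in the clear. The page URLs, host names and HTML samples are constructed for the example.

```python
"""Audit a login page's forms for credential submission over cleartext HTTP.

A padlock on the page you are looking at does not prove that the request
carrying your password is encrypted: the <form action> may point at plain
HTTP. This module parses the page's forms and flags that case.
Sample pages are constructed below; nothing here touches the network.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its action, method and password-field names."""

    def __init__(self):
        super().__init__()
        self.forms = []        # completed forms
        self._current = None   # form currently being parsed, or None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "password_fields": [],
            }
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(attrs.get("name") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        super().close()
        if self._current is not None:  # tolerate a page that never closes its <form>
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding dict per form that carries a password field.

    severity is "cleartext" when the resolved action is not https,
    "query-string" when the password would travel in a GET URL (and so
    into proxy and server logs), and "ok" otherwise.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        scheme = urlsplit(target).scheme.lower()
        if scheme != "https":
            severity = "cleartext"
        elif form["method"] == "get":
            severity = "query-string"
        else:
            severity = "ok"
        findings.append({
            "action": target,
            "method": form["method"],
            "password_fields": form["password_fields"],
            "severity": severity,
        })
    return findings


def summarize(page_url, html):
    """Convenience wrapper returning (severity, resolved action) pairs."""
    return [(f["severity"], f["action"]) for f in audit_login_forms(page_url, html)]


# Constructed samples (hypothetical hosts): an HTTPS page whose form posts the
# password to plain HTTP, and a correctly configured page using a relative action.
PADLOCK_BUT_CLEARTEXT = """
<html><body>
<form action="http://portal.example.test/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
</body></html>
"""
CORRECT = """
<html><body>
<form action="/login" method="POST">
  <input name="user"><input type="PASSWORD" name="pw" />
</form>
</body></html>
"""

if __name__ == "__main__":
    for html in (PADLOCK_BUT_CLEARTEXT, CORRECT):
        for f in audit_login_forms("https://portal.example.test/", html):
            print(f"{f['severity']:12} {f['method']:4} {f['action']}  fields={f['password_fields']}")
```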
POLITICOS WARY OF CHANGES TO COPYRIGHT LAW (CNET, 16 Nov 2005) -- Politicians on Wednesday voiced reluctance to rewrite laws and allow people to bypass, in the name of fair use, copy-protection mechanisms on goods such as CDs and software. The statements came at a hearing here convened by a U.S. House of Representatives subcommittee that deals with commerce, trade and consumer protection. A provision of standard copyright law known as fair use allows for permission-free reproduction of certain copyright works, provided it’s for certain noncommercial purposes, such as teaching, news reporting, criticism and research. But fair use gets no mention in the Digital Millennium Copyright Act of 1998, a law that broadly prohibits cracking copy-protection technology found in products such as DVDs, computer software and electronic books. Critics say that omission eats away at consumers’ rights to use the works in ways standard fair use rights would otherwise permit. The law’s supporters, including the entertainment industry, counter that any changes would lead to rampant piracy. Some members of Congress have been trying for years to pass legislation that would build fair use into the DMCA. That’s one of the major goals of their latest effort, called the Digital Media Consumers’ Rights Act. The measure was reintroduced in March by Rep. Rick Boucher, a Virginia Democrat, and backed by Rep. Joe Barton, the Texas Republican who chairs the House Energy and Commerce Committee. http://news.com.com/2100-1030_3-5956328.html
SCIENCE BODY URGES DATA SHARING (BBC, 20 Nov 2005) -- Sharing government-held personal information could bring huge medical and social benefits, a government group has said. The new Council for Science and Technology has recommended pooling data to deliver better targeted public services and improve policymaking. But it said safeguards needed to be in place to protect people’s privacy. The government also needed to start a dialogue with the public on what was being proposed, it said. Information is frequently shared between medical researchers and the private sector. Report author Dr Mark Walport, who heads medical charity the Wellcome Trust, said he had seen the benefit of using databases for researching links between diseases and social conditions. Studies can also monitor the effectiveness of treatments or of the impact of adopting certain policies. However, the owner of the biggest collection of datasets in the country - the UK government - uses the information at its disposal at a fraction of its potential, according to Dr Walport. Personal data is guarded by government departments because of concern about misuse and invasions of privacy. But Dr Walport argued that with more creative thinking the government could improve medical and other social policy-making while at the same time protecting the privacy of individuals. http://news.bbc.co.uk/2/hi/technology/4455306.stm
CT. RULES THAT CDA S. 230 SHIELDS ISP BREACH OF PROMISE (BNA’s Internet Law News, 21 Nov 2005) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Oregon has ruled that the statutory immunity provision found in CDA S.230 applies to a claim alleging that an ISP breached its own promise to remove unauthorized content in response to a complaint. The dispute involved counterfeit Yahoo! profiles and failure by Yahoo! to remove the profiles. Case name is Barnes v. Yahoo!. Article at http://pubs.bna.com/ip/bna/eip.nsf/eh/a0b1z6t5x9
STUDY: SECURITY STILL TOP IT SPENDING PRIORITY (Computerworld, 21 Nov 2005) -- A recent survey of 100 IT executives predicts that IT spending will decrease slightly in 2006 as more businesses worry about global economic conditions, but security software and enterprise IT upgrades remain top concerns. Macroeconomic factors such as high oil prices and a devastating hurricane season in the U.S. have caused 40% of the executives surveyed by Goldman, Sachs & Co. to consider reducing their 2006 IT budgets, according to survey results released Friday. Most executives, 52%, believe IT spending will be unchanged in 2006. Security software has been a long-running priority among the executives on Goldman’s survey panel, and nothing has changed that mind-set based on the current results. Spending on antivirus products has eased up after a flurry of activity, but CIOs continue to focus on improving security in areas like identity management and regulatory compliance, the survey said. Other enterprise software priorities include enterprise resource management and customer relationship management systems, with CIOs upgrading those two categories to top priorities. When Goldman polled its panel in April, ERP and CRM software were considered only medium priorities. http://www.computerworld.com/printthis/2005/0,4814,106422,00.html
SCHOOL RADIO STATIONS FACE COMPETITION OVER LICENSES (New York Times, 23 Nov 2005) -- The week before classes started in August 2004 at Franklin Central High School here, Steve George stopped in to prepare the school radio station for the coming year. As the faculty adviser to WRFT, he wanted to make sure his students were writing and producing public-service announcements. He had to contact a few of Franklin Central’s football rivals to arrange for WRFT to broadcast away games. He was pricing replacements for a 20-year-old remote unit. Then, on Mr. George’s way to the station’s studio, the principal intercepted him to pass along an unexpected piece of mail. It was a petition to the Federal Communications Commission asking that WRFT be denied its license, which was due for renewal, and that its frequency be given to an outfit called the Hoosier Public Radio Corporation. Through his 34 years in commercial radio, the career he left to become a teacher, Mr. George had never once been on a station confronted in this way. He could not imagine why anyone would want to take over WRFT in particular, a 50-watt station with an annual budget of $4,200 and inoffensive programs like “Wakin’ Up in a Flash,” a talk show run by two seniors at the local Chick-fil-A restaurant. “I thought, ‘Is this fiction?’” Mr. George recalled. “Who could do this?” He has since learned the answer. Hoosier Public Radio is largely the enterprise of one man, Martin Hensley, a former radio engineer who now describes his occupation as “serving God.” And the effort by Mr. Hensley to take the F.C.C. license from WRFT, or at least force it to share broadcast time with him, offers but one example of a series of similar conflicts involving student radio stations. At least 20 high school stations, and a handful of college ones, have been fending off challenges to their licenses by Christian broadcasters in the last year. This flurry of action, which seemed so inexplicable to Mr. George, actually has a fierce logic to it. A loophole in commission regulations makes educational stations unusually vulnerable to takeover attempts. Moreover, their frequencies are a lucrative commodity, a bargain-basement way to get onto the air. The commission rarely auctions new frequencies on the crowded radio dial, and existing ones sell for $200,000 or so for a 50-watt operation like WRFT’s to more than $10 million for a major commercial station. “It’s opportunistic,” said Mark Goodman, executive director of the Student Press Law Center, an organization based in Arlington, Va., that provides legal assistance for student journalists. “People see this as a way to go after stations that are of value and of use. In the process, student voices can be lost, and the entire society loses. From teen pregnancy to school testing, we understand our world better and our teenagers better when we hear them.” http://www.nytimes.com/2005/11/23/nyregion/23education.html?ex=1290402000&en=a509d60b6ca4aecf&ei=5090&partner=rssuserland&emc=rss
STUDY SUGGESTS DMCA TAKEDOWN REGS ABUSED (SecurityFocus, 25 Nov 2005) -- One third of all requests to Internet service providers to remove stolen copyrighted material from their servers could likely be defeated in court, according to a study of some 900 notices by two legal experts. The survey examined takedown notices served to Google and another large Internet provider under the Digital Millennium Copyright Act (DMCA) Section 512. Two provisions of that section require that hosting providers and search providers remove content and links to content in order to gain exemption from possible copyright lawsuits. The music and movie industry typically use a different provision of the section to ask for suspected infringers to be cut off from the Internet. According to the study, thirty percent of the notices could be readily challenged in court on clear grounds, such as a substantial fair-use argument and the likelihood that the material is uncopyrightable. One out of 11 notices had such a significant legal flaw--such as not identifying the infringing material--as to render the notice unusable. Moreover, more than half of the notices for link removal that were sent to Google were sent by businesses targeting apparent rivals, the report said. While the authors of the study admit it uses a small sample set, the conclusions support contentions that the DMCA has been used to hobble expression on the Internet, even among security researchers, who have an explicit exemption in the law. http://www.securityfocus.com/brief/62
GENERAL ASSEMBLY ADOPTS CONVENTION ON ELECTRONIC COMMUNICATIONS IN CONTRACTING (UN, 25 Nov 2005) -- Updating international trade law to take account of new technologies, the United Nations General Assembly has adopted a new convention on using electronic communications in international contracting, superseding law negotiated before the development of e-mail and the Internet. The new Convention, approved on Wednesday, will assure companies and traders worldwide that contracts negotiated electronically are as valid and enforceable as traditional paper-based transactions. The provisions deal with such issues as determining a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications and the use of automated message systems for contract formation. Other provisions contain criteria establishing functional equivalence between electronic communications and paper documents, including “original” paper documents, and between electronic authentication methods and hand-written signatures. The UN Commission on International Trade Law (UNCITRAL) Working Group on Electronic Commerce prepared the document from 2002 to late 2004 and adopted it at its 38th Session in Vienna, Austria, in July. The Convention complements and builds upon earlier instruments prepared by UNCITRAL, the core legal body of the UN system in the field of international trade law, including the UNCITRAL Model Law on Electronic Commerce and the UNCITRAL Model Law on Electronic Signatures. The Convention will be open for signature by all States at UN Headquarters from next 16 January to 16 January 2008. A signature event could take place during UNCITRAL’s 39th session in New York next year, from 19 June to 7 July, to promote State participation. http://www.un.org/apps/news/story.asp?NewsID=16685&Cr=general&Cr1=assembly
DUTCH COMPANY STARTS NEW INTERNET ADDRESS SYSTEM (Computerworld, 28 Nov 2005) -- A Dutch company has launched a new Internet addressing service that does away with the most common top-level domains (TLDs), such as .com and .edu, and allows organizations and individuals to register Internet addresses that end with the name of their business, or virtually any other word they choose. UnifiedRoot S & M BV, based in Amsterdam, said its system allows its customers to use more intuitive Internet addresses that are easier to remember. They can combine the TLDs with second-level domains for categories of products and services, such as fruit.supermarket and vegetables.supermarket, for example. The company has set up 13 master root servers around the world to run its Domain Name System (DNS), which it said will run “in parallel” with the Internet’s principal DNS, run by the Internet Corporation for Assigned Names and Numbers (ICANN). To avoid conflicts, UnifiedRoot won’t register TLDs already registered by ICANN, it said. Its success will depend partly on cooperation from ISPs, which will have to update their DNS server directories in order for them to include UnifiedRoot’s DNS servers. European ISP Tiscali SpA has made the change, according to Seeboldt, along with several local ISPs in Turkey. Without the cooperation of ISPs, end users will have to reconfigure their own PCs to recognize the UnifiedRoot TLDs, which the company acknowledged could be tricky for some users. http://www.computerworld.com/news/2005/story/0,11280,106559,00.html
THIRD CIRCUIT OFFERS A TUTORIAL ON THE CFAA AS A CIVIL CAUSE OF ACTION (Steptoe & Johnson’s E-Commerce Law Week, 26 Nov 2005) -- A recent decision by the US Court of Appeals for the Third Circuit in P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, clarified that injunctive relief is available in civil suits brought under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and that a civil suit can be brought not just where access to a computer causes damage, but also where something of value is allegedly taken from that computer. This clarification was necessitated by a district court’s utter confusion over the terms of the CFAA, including whether it even offered a basis for a civil claim. This just goes to show how novel civil suits over security breaches still are. Nevertheless, despite feeling compelled to give the district court a primer on the CFAA, the Third Circuit upheld the lower court’s denial of a preliminary injunction on the ground that the plaintiffs had failed to allege what precisely the defendants had taken from their computers, an essential element of a claim based on § 1030(a)(4). So apparently the district court wasn’t the only one that needed to be taken to school. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11317&siteId=547
PENTAGON’S URBAN RECON TAKES WING (Wired, 29 Nov 2005) -- A leading defense contractor has successfully demonstrated a system that lets foot soldiers command unmanned aerial vehicles, or UAVs, to see real-time overhead images on their handheld computers while fighting in urban battle zones. Individual war fighters can receive video-surveillance data on a target of interest by moving a cursor over the subject, as part of a Northrop Grumman system to automate reconnaissance, surveillance and target acquisition, or RSTA, within urban environments. UAVs have already proven their worth in the kinds of urban battle zones that produce daily headlines out of Iraq -- places like Falluja and Najaf, where the drones can navigate the labyrinth of streets or stealthily peer into buildings. But ground troops don’t currently have direct access to this surveillance and reconnaissance data, and they have no control of the aircraft that deliver it. That’s what HURT, for Heterogeneous Urban RSTA, promises to change. Northrop demonstrated the system this fall on the former site of Georgia Air Force Base in Victorville, California, on a grid of abandoned streets and buildings used to train soldiers in urban combat. Two fixed-wing UAVs, a Raven and a Pointer, along with an Rmax rotorcraft, were put aloft under the control of the system. Participants on the ground were able to view wide-area surveillance of the battle zone on handheld monitors, but could also send one of the UAVs in for a closer look at a suspected enemy position by merely moving over the subject with their cursor. http://www.wired.com/news/technology/0,1282,69612,00.html
PLAN TO PUT COMPANY REPORTS ON THE WEB (Reuters, 30 Nov 2005) -- Corporations would be allowed to post proxy statements and annual reports on Web sites, instead of sending them through the mail, under a plan proposed Tuesday by federal regulators. The Securities and Exchange Commission voted 5 to 0 to submit the plan to a 60-day public comment period, with a final vote by the commission expected later. Aimed at saving postage and printing costs, the so-called e-proxy measure is also seen as a way to cut the costs to shareholders of waging proxy contests. Under the proposed rule, investors would receive a postcard notice in the mail telling them that a proxy statement and annual report was available online. Investors wishing to continue receiving printed matter could request it. “Studies show that today 75 percent of Americans now have access to the Internet and this percentage is rising steadily,” Christopher Cox, the S.E.C. chairman, said at a meeting. “The percentage of investors with Internet access is even higher.” The proposal, if adopted early next year, would probably not be enacted in time for the 2006 proxy season but would come into play in 2007, said Alan L. Beller, director of the S.E.C.’s corporate finance division. http://www.nytimes.com/2005/11/30/business/30regulate.html?ex=1291006800&en=1b09ce18cb246bdc&ei=5090&partner=rssuserland&emc=rss
ANGRY BELLSOUTH WITHDREW DONATION, NEW ORLEANS SAYS (Washington Post, 3 Dec 2005) -- Hours after New Orleans officials announced Tuesday that they would deploy a city-owned, wireless Internet network in the wake of Hurricane Katrina, regional phone giant BellSouth Corp. withdrew an offer to donate one of its damaged buildings that would have housed new police headquarters, city officials said yesterday. According to the officials, the head of BellSouth’s Louisiana operations, Bill Oliver, angrily rescinded the offer of the building in a conversation with New Orleans homeland security director Terry Ebbert, who oversees the roughly 1,650-member police force. City officials said BellSouth was upset about the plan to bring high-speed Internet access for free to homes and businesses to help stimulate resettlement and relocation to the devastated city. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/02/AR2005120201853.html
EUROPEAN LEGAL MINEFIELD FOR SOX WHISTLEBLOWER PROGRAMS (Steptoe & Johnson’s E-Commerce Law Week, 3 Dec 2005) -- Every so often unexploded ordnance from as far back as World War I is discovered in Europe, particularly in France. But for companies in Europe -- especially those that are subject to the US Sarbanes-Oxley Act (“SOX”) -- a more dangerous minefield appears to be the legal one that is emerging from the conflict between SOX whistleblower obligations and European data protection law. And (sacré bleu!) again the problem is most acute in France. The Commission Nationale de l’Informatique et des Libertés, the French data protection authority, has just released guidelines on the implementation of whistleblower reporting hotlines in France (“Guidelines”). Combined with a court decision in Germany earlier this year regarding the interaction of works councils and whistleblower hotlines, the Guidelines create a very confusing European legal environment for whistleblower programs. It now appears that European Union authorities will also jump into the controversy, and that the issue is also likely to spread to other European countries. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11361&siteId=547 [EDITOR: inter alia, the Guidelines protect supervisors’ reputations against anonymous complaints, thereby conflicting with the whistleblower rules.]
UPLOAD, STORE, PLAY AND SHARE IN A FEW CLICKS (New York Times, 3 Dec 2005) -- In Hollywood, young screenwriters have “elevator pitches” always at the ready--pithy descriptions of their screenplays, intended to capture the imagination of passing movie executives. You know: “It’s ‘Titanic’ on a spaceship.” “It’s a female ‘Harry Potter.’” “It’s ‘Raising Arizona’ meets ‘Leaving Las Vegas.’” Most of the time, high-tech companies can describe their products with equal efficiency, but not always. Take, for example, Glide Effortless, a new Web service that went live Wednesday. “What is Glide Effortless?” its news release asks. “It is a compatible browser-based online solution with integrated software and service environments, providing powerful file management, creation, communication, sharing and e-commerce capabilities.” Here’s another stab: It’s a personal Web site to which you can upload your favorite photos, MP3 files, video clips and even Word, PowerPoint or PDF documents. (A separate companion program speeds the uploading process by letting you drag and drop big batches of files at once.) Once everything’s posted on the Web site, you can do two things with it: manage it or share it. http://news.com.com/Upload%2C+store%2C+play+and+share+in+a+few+clicks/2100-1038_3-5978421.html?tag=nefd.top [Editor: Collaboration spaces (like wikis) are important elements of my Knowledge Management practice; Glide’s offering is at one end of the capabilities-spectrum, which is being elongated in some interesting ways. Commoditization won’t be too far off.]
-- and --
SNARED IN THE WEB OF A WIKIPEDIA LIAR (New York Times, 4 December 2005) -- According to Wikipedia, the online encyclopedia, John Seigenthaler Sr. is 78 years old and the former editor of The Tennessean in Nashville. But is that information, or anything else in Mr. Seigenthaler’s biography, true? The question arises because Mr. Seigenthaler recently read about himself on Wikipedia and was shocked to learn that he “was thought to have been directly involved in the Kennedy assassinations of both John and his brother Bobby.” Mr. Seigenthaler discovered that the false information had been on the site for several months and that an unknown number of people had read it, and possibly posted it on or linked it to other sites. If any assassination was going on, Mr. Seigenthaler (who is 78 and did edit The Tennessean) wrote last week in an op-ed article in USA Today, it was of his character. The case triggered extensive debate on the Internet over the value and reliability of Wikipedia, and more broadly, over the nature of online information. Wikipedia is a kind of collective brain, a repository of knowledge, maintained on servers in various countries and built by anyone in the world with a computer and an Internet connection who wants to share knowledge about a subject. Literally hundreds of thousands of people have written Wikipedia entries. Mistakes are expected to be caught and corrected by later contributors and users. The whole nonprofit enterprise began in January 2001, the brainchild of Jimmy Wales, 39, a former futures and options trader who lives in St. Petersburg, Fla. He said he had hoped to advance the promise of the Internet as a place for sharing information. It has, by most measures, been a spectacular success. Wikipedia is now the biggest encyclopedia in the history of the world. As of Friday, it was receiving 2.5 billion page views a month, and offering at least 1,000 articles in 82 languages. 
The number of articles, already close to two million, is growing by 7 percent a month. And Mr. Wales said that traffic doubles every four months. Still, the question of Wikipedia, as of so much of what you find online, is: Can you trust it? And beyond reliability, there is the question of accountability. Mr. Seigenthaler, after discovering that he had been defamed, found that his “biographer” was anonymous. He learned that the writer was a customer of BellSouth Internet, but that federal privacy laws shield the identity of Internet customers, even if they disseminate defamatory material. And the laws protect online corporations from libel suits. He could have filed a lawsuit against BellSouth, he wrote, but only a subpoena would compel BellSouth to reveal the name. In the end, Mr. Seigenthaler decided against going to court, instead alerting the public, through his article, “that Wikipedia is a flawed and irresponsible research tool.” http://www.nytimes.com/2005/12/04/weekinreview/04seelye.html?ex=1291352400&en=6a97402d6595c6f1&ei=5090&partner=rssuserland&emc=rss and http://news.com.com/Is+Wikipedia+safe+from+libel+liability/2100-1025_3-5984880.html?tag=nefd.lede
CAL. APPELLATE CT. RULES AGAINST EARTHLINK FORUM CLAUSE (BNA’s Internet Law News, 5 Dec 2005) -- A California appeals court has held that Earthlink’s arbitration and forum selection clauses in its DSL click through agreement are unenforceable under California law. The case arose as part of a class action suit, with the court ruling that “a forum selection clause that discourages legitimate claims by imposing unreasonable geographical barriers is unenforceable under well-settled California law.” Decision at http://www.courtinfo.ca.gov/opinions/documents/B177146.PDF
9/11 PANEL FAULTS GOVERNMENT ON CYBERSECURITY (CNET, 6 Dec 2005) -- The federal government is not making enough progress in protecting critical infrastructures such as communications networks and the Internet, said former members of the commission that investigated the attacks of Sept. 11, 2001. Progress also is lacking in airline security and providing radio spectrum to first responders, according to the 9/11 Public Discourse Project, which is made up of the 10 individuals--five Republicans and five Democrats--who served on the Sept. 11 commission. The 9/11 Public Discourse Project on Monday issued a report card with an A- for battling terrorist financing, but all 40 of the other grades (see PDF) were lower. “There are far too many C’s, D’s and F’s in the report card we will issue today. Many obvious steps that the American people assume have been completed have not been. Our leadership is distracted,” the project leaders said in a statement. Critical infrastructure protection initiatives received a D: No risk and vulnerability assessments have been made; no national priorities have been established; and no recommendations have been made on allocation of scarce resources, according to the report. “All key decisions are at least a year away. It is time that we stop talking about setting priorities, and actually set some,” the former commissioners wrote. The shortcomings are “shocking” and “scandalous,” according to the 9/11 Public Discourse Project. The government also was faulted for a lack of agency information-sharing that’s needed to strengthen intelligence, members said. The former commissioners also critiqued the work on new, more secure ID cards according to the Real ID Act. New standards for issuing birth certificates continue to be delayed until at least early 2006. “Without movement on the birth certificate issue, state-issued IDs are still not secure,” according to the report. 
In addition, Congress has failed to take a leading role in passport security, the report said. http://news.com.com/911+panel+faults+government+on+cybersecurity/2100-7348_3-5984743.html?tag=nefd.top
WEB OF LIES (InsideHigherEd, 6 Dec 2005) -- When several of his colleagues expressed doubts about whether they would eventually want to tenure him, William Bradford, an associate professor of law at Indiana University in Indianapolis, went public with his complaints. He posted on blogs, he talked on the radio, he talked to this Web site, he hit “The O’Reilly Factor.” His message: Liberal faculty members were pushing him out because he is conservative, a war veteran and a Native American who didn’t fit a liberal mold for Native Americans. But as Bradford’s complaints grew louder, his story unraveled. It has now become clear that Bradford lied about, among other things, his military service. University officials confirmed Monday that Bradford — who did not respond to e-mail and voice messages and who hasn’t commented on the latest events — has resigned, effective January 1. Bradford appeared on the national radar this summer, after five faculty members on a review committee, which did authorize his reappointment, said they did not think he deserved tenure at the time. Bradford, whose degrees include one each from Northwestern and Harvard Universities, railed against what he claimed was a liberal conspiracy against him. http://insidehighered.com/news/2005/12/06/bradford [Editor: Mr. Bradford has some interesting ideas; I’ve heard him deliver an impassioned argument for the Bush administration’s “pre-emptive war” doctrine; some thought it (and the doctrine) over-the-top.]
OK, OK, MAYBE PIRACY IS BAD (Wired, 8 Dec 2005) -- Software piracy is rampant and hampering economic growth, and it is increasingly in the hands of organized groups which are regarded as legitimate businesses in some countries. The global piracy rate is currently around 35 percent, coming down only 1 percent a year, research group IDC found in a study commissioned by the Business Software Alliance, which represents around 50 software firms. The study, covering 70 countries which represent 99 percent of the world’s information technology spending, said that a worldwide reduction of software piracy by 10 percentage points to 25 percent could generate 2.4 million jobs and $400 billion of economic growth. The battle against software piracy has been relatively successful over the last 15 years, with the piracy rate in Europe dropping to 35 percent from almost 80 percent in 1992 when the European authorities adopted special legislation. Still, a 35 percent piracy rate is more than 20 times higher than the percentage that retail stores lose through shoplifting. At its worst, piracy runs as high as 90 percent in China and 87 percent in Russia. The United States has a modest 21 percent piracy rate. China is already one of the world’s biggest personal computer markets, but does not even make it into the top 20 of software markets because so much software is illegally copied. http://www.wired.com/news/business/0,1367,69785,00.html
EFF MOVES TO BLOCK CERTIFICATION OF E-VOTING SYSTEMS (CNET, 9 Dec 2005) -- The Electronic Frontier Foundation filed a complaint aimed at blocking North Carolina’s recent certifications of voting machines, saying state elections officials failed to meet legal requirements before signing off on the systems. The complaint, filed in Wake County Superior Court by the EFF and a Raleigh lawyer on behalf of a local voters’ advocate, calls for a judge to void certifications that the Board of Elections issued last week to Diebold, ES&S and Sequoia Voting Systems. It also requests a restraining order that would prevent elections officials from certifying any new systems until they comply fully with state election laws. The state legislature modified those laws this summer, setting new standards for e-voting machines and requiring that existing systems be decertified. State elections officials “exceeded their statutory authority” in signing off on the systems, because they disregarded the law in two areas, the complaint charges. First, they failed to complete a comprehensive review of various security features on the systems, and second, they neglected to obtain every bit of source code associated with software on the devices--one of the new legal requirements. E-voting machines continue to generate security concerns and calls for reform. During the 2004 presidential election, officials acknowledged that glitches in some systems led to lost votes in a few states’ tallies--including 4,500 in one North Carolina county. Diebold, an Ohio-based company that makes automatic-teller machines as well, is also no stranger to controversy. Last year, California officials questioned the company on the integrity of its systems and recommended banning Diebold machines from the state. http://news.com.com/EFF+moves+to+block+certification+of+e-voting+systems/2100-1028_3-5988243.html?tag=nefd.top EFF Complaint at http://www.eff.org/Activism/E-voting/EFF_Mandamus_Complaint_TRO_20051208140945.pdf
WORKER PRIVACY: YOU HAVE NONE (Wired, 9 Dec 2005) -- If you have internet access at work, there’s a very good chance your employer has a system in place to monitor your online activities. So, if you’re concerned about privacy, take heed. Under current U.S. law, there’s little you can do to protect the confidentiality of your internet use on the job. Here’s a rundown of the rights you don’t have at work. Notice of monitoring: Only two states (Connecticut and Delaware) require that employers inform workers if they are monitoring online activity, according to Jeremy Gruber, legal director, the National Workrights Institute. Federal legislation requiring such disclosure has been proposed but not enacted. That said, most employers do provide notice to employees if they track workplace web use. In an employer survey conducted this year by the American Management Association and the ePolicy Institute, 89 percent of respondents said they notify employees if their web usage is being tracked. Privacy outside the office: More workers are telecommuting these days, often using laptops and other portable devices provided by their employer. But leaving the office doesn’t guarantee freedom from internet surveillance. Using the company laptop to remotely access its network is, from a monitoring legality standpoint, generally the same as working from the office, said Mark Schreiber, a partner at Edwards Angell Palmer & Dodge, who advises firms regarding internet use policies. People who are entering the company network from home, even from their personal computer, should be aware that online activities may be monitored. To protect privacy, Gruber recommends investing in your own equipment: “Use your own system that is in no way, shape, or form connected through the employer’s network,” he said. The right to blog: People who like to blog -- especially about their employer -- should refrain from doing so at work. 
“The computer system is the property of the employer, and the employer has the right to monitor all internet activity,” said Nancy Flynn, executive director of the ePolicy Institute. “That would include blog posts and all e-mail and internet transmissions.” Flynn estimates that hundreds of people have been fired for their blog content in recent years. In the AMA/ePolicy survey, 26 percent of respondents said they had fired workers for misusing the internet. A quarter of employers also said they’d terminated workers for e-mail misuse. Weekend work without monitoring: If you’re laboring overtime and taking work home for the weekend, employers are likely still monitoring your online activities if you use their equipment or network, says Gruber. That means employees might want to be careful about personal web-surfing or e-mail activities until they’ve logged off the company server. http://www.wired.com/news/privacy/0,1848,69732,00.html
LIVE TRACKING OF MOBILE PHONES PROMPTS COURT FIGHTS ON PRIVACY (New York Times, 10 Dec 2005) -- Most Americans carry cellphones, but many may not know that government agencies can track their movements through the signals emanating from the handset. In recent years, law enforcement officials have turned to cellular technology as a tool for easily and secretly monitoring the movements of suspects as they occur. But this kind of surveillance - which investigators have been able to conduct with easily obtained court orders - has now come under tougher legal scrutiny. In the last four months, three federal judges have denied prosecutors the right to get cellphone tracking information from wireless companies without first showing “probable cause” to believe that a crime has been or is being committed. That is the same standard applied to requests for search warrants. The rulings, issued by magistrate judges in New York, Texas and Maryland, underscore the growing debate over privacy rights and government surveillance in the digital age. With mobile phones becoming as prevalent as conventional phones (there are 195 million cellular subscribers in this country), wireless companies are starting to exploit the phones’ tracking abilities. For example, companies are marketing services that turn phones into even more precise global positioning devices for driving or allowing parents to track the whereabouts of their children through the handsets. Not surprisingly, law enforcement agencies want to exploit this technology, too - which means more courts are bound to wrestle with what legal standard applies when government agents ask to conduct such surveillance. Cellular operators like Verizon Wireless and Cingular Wireless know, within about 300 yards, the location of their subscribers whenever a phone is turned on. Even if the phone is not in use it is communicating with cellphone tower sites, and the wireless provider keeps track of the phone’s position as it travels. 
The operators have said that they turn over location information when presented with a court order to do so. http://www.nytimes.com/2005/12/10/technology/10phone.html?ex=1291870800&en=2019ce35d6b47983&ei=5090&partner=rssuserland&emc=rss
**** RESOURCES ****
THE SHIDLER JOURNAL OF LAW, COMMERCE & TECHNOLOGY is pleased to announce the recent publication of Volume 2, Issue 2. Abstracts for each of the articles in the current issue are provided below. Simply click on an article title to access a full text version of the article, or visit the Journal’s home page at www.lctjournal.washington.edu. The website also includes articles from past issues of the Journal. Recent titles are: “The FACT Act of 2003: Securing Personal Information In an Age of Identity Theft”; “Liability Under the Americans with Disabilities Act for Private Web Site Operators”; “Streamlined Sales and Use Tax Agreement: Is Your Business Ready for Compliance?”; “Proposed Federal Definition of ‘Internet Job Applicant’ Suggests Need for Revised Human Resource Policies”; and “‘I Didn’t Know My Client Wasn’t Complying!” - The Heightened Obligation Lawyers Have to Ensure Clients Follow Court Orders in Litigation Matters”.
The GAO now supplies reports and testimony via RSS – click the RSS button on http://www.gao.gov/
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
Saturday, November 19, 2005
MIRLN -- Misc. IT Related Legal News [30 Oct - 19 Nov 2005; v8.14]
MICROSOFT: WE WERE RAILROADED IN MASSACHUSETTS ON ODF (ZDnet, 17 Oct 2005) -- Those were not Microsoft’s exact words, but if you were a fly on the wall [to] recent correspondence with Microsoft’s Alan Yates regarding how Microsoft’s XML-based Office file formats ended up off of Massachusetts’ list of approved file formats (essentially pulling the state’s plug on future usage of Microsoft Office), it would be difficult to summarize his opinion in any other way. To the untrained eye, the Massachusetts decision -- formally known as that state’s Enterprise Technical Reference Model (henceforth referred to as MA ETRM) -- looks like one of those small open source victories for some European municipality looking to establish independence from big bad proprietary American technology. Such victories are important, no doubt, to that town, city, or country and perhaps even to certain technology communities in general (e.g., open source) -- but largely peripheral to the bigger battle. But, MA ETRM is about far more than open source. Industry historians will later view it as one of the most brilliant chess moves by a handful of industry titans with a common interest in breaking Microsoft’s dominant grip. http://news.zdnet.com/2100-3513_22-5893208.html
DEALING WITH DATA THEFT: AFTER THE FACT (InternetWeek, 20 Oct 2005) -- Time and again, businesses fall short in their ability to protect their customer information as criminals looking to steal data get wiser and more creative. Whether customer data is stolen or lost through hacking, physical means such as a misplaced laptop or hijacked data tapes, or an unscrupulous employee, the results are the same: customers at risk and a huge black eye for the company. No industry grapples more with data theft and the ensuing customer relationship nightmare than the financial services sector, which will increase spending on IT security and related issues 12% this year to $1.8 billion, according to consulting firm Celent. How these companies respond to the seemingly inevitable security breach can change the way they are viewed by customers and the general public. Handle it right, and a company can flip the negative into a positive and earn customers’ respect and appreciation. Handle it wrong, and the business will forever fight the stigma of an untrustworthy organization. The good news is the financial services industry is fast making an art form out of dealing with security breaches, and its experience can serve as an invaluable guideline for any business holding sensitive customer information. http://internetweek.cmp.com/shared/article/printablePipelineArticle.jhtml?articleId=172302862
AFTER SONGS AND VIDEOS, CRIB NOTES BECOME THE LATEST OFFERING FOR IPODS (Chronicle of Higher Ed, 27 Oct 2005) -- With iPods slowly working their way into college classrooms, it was only a matter of time before someone put the devices to use as a way of cutting corners on course work. Now a pair of companies has stepped up, offering a line of iPod-ready crib notes to such literary classics as The Great Gatsby and The Scarlet Letter. The notes are taken from study guides published by SparkNotes -- a company that has marketed itself as a hipper version of CliffsNotes, the giant of the field -- and are sold by iPREPpress, a business that retails reference material that can be viewed on the digital music players. Right now about a dozen titles are available at $4.95 apiece. But the companies plan to publish digital guides for about 50 English-department cornerstones, according to Kurt Goszyk, the founder of iPREPpress. The guides basically turn the iPod into a text-based browser: Students can read biographical sketches of characters, review themes and motifs, and test themselves with study questions and answers -- all by using the iPod’s click wheel to navigate a series of hyperlinks. But students can also listen to overviews of the books’ plots and protagonists while they work out at the gym or walk from class to class. The study guides each include about six or seven minutes of audio material for students on the go, said Mr. Goszyk. “But in areas where you really have to concentrate” -- like SparkNotes’ more detailed summaries of quotations and symbolism -- “we kept it as only text,” he said. http://chronicle.com/free/2005/10/2005102702t.htm
INSURER LAUNCHES $10 MILLION OPEN-SOURCE POLICY (ZDnet, 31 Oct 2005) -- Insurance underwriter Kiln, which is a Lloyd’s of London division, and Miller Insurance Services on Monday said they will offer open-source compliance insurance. New York-based Open Source Risk Management will be the exclusive risk assessor. The insurance will cover up to $10 million in damages, including profit losses related to noncompliance with an open-source software license. The policy could, in some cases, cover the cost of repairing code that was found to infringe on open-source licenses such as the General Public License, which is used with the Linux operating system. The insurers said more than 30 legal claims in the last two years have involved infringements on open-source licenses. In each case, the plaintiffs were able to restrict the use of their code. “The emerging open-source model of worldwide collaborative technology development introduces novel business risks that traditional insurance products can, but have not, addressed,” said Matthew Hogg, an underwriter for Kiln Risk Solutions. Daniel Egger, CEO of Open Source Risk Management, said many companies inadvertently expose themselves to legal risks when they use open-source software. In particular, companies may infringe on copyright laws when distributing their own software--which could include open-source products--to business partners or customers, Egger said. http://news.zdnet.com/2100-3513_22-5924112.html [Editor: Of course, with the insurance coverage will come emergent best-practices, standards, and processes.]
U.S. MULLS NEW DIGITAL-SIGNATURE STANDARD (CNET, 1 Nov 2005) -- A team of Chinese scientists shocked the data security world this year by announcing a flaw in a widely used technique used to create and verify digital signatures in e-mail and on the Web. Now the U.S. government is trying to figure out what to do about it. The decade-old algorithm, called the Secure Hash Algorithm, or SHA-1, is an official federal standard and is embedded in every modern Web browser and operating system. Any change will be expensive and time-consuming--and a poor choice by the government would mean that the successor standard may not survive another 10 years. “We’re going to have to make a decision fairly soon about where to push people,” said John Kelsey of the National Institute of Standards and Technology (NIST), which convened a workshop here on the topic Monday. Even though NIST is only technically responsible for government standards-setting, Kelsey noted, “we’re likely to get a lot of other people to head in that direction as well.” The findings by the researchers at China’s Shandong University, which they described in an interview with CNET News.com in March, are still of more theoretical than practical interest. But as computing speed accelerates, their discovery eventually will make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature--unless a different, more secure “hash” algorithm is adopted. http://news.com.com/U.S.+mulls+new+digital+signature+standard/2100-1029_3-5924982.html?tag=nefd.lede
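The reason a change of hash algorithm is "expensive and time-consuming" is that most deployed formats hard-wire the algorithm. The added example below (written for this edition; it is not code from CNET, NIST or any product the article mentions) shows the engineering practice that makes such a migration cheap: every signature carries the name of the digest it used, and the verifier checks that name against an explicit allow-list before checking the value, so an algorithm can be retired by policy without changing the message format. An HMAC stands in for a public-key signature so that the example runs with only the Python standard library; the key, messages and the allow-list contents are constructed for illustration.

```python
"""Hash-algorithm agility for a signed-message format.

Added example, not from the CNET article or NIST. Tagging each
signature with the digest algorithm used, and verifying against an
explicit allow-list, lets a deployment retire an algorithm (here SHA-1)
without breaking its message format. HMAC stands in for a public-key
signature so the example needs only the standard library.
"""
from __future__ import annotations

import hashlib
import hmac

# Policy (constructed for this example): digests accepted on verification.
# SHA-1 is deliberately absent, so old tags fail closed.
ACCEPTED_DIGESTS = frozenset({"sha256", "sha384", "sha512"})
# Digest used for newly produced signatures.
PREFERRED_DIGEST = "sha256"


def sign(key: bytes, message: bytes, digest: str = PREFERRED_DIGEST) -> str:
    """Return a tag of the form 'digest=hex' so the verifier knows what was used.

    The digest is a parameter (not fixed) so the producer can be moved to a
    new algorithm by changing PREFERRED_DIGEST alone.
    """
    if digest not in hashlib.algorithms_available:
        raise ValueError(f"unknown digest {digest}")
    mac = hmac.new(key, message, digest).hexdigest()
    return f"{digest}={mac}"


def verify(key: bytes, message: bytes, tag: str) -> tuple[bool, str]:
    """Verify a tag produced by sign(); returns (ok, reason).

    Policy is enforced before any cryptographic comparison: a tag made with
    a retired digest is rejected even if its MAC value would have matched.
    """
    digest, sep, mac_hex = tag.partition("=")
    if not sep:
        return False, "malformed tag"
    if digest not in ACCEPTED_DIGESTS:
        return False, f"digest {digest} not accepted by policy"
    expected = hmac.new(key, message, digest).hexdigest()
    # Constant-time comparison, so verification timing does not leak the MAC.
    if not hmac.compare_digest(expected, mac_hex):
        return False, "MAC mismatch"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    msg = b"order 42: ship to warehouse"   # constructed sample message
    print(verify(key, msg, sign(key, msg)))            # (True, 'ok')
    print(verify(key, msg, sign(key, msg, "sha1")))    # rejected by policy
```

Retiring an algorithm in this design is a one-line change to `ACCEPTED_DIGESTS`, and the rejection reason makes it visible in logs which clients are still producing old tags, which is the inventory a migration needs.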
DATA LAWS RAISE SECURITY WORRIES (VNUnet, 2 Nov 2005) -- Regulatory compliance is now the biggest security concern for IT departments, according to international research. Nearly two-thirds of firms that responded to consultancy Ernst & Young’s survey cited complying with electronic data retention regulations such as Sarbanes-Oxley and the European Union 8th Directive on company law as their primary IT security focus. But despite senior management fears of prosecution making security a board issue, IT departments are failing to make information security an integral part of the business, says The Global Information Security Survey 2005. ‘Images of directors being taken away in orange jumpsuits and silver manacles are making firms sit up and take notice,’ said Ernst & Young partner Antony Smyth. ‘It is a chance for departments to make use of the focus that security is getting in the boardroom, but most are not doing this.’ The survey of more than 1,300 public and private sector organisations in 55 countries found 81 per cent of firms view IT security as the most important element in complying with data policies. Just 56 per cent of IT directors cited security as important for aiding other business strategies. Some 88 per cent of firms are updating policies and procedures to comply with regulations, but only 41 per cent are using the opportunity to reorganise their IT security functions or to make changes to systems architecture. The survey also suggests that organisations are not securing information and systems when they outsource their operations to third parties. One fifth of firms do not address the risks of communicating electronically with suppliers, outsourcers and partners, and 33 per cent only have informal procedures to deal with these risks. http://www.vnunet.com/computing/news/2145373/laws-raise-security-worries
MICROSOFT CALLS FOR BROAD PRIVACY LAW (Reuters, 3 Nov 2005) -- Microsoft Corp. on Thursday called for a broad national law to protect consumer privacy and a top Republican lawmaker said he planned to push such a bill next year, amid heightened consumer concerns about identity theft and online fraud. “This is the time, this is the place, we believe, for the government to adopt privacy legislation on a national basis,” Microsoft General Counsel Brad Smith said at a lunch event. Texas Republican Rep. Joe Barton, who chairs the House Energy and Commerce Committee, said at a separate event that he plans to introduce a comprehensive privacy bill next year. High-tech businesses, including Microsoft, helped block attempts to pass a national privacy law in 2001 and 2002, arguing that businesses can be trusted to handle consumer profiles responsibly. Since then, most Fortune 500 companies have developed “privacy policies” that spell out, often in dense legalese, what they do with credit-card numbers, birthdates and other information consumers give to them. Congress, meanwhile, has tackled a number of privacy issues, from “spam” e-mail to telemarketing to computer “spyware.” Lawmakers are currently wrangling over legislation that would require businesses to let consumers know when their account information has been exposed to outsiders. Still, several polls have found that privacy concerns have prompted some consumers to cut back on online purchases, and a rash of data breaches has exposed sloppy security practices at banks, universities and a wide range of other institutions. Smith said a broad privacy law spelling out how businesses handle consumer information is now needed to shore up consumer confidence and simplify a legal landscape that is becoming cluttered by conflicting state and national laws. “It’s the patchwork of state laws that is causing a lot of heartburn, not any one individual law,” he said. 
Any legislation should allow consumers to limit how information about them is used and should apply to online and offline businesses equally, Smith said. Online retailer eBay Inc. is also pushing for a national privacy law, a lobbyist for the company said, while computer maker Hewlett-Packard Co. has backed such a law for years. A prominent civil liberties advocate said Smith’s speech was a significant development. “This creates some momentum for really addressing privacy legislation as early as next year,” said Jerry Berman, president of the Center for Democracy and Technology. http://news.yahoo.com/s/nm/20051103/wr_nm/privacy_dc
WANT ‘WAR AND PEACE’ ONLINE? HOW ABOUT 20 PAGES AT A TIME? (New York Times, 4 Nov 2005) -- In a race to become the iTunes of the publishing world, Amazon.com and Google are both developing systems to allow consumers to purchase online access to any page, section or chapter of a book. These programs would combine their already available systems of searching books online with a commercial component that could revolutionize the way that people read books. The idea is to do for books what Apple has done for music, allowing readers to buy and download parts of individual books for their own use through their computers rather than trek to a store or receive them by mail. Consumers could purchase a single recipe from a cookbook, for example, or a chapter on rebuilding a car engine from a repair manual. The initiatives are already setting off a tug of war among publishers and the potential vendors over who will do business with whom and how to split the proceeds. Random House, the biggest American publisher, proposed a micropayment model yesterday in which readers would be charged about 5 cents a page, with 4 cents of that going to the publisher to be shared with the author. The fact that Random House has already developed such a model indicates that it supports the concept, and that other publishers are likely to follow. The proposals could also become bargaining chips in current lawsuits against Google by trade groups representing publishers and authors. These groups have charged that Google is violating copyrights by making digital copies of books from libraries for use in its book-related search engine. But if those copies of older books on library shelves that have long been absent from bookstores started to produce revenue for publishers and authors, the trade groups might drop some of their objections. 
In a telephone interview yesterday, Paul Aiken, executive director of the Authors Guild, which filed a federal copyright infringement lawsuit against Google in September over its Google Print program, called the Amazon announcement “a positive development.” “This is the way it’s supposed to work: to give consumers access to books and have revenues flow back to publishers and authors,” Mr. Aiken said. “Conceptually, something similar might be possible for the Google program.” Amazon said yesterday that it was developing two programs that would begin some time next year. The first, Amazon Pages, is intended to work with the company’s “search inside the book” feature to allow users to search its universe of books and then buy and read online whatever pages they need of a given book. The second program, Amazon Upgrade, will allow customers to add online access to their purchase of a physical copy of a book. [Editor: Very interesting and promising developments. Let’s hope Amazon-Upgrade doesn’t echo MP3.com’s missteps; there must be more to the model than is described here.] http://www.nytimes.com/2005/11/04/technology/04publish.html?ex=1288760400&en=4ef1b1171533988d&ei=5090&partner=rssuserland&emc=rss
FRENCH GIVE A QUALIFIED ‘NON’ TO SNOOPING OF P2P IP ADDRESSES (Steptoe & Johnson’s E-Commerce Law Week, 5 Nov 2005) -- On October 24, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), dealt a blow to music industry enforcement efforts against peer-to-peer (P2P) file-sharing by announcing that it would not permit the automated monitoring of users of P2P file sharing systems. The CNIL concluded such monitoring could lead to “a massive collection of personal data” and allow “exhaustive and continuous surveillance” of P2P sites “beyond that which was necessary for the fight against piracy”. The CNIL’s stance runs counter to its own ruling in April authorizing similar P2P site surveillance by the Syndicat des Editeurs de Logiciels de Loisirs (SELL), a trade association representing French video game producers, whose members include video game industry heavyweights such as Sega, Sony, and Atari. Defending its apparent volte-face, the CNIL noted that SELL had pledged to send messages to suspected P2P site users itself, rather than asking ISPs to act as third party intermediaries, and had agreed to take an anonymous approach in communicating with suspected violators. In French, we believe that’s what is called “une distinction sans différence.” In any event, if French Culture Minister Renaud Donnedieu de Vabres is to be believed, forthcoming consideration in the French Parliament of the implementation of the EU Copyright Directive might allow the music industry anti-piracy initiative to move forward. Consideration of the EU Copyright Directive by the French Parliament is scheduled to begin in December. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11105&siteId=547
HOMELAND SECURITY’S VAGUE CYBER PLAN (CNET, 7 Nov 2005) -- A preliminary report released by the Department of Homeland Security seems to scatter cybersecurity responsibilities across the government and the private sector while sticking to generalities about future plans. In its 175-page draft of the National Infrastructure Protection Plan, or NIPP, the department outlines a broad framework for protecting the nation’s “critical infrastructure” and “key assets”--bureaucratic argot referring to everything from the power grid to dams to computer systems. President Bush first commissioned the plan in December 2003, and the Department of Homeland Security released an early version in February. According to a notice announcing the document’s availability, the latest version aims to provide greater detail. The term “cybersecurity” appears 148 times in the draft, and a 16-page appendix devoted to the topic offers some suggestions for threat analysis, response readiness and training. But the rest is worded in terms of generalities. The plan asserts that cybersecurity responsibilities should ultimately lie with the Department of Homeland Security but also calls on state and local governments to come up with information security measures and to be aware of vulnerabilities in their systems. The report charges academia and research institutions with devising “best practices” for IT security and the private sector with ensuring that it is “satisfying cyberprotection standards.” The document suggests that work should be done through a “sector partnership model”--that is, informal advisory bodies composed of private-sector and governmental representatives from the same subject area. It proposes several lists of general actions that various sectors should take (for example, “set sector-specific security goals”) and allocates deadlines from the adoption of the plan to accomplish them (in that particular case, 90 days). The recommendations are often vague. 
For example, the suggestion that the Department of Homeland Security should lead and develop a “national cybersecurity exercise” to simulate responses to an attack is listed as an “ongoing” project with no deadline. And under a category referring to the steps the government should take to deal with “privacy and constitutional freedoms,” the department lists no suggested actions. http://news.com.com/2100-7348_3-5937715.html Draft at http://dw.com.com/redir?destUrl=http%3A%2F%2Fpolitechbot.com%2Fdocs%2Fdhs.nipp.110205.pdf&siteId=3&oId=2100-7348-5937715&ontId=1009&lop=nl.ex [Editor: Oh, for Pete’s sake! The USG has been dithering on this for more than five years; it’s time for some useful, specific proposals. E.g., tax breaks for secure software; procurement policies that reject standard ‘no-liability’ language; antitrust exemption and confidentiality assurance for ISAC operations; etc.]
HISTORY’S WORST SOFTWARE BUGS (Wired, 8 Nov 2005) -- Last month automaker Toyota announced a recall of 160,000 of its Prius hybrid vehicles following reports of vehicle warning lights illuminating for no reason, and cars’ gasoline engines stalling unexpectedly. But unlike the large-scale auto recalls of years past, the root of the Prius issue wasn’t a hardware problem -- it was a programming error in the smart car’s embedded code. The Prius had a software bug. With that recall, the Prius joined the ranks of the buggy computer -- a club that began in 1945 when engineers found a moth in Panel F, Relay #70 of the Harvard Mark II system. The computer was running a test of its multiplier and adder when the engineers noticed something was wrong. The moth was trapped, removed and taped into the computer’s logbook with the words: “first actual case of a bug being found.” Sixty years later, computer bugs are still with us, and show no sign of going extinct. As the line between software and hardware blurs, coding errors are increasingly playing tricks on our daily lives. Bugs don’t just inhabit our operating systems and applications -- today they lurk within our cell phones and our pacemakers, our power plants and medical equipment. And now, in our cars. But which are the worst? It’s all too easy to come up with a list of bugs that have wreaked havoc. It’s harder to rate their severity. Which is worse -- a security vulnerability that’s exploited by a computer worm to shut down the internet for a few days or a typo that triggers a day-long crash of the nation’s phone system? The answer depends on whether you want to make a phone call or check your e-mail. http://www.wired.com/news/technology/bugs/0,2924,69355,00.html?tw=wn_tophead_1 [Editor: Fun story. The CIA-bug-in-Soviet-pipeline story (more at http://www.msnbc.msn.com/id/4394002), if true, isn’t the only case of such a plant.]
ARE YOU A ‘PUBLIC FIGURE’? (Wired, 9 Nov 2005) -- Can being mentioned on the net turn an ordinary citizen into a public figure with severely limited abilities to fight libel and defamation lawsuits? According to a Florida judge’s ruling -- perhaps the first of its kind in the United States -- the answer is yes. In an Oct. 21 ruling, Florida circuit court Judge Karen Cole threw out a defamation case against two TV stations because she deemed the plaintiff -- a Jacksonville woman -- to be a public figure who had been subject to “substantial” internet debate. In the eyes of the law, public figures are usually politicians or celebrities, who have limited rights to claim that they’ve been libeled or defamed, thanks to a 1964 ruling by the U.S. Supreme Court. Among other things, Cole said plaintiff Eliza Thomas had become a public figure because there had been “substantial public debate” regarding her and her husband on the internet. http://wired.com/news/politics/0,1283,69511,00.html?tw=wn_tophead_4
SONY’S ANTI-FILE-SHARING CD CAUSES A FIRESTORM OF ANGER (Houston Chronicle, 8 Nov 2005) -- Since the dawn of file-sharing in the late 1990s, the music industry has struggled with keeping its wares from being traded freely. Recording labels have tried all kinds of approaches, from suing their own customers to Draconian copy protection to changing formats. The one that has worked the best — surprise! — has been to offer a low-cost way to buy music that allows users to do pretty much what they want to do with the tunes they purchase. It’s almost as though there’s a Good Side and a Dark Side to the musical force. Over time, you’d think the business would get that the Good Side will win more converts. That is, until you see something like the strange case of the Sony rootkit. On Halloween, a developer with an Austin-based software company posted on his blog a detailed report on a troubling discovery — a CD from Sony BMG had installed software on his PC that uses the same technique for hiding itself as the most pernicious type of spyware. Mark Russinovich of Sysinternals also discovered that the software, known as a rootkit, could then be used by the creators of viruses and worms to hide their own malicious payloads. A rootkit works at the very lowest levels of the Windows operating system to cloak files. Spyware purveyors use the technique to hide their code from programs designed to find and remove it. In Sony’s case, the rootkit was part of a media player designed to restrict how a CD’s tunes are played, stored to a computer’s hard drive or copied, and was used to hide those files, making it difficult to get around the protection. The software was installed when the CD’s buyers — in Russinovich’s case, Van Zant’s Get Right with the Man — first tried to play the disc on a PC. The disc can’t be used in a PC without Sony’s player. The rootkit hid the software by looking for a particular sequence of characters in the name. 
Any files that included the sequence were cloaked. Russinovich had to jump through hoops to find the software, trace its source and remove it. When he did, he found the process disabled his CD drives, which were no longer visible in Windows Explorer. His report, at www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html, concluded: “The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files ... will cripple their computer if they attempt the obvious step of deleting the cloaked files.” http://www.chron.com/cs/CDA/ssistory.mpl/business/3445666
[Commentator: “Many of you have probably read about the discovery someone recently made that Sony’s new DRM has a rather dark side. Here is an EFF page that describes not only some of the ‘bad’ stuff in the software but also the onerous provisions of the EULA that comes with the CD. The EFF page has information about the ‘rootkit’ that gets installed on your machine, as well as a summary of the ‘bad’ provisions in the EULA. http://www.eff.org/deeplinks/archives/004145.php. Mark Russinovich has a detailed explanation on his blog of how the Sony DRM works and why people are claiming that it is a rootkit. I strongly recommend reading before discussing these issues. The explanation is at http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html”
-- and -- “It turns out that despite Sony’s denials, the player software that comes with the DRM’d CDs phones home each time it is launched. Mark Russinovich, the guy who originally broke the story, has detailed his proof of this. Discussion at http://malwarecle.blogspot.com/2005/11/how-much-worse-can-this-get.html”]
Also, REAL STORY OF THE ROGUE ROOTKIT (Wired, 17 Nov 2005, by Bruce Schneier) at http://www.wired.com/news/privacy/0,1848,69601,00.html; ITALIAN POLICE ASKED TO INVESTIGATE SONY DRM CODE (PCWorld, 7 Nov 2005) at http://www.pcworld.com/news/article/0,aid,123454,00.asp
[Editor: Trespass to Chattels? A perfect application of this expanded doctrine; CFAA? If mens rea can be shown; Deceptive Trade Practices? You bet! Sony has gone way over the line, and its lawyers (especially those who reviewed the EULA) have done a very poor job.]
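The Chronicle piece describes the cloaking mechanism (every file whose name contains a particular character sequence is dropped from what Windows shows) and notes that Russinovich had to “jump through hoops” to find it. The standard way a defender finds this class of cloaking is a cross-view comparison: list the same directory once through the normal operating-system API, which a hooking rootkit filters, and once through a path the hook does not cover (reading the volume directly, or from clean boot media), then report every name that appears in only one view. The example below is added for this edition and is not code from Sysinternals, Sony or the article; it simulates the filtered API view in a temporary directory with a constructed marker string (a stand-in, not the string any real product used) and shows the comparison logic itself.

```python
"""Cross-view detection of name-pattern file cloaking.

Added example, not from the Houston Chronicle article or Sysinternals.
A cloaking rootkit of the kind described above filters the directory
listing returned by the OS enumeration API, dropping every entry whose
name contains a marker. The detector compares that (filtered) view with
an unfiltered view of the same directory and reports the differences.
"""
from __future__ import annotations

import os
import tempfile
from typing import Callable, Iterable

# Constructed marker for the simulation: a hypothetical stand-in, NOT the
# character sequence used by any real product.
CLOAK_MARKER = "$hide$"


def cloaked_listdir(path: str, marker: str = CLOAK_MARKER) -> list[str]:
    """Simulate what a hooked enumeration API returns: the true listing with
    every entry whose name contains the marker removed."""
    return sorted(name for name in os.listdir(path) if marker not in name)


def raw_listdir(path: str) -> list[str]:
    """Stand-in for the unfiltered view a hook does not cover (in practice:
    raw volume parsing, or listing the directory after booting clean media)."""
    return sorted(os.listdir(path))


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> dict[str, list[str]]:
    """Return the names that appear in only one of the two views.

    'hidden'  : in the raw view but missing from the API view (cloaked entries)
    'phantom' : in the API view but absent from the raw view (also suspicious)
    """
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def scan_directory(path: str,
                   api_lister: Callable[[str], list[str]] = cloaked_listdir) -> dict[str, list[str]]:
    """Compare the API view of *path* with its raw view. Reports only; it never
    deletes anything, because the cloaked files may be referenced by a driver
    the system needs (the article notes deleting them cripples the machine)."""
    return cross_view_diff(api_lister(path), raw_listdir(path))


def build_demo_directory() -> str:
    """Create a temp directory of constructed sample files, two of them 'cloaked'."""
    root = tempfile.mkdtemp(prefix="crossview_")
    names = ("readme.txt", "player.exe",
             f"{CLOAK_MARKER}driver.sys", f"{CLOAK_MARKER}cfg.dat")
    for name in names:
        with open(os.path.join(root, name), "w", encoding="ascii") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    demo = build_demo_directory()
    result = scan_directory(demo)
    print("entries hidden from the API view:", result["hidden"])
    print("entries visible only in the API view:", result["phantom"])
```

The comparison itself is deliberately simple; the work in a real tool goes into obtaining the second, unfiltered view, and into treating the output as evidence for investigation rather than a delete list, for exactly the reason Russinovich gives in the quoted report.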
MAN SPENDS $100,000 ON VIRTUAL SPACE STATION IN ONLINE GAME (AP, 10 Nov 2005) -- In one of the largest sales yet of property in an online game, a Miami resident has bought a virtual space station for $100,000 and wants to turn it into a cross between Jurassic Park and a disco. Jon Jacobs, a director of independent films, plans to call the space resort, in the science-fiction themed game Project Entropia, “Club Neverdie.” Like other land areas in the game that has been visited by 300,000 players, the resort grounds will spawn dinosaur-like monsters, which visitors can kill. Jacobs will take a cut of the virtual resources that the carcasses yield, like hides. Jacobs, 39, plans to hire famous disc jockeys to entertain visitors once a week or so at the resort but still reckons on netting $20,000 a month from the hunting tax and other income. “I want to operate this thing at the level of a major nightclub in a major city,” Jacobs said. Jacobs bought the property late last month from MindArk PE AB, Project Entropia’s Swedish developer. The game, which has no subscription fee, has its own currency but it’s convertible at a fixed rate to dollars. About a quarter of the purchase money came from Jacobs’ in-game earnings. Over three years playing Project Entropia, Jacobs accumulated items that later became worth thousands of dollars, like first-aid kits and powerful weapons. He sold those items last year to buy an island in Project Entropia, but was outbid - it sold for $26,500, the previous record sale in that world. He refinanced his house shortly after and considered investing some of the cash in the hot Miami real-estate market, but he realized that if he bought a rental property, it really wouldn’t generate any income beyond what he’d pay for the mortgage and repairs. So he invested the proceeds in the game. http://news.yahoo.com/s/cmp/20051110/tc_cmp/173601281
INTERNET SERVICE TO PUT CLASSIC TV ON HOME COMPUTER (New York Times, 14 Nov 2005) -- Looking for “The Fugitive?” Didn’t get enough “Eight Is Enough?” Would you like to “Welcome Back, Kotter” one more time? Warner Brothers is preparing a major new Internet service that will let fans watch full episodes from more than 100 old television series. The service, called In2TV, will be free, supported by advertising, and will start early next year. More than 4,800 episodes will be made available online in the first year. The move will give Warner a way to reap new advertising revenue from a huge trove of old programming that is not widely syndicated. Programs on In2TV will have one to two minutes of commercials for each half-hour episode, compared with eight minutes in a standard broadcast. The Internet commercials cannot be skipped. America Online, which is making a broad push into Internet video, will distribute the service on its Web portal. Both it and Warner Brothers are Time Warner units. An enhanced version of the service will use peer-to-peer file-sharing technology to get the video data to viewers. Warner, with 800 television programs in its library, says it is the largest TV syndicator. It wants to use the Internet to reach viewers rather than depend on the whims of cable networks and local TV stations, said Eric Frankel, the president of Warner Brothers’ domestic cable distribution division. “We looked at the rise of broadband on Internet and said, ‘Let’s try to be the first to create a network that opens a new window of distribution for us rather than having to go hat in hand to a USA or a Nick at Night or a TBS,’” Mr. Frankel said. [Editor: See? P2P has real, non-infringing uses, too.] http://www.nytimes.com/2005/11/14/business/14warner.html?ex=1289624400&en=a46d72f19b7403e3&ei=5090&partner=rssuserland&emc=rss
MORE FIND ONLINE ENCYCLOPEDIA IS HANDY (New York Times, 14 Nov 2005) -- By several measures, the user-written online encyclopedia Wikipedia (www.wikipedia.com) has exploded in popularity over the last year. The Internet traffic-measurement firm Nielsen//NetRatings found that Wikipedia had more than tripled its monthly readership in September from the same month in 2004. September may have been a month of especially heavy usage for Wikipedia: the site does better during major news events, and September saw both the aftermath of Hurricane Katrina and the confirmation of John G. Roberts Jr. as chief justice of the United States Supreme Court. But Wikipedia’s popularity is not limited to periods of big news. Intelliseek, a marketing-research firm that measures online buzz, has found that the term Wikipedia is consistently used by bloggers - about twice as often as the term “encyclopedia” - and showed up in roughly one out of every 600 blog posts last month; it was one of every 3,300 posts in October 2004. “For bloggers, it’s almost like a badge of credibility to embed Wikipedia in their blog references,” said Pete Blackshaw, chief marketing officer for Intelliseek. “There’s something about Wikipedia that confers a degree of respectability, because multiple Web users have converged on it.” http://www.nytimes.com/2005/11/14/business/14drill.html?ex=1289624400&en=73da448cea0792a2&ei=5090&partner=rssuserland&emc=rss
A COMPROMISE OF SORTS ON INTERNET CONTROL (New York Times, 16 Nov 2005) -- Representatives from the United States and nations that had sought to break up some of its control over the Internet reached an accord on Tuesday night that leaves the supervision of domain names and other technical resources unchanged. They agreed instead to an evolutionary approach to Internet management. But the accord, a document of principles that delegates from more than 100 countries worked out here after more than two years of sometimes fiery argument, also established a new international forum intended to give governments a stronger voice in Internet policy issues, including the address system, a trade-off that the Americans were willing to accept. The text of the document is to be approved at a United Nations summit meeting on information-age issues that begins Wednesday in Tunis. American delegates who had been working on the document celebrated the outcome. Only in September, the European Union had made a well-received proposal to put some of the American powers under a new agency. And in the prelude to the talks that resumed this week, increasing pressure had been brought on the Americans to share their authority. David A. Gross, coordinator of international communications and information policy in the State Department, said late Tuesday: “I didn’t think it was possible. We did not change anything about the role of the U.S. government. It’s very significant.” The United States maintained that diluting the authority of the body that now manages the Internet address structure, the Internet Corporation for Assigned Names and Numbers, known as Icann, could jeopardize the stability and security of the global network. http://www.nytimes.com/2005/11/16/technology/16net.html?ex=1289797200&en=8cef00d486e38143&ei=5090&partner=rssuserland&emc=rss Agreed text at http://lists.essential.org/pipermail/random-bits/2005-November/001305.html
SHOP-TILL-YOU-DROP SPECIALS, REVEALED HERE FIRST (New York Times, 17 Nov 2005) -- For retailers, the day after Thanksgiving is a painstakingly orchestrated affair. Prices are scientifically slashed, down to the penny. Sales begin at dawn. And glossy circulars containing the well-laid plans are distributed just a day or two ahead to keep consumers and competitors in the dark. Or at least that is how it worked before people like Michael Brim came along. From a cramped dorm room in California, Mr. Brim, an 18-year-old college freshman who dines on Lucky Charms and says he rarely shops, is abruptly pulling back the curtain on the biggest shopping day of the year. His Web site, BF2005.com, publishes the circulars for what retailers call Black Friday - the day that officially starts the holiday shopping season - weeks ahead of time. So far this year, sources have leaked advertisements to him from Toys “R” Us (showing the Barbie Fashion Show Mall, regularly $99.99, for $29.97); Sears (a Canon ZR100 MiniDV camcorder, regularly $329.99, for $249.99); and Ace Hardware (a Skil 12-volt drill, regularly $44.99, for $24.99). Mr. Brim says his motive is to educate consumers. But retailers are furious, arguing that the site jeopardizes their holiday business, and they have threatened legal action. But BF2005.com is not their only problem. There are now at least three Web sites dedicated to digging up Black Friday sales secrets, creating a fierce competition to post the ads first. It is so heated, in fact, that all three sites stamp the circulars with bright electronic watermarks to discourage rivals from stealing a scoop. http://www.nytimes.com/2005/11/17/business/17shop.html?ex=1289883600&en=ed15eb16d7a6526a&ei=5090&partner=rssuserland&emc=rss
JUDGES REJECT CELL-PHONE TRACKING (Wired, 17 Nov 2005) -- For the third time in recent months, a federal judge has balked at allowing government investigators to track a citizen via cell phone in real time without agents showing probable cause. Andrew J. Peck, a magistrate judge with the U.S. District Court for the Southern District of New York, asked the Justice Department to clarify its arguments after learning that a Long Island magistrate judge initially denied a similar request in August. All three cell-tracking requests accompanied more traditional requests to capture the dialing information of incoming and outgoing calls. Those orders only require investigators to certify that the information is likely relevant to an ongoing investigation. A Texas judge and the Long Island judge ultimately rejected the location-tracking requests in harshly worded opinions last month, concluding investigators cannot track cell phones without going through the hoops necessary for getting a traditional search warrant. Investigators normally need to prove probable cause to a judge if a tracking device reveals information about nonpublic places. http://www.wired.com/news/privacy/0,1848,69598,00.html Steptoe & Johnson’s useful discussion at http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11105&siteId=547
A COURT FIGHT TO KEEP A SECRET THAT’S NO REAL SECRET AT ALL (New York Times, 18 Nov 2005) -- As government secrets go, this one did not take long to unravel. Federal investigators did not want the public to know that they had requested confidential information about library use in Connecticut from a little-known organization called Library Connection. Revealing the organization’s identity, government lawyers warned, could compromise national security by tipping off the target of the investigation. But even as the federal government was arguing in court that it needed to keep Library Connection’s name secret, it had carelessly left its name sprinkled throughout court records. It was right there, in bold type, on Page 7 of an Aug. 16 memorandum of law, in between black splotches applied by government censors to wipe out hints of the organization’s identity. It was also on Page 18 of the memo, and it was visible in the header line on a court Web site to anyone who looked up the case using the file number. The name of the organization was so evident, both through telltale clues and explicit references, that The New York Times published it six times in news reports on the continuing court case, and it was named in other publications as well. Yet the federal government continues to argue in federal courts in Bridgeport, Manhattan and Washington that the identity of Library Connection, a consortium of libraries, must be kept secret, in the interest of rooting out potential terrorists. A decision from the United States Court of Appeals for the Second Circuit, in New York, could come soon. Library Connection, meanwhile, has been in a delicate spot: Under the USA Patriot Act, which allows the secret request for information, the organization risks prosecution if it says plainly what many already know. 
Its executive director, George Christian, has answered “no comment” to numerous reporters who have asked him about the case, and a member of his board who is an authority on intellectual freedom, Peter Chase, has had to decline speaking engagements - even as government officials like Kevin J. O’Connor, the United States attorney for the District of Connecticut, have been free to accept them. http://www.nytimes.com/2005/11/18/nyregion/18library.html?ex=1289970000&en=fc173cd843fa272d&ei=5090&partner=rssuserland&emc=rss
**** RESOURCES ****
WHAT IS WEX? (Cornell Law School) -- Wex is an ambitious effort to construct a collaboratively-created, public-access law dictionary and encyclopedia. It is sponsored and hosted by the Legal Information Institute at the Cornell Law School (http://www.lawschool.cornell.edu/). Much of the material that appears in Wex was originally developed for the LII’s “Law about...” pages, to which Wex is the successor. http://www.law.cornell.edu/wex/index.php/Main_Page
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com.
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
MICROSOFT: WE WERE RAILROADED IN MASSACHUSETTS ON ODF (ZDnet, 17 Oct 2005) -- Those were not Microsoft’s exact words, but if you were a fly on the wall [to] recent correspondence with Microsoft’s Alan Yates regarding how Microsoft’s XML-based Office file formats ended up off of Massachusetts’ list of approved file formats (essentially pulling the state’s plug on future usage of Microsoft Office), it would be difficult to summarize his opinion in any other way. To the untrained eye, the Massachusetts decision -- formally known as that state’s Enterprise Technical Reference Model (henceforth referred to as MA ETRM) -- looks like one of those small open source victories for some European municipality looking to establish independence from big bad proprietary American technology. Such victories are important, no doubt, to that town, city, or country, and perhaps even to certain technology communities in general (e.g., open source) -- but largely peripheral to the bigger battle. But MA ETRM is about far more than open source. Industry historians will later view it as one of the most brilliant chess moves by a handful of industry titans with a common interest in breaking Microsoft’s dominant grip. http://news.zdnet.com/2100-3513_22-5893208.html
DEALING WITH DATA THEFT: AFTER THE FACT (InternetWeek, 20 Oct 2005) -- Time and again, businesses fall short in their ability to protect their customer information as criminals looking to steal data get wiser and more creative. Whether customer data is stolen or lost through hacking, physical means such as a misplaced laptop or hijacked data tapes, or an unscrupulous employee, the results are the same: customers at risk and a huge black eye for the company. No industry grapples more with data theft and the ensuing customer relationship nightmare than the financial services sector, which will increase spending on IT security and related issues 12% this year to $1.8 billion, according to consulting firm Celent. How these companies respond to the seemingly inevitable security breach can change the way they are viewed by customers and the general public. Handle it right, and a company can flip the negative into a positive and earn customers’ respect and appreciation. Handle it wrong, and the business will forever fight the stigma of an untrustworthy organization. The good news is the financial services industry is fast making an art form out of dealing with security breaches, and its experience can serve as an invaluable guideline for any business holding sensitive customer information. http://internetweek.cmp.com/shared/article/printablePipelineArticle.jhtml?articleId=172302862
AFTER SONGS AND VIDEOS, CRIB NOTES BECOME THE LATEST OFFERING FOR IPODS (Chronicle of Higher Ed, 27 Oct 2005) -- With iPods slowly working their way into college classrooms, it was only a matter of time before someone put the devices to use as a way of cutting corners on course work. Now a pair of companies has stepped up, offering a line of iPod-ready crib notes to such literary classics as The Great Gatsby and The Scarlet Letter. The notes are taken from study guides published by SparkNotes -- a company that has marketed itself as a hipper version of CliffsNotes, the giant of the field -- and are sold by iPREPpress, a business that retails reference material that can be viewed on the digital music players. Right now about a dozen titles are available at $4.95 apiece. But the companies plan to publish digital guides for about 50 English-department cornerstones, according to Kurt Goszyk, the founder of iPREPpress. The guides basically turn the iPod into a text-based browser: Students can read biographical sketches of characters, review themes and motifs, and test themselves with study questions and answers -- all by using the iPod’s click wheel to navigate a series of hyperlinks. But students can also listen to overviews of the books’ plots and protagonists while they work out at the gym or walk from class to class. The study guides each include about six or seven minutes of audio material for students on the go, said Mr. Goszyk. “But in areas where you really have to concentrate” -- like SparkNotes’ more detailed summaries of quotations and symbolism -- “we kept it as only text,” he said. http://chronicle.com/free/2005/10/2005102702t.htm
INSURER LAUNCHES $10 MILLION OPEN-SOURCE POLICY (ZDnet, 31 Oct 2005) -- Insurance underwriter Kiln, which is a Lloyd’s of London division, and Miller Insurance Services on Monday said they will offer open-source compliance insurance. New York-based Open Source Risk Management will be the exclusive risk assessor. The insurance will cover up to $10 million in damages, including profit losses related to noncompliance with an open-source software license. The policy could, in some cases, cover the cost of repairing code that was found to infringe on open-source licenses such as the General Public License, which is used with the Linux operating system. The insurers said more than 30 legal claims in the last two years have involved infringements on open-source licenses. In each case, the plaintiffs were able to restrict the use of their code. “The emerging open-source model of worldwide collaborative technology development introduces novel business risks that traditional insurance products can, but have not, addressed,” said Matthew Hogg, an underwriter for Kiln Risk Solutions. Daniel Egger, CEO of Open Source Risk Management, said many companies inadvertently expose themselves to legal risks when they use open-source software. In particular, companies may infringe on copyright laws when distributing their own software--which could include open-source products--to business partners or customers, Egger said. http://news.zdnet.com/2100-3513_22-5924112.html [Editor: Of course, with the insurance coverage will come emergent best-practices, standards, and processes.]
U.S. MULLS NEW DIGITAL-SIGNATURE STANDARD (CNET, 1 Nov 2005) -- A team of Chinese scientists shocked the data security world this year by announcing a flaw in a widely used technique for creating and verifying digital signatures in e-mail and on the Web. Now the U.S. government is trying to figure out what to do about it. The decade-old algorithm, called the Secure Hash Algorithm, or SHA-1, is an official federal standard and is embedded in every modern Web browser and operating system. Any change will be expensive and time-consuming--and a poor choice by the government would mean that the successor standard may not survive another 10 years. “We’re going to have to make a decision fairly soon about where to push people,” said John Kelsey of the National Institute of Standards and Technology (NIST), which convened a workshop here on the topic Monday. Even though NIST is only technically responsible for government standards-setting, Kelsey noted, “we’re likely to get a lot of other people to head in that direction as well.” The findings by the researchers at China’s Shandong University, which they described in an interview with CNET News.com in March, are still of more theoretical than practical interest. But as computing speed accelerates, their discovery eventually will make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature--unless a different, more secure “hash” algorithm is adopted. http://news.com.com/U.S.+mulls+new+digital+signature+standard/2100-1029_3-5924982.html?tag=nefd.lede
DATA LAWS RAISE SECURITY WORRIES (VNUnet, 2 Nov 2005) -- Regulatory compliance is now the biggest security concern for IT departments, according to international research. Nearly two-thirds of firms that responded to consultancy Ernst & Young’s survey cited complying with electronic data retention regulations such as Sarbanes-Oxley and the European Union 8th Directive on company law as their primary IT security focus. But despite senior management fears of prosecution making security a board issue, IT departments are failing to make information security an integral part of the business, says The Global Information Security Survey 2005. ‘Images of directors being taken away in orange jumpsuits and silver manacles are making firms sit up and take notice,’ said Ernst & Young partner Antony Smyth. ‘It is a chance for departments to make use of the focus that security is getting in the boardroom, but most are not doing this.’ The survey of more than 1,300 public and private sector organisations in 55 countries found 81 per cent of firms view IT security as the most important element in complying with data policies. Just 56 per cent of IT directors cited security as important for aiding other business strategies. Some 88 per cent of firms are updating policies and procedures to comply with regulations, but only 41 per cent are using the opportunity to reorganise their IT security functions or to make changes to systems architecture. The survey also suggests that organisations are not securing information and systems when they outsource their operations to third parties. One fifth of firms do not address the risks of communicating electronically with suppliers, outsourcers and partners, and 33 per cent only have informal procedures to deal with these risks. http://www.vnunet.com/computing/news/2145373/laws-raise-security-worries
MICROSOFT CALLS FOR BROAD PRIVACY LAW (Reuters, 3 Nov 2005) -- Microsoft Corp. on Thursday called for a broad national law to protect consumer privacy and a top Republican lawmaker said he planned to push such a bill next year, amid heightened consumer concerns about identity theft and online fraud. “This is the time, this is the place, we believe, for the government to adopt privacy legislation on a national basis,” Microsoft General Counsel Brad Smith said at a lunch event. Texas Republican Rep. Joe Barton, who chairs the House Energy and Commerce Committee, said at a separate event that he plans to introduce a comprehensive privacy bill next year. High-tech businesses, including Microsoft, helped block attempts to pass a national privacy law in 2001 and 2002, arguing that businesses can be trusted to handle consumer profiles responsibly. Since then, most Fortune 500 companies have developed “privacy policies” that spell out, often in dense legalese, what they do with credit-card numbers, birthdates and other information consumers give to them. Congress, meanwhile, has tackled a number of privacy issues, from “spam” e-mail to telemarketing to computer “spyware.” Lawmakers are currently wrangling over legislation that would require businesses to let consumers know when their account information has been exposed to outsiders. Still, several polls have found that privacy concerns have prompted some consumers to cut back on online purchases, and a rash of data breaches has exposed sloppy security practices at banks, universities and a wide range of other institutions. Smith said a broad privacy law spelling out how businesses handle consumer information is now needed to shore up consumer confidence and simplify a legal landscape that is becoming cluttered by conflicting state and national laws. “It’s the patchwork of state laws that is causing a lot of heartburn, not any one individual law,” he said. 
Any legislation should allow consumers to limit how information about them is used and should apply to online and offline businesses equally, Smith said. Online retailer eBay Inc. is also pushing for a national privacy law, a lobbyist for the company said, while computer maker Hewlett-Packard Co. has backed such a law for years. A prominent civil liberties advocate said Smith’s speech was a significant development. “This creates some momentum for really addressing privacy legislation as early as next year,” said Jerry Berman, president of the Center for Democracy and Technology. http://news.yahoo.com/s/nm/20051103/wr_nm/privacy_dc
WANT ‘WAR AND PEACE’ ONLINE? HOW ABOUT 20 PAGES AT A TIME? (New York Times, 4 Nov 2005) – In a race to become the iTunes of the publishing world, Amazon.com and Google are both developing systems to allow consumers to purchase online access to any page, section or chapter of a book. These programs would combine their already available systems of searching books online with a commercial component that could revolutionize the way that people read books. The idea is to do for books what Apple has done for music, allowing readers to buy and download parts of individual books for their own use through their computers rather than trek to a store or receive them by mail. Consumers could purchase a single recipe from a cookbook, for example, or a chapter on rebuilding a car engine from a repair manual. The initiatives are already setting off a tug of war among publishers and the potential vendors over who will do business with whom and how to split the proceeds. Random House, the biggest American publisher, proposed a micropayment model yesterday in which readers would be charged about 5 cents a page, with 4 cents of that going to the publisher to be shared with the author. The fact that Random House has already developed such a model indicates that it supports the concept, and that other publishers are likely to follow. The proposals could also become bargaining chips in current lawsuits against Google by trade groups representing publishers and authors. These groups have charged that Google is violating copyrights by making digital copies of books from libraries for use in its book-related search engine. But if those copies of older books on library shelves that have long been absent from bookstores started to produce revenue for publishers and authors, the trade groups might drop some of their objections. 
In a telephone interview yesterday, Paul Aiken, executive director of the Authors Guild, which filed a federal copyright infringement lawsuit against Google in September over its Google Print program, called the Amazon announcement “a positive development.” “This is the way it’s supposed to work: to give consumers access to books and have revenues flow back to publishers and authors,” Mr. Aiken said. “Conceptually, something similar might be possible for the Google program.” Amazon said yesterday that it was developing two programs that would begin some time next year. The first, Amazon Pages, is intended to work with the company’s “search inside the book” feature to allow users to search its universe of books and then buy and read online whatever pages they need of a given book. The second program, Amazon Upgrade, will allow customers to add online access to their purchase of a physical copy of a book. [Editor: Very interesting and promising developments. Let’s hope Amazon-Upgrade doesn’t echo MP3.com’s missteps; there must be more to the model than is described here.] http://www.nytimes.com/2005/11/04/technology/04publish.html?ex=1288760400&en=4ef1b1171533988d&ei=5090&partner=rssuserland&emc=rss
FRENCH GIVE A QUALIFIED ‘NON’ TO SNOOPING OF P2P IP ADDRESSES (Steptoe & Johnson’s E-Commerce Law Week, 5 Nov 2005) -- On October 24, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), dealt a blow to music industry enforcement efforts against peer-to-peer (P2P) file-sharing by announcing that it would not permit the automated monitoring of users of P2P file sharing systems. The CNIL concluded such monitoring could lead to “a massive collection of personal data” and allow “exhaustive and continuous surveillance” of P2P sites “beyond that which was necessary for the fight against piracy”. The CNIL’s stance runs counter to its own ruling in April authorizing similar P2P site surveillance by the Syndicat des Editeurs de Logiciels de Loisirs (SELL), a trade association representing French video game producers, whose members include video game industry heavyweights such as Sega, Sony, and Atari. Defending its apparent volte-face, the CNIL noted that SELL had pledged to send messages to suspected P2P site users itself, rather than asking ISPs to act as third party intermediaries, and had agreed to take an anonymous approach in communicating with suspected violators. In French, we believe that’s what is called “une distinction sans différence.” In any event, if French Culture Minister Renaud Donnedieu de Vabres is to be believed, forthcoming consideration in the French Parliament of the implementation of the EU Copyright Directive might allow the music industry anti-piracy initiative to move forward. Consideration of the EU Copyright Directive by the French Parliament is scheduled to begin in December. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11105&siteId=547
HOMELAND SECURITY’S VAGUE CYBER PLAN (CNET, 7 Nov 2005) -- A preliminary report released by the Department of Homeland Security seems to scatter cybersecurity responsibilities across the government and the private sector while sticking to generalities about future plans. In its 175-page draft of the National Infrastructure Protection Plan, or NIPP, the department outlines a broad framework for protecting the nation’s “critical infrastructure” and “key assets”--bureaucratic argot referring to everything from the power grid to dams to computer systems. President Bush first commissioned the plan in December 2003, and the Department of Homeland Security released an early version in February. According to a notice announcing the document’s availability, the latest version aims to provide greater detail. The term “cybersecurity” appears 148 times in the draft, and a 16-page appendix devoted to the topic offers some suggestions for threat analysis, response readiness and training. But the rest is worded in terms of generalities. The plan asserts that cybersecurity responsibilities should ultimately lie with the Department of Homeland Security but also calls on state and local governments to come up with information security measures and to be aware of vulnerabilities in their systems. The report charges academia and research institutions with devising “best practices” for IT security and the private sector with ensuring that it is “satisfying cyberprotection standards.” The document suggests that work should be done through a “sector partnership model”--that is, informal advisory bodies composed of private-sector and governmental representatives from the same subject area. It proposes several lists of general actions that various sectors should take (for example, “set sector-specific security goals”) and allocates deadlines from the adoption of the plan to accomplish them (in that particular case, 90 days). The recommendations are often vague. 
For example, the suggestion that the Department of Homeland Security should lead and develop a “national cybersecurity exercise” to simulate responses to an attack is listed as an “ongoing” project with no deadline. And under a category referring to the steps the government should take to deal with “privacy and constitutional freedoms,” the department lists no suggested actions. http://news.com.com/2100-7348_3-5937715.html Draft at http://dw.com.com/redir?destUrl=http%3A%2F%2Fpolitechbot.com%2Fdocs%2Fdhs.nipp.110205.pdf&siteId=3&oId=2100-7348-5937715&ontId=1009&lop=nl.ex [Editor: Oh, for Pete’s sake! The USG has been dithering on this for more than five years; it’s time for some useful, specific proposals. E.g., tax breaks for secure software; procurement policies that reject standard ‘no-liability’ language; antitrust exemption and confidentiality assurance for ISAC operations; etc.]
HISTORY’S WORST SOFTWARE BUGS (Wired, 8 Nov 2005) -- Last month automaker Toyota announced a recall of 160,000 of its Prius hybrid vehicles following reports of vehicle warning lights illuminating for no reason, and cars’ gasoline engines stalling unexpectedly. But unlike the large-scale auto recalls of years past, the root of the Prius issue wasn’t a hardware problem -- it was a programming error in the smart car’s embedded code. The Prius had a software bug. With that recall, the Prius joined the ranks of the buggy computer -- a club that began in 1945 when engineers found a moth in Panel F, Relay #70 of the Harvard Mark II system. The computer was running a test of its multiplier and adder when the engineers noticed something was wrong. The moth was trapped, removed and taped into the computer’s logbook with the words: “first actual case of a bug being found.” Sixty years later, computer bugs are still with us, and show no sign of going extinct. As the line between software and hardware blurs, coding errors are increasingly playing tricks on our daily lives. Bugs don’t just inhabit our operating systems and applications -- today they lurk within our cell phones and our pacemakers, our power plants and medical equipment. And now, in our cars. But which are the worst? It’s all too easy to come up with a list of bugs that have wreaked havoc. It’s harder to rate their severity. Which is worse -- a security vulnerability that’s exploited by a computer worm to shut down the internet for a few days or a typo that triggers a day-long crash of the nation’s phone system? The answer depends on whether you want to make a phone call or check your e-mail. http://www.wired.com/news/technology/bugs/0,2924,69355,00.html?tw=wn_tophead_1 [Editor: Fun story. The CIA-bug-in-Soviet-pipeline story (more at http://www.msnbc.msn.com/id/4394002), if true, isn’t the only case of such a plant.]
ARE YOU A ‘PUBLIC FIGURE’? (Wired, 9 Nov 2005) -- Can being mentioned on the net turn an ordinary citizen into a public figure with severely limited abilities to fight libel and defamation lawsuits? According to a Florida judge’s ruling -- perhaps the first of its kind in the United States -- the answer is yes. In an Oct. 21 ruling, Florida circuit court Judge Karen Cole threw out a defamation case against two TV stations because she deemed the plaintiff -- a Jacksonville woman -- to be a public figure who had been subject to “substantial” internet debate. In the eyes of the law, public figures are usually politicians or celebrities, who have limited rights to claim that they’ve been libeled or defamed, thanks to a 1964 ruling by the U.S. Supreme Court. Among other things, Cole said plaintiff Eliza Thomas had become a public figure because there had been “substantial public debate” regarding her and her husband on the internet. http://wired.com/news/politics/0,1283,69511,00.html?tw=wn_tophead_4
SONY’S ANTI-FILE-SHARING CD CAUSES A FIRESTORM OF ANGER (Houston Chronicle, 8 Nov 2005) -- Since the dawn of file-sharing in the late 1990s, the music industry has struggled with keeping its wares from being traded freely. Recording labels have tried all kinds of approaches, from suing their own customers to Draconian copy protection to changing formats. The one that has worked the best — surprise! — has been to offer a low-cost way to buy music that allows users to do pretty much what they want to do with the tunes they purchase. It’s almost as though there’s a Good Side and a Dark Side to the musical force. Over time, you’d think the business would get that the Good Side will win more converts. That is, until you see something like the strange case of the Sony rootkit. On Halloween, a developer with an Austin-based software company posted on his blog a detailed report on a troubling discovery — a CD from Sony BMG had installed software on his PC that uses the same technique for hiding itself as the most pernicious type of spyware. Mark Russinovich of Sysinternals also discovered that the software, known as a rootkit, could then be used by the creators of viruses and worms to hide their own malicious payloads. A rootkit works at the very lowest levels of the Windows operating system to cloak files. Spyware purveyors use the technique to hide their code from programs designed to find and remove it. In Sony’s case, the rootkit was part of a media player designed to restrict how a CD’s tunes are played, stored to a computer’s hard drive or copied, and was used to hide those files, making it difficult to get around the protection. The software was installed when the CD’s buyers — in Russinovich’s case, Van Zant’s Get Right with the Man — first tried to play the disc on a PC. The disc can’t be used in a PC without Sony’s player. The rootkit hid the software by looking for a particular sequence of characters in the name. 
Any files that included the sequence were cloaked. Russinovich had to jump through hoops to find the software, trace its source and remove it. When he did, he found the process disabled his CD drives, which were no longer visible in Windows Explorer. His report, at www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html, concluded: “The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files ... will cripple their computer if they attempt the obvious step of deleting the cloaked files.” http://www.chron.com/cs/CDA/ssistory.mpl/business/3445666
[Commentator: “Many of you have probably read about the discovery someone recently made that Sony’s new DRM has a rather dark side. Here is an EFF page that describes not only some of the ‘bad’ stuff in the software but also the onerous provisions of the EULA that comes with the CD. The EFF page has information about the ‘rootkit’ that gets installed on your machine, as well as a summary of the ‘bad’ provisions in the EULA. http://www.eff.org/deeplinks/archives/004145.php. Mark Russinovich has a detailed explanation on his blog of how the Sony DRM works and why people are claiming that it is a rootkit. I strongly recommend reading before discussing these issues. The explanation is at http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html”
-- and -- “It turns out that despite Sony’s denials, the player software that comes with the DRM’d CDs phones home each time it is launched. Mark Russinovich, the guy who originally broke the story, has detailed his proof of this. Discussion at http://malwarecle.blogspot.com/2005/11/how-much-worse-can-this-get.html”]
Also, REAL STORY OF THE ROGUE ROOTKIT (Wired, 17 Nov 2005, by Bruce Schneier) at http://www.wired.com/news/privacy/0,1848,69601,00.html; ITALIAN POLICE ASKED TO INVESTIGATE SONY DRM CODE (PCWorld, 7 Nov 2005) at http://www.pcworld.com/news/article/0,aid,123454,00.asp
[Editor: Trespass to Chattels? A perfect application of this expanded doctrine; CFAA? If mens rea can be shown; Deceptive Trade Practices? You bet! Sony has gone way over the line, and its lawyers (especially those who reviewed the EULA) have done a very poor job.]
MAN SPENDS $100,000 ON VIRTUAL SPACE STATION IN ONLINE GAME (AP, 10 Nov 2005) -- In one of the largest sales yet of property in an online game, a Miami resident has bought a virtual space station for $100,000 and wants to turn it into a cross between Jurassic Park and a disco. Jon Jacobs, a director of independent films, plans to call the space resort, in the science-fiction themed game Project Entropia, “Club Neverdie.” Like other land areas in the game that has been visited by 300,000 players, the resort grounds will spawn dinosaur-like monsters, which visitors can kill. Jacobs will take a cut of the virtual resources that the carcasses yield, like hides. Jacobs, 39, plans to hire famous disc jockeys to entertain visitors once a week or so at the resort but still reckons on netting $20,000 a month from the hunting tax and other income. “I want to operate this thing at the level of a major nightclub in a major city,” Jacobs said. Jacobs bought the property late last month from MindArk PE AB, Project Entropia’s Swedish developer. The game, which has no subscription fee, has its own currency but it’s convertible at a fixed rate to dollars. About a quarter of the purchase money came from Jacobs’ in-game earnings. Over three years playing Project Entropia, Jacobs accumulated items that later became worth thousands of dollars, like first-aid kits and powerful weapons. He sold those items last year to buy an island in Project Entropia, but was outbid - it sold for $26,500, the previous record sale in that world. He refinanced his house shortly after and considered investing some of the cash in the hot Miami real-estate market, but he realized that if he bought a rental property, it really wouldn’t generate any income beyond what he’d pay for the mortgage and repairs. So he invested the proceeds in the game. http://news.yahoo.com/s/cmp/20051110/tc_cmp/173601281
INTERNET SERVICE TO PUT CLASSIC TV ON HOME COMPUTER (New York Times, 14 Nov 2005) -- Looking for “The Fugitive”? Didn’t get enough “Eight Is Enough”? Would you like to “Welcome Back, Kotter” one more time? Warner Brothers is preparing a major new Internet service that will let fans watch full episodes from more than 100 old television series. The service, called In2TV, will be free, supported by advertising, and will start early next year. More than 4,800 episodes will be made available online in the first year. The move will give Warner a way to reap new advertising revenue from a huge trove of old programming that is not widely syndicated. Programs on In2TV will have one to two minutes of commercials for each half-hour episode, compared with eight minutes in a standard broadcast. The Internet commercials cannot be skipped. America Online, which is making a broad push into Internet video, will distribute the service on its Web portal. Both it and Warner Brothers are Time Warner units. An enhanced version of the service will use peer-to-peer file-sharing technology to get the video data to viewers. Warner, with 800 television programs in its library, says it is the largest TV syndicator. It wants to use the Internet to reach viewers rather than depend on the whims of cable networks and local TV stations, said Eric Frankel, the president of Warner Brothers’ domestic cable distribution division. “We looked at the rise of broadband on Internet and said, ‘Let’s try to be the first to create a network that opens a new window of distribution for us rather than having to go hat in hand to a USA or a Nick at Night or a TBS,’” Mr. Frankel said. [Editor: See? P2P has real, non-infringing uses, too.] http://www.nytimes.com/2005/11/14/business/14warner.html?ex=1289624400&en=a46d72f19b7403e3&ei=5090&partner=rssuserland&emc=rss
MORE FIND ONLINE ENCYCLOPEDIA IS HANDY (New York Times, 14 Nov 2005) -- By several measures, the user-written online encyclopedia Wikipedia (www.wikipedia.com) has exploded in popularity over the last year. The Internet traffic-measurement firm Nielsen//NetRatings found that Wikipedia had more than tripled its monthly readership in September from the same month in 2004. September may have been a month of especially heavy usage for Wikipedia: the site does better during major news events, and September saw both the aftermath of Hurricane Katrina and the confirmation of John G. Roberts Jr. as chief justice of the United States Supreme Court. But Wikipedia’s popularity is not limited to periods of big news. Intelliseek, a marketing-research firm that measures online buzz, has found that the term Wikipedia is consistently used by bloggers - about twice as often as the term “encyclopedia” - and showed up in roughly one out of every 600 blog posts last month; it was one of every 3,300 posts in October 2004. “For bloggers, it’s almost like a badge of credibility to embed Wikipedia in their blog references,” said Pete Blackshaw, chief marketing officer for Intelliseek. “There’s something about Wikipedia that confers a degree of respectability, because multiple Web users have converged on it.” http://www.nytimes.com/2005/11/14/business/14drill.html?ex=1289624400&en=73da448cea0792a2&ei=5090&partner=rssuserland&emc=rss
A COMPROMISE OF SORTS ON INTERNET CONTROL (New York Times, 16 Nov 2005) -- Representatives from the United States and nations that had sought to break up some of its control over the Internet reached an accord on Tuesday night that leaves the supervision of domain names and other technical resources unchanged. They agreed instead to an evolutionary approach to Internet management. But the accord, a document of principles that delegates from more than 100 countries worked out here after more than two years of sometimes fiery argument, also established a new international forum intended to give governments a stronger voice in Internet policy issues, including the address system, a trade-off that the Americans were willing to accept. The text of the document is to be approved at a United Nations summit meeting on information-age issues that begins Wednesday in Tunis. American delegates who had been working on the document celebrated the outcome. Only in September, the European Union had made a well-received proposal to put some of the American powers under a new agency. And in the prelude to the talks that resumed this week, increasing pressure had been brought on the Americans to share their authority. David A. Gross, coordinator of international communications and information policy in the State Department, said late Tuesday: “I didn’t think it was possible. We did not change anything about the role of the U.S. government. It’s very significant.” The United States maintained that diluting the authority of the body that now manages the Internet address structure, the Internet Corporation for Assigned Names and Numbers, known as Icann, could jeopardize the stability and security of the global network. http://www.nytimes.com/2005/11/16/technology/16net.html?ex=1289797200&en=8cef00d486e38143&ei=5090&partner=rssuserland&emc=rss Agreed text at http://lists.essential.org/pipermail/random-bits/2005-November/001305.html
SHOP-TILL-YOU-DROP SPECIALS, REVEALED HERE FIRST (New York Times, 17 Nov 2005) -- For retailers, the day after Thanksgiving is a painstakingly orchestrated affair. Prices are scientifically slashed, down to the penny. Sales begin at dawn. And glossy circulars containing the well-laid plans are distributed just a day or two ahead to keep consumers and competitors in the dark. Or at least that is how it worked before people like Michael Brim came along. From a cramped dorm room in California, Mr. Brim, an 18-year-old college freshman who dines on Lucky Charms and says he rarely shops, is abruptly pulling back the curtain on the biggest shopping day of the year. His Web site, BF2005.com, publishes the circulars for what retailers call Black Friday - the day that officially starts the holiday shopping season - weeks ahead of time. So far this year, sources have leaked advertisements to him from Toys “R” Us (showing the Barbie Fashion Show Mall, regularly $99.99, for $29.97); Sears (a Canon ZR100 MiniDV camcorder, regularly $329.99, for $249.99); and Ace Hardware (a Skil 12-volt drill, regularly $44.99, for $24.99). Mr. Brim says his motive is to educate consumers. But retailers are furious, arguing that the site jeopardizes their holiday business, and they have threatened legal action. But BF2005.com is not their only problem. There are now at least three Web sites dedicated to digging up Black Friday sales secrets, creating a fierce competition to post the ads first. It is so heated, in fact, that all three sites stamp the circulars with bright electronic watermarks to discourage rivals from stealing a scoop. http://www.nytimes.com/2005/11/17/business/17shop.html?ex=1289883600&en=ed15eb16d7a6526a&ei=5090&partner=rssuserland&emc=rss
JUDGES REJECT CELL-PHONE TRACKING (Wired, 17 Nov 2005) -- For the third time in recent months, a federal judge has balked at allowing government investigators to track a citizen via cell phone in real time without agents showing probable cause. Andrew J. Peck, a magistrate judge with the U.S. District Court for the Southern District of New York, asked the Justice Department to clarify its arguments after learning that a Long Island magistrate judge initially denied a similar request in August. All three cell-tracking requests accompanied more traditional requests to capture the dialing information of incoming and outgoing calls. Those orders only require investigators to certify that the information is likely relevant to an ongoing investigation. A Texas judge and the Long Island judge ultimately rejected the location-tracking requests in harshly worded opinions last month, concluding investigators cannot track cell phones without going through the hoops necessary for getting a traditional search warrant. Investigators normally need to prove probable cause to a judge if a tracking device reveals information about nonpublic places. http://www.wired.com/news/privacy/0,1848,69598,00.html Steptoe & Johnson’s useful discussion at http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11105&siteId=547
A COURT FIGHT TO KEEP A SECRET THAT’S NO REAL SECRET AT ALL (New York Times, 18 Nov 2005) -- As government secrets go, this one did not take long to unravel. Federal investigators did not want the public to know that they had requested confidential information about library use in Connecticut from a little-known organization called Library Connection. Revealing the organization’s identity, government lawyers warned, could compromise national security by tipping off the target of the investigation. But even as the federal government was arguing in court that it needed to keep Library Connection’s name secret, it had carelessly left its name sprinkled throughout court records. It was right there, in bold type, on Page 7 of an Aug. 16 memorandum of law, in between black splotches applied by government censors to wipe out hints of the organization’s identity. It was also on Page 18 of the memo, and it was visible in the header line on a court Web site to anyone who looked up the case using the file number. The name of the organization was so evident, both through telltale clues and explicit references, that The New York Times published it six times in news reports on the continuing court case, and it was named in other publications as well. Yet the federal government continues to argue in federal courts in Bridgeport, Manhattan and Washington that the identity of Library Connection, a consortium of libraries, must be kept secret, in the interest of rooting out potential terrorists. A decision from the United States Court of Appeals for the Second Circuit, in New York, could come soon. Library Connection, meanwhile, has been in a delicate spot: Under the USA Patriot Act, which allows the secret request for information, the organization risks prosecution if it says plainly what many already know. Its executive director, George Christian, has answered “no comment” to numerous reporters who have asked him about the case, and a member of his board who is an authority on intellectual freedom, Peter Chase, has had to decline speaking engagements - even as government officials like Kevin J. O’Connor, the United States attorney for the District of Connecticut, have been free to accept them. http://www.nytimes.com/2005/11/18/nyregion/18library.html?ex=1289970000&en=fc173cd843fa272d&ei=5090&partner=rssuserland&emc=rss
**** RESOURCES ****
WHAT IS WEX? (Cornell Law School) -- Wex is an ambitious effort to construct a collaboratively-created, public-access law dictionary and encyclopedia. It is sponsored and hosted by the Legal Information Institute at the Cornell Law School (http://www.lawschool.cornell.edu/). Much of the material that appears in Wex was originally developed for the LII’s “Law about...” pages, to which Wex is the successor. http://www.law.cornell.edu/wex/index.php/Main_Page
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.