Monday, May 23, 2005

MIRLN -- Misc. IT Related Legal News [23 April – 21 May 2005; v8.06]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and in the public materials section of the Cyberspace Committee’s collaboration space at

**************End of Introductory Note***************

FRENCH DATA PROTECTION AUTHORITY ALLOWS SOFTWARE DEVELOPERS TO MONITOR P2P NETWORKS (DM Europe, 18 April 2005) -- The French data protection authority has announced that it is to allow the Syndicat des Editeurs de Logiciels de Loisirs (SELL) - the French software developers’ trade association - to monitor data traffic over peer-to-peer file-sharing networks. The Commission nationale de l’informatique et des libertés (CNIL) has permitted SELL to send warning messages to users uploading illegally copied software and then locate and use the IP addresses of such individuals in legal proceedings.

E-COMMERCE SITES FORCED TO ADOPT SECURITY STANDARDS (Ecommerce Times, 23 April 2005) -- Online retailers will be forced to tighten security and improve their handling of customer data under new rules being introduced by the credit card industry to stop identity theft. From June 30, all e-commerce sites with internal systems that process, store or transmit cardholder information will have to comply with the Payment Card Industry (PCI) Data Security Standard or face significant fines. In extreme cases, online merchants could be banned from processing transactions using payment cards. Backed by MasterCard, Visa, American Express (NYSE: AXP), Diners Club and JCB Cards, the standard requires Internet retailers to carry out a 12-step security audit, which will be certified annually and checked every three months.

-- and --

SOVEREIGN BLAMES RETAILER IN ID THEFT SCAM (Philadelphia Business Journal, 11 Feb 2005) -- Sovereign Bank is trying to blame BJ’s Wholesale Club Inc. in an identity theft scheme that victimized hundreds of the bank’s debit cardholders last year. The bank said last June that a computer hacker had stolen account information from at least 700 debit card customers and that it was forced to reissue 80,000 new debit cards. But it offered no other details at the time. But in January, Sovereign filed a civil lawsuit in Berks County Court of Common Pleas saying the account information was stolen from BJ’s after bank customers made purchases from the retailer, which has its headquarters in Natick, Mass. In its lawsuit, Sovereign said that under rules established by Visa, which issued the Sovereign cards, BJ’s was supposed to delete cardholder information from its computers after the transaction was complete.

FEDS RETHINKING RFID PASSPORT (Wired, 26 April 2005) -- Following criticism from computer security professionals and civil libertarians about the privacy risks posed by new RFID passports the government plans to begin issuing, a State Department official said his office is reconsidering a privacy solution it rejected earlier that would help protect passport holders’ data. The solution would require an RFID reader to provide a key or password before it could read data embedded on an RFID passport’s chip. It would also encrypt data as it’s transmitted from the chip to a reader so that no one could read the data if they intercepted it in transit. Frank Moss, deputy assistant secretary for passport services, told Wired News on Monday that the government was “taking a very serious look” at the privacy solution in light of the 2,400-plus comments the department received about the e-passport rule and concerns expressed last week in Seattle by participants at the Computers, Freedom and Privacy conference. Moss said recent work on the passports conducted with the National Institute of Standards and Technology had also led him to rethink the issue. “Basically what changed my mind was a recognition that the (reading distance) may have actually been able to be more than 10 centimeters, and also recognition that we had to do everything possible to protect the security of people,” Moss said.

MICROSOFT TO ADD ‘BLACK BOX’ TO WINDOWS (CNET, 26 April 2005) -- In a move that could rankle privacy advocates, Microsoft said Monday that it is adding the PC equivalent of a flight data recorder to the next version of Windows, in an effort to better understand and prevent computer crashes. The tool will build on the existing Watson error-reporting tool in Windows but will provide Microsoft with much deeper information, including what programs were running at the time of the error and even the contents of documents that were being created. Businesses will also choose whether they want their own technology managers to receive such data when an employee’s machine crashes. “Think of it as a flight data recorder, so that any time there’s a problem, that ‘black box’ is there helping us work together and diagnose what’s going on,” Microsoft Chairman Bill Gates said during a speech at the Windows Hardware Engineering Conference here. For consumers, the choice of whether to send the data, and how much information to share, will be up to the individual. Though the details are being finalized, Windows lead product manager Greg Sullivan said users will be prompted with a message indicating the information to be sent and giving them an option to alter it, such as removing the contents of the e-mail they were writing when the machine crashed. Also, such reporting will also be anonymous. With businesses, however, IT managers typically set the policy. If they wanted total information, they could configure systems so that they’d know not only that a user was running Internet Explorer, for example, but also that he or she was watching a video from Or, they might find out not only that a worker was running Instant Messenger but also that he or she was talking to a co-worker about getting a new job. And consumers could have a tough time knowing just what information they were sending. Though they’ll be able to see the contents of a document, they may not recognize the significance of the technical data--such as register settings--that’s being sent.

GROUP WANTS ENCRYPTION BANS OVERTURNED (CNET, 27 April 2005) -- An international security consortium plans to push governments around the world to withdraw restrictions on the use of encryption. Countries including China, Israel, Russia and Saudi Arabia have strict rules governing the use of encryption tools, and in some cases they have banned these tools. The Jericho Forum, which is looking to move away from the perimeter model for cybersecurity toward an approach that would make data totally secure, hinted that such policies could cause problems for e-commerce. The Jericho Forum, whose membership includes many chief security officers from FTSE 100 companies, will push for the removal of encryption restrictions within the next three to five years.

SPIDERS CAN ENTER CONTRACTS TOO! (Steptoe & Johnson’s E-Commerce Law Week, 28 April 2005) -- It wouldn’t be unheard-of for a web surfer to accept the terms of a Terms of Use or “click-through” agreement without actually reading it ... and then for a court to hold him to the terms of that agreement. So is there a difference if his automated software tool does the “clicking” -- also without actually reading the agreement? Not according to the US District Court for the Northern District of California. In Cairo, Inc. v. CrossMedia Services, Inc., the court held that automated software tools called “spiders” can legally consent to the terms of use or terms of service agreements on websites they visit -- thereby committing their operators to the terms of those agreements and subjecting them to liability for violations. (The case breaks new legal ground, but the court designates its opinion as “unpublished,” which usually means that the ruling has little or no precedential impact. In this case, it may mean that the court lacks confidence in its judgment -- or simply that no one has yet asked the court to publish the opinion.)

WIRETAPS IN U.S. JUMP 19 PERCENT IN 2004 (, 28 April 2005) -- The number of court-authorized wiretaps jumped 19 percent last year as investigators pursued drug and other cases against increasingly tech-savvy suspects. Every surveillance request made by authorities was granted. Federal and state judges approved 1,710 applications for wiretaps of wire, oral or electronic communications last year, and four states — New York, California, New Jersey and Florida — accounted for three of every four surveillance orders, according to the Administrative Office of the U.S. Courts. That agency is required to collect the figures and report them to Congress. The numbers, released Thursday, do not include court orders for terror-related investigations under the Foreign Intelligence Surveillance Act, known as FISA, which reached a record 1,754 warrants last year, according to the Justice Department. In non-terrorist criminal investigations, federally approved wiretaps increased 26 percent in a year, to 730 applications, while state judges approved 980 wiretaps, an increase of 13 percent. Department of Justice spokesman Kevin Madden said the numbers reflect “an increase in the resources geared toward targeting very serious federal and state offenses for which electronic surveillance is often the most, and sometimes the only, effective investigative method.” Timothy Edgar, legislative counsel for the American Civil Liberties Union, said traditional law enforcement work is catching up with increases in anti-terror wiretaps. “We’re still seeing a huge trend toward increased surveillance,” said Edgar.

U.S. CRITICIZES WORLD IN SPECIAL 301 IP REPORT (BNA’s Internet Law News, 3 May 2005) -- The U.S. Trade Representative has released its annual Special 301 report on the IP policies of countries from around the world. A long list of countries face criticism - for example, Canada is criticized for its proposed copyright reform, India and Israel on pharmaceuticals, and Taiwan for lack of enforcement.

YOUR IDENTITY, OPEN TO ALL (Wired, 6 May 2005) -- A search for personal data on -- one of the most comprehensive personal-data search engines on the net -- tends to elicit one of two reactions from first-timers: terror or curiosity. Which reaction often depends on whether you are searching for someone else’s data, or your own. ZabaSearch queries return a wealth of info sometimes dating back more than 10 years: residential addresses, phone numbers both listed and unlisted, birth year, even satellite photos of people’s homes. ZabaSearch isn’t the first or only such service online. Yahoo’s free People Search, for example, returns names, telephone numbers and addresses. But the information is nothing more than what’s been available for years in the White Pages. Far more personal information is available from data brokers, including aliases, bankruptcy records and tax liens. That access typically requires a fee, however, which has always been a barrier to the casual snooper. But ZabaSearch makes it easier than ever to find comprehensive personal information on anyone. ZabaSearch may give away some data for free, but it charges for additional information -- like background checks and criminal history reports, which may or may not be accurate. The company also plans to sell ads and other services on the search site, much like Google or Yahoo.

EU CLARIFIES “FOURTH WAY” FOR FOREIGN DATA TRANSFERS (Steptoe & Johnson’s E-Commerce Law Week, 7 May 2005) -- Global companies trying to cope with Europe’s data protection laws have traditionally had three options if they wanted to move personal information out of Europe. They could get the consent of everyone whose data would be moved. They could execute a web of agreements among the receiving and sending companies, essentially guaranteeing that European protections would follow European data. Or they could move the data only to the handful of countries whose data protection laws had been approved by European authorities – Argentina, Canada, Guernsey, Isle of Man and Switzerland – and the US, at least for companies that have joined the US-EU Safe Harbor. Now there’s a fourth way. In a pair of documents issued in mid-April – a Model Checklist for Approval of Binding Corporate Rules and a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From “Binding Corporate Rules” – the EU Article 29 Data Protection Working Party set out procedures for approval of “binding corporate rules” (“BCRs”), adopted by a multinational company or other entity, that require compliance with the requirements of the Data Protection Directive and provide for redress by data subjects for violations of their data protection rights. The BCRs approach supplements the other three main options for transfer of personal data outside of the European Economic Area in accordance with Articles 25 and 26 of the Data Protection Directive.

GUARDING INFORMATION (, May 2005) -- The United States loses billions of dollars every year to cyber-crimes, such as identity theft. Yet when it comes to developing a cadre of highly educated and trained cyber-security experts to combat this growing crime wave, we look the other way. Professor Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University, points out that each year, fewer than 100 people graduate with a Ph.D. in cyber-security in the United States. Purdue, which has one of the largest graduate programs for information security in the country, issues only about 15 doctoral degrees in the field every year. Spafford, who also serves on the President’s Information Technology Advisory Committee (PITAC) and acts as security adviser to more than a dozen federal agencies and major corporations, believes strong cyber-security policies not only benefit information assurance and trust in cyber-space, but also can act as a bulwark against terrorist actions as well. But Spafford -- who chairs the U.S. Public Policy Committee of the Association for Computing Machinery, an agency that advises legislators and regulators about the impact of policy on computing technology and vice versa -- is worried about the ongoing lack of support for fighting this growing problem. He took time to speak with Government Technology’s Public CIO about his concerns, the nature of cyber-security, protecting information systems against intrusion and training security professionals. [interview then follows]

SUN MICROSYSTEMS TO DOUBLE INDIAN R&D STAFF (CNET, 6 May 2005) -- Sun Microsystems, which makes network computers and related software, said on Friday it would double the number of staff at its Indian engineering center to 2,000 over the next two to three years. Officials of U.S.-based Sun, which spends an annual $1.9 billion on research and development, said they would expand engineering centers in Russia, China, the Czech Republic and India, while holding back growth in the United States. Stephen Pelletier, senior vice-president of global engineering at Sun, told reporters at a news conference that India and China were important both for new software development and their high-growth economies that have yielded big customers. “You can say Sun software products are all made in India,” he said. “It is obviously cheaper to do business here. But we expect in the next five years the wages to converge more.” The U.S. engineering team is still the biggest for Sun, but the company’s current plans are to grow the R&D centers in Bangalore, Beijing, St. Petersburg and Prague, Pelletier said. The Beijing center is about half the size of the Indian one, which has grown five-fold from 200 staff about three years ago. Officials did not give staff sizes for the other centers.

MISSING BACKUP TAPES SPUR ENCRYPTION AT TIME WARNER (Computer World, 6 May 2005) -- Time Warner Inc. this week said it will “quickly” begin encrypting all data saved to backup tapes after 40 tapes with personal information on about 600,000 current and former employees were lost in transit to a storage facility. The incident is among the biggest in a string of recent data-security mishaps that have also affected companies such as ChoicePoint Inc., Bank of America Corp. and Reed Elsevier Group PLC’s LexisNexis Group unit. A shipping container that held the 40 data tapes was lost on March 22 during a routine shipment to an off-site facility by records management and storage firm Iron Mountain Inc., Time Warner spokeswoman Kathy McKiernan said. She wouldn’t provide more details. However, McKiernan did say Time Warner is trying to convince officials at Boston-based Iron Mountain to change some of their handling procedures. She declined to expand on the status of those discussions. The $42 billion New York-based media giant also said it has provided the affected employees with resources to monitor their credit reports. The lost tapes didn’t include data about Time Warner customers, the company said.

-- and --

DATA-SECURITY LAWS SPROUT IN WAKE OF BREACHES (TechWeb, 13 May 2005) -- Laws at the federal and state levels are altering the landscape for sharing and protecting sensitive customer information, just as widely publicized breaches at companies like Bank of America, ChoicePoint, DSW Shoe Warehouse, and LexisNexis have focused attention on the problem of ID theft. Several states, including Arkansas, Georgia, Montana, and North Dakota, have implemented ID-theft laws patterned after a law in California, and many other states have legislation pending. Observers say a national ID-theft-protection bill also is likely to be enacted. In March several federal agencies--the Federal Reserve System, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Office of Thrift Supervision--jointly issued the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidelines state that financial institutions should implement a response program to address security breaches involving customer information, including procedures to notify customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer. The guidelines also provide that when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, it should conduct a reasonable investigation to determine whether the information has been or will be misused. The interagency guidelines apply only to financial institutions or businesses that are regulated by the agencies that issued them. Morgan Stanley’s Discover Card division, for example, is covered, while its broker-dealer business isn’t, said Howard Lipper, executive director of the technology, intellectual property, and E-commerce group at Morgan Stanley. Lipper spoke at an information security session hosted by law firm Steptoe & Johnson in New York on Friday. The Securities and Exchange Commission, however, is likely to adopt the guidelines verbatim, Lipper said. Brokerage firms are likely to “face some very tough questions on information security practices during their next audit.” The Federal Trade Commission is likely to adopt many provisions of the interagency guidelines as it seeks to extend data-privacy protection across all industries. “The FTC wants to be the traffic cop on information security, but the problem is a traffic cop can’t be everywhere,” said Emily Hancock, an attorney in Steptoe & Johnson’s Washington office. She noted that California and Arkansas are the only states so far to have adopted provisions requiring both notification of breaches and “reasonable security” to prevent breaches. A patchwork of state and federal laws, each with different standards of notification, could raise the compliance costs without providing corresponding increases in data security, said Mark MacCarthy, senior VP of public policy at Visa U.S.A. “Simply passing a new bill isn’t going to make these things go away.” He suggested that market forces, such as the impact on a company’s reputation, would compel companies to adopt tighter security procedures.

PENTAGON CUT AND PASTE (Asia Times, 5 May 2005) -- Talk about rebel technology: the Pentagon this week was not overwhelmed by a dirty bomb or a jet converted into a missile, but by a simple cut and paste job. Like anyone else, the Pentagon uses Adobe Acrobat. At first, the 42 pages of the report which would supposedly shed some light on the March 4 killing of Italian secret agent Nicola Calipari and the wounding of kidnapped journalist Giuliana Sgrena in Baghdad showed up on the Centcom website as a PDF file heavily censored with large sections blacked out - including the significant omission, among others, of the names of all the soldiers involved in the shooting, as well as entire pages. But because the Pentagon failed to save the file properly, all it took was for someone to cut and paste the document into a word-processing application to give Italy and the rest of the world access to the full, uncensored version.

USE OF TRADEMARKS IN INTERNET SEARCHES: GOOGLE CASES LEAD TO CONFLICTING RESULTS (Wilmer, Cutler analysis, 11 May 2005) -- Stemming from its AdWords program, Google Inc. has recently faced a spate of litigation in the United States and France. The AdWords program allows advertisers to bid on keywords, including trademarked terms, which result in the display of the advertisers’ sponsored links when users perform searches using the keywords. This controversial service has caused several companies to file lawsuits against Google. Examples of recent litigation, both foreign and domestic, as well as an overview of the company’s current trademark policies, are described ...

ONLINE DATABASE WILL HOLD THE MIRROR UP TO ‘HAMLET,’ GATHERING EVERY COMMENTARY ON THE PLAY (Chronicle of Higher Education, 10 May 2005) -- More has been written about Hamlet than about any other Shakespeare play, and attitudes toward the work’s main character have shifted over time, says Eric C. Rasmussen, a professor of English at the University of Nevada at Reno. “Victorians saw Hamlet as a wilted wallflower, but in the 60s he was sort of the prototypical angry young man,” says Mr. Rasmussen, who is also the university’s director of graduate studies. “The way people think about Hamlet seems to be a mirror for the way we view our current cultural moment.” Mr. Rasmussen should know. He has spent the past 10 years working with a team of scholars to compile every piece of scholarship and criticism about the play, and then to link it, line by line, to the text in an online database. The mammoth project, supported by some $1-million in grants from the National Endowment for the Humanities, is nearing completion -- although editors plan to add to it as they find more material. “If you are interested in a particular line of the play, to be able to see 400 years’ worth of commentary on that line is pretty remarkable,” he says. About half of the group’s work is available on a free Web site. But readers won’t find commentary for most of the play’s most famous lines yet, because notes for the first half of the script have not yet been uploaded. The scholars hope to have notes for all 3,474 lines up in the next few months, at which point visitors can better discover the meaning of “To be, or not to be,” among other passages.

GILLETTE REPORTEDLY DELETED E-MAIL EVIDENCE (Messaging Pipeline, 12 May 2005) -- In what is apparently another incident of intentional e-mail destruction, Proofpoint reported today that Gillette has disclosed in a filing in Massachusetts Superior Court that senior executives may have deleted e-mails that are subject to a subpoena from Massachusetts Secretary of State William F. Galvin. It was reported in the Boston Globe and the Cincinnati Business Courier that the company is currently under investigation regarding shareholder allegations that Gillette may have sold out to Procter & Gamble at an unacceptably low price. Galvin has called the incident an embarrassing “dog ate my homework” defense because e-mails at the company are saved on multiple machines. Normal backup mechanisms in large corporations generally make complete deletion very difficult. In a comment on the incident, Proofpoint notes that while 74.4 percent of surveyed large corporations have adopted formal e-mail retention policies, only 18.1 percent have deployed technology to enforce such policies.

IBM BACKS FIREFOX IN-HOUSE (CNET, 13 May 2005) -- IBM is encouraging its employees to use Firefox, aiding the open-source Web browser’s quest to chip away at Microsoft’s Internet Explorer. Firefox is already used by about 10 percent of IBM’s staff, or about 30,000 people. Starting Friday, IBM workers can download the browser from internal servers and get support from the company’s help desk staff. IBM’s commitment to Firefox is among its most prominent votes of confidence from a large corporation. Based on development work by the nonprofit Mozilla Foundation, Firefox has been downloaded by more than 50 million people since it debuted in November. Internet Explorer still dominates the overall market by far, though, with Firefox’s share in the single digits. For IBM, the move is a significant step in lessening dependence on a product from rival Microsoft. By supporting Firefox internally, IBM is also furthering its commitment to open-source products based on industry standards, said Brian Truskowski, chief information officer at IBM. “This is a real good example of walking the talk when it comes to open standards and open source,” Truskowski said.

LAWYER VS. LAWYER OVER WEB SITE (ABA Journal, 13 May 2005) -- One New York personal injury law firm is suing another personal injury firm in the state, alleging a Web site noting a state bar panel’s probe of the first firm violates the state’s civil rights act. According to the lawsuit, the firm Moran & Kufta of Rochester posted a headline with a hyperlink on its Web site that told readers that Cellino & Barnes, with offices in Buffalo and Rochester, was being investigated by the New York State Bar Association grievance committee. The headline in question was part of the “Hot Topics” portion of Moran & Kufta’s Web site. It referred readers to a March 11 story in The Buffalo News, “Cellino & Barnes Investigated,” and added: “State Court to Rule on Complaints by Former Clients.” That Web site has since been taken down. On April 18, Cellino & Barnes filed suit in the Supreme Court of New York in Erie County. The suit named James J. Moran and the law firm as defendants, and alleges Moran & Kufta violated section 50 of the New York Civil Rights Law. That law provides in part: “A person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person … is guilty of a misdemeanor.”

TRADEMARKS BLINDSIDE GOOGLE (Steptoe & Johnson’s E-Commerce Law Week, 14 May 2005) -- Search engines make a remarkable amount of money selling ads that are triggered by the search terms you enter. Type in “American music” and Google serves you an ad for Type in “American clothes” and Google serves you an ad for Type in “American blinds” and Google, well, Google gets served with a lawsuit. That’s because there’s a company called American Blind & Wallpaper Factory, which claims that its trademarked name allows it to prevent the use of “American blinds” as a trigger for ads for any other company. This is a controversial claim, to say the least, but it has proven surprisingly strong in the courts. The most recent court to buy into the cause of trademark maximalism, at least preliminarily, is the US District Court for the Northern District of California, which denied Google’s motion to dismiss American Blind’s trademark counterclaims. The court found that when search engines use a trademarked name to trigger ads for competing companies, the search engines have used the trademark in commerce, a use that supports a claim of trademark infringement. This is bad news for search engines and consumers but good news for companies with aggressive trademark programs.

NEW YORK TIMES TO CHARGE FOR ARCHIVES, EDITORIALS (Reuters, 16 May 2005) -- The New York Times Co. on Monday said it plans to charge for some of its editorial columns and its archive of stories online to boost subscription sales, even as it invests in its free service. The New York-based publisher of the namesake newspaper and The Boston Globe said the new product, TimeSelect, will debut in September and cost $49.95 for an annual subscription. The company said most of its stories will still be available online for free. TimeSelect underscores the paper’s push to create more Web products, both free and for a fee, to offset an uncertain advertising market for its print newspapers. The New York Times purchased Web site for about $410 million earlier this year to increase its online advertising inventory. The paper’s print subscribers will have free access to the paper’s columnists online, including those written by Times staffers and International Herald Tribune writers. TimeSelect will also give subscribers access to its archives dating back initially to 1980. The company plans to eventually extend its archives back to the 1850s, a spokesman said.

CARDS LET METRO COLLECT DATA ON RIDERS, TRACK TRIPS (Washington Times, 17 May 2005) -- Metro’s SmarTrip fare cards allow the transit agency to monitor passengers’ travel with little regard for privacy concerns, a group focused on privacy issues says. The SmarTrip fare card, which includes an embedded radio frequency identification (RFID) chip, tracks each rider’s travel and can be matched with the rider’s name, address and credit-card number, according to the District-based nonprofit Electronic Privacy Information Center (EPIC). “Our basic point is that there is a lot of detailed information being collected,” said Marc Rotenberg, executive director of EPIC, a public-interest group established in 1994 to focus attention on emerging threats to civil liberties. “The privacy protections, in our opinion, are inadequate.”

IS YOUR BOSS MONITORING YOUR E-MAIL? (CNET, 18 May 2005) -- If you’re working for a U.S. company, there’s a good chance you’re being watched--and you may get fired for how you use your computer or office phone. That’s the gist of a study on electronic monitoring and surveillance released Wednesday by the American Management Association and the ePolicy Institute. The report found that companies increasingly are “putting teeth in technology policies.” About a quarter of employers have fired workers for misusing the Internet; another 25 percent have terminated employees for e-mail misuse; and 6 percent have fired employees for misusing office telephones, according to the report. “Concern over litigation and the role electronic evidence plays in lawsuits and regulatory investigations has spurred more employers to implement electronic technology policies,” Nancy Flynn, executive director of the ePolicy Institute, said in a statement. Although liability and regulatory issues may be convincing companies to peek in on their employees, such surveillance raises privacy concerns. Employers can monitor workers to a greater degree these days, thanks to newer technologies such as keystroke-logging software and satellite global positioning systems that can track a cell phone user’s whereabouts. The survey, which involved 526 U.S. companies, found that 5 percent use GPS technology to monitor cell phones and 8 percent use GPS to track company vehicles. About 75 percent of companies monitor workers’ Web site connections, and 65 percent use software to block connections to inappropriate Web sites. Computer monitoring takes various forms, according to the study, with 36 percent of employers tracking “content, keystrokes and time spent at the keyboard.” Another 50 percent of companies store and review employees’ computer files, according to the report.

PERSONAL DATA FOR THE TAKING (New York Times, 18 May 2005) – Senator Ted Stevens wanted to know just how much the Internet had turned private lives into open books. So the senator, a Republican from Alaska and the chairman of the Senate Commerce Committee, instructed his staff to steal his identity. “I regret to say they were successful,” the senator reported at a hearing he held last week on data theft. His staff, Mr. Stevens reported, had come back not just with digital breadcrumbs on the senator, but also with insights on his daughter’s rental property and some of the comings and goings of his son, a student in California. “For $65 they were told they could get my Social Security number,” he said. That would not surprise 41 graduate students in a computer security course at Johns Hopkins University. With less money than that, they became mini-data-brokers themselves over the last semester. They proved what privacy advocates have been saying for years and what Senator Stevens recently learned: all it takes to obtain reams of personal data is Internet access, a few dollars and some spare time. Working with a strict requirement to use only legal, public sources of information, groups of three to four students set out to vacuum up not just tidbits on citizens of Baltimore, but whole databases: death records, property tax information, campaign donations, occupational license registries. They then cleaned and linked the databases they had collected, making it possible to enter a single name and generate multiple layers of information on individuals. Each group could spend no more than $50.

PLAN WOULD BROADEN F.B.I.’S TERROR ROLE (New York Times, 19 May 2005) -- The Bush administration and Senate Republican leaders are pushing a plan that would significantly expand the F.B.I.’s power to demand business records in terror investigations without obtaining approval from a judge, officials said on Wednesday. The proposal, which is likely to be considered next week in a closed session of the Senate intelligence committee, would allow federal investigators to subpoena records from businesses and other institutions without a judge’s sign-off if they declared that the material was needed as part of a foreign intelligence investigation. The proposal, part of a broader plan to extend antiterrorism powers under the law known as the USA Patriot Act, was concluded in recent days by Republican leaders on the Senate Select Committee on Intelligence in consultation with the Bush administration, Congressional officials said. Administration and Congressional officials who support the idea said the proposal would give the F.B.I. a much-needed tool to track leads in terrorism and espionage investigations that would be quicker and less cumbersome than existing methods. They pointed out that the administrative subpoena power being sought for the F.B.I. in terror cases was already in use in more than 300 other types of crimes, including health care fraud, child exploitation, racketeering and drug trafficking.

US TECH CO’S WANT CLICKWRAPS OUT OF HAGUE CONVENTION (BNA’s Internet Law News, 19 May 2005) -- BNA’s Electronic Commerce & Law Report reports that U.S. ISPs and other technology companies have urged State Department negotiators to exclude “clickwrap” agreements from the Draft Hague Convention on Exclusive Choice of Court Provisions in B2B Agreements. Negotiators are set to meet next month at the Hague Conference on Private International Law to discuss the convention. Article at

ISRAELI COURT RULES DIRECTORS HAVE COPYRIGHT IN THEIR MOVIES (BNA’s Internet Law News, 19 May 2005) -- After a protracted five-year legal battle, the Tel Aviv District Court recently ruled that directors have copyrights to movies they have directed, as they have contributed their creativity to the productions. This is viewed as a landmark decision because until now no court had ruled on the question of directors’ copyrights to their works.

**** RESOURCES ****
A RARE NEWSBITES BOOK REVIEW: SILENCE ON THE WIRE (SANS NewsBytes, 27 April 2005) -- We rarely do book reviews, but this is an extraordinary collection of information on passive reconnaissance and the publisher is fairly unknown, so if we didn’t bring “Silence on the wire” to your attention it might get missed. If you are involved in information warfare, or in charge of security at an organization with high value assets you should be aware of this book:

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. The Ifra Trend Report,
8. Crypto-Gram,
9. David Evan’s “Internet and Computer News”,
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
