Saturday, October 29, 2005

MIRLN -- Misc. IT Related Legal News [9-29 October 2005; v8.13]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of KnowConnect, Inc. (www.knowconnect.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

SARBOX: YEAR 2 (CFO.com 15 Sept 2005) -- First, the good news: Most companies have endured and survived their initial foray into Sarbanes-Oxley. And while it often proved a costly and occasionally frenzied experience, it has, many companies say, improved the controls that govern corporate operations. On the other side of the ledger, unfortunately, it appears that year two won’t be the autopilot repeat that companies had hoped for. The first year taught many lessons that have yet to be embedded in most compliance programs, making the second year potentially more labor-intensive than the first. One of the biggest lessons learned concerns the role that IT plays in supporting financial processes, which caught many companies off-guard. But some best practices are emerging, from both a technology and a management perspective, that can help companies address the compliance burden in year two and beyond without massive expense and perpetual panic. Going forward, companies should establish a multidisciplinary governance council or steering committee to set the scope of compliance and resolve issues quickly. Such a council “is essential to making [compliance] go smoothly in year two,” says John Hagerty, vice president and analyst at AMR Research Inc. in Boston. It puts IT, finance, and other business management on the same page and helps provide badly needed guidance. “IT people overprepared in 2004. They had little or no guidance and felt they did a lot of stuff they didn’t need to do,” says Hagerty. (Many would say the same about auditors, as we reported in the last issue. See “Sarbox Surprises” and “Survey Says,” Summer 2005.) The council or committee should ideally include the CFO or other high-level finance executive, someone from the internal audit department, the CIO or other IT executive, and a representative from business operations. The group should be designed to make rapid decisions so compliance issues don’t linger for months. 
Hagerty says AMR recently ran a forum on Sarbox, and the half dozen or so companies that had implemented such a council reported that it was a key to their success in compliance efforts. http://www.cfo.com/article.cfm/4390933?f=home_featured

IN-HOUSE ATTORNEYS BECOME IT GATEKEEPERS (Law.com, 4 Oct 2005; subscription required) -- Sylvia Kerrigan remembers when she first tackled electronic discovery at her company about two years ago. The assistant general counsel at Houston-based Marathon Oil Corp. says it was like slowly easing herself into a pool of water. Then she started to swim -- talking with outside counsel and vendors, exploring services and looking at fancy new software. Finally, she took a tour of Marathon’s information technology department, and that’s when the staggering depth of the problem hit her: “I realized what I considered to be a pool was actually an ocean.” When it comes to e-discovery, many in-house counsel still find themselves in over their heads. To be sure, over the past decade, embarrassing e-mails have figured prominently in a number of high-profile lawsuits, like the U.S. Department of Justice’s landmark antitrust case against Microsoft Corp. in the late ‘90s. But despite electronic data’s notoriety, recent surveys show that an alarming percentage of corporate attorneys and their companies still aren’t up to speed. A study by Cohasset Associates Inc., a Chicago-based records management firm, showed that 46 percent of the companies surveyed don’t have a formal system for holding records, and 65 percent don’t include electronic documents when they retain documents. The e-discovery stakes have also risen dramatically. This year, plaintiffs have been winning huge awards by going after e-mails found through e-discovery. In August a jury returned a $253 million verdict against Merck & Co. Inc., when a top scientist’s crucial e-mail suggested that the company knew two years before it put Vioxx on sale that the painkiller might cause heart problems. (Merck has denied this and is appealing.) 
That verdict came only months after a Florida state jury, finding that investment bank Morgan Stanley botched its e-discovery in the case, awarded financier Ronald Perelman $1.45 billion in a default judgment. Look no further than the headlines for more examples: UBS Warburg, Enron Corp., WorldCom Inc. and Marsh & McLennan Cos. Inc., to name a few companies where execs got caught with their e-mails exposed. So common is New York Attorney General Eliot Spitzer’s demand for e-discovery that he reportedly began a recent speech in front of Wall Street execs with the quip that he was really glad to be there, because he wanted to put faces to the e-mails. For e-discovery, there’s a classic disconnect between technology and the law, and the law hasn’t fully caught up. Slowly, however, the legal system is coming to grips with it. Bar associations, corporate lawyers and judges are working together on the federal and state levels to bring some coherence and predictability to e-discovery requests. The most prominent of these efforts, an Arizona think tank called the Sedona Conference, recently issued guidelines that have led to proposals to change the Federal Rules of Civil Procedure. Some proposed rules would, for example, provide for leniency if a company makes a good-faith effort to produce electronic data. But some savvy in-house lawyers, usually the front line in e-discovery wars, aren’t waiting around for the new rules. They’re scrambling to get their digital houses in order, and in the process are creating new roles for themselves and their department. For example, Pfizer Inc. has hired a senior counsel to work full time with consultants to build a new e-discovery system from the ground up. And Marathon Oil’s Kerrigan is placing a dedicated e-discovery coordinator at every corporate subsidiary. http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1128342926735

DHS HAS PORTAL FOR SECURITY TOOLS, TIPS FOR SOFTWARE DEVELOPERS (Washington Post, 6 Oct 2005) -- The Homeland Security Department has launched a secure portal to provide best practices, tools and other resources for creating more reliable and secure software for developers and security professionals. The new Web site, Build Security In, was developed in conjunction with the Carnegie Mellon Software Engineering Institute. It was unveiled at a software assurance forum this week co-hosted by DHS and the Defense Department. The site takes a building-block approach, with content areas separated into different phases of the software development life cycle such as architecture and design, systems analysis and testing, and implementation. Within each area, articles are compiled discussing best practices for that particular aspect of software development. http://www.washingtontechnology.com/cgi-bin/udt/im.display.printable?client.id=wtdaily-test&story.id=27118 Build-Security site at https://buildsecurityin.us-cert.gov/portal/

AOL REVISES PRIVACY POLICY (CNET, 7 Oct 2005) -- America Online won’t sell or rent members’ home addresses anymore, but under changes to take effect in November, it will track member activity on AOL.com and Web searches to offer personalized content and targeted ads. The Web search monitoring will allow AOL to offer customized search results based on a user’s past searches. Members can opt out on a search-by-search basis--or entirely. Other portals track how their users navigate around the Web site, AOL spokesman Andrew Weinstein said. AOL said it will not use any information about where members go on the Web when they are off the AOL service. Other search sites are offering services that keep track of user Web searches. Yahoo does it, MSN said it plans to do it and Google applied for a patent on technology related to the practice, AOL said. Two privacy experts gave the AOL changes mixed reviews, praising the halt to selling address lists, but complaining about the tracking aspects. “Looks like a fairly standard privacy policy, with the usual weasel words and wiggle room where they say, ‘We collect information about what you do on our service and we can use it for pretty much any business reason we can dream up,’” said Kevin Bankston, staff attorney at the Electronic Frontier Foundation. Weinstein pointed out that AOL’s privacy policy--including not reading e-mail, monitoring members outside the service or selling personal information to other companies--limits the company’s ability to gather and use member information. Marc Rotenberg, president of the Electronic Privacy Information Center, said: “I’m glad they’re not doing Gmail-like e-mail scanning and the fact that they’re not renting their lists anymore is a positive. 
On the down side, customized searches are a real privacy problem.” AOL stopped sharing member address lists a year ago but decided to codify that move into policy in what the company said was the first significant revision to its privacy policy since 1998, Weinstein said. The changes will be implemented on Nov. 10. http://news.com.com/AOL+revises+privacy+policy/2100-1038_3-5891298.html?tag=html.alert

U.S. CYBERSECURITY DUE FOR FEMA-LIKE CALAMITY? (ZDnet, 7 Oct 2005) -- In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster. Is the cybersecurity division next? Like FEMA, the U.S. government’s cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago. Auditors had warned months before Hurricane Katrina that FEMA’s internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be “unprepared” for emergencies. “When you look at the events of Katrina, you kind of have to ask yourself the question, ‘Are we ready?’” said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. “Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no.” The department, not surprisingly, begs to differ. “Cybersecurity has been and continues to be one of the department’s top priorities,” said Homeland Security spokesman Kirk Whitworth. But more so than FEMA, the department’s cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that’s worrying experts and industry groups. The department is charged with developing a “comprehensive” plan for securing key Internet functions and “providing crisis management in response to attacks”--but it’s been more visible through press releases such as one proclaiming October to be “National Cyber Security Awareness Month.” Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials. http://news.zdnet.com/2100-1009_22-5891219.html

SOFTWARE LICENSES: VENDORS HAPPY, CUSTOMERS NOT SO HAPPY (Information Week, 11 Oct 2005) -- Software vendors are a lot more satisfied with the licensing agreements they offer than their customers are, a finding that spells trouble for vendors that are not tuned in to their customers’ needs, says Fred Amoroso, CEO of Macrovision, which sponsors an annual study on software licensing trends. Business software managers are looking for more flexible license structures that allow them to pay only for what they use. Instead they are frequently locked into contracts that push them toward paying peak usage prices, he said. In August and September, the Software and Information Industry Association along with Macrovision, a supplier of software to manage software licenses, sponsored a survey of 500 SIIA members on their satisfaction with existing licensing arrangements. Two-thirds of the vendors interviewed said they had adjusted their licensing and 57% said they were satisfied with the results. Only 28% of customers said they were satisfied with their licenses. As software vendors get larger, their satisfaction with their own license offerings drops, Amoroso said. He interpreted that result as indicating large software firms realize their limited licensing schemes are causing customer dissatisfaction but don’t feel able to propagate more license arrangements. Amoroso said more license arrangements are needed “that work the way the software in enterprises works.” Some vendors offer a concurrent number of users license that allows any set of users up to a certain limit to make use of the software. The arrangement frees the software from use only by fixed named users. Some vendors allow the concurrent user license to float on an enterprise network, so users in the different parts of the world can use the software as one shift comes on and another goes home. But many software package licenses are based on number of CPUs in the server or number of named users. 
Since CPU usage fluctuates, companies are forced to buy for maximum usage. Average usage can be much lower. The study, “Key Trends in Software Pricing and Licensing,” was the second conducted by Macrovision and SIIA. The study shows that software vendors “need to embrace the new models in order to keep customers happy,” said Ken Wasch, president of SIIA, in a statement. Other findings include:
• 72% of businesses manually track their license compliance or don’t track it at all.
• 50% of businesses would like a way to automatically track software use and ensure compliance with their licenses. The figure is up 6% from last year.
• Subscription models, where customers pay a monthly fee for software instead of a one-time purchase price, have caught on with 40% of vendors. The figure is 7% higher than last year. The number is expected to jump to 60% in 2006.
• 53% of businesses prefer concurrent pricing models to per-server licenses. The figure is up 11% from last year.
• Despite some large vendors’ “aggressive efforts to license per processor,” only 6% of businesses prefer this approach. With the advent of dual-core processors, some vendors are counting two cores, as in upcoming chips from Intel Corp. and Advanced Micro Devices, as two processors. Customers are still seeing one processor. Oracle recently took a step back from such a stance, saying it will count each unit of a dual-core processor as 0.75% of a processor.
http://www.informationweek.com/story/showArticle.jhtml?articleID=172300193&cid=RSSfeed_IWK_news

EXPERT: HOLD DEVELOPERS LIABLE FOR FLAWS (CNET, 12 Oct 2004) -- Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cybersecurity adviser. Speaking Tuesday at the SecureLondon 2005 conference, Schmidt, who is now CEO of R&H Security Consulting, also called for better training for software developers. He said he believes that many developers don’t have the skills needed to write secure code. “In software development, we need to have personal quality assurances from developers that the code they write is secure,” said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL. “They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions so we can go to them and say, ‘Is this completely secure?’” Schmidt said. Schmidt also referred to a recent survey from Microsoft finding that 64 percent of software developers were not confident that they could write secure applications. For him, better training is the way forward. “Most university courses traditionally focused on usability, scalability and manageability--not security. Now a lot of universities are focusing on information assurance and security, but traditionally, Web application development has been measured in mouse clicks--how to make users click through,” Schmidt said. Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them. http://news.com.com/2100-1002_3-5893849.html [Editor: In September 2002 Mr. Schmidt rebuffed suggestions that developers should bear this kind of responsibility when he was writing the National Strategy to Secure Cyberspace. His thinking is evolving, and the courts won’t be too far behind.]

-- and --

SUE COMPANIES, NOT CODERS (Wired, 20 Oct 2005) -- At a security conference last week, Howard Schmidt, the former White House cybersecurity adviser, took the bold step of arguing that software developers should be held personally accountable for the security of the code they write. He’s on the right track, but he’s made a dangerous mistake. It’s the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits. To understand the difference, it’s necessary to understand the basic economic incentives of companies, and how businesses are affected by liabilities. In a capitalist society, businesses are profit-making ventures, and they make decisions based on both short- and long-term profitability. They try to balance the costs of more-secure software -- extra developers, fewer features, longer time to market -- against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales. The result is what you see all around you: lousy software. Companies find that it’s cheaper to weather the occasional press storm, spend money on PR campaigns touting good security, and fix public problems after the fact than to design security right from the beginning. http://www.wired.com/news/print/0,1294,69247,00.html [Editor: Actually, Schmidt didn’t propose that individual programmers be held individually liable. Schneier’s comments in this Wired article are still useful.]

SURVEY: LITIGATION SKYROCKETING AMONG TECH COMPANIES (EEtimes, 12 Oct 2005) -- Technology and communications companies rank third on the list of U.S. and U.K. industries with the most litigation, according to a new survey of manufacturing companies. The survey by the law firm Fulbright & Jaworski, a leading intellectual-property litigator based in New York and Houston, found that the average U.S. manufacturer currently faces 40 lawsuits. Of those, an average of 18 were initiated in the last year. While product liability remains the largest generator of lawsuits, the survey found that intellectual property disputes are an emerging problem, especially for technology companies. IP and patent lawsuits accounted for an estimated 13 percent of U.S. corporate litigation last year and 16 percent in the U.K. Only contract disputes, labor and employment, personal injury and product liability cases ranked higher than IP lawsuits, the law firm found. One reason litigation is soaring, the survey found, is the emergence of “electronic discovery” techniques, especially in the U.S. “Electronic discovery was the number one new litigation-related issue for companies with revenues over $100 million,” the survey found. “So far, its impact appears to have been felt far less in the U.K. than in the U.S.” An emerging and inexpensive tool for electronic legal research are search engines such as WaybackMachine that can take researchers to defunct Web sites. Many contain reams of archived material researchers can search for evidence that can be used at trial. “The advent of electronic discovery, coupled with more stringent record keeping requirements, has exponentially added to the burdens imposed by litigation,” Fulbright attorney Robert Owen said in a statement. The U.S. healthcare industry has the largest number of pending lawsuits in the U.S. followed by energy companies and technology and communications companies. The study found that nearly a quarter of U.S. companies, led by technology and communications manufacturers, are spending 2 percent or more of annual gross revenues on legal expenses. IP disputes ranked as the most expensive litigation. http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=172300467

CONGRESS AGREES TO SPLIT OFF DHS CYBERSECURITY UNIT (GOVEXEC.com, 13 Oct 2005) -- Congress has agreed to split the Homeland Security Department division focused on information analysis and infrastructure protection. The move elevates the department’s cybersecurity missions. In the department’s fiscal 2006 spending measure, lawmakers agreed to divide the unit into two new components: the analysis and operations wing and the preparedness directorate. The House and Senate cleared the legislation last week, and President Bush is set to sign it into law Tuesday. Homeland Security Secretary Michael Chertoff proposed the changes in July, after a 90-day review of the department’s organization. He agreed with calls from lawmakers and industry that the cybersecurity division should be removed from information analysis and infrastructure protection and that its director should be made an assistant secretary to focus more resources and attention on cybersecurity. Congress backed the proposal, and the department’s budget next year includes $93 million for the cyber division to continue exercises and outreach with the private and public sectors. The new assistant secretary also is charged with overseeing and coordinating security of the nation’s telecommunication systems. Chertoff finalized the reorganization plan Oct. 1. http://www.govexec.com/story_page.cfm?articleid=32555&printerfriendlyVers=1&

CALLED TO ACCOUNT -- AMERICA’S LOOMING ACCOUNTING CRISIS (The New Republic, 14 Oct 2005; registration required) -- Late last month William McDonough, the departing chair of the Public Company Accounting Oversight Board (PCAOB), addressed a conference on corporate reform sponsored by the American Law Institute and the European Corporate Governance Institute. Needless to say, these sorts of meetings tend to be a little dry, which may be why there were few reporters on hand to hear McDonough’s remarks. It’s a shame, because the man who was tasked in 2003 with overseeing the American accounting industry dropped what, at least in accounting circles, was a nuclear bomb. Addressing the recent settlement between KPMG and the Justice Department over the Big-Four firm’s shady tax-shelter practice, McDonough said that the government had only narrowly avoided an industry meltdown. The case, had it gone through, could have destroyed the firm, and “none of us has a clue what to do if one of the Big Four failed,” he said. Accounting may not be the sexiest profession, but it is arguably the cornerstone of American capitalism. While the government sets the rules about what companies can and can’t do, it is up to accountants to provide evidence that they are in fact following those rules: paying taxes, filing accurate earnings reports, and not, say, siphoning off profits to pay for executive party boats. And there is a limited number of firms capable of doing the sort of work required by Fortune 500 companies--four, to be precise. But as the KPMG case highlights, those same firms are hardly paragons of fiduciary virtue--like any company, they face powerful incentives to cut corners and push envelopes, and in recent years all four have come under scrutiny for either breaking the law or providing substandard reporting. No wonder McDonough resigned his post: The American accounting system, and the economic system it undergirds, is facing a seemingly intractable crisis. 
KPMG’s tax shelter settlement--in which the government withdrew its case in exchange for a fine, a curtailment of its tax practice, and the acceptance of government monitoring--is only its latest run-in with the law. Last year, it paid out over $100 million to settle cases in which it stood accused of overlooking fraud by some of its clients. Several of its other clients, including Fannie Mae and Royal Dutch Shell, came under fire for accounting irregularities. [Editor: Accounting for recoverable oil reserves is an important, little-understood issue; Shell and BP practices here recently have been in the news.] And the PCAOB recently released an annual report documenting auditing deficiencies at KPMG--out of 76 audits selected for review, 18 were substandard, some of which were “of such significance that it appeared to the inspection team that the Firm had not, at the time it issued its audit report, obtained sufficient competent evidential matter to support its opinion on the issuer’s financial statements.” In other words, the government found evidence that KPMG was signing off on clients’ financial statements without having a solid idea about what was actually in those statements. http://www.tnr.com/doc.mhtml?pt=3IjNCIyp76IR9gdm5lK6Z3%3D%3D

FAR COUNCIL ISSUES CYBERSECURITY REQUIREMENTS FOR GOVERNMENT CONTRACTS (Steptoe & Johnson’s E-Commerce Law Week, 15 Oct 2005) -- In the wake of the recent flood of data security breaches and network vulnerabilities, the private sector has been holding its breath, waiting to see what, if any, new cybersecurity standards the federal government plans to hold it to. While the government is still in the “mulling” stage when it comes to general cybersecurity requirements for industry, it has now spoken a bit more clearly when it comes to companies that provide information technology (IT) services for the government. On September 30, the Federal Acquisition Regulations (FAR) Council issued an interim rule outlining new steps that federal acquisition workers must take in order to ensure that IT security is incorporated into all purchases of “goods and services” from the private sector. Among other things, the rule stipulates that contracting officers must include cybersecurity requirements in acquisition planning. Although currently only relevant to companies performing government contracts, the rule may also provide a clue as to the shape of any further federal efforts to impose cybersecurity standards on the private sector. The new rule took effect immediately, but the FAR Council will accept public comment until November 29. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=10671&siteId=547 Rule at http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/pdf/05-19468.pdf

PHONE TAP: HOW’S THE TRAFFIC? (Wired, 15 Oct 2005) -- Driving to work, you notice the traffic beginning to slow. And because you have your cell phone on, the government senses the delay, too. A congestion alert is issued, automatically updating electronic road signs and websites and dispatching text messages to mobile phones and auto dashboards. In what would be the largest project of its kind, the Missouri Department of Transportation is finalizing a contract to monitor thousands of cell phones, using their movements to map real-time traffic conditions statewide on all 5,500 miles of major roads. It’s just one of a number of initiatives to more intelligently manage traffic flow through wireless data collection. Officials say there’s no Big Brother agenda in the Missouri project -- the data will remain anonymous, leaving no possibility to track specific people from their driveway to their destination. But privacy advocates are uneasy nonetheless. “Even though it’s anonymous, it’s still ominous,” said Daniel Solove, a privacy law professor at George Washington University and author of The Digital Person. “It troubles me, because it does show this movement toward using a technology to track people.” Cell phone monitoring already is being used by transportation officials in Baltimore, though not yet to relay traffic conditions to the public. Similar projects are getting underway in Norfolk, Virginia, and a stretch of Interstate 75 between Atlanta and Macon, Georgia. But the Missouri project is by far the most aggressive -- tracking wireless phones across the whole state, including in rural areas with lower traffic counts, and for the explicit purpose of relaying the information to other travelers. http://www.wired.com/news/wireless/0,1382,69227,00.html

-- and --

U.S. CELL PHONE TRACKING CLIPPED (Wired, 27 Oct 2005) -- Federal law enforcement attempts to use cell phones as tracking devices were rebuked twice this month by lower court judges, who say the government cannot get real time tracking information on citizens without showing probable cause. This summer, Department of Justice officials separately asked judges from Texas and Long Island, New York to sign off on orders to cellular phone service providers compelling them to turn over phone records and location information -- in real time -- on two different individuals. Both judges rejected the location tracking portion of the request in harshly worded opinions, concluding investigators cannot turn cell phones into tracking devices by simply telling a judge the information is likely “relevant” to an investigation. “When the government seeks to turn a mobile telephone into a means for contemporaneously tracking the movements of its user, the delicately balanced compromise that Congress has forged between effective law enforcement and individual privacy requires a showing of probable cause,” wrote Magistrate Judge James Orenstein of New York in the latest decision Monday. http://www.wired.com/news/technology/0,1282,69390,00.html Decision at http://www.eff.org/legal/cases/USA_v_PenRegister/celltracking_decision.pdf

POWER COMPANIES ENTER THE HIGH-SPEED INTERNET MARKET (New York Times, 17 Oct 2005) -- The idea has been around for years. In Spain and elsewhere in Europe, utility companies have long offered high-speed Internet service to consumers over their power lines. But American utilities are only now beginning to roll out broadband connections on their grid. For Jim Hofstetter, a salesman for Cadbury Schweppes, the food and beverage company, this new option was far better than the high-speed connection he used for years from his local cable provider. “I would never go back now that I have this,” said Mr. Hofstetter, who often works from his home office in the Hyde Park neighborhood of Cincinnati. He pays $30 a month for the service from Current Communications, an Internet service provider, which uses the power lines run by Cinergy, the local utility in Cincinnati. That cost is about $15 cheaper than comparable Internet access from either Cincinnati Bell or Time Warner Cable. The Current service can be piped into any electrical outlet in Mr. Hofstetter’s home, with no reduction in speed even when he, his wife and their three daughters are online at the same time. All that is needed is a baseball-size jack that plugs into the wall and is connected to a computer with an Ethernet cable. Known as broadband over power line, or B.P.L., the service is poised to challenge the cable and phone companies that dominate the high-speed Internet market. Instead of burying cables and rewiring homes, B.P.L. providers use the local power grid, which means that any home with electricity could get the service. For now, the two biggest commercial B.P.L. services in the United States are operated by Current and Cinergy in Cincinnati, and the city of Manassas, Va., which has teamed up with ComTek Communications Technology, another B.P.L. provider. Dozens of other utilities across the country are testing the service and hiring specialists like Current and ComTek to run it. 
While the technology is not new, the home adapters and equipment on telephone poles that transmit data over power lines as radio signals have only recently become affordable enough for companies to start selling the service. http://www.nytimes.com/2005/10/17/technology/17powerlines.html?ex=1287201600&en=bd3ca2a00df70c4a&ei=5090&partner=rssuserland&emc=rss

MESSAGING INSTANTLY AND MORE SECURELY (New York Times, 17 Oct 2005) -- About a third of all instant-messaging accounts on consumer services like AIM and MSN Messenger are used mostly for business, according to a study of the instant-messaging market. “People depend on I.M.,” said Robert Mahowald, an analyst who wrote the study for the technology market research firm IDC. “It’s quick, and you know when somebody’s available.” Mr. Mahowald said problems with consumer instant-messaging had fueled the rise of “enterprise I.M.” software intended for businesses, which currently account for about 17 percent of all instant-message traffic. The software can be integrated with a company’s other systems and is better protected than the consumer version. “It’s more secure,” Mr. Mahowald said. “Your message traffic isn’t floating out on AOL’s server in Dulles, Va. We’ve had a number of instances where I.M. logs have been hacked and the conversations have shown up on the Web, which is very embarrassing to businesses.” http://www.nytimes.com/2005/10/17/technology/17drill.html?ex=1287201600&en=2ac58a6d1da95eef&ei=5090&partner=rssuserland&emc=rss

OPEN-SOURCE SOFTWARE LICENSES PRESENT QUAGMIRE (Law.com, 17 Oct 2005; subscription required) -- According to the Open Source Initiative (OSI), a nonprofit corporation dedicated to managing and promoting open-source software, there are four “classic” open-source licenses. These are the GNU (Gnu’s Not Unix) Public License (GPL), the Limited GNU Public License (LGPL), the Berkeley System Distribution (BSD) and the Massachusetts Institute of Technology (MIT) license. Since the open-source release of the Netscape Web browser in 1998, the Mozilla Public License has also become widely used. Many other open-source licenses have been created. Currently, there are 58 open-source licenses approved by OSI, and new open-source licenses can be approved by the OSI by submitting the text of the proposed license along with comments by an attorney making reference to OSI’s 10-part definition of open source. Of all the open-source licenses currently being used, the classic GPL license is the most prevalent. Most components of the popular GNU/Linux system, including the Linux kernel itself and most system utilities and applications, are licensed under the GPL. In addition, leaders in the open-source community have urged developers to use the GPL or GPL-compatible licenses whenever possible. According to a 2002 estimate, about 90% of all open-source software was licensed under the GPL. This article will address the legal and practical risks that users of open-source software might face. Clearly identifying the risks involved with open-source software is a step toward overcoming the fear, uncertainty and doubt that might otherwise discourage its widespread adoption. Due to its prevalence, the focus here will be on the GPL. Many companies find that open-source software components provide high quality at low cost compared to commercial alternatives. This provides the natural incentive to use open-source software as a building block for proprietary products. 
For example, a company may wish to create a special-purpose operating system based on the Linux kernel. However, under the terms of the GPL, a licensee may be required to release its own source code if it distributes or publishes a derivative work based on the GPL-licensed program. Setting aside the obvious questions of when a work is considered “distributed” and “derived” under the terms of the GPL, companies may find themselves in the difficult position of having to either release their proprietary source code to the public or lose the permission to distribute, copy or modify the modified software. [Continues.] http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1129194312375

CAN YOUR PRINTER TELL ON YOU? (Houston Chronicle, 18 Oct 2005) -- It sounds like a conspiracy theory, but it isn’t. The pages coming out of your color printer may contain hidden information that could be used to track you down if you ever cross the U.S. government. Last year, an article in PC World magazine pointed out that printouts from many color laser printers contained yellow dots scattered across the page, viewable only with a special kind of flashlight. The article quoted a senior researcher at Xerox Corp. saying that the dots contain information useful to law-enforcement authorities, a secret digital “license tag” for tracking down criminals. The content of the coded information was supposed to be available only to agencies looking for counterfeiters. Now, the secret is out. Tuesday, the Electronic Frontier Foundation, a consumer privacy group, said it had cracked the code used in a widely used line of Xerox printers, an invisible bar code of sorts that contains the serial number as well as the date and time a page was printed. With the Xerox printers, the information appears as a pattern of yellow dots, visible only with a magnifying glass and a blue light. The EFF said it has identified similar coding on pages printed from nearly every major printer manufacturer, including Hewlett-Packard Co., though its team has so far cracked the codes for only one Xerox model. The U.S. Secret Service acknowledged that the markings, which are not visible to the human eye, are there. “It’s strictly a countermeasure to prevent illegal activity specific to counterfeiting,” agency spokesman Eric Zahren said. http://www.chron.com/cs/CDA/ssistory.mpl/nation/3403012 [Editor: a description of the technique is at http://p2pnet.net/story/6620]

ADVISORY BODY CALLS FOR MORE SECURE INTERNET BANKING (Computerworld, 18 Oct 2005) -- A federal advisory body with broad regulatory powers over banks today issued new guidelines aimed at improving security in Internet-based banking and financial services. The Federal Financial Institutions Examination Council (FFIEC) updated its guidance for how financial institutions should plan to authenticate customers’ online identities by the end of next year. The FFIEC said authentication of a customer via simple password and ID alone is “inadequate for high-risk transactions involving access to customer information or the movement of funds to other partners.” The updated guidelines are titled “Authentication in an Internet Banking Environment” and were issued due to concerns about phishing, identity theft and online fraud, the group said. http://www.computerworld.com/printthis/2005/0,4814,105519,00.html Guidelines at http://www.ffiec.gov/pdf/authentication_guidance.pdf

MAJOR BOOK PUBLISHERS SUE GOOGLE (Information Week, 19 Oct 2005) -- Google Inc. on Wednesday was sued by a major publishing association for digitizing library books without the permissions of copyright holders, the second such suit filed against the search engine giant. The Association of American Publishers, based in Washington, D.C., sued the Mountain View, Calif., company on behalf of members The McGraw-Hill Companies, Pearson Education, Penguin Group (USA), Simon & Schuster and John Wiley & Sons. The suit seeks a court declaration that Google infringes the rights of copyright holders when it scans entire books and stores the digitized versions in its massive database. The trade group also wants a court order requiring Google to first obtain permission from copyright holders. Patricia Schroeder, AAP president and a former Colorado congresswoman, said the suit was filed after talks broke down. The AAP had proposed that Google use each book’s unique ID number to determine if the work is under copyright, and then seek permission from the book’s owner. For more than 30 years, most books have carried an ISBN identification number, which is machine readable. Google, according to Schroeder, refused. “If Google can scan every book in the English language, surely they can utilize ISBNs,” Schroeder said in a statement. “By rejecting the reasonable ISBN solution, Google left our members no choice but to file this suit.” While not mentioning the negotiations, Google said in a statement that the project is an “historic effort to make millions of books easier for people to find and buy.” “Creating an easy to use index of books is fair use under copyright law and supports the purpose of copyright: to increase the awareness and sales of books directly benefiting copyright holders,” Google said. 
“This short-sighted attempt to block Google Print works counter to the interests of not just the world’s readers, but also the world’s authors and publishers.” http://www.informationweek.com/story/showArticle.jhtml?articleID=172302588 Complaint at http://www.publishers.org/press/pdf/40%20McGraw-Hill%20v.%20Google.pdf

-- and --

SEARCH OR SEIZURE? (Bag and Baggage, 26 Oct 2005) -- Whenever possible over the last week, I’ve been making my way through some of the avalanche of background materials and commentary concerning the two Google Print (or more specifically, Google Library) lawsuits now pending in the Southern District of New York (one brought by the Authors Guild and three individual plaintiffs, and the most recent, filed last week, brought by five publishers). Charles W. Bailey, Jr.’s extensive bibliography is an excellent starting point if you too are seeking to better comprehend what is at stake and the potential outcomes. I agree with John Battelle that this shapes up as a long and hard fought battle with ripple (or perhaps tidal wave) effects extending into many areas beyond text search. I also agree with the commentators who suspect one or both of these cases will travel through the docket of the U.S. Supreme Court before they see the finish line. In these initial stages of the proceedings, the plaintiffs and their advocates appear to be putting all their chips on the square marked “Second Circuit’s narrow interpretation of commercial fair use.” There is no telling how that gamble will pay off, or how the Supreme Court will respond if it does, but the following points are likely to be important along the way. http://bgbg.blogspot.com/2005/10/search-or-seizure.html

RECRUITMENT TOOL TARGETED (Washington Post, 19 Oct 2005) -- A national coalition of parents groups, privacy advocates and community organizations is launching a campaign today to dismantle a database of high school and college students built by the Pentagon to help target potential military recruits. In a letter being sent today to Defense Secretary Donald H. Rumsfeld, more than 100 groups charge that the database violates federal privacy laws and is collecting demographic and other personal information on young Americans that could be misused by the government and the marketing firms handling the program. “We are not in opposition to those who choose to serve in the U.S. Armed Forces,” said a draft of the letter asking that the program be shut down. But “the creation of the . . . database is in conflict with the Privacy Act, which was passed by Congress to reduce the government’s collection of personal information on Americans.” The military, which is struggling to meet recruiting goals, argues that the effort is grounded in law and is essential to maintaining strong, all-volunteer armed forces. The Pentagon is on track to spend $342.9 million on the controversial Joint Advertising, Market Research and Studies program. The effort seeks to help recruiters discover and reach more potential enlistees and to develop advertising aimed at those who typically influence young people, including parents, coaches and teachers. The money is being spent through a single contract with Mullen Advertising Inc. of Wenham, Mass., that began in 2002 and can be renewed annually until January 2007. So far, the Pentagon has spent $206.3 million, according to a military spokeswoman. Under a subcontract with Mullen, BeNow Inc., a Wakefield, Mass., firm that specializes in gathering and analyzing personal information for target marketing, is compiling and maintaining the database. BeNow has since been acquired by Equifax Inc., one of the nation’s top credit bureaus and data brokers. 
The Pentagon program was little known until June, when the military issued a privacy notice that it was buying lists of all high school and college students to create a database that included birth dates, Social Security numbers, e-mail addresses, grade-point averages, ethnicity and what subjects the students are studying. http://www.washingtonpost.com/wp-dyn/content/article/2005/10/17/AR2005101701529.html [Editor: EPIC played a key role in bringing this story to fruition – www.epic.org. MIRLN 8.08 carried an early story -- http://www.vip-law.com/mirln808.htm]

CONSTITUTION OF THE UNITED STATES: BROWSE (GPO, 20 Oct 2005) -- The Constitution of the United States of America, Analysis and Interpretation: Analysis of Cases Decided by the Supreme Court of the United States is available in a series of browseable tables. http://www.gpoaccess.gov/constitution/browse.html

NET PIRATES WILL FACE STIFFER PUNISHMENT (CNET, 20 Oct 2005) -- Internet pirates with prerelease movies in their shared folders will face stiffer federal penalties starting Monday. The U.S. Sentencing Commission on Wednesday approved an emergency set of rules that would boost prison sentences by roughly 40 percent for people convicted of peer-to-peer infringement of copyright works “being prepared for commercial distribution.” The changes also say judges may “estimate” the number of files shared for purposes of determining the appropriate fine and sentence. Larger numbers typically yield longer sentences. This week’s sentencing adjustments arose from a law that President Bush signed in April called the Family Entertainment and Copyright Act. It gave the commission 180 days to revisit its rules to make them “sufficiently stringent to deter, and adequately reflect the nature of, intellectual property rights crimes.” http://news.com.com/2100-1028_3-5905183.html

LAB COMPUTER SIMULATES RIBOSOME IN MOTION (CNET, 21 Oct 2005) -- Using a computer to simulate the interaction of 2.6 million atoms, Los Alamos National Laboratory researchers have recreated a tiny slice of one of the most fundamental genetic processes of life. The lab simulated how a cellular machine called a ribosome follows genetic instructions to construct a complex molecule called a protein out of building blocks called amino acids. With 768 processors of LANL’s 8,192-processor ASCI Q machine running for about 260 days, the researchers created a movie of the process. Previous views had shown only static snapshots. “Experiments have been able to come up with snapshots of the ribosome. We’re trying to create a movie of what happens between those snapshots,” said Kevin Sanbonmatsu, a molecular biologist and the project’s principal investigator. The movies could be significant for research into antibiotic medicines. Antibiotics work by gumming up the ribosomes, and a movie showing a ribosome’s function could show a larger range of targets than static images, he said. The task wasn’t simple. Researchers had to model the physical interactions of each of 2.64 million atoms--about 250,000 in the ribosome itself, but most for water molecules inside and outside it. The simulation resulted in a movie that is 20 million frames long, he said. In reality, however, the ribosome behavior that they simulated takes only 2 nanoseconds, or 2 billionths of a second--too short to even be labeled as “fleeting.” http://news.com.com/Lab+computer+simulates+ribosome+in+motion/2100-11395_3-5907401.html?tag=nefd.hed

E-VOTING WON’T BE VERIFIED UNTIL 2006 (CNET, 21 Oct 2005) -- Electronic voting systems aren’t likely to be sufficiently secure even by the 2006 elections, government auditors warned Friday. Existing systems are rife with problems, the Government Accountability Office said in a 107-page document. The list of vulnerabilities included everything from easily-guessed administrator passwords and voter-verified paper-trail design flaws, to incorrect software installation and system failures on Election Day. The Election Assistance Commission, created in 2002 to help states and localities implement e-voting systems, has neglected to lay out a clear timeline for addressing those problems, the report said. It also says that it’s unrealistic to expect anything to change by next fall. Even as a dozen or more non-governmental groups have begun drafting their own standards, federal agencies are still in the process of writing their own voluntary guidelines for voting systems and procedures for certifying them, the GAO determined. The agencies are slated for early 2007 to determine if the laboratories designed to examine voting equipment are fit to do so, but the agencies haven’t started yet. They also haven’t set up a proper “clearinghouse” where election officials can share problems they’ve had with the voting systems. The agencies also haven’t updated the national reference library for voting system software--intended to help state and local election officials ensure they’re running the proper software on their machines--since the 2004 elections. http://news.com.com/E-voting+wont+be+verified+until+2006/2100-1028_3-5907036.html?tag=nefd.top GAO Report at http://reform.house.gov/UploadedFiles/GAO-05-956.pdf

WORKING THROUGH A THICKET OF E-DISCOVERY RULES (ABA Journal, 21 Oct 2005) -- The amendments to the Federal Rules of Civil Procedure dealing with electronic discovery, expected to become law in December of next year, will add to layers of regulation that already seek to govern electronic information. Administrative agency regulations and state and federal laws also address preservation of electronic documents. The result is confusion for businesses faced with the challenge of devising a system of creation, storage, retrieval, copying and destruction of such information. The rules are not always harmonious. In proposed Rule 37(f), the so-called “safe harbor” rule, a party shall not be sanctioned for a loss of electronically stored information if the loss occurs in the course of “good faith” operation. But for investment professionals, the Securities and Exchange Commission mandates the retention of all “communications” for three years. The cautionary tale of what can happen when e-mails go missing is the $1.5 billion verdict entered against Morgan Stanley & Co. in two judgments in March and May. Now the investment banking behemoth may face millions of dollars more in fines from the SEC. The case began back in 1998 when Morgan Stanley served as financial adviser to Sunbeam Corp. in the latter’s acquisition of the Coleman Co., the camping equipment company. A major part of the purchase price was Sunbeam stock, the value of which later collapsed in the wake of accounting fraud at the Florida appliance manufacturer. Coleman’s parent sued Morgan Stanley, alleging the firm knew about the accounting fraud at Sunbeam and failed to disclose material information. In an amended complaint, Coleman accused Morgan Stanley of aiding and abetting as well as conspiring with Sunbeam to commit a fraud. By 2003, Coleman requested all of Morgan Stanley’s e-mails about the Sunbeam deal, and when few records were produced, a full-scale investigation ensued. 
Over the next 12 months, Morgan Stanley was forced to admit in one round of embarrassing discoveries after another the existence of thousands of e-mail backup tapes in offices, storage facilities and a security room. The Florida trial court threw the “death penalty” at Morgan Stanley in a March 23 order granting a partial default judgment. http://www.abanet.org/journal/ereport/oc21email.html

GOOGLE ARGUES NEWS HEADLINES ARE NOT COPYRIGHTABLE (BNA’s Internet Law News, 27 Oct 2005) -- BNA’s Electronic Commerce & Law Report reports that Google has argued that news headlines that are purely factual and merely ten words long lack sufficient originality to preclude others from copying them. The argument comes in a brief filed in the Agence France Presse v. Google litigation. Google is seeking dismissal of Agence France Presse’s claim that Google is infringing its copyrights by copying AFP news headlines for reuse on Google’s news aggregation sites. Article at http://pubs.bna.com/ip/BNA/eip.nsf/is/a0b1v5g6d1

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com.
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, October 08, 2005

MIRLN -- Misc. IT Related Legal News [18 September – 8 October 2005; v8.12]

NAVY: DON’T ACCESS PERSONAL E-MAIL AT WORK (FCW, 9 Sept 2005) -- Navy employees can no longer access personal e-mail accounts, including Yahoo Mail and Microsoft Hotmail, from the service’s networks without approval. That is one of six rules in the Navy’s new acceptable use of information technology policy issued in July. The “Effective Use of Department of Navy IT Resources,” states that the service’s military, civilian and contractor users cannot:
* Automatically forward official Navy e-mail to a commercial account or use a commercial account for official government business without approval.
* Install or modify computer hardware or software without approval.
* Circumvent or disable security measures, countermeasures or safeguards, such as firewalls, content filters and antivirus programs.
* Participate in or contribute to activity that causes a disruption or denial of service.
* Write, code, compile, store, transmit, transfer or introduce malicious software, programs or code.
* Use peer-to-peer (P2P) file sharing applications, such as Kazaa, Shareaza and OpenP2P without approval and only in support of Navy missions.
“This policy is intended to promote effective and secure use of IT resources within the Department of the Navy and is an integral part of the department’s information assurance efforts,” according to the policy released by the Navy Department’s Chief Information Officer’s Office. http://www.fcw.com/article90710-09-09-05-Web&RSS=yes

WORD BLUNDER EXPOSES U.K. SPLIT ON TERRORISM (CNET, 16 Sept 2005) -- The U.K. government is in trouble over dodgy document management, with an apparent split within the government over new antiterrorism laws exposed by a letter from Home Secretary Charles Clarke. The letter, sent via e-mail as a Word document to the members of the opposing Conservative party, appeared to back controversial plans to hold terrorism suspects for up to three months without trial. However, anybody applying the Microsoft “track changes” function was able to see Clarke’s original wording, which expressed concerns over such measures. http://news.com.com/2110-1029_3-5869260.html [At this point, don’t you think people should be charged with knowledge about these kinds of risks?]

PLAN LETS USERS BE THE JUDGE OF FLAWS (CNET, 16 Sept 2005) -- A plan to make it easier for companies to determine how hard they could be hit by security flaws is ready for prime time, according to its backers. The Common Vulnerability Scoring System plan calls for a unified approach to rating vulnerabilities in software, to replace the proprietary methods many technology companies and security vendors use when determining the impact of a flaw. “We want to bring order to the chaos,” said Mike Caudill, chairman of the Forum of Incident Response and Security Teams, or FIRST, which is pushing for adoption of the new Common Vulnerability Scoring System. “The ultimate goal is to have a system that will help the user appropriately react to a vulnerability.” The Common Vulnerability Scoring System, or CVSS, was developed under the auspices of the National Infrastructure Advisory Council, which advises President Bush about the security of information systems for critical infrastructure. FIRST, a worldwide consortium of security incident response teams such as the United States Computer Emergency Readiness Center, coordinates further CVSS development. On Monday, FIRST plans to announce a push for wide-scale adoption of CVSS. Backers believe the rating system is ready to move into more general use after being a work-in-progress for the past year and a half. It was released publicly in late February, when a group of about 30 companies started testing it. “Now is the time to move to the next phase of deploying CVSS and getting additional vendors on board,” Gerhard Eschelbeck, one of the designers of the rating scheme and chief technology officer at vulnerability management company Qualys, said Friday. CVSS goes beyond today’s severity ratings, such as the familiar “critical” and “important” found in security bulletins from Microsoft. 
The new scoring system, which uses numbers between 1 and 10, enables organizations to calculate the specific risk to their own environment by adding information related to their IT systems. This could help them prioritize patches. In addition to letting companies add their own environmental metric to the risk equation, CVSS also takes into account factors such as the availability of attack code and security patches, which can have an impact on the risk posed by a vulnerability. Current rating schemes typically are limited only to certain aspects of the vulnerability--for example, whether an attacker could remotely compromise a system and how easily a flaw can be exploited. http://news.zdnet.com/2102-1009_22-5869923.html?tag=printthis

-- and --

TROJAN RIDES IN ON 5-MONTH-OLD UNPATCHED OFFICE FLAW (CNET, 30 Sept 2005) -- A new Trojan horse exploits an unpatched flaw in Microsoft Office and could let an attacker commandeer vulnerable computers, security experts have warned. The malicious code takes advantage of a flaw in Microsoft’s Jet Database Engine, a lightweight database used in the company’s Office productivity software. The security hole was reported to Microsoft in April, but the company has yet to provide a fix for the problem. “Microsoft is aware that a Trojan recently released into the wild may be exploiting a publicly reported vulnerability in Microsoft Office,” a company representative said in a statement sent via e-mail on Friday. The software maker is investigating the issue and will take “appropriate action,” the representative said. http://news.com.com/Trojan+rides+in+on+unpatched+Office+flaw/2100-1002_3-5886543.html?tag=nefd.top [Editor: How long is too-long to fix known vulnerabilities?]

RULING PROTECTS FREE SPEECH ON NET, LAWYERS SAY (Toronto Star, 16 Sept 2005) -- In a decision hailed as a victory for freedom of expression, an appeal court has thrown out a lawsuit brought by a former United Nations official trying to sue the Washington Post in Ontario over stories published three years before he moved to the province - and where the newspaper had just seven subscribers. There is no “real and substantial connection” between the province of Ontario and Cheickh Bangoura’s $10 million lawsuit against the Post and three of its reporters, the Ontario Court of Appeal said today in a 3-0 decision. The lawsuit pitted Bangoura against the Post and a coalition of 50 media organizations from around the world. Members of the coalition, which included the New York Times, CNN and major Canadian and European newspapers, were afraid that if the case were allowed to proceed in Ontario, they would be forced to block access to their websites and online databases, which, in turn, would dramatically shrink the scope of the Internet. They feared that if Bangoura could sue in Ontario for stories published in Washington, D.C., they, too, could be sued for Internet stories read in countries far removed from their place of publication. In one story, published on Jan. 5, 1997, the Post examined allegations that Bangoura was involved in sexual harassment, financial improprieties and nepotism while head of the U.N.’s drug program in East Africa. It also examined allegations he had been protected by ties to then secretary-general Boutros Boutros-Ghali. A second story on Jan. 19, 1997 reported that Bangoura had been removed from his job. At the time, the Post had only seven subscribers in Ontario and over 95 per cent of its newspapers were sold in Washington, D.C. Bangoura moved to the Brampton area three years later. The Post’s stories were available online for 14 days after publication. 
After that, they were available through a paid archive, but Bangoura’s lawyer was the only person in Ontario to obtain them this way. Last year, an Ontario Superior Court judge ruled that Bangoura’s case could proceed to trial. The Post should have reasonably foreseen that the impact of its two Jan. 1997 stories about Bangoura, which were also published on the Internet, would have followed him wherever he resided, said Justice Romain Pitt. http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&call_pageid=971358637177&c=Article&cid=1126907414358&DPL=IvsNDS%2f7ChAX&tacodalogin=yes

NO TRESPASSING . . . ON MY CYBER CHATTELS (Steptoe & Johnson’s E-Commerce Law Week, 17 Sept 2005) -- Who needs new laws to combat spyware, when old-fashioned tort claims with funny names will do just fine? Once thought confined to the dustbin of 19th Century legal history, “trespass to chattels” -- or trespass to personal property -- has been resurrected in recent years as a cause of action against Internet spammers and spyware companies. The latest such case is Sotelo v. DirectRevenue, LLC, in which the U.S. District Court for the Northern District of Illinois, Eastern Division, on August 29, allowed a class-action suit against several spyware distributors to proceed based on a claim of damages flowing from an alleged trespass to chattels -- i.e., the plaintiff’s computer. In reinvigorating an obscure and largely dormant cause of action, the court demonstrated that the common law may well already contain remedies for computer security and privacy breaches that have until recently been seen as unsusceptible to tort suits for one reason or another. And by allowing the case to proceed as a class action, the decision could make such claims more economically attractive to plaintiffs’ lawyers. After all, one of the spyware defendants in this case claims access to over 12 million computers in the U.S. through its software, creating a potentially large class of annoyed litigants. So a legal tool that was first used by Internet service providers against spammers may now become a favored tool for individual computer users, as long as there’s a deep pocket on the other end. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=10494&siteId=547

BUILDING THE GREAT FIREWALL OF CHINA, WITH FOREIGN HELP (New York Times, 18 Sept 2005) -- In April 2004, a few weeks before the 15th anniversary of Beijing’s massacre of protesters in Tiananmen Square, the top-ranking staff members of The Contemporary Business News in Hunan were called into a meeting. An editor read a message from the Communist Party’s propaganda department warning that protests or media coverage of the anniversary would not be tolerated as June 4 approached. Though the message was routine, the reporters were warned not to take notes. But Shi Tao, one of the journalists, did. He e-mailed them to a Chinese dissident in America, who posted them on the Web. A few months later, Mr. Shi was arrested. This April, he was given 10 years in prison, a sentence the judge called lenient, for disseminating state secrets abroad. How did the police find Mr. Shi? His newly published verdict states that the prosecution relied in part on information given to the government by Mr. Shi’s e-mail provider, Yahoo. America has a bipartisan human rights policy in China. It is called trade. The idea is that Western companies will bring Western values - especially when they develop the Internet, supposedly an unstoppable force for openness. But Mr. Shi’s fate is the latest piece of evidence that it’s not working out that way. China now has more than 100 million Internet users, more than any nation but the United States. But as the Internet booms, China is growing more politically closed. Its government has used the Internet masterfully as a steam valve, allowing Chinese to participate in a world that is modern in all senses but one. A controlled Internet may seem like an oxymoron, but China has one. Sophisticated filters block access for users in China to ideas about democracy, human rights, Taiwan, Tiananmen and other sensitive subjects. 
Type in “democracy” on a search engine in China and you get a limited choice of government-approved sites, or nothing at all, or a warning that the word is prohibited. If you use one of these words in an e-mail message, chat room or blog, you will be censored, and possibly arrested. American companies like Microsoft and Cisco have all sold China security tools and firewalls that China has turned into political controls. The companies argue that it is not their fault if China misuses standard politically neutral technology. They are right, but many foreign Internet companies in China have gone beyond neutrality. Some, including Yahoo, signed a pledge of “self-discipline” in 2002, promising to follow China’s censorship laws. Many Internet portals actively censor their Chinese Web sites. [Editor: there’s more to this editorial.] http://www.nytimes.com/2005/09/18/opinion/18sun3.html?ex=1284696000&en=0a85c3297d4fcec7&ei=5090&partner=rssuserland&emc=rss

SECRECY POWER SINKS PATENT CASE (Wired, 20 Sept 2005) -- When New England inventor Philip French had his epiphany 15 years ago, he didn’t dream it would lead to an invention that would be pressed into service in a top-secret government project, or spawn an epic court battle over the limits of executive power. He was just admiring a tennis ball. The ball’s seam, with its two symmetrical halves embracing each other in a graceful curve, intrigued him. “I thought, my god, I bet you can do something with that kind of shape,” he recalls. He was right. French and two colleagues went on to design and patent a device now called the Crater Coupler, a simple, foolproof connector for linking one pipe or cable to another without nut threads or bolted flanges. The device is interesting on its own, but the broader legal legacy of the invention may be more important. In a little-noticed opinion this month, a federal appeals court ruled against the Crater Coupler patent holders and upheld a sweeping interpretation of the controversial “state secrets privilege” -- an executive power handed down from the English throne under common law that lets the government effectively kill civil lawsuits deemed a threat to national security, even if the state is not a party to the suit. The ruling is notable as a rare appellate interpretation of the state secrets privilege as it applies to patent holders. As such, it is a potentially worrying development for inventors -- particularly those developing weapons, surveillance and anti-terror technologies for government contractors -- who may find infringement claims dismissed without a hearing under the auspices of national security. It also offers a fascinating, if limited, view into the machinery of official secrecy at a time when the privilege is being exercised as never before. Never passed by Congress, the privilege has its roots in English common law and was cemented into American jurisprudence by a landmark 1953 Supreme Court case titled U.S. v. Reynolds. In Reynolds, the widows of three men who died in a mysterious Air Force crash sued the government, and U.S. officials tried to quash the lawsuit by claiming that they couldn’t release any information about the accident without endangering national security. The Supreme Court upheld the claim, establishing a legal precedent that today allows the executive branch to block the release of information in any civil suit -- even if the government isn’t the one being sued. According to research by an associate professor of political science at the University of Texas, the government invoked the privilege only four more times in the next 23 years. But following the Watergate scandal, the executive branch began applying state secrecy claims more liberally. Between 1977 and 2001, there were at least 51 civil lawsuits in which the government claimed the state secrets privilege -- in every case successfully. Under Reynolds, the head of a federal agency must personally intervene to invoke the privilege. In Crater v. Lucent, it was Richard J. Danzig, then-secretary of the Navy, who did the honors. In a March 1999 declaration, Danzig claimed that permitting Crater to pursue a legal inquiry into the government’s alleged use of their coupler would tip off U.S. adversaries to certain highly classified government operations and “could be expected to cause extremely grave damage to national security.” http://www.wired.com/news/technology/0,1282,68894,00.html

CT. RULES SMS EMAIL SPAM COVERED BY TCPA (BNA’s Internet Law News, 22 Sept 2005) -- An Arizona court has ruled that email spam that was converted into an SMS message can be treated as a call for the purposes of the Telephone Consumer Protection Act. Case name is Joffe v. Acacia Mortgage Corp. Decision at http://www.cofad1.state.az.us/opinionfiles/CV/CV020701.pdf Coverage at http://www.azdailysun.com/non_sec/nav_includes/story.cfm?storyID=115849

ITAA BACKS BREACH NOTIFICATION LAW (FCW, 21 Sept 2005) -- Congress should pass a law that outlines when government and the private sector must notify the public about cybersecurity breaches that compromise confidential information, an information technology industry group said today. The theft of millions of personal records from ChoicePoint and other companies has made breach notification “the most pressing cybersecurity issue on the minds of Congress right now,” said Greg Garcia, vice president of information security programs and policy at the IT Association of America. Congress is more likely to pass a breach notification law than any other cybersecurity-related bill this term, Garcia said. As of August, 17 state bills have been passed into law, and eight of them have taken effect, Garcia said. The ITAA supports a national standard for breach notification with rational guidelines of when to notify the public, Garcia said. The law should establish a clear definition of breaches, specify means and methods of notification and identify information to publish, Garcia said. It should also describe exceptions when information cannot be given, such as in national security matters. http://www.fcw.com/article90869-09-21-05-Web

FRENCH GOVERNMENT-SPONSORED GUIDE AIMS TO HELP BLOGGERS BEAT CENSORSHIP (SiliconValley.com, 22 Sept 2005) -- A Paris-based media watchdog has released a free guide with tips for bloggers and dissidents to sneak past Internet censors in countries from China to Iran. Reporters Without Borders’ “Handbook for Bloggers and Cyber-Dissidents” is partly financed by the French Foreign Ministry and includes technical advice on how to remain anonymous online. It was launched at the Apple Expo computer show in Paris on Thursday and can be downloaded for free in Chinese, Arabic, Persian, English and French. “Bloggers are often the only real journalists in countries where the mainstream media is censored or under pressure,” Julien Pain, head of the watchdog’s Internet Freedom desk, writes in the introduction. In a bid to inspire budding Web diarists around the world, the 87-page booklet gives advice on setting up and running blogs, and on using pseudonyms and anonymous proxies, which can be used to replace easily traceable home computer addresses. “With a bit of common sense, perseverance and especially by picking the right tools, any blogger should be able to overcome censorship,” Pain writes. The advice varies depending on the user’s level of paranoia -- from changing cyber-cafes to sending cryptographically signed messages via specially formatted e-mail. The guide explains circumvention technologies that can break through government filters but warns bloggers to check how severe the penalty will be if they are caught using them. http://www.siliconvalley.com/mld/siliconvalley/business/technology/12714408.htm [Handbook at http://www.rsf.org/rubrique.php3?id_rubrique=542]

IPOD MAPS DRAW LEGAL THREATS (Wired, 26 Sept 2005) -- Transit officials in New York and San Francisco have launched a copyright crackdown on a website offering free downloadable subway maps designed to be viewed on the iPod. IPodSubwayMaps.com is the home of iPod-sized maps of nearly two dozen different transit systems around the world, from the Paris Metro to the London Underground. The site is run by New Yorker William Bright, who said he fell into transit bureaucracy crosshairs after posting a digitized copy of the New York City subway system map on Aug. 9. “I got it on Gawker the day after it started, and the site exploded,” he said. More than 9,000 people downloaded the map, which was viewable on either an iPod or an iPod nano, before Bright received a Sept. 14 letter from Lester Freundlich, a senior associate counsel at New York’s Metropolitan Transit Authority, saying that Bright had infringed the MTA’s copyright and that he needed a license to post the map and to authorize others to download it. http://www.wired.com/news/mac/0,2125,68967,00.html

EU DATA PROTECTION CHIEF WARNS AGAINST ANTI-TERRORISM PLANS (SiliconValley.com, 26 Sept 2005) -- The European Union’s data protection supervisor Monday criticized EU plans to retain phone and e-mail data for use in anti-terrorism investigations, saying they failed to protect civil liberties and gave a free hand to national intelligence services. Peter Hustinx said the proposals -- one drafted by EU governments, the other by the European Commission -- did not prove the need for EU-wide data retention rules. He added that the rush to push through the bills following the London bombings in July would come at the cost of civil liberties. He highlighted the proposal drafted by EU governments which could see data like times of phone calls retained for up to three years. He warned that “a time limit (on keeping data) beyond one year would be disproportionate.” British Home Secretary Charles Clarke, who is chairing the EU negotiations, has called for the 25 governments to look at curbing some civil liberties to allow for improved police investigations into suspected terror groups. EU governments have been working hard to agree on data retention rules, in particular how long such data should be retained and who should pay for the added cost of keeping the records. Telecommunications companies are opposed to being left with the costs. http://www.siliconvalley.com/mld/siliconvalley/business/technology/12746814.htm

WIRETAP RULES FOR VOIP, BROADBAND COMING IN 2007 (ZDnet, 26 Sept 2005) -- Broadband providers and Internet phone services have until spring 2007 to follow a new and complex set of rules designed to make it easier for police to seek wiretaps, federal regulators have ruled. It’s clear from the Federal Communications Commission’s 59-page decision, released late Friday evening, that any voice over Internet Protocol, or VoIP, provider linking with the public telephone network must be wiretap-ready. That list would include companies such as Vonage, SkypeOut and Packet 8. But what remains uncertain is what the Communications Assistance for Law Enforcement Act (CALEA) ruling means for companies, universities, nonprofits--and even individuals offering wireless or other forms of Internet access. “Because of that very fundamental difference between the Internet and the public switched network, the commission has had a hard time defining who, exactly, is covered, and they have in this order completely punted on the question of who is responsible for what,” Jim Dempsey, executive director of the Center for Democracy and Technology, said Monday. http://news.zdnet.com/2100-1035_22-5883032.html FCC decision at http://www.fcc.gov/FCC-05-153A1.pdf [Editor: DTF - doomed to fail. Telcos and classic VoIP providers are centralized entities that the government can compel, but internet-enabled telephony may evolve to follow a distributed P2P model, where individuals create ad hoc “connections” for each conversation. How will CALEA apply then?]

MEDIATION BEGINS IN MUSIC COPYRIGHT TRIAL (ABC News, 27 Sept 2005) -- Four music giants and their local subsidiaries have entered mediation with Baidu.com, China’s largest Internet search engine, over the recording companies’ claims of copyright infringement. No agreement was reached after more than five hours of discussions that began Monday at the Beijing No. 1 Intermediate People’s Court, the official China Daily newspaper said. A judge would resolve the issue if there is no resolution. It is the second time this month that Baidu, whose share price went as high as $153.98 after an initial public offering at $27 on the Nasdaq Stock Market in August, was in a Chinese court dealing with accusations of copyright violations. Universal, EMI, Warner, Sony BMG and local subsidiaries claim that Baidu made it easy for its users to illegally download copies of 137 of their songs through the mp3.baidu.com search page. The music companies are seeking 1.67 million yuan, or $206,000, in compensation, the China Daily newspaper said. http://abcnews.go.com/Technology/wireStory?id=1163082

AT GOOGLE, THE WORKERS ARE PLACING THEIR BETS (New York Times, 26 Sept 2005) -- Like all search engines, Google helps people sort through information from the past. But a new service, being used inside the company, tries to forecast the future. Google has created a predictive market system, basically a way for its employees to bet on the likelihood of possible events. Such markets have long been used to predict world events, like election results. Intrade, part of the Trade Exchange Network, allows people to bet on elections, stock market indexes and even the weather, for example. In Google’s system, employees can bet on how the company will perform in the future, forecasting things like product introduction dates and new office openings. It was devised under a program that allows engineers to spend one day a week on a project of their choice. To help develop the system, Google consulted Hal R. Varian, an economist at the University of California, Berkeley. Professor Varian (who also writes the Economic Scene column for The New York Times) said that the final product was not entirely what he anticipated. “I was a little surprised,” Professor Varian said. “I expected this to be accurate because there’s a lot of literature and experience with these systems. But this has been even better than I expected.” Google has not offered precise data on the system’s accuracy, but a chart posted on the company’s blog last week showed that, in the words of its accompanying entry, prices set for events through employees’ wagering were a “pretty close” indication of the probability of events. http://www.nytimes.com/2005/09/26/business/26google.html?ex=1285387200&en=c171e8934faa7fc1&ei=5090&partner=rssuserland&emc=rss

GOOGLE ENDS BOYCOTT OF NEWS.COM (SiliconValley.com, 28 Sept 2006) -- Google Inc.’s boycott of News.com appears to have ended quietly, less than three months after company executives told the technology news site that they would stop speaking with its reporters for a year. Google CEO Eric Schmidt this week granted an interview to News.com’s Elinor Mills, the reporter whose article in July about privacy issues raised by Google’s search engine apparently offended the company. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/12764875.htm

POLL: COMPANIES UNPREPARED FOR NEXT SARBANES-OXLEY DEADLINE (TechWeb, 26 Sept 2005) -- Nearly half of public companies that filed for extensions to meet Sarbanes-Oxley requirements are likely to miss the next deadline, according to a poll by Akonix Systems Inc. The poll, released Monday, found that 45 percent of public companies will not have archiving systems in place for their e-mail and instant messaging by July 15, 2006. Executives can face fines and jail time for failing to meet the deadlines. Akonix, which produces instant messaging, security and management solutions, reported that only 29 percent of executives at 157 public companies believed their messages would be archived on time. Another 26 percent said they were unsure of whether they would meet the deadline. Most stated that cost was the major obstacle. AMR Research reports that U.S. businesses will spend more than $6.5 billion on products and services related to Sarbanes-Oxley requirements. http://www.techweb.com/wire/ebiz/171200636;jsessionid=41STIHEK3RNDEQSNDBNCKHSCJUMEKJVN

FTC LAUNCHES AGGRESSIVE CAMPAIGN TO EDUCATE ONLINE CONSUMERS (TechNewsWorld, 27 Sept 2005) – Saying a consumer that is aware of online threats is essential to a strong U.S. economy, the Federal Trade Commission (FTC) has launched its most ambitious effort yet to educate Americans on the dangers lurking on the Web. The FTC joined with cybersecurity experts in government and the private sector, consumer protection groups and online companies to launch an interactive campaign that leans heavily on the Web. The FTC said it had established a standalone Web site, onguardonline.gov, where consumers can learn how to avoid online scams and buy online with confidence. FTC Chairman Deborah Platt Majoras said the effort is “all about consumer confidence,” which in turn drives the U.S. economy. The Web page features basic tutorials on topics such as spam, phishing attacks, spyware and secure shopping, with information presented in a number of formats. The site also includes links to forms for reporting possible fraud or attacks. http://www.technewsworld.com/story/46373.html

COMMISSION UNVEILS PLANS FOR EUROPEAN DIGITAL LIBRARIES (European Commission, 30 Sept 2005) -- The European Commission today unveiled its strategy to make Europe’s written and audiovisual heritage available on the Internet. Turning Europe’s historic and cultural heritage into digital content will make it usable for European citizens for their studies, work or leisure and will give innovators, artists and entrepreneurs the raw material that they need. The Commission proposes a concerted drive by EU Member States to digitise, preserve, and make this heritage available to all. It presents a first set of actions at European level and invites comments on a series of issues in an online consultation (deadline for replies 20 January 2006). The replies will feed into a proposal for a Recommendation on digitisation and digital preservation, to be presented in June 2006. http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/1202&format=HTML&aged=0&language=en&guiLanguage=en

-- and --

YAHOO TO DIGITIZE PUBLIC DOMAIN BOOKS (CNET, 2 Oct 2005) -- Yahoo is launching a library-digitization project to rival Google’s controversial program. Yahoo is working with the Internet Archive, the University of California and others on a project to digitize books in archives around the world and make them searchable through any Web search engine and downloadable for free, the group was set to announce Monday. “If we get this right so enough people want to participate in droves, we can have an interoperable, circulating library that is not only searchable on Yahoo but other search engines and downloadable on handhelds, even iPods,” said Brewster Kahle, founder of the Internet Archive. The project, to be run by the newly formed Open Content Alliance (OCA), was designed to skirt copyright concerns that have plagued Google’s Print Library Project since it was begun last year. http://news.com.com/2100-1038_3-5887374.html

NEW RULE SAYS AGENCIES MUST BUILD CYBER SECURITY INTO ACQUISITION PLANNING (SANS NewsBytes, 30 September 2005) -- As of September 30, 2005, contracting officers at federal agencies are required to incorporate cyber security requirements in their acquisition planning. The Federal Acquisitions Regulation Council issued an interim rule and will accept comments on the rule through November 29, 2005. The rule says that acquisition professionals must get advice from IT security specialists, requires contracting officers to abide by FIPS standards and to incorporate “appropriate agency security policy and requirements in IT acquisition.” http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37162 http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-19468.htm

DIGITAL MUSIC SALES SURGE AMID BROADER DECLINE (CNET, 3 Oct 2005) -- The music industry cheered a tripling of digital music sales in the first half of 2005 that was spurred by mobile phone ring tones and online services and offset persistent declines in overall sales. Digital music now makes up 6 percent of total sales, or about $790 million, according to first-half figures released on Monday by the International Federation of the Phonographic Industry (IFPI) trade group. Sales of CDs and other physical formats continued a long decline, which the music industry has blamed mainly on piracy, falling to $13.2 billion from $13.4 billion a year earlier. “It feels as if the decline is lessening,” said IFPI Chairman and Chief Executive John Kennedy, who has predicted that full-year sales will be roughly flat. The IFPI said that lower CD prices, flagging DVD music video sales and competition from other entertainment sectors also contributed to the decline. http://news.com.com/2100-1027_3-5887586.html

SARB-OX MISSTEPS HELP IT EXECS FINE-TUNE PLANS (ComputerWorld, 3 Oct 2005) -- Executives who oversaw the first round of Sarbanes-Oxley Act compliance for their companies said last week that in hindsight, they likely would have done things a bit differently. The changes they would make include better educating workers about the steps that need to be taken, assigning dedicated staffers to assess and monitor critical controls, and automating a greater portion of repairs to deficient IT controls, said attendees at the Sarbanes-Oxley Conference & Exhibition here. Neil Frieser, vice president of internal controls at Viacom Inc. in New York, said his early experiences taught him that “you want to start the process early, to educate as many people as possible.” Frieser said Viacom conducted a staggering 19,600 tests on 1,560 business controls and 540 IT controls last year to meet Section 404 of the law. The work covered 116 business processes and 75 IT applications throughout the media company, whose divisions include CBS Broadcasting Inc., MTV Networks Co. and Nickelodeon Networks. One of the best lessons Viacom executives learned and acted on during the process was to identify and test internal controls centrally rather than hand the work off to each of a dozen business unit leaders, Frieser said. “We developed a lot of guidance centrally instead of having a lot of guesswork in each of the business units,” he said. “We weren’t perfect in 2004, but we got more right than we got wrong.” Michael Hultberg, executive director at Time Warner Inc. in New York, said officials at the media giant discovered during the first round of Section 404 compliance efforts that “many of the key controls we’d identified actually weren’t that key.” Time Warner spent a mind-numbing 350,000 man-hours identifying, evaluating and testing its financial and IT controls, but it discovered a higher proportion of IT control deficiencies in areas such as security and change management, he said. http://computerworld.com/governmenttopics/government/legislation/story/0,10801,105116,00.html

FINNISH “STAR TREK” SPOOF PROSPERS ON INTERNET (Reuters, 5 Oct 2005) -- A Finnish spoof of the sci-fi classic “Star Trek” has boldly gone where no feature film has gone before, relying on free distribution over the Internet to reach more than 450,000 viewers in less than a week. “Star Wreck: In the Pirkinning” is a full-length feature in Finnish with English subtitles. It was made over seven years by a group of students and other amateur film makers with a bare-bones budget and a few home computers to create elaborate special effects. “We took a conscious decision not to go to the theatres as the movie was done mostly on a voluntary basis,” said Timo Vuorensola, who directed the film. “Through the Internet and DVD it will probably get the widest possible viewership. We are hoping to reach one million downloads by the end of the year.” The success of “Star Wreck” comes as Hollywood grapples with the threats and opportunities of the Internet. Movie studios are fearful of the rampant piracy that has ravaged their music label counterparts, but are also hoping to use the Internet to cut distribution costs and open up new markets. http://news.yahoo.com/s/nm/20051005/wr_nm/media_internet_starwreck_dc

E-MAIL TO LAWYERS: E-DISCOVERY RULES ON THE WAY (ABA Journal, 7 Oct 2005) -- The Judicial Conference of the United States, making “the biggest change … in a generation or two,” has approved changes to the Rules of Civil Procedure to govern discovery of electronic communications, including e-mails and digitally stored documents. The amendments were developed by the conference’s Advisory Committee on Civil Rules, chaired by U.S. District Judge Lee Rosenthal of the Southern District of Texas. After a six-month period for comments, the Committee on Rules of Practice and Procedure adopted the e-discovery rules at a meeting of the Judicial Conference, the administrative policy arm of the federal courts, on Sept. 20. The rules must still be approved by the U.S. Supreme Court, though this is considered a formality. Then, if Congress does not disapprove them, they are expected to take effect by Dec. 1, 2006. Some experts are predicting the rules will represent the proverbial “paradigm shift” in the practices of many attorneys. “The amendments are the biggest change to the Rules of Civil Procedure in a generation or two,” says George Paul, a Phoenix-based attorney who co-wrote the upcoming ABA book The Discovery Revolution. “Lawyers are going to have to think about whether their clients have information on laptops, desktops, servers and personal digital assistants. You’re going to have to know what you’re doing well enough to talk to your client and opponent about electronic discovery.” Under the proposed amendment to Rule 26(f), a pretrial conference will include discussion of issues related to discovery of electronically stored information. 
“The topics to be discussed include the form of producing electronically stored information, a distinctive and recurring problem in electronic discovery resulting from the fact that unlike paper, electronically stored information may exist and be produced in a number of different forms,” says the Summary of the Report of the Judicial Conference Committee on Rules of Practice and Procedure. http://www.abanet.org/journal/ereport/oc7rules.html [Report summary at http://www.uscourts.gov/rules/Reports/ST09-2005.pdf ]

AND IT CAME 2 PASS (New York Times, 7 Oct 2005) -- “In da Bginnin God cre8d da heavens & da earth.” That’s according to a new version of the Bible translated into the text message language of cell phone users. The Bible Society in Australia on Thursday launched its translation of all 31,173 verses of the Bible in the modern, abbreviated language of text messages. The verses can be accessed over the Internet for free so that they can be spread by cell phone to family and friends, said society spokesman Michael Chant. The society used the International Contemporary English Version of the Bible and remained faithful to the grammar, changing just the spelling of words, Chant said. Sending the entire Bible by text message would take more than 30,000 dispatches, he said. http://www.nytimes.com/2005/10/07/international/asia/07brief-australia.html?adxnnl=1&adxnnlx=1128708480-hLsNnKHGs6YjvklLsU7OhA

HAVE RECESSIONS ABSOLUTELY, POSITIVELY BECOME LESS PAINFUL? (New York Times, 8 Oct 2005) – The nearly empty Airbus 310 was coasting through the Alabama night sky when a message flashed in the cockpit. "DIVERT," it said, before using code to order the plane to land in Atlanta. The pilot banked the jet to the east and a half-hour later it was on the ground. There, its cargo door opened up to a group of waiting FedEx employees who began filling it with 17,000 pounds of cargo. It had been a busy day for Georgia businesses, and FedEx's regular nightly flights from Atlanta to the company's Memphis hub were overbooked with packages. So the local crew made a call to a sprawling, low-slung room here at headquarters, where people hunch over computer screens showing weather maps and flight plans, and asked for help from the five empty FedEx jets that roam over the United States every night. The recent birth of that small fleet, at a multimillion-dollar price tag, explains a lot about how the nation's economy has become so much more resilient. Think of it as the FedEx economy, a system that constantly recalibrates itself to cope with surprises. The United States has endured an almost biblical series of calamities in recent years - wars, hurricanes, financial scandals, soaring oil prices and rising interest rates - but the economy keeps chugging along at an annual growth rate of roughly 3 percent. It has been able to do so with the help of technology that allows businesses to react ever more quickly to changes. But with little notice, those reactions have also created a new feature of the business cycle: the micro-recession. When one of them strikes, activity slows for a few weeks, sometimes in just certain sectors or regions, as companies adjust to a dip in demand. It has happened much more often in the last few years than in earlier expansions, but growth has picked up each time, thanks in part to the adjustments that businesses have made. 
No company embodies this change, for better and worse, quite like FedEx. The company's around-the-world flights - fuller coming from Asia than going to it - are the shipping lanes of the global economy, bringing goods from Chinese factories to American shelves in just days. FedEx technology helps Procter & Gamble managers send more Crest to Wal-Mart whenever somebody buys a tube, and the managers can then watch the replacement move through the supply chain from their computer screens. All this - combined with financial innovations that allow companies to hedge their bets and, some say, the deregulation of pivotal transportation industries - has helped mute the economy's swings. The business cycle has certainly not been eliminated, as some dreamers suggested during the 1990's boom, but recessions really do seem to happen less often. Besides Las Vegas, the flying spares leave from Duluth, Minn.; Laredo, Tex.; Fort Myers, Fla.; and Portland, Me. All take circuitous paths to Memphis, passing near major cities like Dallas, Denver and St. Louis. On a typical night, one of the five makes an unexpected stop to collect an overflow of packages, one lands to bail out a plane needing a repair, and three arrive in Memphis as empty as they were when they took off. Until a year ago, FedEx used just one flying spare, leaving from Las Vegas, but executives decided they needed an even larger reserve army to fight uncertainty. Every night, the company also keeps about 10 percent of planes half empty, allowing them to make unplanned stops and pick up more cargo. Changes like this, not just at FedEx but at its rival United Parcel Service and many other companies, have helped foster the recent economic stability. The amount of inventory that companies keep in their warehouses, in case demand suddenly surges or some boxes become stuck in Oakland, has steadily fallen. 
http://www.nytimes.com/2005/10/08/business/08fedex.html?ex=1286424000&en=bd7eae6d58092b0b&ei=5090&partner=rssuserland&emc=rss

**** CURIOSITIES ****
HURRICANE RITA (22-25 September 2005) – The editor’s blog, from the apparent bullseye. http://vpolleyhurricanerita.blogspot.com/

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com.
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.