MIRLN (Misc. IT Related Legal News) is a free product of KnowConnect, Inc. (www.knowconnect.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.
**************End of Introductory Note***************
SARBOX: YEAR 2 (CFO.com 15 Sept 2005) -- First, the good news: Most companies have endured and survived their initial foray into Sarbanes-Oxley. And while it often proved a costly and occasionally frenzied experience, it has, many companies say, improved the controls that govern corporate operations. On the other side of the ledger, unfortunately, it appears that year two won’t be the autopilot repeat that companies had hoped for. The first year taught many lessons that have yet to be embedded in most compliance programs, making the second year potentially more labor-intensive than the first. One of the biggest lessons learned concerns the role that IT plays in supporting financial processes, which caught many companies off-guard. But some best practices are emerging, from both a technology and a management perspective, that can help companies address the compliance burden in year two and beyond without massive expense and perpetual panic. Going forward, companies should establish a multidisciplinary governance council or steering committee to set the scope of compliance and resolve issues quickly. Such a council “is essential to making [compliance] go smoothly in year two,” says John Hagerty, vice president and analyst at AMR Research Inc. in Boston. It puts IT, finance, and other business management on the same page and helps provide badly needed guidance. “IT people overprepared in 2004. They had little or no guidance and felt they did a lot of stuff they didn’t need to do,” says Hagerty. (Many would say the same about auditors, as we reported in the last issue. See “Sarbox Surprises” and “Survey Says,” Summer 2005.) The council or committee should ideally include the CFO or other high-level finance executive, someone from the internal audit department, the CIO or other IT executive, and a representative from business operations. The group should be designed to make rapid decisions so compliance issues don’t linger for months. 
Hagerty says AMR recently ran a forum on Sarbox, and the half dozen or so companies that had implemented such a council reported that it was a key to their success in compliance efforts. http://www.cfo.com/article.cfm/4390933?f=home_featured
IN-HOUSE ATTORNEYS BECOME IT GATEKEEPERS (Law.com, 4 Oct 2005; subscription required) -- Sylvia Kerrigan remembers when she first tackled electronic discovery at her company about two years ago. The assistant general counsel at Houston-based Marathon Oil Corp. says it was like slowly easing herself into a pool of water. Then she started to swim -- talking with outside counsel and vendors, exploring services and looking at fancy new software. Finally, she took a tour of Marathon’s information technology department, and that’s when the staggering depth of the problem hit her: “I realized what I considered to be a pool was actually an ocean.” When it comes to e-discovery, many in-house counsel still find themselves in over their heads. To be sure, over the past decade, embarrassing e-mails have figured prominently in a number of high-profile lawsuits, like the U.S. Department of Justice’s landmark antitrust case against Microsoft Corp. in the late ‘90s. But despite electronic data’s notoriety, recent surveys show that an alarming percentage of corporate attorneys and their companies still aren’t up to speed. A study by Cohasset Associates Inc., a Chicago-based records management firm, showed that 46 percent of the companies surveyed don’t have a formal system for holding records, and 65 percent don’t include electronic documents when they retain documents. The e-discovery stakes have also risen dramatically. This year, plaintiffs have been winning huge awards by going after e-mails found through e-discovery. In August a jury returned a $253 million verdict against Merck & Co. Inc., when a top scientist’s crucial e-mail suggested that the company knew two years before it put Vioxx on sale that the painkiller might cause heart problems. (Merck has denied this and is appealing.) 
That verdict came only months after a Florida state jury, finding that investment bank Morgan Stanley botched its e-discovery in the case, awarded financier Ronald Perelman $1.45 billion in a default judgment. Look no further than the headlines for more examples: UBS Warburg, Enron Corp., WorldCom Inc. and Marsh & McLennan Cos. Inc., to name a few companies where execs got caught with their e-mails exposed. So common is New York Attorney General Eliot Spitzer’s demand for e-discovery that he reportedly began a recent speech in front of Wall Street execs with the quip that he was really glad to be there, because he wanted to put faces to the e-mails. For e-discovery, there’s a classic disconnect between technology and the law, and the law hasn’t fully caught up. Slowly, however, the legal system is coming to grips with it. Bar associations, corporate lawyers and judges are working together on the federal and state levels to bring some coherence and predictability to e-discovery requests. The most prominent of these efforts, an Arizona think tank called the Sedona Conference, recently issued guidelines that have led to proposals to change the Federal Rules of Civil Procedure. Some proposed rules would, for example, provide for leniency if a company makes a good-faith effort to produce electronic data. But some savvy in-house lawyers, usually the front line in e-discovery wars, aren’t waiting around for the new rules. They’re scrambling to get their digital houses in order, and in the process are creating new roles for themselves and their department. For example, Pfizer Inc. has hired a senior counsel to work full time with consultants to build a new e-discovery system from the ground up. And Marathon Oil’s Kerrigan is placing a dedicated e-discovery coordinator at every corporate subsidiary. http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1128342926735
DHS HAS PORTAL FOR SECURITY TOOLS, TIPS FOR SOFTWARE DEVELOPERS (Washington Post, 6 Oct 2005) -- The Homeland Security Department has launched a secure portal to provide best practices, tools and other resources for creating more reliable and secure software for developers and security professionals. The new Web site, Build Security In, was developed in conjunction with the Carnegie Mellon Software Engineering Institute. It was unveiled at a software assurance forum this week co-hosted by DHS and the Defense Department. The site takes a building-block approach, with content areas separated into different phases of the software development life cycle such as architecture and design, systems analysis and testing, and implementation. Within each area, articles are compiled discussing best practices for that particular aspect of software development. http://www.washingtontechnology.com/cgi-bin/udt/im.display.printable?client.id=wtdaily-test&story.id=27118 Build-Security site at https://buildsecurityin.us-cert.gov/portal/
U.S. CYBERSECURITY DUE FOR FEMA-LIKE CALAMITY? (ZDnet, 7 Oct 2005) -- In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster. Is the cybersecurity division next? Like FEMA, the U.S. government’s cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago. Auditors had warned months before Hurricane Katrina that FEMA’s internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be “unprepared” for emergencies. “When you look at the events of Katrina, you kind of have to ask yourself the question, ‘Are we ready?’” said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. “Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no.” The department, not surprisingly, begs to differ. “Cybersecurity has been and continues to be one of the department’s top priorities,” said Homeland Security spokesman Kirk Whitworth. But more so than FEMA, the department’s cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that’s worrying experts and industry groups. The department is charged with developing a “comprehensive” plan for securing key Internet functions and “providing crisis management in response to attacks”--but it’s been more visible through press releases such as one proclaiming October to be “National Cyber Security Awareness Month.” Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials. http://news.zdnet.com/2100-1009_22-5891219.html
SOFTWARE LICENSES: VENDORS HAPPY, CUSTOMERS NOT SO HAPPY (Information Week, 11 Oct 2005) -- Software vendors are a lot more satisfied with the licensing agreements they offer than their customers are, a finding that spells trouble for vendors that are not tuned in to their customers’ needs, says Fred Amoroso, CEO of Macrovision, which sponsors an annual study on software licensing trends. Business software managers are looking for more flexible license structures that allow them to pay only for what they use. Instead they are frequently locked into contracts that push them toward paying peak usage prices, he said. In August and September, the Software and Information Industry Association along with Macrovision, a supplier of software to manage software licenses, sponsored a survey of 500 SIIA members on their satisfaction with existing licensing arrangements. Two-thirds of the vendors interviewed said they had adjusted their licensing and 57% said they were satisfied with the results. Only 28% of customers said they were satisfied with their licenses. As software vendors get larger, their satisfaction with their own license offerings drops, Amoroso said. He interpreted that result as indicating large software firms realize their limited licensing schemes are causing customer dissatisfaction but don’t feel able to propagate more license arrangements. Amoroso said more license arrangements are needed “that work the way the software in enterprises works.” Some vendors offer a concurrent-user license that allows any set of users up to a certain limit to make use of the software. The arrangement frees the software from use only by fixed named users. Some vendors allow the concurrent user license to float on an enterprise network, so users in different parts of the world can use the software as one shift comes on and another goes home. But many software package licenses are based on the number of CPUs in the server or the number of named users.
Since CPU usage fluctuates, companies are forced to buy for maximum usage. Average usage can be much lower. The study, “Key Trends in Software Pricing and Licensing,” was the second conducted by Macrovision and SIIA. The study shows that software vendors “need to embrace the new models in order to keep customers happy,” said Ken Wasch, president of SIIA, in a statement. Other findings include:
• 72% of businesses manually track their license compliance or don’t track it at all.
• 50% of businesses would like a way to automatically track software use and ensure compliance with their licenses. The figure is up 6% from last year.
• Subscription models, where customers pay a monthly fee for software instead of a one-time purchase price, have caught on with 40% of vendors. The figure is 7% higher than last year. The number is expected to jump to 60% in 2006.
• 53% of businesses prefer concurrent pricing models to per-server licenses. The figure is up 11% from last year.
• Despite some large vendors’ “aggressive efforts to license per processor,” only 6% of businesses prefer this approach. With the advent of dual-core processors, some vendors are counting two cores, as in upcoming chips from Intel Corp. and Advanced Micro Devices, as two processors. Customers are still seeing one processor. Oracle recently took a step back from such a stance, saying it will count each unit of a dual-core processor as 0.75% of a processor.
EXPERT: HOLD DEVELOPERS LIABLE FOR FLAWS (CNET, 12 Oct 2004) -- Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cybersecurity adviser. Speaking Tuesday at the SecureLondon 2005 conference, Schmidt, who is now CEO of R&H Security Consulting, also called for better training for software developers. He said he believes that many developers don’t have the skills needed to write secure code. “In software development, we need to have personal quality assurances from developers that the code they write is secure,” said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL. “They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions so we can go to them and say, ‘Is this completely secure?’” Schmidt said. Schmidt also referred to a recent survey from Microsoft finding that 64 percent of software developers were not confident that they could write secure applications. For him, better training is the way forward. “Most university courses traditionally focused on usability, scalability and manageability--not security. Now a lot of universities are focusing on information assurance and security, but traditionally, Web application development has been measured in mouse clicks--how to make users click through,” Schmidt said. Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them. http://news.com.com/2100-1002_3-5893849.html [Editor: In September 2002 Mr. Schmidt rebuffed suggestions that developers should bear this kind of responsibility when he was writing the National Strategy to Secure Cyberspace. His thinking is evolving, and the courts won’t be too far behind.]
-- and --
SUE COMPANIES, NOT CODERS (Wired, 20 Oct 2005) -- At a security conference last week, Howard Schmidt, the former White House cybersecurity adviser, took the bold step of arguing that software developers should be held personally accountable for the security of the code they write. He’s on the right track, but he’s made a dangerous mistake. It’s the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits. To understand the difference, it’s necessary to understand the basic economic incentives of companies, and how businesses are affected by liabilities. In a capitalist society, businesses are profit-making ventures, and they make decisions based on both short- and long-term profitability. They try to balance the costs of more-secure software -- extra developers, fewer features, longer time to market -- against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales. The result is what you see all around you: lousy software. Companies find that it’s cheaper to weather the occasional press storm, spend money on PR campaigns touting good security, and fix public problems after the fact than to design security right from the beginning. http://www.wired.com/news/print/0,1294,69247,00.html [Editor: Actually, Schmidt didn’t propose that individual programmers be held individually liable. Schneier’s comments in this Wired article are still useful.]
SURVEY: LITIGATION SKYROCKETING AMONG TECH COMPANIES (EEtimes, 12 Oct 2005) -- Technology and communications companies rank third on the list of U.S. and U.K. industries with the most litigation, according to a new survey of manufacturing companies. The survey by the law firm Fulbright & Jaworski, a leading intellectual-property litigator based in New York and Houston, found that the average U.S. manufacturer currently faces 40 lawsuits. Of those, an average of 18 were initiated in the last year. While product liability remains the largest generator of lawsuits, the survey found that intellectual property disputes are an emerging problem, especially for technology companies. IP and patent lawsuits accounted for an estimated 13 percent of U.S. corporate litigation last year and 16 percent in the U.K. Only contract disputes, labor and employment, personal injury and product liability cases ranked higher than IP lawsuits, the law firm found. One reason litigation is soaring, the survey found, is the emergence of “electronic discovery” techniques, especially in the U.S. “Electronic discovery was the number one new litigation-related issue for companies with revenues over $100 million,” the survey found. “So far, its impact appears to have been felt far less in the U.K. than in the U.S.” Emerging and inexpensive tools for electronic legal research are search engines such as the WaybackMachine that can take researchers to defunct Web sites. Many contain reams of archived material that researchers can search for evidence to be used at trial. “The advent of electronic discovery, coupled with more stringent record keeping requirements, has exponentially added to the burdens imposed by litigation,” Fulbright attorney Robert Owen said in a statement. The U.S. healthcare industry has the largest number of pending lawsuits in the U.S., followed by energy companies and technology and communications companies. The study found that nearly a quarter of U.S. companies, led by technology and communications manufacturers, are spending 2 percent or more of annual gross revenues on legal expenses. IP disputes ranked as the most expensive litigation. http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=172300467
CONGRESS AGREES TO SPLIT OFF DHS CYBERSECURITY UNIT (GOVEXEC.com, 13 Oct 2005) -- Congress has agreed to split the Homeland Security Department division focused on information analysis and infrastructure protection. The move elevates the department’s cybersecurity missions. In the department’s fiscal 2006 spending measure, lawmakers agreed to divide the unit into two new components: the analysis and operations wing and the preparedness directorate. The House and Senate cleared the legislation last week, and President Bush is set to sign it into law Tuesday. Homeland Security Secretary Michael Chertoff proposed the changes in July, after a 90-day review of the department’s organization. He agreed with calls from lawmakers and industry that the cybersecurity division should be removed from information analysis and infrastructure protection and that its director should be made an assistant secretary to focus more resources and attention on cybersecurity. Congress backed the proposal, and the department’s budget next year includes $93 million for the cyber division to continue exercises and outreach with the private and public sectors. The new assistant secretary also is charged with overseeing and coordinating security of the nation’s telecommunication systems. Chertoff finalized the reorganization plan Oct. 1. http://www.govexec.com/story_page.cfm?articleid=32555&printerfriendlyVers=1&
CALLED TO ACCOUNT -- AMERICA’S LOOMING ACCOUNTING CRISIS (The New Republic, 14 Oct 2005; registration required) -- Late last month William McDonough, the departing chair of the Public Company Accounting Oversight Board (PCAOB), addressed a conference on corporate reform sponsored by the American Law Institute and the European Corporate Governance Institute. Needless to say, these sorts of meetings tend to be a little dry, which may be why there were few reporters on hand to hear McDonough’s remarks. It’s a shame, because the man who was tasked in 2003 with overseeing the American accounting industry dropped what, at least in accounting circles, was a nuclear bomb. Addressing the recent settlement between KPMG and the Justice Department over the Big-Four firm’s shady tax-shelter practice, McDonough said that the government had only narrowly avoided an industry meltdown. The case, had it gone through, could have destroyed the firm, and “none of us has a clue what to do if one of the Big Four failed,” he said. Accounting may not be the sexiest profession, but it is arguably the cornerstone of American capitalism. While the government sets the rules about what companies can and can’t do, it is up to accountants to provide evidence that they are in fact following those rules: paying taxes, filing accurate earnings reports, and not, say, siphoning off profits to pay for executive party boats. And there is a limited number of firms capable of doing the sort of work required by Fortune 500 companies--four, to be precise. But as the KPMG case highlights, those same firms are hardly paragons of fiduciary virtue--like any company, they face powerful incentives to cut corners and push envelopes, and in recent years all four have come under scrutiny for either breaking the law or providing substandard reporting. No wonder McDonough resigned his post: The American accounting system, and the economic system it undergirds, is facing a seemingly intractable crisis.
KPMG’s tax shelter settlement--in which the government withdrew its case in exchange for a fine, a curtailment of its tax practice, and the acceptance of government monitoring--is only its latest run-in with the law. Last year, it paid out over $100 million to settle cases in which it stood accused of overlooking fraud by some of its clients. Several of its other clients, including Fannie Mae and Royal Dutch Shell, came under fire for accounting irregularities. [Editor: Accounting for recoverable oil reserves is an important, little-understood issue; Shell and BP practices here recently have been in the news.] And the PCAOB recently released an annual report documenting auditing deficiencies at KPMG--out of 76 audits selected for review, 18 were substandard, some of which were “of such significance that it appeared to the inspection team that the Firm had not, at the time it issued its audit report, obtained sufficient competent evidential matter to support its opinion on the issuer’s financial statements.” In other words, the government found evidence that KPMG was signing off on clients’ financial statements without having a solid idea about what was actually in those statements. http://www.tnr.com/doc.mhtml?pt=3IjNCIyp76IR9gdm5lK6Z3%3D%3D
FAR COUNCIL ISSUES CYBERSECURITY REQUIREMENTS FOR GOVERNMENT CONTRACTS (Steptoe & Johnson’s E-Commerce Law Week, 15 Oct 2005) -- In the wake of the recent flood of data security breaches and network vulnerabilities, the private sector has been holding its breath, waiting to see what, if any, new cybersecurity standards the federal government plans to hold it to. While the government is still in the “mulling” stage when it comes to general cybersecurity requirements for industry, it has now spoken a bit more clearly when it comes to companies that provide information technology (IT) services for the government. On September 30, the Federal Acquisition Regulations (FAR) Council issued an interim rule outlining new steps that federal acquisition workers must take in order to ensure that IT security is incorporated into all purchases of “goods and services” from the private sector. Among other things, the rule stipulates that contracting officers must include cybersecurity requirements in acquisition planning. Although currently only relevant to companies performing government contracts, the rule may also provide a clue as to the shape of any further federal efforts to impose cybersecurity standards on the private sector. The new rule took effect immediately, but the FAR Council will accept public comment until November 29. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=10671&siteId=547 Rule at http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/pdf/05-19468.pdf
PHONE TAP: HOW’S THE TRAFFIC? (Wired, 15 Oct 2005) -- Driving to work, you notice the traffic beginning to slow. And because you have your cell phone on, the government senses the delay, too. A congestion alert is issued, automatically updating electronic road signs and websites and dispatching text messages to mobile phones and auto dashboards. In what would be the largest project of its kind, the Missouri Department of Transportation is finalizing a contract to monitor thousands of cell phones, using their movements to map real-time traffic conditions statewide on all 5,500 miles of major roads. It’s just one of a number of initiatives to more intelligently manage traffic flow through wireless data collection. Officials say there’s no Big Brother agenda in the Missouri project -- the data will remain anonymous, leaving no possibility to track specific people from their driveway to their destination. But privacy advocates are uneasy nonetheless. “Even though it’s anonymous, it’s still ominous,” said Daniel Solove, a privacy law professor at George Washington University and author of The Digital Person. “It troubles me, because it does show this movement toward using a technology to track people.” Cell phone monitoring already is being used by transportation officials in Baltimore, though not yet to relay traffic conditions to the public. Similar projects are getting underway in Norfolk, Virginia, and a stretch of Interstate 75 between Atlanta and Macon, Georgia. But the Missouri project is by far the most aggressive -- tracking wireless phones across the whole state, including in rural areas with lower traffic counts, and for the explicit purpose of relaying the information to other travelers. http://www.wired.com/news/wireless/0,1382,69227,00.html
-- and --
U.S. CELL PHONE TRACKING CLIPPED (Wired, 27 Oct 2005) -- Federal law enforcement attempts to use cell phones as tracking devices were rebuked twice this month by lower court judges, who say the government cannot get real time tracking information on citizens without showing probable cause. This summer, Department of Justice officials separately asked judges from Texas and Long Island, New York to sign off on orders to cellular phone service providers compelling them to turn over phone records and location information -- in real time -- on two different individuals. Both judges rejected the location tracking portion of the request in harshly worded opinions, concluding investigators cannot turn cell phones into tracking devices by simply telling a judge the information is likely “relevant” to an investigation. “When the government seeks to turn a mobile telephone into a means for contemporaneously tracking the movements of its user, the delicately balanced compromise that Congress has forged between effective law enforcement and individual privacy requires a showing of probable cause,” wrote Magistrate Judge James Orenstein of New York in the latest decision Monday. http://www.wired.com/news/technology/0,1282,69390,00.html Decision at http://www.eff.org/legal/cases/USA_v_PenRegister/celltracking_decision.pdf
POWER COMPANIES ENTER THE HIGH-SPEED INTERNET MARKET (New York Times, 17 Oct 2005) -- The idea has been around for years. In Spain and elsewhere in Europe, utility companies have long offered high-speed Internet service to consumers over their power lines. But American utilities are only now beginning to roll out broadband connections on their grid. For Jim Hofstetter, a salesman for Cadbury Schweppes, the food and beverage company, this new option was far better than the high-speed connection he used for years from his local cable provider. “I would never go back now that I have this,” said Mr. Hofstetter, who often works from his home office in the Hyde Park neighborhood of Cincinnati. He pays $30 a month for the service from Current Communications, an Internet service provider, which uses the power lines run by Cinergy, the local utility in Cincinnati. That cost is about $15 cheaper than comparable Internet access from either Cincinnati Bell or Time Warner Cable. The Current service can be piped into any electrical outlet in Mr. Hofstetter’s home, with no reduction in speed even when he, his wife and their three daughters are online at the same time. All that is needed is a baseball-size jack that plugs into the wall and is connected to a computer with an Ethernet cable. Known as broadband over power line, or B.P.L., the service is poised to challenge the cable and phone companies that dominate the high-speed Internet market. Instead of burying cables and rewiring homes, B.P.L. providers use the local power grid, which means that any home with electricity could get the service. For now, the two biggest commercial B.P.L. services in the United States are operated by Current and Cinergy in Cincinnati, and the city of Manassas, Va., which has teamed up with ComTek Communications Technology, another B.P.L. provider. Dozens of other utilities across the country are testing the service and hiring specialists like Current and ComTek to run it. 
While the technology is not new, the home adapters and equipment on telephone poles that transmit data over power lines as radio signals have only recently become affordable enough for companies to start selling the service. http://www.nytimes.com/2005/10/17/technology/17powerlines.html?ex=1287201600&en=bd3ca2a00df70c4a&ei=5090&partner=rssuserland&emc=rss
MESSAGING INSTANTLY AND MORE SECURELY (New York Times, 17 Oct 2005) -- About a third of all instant-messaging accounts on consumer services like AIM and MSN Messenger are used mostly for business, according to a study of the instant-messaging market. “People depend on I.M.,” said Robert Mahowald, an analyst who wrote the study for the technology market research firm IDC. “It’s quick, and you know when somebody’s available.” Mr. Mahowald said problems with consumer instant-messaging had fueled the rise of “enterprise I.M.” software intended for businesses, which currently account for about 17 percent of all instant-message traffic. The software can be integrated with a company’s other systems and is better protected than the consumer version. “It’s more secure,” Mr. Mahowald said. “Your message traffic isn’t floating out on AOL’s server in Dulles, Va. We’ve had a number of instances where I.M. logs have been hacked and the conversations have shown up on the Web, which is very embarrassing to businesses.” http://www.nytimes.com/2005/10/17/technology/17drill.html?ex=1287201600&en=2ac58a6d1da95eef&ei=5090&partner=rssuserland&emc=rss
OPEN-SOURCE SOFTWARE LICENSES PRESENT QUAGMIRE (Law.com, 17 Oct 2005; subscription required) -- According to the Open Source Initiative (OSI), a nonprofit corporation dedicated to managing and promoting open-source software, there are four “classic” open-source licenses. These are the GNU (Gnu’s Not Unix) General Public License (GPL), the GNU Lesser General Public License (LGPL), the Berkeley Software Distribution (BSD) license and the Massachusetts Institute of Technology (MIT) license. Since the open-source release of the Netscape Web browser in 1998, the Mozilla Public License has also become widely used. Many other open-source licenses have been created. Currently, there are 58 open-source licenses approved by OSI, and new open-source licenses can be approved by the OSI by submitting the text of the proposed license along with comments by an attorney making reference to OSI’s 10-part definition of open source. Of all the open-source licenses currently being used, the classic GPL license is the most prevalent. Most components of the popular GNU/Linux system, including the Linux kernel itself and most system utilities and applications, are licensed under the GPL. In addition, leaders in the open-source community have urged developers to use the GPL or GPL-compatible licenses whenever possible. According to a 2002 estimate, about 90% of all open-source software was licensed under the GPL. This article will address the legal and practical risks that users of open-source software might face. Clearly identifying the risks involved with open-source software is a step toward overcoming the fear, uncertainty and doubt that might otherwise discourage its widespread adoption. Due to its prevalence, the focus here will be on the GPL. Many companies find that open-source software components provide high quality at low cost compared to commercial alternatives. This provides the natural incentive to use open-source software as a building block for proprietary products. 
For example, a company may wish to create a special-purpose operating system based on the Linux kernel. However, under the terms of the GPL, a licensee may be required to release its own source code if it distributes or publishes a derivative work based on the GPL-licensed program. Setting aside the obvious questions of when a work is considered “distributed” and “derived” under the terms of the GPL, companies may find themselves in the difficult position of having to either release their proprietary source code to the public or lose the permission to distribute, copy or modify the modified software. [Continues.] http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1129194312375
CAN YOUR PRINTER TELL ON YOU? (Houston Chronicle, 18 Oct 2005) -- It sounds like a conspiracy theory, but it isn’t. The pages coming out of your color printer may contain hidden information that could be used to track you down if you ever cross the U.S. government. Last year, an article in PC World magazine pointed out that printouts from many color laser printers contained yellow dots scattered across the page, viewable only with a special kind of flashlight. The article quoted a senior researcher at Xerox Corp. saying that the dots contain information useful to law-enforcement authorities, a secret digital “license tag” for tracking down criminals. The content of the coded information was supposed to be available only to agencies looking for counterfeiters. Now, the secret is out. Tuesday, the Electronic Frontier Foundation, a consumer privacy group, said it had cracked the code used in a widely used line of Xerox printers, an invisible bar code of sorts that contains the serial number as well as the date and time a page was printed. With the Xerox printers, the information appears as a pattern of yellow dots, visible only with a magnifying glass and a blue light. The EFF said it has identified similar coding on pages printed from nearly every major printer manufacturer, including Hewlett-Packard Co., though its team has so far cracked the codes for only one Xerox model. The U.S. Secret Service acknowledged that the markings, which are not visible to the human eye, are there. “It’s strictly a countermeasure to prevent illegal activity specific to counterfeiting,” agency spokesman Eric Zahren said. http://www.chron.com/cs/CDA/ssistory.mpl/nation/3403012 [Editor: a description of the technique is at http://p2pnet.net/story/6620]
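[Editor: the following is an added illustration, not code from the EFF or from any printer vendor. It models the general technique the story describes, a grid of faint dots carrying the printer serial number and the print date and time, protected by parity so a scan can be checked for damage. The 15x8 grid size and the column assignments below are assumptions chosen for the example; the real Xerox DocuColor layout that the EFF decoded is documented at the p2pnet link above and is not reproduced here.]

```python
"""Toy model of printer tracking dots: a serial number and print timestamp
are packed into a 15x8 grid of dots with row/column parity, then recovered
and parity-checked. The column layout is an ASSUMPTION for this example;
it is not the Xerox DocuColor format the EFF decoded."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ROWS, COLS = 8, 15
# Hypothetical field positions: one 7-bit value per column in rows 1..7.
COL_MINUTE, COL_HOUR, COL_DAY, COL_MONTH, COL_YEAR = 1, 2, 3, 4, 5
SERIAL_COLS = range(6, 14)          # eight decimal digits, one per column
Grid = List[List[int]]              # grid[row][col] == 1 means "dot present"


def _write_column(grid: Grid, col: int, value: int) -> None:
    """Store a 7-bit value top-down in rows 1..7 (MSB in row 1)."""
    if not 0 <= value < 128:
        raise ValueError(f"value {value} does not fit in 7 bits")
    for i in range(7):
        grid[1 + i][col] = (value >> (6 - i)) & 1


def _read_column(grid: Grid, col: int) -> int:
    value = 0
    for i in range(7):
        value = (value << 1) | grid[1 + i][col]
    return value


def encode(serial: str, year: int, month: int, day: int,
           hour: int, minute: int) -> Grid:
    """Build the dot grid that would be printed on one page."""
    if len(serial) != 8 or not serial.isdigit():
        raise ValueError("serial must be eight decimal digits")
    grid = [[0] * COLS for _ in range(ROWS)]
    for col, value in ((COL_MINUTE, minute), (COL_HOUR, hour), (COL_DAY, day),
                       (COL_MONTH, month), (COL_YEAR, year % 100)):
        _write_column(grid, col, value)
    for col, digit in zip(SERIAL_COLS, serial):
        _write_column(grid, col, int(digit))
    # Row 0 holds even parity of each data column; column 0 holds even
    # parity of each row (row 0 included), so every row and every data
    # column contains an even number of dots.
    for col in range(1, COLS):
        grid[0][col] = sum(grid[r][col] for r in range(1, ROWS)) & 1
    for row in range(ROWS):
        grid[row][0] = sum(grid[row][c] for c in range(1, COLS)) & 1
    return grid


def parity_errors(grid: Grid) -> Tuple[List[int], List[int]]:
    """Rows and data columns whose dot count is odd (damaged or misread)."""
    bad_rows = [r for r in range(ROWS) if sum(grid[r]) & 1]
    bad_cols = [c for c in range(1, COLS)
                if sum(grid[r][c] for r in range(ROWS)) & 1]
    return bad_rows, bad_cols


def locate_single_error(grid: Grid) -> Optional[Tuple[int, int]]:
    """Pinpoint one flipped dot from the failing row/column pair.
    None: grid is clean. ValueError: more than one dot is wrong."""
    bad_rows, bad_cols = parity_errors(grid)
    if not bad_rows and not bad_cols:
        return None
    if len(bad_rows) == 1 and len(bad_cols) <= 1:
        return bad_rows[0], (bad_cols[0] if bad_cols else 0)
    raise ValueError(f"uncorrectable: rows {bad_rows}, cols {bad_cols}")


def repair_single_error(grid: Grid) -> Grid:
    """Return a copy with a single flipped dot restored."""
    fixed = [row[:] for row in grid]
    hit = locate_single_error(fixed)
    if hit is not None:
        fixed[hit[0]][hit[1]] ^= 1
    return fixed


def decode(grid: Grid) -> Dict[str, object]:
    """Recover serial and timestamp; parity_ok is False if any check fails."""
    bad_rows, bad_cols = parity_errors(grid)
    try:
        printed = datetime(2000 + _read_column(grid, COL_YEAR),
                           _read_column(grid, COL_MONTH), _read_column(grid, COL_DAY),
                           _read_column(grid, COL_HOUR), _read_column(grid, COL_MINUTE)
                           ).isoformat()
    except ValueError:          # a corrupted field may not be a valid date
        printed = None
    serial = "".join(str(_read_column(grid, c)) for c in SERIAL_COLS)
    return {"serial": serial, "printed": printed,
            "parity_ok": not bad_rows and not bad_cols}


def render(grid: Grid) -> str:
    """ASCII view of the grid, 'o' for a dot, '.' for blank paper."""
    return "\n".join("".join("o" if d else "." for d in row) for row in grid)


if __name__ == "__main__":
    page = encode("12345678", 2005, 10, 18, 14, 37)   # constructed sample
    print(render(page))
    print(decode(page))
    smudged = [row[:] for row in page]
    smudged[3][7] ^= 1                                # simulate scan damage
    print("damaged dot at", locate_single_error(smudged))
    print(decode(repair_single_error(smudged)))
```

The point for a forensic reader is the last part: a single misread dot shows up as exactly one failing row and one failing column, which is enough to correct it, while two or more errors leave the grid untrustworthy, so a decoder should refuse to report a serial number from a page it cannot parity-check.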
ADVISORY BODY CALLS FOR MORE SECURE INTERNET BANKING (Computerworld, 18 Oct 2005) -- A federal advisory body with broad regulatory powers over banks today issued new guidelines aimed at improving security in Internet-based banking and financial services. The Federal Financial Institutions Examination Council (FFIEC) updated its guidance for how financial institutions should plan to authenticate customers’ online identities by the end of next year. The FFIEC said authentication of a customer via simple password and ID alone is “inadequate for high-risk transactions involving access to customer information or the movement of funds to other partners.” The updated guidelines are titled “Authentication in an Internet Banking Environment” and were issued due to concerns about phishing, identity theft and online fraud, the group said. http://www.computerworld.com/printthis/2005/0,4814,105519,00.html Guidelines at http://www.ffiec.gov/pdf/authentication_guidance.pdf
MAJOR BOOK PUBLISHERS SUE GOOGLE (Information Week, 19 Oct 2005) -- Google Inc. on Wednesday was sued by a major publishing association for digitizing library books without the permissions of copyright holders, the second such suit filed against the search engine giant. The Association of American Publishers, based in Washington, D.C., sued the Mountain View, Calif., company on behalf of members The McGraw-Hill Companies, Pearson Education, Penguin Group (USA), Simon & Schuster and John Wiley & Sons. The suit seeks a court declaration that Google infringes the rights of copyright holders when it scans entire books and stores the digitized versions in its massive database. The trade group also wants a court order requiring Google to first obtain permission from copyright holders. Patricia Schroeder, AAP president and a former Colorado congresswoman, said the suit was filed after talks broke down. The AAP had proposed that Google use each book’s unique ID number to determine if the work is under copyright, and then seek permission from the book’s owner. For more than 30 years, most books have carried an ISBN identification number, which is machine readable. Google, according to Schroeder, refused. “If Google can scan every book in the English language, surely they can utilize ISBNs,” Schroeder said in a statement. “By rejecting the reasonable ISBN solution, Google left our members no choice but to file this suit.” While not mentioning the negotiations, Google said in a statement that the project is an “historic effort to make millions of books easier for people to find and buy.” “Creating an easy to use index of books is fair use under copyright law and supports the purpose of copyright: to increase the awareness and sales of books directly benefiting copyright holders,” Google said. 
“This short-sighted attempt to block Google Print works counter to the interests of not just the world’s readers, but also the world’s authors and publishers.” http://www.informationweek.com/story/showArticle.jhtml?articleID=172302588 Complaint at http://www.publishers.org/press/pdf/40%20McGraw-Hill%20v.%20Google.pdf
-- and --
SEARCH OR SEIZURE? (Bag and Baggage, 26 Oct 2005) -- Whenever possible over the last week, I’ve been making my way through some of the avalanche of background materials and commentary concerning the two Google Print (or more specifically, Google Library) lawsuits now pending in the Southern District of New York (one brought by the Authors Guild and three individual plaintiffs, and the most recent, filed last week, brought by five publishers). Charles W. Bailey, Jr.’s extensive bibliography is an excellent starting point if you too are seeking to better comprehend what is at stake and the potential outcomes. I agree with John Battelle that this shapes up as a long and hard fought battle with ripple (or perhaps tidal wave) effects extending into many areas beyond text search. I also agree with the commentators who suspect one or both of these cases will travel through the docket of the U.S. Supreme Court before they see the finish line. In these initial stages of the proceedings, the plaintiffs and their advocates appear to be putting all their chips on the square marked “Second Circuit’s narrow interpretation of commercial fair use.” There is no telling how that gamble will pay off, or how the Supreme Court will respond if it does, but the following points are likely to be important along the way. http://bgbg.blogspot.com/2005/10/search-or-seizure.html
RECRUITMENT TOOL TARGETED (Washington Post, 19 Oct 2005) -- A national coalition of parents groups, privacy advocates and community organizations is launching a campaign today to dismantle a database of high school and college students built by the Pentagon to help target potential military recruits. In a letter being sent today to Defense Secretary Donald H. Rumsfeld, more than 100 groups charge that the database violates federal privacy laws and is collecting demographic and other personal information on young Americans that could be misused by the government and the marketing firms handling the program. “We are not in opposition to those who choose to serve in the U.S. Armed Forces,” said a draft of the letter asking that the program be shut down. But “the creation of the . . . database is in conflict with the Privacy Act, which was passed by Congress to reduce the government’s collection of personal information on Americans.” The military, which is struggling to meet recruiting goals, argues that the effort is grounded in law and is essential to maintaining strong, all-volunteer armed forces. The Pentagon is on track to spend $342.9 million on the controversial Joint Advertising, Market Research and Studies program. The effort seeks to help recruiters discover and reach more potential enlistees and to develop advertising aimed at those who typically influence young people, including parents, coaches and teachers. The money is being spent through a single contract with Mullen Advertising Inc. of Wenham, Mass., that began in 2002 and can be renewed annually until January 2007. So far, the Pentagon has spent $206.3 million, according to a military spokeswoman. Under a subcontract with Mullen, BeNow Inc., a Wakefield, Mass., firm that specializes in gathering and analyzing personal information for target marketing, is compiling and maintaining the database. BeNow has since been acquired by Equifax Inc., one of the nation’s top credit bureaus and data brokers. 
The Pentagon program was little known until June, when the military issued a privacy notice that it was buying lists of all high school and college students to create a database that included birth dates, Social Security numbers, e-mail addresses, grade-point averages, ethnicity and what subjects the students are studying. http://www.washingtonpost.com/wp-dyn/content/article/2005/10/17/AR2005101701529.html [Editor: EPIC played a key role in bringing this story to fruition – www.epic.org. MIRLN 8.08 carried an early story -- http://www.vip-law.com/mirln808.htm]
CONSTITUTION OF THE UNITED STATES: BROWSE (GPO, 20 Oct 2005) -- The Constitution of the United States of America, Analysis and Interpretation: Analysis of Cases Decided by the Supreme Court of the United States is available in a series of browseable tables. http://www.gpoaccess.gov/constitution/browse.html
NET PIRATES WILL FACE STIFFER PUNISHMENT (CNET, 20 Oct 2005) -- Internet pirates with prerelease movies in their shared folders will face stiffer federal penalties starting Monday. The U.S. Sentencing Commission on Wednesday approved an emergency set of rules that would boost prison sentences by roughly 40 percent for people convicted of peer-to-peer infringement of copyright works “being prepared for commercial distribution.” The changes also say judges may “estimate” the number of files shared for purposes of determining the appropriate fine and sentence. Larger numbers typically yield longer sentences. This week’s sentencing adjustments arose from a law that President Bush signed in April called the Family Entertainment and Copyright Act. It gave the commission 180 days to revisit its rules to make them “sufficiently stringent to deter, and adequately reflect the nature of, intellectual property rights crimes.” http://news.com.com/2100-1028_3-5905183.html
LAB COMPUTER SIMULATES RIBOSOME IN MOTION (CNET, 21 Oct 2005) -- Using a computer to simulate the interaction of 2.6 million atoms, Los Alamos National Laboratory researchers have recreated a tiny slice of one of the most fundamental genetic processes of life. The lab simulated how a cellular machine called a ribosome follows genetic instructions to construct a complex molecule called a protein out of building blocks called amino acids. With 768 processors of LANL’s 8,192-processor ASCI Q machine running for about 260 days, the researchers created a movie of the process. Previous views had shown only static snapshots. “Experiments have been able to come up with snapshots of the ribosome. We’re trying to create a movie of what happens between those snapshots,” said Kevin Sanbonmatsu, a molecular biologist and the project’s principal investigator. The movies could be significant for research into antibiotic medicines. Antibiotics work by gumming up the ribosomes, and a movie showing a ribosome’s function could show a larger range of targets than static images, he said. The task wasn’t simple. Researchers had to model the physical interactions of each of 2.64 million atoms--about 250,000 in the ribosome itself, but most for water molecules inside and outside it. The simulation resulted in a movie that is 20 million frames long, he said. In reality, however, the ribosome behavior that they simulated takes only 2 nanoseconds, or 2 billionths of a second--too short to even be labeled as “fleeting.” http://news.com.com/Lab+computer+simulates+ribosome+in+motion/2100-11395_3-5907401.html?tag=nefd.hed
E-VOTING WON’T BE VERIFIED UNTIL 2006 (CNET, 21 Oct 2005) -- Electronic voting systems aren’t likely to be sufficiently secure even by the 2006 elections, government auditors warned Friday. Existing systems are rife with problems, the Government Accountability Office said in a 107-page document. The list of vulnerabilities included everything from easily-guessed administrator passwords and voter-verified paper-trail design flaws, to incorrect software installation and system failures on Election Day. The Election Assistance Commission, created in 2002 to help states and localities implement e-voting systems, has neglected to lay out a clear timeline for addressing those problems, the report said. It also says that it’s unrealistic to expect anything to change by next fall. Even as a dozen or more non-governmental groups have begun drafting their own standards, federal agencies are still in the process of writing their own voluntary guidelines for voting systems and procedures for certifying them, the GAO determined. The agencies are slated for early 2007 to determine if the laboratories designed to examine voting equipment are fit to do so, but the agencies haven’t started yet. They also haven’t set up a proper “clearinghouse” where election officials can share problems they’ve had with the voting systems. The agencies also haven’t updated the national reference library for voting system software--intended to help state and local election officials ensure they’re running the proper software on their machines--since the 2004 elections. http://news.com.com/E-voting+wont+be+verified+until+2006/2100-1028_3-5907036.html?tag=nefd.top GAO Report at http://reform.house.gov/UploadedFiles/GAO-05-956.pdf
WORKING THROUGH A THICKET OF E-DISCOVERY RULES (ABA Journal, 21 Oct 2005) -- The amendments to the Federal Rules of Civil Procedure dealing with electronic discovery, expected to become law in December of next year, will add to layers of regulation that already seek to govern electronic information. Administrative agency regulations and state and federal laws also address preservation of electronic documents. The result is confusion for businesses faced with the challenge of devising a system of creation, storage, retrieval, copying and destruction of such information. The rules are not always harmonious. In proposed Rule 37(f), the so-called “safe harbor” rule, a party shall not be sanctioned for a loss of electronically stored information if the loss occurs in the course of “good faith” operation. But for investment professionals, the Securities and Exchange Commission mandates the retention of all “communications” for three years. The cautionary tale of what can happen when e-mails go missing is the $1.5 billion verdict entered against Morgan Stanley & Co. in two judgments in March and May. Now the investment banking behemoth may face millions of dollars more in fines from the SEC. The case began back in 1998 when Morgan Stanley served as financial adviser to Sunbeam Corp. in the latter’s acquisition of the Coleman Co., the camping equipment company. A major part of the purchase price was Sunbeam stock, the value of which later collapsed in the wake of accounting fraud at the Florida appliance manufacturer. Coleman’s parent sued Morgan Stanley, alleging the firm knew about the accounting fraud at Sunbeam and failed to disclose material information. In an amended complaint, Coleman accused Morgan Stanley of aiding and abetting as well as conspiring with Sunbeam to commit a fraud. By 2003, Coleman requested all of Morgan Stanley’s e-mails about the Sunbeam deal, and when few records were produced, a full-scale investigation ensued. 
Over the next 12 months, Morgan Stanley was forced to admit in one round of embarrassing discoveries after another the existence of thousands of e-mail backup tapes in offices, storage facilities and a security room. The Florida trial court threw the “death penalty” at Morgan Stanley in a March 23 order granting a partial default judgment. http://www.abanet.org/journal/ereport/oc21email.html
GOOGLE ARGUES NEWS HEADLINES ARE NOT COPYRIGHTABLE (BNA’s Internet Law News, 27 Oct 2005) -- BNA’s Electronic Commerce & Law Report reports that Google has argued that news headlines that are purely factual and merely ten words long lack sufficient originality to preclude others from copying them. The argument comes in a brief filed in the Agence France Presse v. Google litigation. Google is seeking dismissal of Agence France Presse’s claim that Google is infringing its copyrights by copying AFP news headlines for reuse on Google’s news aggregation sites. Article at http://pubs.bna.com/ip/BNA/eip.nsf/is/a0b1v5g6d1
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.