Friday, December 30, 2005

MIRLN -- Misc. IT Related Legal News [11 - 31 Dec 2005; v8.16]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of KnowConnect, Inc. (www.knowconnect.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

LAW FIRMS NOT LIABLE IN ALLEGED WEB HACKING CASE (Law.com, 9 Dec 2005) -- Two law firms that allegedly surreptitiously accessed the password-protected Web site of an expert witness in order to show a judge that the witness violated a gag order cannot be held liable under the Digital Millennium Copyright Act. A District of Columbia federal judge has dismissed the suit by Boston occupational illness expert Dr. David Egilman, who accused the law firms Jones Day and Keller & Heckman of Washington, and Keller attorney Douglas Behr, of misappropriating his protected work. Egilman accused the Keller firm and Behr of hacking into his Web site by acquiring a password and sharing it with Jones Day lawyers in the midst of a 2001 landmark Colorado state toxics trial. Egilman had testified on behalf of the first four of 50 workers at Rocky Flats nuclear weapons plant who unsuccessfully claimed that the federal government colluded with the world’s largest beryllium maker, Brush Wellman Inc., to hide the health dangers of the metallic element. Despite a broad gag order by a Colorado state court judge, Frank Plaut, in Ballinger v. Brush Wellman Inc., No. 96-CV-2532, Egilman had posted critical material about Jones Day and Brush Wellman on his password-protected Web site in what Plaut ruled was a violation of the gag order. Plaut ordered jurors to disregard Egilman’s testimony as a sanction after learning from Jones Day that the posting included accusations of potential illegal conduct by Jones Day, and allegations that a Brush Wellman medical doctor was educated in Nazi Germany, according to press accounts at the time. Egilman, who has testified in dozens of toxics trials and was the expert in the recent Texas Vioxx trial that resulted in a $253 million verdict, limited Web site access to his staff and his Brown University students. 
He posted uncensored information on occupational illness and related litigation, including previously confidential corporate internal documents related to many toxic torts. Egilman sued Jones Day and Keller & Heckman, first in Texas and later in the District of Columbia, saying that his reputation was besmirched and his effectiveness compromised. He argued that the law firms and Behr circumvented measures installed to deny access to his copyright-protected work on the Web site, in violation of the 1978 Digital Millennium Copyright Act. U.S. District Judge Henry Kennedy Jr. in D.C. ruled that obtaining a username and password from a third party that has authorized access does not violate the DMCA. Kennedy cited the only other court to rule on improper use of a legitimate password, holding that gaining access to a third party’s legitimate password is not the same as hacking. http://www.law.com/jsp/printerfriendly.jsp?c=LawArticle&t=PrinterFriendlyArticle&cid=1134036310706

FTC HARE CONTINUES TO SPEED AHEAD OF CONGRESSIONAL TORTOISE ON INFORMATION SECURITY REGULATION (Steptoe & Johnson’s E-Commerce Law Week, 10 Dec 2005) -- When it comes to regulating industry information security practices, Congress and the Federal Trade Commission (“FTC”) seem to be reenacting Aesop’s fable of the tortoise and the hare. While Congress plods methodically along with various security-related bills, with nothing likely to be enacted before year’s end, the FTC continues to race ahead, setting de facto security standards for industry through enforcement actions based on its general authority to prevent “unfair . . . acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). On December 1, shoe retailer DSW, Inc., settled FTC charges that the company’s data security failures earlier this year -- which had allowed hackers to access the credit card, debit card information of more than 1.4 million consumers and the checking account information of 96,000 customers -- constituted an “unfair practice.” Notably, the case marks only the second time that the FTC has based a data security enforcement action on the FTC Act’s “unfairness” prong (the first being the Commission’s action against BJ’s Wholesalers this past June). In previous security breach cases, the FTC had based its allegations on the “deceptive practices” prong of the Act -- targeting, for instance, companies that failed to follow their own privacy policies, and thus allegedly deceived customers. The DSW case, like the BJ’s case before it, demonstrates the FTC’s continuing willingness to take action against companies that do not have a specific statutory obligation to safeguard personal information and have never promised customers that their personal information would be secure in the first place. In Aesop’s fable, the hare gets bored and falls asleep while the tortoise crosses the finish line. 
But the FTC is not likely to stop racing ahead unless and until a company refuses to settle and challenges the FTC’s statutory authority. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11414&siteId=547

D.C. CIRCUIT NARROWS FTC’S JURISDICTION UNDER GRAMM-LEACH-BLILEY (Steptoe & Johnson’s E-Commerce Law Week, 10 Dec 2005) -- Hear that wind blowing outside? No, it’s not another winter storm. It’s the entire legal profession breathing a collective sigh of relief, as it avoids the FTC’s jurisdictional claws under the Gramm Leach Bliley Act (GLBA). On December 6, the U.S. Court of Appeals for the D.C. Circuit rejected the FTC’s claim of jurisdiction under the GLBA to regulate law firms as “financial institutions.” American Bar Ass’n v. FTC (No. 04-5257). The appeals court affirmed a district court ruling that the FTC’s decision to subject attorneys to GLBA privacy requirements “exceeded the statutory authority” of the FTC and “was therefore invalid as a matter of law.” This ruling represents a rare defeat for the FTC in a jurisdictional challenge, and provides a useful reminder that there are indeed limits to the types of activities and entities that are covered by the GLBA. The D.C. Circuit’s decision also could bode well for any companies that muster the intestinal fortitude to challenge the FTC’s assertion of jurisdiction in other areas, such as its claim that it can effectively enact and enforce industry information security standards under the “unfair practices” prong of the FTC Act (as discussed above). The American Bar Association case, though not directly relevant to that issue, illustrates just how to frame a successful jurisdictional challenge. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11414&siteId=547

ARIZ. TOWN WILL GO WALL-TO-WALL WIRELESS (AP, 11 Dec 2005) -- Call it a municipal status symbol in the digital age: a city blanketed by a wireless Internet network, accessible at competitive prices throughout the town’s homes, cafes, offices and parks. Tempe, the Phoenix suburb that is home to Arizona State University, is due to have wireless Internet available for all of its 160,000 residents in February, becoming the first city of its size in the United States to have Wi-Fi throughout. Tempe officials hope that by making high-speed Internet as accessible as water or electricity across its 40 square miles, it will attract more technology and biotech companies — and the young, upwardly mobile employees they bring. An increasing number of the nation’s cities are looking at using Internet access as an economic development tool. Few cities have gotten as far as installing systems, “but most cities are realizing that it may be something that they want to do,” said Cheryl Leanza, legislative counsel for the National League of Cities. Philadelphia is developing a citywide high-speed system with EarthLink Inc. Unlike Philly or Tempe, New Orleans is building a free system, though the network speed will be limited. The Tempe network is being installed by NeoReach Wireless, a subsidiary of Bethesda, Md.-based MobilePro Corp. Roughly 400 antenna boxes mounted on light poles throughout the city will be used to stitch together the network, to which NeoReach will sell access, primarily through other providers. The network uses a so-called “mesh” setup, meaning it passes wireless signals from pole to pole and automatically reroutes transmissions if one of the transmitters breaks down. Speeds will vary depending on the number of users logged into the same access point. The network is strong enough only to be picked up outdoors or through one wall, meaning those who want service in their businesses or homes will need a box that serves as a signal booster and router. 
The city of Tempe gave the company access to its light poles in exchange for use of the network in transmitting data to and from city offices and vehicles, said Karrie Rockwell, a spokeswoman for NeoReach. Two hours of free access each day also will be available for Internet users on the Arizona State campus or the nearby Mill Avenue retail district, where the network began a year ago as a pilot project and has proven popular. Robert Jenkins, 50, sits at a coffee house on Mill Avenue a couple of times a week with his laptop, downloading larger files that take too long at home when he uses his mobile phone to access the Internet. NeoReach will directly sell service to outdoor users for $3.95 per hour or $29.95 per month. The resellers of NeoReach access have not yet announced pricing, but Rockwell said it will be cheaper than DSL or cable Internet access. Cable operator Cox Communications Inc. charges $49.95 per month for customers who don’t get Cox phone or TV service. Qwest Communications International Inc. charges $44.99 and $54.99 per month, depending on the speed. Tempe signed a contract with NeoReach after asking for bids — which prevented it from having to start its own utility and probably quelled potential objections to the city’s involvement in a WiFi network. http://news.yahoo.com/s/ap/20051211/ap_on_hi_te/wireless_city

EMPLOYEES LEAKING TRADE SECRETS VIA EMAIL: LACK OF CORPORATE POLICY REACHES WORRYING PROPORTIONS (VNUNet, 12 Dec 2005) -- A study by market research firm Radicati Group has shown that over one in 20 employees has sent company secrets to third parties via email. The Corporate Email User Habits study found that a quarter of those surveyed had forwarded corporate email to their personal accounts for later use, and nearly two thirds use their personal email for company business. “While six per cent may seem like a small number, in a 10,000-user organisation it translates to 600 employees leaking intellectual property,” said Sara Radicati, president of the Radicati Group. “Companies should take a hard look at educating their workforce on its official email policy, and put in place outbound filtering and monitoring technology that can block confidential or sensitive emails before they leave the corporate network, as well as report violations.” Only 22 per cent of companies surveyed had any policy on monitoring outgoing mail, and only half had any kind of internal policy regarding email use. http://www.vnunet.com/vnunet/news/2147460/employees-weakest-link Study at http://www.mirapoint.com/pdfs/whitepapers/End-User-Study-on-Email-Hygiene.pdf ABA’s “Employee Use of the Internet and E-Mail: A Model Corporate Policy With Commentary on Its Use in the U.S. and Other Countries” (shameless plug—I was co-editor) at http://www.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5070395

-- and --

FIRMS COUNT THE COST OF SECURITY THREATS (ElectronicNews.net, 12 Dec 2005) -- According to the State of Information Security 2005 report from PricewaterhouseCoopers and CIO Magazine, not only are security-related events up 22.4 percent on last year’s figures, but the number of organisations reporting financial losses as a result of the attacks is also surging. Twenty-two percent of companies said they had been hit financially, compared with last year’s 7 percent. But despite the growing security threat to businesses, only 37 percent of respondents have a security plan in place, with only 24 percent saying that they expected to develop one in the coming year. However, organisations with a chief information security officer (CISO) or chief security officer (CSO) fare a little better, with 62 percent implementing a security plan. More companies are employing a CISO or CSO, with 40 percent of respondents in the survey having one on the payroll compared with 31 percent in 2004. Security spending is slightly increasing to compensate for the growing threat, accounting for 13 percent of an organisation’s IT budget this year, compared with 11 percent last year. Malicious hackers are the top culprits to carry out the attacks, with 63 percent of events attributed to them compared with 66 percent last year. However, the number of employee-related attacks is also up, at 33 percent compared with 2004’s 28 percent. Former employees remain a likely source of the security threats, representing 20 percent of events. Meanwhile, computer viruses still top the charts as the most common type of attack, rising to 59 percent of attacks from 53 percent the previous year. http://www.enn.ie/frontpage/news-9658009.html

MICHIGAN CONSIDERS REQUIRING HIGH-SCHOOL STUDENTS TO TAKE AT LEAST ONE ONLINE COURSE (Chronicle of Higher Education, 13 Dec 2005) -- The Michigan State Board of Education is set to approve a new graduation requirement today that would make every high-school student in the state take at least one online course before receiving a diploma. The new requirement would appear to be the first of its kind in the nation. Mike Flanagan, the Michigan state superintendent of public instruction, said he proposed the online-course requirement, along with other general requirements, to make sure students were prepared for college and for jobs, which are becoming more technology-focused. While most high-school students are adept at using the Internet, Mr. Flanagan said, few of them take courses online. But today’s high-school students are increasingly likely to encounter online courses as more colleges turn to online education, he said. The online-education proposal is included with several other proposed statewide requirements -- including four years of English courses, three years of mathematics, and three years of science. Currently, the only state-required course for graduation in Michigan is a one-semester class in civics, although many of the state’s local school districts have much tougher requirements. If the state Board of Education approves the proposals, they will still need the assent of both the State Legislature and the governor. Mr. Flanagan said he already had strong support for the online proposal in the Legislature. http://chronicle.com/free/2005/12/2005121301t.htm

EUROPEAN REPORT FINDS LITTLE IMPACT FROM DATABASE DIRECTIVE (BNA’s Internet Law News, 14 Dec 2005) -- The EU DG Internal Market and Services has published an evaluation report on the EU’s Database Directive. The report acknowledges that the directive “has had no proven impact on the production of databases” and that the evidence casts doubt on the necessity of the database protection for a thriving database industry. Report at http://europa.eu.int/comm/internal_market/copyright/docs/databases/evaluation_report_en.pdf

EU PARLIAMENT ADOPTS ANTI-TERRORISM DATA RULES (Reuters, 14 Dec 2005) -- The European Parliament on Wednesday adopted new rules drawn up by the European Union to store phone and Internet data for up to two years to fight terrorism and other serious crime. But some EU lawmakers criticised the assembly saying it had caved in to pressure from member states, and arguing that the new rules would allow authorities to do what they wanted with the data. The parliament voted by 378 to 197 with 30 abstentions for a package already agreed between the assembly’s two biggest groups and member states, with European Commission backing. Earlier this month, Britain secured a deal among the EU’s 25 member states that would force telecommunications companies to store data for between six and 24 months. The rules, proposed by the European Commission in September, are part of the EU’s response to attacks in Madrid in 2004 and London this year. The version adopted on Wednesday is tougher than that recommended by the parliament’s civil liberties committee which wanted the data to be stored for one year. The committee’s recommendation was by-passed by the deal struck between member states and the assembly’s right-wing European People’s Party and socialists. The new rules still need to be formally approved by EU member states. Telecom firms have warned that the new rules will be costly to implement, but lawmakers and member states ditched a European Commission proposal that member states pay for extra data storage costs. http://uk.news.yahoo.com/14122005/80/eu-parliament-adopts-anti-terrorism-data-rules.html

IS THE PENTAGON SPYING ON AMERICANS? (MSNBC, 13 Dec 2005) -- A year ago, at a Quaker Meeting House in Lake Worth, Fla., a small group of activists met to plan a protest of military recruiting at local high schools. What they didn’t know was that their meeting had come to the attention of the U.S. military. A secret 400-page Defense Department document obtained by NBC News lists the Lake Worth meeting as a “threat” and one of more than 1,500 “suspicious incidents” across the country over a recent 10-month period. The Defense Department document is the first inside look at how the U.S. military has stepped up intelligence collection inside this country since 9/11, which now includes the monitoring of peaceful anti-war and counter-military recruitment groups. “I think Americans should be concerned that the military, in fact, has reached too far,” says NBC News military analyst Bill Arkin. The Department of Defense declined repeated requests by NBC News for an interview. A spokesman said that all domestic intelligence information is “properly collected” and involves “protection of Defense Department installations, interests and personnel.” The military has always had a legitimate “force protection” mission inside the U.S. to protect its personnel and facilities from potential violence. But the Pentagon now collects domestic intelligence that goes beyond legitimate concerns about terrorism or protecting U.S. military installations, say critics. The DOD database obtained by NBC News includes nearly four dozen anti-war meetings or protests, including some that have taken place far from any military installation, post or recruitment center. One “incident” included in the database is a large anti-war protest at Hollywood and Vine in Los Angeles last March that included effigies of President Bush and anti-war protest banners. 
Another incident mentions a planned protest against military recruiters last December in Boston and a planned protest last April at McDonald’s National Salute to America’s Heroes — a military air and sea show in Fort Lauderdale, Fla. The Fort Lauderdale protest was deemed not to be a credible threat and a column in the database concludes: “US group exercising constitutional rights.” Two-hundred and forty-three other incidents in the database were discounted because they had no connection to the Department of Defense — yet they all remained in the database. The DOD has strict guidelines, adopted in December 1982, that limit the extent to which they can collect and retain information on U.S. citizens. Still, the DOD database includes at least 20 references to U.S. citizens or U.S. persons. Other documents obtained by NBC News show that the Defense Department is clearly increasing its domestic monitoring activities. One DOD briefing document stamped “secret” concludes: “[W]e have noted increased communication and encouragement between protest groups using the [I]nternet,” but no “significant connection” between incidents, such as “reoccurring instigators at protests” or “vehicle descriptions.” http://msnbc.msn.com/id/10454316/print/1/displaymode/1098/ DOD Guidelines at http://msnbcmedia.msn.com/i/msnbc/sections/news/DOD.1982.IntelligenceCollectionOnU.S.Persons.pdf

-- and --

PENTAGON WILL REVIEW DATABASE ON U.S. CITIZENS (Washington Post, 15 Dec 2005) -- Pentagon officials said yesterday they had ordered a review of a program aimed at countering terrorist attacks that had compiled information about U.S. citizens, after reports that the database included information on peace protesters and others whose activities posed no threat and should not have been kept on file. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/14/AR2005121402528.html

BETTING ON BIRD FLU (Salon, 13 Dec 2005) -- On Nov. 1, Intrade, a Web site that allows people to bet on the likelihood of future events, issued a press release titled “Trading on Bird Flu -- 65% probability of U.S. case by March 2006!” The release announced that the trading activity on the exchange’s bird flu contracts -- offering savvy “investors” a chance to gamble on when the first strain of the deadly H5N1 will be confirmed in the United States -- had doubled in the last month. The report, put out by Intrade P.R. executive Mike Knesevitch, ended with an ominous, sobering claim: “Can these markets give us insight into global events like pandemics, hurricanes and politics? In the short history Intrade has put together, the answer is YES.” If these predictive markets are as startlingly accurate as they say, this spring the U.S. will get its first case of bird flu and some of us may die. Intrade launched its two bird flu contracts -- one predicting that the potentially deadly, pandemic-causing Asian bird flu will hit the U.S. in December, the other that it will hit in March -- on Oct. 18. (The December contract is now trading at 6, meaning the market is currently predicting a 6 percent chance of the flu hitting the U.S. on or before Dec. 31, the March at 29.6.) Now, with close to $34,000 worth of investor money wrapped up in them, the bird flu contracts are among the most popular on the futures markets site, and company spokesman Brian Keating says he expects betting on the bird flu only to increase as the contracts’ closing dates -- Dec. 31 and March 31, respectively -- approach and as more cases of the bird flu crop up around the world. Contracts on the Intrade exchange can be bought or sold between other members, just as with any other stock exchange, but if an investor chooses to hold on to a contract price until closing, that investor can lose the entire amount invested -- or make a tidy profit. 
In the five years since its inception, Intrade has been accurate in predicting elections, the new pope, the impact of Hurricane Katrina, and the capture of Saddam Hussein. A recent example occurred on Oct. 21 with Supreme Court nominee Harriet Miers’ confirmation contract. At approximately 8:30 that morning, traders monitoring the Harriet Miers confirmation process began aggressively selling contracts betting against her confirmation -- dropping her stock price 42 points in early trading. The following Thursday, Miers withdrew her nomination from the high court. The Intrade market allows, even thrives, on insider information. Knesevitch confirms that a lot of the market’s members work for government entities and often have the ability to move the market on national events well before news of them has filtered through the media. Dave Saigel, from the Centers for Disease Control, who says he was not aware of the bird flu market, concedes that it might be a useful prediction tool -- and may also help build awareness of the dangers of the disease and its spread. What’s more, he says, the markets have “picked great months for their contracts. December and March are prime flu months.” Jack Marshall, president of Pro Ethics, a consulting firm used to educate organizations on ethical dilemmas in the workplace, agrees that futures markets -- and betting on things like the bird flu -- may be more beneficial than hurtful to society. “It would be different if, say, after 9/11 people are betting on where the next person’s remains would be found, but this is far less sinister than that,” he says. “In postmodernist America we have a black humor and a detachment from a lot of catastrophe anyway. Betting on an abstract event, buying futures in abstraction doesn’t necessarily make things any worse.” Marshall argues that even the New York Stock Exchange allows people to profit from other people’s misery. 
And Marshall says he loves the whole “wisdom of crowds” aspect of futures markets. He says these types of markets offer valid projections about events and do so without any sort of bias -- and he finds more credibility in these markets than any kind of scientific facts. http://www.salon.com/ent/feature/2005/12/13/birdflu/

BEIJING CASTS NET OF SILENCE OVER PROTEST (New York Times, 14 Dec 2005) -- One week after the police violently suppressed a demonstration against the construction of a power plant in China, leaving as many as 20 people dead, an overwhelming majority of the Chinese public still knows nothing of the event. In the wake of the biggest use of armed force against civilians since the Tiananmen massacre in 1989, Chinese officials have used a variety of techniques - from barring reports in most newspapers outside the immediate region to banning place names and other keywords associated with the event from major Internet search engines, like Google - to prevent news of the deaths from spreading. Beijing’s handling of news about the incident, which was widely reported internationally, provides a revealing picture of the government’s ambitions to control the flow of information to its citizens, and of the increasingly sophisticated techniques - a combination of old-fashioned authoritarian methods and the latest Internet technologies - that it uses to keep people in the dark. http://www.nytimes.com/2005/12/14/international/asia/14china.html?ex=1292216400&en=fe07535b1db7c3a1&ei=5090&partner=rssuserland&emc=rss

BUSH LETS U.S. SPY ON CALLERS WITHOUT COURTS (New York Times, 16 Dec 2005) -- Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials. Under a presidential order signed in 2002, the intelligence agency has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible “dirty numbers” linked to Al Qaeda, the officials said. The agency, they said, still seeks warrants to monitor entirely domestic communications. The previously undisclosed decision to permit some eavesdropping inside the country without court approval was a major shift in American intelligence-gathering practices, particularly for the National Security Agency, whose mission is to spy on communications abroad. As a result, some officials familiar with the continuing operation have questioned whether the surveillance has stretched, if not crossed, constitutional limits on legal searches. “This is really a sea change,” said a former senior official who specializes in national security law. “It’s almost a mainstay of this country that the N.S.A. only does foreign searches.” Nearly a dozen current and former officials, who were granted anonymity because of the classified nature of the program, discussed it with reporters for The New York Times because of their concerns about the operation’s legality and oversight. The White House asked The New York Times not to publish this article, arguing that it could jeopardize continuing investigations and alert would-be terrorists that they might be under scrutiny. 
After meeting with senior administration officials to hear their concerns, the newspaper delayed publication for a year to conduct additional reporting. http://select.nytimes.com/gst/abstract.html?res=F00F1FFF3D540C758DDDAB0994DD404482 [Editor: This is the story-of-the-decade for me; separation of powers and Article II supremacy. I’m astounded that the Times sat on it for a year. Reminds me of a senior DOD lawyer who carries a copy of the Constitution in his suit coat pocket, and pulls it out several times a day to cite Article II authority, as if there weren’t two centuries of statutory, regulatory, and case-law gloss.] Related story at http://www.salon.com/news/feature/2005/12/23/bamford/print.html ; interesting legal analysis/blog at http://balkin.blogspot.com/#113526050457460564.

-- but --

OUR DOMESTIC INTELLIGENCE CRISIS (by Judge Richard Posner, Washington Post, 21 Dec 2005) -- We’ve learned that the Defense Department is deeply involved in domestic intelligence (intelligence concerning threats to national security that unfold on U.S. soil). The department’s National Security Agency has been conducting, outside the framework of the Foreign Intelligence Surveillance Act, electronic surveillance of U.S. citizens within the United States. Other Pentagon agencies, notably the one known as Counterintelligence Field Activity (CIFA), have, as described in Walter Pincus’s recent articles in The Post, been conducting domestic intelligence on a large scale. Although the CIFA’s formal mission is to prevent attacks on military installations in the United States, the scale of its activities suggests a broader concern with domestic security. Other Pentagon agencies have gotten into the domestic intelligence act, such as the Information Dominance Center, which developed the Able Danger data-mining program. These programs are criticized as grave threats to civil liberties. They are not. Their significance is in flagging the existence of gaps in our defenses against terrorism. The Defense Department is rushing to fill those gaps, though there may be better ways. The collection, mainly through electronic means, of vast amounts of personal data is said to invade privacy. But machine collection and processing of data cannot, as such, invade privacy. Because of their volume, the data are first sifted by computers, which search for names, addresses, phone numbers, etc., that may have intelligence value. This initial sifting, far from invading privacy (a computer is not a sentient being), keeps most private data from being read by any intelligence officer. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/20/AR2005122001053.html

CAN-SPAM WORKING - FTC (The Register, 21 Dec 2005) -- Legal action and email filtering are helping to minimise the nuisance of spam, according to US federal regulators. In a report (PDF) to Congress on the effectiveness of the US Federal CAN-SPAM Act, the Federal Trade Commission (FTC) concludes that technology has reduced the amount of junk email reaching consumers’ in-boxes. Meanwhile rigorous law enforcement has had a deterrent effect on spammers. “Consumers are receiving less spam now than they were receiving in 2003” when the CAN-SPAM Act was enacted, the FTC concludes. The regulators’ upbeat assessment that the war against spam - if not won - is going in the right direction is supported by figures from some security vendors cited in its report. According to email firm MX Logic, spam accounted for 67 per cent of the email it processed in the first eight months of 2005, down nine percentage points from the 76 per cent spam-rate MX faced in the same period last year. The FTC has brought 21 cases under CAN-SPAM compared to 62 cases against spammers it filed before the enactment of the law. Several important steps can be taken to improve the efficacy of the CAN-SPAM Act, the FTC advises. Laws are needed to help the FTC and other regulators in their quest to trace spammers and sellers who operate outside of the US. Improved user education on spam prevention and continued improvement in filtering tools and techniques to trace spammers will also assist in the fight against junk mail, the FTC reckons. http://www.theregister.co.uk/2005/12/21/can-spam/ Report at http://www.ftc.gov/reports/canspam05/051220canspamrpt.pdf

3RD CIRCUIT UPHOLDS PRIVATE SUITS FOR ECPA VIOLATIONS (BNA’s Internet Law News, 20 Dec 2005) -- The 3rd Circuit Court of Appeals has ruled that a private right of action exists for violation of the Electronic Communications Privacy Act. Case name is DirecTV v. Pepe. Decision at http://caselaw.findlaw.com/data2/circs/3rd/044333p.pdf

FRENCH PARLIAMENT VOTES TO LEGALIZE P2P FILE SHARING (Reuters, 23 Dec 2005) -- The lower house of the French parliament voted to legalize peer-to-peer (P2P) file sharing of movies and music via the Internet. It is a vote that is certain to reverberate around the globe and draw severe criticism from the nation’s film and music industries as well as from actors and recording artists. The vote has been called a revolt against Culture Minister Renaud Donnedieu de Vabres’ draft legislation that would have established steep penalties for individuals convicted of pirating copyrighted materials with a fine of $360,000 and as much as three years of jail time. Several days prior to the matter being taken up on the floor of the parliament, consumer activists delivered a petition with 110,000 signatures criticizing the draft proposal to Vabres. A small group of legislators attached two amendments to Vabres’ bill to establish a monthly global licensing fee of 7 euros (around $8.50). The subscription charge would entitle users to unlimited downloads and legalize what most Western countries have heretofore considered a modern-day scourge. The amendment passed with a small majority, 30 to 28, with only 10 percent of the 577 assembly members actually present. The measure has yet to pass in the upper house. “We are trying to bring the law up to date with reality,” Patrick Bloche, a Socialist representative from Paris who co-authored the amendments, told the New York Times. “It is wrong to describe the eight million French people who have downloaded music from the Internet as delinquents.” http://news.yahoo.com/s/nf/20051223/bs_nf/40473

FLA. ATTORNEY GENERAL SAYS HIS E-MAILS AREN’T SPAM (Reuters, 24 Dec 2005) -- Florida’s attorney general has spearheaded an aggressive campaign against unsolicited e-mails, or spam. But as a candidate for governor, he appears to be generating some unwanted Internet clutter himself. Charlie Crist was a staunch defender of a tough anti-spam law passed by the state legislature last year, under which violators can be fined up to $500 for every e-mail they send. But a report in Thursday’s St. Petersburg Times said Crist, a Republican gubernatorial candidate, had annoyed some residents of the state by sending them unwanted e-mails promoting his candidacy and soliciting campaign donations. Joe Spooner, a 41-year-old investment adviser, told the newspaper he had no idea how the Crist campaign got his e-mail address but repeatedly tried to unsubscribe. After his fifth request to be removed, Spooner sent the Crist campaign an e-mail of his own. He accused Crist of hypocrisy because of the way he seemed to have forgotten all about his vocal crackdown on spammers. “Do I need to file a complaint with the attorney general’s office?” Spooner wrote. The newspaper quoted other people who had received unsolicited e-mails from Crist’s campaign. Crist was not immediately available for comment. http://news.yahoo.com/s/nm/20051223/wr_nm/email_dc

SOUTH KOREA: UR INDICTED. BCNU. (New York Times, 27 Dec 2005) -- South Koreans may look at their cellphones with some trepidation in the new year because prosecutors will start telling people they have been indicted via text messages. In a country where about 75 percent of the population carry cellphones, prosecutors felt it was time to move away from sending legal notices on paper and send them electronically instead, said Lee Young Pyo, an administrative official. “This is a more definite way for the individuals to know they have received a legal notice,” he said. http://www.nytimes.com/2005/12/27/international/27briefs.html

US MILITARY FINDS SOLDIERS’ BLOGS TOO CLOSE FOR COMFORT (Sydney Morning Herald, 28 Dec 2005) – Anyone wanting to hear daily insights into what it is like to be in a convoy hit by an explosion or ordered to pick up the body parts of comrades dismembered by a suicide bomber does not have to be there in person any more. Instead they just need to log on to the internet from the safety of their home or office. In a development that is worrying US military commanders in Iraq, a growing number of US soldiers - 200 at the last count - have set up their own blogs, or internet diaries, and are updating them from the battlefield. The phenomenon, helped by internet cafes at almost all US camps to permit soldiers regular contact with home, has for the first time allowed personal reports of the reality of combat to be read as they happen. Most of the sites started as simple diaries intended to keep in touch with friends and family. But some quickly developed a fan base of thousands. Websites now exist to direct viewers to blogs from specific units or locations. It is a phenomenon that has inevitably raised concern among commanders. In April the US military published its first policy memorandum on websites maintained by soldiers, requiring them to have official approval before starting internet postings. In July the first soldier was punished for publishing information considered sensitive, which includes mention of incidents under investigation or names of servicemen killed or wounded. http://www.smh.com.au/news/world/us-military-worried-by-soldiers-blogs/2005/12/27/1135445571736.html

**** RESOURCES ****
Chris Hoofnagle is the West Coast Director for EPIC. This is his consumer privacy top 10 – http://west.epic.org/archives/2005/11/hoofnagles_cons.html

“The new law of information security: What companies need to do now.” – good article by Thomas Smedinghoff -- http://www.technologyexecutivesclub.com/PDFs/ArticlePDFS/infosecurity.pdf

**** IN MEMORIAM ****
My father, Ira Polley, passed away last week at the age of 88. I’ll miss his laugh, outlook, and guidance. More information at http://www.vip-law.com/irapolleyobit.htm

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Sunday, December 11, 2005

MIRLN -- Misc. IT Related Legal News [20 Nov – 10 Dec 2005; v8.15]

A CONSTANT STATE OF INSECURITY (InfoWorld, 4 Nov 2005) --For the past few months an acquaintance of mine has been sniffing various public wireless and wired networks around the world, looking to see what plain text passwords are visible. It was an eye-opening experiment. She used a bunch of different tools, but mostly Cain. At the moment, it collects 18 different passwords or password representations, including plain text passwords sent over HTTP, FTP, ICQ, and SIP protocols, and will automatically collect the user’s log-in name, password (or password representation), and access location. Other than a few simple validity reviews and summary counts, my friend doesn’t look at the log-in names or passwords, and she deletes any collected information after obtaining the counts. She hasn’t used ARP (Address Resolution Protocol) poisoning or done anything other than to count plain text passwords passing by her traveling laptop’s NIC when she’s in a hotel, airport, or other public network. Although some -- including me -- might question her ethics, the information she shared is useful in understanding our true state of insecurity. She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other’s passwords. She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords. As a security professional, my friend often attends security conferences and teaches security classes. She noted that the number of passwords she collected in these venues was higher on average than in non-security locations. 
The very people who are supposed to know more about security than anyone appeared to have a higher-than-normal level of remote access back to their companies, but weren’t using any type of password protection. Another interesting issue my friend noticed was how many HTTPS-enabled Web sites did not implement SSL correctly -- users’ log-in names and passwords were being sent in clear text. This included communications to remotely accessed security devices, portals, and firewalls. The lesson here is never to trust the browser’s padlock icon when connecting to a new Web site or protected device. Sniff yourself and confirm. I did this last year and discovered my awesome anti-spam appliance’s SSL connection wasn’t working. [Commentator: This article shows how poorly even security professionals protect authentication information. I consider this a “must read.”] http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html

POLITICOS WARY OF CHANGES TO COPYRIGHT LAW (CNET, 16 Nov 2005) -- Politicians on Wednesday voiced reluctance to rewrite laws and allow people to bypass, in the name of fair use, copy-protection mechanisms on goods such as CDs and software. The statements came at a hearing here convened by a U.S. House of Representatives subcommittee that deals with commerce, trade and consumer protection. A provision of standard copyright law known as fair use allows for permission-free reproduction of certain copyright works, provided it’s for certain noncommercial purposes, such as teaching, news reporting, criticism and research. But fair use gets no mention in the Digital Millennium Copyright Act of 1998, a law that broadly prohibits cracking copy-protection technology found in products such as DVDs, computer software and electronic books. Critics say that omission eats away at consumers’ rights to use the works in ways standard fair use rights would otherwise permit. The law’s supporters, including the entertainment industry, counter that any changes would lead to rampant piracy. Some members of Congress have been trying for years to pass legislation that would build fair use into the DMCA. That’s one of the major goals of their latest effort, called the Digital Media Consumers’ Rights Act. The measure was reintroduced in March by Rep. Rick Boucher, a Virginia Democrat, and backed by Rep. Joe Barton, the Texas Republican who chairs the House Energy and Commerce Committee. http://news.com.com/2100-1030_3-5956328.html

SCIENCE BODY URGES DATA SHARING (BBC, 20 Nov 2005) -- Sharing government-held personal information could bring huge medical and social benefits, a government group has said. The new Council for Science and Technology has recommended pooling data to deliver better targeted public services and improve policymaking. But it said safeguards needed to be in place to protect people’s privacy. The government also needed to start a dialogue with the public on what was being proposed, it said. Information is frequently shared between medical researchers and the private sector. Report author Dr Mark Walport, who heads medical charity the Wellcome Trust, said he had seen the benefit of using databases for researching links between diseases and social conditions. Studies can also monitor the effectiveness of treatments or of the impact of adopting certain policies. However, the owner of the biggest collection of datasets in the country - the UK government - uses the information at its disposal at a fraction of its potential, according to Dr Walport. Personal data is guarded by government departments because of concern about misuse and invasions of privacy. But Dr Walport argued that with more creative thinking the government could improve medical and other social policy-making while at the same time protecting the privacy of individuals. http://news.bbc.co.uk/2/hi/technology/4455306.stm

CT. RULES THAT CDA S. 230 SHIELDS ISP BREACH OF PROMISE (BNA’s Internet Law News, 21 Nov 2005) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Oregon has ruled that the statutory immunity provision found in CDA S.230 applies to a claim alleging that an ISP breached its own promise to remove unauthorized content in response to a complaint. The dispute involved counterfeit Yahoo! profiles and failure by Yahoo! to remove the profiles. Case name is Barnes v. Yahoo!. Article at http://pubs.bna.com/ip/bna/eip.nsf/eh/a0b1z6t5x9

STUDY: SECURITY STILL TOP IT SPENDING PRIORITY (Computerworld, 21 Nov 2005) -- A recent survey of 100 IT executives predicts that IT spending will decrease slightly in 2006 as more businesses worry about global economic conditions, but security software and enterprise IT upgrades remain top concerns. Macroeconomic factors such as high oil prices and a devastating hurricane season in the U.S. have caused 40% of the executives surveyed by Goldman, Sachs & Co. to consider reducing their 2006 IT budgets, according to survey results released Friday. Most executives, 52%, believe IT spending will be unchanged in 2006. Security software has been a long-running priority among the executives on Goldman’s survey panel, and nothing has changed that mind-set based on the current results. Spending on antivirus products has eased up after a flurry of activity, but CIOs continue to focus on improving security in areas like identity management and regulatory compliance, the survey said. Other enterprise software priorities include enterprise resource management and customer relationship management systems, with CIOs upgrading those two categories to top priorities. When Goldman polled its panel in April, ERP and CRM software were considered only medium priorities. http://www.computerworld.com/printthis/2005/0,4814,106422,00.html

SCHOOL RADIO STATIONS FACE COMPETITION OVER LICENSES (New York Times, 23 Nov 2005) -- The week before classes started in August 2004 at Franklin Central High School here, Steve George stopped in to prepare the school radio station for the coming year. As the faculty adviser to WRFT, he wanted to make sure his students were writing and producing public-service announcements. He had to contact a few of Franklin Central’s football rivals to arrange for WRFT to broadcast away games. He was pricing replacements for a 20-year-old remote unit. Then, on Mr. George’s way to the station’s studio, the principal intercepted him to pass along an unexpected piece of mail. It was a petition to the Federal Communications Commission asking that WRFT be denied its license, which was due for renewal, and that its frequency be given to an outfit called the Hoosier Public Radio Corporation. Through his 34 years in commercial radio, the career he left to become a teacher, Mr. George had never once been on a station confronted in this way. He could not imagine why anyone would want to take over WRFT in particular, a 50-watt station with an annual budget of $4,200 and inoffensive programs like “Wakin’ Up in a Flash,” a talk show run by two seniors at the local Chick-fil-A restaurant. “I thought, ‘Is this fiction?’” Mr. George recalled. “Who could do this?” He has since learned the answer. Hoosier Public Radio is largely the enterprise of one man, Martin Hensley, a former radio engineer who now describes his occupation as “serving God.” And the effort by Mr. Hensley to take the F.C.C. license from WRFT, or at least force it to share broadcast time with him, offers but one example of a series of similar conflicts involving student radio stations. At least 20 high school stations, and a handful of college ones, have been fending off challenges to their licenses by Christian broadcasters in the last year. This flurry of action, which seemed so inexplicable to Mr. George, actually has a fierce logic to it. A loophole in commission regulations makes educational stations unusually vulnerable to takeover attempts. Moreover, their frequencies are a lucrative commodity, a bargain-basement way to get onto the air. The commission rarely auctions new frequencies on the crowded radio dial, and existing ones sell for $200,000 or so for a 50-watt operation like WRFT’s to more than $10 million for a major commercial station. “It’s opportunistic,” said Mark Goodman, executive director of the Student Press Law Center, an organization based in Arlington, Va., that provides legal assistance for student journalists. “People see this as a way to go after stations that are of value and of use. In the process, student voices can be lost, and the entire society loses. From teen pregnancy to school testing, we understand our world better and our teenagers better when we hear them.” http://www.nytimes.com/2005/11/23/nyregion/23education.html?ex=1290402000&en=a509d60b6ca4aecf&ei=5090&partner=rssuserland&emc=rss

STUDY SUGGESTS DMCA TAKEDOWN REGS ABUSED (SecurityFocus, 25 Nov 2005) -- One third of all requests to Internet service providers to remove stolen copyrighted material from their servers could likely be defeated in court, according to a study of some 900 notices by two legal experts. The survey examined takedown notices served to Google and another large Internet provider under the Digital Millennium Copyright Act (DMCA) Section 512. Two provisions of that section require that hosting providers and search providers remove content and links to content in order to gain exemption from possible copyright lawsuits. The music and movie industry typically use a different provision of the section to ask for suspected infringers to be cut off from the Internet. According to the study, thirty percent of the notices could be readily challenged in court on clear grounds, such as a substantial fair-use argument and the likelihood that the material is uncopyrightable. One out of 11 notices had such a significant legal flaw--such as not identifying the infringing material--as to render the notice unusable. Moreover, more than half of the notices for link removal that were sent to Google were sent by businesses targeting apparent rivals, the report said. While the authors of the study admit it uses a small sample set, the conclusions support contentions that the DMCA has been used to hobble expression on the Internet, even among security researchers, who have an explicit exemption in the law. http://www.securityfocus.com/brief/62

GENERAL ASSEMBLY ADOPTS CONVENTION ON ELECTRONIC COMMUNICATIONS IN CONTRACTING (UN, 25 Nov 2005) -- Updating international trade law to take account of new technologies, the United Nations General Assembly has adopted a new convention on using electronic communications in international contracting, superseding law negotiated before the development of e-mail and the Internet. The new Convention, approved on Wednesday, will assure companies and traders worldwide that contracts negotiated electronically are as valid and enforceable as traditional paper-based transactions. The provisions deal with such issues as determining a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications and the use of automated message systems for contract formation. Other provisions contain criteria establishing functional equivalence between electronic communications and paper documents, including “original” paper documents, and between electronic authentication methods and hand-written signatures. The UN Commission on International Trade Law (UNCITRAL) Working Group on Electronic Commerce prepared the document from 2002 to late 2004 and adopted it at its 38th Session in Vienna, Austria, in July. The Convention complements and builds upon earlier instruments prepared by UNCITRAL, the core legal body of the UN system in the field of international trade law, including the UNCITRAL Model Law on Electronic Commerce and the UNCITRAL Model Law on Electronic Signatures. The Convention will be open for signature by all States at UN Headquarters from next 16 January to 16 January 2008. A signature event could take place during UNCITRAL’s 39th session in New York next year, from 19 June to 7 July, to promote State participation. http://www.un.org/apps/news/story.asp?NewsID=16685&Cr=general&Cr1=assembly

DUTCH COMPANY STARTS NEW INTERNET ADDRESS SYSTEM (Computerworld, 28 Nov 2005) -- A Dutch company has launched a new Internet addressing service that does away with the most common top-level domains (TLDs), such as .com and .edu, and allows organizations and individuals to register Internet addresses that end with the name of their business, or virtually any other word they choose. UnifiedRoot S & M BV, based in Amsterdam, said its system allows its customers to use more intuitive Internet addresses that are easier to remember. They can combine the TLDs with second-level domains for categories of products and services, such as fruit.supermarket and vegetables.supermarket, for example. The company has set up 13 master root servers around the world to run its Domain Name System (DNS), which it said will run “in parallel” with the Internet’s principal DNS, run by the Internet Corporation for Assigned Names and Numbers (ICANN). To avoid conflicts, UnifiedRoot won’t register TLDs already registered by ICANN, it said. Its success will depend partly on cooperation from ISPs, which will have to update their DNS server directories in order for them to include UnifiedRoot’s DNS servers. European ISP Tiscali SpA has made the change, according to Seeboldt, along with several local ISPs in Turkey. Without the cooperation of ISPs, end users will have to reconfigure their own PCs to recognize the UnifiedRoot TLDs, which the company acknowledged could be tricky for some users. http://www.computerworld.com/news/2005/story/0,11280,106559,00.html

THIRD CIRCUIT OFFERS A TUTORIAL ON THE CFAA AS A CIVIL CAUSE OF ACTION (Steptoe & Johnson’s E-Commerce Law Week, 26 Nov 2005) -- A recent decision by the US Court of Appeals for the Third Circuit in P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, clarified that injunctive relief is available in civil suits brought under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and that a civil suit can be brought not just where access to a computer causes damage, but also where something of value is allegedly taken from that computer. This clarification was necessitated by a district court’s utter confusion over the terms of the CFAA, including whether it even offered a basis for a civil claim. This just goes to show how novel civil suits over security breaches still are. Nevertheless, despite feeling compelled to give the district court a primer on the CFAA, the Third Circuit upheld the lower court’s denial of a preliminary injunction on the ground that the plaintiffs had failed to allege what precisely the defendants had taken from their computers, an essential element of a claim based on § 1030(a)(4). So apparently the district court wasn’t the only one that needed to be taken to school. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11317&siteId=547

PENTAGON’S URBAN RECON TAKES WING (Wired, 29 Nov 2005) -- A leading defense contractor has successfully demonstrated a system that lets foot soldiers command unmanned aerial vehicles, or UAVs, to see real-time overhead images on their handheld computers while fighting in urban battle zones. Individual war fighters can receive video-surveillance data on a target of interest by moving a cursor over the subject, as part of a Northrop Grumman system to automate reconnaissance, surveillance and target acquisition, or RSTA, within urban environments. UAVs have already proven their worth in the kinds of urban battle zones that produce daily headlines out of Iraq -- places like Falluja and Najaf, where the drones can navigate the labyrinth of streets or stealthily peer into buildings. But ground troops don’t currently have direct access to this surveillance and reconnaissance data, and they have no control of the aircraft that deliver it. That’s what HURT, for Heterogeneous Urban RSTA, promises to change. Northrop demonstrated the system this fall on the former site of Georgia Air Force Base in Victorville, California, on a grid of abandoned streets and buildings used to train soldiers in urban combat. Two fixed-wing UAVs, a Raven and a Pointer, along with an Rmax rotorcraft, were put aloft under the control of the system. Participants on the ground were able to view wide-area surveillance of the battle zone on handheld monitors, but could also send one of the UAVs in for a closer look at a suspected enemy position by merely moving over the subject with their cursor. http://www.wired.com/news/technology/0,1282,69612,00.html

PLAN TO PUT COMPANY REPORTS ON THE WEB (Reuters, 30 Nov 2005) -- Corporations would be allowed to post proxy statements and annual reports on Web sites, instead of sending them through the mail, under a plan proposed Tuesday by federal regulators. The Securities and Exchange Commission voted 5 to 0 to submit the plan to a 60-day public comment period, with a final vote by the commission expected later. Aimed at saving postage and printing costs, the so-called e-proxy measure is also seen as a way to cut the costs to shareholders of waging proxy contests. Under the proposed rule, investors would receive a postcard notice in the mail telling them that a proxy statement and annual report was available online. Investors wishing to continue receiving printed matter could request it. “Studies show that today 75 percent of Americans now have access to the Internet and this percentage is rising steadily,” Christopher Cox, the S.E.C. chairman, said at a meeting. “The percentage of investors with Internet access is even higher.” The proposal, if adopted early next year, would probably not be enacted in time for the 2006 proxy season but would come into play in 2007, said Alan L. Beller, director of the S.E.C.’s corporate finance division. http://www.nytimes.com/2005/11/30/business/30regulate.html?ex=1291006800&en=1b09ce18cb246bdc&ei=5090&partner=rssuserland&emc=rss

ANGRY BELLSOUTH WITHDREW DONATION, NEW ORLEANS SAYS (Washington Post, 3 Dec 2005) -- Hours after New Orleans officials announced Tuesday that they would deploy a city-owned, wireless Internet network in the wake of Hurricane Katrina, regional phone giant BellSouth Corp. withdrew an offer to donate one of its damaged buildings that would have housed new police headquarters, city officials said yesterday. According to the officials, the head of BellSouth’s Louisiana operations, Bill Oliver, angrily rescinded the offer of the building in a conversation with New Orleans homeland security director Terry Ebbert, who oversees the roughly 1,650-member police force. City officials said BellSouth was upset about the plan to bring high-speed Internet access for free to homes and businesses to help stimulate resettlement and relocation to the devastated city. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/02/AR2005120201853.html

EUROPEAN LEGAL MINEFIELD FOR SOX WHISTLEBLOWER PROGRAMS (Steptoe & Johnson’s E-Commerce Law Week, 3 Dec 2005) -- Every so often unexploded ordnance from as far back as World War I is discovered in Europe, particularly in France. But for companies in Europe -- especially those that are subject to the US Sarbanes-Oxley Act (“SOX”) -- a more dangerous minefield appears to be the legal one that is emerging from the conflict between SOX whistleblower obligations and European data protection law. And (sacré bleu!) again the problem is most acute in France. The Commission Nationale de l’Informatique et des Libertés, the French data protection authority, has just released guidelines on the implementation of whistleblower reporting hotlines in France (“Guidelines”). Combined with a court decision in Germany earlier this year regarding the interaction of works councils and whistleblower hotlines, the Guidelines create a very confusing European legal environment for whistleblower programs. It now appears that European Union authorities will also jump into the controversy, and that the issue is also likely to spread to other European countries. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11361&siteId=547 [EDITOR: inter alia, the Guidelines protect supervisors’ reputations against anonymous complaints, thereby conflicting with the whistleblower rules.]

UPLOAD, STORE, PLAY AND SHARE IN A FEW CLICKS (New York Times, 3 Dec 2005) -- In Hollywood, young screenwriters have “elevator pitches” always at the ready--pithy descriptions of their screenplays, intended to capture the imagination of passing movie executives. You know: “It’s ‘Titanic’ on a spaceship.” “It’s a female ‘Harry Potter.’” “It’s ‘Raising Arizona’ meets ‘Leaving Las Vegas.’” Most of the time, high-tech companies can describe their products with equal efficiency, but not always. Take, for example, Glide Effortless, a new Web service that went live Wednesday. “What is Glide Effortless?” its news release asks. “It is a compatible browser-based online solution with integrated software and service environments, providing powerful file management, creation, communication, sharing and e-commerce capabilities.” Here’s another stab: It’s a personal Web site to which you can upload your favorite photos, MP3 files, video clips and even Word, PowerPoint or PDF documents. (A separate companion program speeds the uploading process by letting you drag and drop big batches of files at once.) Once everything’s posted on the Web site, you can do two things with it: manage it or share it. http://news.com.com/Upload%2C+store%2C+play+and+share+in+a+few+clicks/2100-1038_3-5978421.html?tag=nefd.top [Editor: Collaboration spaces (like wikis) are important elements of my Knowledge Management practice; Glide’s offering is at one end of the capabilities-spectrum, which is being elongated in some interesting ways. Commoditization won’t be too far off.]

-- and --

SNARED IN THE WEB OF A WIKIPEDIA LIAR (New York Times, 4 December 2005) -- According to Wikipedia, the online encyclopedia, John Seigenthaler Sr. is 78 years old and the former editor of The Tennessean in Nashville. But is that information, or anything else in Mr. Seigenthaler’s biography, true? The question arises because Mr. Seigenthaler recently read about himself on Wikipedia and was shocked to learn that he “was thought to have been directly involved in the Kennedy assassinations of both John and his brother Bobby.” Mr. Seigenthaler discovered that the false information had been on the site for several months and that an unknown number of people had read it, and possibly posted it on or linked it to other sites. If any assassination was going on, Mr. Seigenthaler (who is 78 and did edit The Tennessean) wrote last week in an op-ed article in USA Today, it was of his character. The case triggered extensive debate on the Internet over the value and reliability of Wikipedia, and more broadly, over the nature of online information. Wikipedia is a kind of collective brain, a repository of knowledge, maintained on servers in various countries and built by anyone in the world with a computer and an Internet connection who wants to share knowledge about a subject. Literally hundreds of thousands of people have written Wikipedia entries. Mistakes are expected to be caught and corrected by later contributors and users. The whole nonprofit enterprise began in January 2001, the brainchild of Jimmy Wales, 39, a former futures and options trader who lives in St. Petersburg, Fla. He said he had hoped to advance the promise of the Internet as a place for sharing information. It has, by most measures, been a spectacular success. Wikipedia is now the biggest encyclopedia in the history of the world. As of Friday, it was receiving 2.5 billion page views a month, and offering at least 1,000 articles in 82 languages. The number of articles, already close to two million, is growing by 7 percent a month. And Mr. Wales said that traffic doubles every four months. Still, the question of Wikipedia, as of so much of what you find online, is: Can you trust it? And beyond reliability, there is the question of accountability. Mr. Seigenthaler, after discovering that he had been defamed, found that his “biographer” was anonymous. He learned that the writer was a customer of BellSouth Internet, but that federal privacy laws shield the identity of Internet customers, even if they disseminate defamatory material. And the laws protect online corporations from libel suits. He could have filed a lawsuit against BellSouth, he wrote, but only a subpoena would compel BellSouth to reveal the name. In the end, Mr. Seigenthaler decided against going to court, instead alerting the public, through his article, “that Wikipedia is a flawed and irresponsible research tool.” http://www.nytimes.com/2005/12/04/weekinreview/04seelye.html?ex=1291352400&en=6a97402d6595c6f1&ei=5090&partner=rssuserland&emc=rss and http://news.com.com/Is+Wikipedia+safe+from+libel+liability/2100-1025_3-5984880.html?tag=nefd.lede

CAL. APPELLATE CT. RULES AGAINST EARTHLINK FORUM CLAUSE (BNA’s Internet Law News, 5 Dec 2005) -- A California appeals court has held that Earthlink’s arbitration and forum selection clauses in its DSL click through agreement are unenforceable under California law. The case arose as part of a class action suit, with the court ruling that “a forum selection clause that discourages legitimate claims by imposing unreasonable geographical barriers is unenforceable under well-settled California law.” Decision at http://www.courtinfo.ca.gov/opinions/documents/B177146.PDF

9/11 PANEL FAULTS GOVERNMENT ON CYBERSECURITY (CNET, 6 Dec 2005) -- The federal government is not making enough progress in protecting critical infrastructures such as communications networks and the Internet, said former members of the commission that investigated the attacks of Sept. 11, 2001. Progress also is lacking in airline security and providing radio spectrum to first responders, according to the 9/11 Public Discourse Project, which is made up of the 10 individuals--five Republicans and five Democrats--who served on the Sept. 11 commission. The 9/11 Public Discourse Project on Monday issued a report card with an A- for battling terrorist financing, but all 40 of the other grades were lower. “There are far too many C’s, D’s and F’s in the report card we will issue today. Many obvious steps that the American people assume have been completed have not been. Our leadership is distracted,” the project leaders said in a statement. Critical infrastructure protection initiatives received a D: No risk and vulnerability assessments have been made; no national priorities have been established; and no recommendations have been made on allocation of scarce resources, according to the report. “All key decisions are at least a year away. It is time that we stop talking about setting priorities, and actually set some,” the former commissioners wrote. The shortcomings are “shocking” and “scandalous,” according to the 9/11 Public Discourse Project. The government also was faulted for a lack of agency information-sharing that’s needed to strengthen intelligence, members said. The former commissioners also critiqued the work on new, more secure ID cards according to the Real ID Act. New standards for issuing birth certificates continue to be delayed until at least early 2006. “Without movement on the birth certificate issue, state-issued IDs are still not secure,” according to the report. In addition, Congress has failed to take a leading role in passport security, the report said. http://news.com.com/911+panel+faults+government+on+cybersecurity/2100-7348_3-5984743.html?tag=nefd.top

WEB OF LIES (InsideHigherEd, 6 Dec 2005) -- When several of his colleagues expressed doubts about whether they would eventually want to tenure him, William Bradford, an associate professor of law at Indiana University in Indianapolis, went public with his complaints. He posted on blogs, he talked on the radio, he talked to this Web site, he hit “The O’Reilly Factor.” His message: Liberal faculty members were pushing him out because he is conservative, a war veteran and a Native American who didn’t fit a liberal mold for Native Americans. But as Bradford’s complaints grew louder, his story unraveled. It has now become clear that Bradford lied about, among other things, his military service. University officials confirmed Monday that Bradford — who did not respond to e-mail and voice messages and who hasn’t commented on the latest events — has resigned, effective January 1. Bradford appeared on the national radar this summer, after five faculty members on a review committee, which did authorize his reappointment, said they did not think he deserved tenure at the time. Bradford, whose degrees include one each from Northwestern and Harvard Universities, railed against what he claimed was a liberal conspiracy against him. http://insidehighered.com/news/2005/12/06/bradford [Editor: Mr. Bradford has some interesting ideas; I’ve heard him deliver an impassioned argument for the Bush administration’s “pre-emptive war” doctrine; some thought it (and the doctrine) over-the-top.]

OK, OK, MAYBE PIRACY IS BAD (Wired, 8 Dec 2005) -- Software piracy is rampant and hampering economic growth, and it is increasingly in the hands of organized groups which are regarded as legitimate businesses in some countries. The global piracy rate is currently around 35 percent, coming down only 1 percent a year, research group IDC found in a study commissioned by the Business Software Alliance, which represents around 50 software firms. The study, covering 70 countries which represent 99 percent of the world’s information technology spending, said that a worldwide reduction of software piracy by 10 percentage points to 25 percent could generate 2.4 million jobs and $400 billion of economic growth. The battle against software piracy has been relatively successful over the last 15 years, with the piracy rate in Europe dropping to 35 percent from almost 80 percent in 1992 when the European authorities adopted special legislation. Still, a 35 percent piracy rate is more than 20 times higher than the percentage that retail stores lose through shoplifting. At its worst, piracy runs as high as 90 percent in China and 87 percent in Russia. The United States has a modest 21 percent piracy rate. China is already one of the world’s biggest personal computer markets, but does not even make it into the top 20 of software markets because so much software is illegally copied. http://www.wired.com/news/business/0,1367,69785,00.html

EFF MOVES TO BLOCK CERTIFICATION OF E-VOTING SYSTEMS (CNET, 9 Dec 2005) -- The Electronic Frontier Foundation filed a complaint aimed at blocking North Carolina’s recent certifications of voting machines, saying state elections officials failed to meet legal requirements before signing off on the systems. The complaint, filed in Wake County Superior Court by the EFF and a Raleigh lawyer on behalf of a local voters’ advocate, calls for a judge to void certifications that the Board of Elections issued last week to Diebold, ES&S and Sequoia Voting Systems. It also requests a restraining order that would prevent elections officials from certifying any new systems until they comply fully with state election laws. The state legislature modified those laws this summer, setting new standards for e-voting machines and requiring that existing systems be decertified. State elections officials “exceeded their statutory authority” in signing off on the systems, because they disregarded the law in two areas, the complaint charges. First, they failed to complete a comprehensive review of various security features on the systems, and second, they neglected to obtain every bit of source code associated with software on the devices--one of the new legal requirements. E-voting machines continue to generate security concerns and calls for reform. During the 2004 presidential election, officials acknowledged that glitches in some systems led to lost votes in a few states’ tallies--including 4,500 in one North Carolina county. Diebold, an Ohio-based company that makes automatic-teller machines as well, is also no stranger to controversy. Last year, California officials questioned the company on the integrity of its systems and recommended banning Diebold machines from the state. http://news.com.com/EFF+moves+to+block+certification+of+e-voting+systems/2100-1028_3-5988243.html?tag=nefd.top EFF Complaint at http://www.eff.org/Activism/E-voting/EFF_Mandamus_Complaint_TRO_20051208140945.pdf

WORKER PRIVACY: YOU HAVE NONE (Wired, 9 Dec 2005) -- If you have internet access at work, there’s a very good chance your employer has a system in place to monitor your online activities. So, if you’re concerned about privacy, take heed. Under current U.S. law, there’s little you can do to protect the confidentiality of your internet use on the job. Here’s a rundown of the rights you don’t have at work. Notice of monitoring: Only two states (Connecticut and Delaware) require that employers inform workers if they are monitoring online activity, according to Jeremy Gruber, legal director, the National Workrights Institute. Federal legislation requiring such disclosure has been proposed but not enacted. That said, most employers do provide notice to employees if they track workplace web use. In an employer survey conducted this year by the American Management Association and the ePolicy Institute, 89 percent of respondents said they notify employees if their web usage is being tracked. Privacy outside the office: More workers are telecommuting these days, often using laptops and other portable devices provided by their employer. But leaving the office doesn’t guarantee freedom from internet surveillance. Using the company laptop to remotely access its network is, from a monitoring legality standpoint, generally the same as working from the office, said Mark Schreiber, a partner at Edwards Angell Palmer & Dodge, who advises firms regarding internet use policies. People who are entering the company network from home, even from their personal computer, should be aware that online activities may be monitored. To protect privacy, Gruber recommends investing in your own equipment: “Use your own system that is in no way, shape, or form connected through the employer’s network,” he said. The right to blog: People who like to blog -- especially about their employer -- should refrain from doing so at work. “The computer system is the property of the employer, and the employer has the right to monitor all internet activity,” said Nancy Flynn, executive director of the ePolicy Institute. “That would include blog posts and all e-mail and internet transmissions.” Flynn estimates that hundreds of people have been fired for their blog content in recent years. In the AMA/ePolicy survey, 26 percent of respondents said they had fired workers for misusing the internet. A quarter of employers also said they’d terminated workers for e-mail misuse. Weekend work without monitoring: If you’re laboring overtime and taking work home for the weekend, employers are likely still monitoring your online activities if you use their equipment or network, says Gruber. That means employees might want to be careful about personal web-surfing or e-mail activities until they’ve logged off the company server. http://www.wired.com/news/privacy/0,1848,69732,00.html

LIVE TRACKING OF MOBILE PHONES PROMPTS COURT FIGHTS ON PRIVACY (New York Times, 10 Dec 2005) -- Most Americans carry cellphones, but many may not know that government agencies can track their movements through the signals emanating from the handset. In recent years, law enforcement officials have turned to cellular technology as a tool for easily and secretly monitoring the movements of suspects as they occur. But this kind of surveillance - which investigators have been able to conduct with easily obtained court orders - has now come under tougher legal scrutiny. In the last four months, three federal judges have denied prosecutors the right to get cellphone tracking information from wireless companies without first showing “probable cause” to believe that a crime has been or is being committed. That is the same standard applied to requests for search warrants. The rulings, issued by magistrate judges in New York, Texas and Maryland, underscore the growing debate over privacy rights and government surveillance in the digital age. With mobile phones becoming as prevalent as conventional phones (there are 195 million cellular subscribers in this country), wireless companies are starting to exploit the phones’ tracking abilities. For example, companies are marketing services that turn phones into even more precise global positioning devices for driving or allowing parents to track the whereabouts of their children through the handsets. Not surprisingly, law enforcement agencies want to exploit this technology, too - which means more courts are bound to wrestle with what legal standard applies when government agents ask to conduct such surveillance. Cellular operators like Verizon Wireless and Cingular Wireless know, within about 300 yards, the location of their subscribers whenever a phone is turned on. Even if the phone is not in use it is communicating with cellphone tower sites, and the wireless provider keeps track of the phone’s position as it travels. The operators have said that they turn over location information when presented with a court order to do so. http://www.nytimes.com/2005/12/10/technology/10phone.html?ex=1291870800&en=2019ce35d6b47983&ei=5090&partner=rssuserland&emc=rss

**** RESOURCES ****
THE SHIDLER JOURNAL OF LAW, COMMERCE & TECHNOLOGY is pleased to announce the recent publication of Volume 2, Issue 2. Abstracts for each of the articles in the current issue are provided below. Simply click on an article title to access a full text version of the article, or visit the Journal’s home page at www.lctjournal.washington.edu. The website also includes articles from past issues of the Journal. Recent titles are: “The FACT Act of 2003: Securing Personal Information In an Age of Identity Theft”; “Liability Under the Americans with Disabilities Act for Private Web Site Operators”; “Streamlined Sales and Use Tax Agreement: Is Your Business Ready for Compliance?”; “Proposed Federal Definition of ‘Internet Job Applicant’ Suggests Need for Revised Human Resource Policies”; and “‘I Didn’t Know My Client Wasn’t Complying!’ - The Heightened Obligation Lawyers Have to Ensure Clients Follow Court Orders in Litigation Matters”.

The GAO now supplies reports and testimony via RSS – click the RSS button on http://www.gao.gov/

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com.
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.