MIRLN (Misc. IT Related Legal News) is a free product of KnowConnect, Inc. (www.knowconnect.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.
**************End of Introductory Note***************
**** PROGRAM ANNOUNCEMENTS ****
ABA Cyberspace Law Committee winter working meeting (January 27-28, 2006, in Wilmington, Delaware). Details at http://www.abanet.org/buslaw/committees/CL320000pub/meetings.shtml; meeting activities will be blogged at http://aba-cyberspace.blogspot.com/
DOCUMENT MANAGEMENT SYSTEMS GO TO COURT (InfoWorld, 27 Dec 2005) -- Two proposed amendments to the federal Rules of Civil Procedure, if passed by Congress, will have a major impact on corporations and their IT departments. One expert I spoke with called the situation a legal Chernobyl. The two proposals are specifically targeted at electronic discovery. First, the proposed amendments to Rule 26 will require attorneys for both parties to a litigation in Federal court to sit down prior to the proceedings to discuss their clients’ document management systems. That’s right; you read that correctly. The rule also requires each company to designate a spokesperson for its IT group. This is the first time the courts are bringing IT directly into litigation, according to Trent Dickey, attorney with Sills, Cummis, Epstein & Gross. Next up, Rule 37(f), also called a safe harbor rule, says that corporations that have lost information but have otherwise acted in good faith cannot be sanctioned. Congress is expected to take action on this rule, one way or the other, by December 2006. It is probably easiest to comprehend the importance of the changes to Rules 26 and 37(f) by looking at what happens when you don’t manage documents properly. In Zubulake v. UBS Warburg, the judge instructed the jury that it was legitimate to presume that the information Warburg could not provide due to lost backup tapes and e-mails was probably damaging to the company’s case. Zubulake was awarded $20 million. According to Dickey, both this case and the more widely known Morgan Stanley case, which resulted in fines of $1.45 billion under similar circumstances, were decided 100 percent due to technology -- or rather, due to lack of good technology. If the changes to Rule 26 pass Congress and Rule 37(f) is shot down, next year there could be an awful lot of companies in the same boat as UBS Warburg and Morgan Stanley. http://www.infoworld.com/article/05/12/27/01OPreality_1.html?source=NLC-GOV2005-12-27
2005 WORST YEAR FOR BREACHES OF COMPUTER SECURITY (USA Today, 28 Dec 2005) -- Data breaches disclosed at Marriott International, Ford Motor, ABN Amro Mortgage Group and Sam’s Club this month capped what computer experts call the worst year ever for known computer-security breaches. At least 130 reported breaches have exposed more than 55 million Americans to potential ID theft this year. Security experts warn that wayward personal data, such as Social Security and credit card numbers, could end up in the hands of criminals and feed a growing problem. An adviser for the Treasury Department’s Office of Technical Assistance estimates cybercrime proceeds in 2004 were $105 billion, greater than those of illegal drug sales. The breaches come at a time when the Department of Homeland Security’s research budget for cybersecurity programs was cut 7%, to $16 million, for 2005. ID theft-related bills are stalled in Congress, and data brokers such as ChoicePoint, itself a victim of fraud this year, remain unregulated, “so it is likely that many more serious breaches have gone unreported,” says Avivah Litan, a security analyst at Gartner. As a result, the Bush administration has drawn the ire of the Cyber Security Industry Alliance, which represents high-tech heavyweights Symantec, McAfee and RSA Security. “Attacks are taking place every day,” says Paul Kurtz, a former Bush administration cybersecurity official who is executive director of CSIA. http://www.usatoday.com/tech/news/computersecurity/2005-12-28-computer-security_x.htm
-- and --
COMPUTER CRIME COSTS $67 BILLION, FBI SAYS (CNET, 19 Jan 2006) -- Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI. The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. “This would be 2.8 million U.S. organizations experiencing at least one computer security incident,” according to the 2005 FBI Computer Crime Survey. “With each of these 2.8 million organizations incurring a $24,000 average loss, this would total $67.2 billion per year.” By comparison, telecommunication fraud losses are about only $1 billion a year, according to the U.S. Secret Service. Also, the overall cost to Americans of identity fraud reached $52.6 billion in 2004, according to Javelin Strategy & Research. Other surveys have attempted to put a dollar amount on cybersecurity damages in the past, but the FBI believes its estimate is the most accurate because of the large number of respondents, said Bruce Verduyn, the special agent who managed the survey project. “The data set is three or four times larger than in past surveys,” he said. “It is obviously a staggering number, but that is the reality of what we see.” http://news.com.com/2100-7349_3-6028946.html
2005 PRIVACY YEAR IN REVIEW (EPIC, 1 Jan 2006) -- It’s been an eventful year in privacy, right up to the end, with revelations of government surveillance of activists, warrantless wiretaps by the National Security Agency, and a Congressional staring contest over the renewal of the Patriot Act. And the months preceding this one were no less impressive, with data security laws, RFID, and voter privacy making headlines. Here are the Top Ten Privacy Stories of 2005 from the Electronic Privacy Information Center (EPIC): [one-paragraph summaries follow each of these subjects]:
• PATRIOT Act Reauthorization Falls Short
• Security Breaches on the Rise
• Defense Department Ignores Privacy Laws
• In Federal Court, a Good E-mail Privacy Decision
• Privacy for Voters
• State Department Drops Hi-Tech Passport Plan, But Problems Remain
• NSA Domestic Spying Disclosed
• Problems Remain with Travel Screening Plans
• Credit Freeze Laws on the Rise
• Surveillance of Activists Revealed
CIA OFFSHOOT TAPS FORMER U.S. CYBERSECURITY CHIEF (CNET, 4 Jan 2006) -- Former U.S. cybersecurity chief Amit Yoran has been appointed president and CEO of In-Q-Tel, the CIA venture capital arm charged with funding and developing new technologies for the intelligence community. He took over Tuesday from previous chief Gilman Louie, who plans to start up his own San Francisco-based venture capital firm, In-Q-Tel said in a statement. Yoran resigned as director of the National Cyber Security Division of the Department of Homeland Security in late 2004, after less than one year in the post. Earlier, he was CEO of Riptech, a venture-backed network security company he cofounded, and then a managed security executive at Symantec. He also did a stint overseeing the vulnerability assessment program for the U.S. Computer Emergency Readiness Team (US-CERT). http://news.com.com/CIA+offshoot+taps+former+U.S.+cybersecurity+chief/2110-7350_3-6018575.html?tag=nefd.hed
GOVERNMENT WEB SITES FOLLOW VISITORS’ MOVEMENTS (CNET, 5 Jan 2006) -- Dozens of federal agencies are tracking visits to U.S. government Web sites in violation of long-standing rules designed to protect online privacy, a CNET News.com investigation shows. From the Air Force to the Treasury Department, government agencies are using either “Web bugs” or permanent cookies to monitor their visitors’ behavior, even though federal law restricts the practice. Some departments changed their practices this week after being contacted by CNET News.com. The Pentagon said it wasn’t aware that its popular Defenselink.mil portal tracked visitors--in violation of a privacy notice--and said it would fix the problem. So did the Defense Threat Reduction Agency and the U.S. Chemical Safety and Hazard Investigation Board. The practice of tracking Web visitors came under fire last week when the National Security Agency was found to use permanent cookies to monitor visitors, a practice it halted after inquiries from the Associated Press. The White House also was criticized last week for employing WebTrends’ tracking mechanism that used a tiny GIF image. http://news.com.com/Government+Web+sites+follow+visitors+movements/2100-1028_3-6018702.html?tag=nefd.lede
EMPLOYER HAD DUTY TO STOP WORKER’S PORN SURFING (ABA Journal, 6 Jan 2005) -- When an employer has actual or imputed knowledge that an employee is using a computer at work to “access pornography, possibly child pornography, [the company] has a duty to investigate … and to take prompt and effective action to stop the unauthorized activity,” a New Jersey appellate court has ruled. Doe v. XYC Corp., No. A-2909-04T2 (Dec. 27). The ruling by the Superior Court of New Jersey, Appellate Division, involved a man who later admitted he uploaded nude photographs of his stepdaughter to a child pornography Web site. But as distasteful as the crime is, several employment law experts find the decision unpalatable as well. “I think the decision is awful,” says Charles A. Sullivan, an employment law professor at Seton Hall University in Newark, N.J. “It imposes a big duty on employers, and it’s a huge infringement on employees’ privacy rights.” “It’s a horrible opinion,” concurs Laurie Leader, a professor of clinical practice at Chicago-Kent College of Law who specializes in labor and employment law. “I think this court is out on a limb. It’s almost imposing some kind of strict liability on employers.” But the plaintiff’s attorney, Kevin Kovacs of Bedminster, N.J., defends the court’s opinion as “an important decision and a good decision for potential victims of child pornography.” “The defendant argued that my position turns employers into police departments. But it doesn’t,” Kovacs says. “We never argued that there should be full-out monitoring of employees’ Internet activities. We argued that in limited circumstances, where the company has information, it has to investigate, and when there’s child pornography, it has to report it because there’s potential harm employees can do to third parties.” http://www.abanet.org/journal/ereport/j6porn.html
-- and --
YOU COULD BE LIABLE FOR YOUR EMPLOYEE’S PORN ADDICTION (Steptoe & Johnson’s E-Commerce Law Week, 7 Jan 2006) -- Employers’ monitoring of their employees’ online activity is nothing new. And neither is reprimanding an employee for visiting pornography websites at the office. But thanks to a recent court decision, employers may now have a legal obligation to halt such activity by employees, or they could be liable if that activity “result[s] in harm to innocent third parties.” On December 27, in Doe v. XYC Corp., the Superior Court of New Jersey, Appellate Division, ruled that “an employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee’s activities and to take prompt and effective action to stop the unauthorized activity.” The court held that no privacy interest of the employee stood in the way of this duty. Although the ruling has serious implications for any company that offers Internet service in the workplace, it may be of special interest to Internet service providers -- who already have their own child pornography notification obligations under 42 U.S.C. § 13032, and who may come across illegal activity not only on the part of their employees but also on the part of their subscribers. And the court’s reasoning could extend beyond pornography to any illegal or harmful conduct engaged in by employees from their work computers. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11542&siteId=547
MICROSOFT SHUTS DOWN BLOG IN CHINA (CNN, 6 Jan 2006) -- Microsoft Corp. has shut down the Internet journal of a Chinese blogger that discussed politically sensitive issues, including a recent strike at a Beijing newspaper. The action came amid criticism by free-speech activists of foreign technology companies that help the communist government enforce censorship or silence dissent in order to be allowed into China’s market. Microsoft’s Web log-hosting service shut down the blog at the Chinese government’s request, said Brooke Richardson, group product manager with Microsoft’s MSN online division at company headquarters in Redmond, Wash. Although Beijing has supported Internet use for education and business, it fiercely polices content. Filters block objectionable foreign Web sites and regulations ban subversive and pornographic content and require service providers to enforce censorship rules. “When we operate in markets around the world, we have to ensure that our service complies with global laws as well as local laws and norms,” Richardson said. Richardson said the blog was shut down December 30 or December 31 for violating Microsoft’s code of conduct, which states that users must be in compliance with local laws in the country in which the user is based. http://www.cnn.com/2006/WORLD/asiapcf/01/06/china.blog.shutdown.ap/index.html
-- but --
CHINESE BAN ON WIKIPEDIA PREVENTS RESEARCH, USERS SAY (GlobeAndMail.com, 10 Jan 2006) -- Chinese students and intellectuals are expressing outrage at Beijing’s decision to prohibit access to Wikipedia, the fast-growing on-line encyclopedia that has become a basic resource for many in China. Wikipedia, which offers more than 2.2 million articles in 100 languages, has emerged as an important source of scholarly knowledge in China and many other countries. But its stubborn neutrality and independence on political issues such as Tibet and Taiwan has repeatedly drawn the wrath of the Communist authorities. The latest blocking of the website, the third shutdown of the site in China in the past two years, has now continued for more than 10 weeks without any explanation and without any indication whether the ban is temporary or permanent. http://www.theglobeandmail.com/servlet/story/RTGAM.20060110.gtwikipedia10/BNStory/Technology/
-- and --
INTERNET COMPANIES ‘MUST RESPECT FREE SPEECH’ (ZDnet, 10 Jan 2006) -- Reporters without Borders has called on companies such as Microsoft and Yahoo to respect human rights, even if the countries they are operating in don’t. IT companies operating in countries with repressive regimes should face tighter regulation when it comes to supporting freedom of speech, according to a leading anti-censorship organisation. Press freedom group Reporters without Borders issued a report late last week calling on the US government and US regulators to help develop a voluntary code of conduct for IT companies operating in countries such as China, Tunisia and Burma. One recommendation made by the group is that US companies should be prevented from hosting email servers in countries with repressive regimes. This would ensure that any requests for information from the authorities of a repressive regime would have to pass through the US judicial system, the group claims. http://news.zdnet.co.uk/business/0,39020645,39246544,00.htm
QWEST THREATENS USERS WITH $5-PER-SPAM CHARGE (TechWorld, 9 Jan 2006) -- Qwest has added a new clause in its ISP contract that threatens to charge customers $5 for every spam message sent by their computer - even if they are not aware of it. The addition to a subscriber agreement [pdf] has been noticed and blown up on a Net discussion by consumer and small business users of its High Speed Internet service. The contentious paragraph in Qwest’s Acceptable Use Policy threatens to levy a $5 charge for every spam sent from a PC if this results in damages being awarded against Qwest itself. This is regardless of whether the owner of the PC was aware that their PC was sending spam, as would be the unfortunate case if it had been hijacked by a Trojan to act as a spam relay. The main provision of the agreement forbids the sending of unsolicited e-mail, as is normal in such ISP agreements. However, it goes an important step further in its wording. “You will pay Qwest’s actual damages in any way arising from, or related to, any spam transmitted by, or in any way connected to, you, to the extent that such damages can be calculated,” the document states. “If actual damages cannot be calculated reasonably, you agree to pay Qwest liquidated damages of five US dollars ($5.00) for each piece of spam transmitted from or otherwise connected with your account.” Users are believed to have been notified of the agreement in recent weeks, though they would need to delve into the 14-page agreement carefully to notice the addition. http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5116
CREATE AN E-ANNOYANCE, GO TO JAIL (CNET, 9 Jan 2006) -- It’s no joke. Last Thursday, President Bush signed into law a prohibition on posting annoying Web messages or sending annoying e-mail messages without disclosing your true identity. In other words, it’s OK to flame someone on a mailing list or in a blog as long as you do it under your real name. Thank Congress for small favors, I guess. This prohibition, which would likely imperil much of Usenet, is buried in the so-called Violence Against Women and Department of Justice Reauthorization Act. Criminal penalties include stiff fines and two years in prison. “The use of the word ‘annoy’ is particularly problematic,” says Marv Johnson, legislative counsel for the American Civil Liberties Union. “What’s annoying to one person may not be annoying to someone else.” Buried deep in the new law is Sec. 113, an innocuously titled bit called “Preventing Cyberstalking.” It rewrites existing telephone harassment law to prohibit anyone from using the Internet “without disclosing his identity and with intent to annoy.” http://news.com.com/Create+an+e-annoyance,+go+to+jail/2010-1028_3-6022491.html?part=rss&tag=6022491&subj=news
LEVI’S OFFERS iPOD JEANS (Macworld, 10 Jan 2006) -- Is that a joystick in your pocket? Why, yes it is. Levi’s announced its new line of RedWire DLX Jeans, available worldwide in fall 2006. The jeans feature a built-in iPod docking cradle, joystick and retractable headphones. Designed for both men and women, the jeans are designed to be compatible with most iPod systems. A special joystick is built into the jeans’ watch pocket, with four-way controls to allow the wearer to play, pause, track forward, track back and adjust the volume control without ever removing the iPod from the pocket. http://www.macworld.com/news/2006/01/10/ipodlevis/index.php?lsrc=mwrss [Editor: Sorry; couldn’t resist.]
NEW YORK CITY STARTS TO MONITOR DIABETICS (Washington Post, 11 Jan 2006) -- New York City is starting to monitor the blood sugar levels of its diabetic residents, marking the first time any government in the United States has begun tracking people with a chronic disease. Under the program, the city is requiring laboratories to report the results of blood sugar tests directly to the health department, which will use the data to study the disease and to prod doctors and patients when levels run too high. The unprecedented step is being hailed by many health experts as a bold attempt to improve care for diabetes, one of the nation’s biggest medical problems, which is burgeoning into a crisis because of the aging population and the obesity epidemic. Some public health experts, ethicists and privacy advocates, however, say that the initiative raises serious concerns about confidentiality and is an alarming government intrusion into people’s medical care. Both sides agree that the decision is probably a harbinger of a trend in which the government will apply tactics traditionally reserved primarily for infectious diseases to chronic conditions such as diabetes, heart disease, asthma and cancer, which have supplanted communicable illnesses as the most pressing public health concerns. http://www.washingtonpost.com/wp-dyn/content/article/2006/01/10/AR2006011001625.html [Editor: Has similarities with the DOJ’s subpoena of Google’s search records (reported on 20 Jan 2006). Maybe my legal instincts are off, but this continues a troubling trend of government using private industry as a proxy for collecting sensitive personal information.]
AMERICAN COMPANIES SHOW AN EDGE IN PUTTING INFORMATION TO WORK (New York Times, 12 Jan 2006) -- Productivity just keeps humming along. Growth in output per hour in the third quarter of 2005 was a striking 5.4 percent. In fact, output per hour has grown at an average annual rate of nearly 3.5 percent over the last three years. These are large numbers by historical terms. From 1974 to 1995, productivity grew at around 1.4 percent a year. Productivity growth in the United States accelerated to about 2.5 percent a year from 1995 to 2000. Since then, productivity has grown at a bit over 3 percent a year, with the last few years looking particularly strong. Unlike the United States, European countries have not seen the same surge in productivity growth in the last 10 years. Why the difference? The answer, according to Nick Bloom, Raffaella Sadun and John Van Reenen, researchers at the Center for Economic Performance at the London School of Economics, is that American companies make much more effective use of information technology than European companies. (A selection of their studies can be downloaded from http://cep.lse.ac.uk/research/innovation/ict.asp.) Nowadays, most economists agree that information technology is a significant part of the explanation for the post-1995 productivity surge in the United States. In fact, when you look at productivity statistics by industry, those industries that make and use information and communications technologies intensively in the United States have accounted for the bulk of the productivity growth, with other industries showing little change. The story is quite different in the European Union. In the late 1990’s, when productivity growth in the United States was accelerating, productivity growth in Europe was static. But Europe has access to the same information technology that the United States does, at more or less the same prices. Why didn’t those countries get the same increase in productivity? 
http://www.nytimes.com/2006/01/12/business/12scene.html?ex=1294722000&en=7c3cfa4784251f7b&ei=5090&partner=rssuserland&emc=rss
CREDIT CARD RIVALS TO UNITE IN DATA PROTECTION EFFORT (New York Times, 12 Jan 2006) -- Two longtime rivals in the credit card business are working together to create a private group that would set new industrywide security standards as early as the middle of this year, a MasterCard executive said yesterday. Security officials from Visa USA and MasterCard International began quietly meeting early last year to discuss the best way to improve data security. But the high-profile disclosure of a security breach at CardSystems Solutions, a tiny payment processor that left 40 million cardholder accounts exposed to fraud, has given the effort a new push. Visa and MasterCard executives have separately proposed the idea of an independent standard-setting body that can certify that member banks and merchants have met certain guidelines and standards. “We have had preliminary conversations, and it would be a good idea to have these P.C.I. standards in an open standards body,” said Chris Thom, Mastercard’s chief risk officer, referring to the payment card industry rules. “There is no reason that this shouldn’t be done.” At a Visa-sponsored security conference in October, the company’s chief executive, John Philip Coghlan, publicly floated a similar idea. Still, the extent of the proposed agency’s enforcement power, if any, is unclear, as is the potential makeup of the group’s representatives. And it is also too early to determine how the new security standards would differ from the payment card industry’s existing ones, which outline a common set of rules with slight differences among the card companies. Although Discover Financial and American Express do not appear to be participating in the discussions, Visa and MasterCard, whose cardholders are responsible for roughly 80 percent of all credit and debit transactions, may have the power to bring a new standard-setting body into being. 
http://www.nytimes.com/2006/01/12/business/12cards.html?ex=1294722000&en=6a33fed927e253db&ei=5090&partner=rssuserland&emc=rss
APPLE’S ITUNES UNDER FIRE FOR PRIVACY ISSUES (NewsFactor, 13 Jan 2006) -- Apple Computer has come under fire because the new version of its iTunes music software is able to monitor listening habits. The iTunes software update, which was issued on January 10, incorporates a feature that recommends songs according to the tracks you play. Critics say that Apple needs to be more transparent about user data that is being collected, especially because the iTunes song recommendations use unique identifiers for a computer and an iTunes account. In Internet postings, bloggers are warning about the data that iTunes passes back to Apple, particularly the data being transmitted to Apple that enables it to make song recommendations and uniquely identify a computer and an iTunes account. http://news.yahoo.com/s/nf/20060113/bs_nf/40917
WIKI OFFERS ANONYMOUS BLOGGING TIPS (TechWeb, 13 Jan 2006) -- A new collaborative Web site offers tips on blogging more anonymously for people who live in countries that restrict free speech -- or for those who want to write freely about their companies without the risk of getting fired. The wiki, launched this week, is called anoniblog (http://anoniblog.pbwiki.com). The site offers no guarantees of complete anonymity but bills itself as a starting point. Users, like those who visit Wikipedia, are encouraged to add and edit guidelines. It warns that bloggers can’t be completely safe, but it offers information about risks in each country and tips for minimizing risks. http://news.yahoo.com/s/cmp/20060113/tc_cmp/175804123
NSA AND BUSH’S ILLEGAL EAVESDROPPING (essay by Bruce Schneier, 15 Jan 2006) -- When President Bush directed the National Security Agency to secretly eavesdrop on American citizens, he transferred an authority previously under the purview of the Justice Department to the Defense Department and bypassed the very laws put in place to protect Americans against widespread government eavesdropping. The reason may have been to tap the NSA’s capability for data-mining and widespread surveillance. Illegal wiretapping of Americans is nothing new. In the 1950s and ‘60s, in a program called “Project Shamrock,” the NSA intercepted every single telegram coming into or going out of the United States. It conducted eavesdropping without a warrant on behalf of the CIA and other agencies. Much of this became public during the 1975 Church Committee hearings and resulted in the now famous Foreign Intelligence Surveillance Act (FISA) of 1978. The purpose of this law was to protect the American people by regulating government eavesdropping. Like many laws limiting the power of government, it relies on checks and balances: one branch of the government watching the other. The law established a secret court, the Foreign Intelligence Surveillance Court (FISC), and empowered it to approve national-security-related eavesdropping warrants. The Justice Department can request FISA warrants to monitor foreign communications as well as communications by American citizens, provided that they meet certain minimal criteria. The FISC issued about 500 FISA warrants per year from 1979 through 1995, and has slowly increased subsequently -- 1,758 were issued in 2004. The process is designed for speed and even has provisions where the Justice Department can wiretap first and ask for permission later. In all that time, only four warrant requests were ever rejected: all in 2003. (We don’t know any details, of course, as the court proceedings are secret.) 
The NSA’s ability to eavesdrop on communications is exemplified by a technological capability called Echelon. Echelon is the world’s largest information “vacuum cleaner,” sucking up a staggering amount of voice, fax, and data communications -- satellite, microwave, fiber-optic, cellular and everything else -- from all over the world: an estimated 3 billion communications per day. These communications are then processed through sophisticated data-mining technologies, which look for simple phrases like “assassinate the president” as well as more complicated communications patterns. Supposedly Echelon only covers communications outside of the United States. Although there is no evidence that the Bush administration has employed Echelon to monitor communications to and from the U.S., this surveillance capability is probably exactly what the president wanted and may explain why the administration sought to bypass the FISA process of acquiring a warrant for searches. Perhaps the NSA just didn’t have any experience submitting FISA warrants, so Bush unilaterally waived that requirement. And perhaps Bush thought FISA was a hindrance -- in 2002 there was a widespread but false belief that the FISC got in the way of the investigation of Zacarias Moussaoui (the presumed “20th hijacker”) -- and bypassed the court for that reason. Most likely, Bush wanted a whole new surveillance paradigm. You can think of the FBI’s capabilities as “retail surveillance”: It eavesdrops on a particular person or phone. The NSA, on the other hand, conducts “wholesale surveillance.” It, or more exactly its computers, listens to everything. An example might be to feed the computers every voice, fax, and e-mail communication looking for the name “Ayman al-Zawahiri.” This type of surveillance is more along the lines of Project Shamrock, and not legal under FISA.
As Sen. Jay Rockefeller wrote in a secret memo after being briefed on the program, it raises “profound oversight issues.” It is also unclear whether Echelon-style eavesdropping would prevent terrorist attacks. In the months before 9/11, Echelon noticed considerable “chatter”: bits of conversation suggesting some sort of imminent attack. But because much of the planning for 9/11 occurred face-to-face, analysts were unable to learn details. The fundamental issue here is security, but it’s not the security most people think of. James Madison famously said: “If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary.” Terrorism is a serious risk to our nation, but an even greater threat is the centralization of American political power in the hands of any single branch of the government. [Editor: There’s more, and it’s worth reading.] http://www.schneier.com/crypto-gram-0601.html#12
HEY, BABY BELLS: INFORMATION STILL WANTS TO BE FREE (New York Times, 15 Jan 2006) – At the top of my wish list for next year’s Consumer Electronics Show is this: the introduction of broadband service across the country that is as up to date as that 103-inch flat-screen monitor just introduced by Panasonic. The digital lifestyle I see portrayed so alluringly in ads is not possible when the Internet plumbing in our homes is as pitiful as it is. The broadband carriers that we have today provide service that attains negative perfection: low speeds at high prices. It gets worse. Now these same carriers - led by Verizon Communications and BellSouth - want to create entirely new categories of fees that risk destroying the anyone-can-publish culture of the Internet. And they are lobbying for legislative protection of their meddling with the Internet content that runs through their pipes. These are not good ideas. Slow broadband seems to be our cursed lot. Until we get an upgrade - or rather an upgrade to an upgrade - the only Americans who will enjoy truly fast and inexpensive service will be those who leave the country. In California, Comcast cable broadband provides top download speeds of 6 megabits a second for a little more than $50 a month. That falls well short, however, of Verizon’s 15-megabit fiber-based service offered on the East Coast at about the same price. But what about the 100-megabit service in Japan for $25 a month? And better, much better: Stockholm’s one-gigabit service - that is, 1,000 megabits, or more than 1,300 times faster than Verizon’s entry-level DSL service - for less than 100 euros, or $120, a month. One-gigabit service is not in the offing in the United States. What the network carriers seem most determined to sell is a premium form of Internet service that offers a tantalizing prospect of faster, more reliable delivery - but only if providers like Google, Yahoo and Microsoft pay a new charge for special delivery of their content. 
(That charge, by the way, would be in addition to the regular bandwidth-based Internet connection charges that their carriers already levy.) An executive vice president of Verizon, for example, said last week that the proliferation of video programs offered via the Internet opens a new opportunity for his company: a new class of premium online delivery for Web sites wishing to pay extra to give smooth video streams to their customers in the Verizon service area. The executive, Thomas J. Tauke, said that a fast lane for premium content providers would not reduce the quality of regular service for everyone else, and that sites could choose not to sign up without suffering retribution. “To the best of my knowledge,” he said, “there’s no negative.” From the consumer’s perspective, given the dismal state of the status quo, shouldn’t any service improvement be welcomed? The short answer is: not necessarily. http://www.nytimes.com/2006/01/15/business/yourmoney/15digi.html?ex=1294981200&en=7e187115d2191158&ei=5090&partner=rssuserland&emc=rss
FEDS AFTER GOOGLE DATA (SiliconValley.com, 19 Jan 2006) -- The Bush administration on Wednesday asked a federal judge to order Google to turn over a broad range of material from its closely guarded databases. The move is part of a government effort to revive an Internet child protection law struck down two years ago by the U.S. Supreme Court. The law was meant to punish online pornography sites that make their content accessible to minors. The government contends it needs the Google data to determine how often pornography shows up in online searches. In court papers filed in U.S. District Court in San Jose, Justice Department lawyers revealed that Google has refused to comply with a subpoena issued last year for the records, which include a request for 1 million random Web addresses and records of all Google searches from any one-week period. The Mountain View-based search and advertising giant opposes releasing the information on a variety of grounds, saying it would violate the privacy rights of its users and reveal company trade secrets, according to court documents. Nicole Wong, an associate general counsel for Google, said the company will fight the government’s effort “vigorously.” “Google is not a party to this lawsuit, and the demand for the information is overreaching,” Wong said. The case worries privacy advocates, given the vast amount of information Google and other search engines know about their users. http://www.siliconvalley.com/mld/siliconvalley/13657386.htm
Good New York Times story at: http://www.nytimes.com/2006/01/20/technology/20google.html?ex=1295413200&en=66c6a0f87da7e56d&ei=5090&partner=rssuserland&emc=rss
DOJ application at: http://www.siliconvalley.com/multimedia/mercurynews/news/GoogleMcElvain.pdf
**** RESOURCES ****
A CHRONOLOGY OF DATA BREACHES REPORTED SINCE THE CHOICEPOINT INCIDENT (Privacy Rights Clearinghouse, 17 Jan 2006). http://www.privacyrights.org/ar/ChronDataBreaches.htm
ANTI-SPYWARE STRATEGIES, PART 1: CLEAN OUT YOUR SYSTEM (Information Week, 6 Jan 2006) – [Reasonably straightforward 5-step process for finding and removing various kinds of spyware on your PC. Alternative approach: use a Macintosh.] http://www.informationweek.com/shared/printableArticle.jhtml?articleID=175802722
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, firstname.lastname@example.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com.
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.