Sunday, February 12, 2006

MIRLN -- Misc. IT Related Legal News [22 January – 12 February 2006; v9.02]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of KnowConnect, Inc. (www.knowconnect.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

**** PROGRAM ANNOUNCEMENTS ****
ABA Cyberspace Law Committee spring meeting (April 6-9, 2006, in Tampa, Florida). Details at http://www.abanet.org/buslaw/2006spring/index.html; Cyberspace committee activities will be blogged at http://aba-cyberspace.blogspot.com/

NEW OPEN-SOURCE LICENSE DRAFT LESS CONTROVERSIAL THAN FEARED FOR BUSINESS (Information Week, 16 Jan 2006) -- The first draft of the General Public License 3 is less controversial and more pro-business than expected, observers say. Unveiled at a conference at Massachusetts Institute of Technology on Monday, the Free Software Foundation’s much anticipated GPL3 extends license compatibility to other open source licenses, prevents commercial firms from imposing unfair patent restrictions on open source software and contains provisions to remove loopholes that could enable commercial vendors to hijack the GPL for its own purposes. Yet the GPL 3 falls far short of the draconian treatise some had feared, observers said. As proposed, the document will not force Google or eBay to distribute source code along with binary source code, as rumored, or undermine commercial vendors with large patent portfolios such as Linux-proponent IBM, observers said. “It will be less controversial than some thought. It’s measured,” said Ciaran O’Riordan, the Brussels representative of the Free Software Foundation Europe. “The new patent protection and DRM clause is quite reasonable.” Slated to be finished sometime in 2007, version 3 will be the first significant revision of the general public license in 14 years. GPL 2, which debuted in 1991, governs open source software development and is used by leading projects such as Linux, Samba, and MySQL. The GPL 3’s terms announced on Monday are part of the first draft and are subject to change. Nevertheless, Richard Stallman, founder and president of the Free Software Foundation, said the intent is to ensure users and developers with continued rights to use, copy, modify and share open source code, while also not imposing “harsh” restrictions that interrupt commercial use.
GPL3 also includes a narrow kind of patent “retaliation” that would prohibit a situation in which a company modifies a version of a GPL-covered program, gets a patent and then threatens to take legal action against anyone else that makes such a modified version. Version 3 states that any company attempting such control would lose its right to make any further modifications under the GPL and thus its commercial viability. http://www.informationweek.com/story/showArticle.jhtml?articleID=177100643&cid=RSSfeed_IWK_news

FILLING IN GAPS IN INTERNET COVERAGE -- ENHANCED POLICIES OFFER PROTECTION NOT FOUND IN STANDARD FORMS (Business Insurance, 16 Jan 2006) -- The increasing reliance on the Internet exposes many businesses to risks not previously associated with their traditional risk profiles, including computer hacking, liability for trademark and copyright infringement, defamation and privacy claims. Unfortunately, traditional insurance forms such as property and commercial general liability and standard technology errors and omissions insurance policies do not cover many of the risks associated with cyberspace. The following is a brief summary of how some of these insurance policies do - and do not - respond to such risks:
• Property policies cover only tangible property and not data. Additionally, property policies tend to focus on the perils that are typically involved in losses to tangible property, such as fire, explosion and wind. Business interruption insurance that is sold as part of such property policies tends to define property and perils similarly. While the form may cover the loss of income when a business sustains a fire loss, it will not cover the loss of electronic revenues due to a distributed denial of service.
• Standard crime forms safeguard only against losses resulting from fraud related to or the theft of money, securities or other tangible property. Computer fraud and information theft that results in damage or deleted information assets are deemed intangible and, therefore, are not covered.
• Commercial general liability policies cover claims for physical injury to tangible property, including the loss of the use of such property. They also cover claims for the loss of the use of tangible property that has not been physically damaged. CGL policies do not cover property damage to or the loss of the use of intangible property, nor do they cover the loss of the use of tangible property that has not been physically injured when the loss of the use arises out of a defect, deficiency, inadequacy or dangerous condition in the insured’s product. Additionally, while the standard CGL policy includes coverage for personal and advertising injury, coverage does not apply if the insured is in the business of advertising, broadcasting, publishing, telecasting, telemarketing, etc. Any information on a Web site, including banner ads, can create legal third-party exposure to alleged libel, slander or defamation, copyright, title or trademark infringement or invasion of privacy.
Most standard technology errors and omissions forms provide coverage for property damage to or the loss of use of intangible property and the loss of use of tangible property that has not been physically damaged when the loss of use arises out of a defect, deficiency, inadequacy or dangerous condition in an insured’s product. However, E&O forms typically exclude losses arising from breaches of security and/or failures to prevent unauthorized access. A breach of network security can result in claims from customers whose client information was stolen and denial of service claims from customers who could not access a site, as well as claims from anyone to whom a deadly computer virus was transmitted. With respect to the additional exposures created by the use of the Internet, a specialized sector of the insurance industry has developed enhanced forms to fill the gaps in the property, CGL and technology E&O forms. The forms are nonstandard in approach, yet most will offer some of the following components [more online] http://www.businessinsurance.com/cgi-bin/article.pl?articleId=18200&print=Y

THE iPOD TOOK MY SEAT (LA Times, 17 Jan 2006) -- Americ Azevedo taught an “Introduction to Computers” class at UC Berkeley last semester that featured some of the hottest options in educational technology. By visiting the course’s websites, the 200 enrolled students could download audio recordings or watch digital videos of the lectures, as well as read the instructor’s detailed lecture notes and participate in online discussions. But there was one big problem: So many of the undergraduates relied on the technology that, at times, only 20 or so actually showed up for class. Skipping classes, particularly big lectures where an absence is likely to go undetected, is a time-honored tradition among college undergraduates who party too late or swap notes with friends. These days, however, some professors are witnessing a spurt in absenteeism as an unintended consequence of adopting technologies that were envisioned as learning aids. Already, even as many academics embrace the electronic innovations, others are pushing back. To deter no-shows, they are reverting to lower-tech tactics such as giving more surprise quizzes or slashing their online offerings. “Too much online instruction is a bad thing,” said Terre Allen, a communication studies scholar and director of a center that provides teaching advice to professors at Cal State Long Beach. This last term, Allen experimented with posting extensive lecture notes online for her undergraduate course, “Language and Behavior.” One goal was to relieve students of the burden of furiously scribbling notes, freeing them to focus on the lectures’ substance. Yet the result, Allen said, was that only about one-third of her 154 students showed up for most of the lectures. In the past, when Allen put less material online, 60% to 70% of students typically would attend. http://www.latimes.com/technology/la-me-noshow17jan17,1,3883942.story

COMPUTER CRIME COSTS $67 BILLION, FBI SAYS (CNET, 19 Jan 2006) -- Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI. The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. http://news.com.com/2100-7349_3-6028946.html

YAHOO! WINS BY LOSING IN LATEST ROUND OF NAZI PARAPHERNALIA CASE (Steptoe & Johnson’s E-Commerce Law Week, 21 January 2006) -- Yahoo!’s long-running battle against a French court order requiring Yahoo! to restrict access to Nazi paraphernalia and propaganda in France has been marked by twists, turns, and tactical retreats on both sides for more than five years. At issue is how globally accessible Internet portals deal with content restrictions in foreign countries that would violate the First Amendment in the United States. This issue has been popping up a lot lately, particularly with regard to China and its effort to censor the speech of media outlets and dissidents, and is sure to remain a hot topic in 2006. But the Yahoo! case was the first to bring this issue to the fore, so its seeming dénouement may be instructive on the broader issue. On January 12, the Ninth Circuit, sitting en banc, narrowly decided that Yahoo!’s request for a declaratory judgment that the French court’s order violated the First Amendment should be dismissed. The court vote was 6-5, but the majority couldn’t agree on a single rationale: three judges believed dismissal was appropriate for lack of personal jurisdiction over the French defendants, while three others thought the case was not ripe for judicial review. Despite superficial appearances, this case is not really a loss for Yahoo! All it means is that conflicts over content restrictions are unlikely to be resolved by any neat legal solutions in the near future, but instead will be decided by a murky mix of business considerations and customer sentiment. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11583&siteId=547

EDITING TIPS FROM THE NSA (CNET, 25 Jan 2006) -- Hiding confidential information with black marks works on printed copy, but not with electronic documents, the National Security Agency has warned government officials. The agency makes the point in a guidance paper on editing documents for release, published last month following several embarrassing incidents in which sensitive data was unintentionally included in computer documents and exposed. The 13-page paper is called: “Redacting with confidence: How to safely publish sanitized reports converted from Word to PDF.” Instead of covering up digital text with black boxes, it is better to delete any information you don’t want to share, the NSA suggested. “The key concept for understanding the issues that lead to...inadvertent exposure is that information hidden or covered in a computer document can almost always be recovered,” the NSA wrote in the Information Assurance Division paper, dated Dec. 13 but only recently posted to the Web. “The way to avoid exposure is to ensure that sensitive information is not just visually hidden or made illegible, but is actually removed.” There are a number of pitfalls for people trying to amend a sensitive Word document for public release as a PDF. Covering text, charts, tables or diagrams with black rectangles, or highlighting text in black...is not effective, in general, for computer documents distributed across computer networks (i.e. in “softcopy” format). The most common mistake is covering text with black. Covering up parts of an image with separate graphics such as black rectangles, or making images “unreadable” by reducing their size, has also been used for redaction of hardcopy printed materials. It is generally not effective for computer documents distributed in softcopy form. In addition to the visible content of a document, most office tools, such as (Microsoft) Word, contain substantial hidden information about the document.
This information is often as sensitive as the original document, and its presence in downgraded or sanitized documents has historically led to compromise. The unintended disclosure of metadata, resulting in high-profile leaks of secrets, has led to red faces at businesses and government bodies in the past. In March 2004, a gaffe by the SCO Group revealed which companies it had considered targeting in its legal campaign against Linux users. More recently, pharmaceutical giant Merck was put in the hot seat because of changes made to a document regarding the painkiller Vioxx. There have also been document data leaks at the White House, the Pentagon, the United Nations and others, according to compiled research from Workshare, a maker of software that strips tell-tale hidden data out of files. http://news.com.com/2102-1029_3-6030745.html?tag=st.util.print; NSA guidance paper at http://www.nsa.gov/snac/vtechrep/I333-TR-015R-2005.PDF
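
[Added example, not part of the CNET article, the NSA paper or the original newsletter: a pre-release check for the pitfalls described above (text covered in black, hidden text, tracked deletions, author metadata). It assumes the later .docx (Office Open XML) container rather than the binary Word format of 2005; the function names and both sample documents are constructed for illustration.]

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace prefixes used by WordprocessingML and the package core properties.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
OFF = {"0", "false", "off"}  # values that switch an on/off property off


def audit_docx(data):
    """Return (kind, detail) findings for content that is hidden but not removed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        # For untrusted files, parse with a hardened XML parser instead.
        body = ET.fromstring(pkg.read("word/document.xml"))
        for run in body.iter(W + "r"):
            text = "".join(t.text or "" for t in run.iter(W + "t"))
            props = run.find(W + "rPr")
            if props is None or not text.strip():
                continue
            highlight = props.find(W + "highlight")
            shading = props.find(W + "shd")
            hidden = props.find(W + "vanish")
            covered = (
                (highlight is not None and highlight.get(W + "val", "").lower() == "black")
                or (shading is not None and shading.get(W + "fill", "").lower() == "000000")
            )
            if covered:  # looks like a black bar, but the text is still in the file
                findings.append(("covered-text", text))
            if hidden is not None and hidden.get(W + "val", "true").lower() not in OFF:
                findings.append(("hidden-text", text))
        # Tracked deletions keep the removed wording in the file.
        for deleted in body.iter(W + "delText"):
            if (deleted.text or "").strip():
                findings.append(("tracked-deletion", deleted.text))
        if "word/comments.xml" in names:
            findings.append(("comments", "word/comments.xml"))
        if "docProps/core.xml" in names:
            core = ET.fromstring(pkg.read("docProps/core.xml"))
            for tag, label in ((DC + "creator", "creator"),
                               (CP + "lastModifiedBy", "lastModifiedBy")):
                value = (core.findtext(tag) or "").strip()
                if value:
                    findings.append(("metadata", f"{label}={value}"))
    return findings


def build_docx(body_xml, core_xml=None):
    """Build a minimal in-memory package holding only the parts the audit reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", body_xml)
        if core_xml is not None:
            pkg.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


# Constructed sample: "redacted" only by appearance.
NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
LEAKY_BODY = (
    f"<w:document {NS}><w:body><w:p>"
    "<w:r><w:t>Report prepared for </w:t></w:r>"
    '<w:r><w:rPr><w:highlight w:val="black"/></w:rPr><w:t>SOURCE-ALPHA</w:t></w:r>'
    '<w:del w:id="1" w:author="Editor A"><w:r>'
    "<w:delText>draft figure 42</w:delText></w:r></w:del>"
    "<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r>"
    "</w:p></w:body></w:document>"
)
LEAKY_CORE = (
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
    'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
    "<dc:creator>J. Analyst</dc:creator>"
    "<cp:lastModifiedBy>Editor A</cp:lastModifiedBy></cp:coreProperties>"
)
# Constructed sample: sensitive text actually replaced, no metadata part.
CLEAN_BODY = (
    f"<w:document {NS}><w:body><w:p>"
    "<w:r><w:t>Report prepared for [REDACTED]</w:t></w:r>"
    "</w:p></w:body></w:document>"
)

if __name__ == "__main__":
    for kind, detail in audit_docx(build_docx(LEAKY_BODY, LEAKY_CORE)):
        print(f"{kind}: {detail}")
    print("clean findings:", audit_docx(build_docx(CLEAN_BODY)))
```
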

COURT RULES GOOGLE CACHE CONSTITUTES FAIR USE (BNA’s Internet Law News, 26 Jan 2006) -- A federal district court in Nevada has ruled that the Google Cache feature does not infringe U.S. copyright law. The ruling clarifies the legal status of several common search engine practices and could influence future court cases, including the lawsuits brought by book publishers against the Google Library Project. Case name is Field v. Google. Decision at http://www.eff.org/IP/blake_v_google/google_nevada_order.pdf

CHOICEPOINT TO PAY $15 MILLION FOR DATA BREACH (InfoWorld.com, 26 Jan 2006) -- ChoicePoint Inc., the data broker that set off a national debate after disclosing a data breach early in 2005, will pay US$15 million in fines and other penalties for lax security standards, the U.S. Federal Trade Commission (FTC) announced Thursday. ChoicePoint’s $10 million fine is the largest civil fine in the FTC’s history, the FTC said. Under a settlement with the FTC, the Georgia company will also set up a $5 million fund to aid victims of identity theft that resulted from the data breach, and the company has agreed to implement new security measures and have an independent auditor review its security every other year until 2026, said FTC Chairwoman Deborah Platt Majoras. http://www.infoworld.com/article/06/01/26/74829_HNchoicepointfine_1.html

THE CRUMBS YOU LEAVE BEHIND (New York Times, 28 Jan 2006) -- The Justice Department may not prevail in its effort to force Google to hand over its raw search data to help the government solve the mystery of how people find pornography on the Internet. But the issue has raised the surfing public’s awareness, and in the last couple of weeks, the idea has widely circulated that on the Internet, there really is no privacy. Even if the government does not find out what you do online, lots of other people may. But there are measures that Net users can take to protect themselves. Wired News (Wired.com) offers a FAQ, “How to Foil Search Engine Snoops,” that declares the first priority of the privacy-minded should be cookie management. Cookies are pieces of software that many Web sites load onto your computer. They are used to save passwords and other data, and can also be used to track where you go and what you do online. Unless you sign up for something on the site using your real name, it is unlikely that anyone would tie your Internet activity to your identity, but it is possible. “Those who want to avoid a permanent record should delete their cookies at least once a week” according to Wired News. “Other options might be to obliterate certain cookies when a browser is closed and avoid logging in to other services, such as Web mail, offered by a search engine.” As the article notes, however, eliminating cookies means you cannot save your preferences, and you have to log in every time you revisit the site. Search Engine Watch (searchenginewatch.com) offers a useful guide, “Protecting Your Search Privacy: A Flowchart to Tracks You Leave Behind,” that takes a comprehensive look at search privacy, from your computer to your Internet service provider to the search engine itself to third parties that traffic in search information. 
Also on Search Engine Watch: “Private Searches Versus Personally Identifiable Searches,” which explains that “there’s an important difference between private information and private information that can be actually linked to an individual with confidence.” http://www.nytimes.com/2006/01/28/technology/28online.ready.html?ex=1296104400&en=42f30f1982abc258&ei=5090&partner=rssuserland&emc=rss

WHO’S THE LEAD AGENCY FOR CYBERSECURITY? DHS? GUESS AGAIN. (Steptoe & Johnson’s E-Commerce Law Week, 28 Jan 2006) -- For three years, we’ve been waiting for the Department of Homeland Security (DHS) to give us a sense of how it plans to fulfill the cybersecurity responsibilities assigned to it by Congress and the President, including tasks such as promoting public awareness and outreach and improving public/private information sharing. But while DHS continues to dither and dawdle, the Federal Trade Commission (FTC) has quietly but effectively made itself into a cybersecurity powerhouse. The FTC’s enforcement actions against companies that it deems to have “inadequate” information security have begun to create a de facto standard for industry, which in turn is influencing legislation in Congress and in state capitals. On January 10, the FTC unveiled a new element in its cybersecurity campaign: a comprehensive website, dubbed “OnGuard Online,” that provides “practical tips” on how to “guard against Internet fraud, secure your computer, and protect your personal information.” This is a joint endeavor by the FTC with several other agencies and private sector entities. It’s not the substance of the site that we find noteworthy. Rather, it is the fact that, with this effort, the FTC has established itself as a key player in the cliché-ridden but still important realm of “public-private partnerships” and simultaneously as a focal point for interagency cybersecurity efforts. In Washington, DC, those two roles give the FTC a legitimate claim on a leadership role, and make it the player to watch in 2006. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11612&siteId=547

BLOG-AHOLICS (The Atlantic, Jan/Feb 2006) -- Most of us will admit to wasting some time at work. But three new studies suggest that more time is lost now than ever before. According to a survey by the magazine Advertising Age, a leading culprit is Weblogs. The survey indicates that one in four U.S. workers reads blogs regularly while at work, losing, on average, some nine percent of the workweek. This amounts to 551,000 years of labor lost in 2005 alone. If only the bloggers whose words seem so compelling were the ones sending us e-mail: 34 percent of workers surveyed by Information Mapping, Inc. reported wasting thirty to sixty minutes a day trying to interpret “ineffectively” written messages. A third study offers comfort—or at least a way to pass the buck for all the lost time. Having examined productivity in nine countries, it concludes that 37 percent of the time spent at work is wasted—but that poor management and inadequate supervision are largely to blame. http://www.theatlantic.com/doc/200601/primarysources/2

PATENT SPAT FORCES BUSINESSES TO UPGRADE OFFICE (CNET, 30 Jan 2006) -- Microsoft has begun e-mailing its corporate customers worldwide, letting them know that they may need to start using a different version of Office as a result of a recent legal setback. The software maker said Monday that it has been forced to issue new versions of Office 2003 and Office XP, which change the way Microsoft’s Access database interacts with its Excel spreadsheet. The move follows a verdict last year by a jury in Orange County, Calif., which found in favor of a patent claim by Guatemalan inventor Carlos Armando Amado. Microsoft was ordered to pay $8.9 million in damages for infringing Amado’s 1994 patent. That award covered sales of Office between March 1997 and July 2003. “It was recently decided in a court of law that certain portions of code found in Microsoft Office Professional Edition 2003, Microsoft Office Access 2003, Microsoft Office XP Professional and Microsoft Access 2002 infringe a third-party patent,” Microsoft said in an e-mail to customers. “As a result, Microsoft must make available a revised version of these products with the allegedly infringing code replaced.” Although existing customers can keep using older versions on current machines, any new installations of Office 2003 will require Service Pack 2, released by Microsoft in September. Office XP will need to be put into use with a special patch applied. Microsoft is also recommending that customers update their existing software with the new code. http://news.com.com/Patent+spat+forces+businesses+to+upgrade+Office/2100-1014_3-6032870.html?tag=nefd.lede

UK: ICO PUBLISHES GOOD PRACTICE NOTE ON EMPLOYMENT REFERENCES (Hunton & Williams’ Privacy & E-Commerce Alert, 31 Jan 2006) -- In early January, the Information Commissioner’s Office released a guide including good practice recommendations to help employers understand how the Data Protection Act applies to employee references. In particular, it clarifies when employment references should and should not be released. For further information, please consult: http://www.ico.gov.uk/cms/DocumentUploads/Subject_access_and_employment_references.pdf

GROUP SUES AT&T OVER ALLEGED SURVEILLANCE (AP, 31 Jan 2006) -- A civil liberties group sued AT&T Inc. on Tuesday for its alleged role in helping the National Security Agency spy on the phone calls and other communications of U.S. citizens without warrants. The class-action lawsuit, filed in U.S. District Court in San Francisco by the Electronic Frontier Foundation, seeks to stop the surveillance program that started shortly after the 2001 terrorist attacks. It also seeks billions of dollars in damages. The EFF claims the San Antonio-based telecommunications company not only provided direct access to its network that carries voice and data but also to its massive databases of stored telephone and Internet records that are updated constantly. President Bush has acknowledged authorizing the super-secret NSA to eavesdrop on international phone calls and e-mails of people within U.S. borders without the approval of a court, as required by existing surveillance and wiretapping laws. The White House has vigorously defended the program, saying the president acted legally under the constitution and a post-Sept. 11 congressional resolution that granted him broad power to fight terrorism. Democrats and civil libertarians disagree with the program’s defenders, and it has already resulted in lawsuits against the federal government and plans for congressional hearings. In its lawsuit, the EFF claims AT&T violated U.S. law and the privacy of its customers as part of the “massive and illegal program to wiretap and data-mine Americans’ communications.” The group said it identified AT&T through news reports and its own investigation. Michael Balmoris, an AT&T spokesman, said the company does not comment on matters of national security or on pending litigation. http://news.yahoo.com/s/ap/20060201/ap_on_hi_te/domestic_spying_lawsuit

DHS WANTS TO IMPROVE SOFTWARE SECURITY (FCW.com, 1 Feb 2006) -- The Homeland Security Department wants public comment on two draft documents that are part of a federal program to improve software security, according to today’s Federal Register. The documents are part of the Software Assurance Program that DHS created as part of the National Strategy to Secure Cyberspace. The program is designed to reduce vulnerabilities and exploitation of weaknesses to improve software security, particularly in software that critical infrastructure uses. One document, “Security in the Software Lifecycle,” aims to help developers and project managers of software applications establish strategies to make sure new software products are more secure. The second, “Secure Software Assurance – Common Body of Knowledge,” would help colleges and the private sector create curricula to train people in software assurance. Comments on the two documents are due by Feb. 21. http://www.fcw.com/article92172-02-01-06-Web

IRS COMPUTERS CAN’T HANDLE GATES’ TAXES (Forbes.com, 2 Feb 2006) -- The annual headache of doing our taxes is one that fills most citizens with customary, chronic foreboding. But if the idea of endless form-filling and number crunching seems bad, spare a thought for the poor souls at the Internal Revenue Service. America’s principal bean counters must regularly face the gargantuan monstrosity that is Bill Gates’ tax return, an undertaking of such magnanimously complex proportions that the agency has had to keep the information of the billionaire’s vast fortune on a “special computer.” The perpetrator himself, Microsoft co-founder and Chairman Gates revealed all at a conference in Lisbon: “Their normal computers can’t deal with the numbers,” he said of the hapless taxmen. “So I am constantly getting these notices telling me I haven’t paid something, when really it is just on the wrong computer.” Gates explained the glitch is then followed by a charade of correspondence: “Then they will send me another notice telling me how bad they feel, that they sent me a notice that was a mistake.” According to an IRS spokesman, the agency’s main computers do not use the Windows operating system. http://www.forbes.com/facesinthenews/2006/02/02/gates-irs-microsoft-cx_po_0202autofacescan03.html?partner=rss

COMPUTER BUSINESS RECORDS WITHOUT FOUNDATION? (ABA Cyberspace Committee blog, 3 Feb 2006) -- A recent decision out of the 9th Circuit (sitting as the U.S. Bankruptcy Appellate Panel) should be of interest to Cyberspace lawyers. While all of us are familiar with the usual litany of how to get business records admitted under the relevant exception to the hearsay rule, many of us have long wondered if there was too much of a leap of faith in the process where the records were computerized. Well, the naysayers finally have a case to lean on. In In re Vinhnee, (2005 WL 3609376) the district court had refused to admit evidence proffered by a credit card company regarding the debtor’s credit card transactions. The refusal was on the ground of defective evidentiary foundation. The trial court suggested that determining the authenticity of proffered electronic records “necessitated, in addition to the basic foundation for a business record, an additional authentication foundation regarding the computer and software utilized in order to assure the continuing accuracy of the records.” Even after the proponent was given a second bite at the apple (by being allowed to file a post-trial declaration to lay sufficient foundation), the court found the witness statements to be overly conclusory and the witnesses themselves to be of unproven qualifications. On that basis, the evidence was not admitted, the proponent lost its case because of the evidence issue, and the appeal ensued. The appeal affirmed the decision (notably on an abuse of discretion standard, which the court said might allow for a “trial court that is finicky about settled authentication requirements [to be] sustained...”). The court noted some scholarship on point, equating computer evidence to be a form of scientific evidence, and suggested that the problem is more complex than it seems. “The ‘built-in safeguards to ensure accuracy and identify errors’ ... subsume details regarding computer policy and system control procedures, including control of access to the database, control of access to the program, recording and logging of changes, backup practices, and audit procedures to assure the continuing integrity of the records.” In this instance, the best the proponent of the evidence could come up with (even after being allowed to go home and do its homework!) was to list off the brand of computers and software the business used, and restate a conclusory opinion that the system was reliable. The trial court determined that this did not meet its requirements for foundation, and the evidence was tossed. http://aba-cyberspace.blogspot.com/2006/02/computer-business-records-without.html

NIST ISSUES GUIDELINES FOR DATA REMOVAL (Government Computer News, 6 Feb 2006) -- Wonder no longer about how to remove sensitive data from the hard drives and optical disks you are about to toss. The National Institute of Standards and Technology has issued a set of draft guidelines on how to safely remove information from obsolete forms of storage. Matthew Scholl, Richard Kissel, Steven Skolochenko and Xing Li of the NIST Information Technology Laboratory authored Special Publication 800-88, “Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology,” which was sponsored by the Homeland Security Department. “When storage media are transferred, become obsolete or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical or electrical representation of data that has been deleted is not easily recoverable,” the guidelines stated. Although the publication summarizes the ways to remove data, it emphasizes that a proper disposal methodology should not be based on the type of storage being disposed, but rather on the confidentiality of the material the medium contains. http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=38206 NIST Guidelines at http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf

SENATORS CAUGHT REWRITING WIKIPEDIA (NewsFactor.com, 9 Feb 2006) -- Online reference compendium Wikipedia has found that employees working in the U.S. Congress have made several changes to political biographies, removing facts considered negative and tweaking language to portray politicians in a better light. Wikipedia began an investigation after a Democratic representative, Marty Meehan, admitted that he had spiffed up his online biography page. It was found that articles on other senators had been changed, sometimes significantly, and that the edits could be traced to computers on Capitol Hill. Although Wikipedia is a collectively run reference, and can be edited by any of its users, those who run the site attempt to police changes to make sure they adhere to fact and not opinion or prejudice. In its investigation, Wikipedia examined the public edit history on the political biography pages in question. Researchers discovered the links to the U.S. Senate and began checking the biographies that had been visited. Half a dozen pages were changed, according to Wikipedia, including those of California Senator Dianne Feinstein, Iowa Senator Tom Harkin, and Minnesota Senator Norm Coleman. Senator Coleman’s staff confirmed the changes, noting that they had made several changes, such as a description of the senator in college. Where he had once been described as a “liberal,” the staff edited the listing to dub him an “activist.” Staff members of Senator Harkin removed a paragraph noting that Harkin had claimed falsely to have been in combat in North Vietnam, a claim he later recanted. http://news.yahoo.com/s/nf/20060209/bs_nf/41526

‘CSI EFFECT’ ON CROOKS SEEN BY PROSECUTORS (National Law Journal, 9 Feb 2006) -- District attorneys across the nation are grumbling about a new kind of “CSI effect” that makes their jobs tougher. Not only are juries requiring more sophisticated scientific evidence linking defendants to crimes, but suspects have learned how to destroy that evidence by watching the CBS “crime scene investigation” TV shows, according to prosecutors. Techniques such as bleaching away DNA, scrubbing away fingerprints -- even those on a neck limp from strangulation -- and torching bodies and crime scenes top the list. Christie Stanley, a Santa Barbara County, Calif., assistant district attorney, said that as a result of such shows, the increasing sophistication of defendants in destroying crime-scene evidence requires more rigorous investigations, more preparation on the part of prosecutors, additional experts and longer trials. http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1139479512222 (Subscription required)

PRIVACY FEARS HIT GOOGLE SEARCH (BBC, 10 Feb 2006) -- The Electronic Frontier Foundation said the latest version of Google Desktop posed a risk to privacy. This is because a feature in the software lets Google keep personal data on its servers for up to 30 days. Google says it plans to encrypt all data transferred from users’ hard drives and restrict access. The new version of its desktop search software comes as Google is battling efforts by the US Department of Justice to force it to hand over data about what people are looking for. The case has focused attention on the issue of personal information held by internet companies. “Coming on the heels of serious consumer concern about government snooping into Google’s search logs, it’s shocking that Google expects its users to now trust it with the contents of their personal computers,” said EFF staff attorney Kevin Bankston. “Unless you configure Google Desktop very carefully, and few people will, Google will have copies of your tax returns, love letters, business records, financial and medical files, and whatever other text-based documents the desktop software can index. “The government could then demand these personal files with only a subpoena rather than the search warrant it would need to seize the same things from your home or business,” he said. http://news.bbc.co.uk/2/hi/technology/4700002.stm [Editor: Not sure I understand/believe this story, but if it’s true that your desktop search-index is exported outside your machine, that would be very bad. SEE also Robert Ambrogi’s blog on this, and its implications vis a vis attorney confidentiality obligations at http://www.legaline.com/2006/02/lawyers-beware-googles-desktop-search.html]

DHS WEATHERS CYBER STORM (TechWeb.com, 10 Feb 2006) -- The U.S. Department of Homeland Security still has to evaluate how well it fared through a series of simulated cyber attacks this week, but government and private companies avoided real-world damage and complications during their preparedness exercise. More than 100 public, private and international groups participated in mock attacks replicating the invasion of a utility company’s computer system and the disruption of power grids. The exercise, called Cyber Storm, was designed to test the abilities of private companies and government agencies to deal with a major cyber security incident. DHS announced the completion of the exercise on Friday but has yet to fully evaluate how effectively the groups communicated, cooperated and responded. John Sabo, director of security and privacy initiatives for CA, said he believes the initiative benefits his company and the public. “We’re forming industry sector-to-sector relationships and also bridging IT attacks and physical attacks,” he said during an interview Friday. Sabo, also the president of the International Security, Trust and Privacy Alliance and Vice President of the Information Technology-Information Sharing and Analysis Center, said that the groups involved will continue examining ways to improve operations, communications and “situational awareness capabilities,” through training exercises. http://news.yahoo.com/s/cmp/20060211/tc_cmp/179103522

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
