Sunday, March 26, 2006

MIRLN -- Misc. IT Related Legal News [5-25 March 2006; v9.04]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC (www.dickinsonwright.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

**** ANNOUNCEMENT ****
MIRLN editor Vince Polley has joined the law firm of Dickinson Wright PLLC (www.dickinsonwright.com), and is co-chairing with Brian Balow the firm’s Information Technology & Security Law practice group. The firm’s chairman, Dennis Archer, was ABA President in 2003-2004.

GOOGLE MOVING SEARCH RECORDS OUT OF CHINA (Computer World, 1 March 2006) -- In an effort to protect users of its Google.cn Web site, Google Inc. is moving search records out of China and into the U.S., a company executive said this week. Google.cn is a version of its search engine that is hosted in China and adheres to Chinese censorship laws. It was launched in January. The Mountain View, Calif., company has decided to store search records from the site outside of China in order to prevent that government from being able to access the data without Google’s consent, said Peter Norvig, Google’s director of research, speaking Monday at a panel discussion at Santa Clara University. "We didn’t want to be in the position of having to hand over these kinds of records to the government," he said. Google retains information on the search queries performed by its users, along with the IP addresses associated with queries, to better understand how its search engine is being used, Norvig said. http://computerworld.com/developmenttopics/websitemgmt/story/0,10801,109117,00.html

-- and --

U.S. LIMITS DEMANDS ON GOOGLE (New York Times, 16 March 2006) -- After the Justice Department drastically reduced its request for information from Google, a federal judge said on Tuesday that he intended to approve at least part of that request. The government first subpoenaed Web data from Google last August, as part of its defense of an online pornography law. At a hearing in Federal District Court here, Judge James Ware said that in supporting the government’s more limited request, he would nonetheless pay attention to Google’s concerns about its trade secrets and the privacy of its users. The government is now requesting a sample of 50,000 Web site addresses in Google’s index instead of a million, which it was demanding until recently. And it is asking for just 5,000 search queries, compared with an earlier demand for an entire week of queries, which could amount to billions of search terms. A Justice Department lawyer said at the hearing that the government would review just 10,000 Web sites and 1,000 search queries out of those turned over. It intends to use the data in a study to measure the effectiveness of software that filters out pornographic Web sites. The government says it is not seeking information that would "personally identify" individuals. "It is my intent to grant some relief to the government," Judge Ware said, "given the narrowing that has taken place with the request and its willingness to compensate Google for whatever burden that imposes." He said, however, that he was well aware that the request for individual search terms from Google had raised privacy concerns. He appeared to be less troubled about the release of Web site addresses. He said he was particularly concerned about perceptions by the public that Web searches could be subject to government scrutiny, "so I’ll pay particular attention to that part of it." The judge said that he would issue a full decision shortly, but did not give a date. 
Three of Google’s competitors in Internet search technology — the America Online unit of Time Warner, Yahoo and MSN, Microsoft’s online service — have complied with subpoenas in the case. None of those companies have indicated how much data was turned over to the government. Albert Gidari, a lawyer representing Google at the hearing, said in an interview afterward that he had been surprised by the large reduction in the number of Web site addresses, or U.R.L.’s, and search queries the government was requesting. http://www.nytimes.com/2006/03/15/technology/15google.html?ex=1300078800&en=c701e37ac929f3dc&ei=5090&partner=rssuserland&emc=rss and http://www.siliconvalley.com/mld/siliconvalley/14104319.htm

-- and --

GOOGLE MUST GIVE INDEX DATA, NOT QUERIES, TO GOV’T (Computerworld, 19 March 2006) -- In a highly anticipated decision, a federal judge ruled Friday that Google Inc. has to provide the U.S. government with information about its search engine’s index, but denied a request for a sample of search queries. The case highlights the tension between online user privacy and law-enforcement needs. Judge James Ware, of the U.S. District Court for the Northern District of California, wrote in his decision that Google must provide the government with 50,000 Web addresses in its search engine index. Google should "confer" with the government to develop a protocol to randomly select and provide the URLs from its index, but to comply with this order Google doesn’t have to disclose proprietary information about its Web site address database, the judge wrote. Moreover, the government needs to pay Google for the cost of producing this data, and the data will be kept under wraps by the court’s order. Finally, the government’s request for a sample of search queries filed by Google users was denied. "This is a clear victory for our users. The subpoena has been drastically limited; most importantly the order excludes search queries," said Nicole Wong, Google’s associate general counsel, in a statement Friday. http://www.computerworld.com/printthis/2006/0,4814,109718,00.html

OMB: AGENCY COMPLIANCE WITH CYBERSECURITY LAW IMPROVING (GovEXEC.com, 2 March 2006) -- Agencies improved slightly in fiscal 2005 at meeting computer security standards, according to a report released Wednesday by the Office of Management and Budget. The percentage of agency information technology systems certified and accredited rose from 77 percent in fiscal 2004 to 85 percent in 2005, just short of an administration goal of 90 percent, OMB stated. Furthermore, the number of systems with tested contingency plans increased from 57 percent to 61 percent over that same period, the report to Congress on the implementation of the 2002 Federal Information Security Management Act found. The number of agency IT systems also grew in that time, rising 19 percent from 8,623 to 10,289. Contractors or other non-government organizations manage 1,105 of those systems on behalf of the government. The Defense Department, which houses 3,583 IT systems, went from 58 percent of systems certified and accredited to 82 percent, though the Pentagon inspector general gave the department a "poor" certification and accreditation rating in the OMB report. The Veterans Affairs Department, which reported 14 percent of its systems as certified and accredited in fiscal 2004, reported that all 585 of its systems were certified and accredited the next year. None of the inspectors general rated the certification and accreditation process as failing, but eight rated it as "poor." Four agency inspectors general rated it as "good," while the Social Security Administration IG was the only one to rate it as "excellent." Included in the report were goals needed to maintain a "green" status -- the highest available grade -- in e-government on the Bush administration’s quarterly management score card. 
They involved certifying and accrediting all IT systems by July 1, installing and maintaining all systems with proper security configurations and including continuity of operations provisions in the agency’s infrastructure. http://www.govexec.com/story_page.cfm?articleid=33498&printerfriendlyVers=1&

-- but --

D+ FOR FED SECURITY -- AGAIN (FCW.com, 16 March 2006) -- Federal agencies once again received a D+ overall on their 2005 computer security report cards from the House Government Reform Committee based on reports required by the Federal Information Security Management Act. Agencies on the frontline of the war on terror received failing grades. The overall grade for the 2004 federal security report card was also a D+. “If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of ‘low performers,’” Rep. Tom Davis (R-Va.), the chairman of the committee, said today at a hearing on computer security. “The scores for the departments of Defense, Homeland Security, Justice, State — the agencies on the frontline in the war on terror — remained unacceptably low or dropped precipitously.” Of those four departments, DHS remained level with its 2004 grade of an F, according to the committee’s rating. The other departments fell in grades. Defense went from a D to an F, Justice dropped from a B- to a D and State fell from a D+ to an F. Five agencies – the U.S. Agency for International Development, the Environmental Protection Agency, the Labor Department, the Office of Personnel Management and the Social Security Administration -- received an A+ from the committee. http://www.fcw.com/article92642-03-16-06-Web

FTC, IS THAT A PACHYDERM IN YOUR PARLOR, OR ARE YOU JUST GLAD TO SUE ME? (Steptoe & Johnson’s E-Commerce Law Week, 4 March 2006) -- There’s a huge elephant hiding in plain sight in the Federal Trade Commission’s (FTC) living room. Yet companies are still acting like it doesn’t exist, preferring to join the Commission for tea and biscuits rather than be so rude as to point out the pachyderm’s presence. The elephant we’re referring to is the fact that the FTC has made itself the de facto regulator of industry data security practices on the basis of its authority to police "unfair ... practices in or affecting commerce." Companies continue to roll over and subject themselves to 20 years of government oversight rather than suggest that the FTC’s claim of jurisdiction might be a tad of a stretch. The latest example involves CardSystems Solutions, which recently settled FTC charges that its failure to take "appropriate security measures" to protect consumers’ sensitive information was an unfair practice in violation of the FTC Act. And as was the case with earlier FTC settlements with companies like BJ’s Wholesale and DSW, the FTC’s proposed consent order will require CardSystems (and its successor company, "Pay By Touch") to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11991&siteId=547

E-MAIL DELIVERY ‘TAX’ CRITICISED (BBC, 6 March 2006) -- Plans to charge to deliver e-mail have come under fire from non-profit groups who said it could cripple fundraising. Net giant AOL is introducing the charges to stop spammers as those who pay will bypass junk mail filters. More than fifty groups including Oxfam America, Gun Owners of America and the AFL-CIO trade union have banded together to condemn the charging plan. In a concession to the groups, AOL has said non-profit organisations will be exempt from the charges. http://news.bbc.co.uk/2/hi/technology/4778136.stm

WAL-MART ENLISTS BLOGGERS IN P.R. CAMPAIGN (New York Times, 7 March 2006) -- Brian Pickrell, a blogger, recently posted a note on his Web site attacking state legislation that would force Wal-Mart Stores to spend more on employee health insurance. "All across the country, newspaper editorial boards — no great friends of business — are ripping the bills," he wrote. It was the kind of pro-Wal-Mart comment the giant retailer might write itself. And, in fact, it did. Several sentences in Mr. Pickrell’s Jan. 20 posting — and others from different days — are identical to those written by an employee at one of Wal-Mart’s public relations firms and distributed by e-mail to bloggers. Under assault as never before, Wal-Mart is increasingly looking beyond the mainstream media and working directly with bloggers, feeding them exclusive nuggets of news, suggesting topics for postings and even inviting them to visit its corporate headquarters. But the strategy raises questions about what bloggers, who pride themselves on independence, should disclose to readers. Wal-Mart, the nation’s largest private employer, has been forthright with bloggers about the origins of its communications, and the company and its public relations firm, Edelman, say they do not compensate the bloggers. Companies of all stripes are using blogs to help shape public opinion. Before General Electric announced a major investment in energy-efficient technology last year, company executives first met with major environmental bloggers to build support. Others have reached out to bloggers to promote a product or service, as Microsoft did with its Xbox game system and Cingular Wireless has done in the introduction of a new phone. What is different about Wal-Mart’s approach to blogging is that rather than promoting a product — something it does quite well, given its $300 billion in annual sales — it is trying to improve its battered image. 
http://www.nytimes.com/2006/03/07/technology/07blog.html?ex=1299387600&en=d732c2af6bf280b8&ei=5090&partner=rssuserland&emc=rss

CD-SWAP NETWORK TO SLIP THROUGH COPYRIGHT LOOPHOLE? (CNET, 7 March 2006) -- A new online music service called La La Media aims to offer full-length CDs for $1 by letting users trade discs, in a bid to avoid legal pitfalls that face online song trading. Backed with $9 million in funding by Bain Capital and Ignition Partners, La La works like an online music co-op by enabling members to trade physical CDs they own for physical CDs they want, Bill Nguyen, co-founder of La La, said ahead of the Tuesday announcement. With 1.8 million album titles available, members trade the CDs in prepaid envelopes, much like the way popular mail-order DVD service Netflix operates. La La founders argue that, unlike underground online file-sharing services, which have been sued for copyright infringement, La La is protected under an exception to the U.S. Copyright Act. They argue that the owner of a CD can transfer a legally acquired copy without permission or payment of additional royalties. A member will pay $1 to La La for facilitating the trade once he or she receives the disc from the other member, plus a 49 cent shipping charge. La La said it will set aside 20 percent of its trading revenue for recording artists. La La said it is currently talking with the world’s major music labels to obtain licenses for the sale of digital music. http://news.com.com/2100-1025_3-6046817.html

ONLINE JOB APPLICANT RULE POSES NEW CHALLENGES (Chronicle of Higher Education, 8 March 2006) -- A new rule from the Department of Labor’s Office of Federal Contract Compliance Programs threatens to cause a number of new administrative headaches for federal contractors, which includes most colleges and universities. Federal statutes require contractors to gather demographic data, including race, gender, and ethnicity, about job applicants and report it to the Office of Federal Contract Compliance Programs, which monitors the data to ensure compliance with affirmative action and antidiscrimination laws. The rule defines who is considered an applicant for a job, given the growing use of electronic tools for job recruitment and hiring. Under the rule, which went into effect February 6, individuals are considered applicants if they express interest through electronic media, have the qualifications for the job, or are considered for the position, as they would be through an employer’s searching a database of resumes. Given that many employers accept electronic or hard-copy applications, the task of keeping track of applicant data becomes much more complicated under the new rule. Also, the rule requires employers to keep track of every search they perform of a database of resumes. The result is a potentially onerous job of keeping accurate records of all necessary data. The Office of Federal Contract Compliance Programs is giving contractors a 90-day grace period before enforcing the new rule. (sub. req’d) http://chronicle.com/daily/2006/03/2006030803n.htm

SPY’S-EYE VIEW (The Atlantic Magazine, March 2006, article by Jim Fallows) – As best I can figure, I have spent 35,000 to 40,000 hours of my life sitting at a computer. This knowledge does not improve my mood or self-esteem. But it brings into sharp relief the handful of moments at the keyboard I can distinctly remember, each involving a time when I realized that the computer had just done something important and new. In the late 1970s, I marveled at the discovery that I could use my very first computer (a Processor Technology SOL-20) to save something I had drafted, then change it later on without having to retype the whole thing. In the early 1980s, I watched a message I had written go to its destination electronically, through a 300-baud modem I clamped onto a telephone handset. In 1993, I tried a program called Mosaic, one of the very first browsers, and was amazed to see pictures and documents stored on someone else’s computer show up on my own screen. In 1995, I entered a few words into a search box and within seconds got back some more-or-less relevant information, via the early search engine AltaVista. That was it for truly memorable moments, until last year when I first tried Google Earth. [Editor: much more, and pretty interesting.] http://www.theatlantic.com/doc/200603/google-earth

MAAWG ISSUES FIRST SPAM METRICS REPORT (BNA’s Internet Law News, 9 March 2006) -- The Messaging Anti-Abuse Working Group, a group of leading ISPs, has developed its first metrics report on the size and scope of the spam problem. The MAAWG data confirms that 80 percent of Internet traffic is abusive email. The group is tracking at least 100 million email boxes. Report at http://www.maawg.org/about/FINAL_4Q2005_Metrics_Report.pdf

OPEN SOURCE LEGAL FIRM COUNTERS GPL SOX CONCERNS (Computer Business Online, 8 March 2006) -- Eben Moglen’s open source legal services firm, Software Freedom Law Center, has hit out at suggestions that users of the GNU General Public License are at any additional risk of criminal liability under the Sarbanes-Oxley Act. The center was set up in February 2005 by Moglen, who is professor of law and legal history at Columbia Law School and general counsel for the Free Software Foundation, to provide legal services to open source software projects and developers. It has been moved to issue a paper on SOX and the GPL in order to counter reports indicating that companies using GPL-licensed software, such as the Linux operating system, might be breaking federal securities laws. "Recent discussion regarding the GPL and SOX have been wrought with false information and have prompted the SFLC to issue its position on the topic," said Moglen, SFLC chairman. While the SFLC did not pinpoint the reports it considered to be erroneous, a recent study from network storage software vendor Wasabi Systems Inc. appears to have raised concerns. The Wasabi report was released in January with a statement that "many companies using Linux for embedded applications may be unwittingly violating the Linux license and even breaking federal securities laws." Norfolk, Virginia-based Wasabi’s argument was that SOX requires public companies to disclose certain information, including intellectual property ownership. "Thus, if a company is violating the GPL, executives who do not disclose the cheating are violating the Sarbanes-Oxley Act, because they are not truthfully disclosing that they do not lawfully own their intellectual property," the Wasabi report argued. http://www.cbronline.com/article_news.asp?guid=5AAFDCD7-7DB9-4F64-A90D-7EA88BB45572

MD. HOUSE APPROVES PAPER BALLOTS (Washington Post, 10 March 2006) -- The Maryland House of Delegates unanimously passed legislation yesterday to ditch the state’s touch-screen voting machines for the coming election in favor of a system that uses paper ballots. The 137 to 0 vote in the House and the endorsement of the plan this week by Republican Gov. Robert L. Ehrlich Jr. represents a stunning turnaround for a state that was on the leading edge of touch-screen voting in 2001, and it reflects a national shift toward machines that provide a paper record. The touch-screen system, for which Maryland has committed more than $90 million, would be put aside for one year while the state spends at least $13 million to lease optical scan machines. "It’s critically important for voters to know their vote was cast and that it will be counted correctly," said Del. Obie Patterson (D-Prince George’s). The fate of the plan in the Senate is less certain, and Ehrlich has not set aside money in his budget to lease the new machines. Senate President Thomas V. Mike Miller Jr. (D-Calvert) yesterday defended the record of the state’s touch-screen machines and said that changing systems six months before an election would cause headaches for local administrators and lead to long lines and late returns. http://www.washingtonpost.com/wp-dyn/content/article/2006/03/09/AR2006030902339.html

POLICE BLOTTER: EX-EMPLOYEE FACES SUIT OVER FILE DELETION (CNET, 10 March 2006) -- Jacob Citrin was once employed by International Airport Centers and given a laptop to use in his company’s real estate related business. The work consisted of identifying "potential acquisition targets." At some point, Citrin quit IAC and decided to continue in the same business for himself, a choice that IAC claims violated his employment contract. Normally that would have been a routine business dispute. But the twist came when Citrin dutifully returned his work laptop--and IAC tried to undelete files on it to prove he did something wrong. IAC couldn’t. It turned out that (again according to IAC) Citrin had used a "secure delete" program to make sure that the files were not just deleted, but overwritten and unrecoverable. In most operating systems, of course, when a file is deleted only the reference to it in the directory structure disappears. The data remains on the hard drive. But a wealth of programs like PGP, open-source programs such as Wipe, and a built-in feature in Apple Computer’s OS X called Secure Empty Trash will make sure the information has truly vanished. Inevitably, perhaps, IAC sued. The relevance for Police Blotter readers is that the company claimed that Citrin’s alleged secure deletion violated a federal computer crime law called the Computer Fraud and Abuse Act. That law says whoever "knowingly causes damage without authorization" to a networked computer can be held civilly and criminally liable. The 7th Circuit made two remarkable leaps. First, the judges said that deleting files from a laptop counts as "damage." Second, they ruled that Citrin’s implicit "authorization" evaporated when he (again, allegedly) chose to go into business for himself and violate his employment contract. http://news.com.com/2102-1030_3-6048449.html?tag=st.util.print

A BRACKET YOU WON’T SEE ELSEWHERE (Inside Higher Ed, 14 March 2005) -- It’s tourney time. March Madness. The big dance. Thousands of college students will muster energy never before seen in lecture halls to cheer one of 65 college basketball teams to the national championship. Television rights to the tournament account for 90 percent of the National Collegiate Athletic Association’s annual revenue. A national outplacement consulting firm, Challenger, Gray & Christmas, estimates that businesses will lose $237 million a day as people follow the tournament during working hours. What if that tidal wave of frenzied enthusiasm was directed at applauding the graduation rates of basketball players, rather than their tourney prowess? Inside Higher Ed invites readers to come down a different March Madness road. Next stop … the graduation zone. In our bracket (which we’d recommend rotating once you open it in Adobe Acrobat), teams advance based on their NCAA Graduation Success Rate, as compiled by the Institute for Diversity and Ethics in Sport, at the University of Central Florida, which released its annual report on the academic performance of college sports teams on Sunday. http://insidehighered.com/news/2006/03/14/tournament [Editor: since I’m tied for last place in the office March Madness pool, I’m more attracted to this kind of story. Go Florida!]

CONSUMER GROUPS RAIL AGAINST PROPOSED DATA-BREACH NOTIFICATION LAW (Computer World, 16 March 2006) -- Consumer and privacy advocacy groups are up in arms over a proposed federal data-breach notification bill that today was approved by the House Financial Services Committee. The bill, which passed by a 48-16 vote, is H.R. 3997 -- otherwise known as the Financial Data Protection Act of 2005. It is designed to give financial services companies a national standard for securing sensitive personal information and notifying consumers in the event of a data breach. Outraged opponents of the bill say that H.R. 3997 would gut stronger state laws already in place and would give companies far too much leeway when it comes to disclosing breaches involving the compromise of sensitive data. One major problem with the bill is that it sets a notification trigger that would give companies too much flexibility in disclosing data breaches. Unlike state laws, such as California’s SB 1386, which requires companies to notify consumers whenever there is a data breach, H.R. 3997 would require companies to do so only if they think there is a reasonable risk of harm. http://www.computerworld.com/securitytopics/security/story/0,10801,109619,00.html?source=NLT_AM&nid=109619

ENTERPRISES: CYBERCRIME COSTS US DEARLY (CNET, 17 March 2006) -- Chief information officers see cybercrime as a greater threat than physical crime, according to an IBM survey of manufacturing, financial, health care and retail enterprises. Fifty-seven percent of the 600 U.S. businesses surveyed said they are losing more money through cybercrime--by way of lost income, the loss of current and potential customers, and decreased employee productivity--than from conventional crime. Three quarters of American IT executives surveyed said some of the threat to their corporate security came from inside their own organizations, while 84 percent believed that criminal hacker groups were increasingly replacing lone hackers as the perpetrators of cybercrime. Businesses from 16 countries outside the United States, including the United Kingdom, were also surveyed, with similar results. Fifty-eight percent of chief information officers across international businesses surveyed said cybercrime was costing them more than physical crime. Only 53 percent of the international respondents thought they had adequate safeguards in place to combat organized cybercrime--though U.S. respondents were more bullish, with 83 percent saying they were well-prepared. http://news.com.com/2100-7350_3-6050875.html

LAW PROFESSOR BANS LAPTOPS IN CLASS, OVER STUDENT PROTEST (USA Today, 21 March 2006) -- A group of University of Memphis law students are passing a petition against a professor who banned laptop computers from her classroom because she considers them a distraction in lectures. On March 6, Professor June Entman warned her first-year law students by e-mail to bring pens and paper to take notes in class. "My main concern was they were focusing on trying to transcribe every word that I was saying, rather than thinking and analyzing," Entman said Monday. "The computers interfere with making eye contact. You’ve got this picket fence between you and the students." The move didn’t sit well with the students, who have begun collecting signatures against the move and tried to file a complaint with the American Bar Association. The complaint, based on an ABA rule for technology at law schools, was dismissed. "If we continue without laptops, I’m out of here. I’m gone; I won’t be able to keep up," said student Cory Winsett, who said his hand-written notes are incomplete and less organized. http://www.usatoday.com/tech/news/2006-03-21-professor-laptop-ban_x.htm?POE=TECISVA

CREATIVE COMMONS LICENSE UPHELD BY COURT (CNET, 21 March 2006) -- A court in the Netherlands has ruled that a Creative Commons license is binding, in a case brought against a Dutch gossip magazine by an ex-MTV star. This is one of the first times that the license--which offers more flexibility than traditional copyright licenses--has been tested in a court of law, according to legal Web site Groklaw. "The Creative Commons licenses are quite new, so there has been very little in the way of case law so far, so this is a significant development," Groklaw reported. Former MTV VJ Adam Curry sued Weekend, a Dutch gossip magazine, for copyright infringement after the magazine published photos of Curry’s daughter without his authorization. The photos, which Curry had posted on the Flickr photo-sharing site, were covered by the Creative Commons Attribution-NonCommercial-ShareAlike 2.0 license, which states that while the licensed content can be used freely for noncommercial purposes as long as the source is made clear, the content cannot be used for commercial purposes unless the creator of the content agrees to waive the conditions. The court ruled that Weekend must not use Curry’s pictures again or it would face fines of 1,000 euros (about $1,200) for each photo used without permission, Curry said in his blog. Audax, the publisher of Weekend, had argued that it was misled by the notice posted on Flickr near Curry’s photos stating that they were "public" and that the link to the license was not obvious. But the court rejected this defense, stating that Audax should have carried out due diligence before publishing the photos, according to Creative Commons Canada, which published a translation of the court ruling. Creative Commons Canada said the ruling is important as it makes it clear that it is the user’s responsibility to find out about and adhere to the license. http://news.com.com/2100-1030_3-6052292.html

ISRAELI FIRM ABANDONS PURCHASE OVER U.S. SECURITY OBJECTIONS (SiliconValley.com, 23 March 2006) -- A leading Israeli software company abandoned its plans Thursday to buy a smaller U.S. rival in a $225 million deal because of national security objections by the Bush administration. Check Point Software Technologies Ltd. in Ramat Gan, Israel, formally withdrew its proposal near the conclusion of a rare, full-blown investigation by a U.S. review panel over the company’s plans to buy a smaller rival, Sourcefire Inc. Check Point had been told U.S. officials feared the transaction could endanger some of government’s most sensitive computer systems. Lawyers for Check Point offered to attach conditions to the sale that executives believed were onerous but were intended to satisfy the concerns expressed by the review panel, the Committee on Foreign Investments in the United States, said one person familiar with the process. But no agreement could be reached. The Treasury Department, which oversees the committee, formally accepted Check Point’s request to withdraw from the review process. This ensures the panel will not be required to submit recommendations to President Bush whether to block the deal. The committee has concluded only 25 full-blown investigations in more than 1,600 business transactions it has reviewed since 1988. In roughly half the investigations, companies pulled out of the deal rather than face imminent rejection. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14172266.htm

BRITANNICA HITS BACK AGAINST WIKIPEDIA COMPARISON (BNA’s Internet Law News, 24 March 2006) -- Encyclopedia Britannica has fired back at an article in the science journal Nature that likened its accuracy to that of Wikipedia, the Internet site that lets anyone contribute. Britannica said in a 20-page statement this week that "almost everything about the journal’s investigation...was wrong and misleading." It has demanded a retraction. Britannica response at http://corporate.britannica.com/britannica_nature_response.pdf

NSA MIGHT LISTEN TO LAWYER CALLS (Wired, 25 March 2006) -- The National Security Agency could have legally monitored ordinarily confidential communications between doctors and patients or attorneys and their clients, the Justice Department said Friday of its controversial warrantless surveillance program. Responding to questions from Congress, the department also said that it sees no prohibition to using information collected under the NSA’s program in court. "Because collecting foreign intelligence information without a warrant does not violate the Fourth Amendment and because the Terrorist Surveillance Program is lawful, there appears to be no legal barrier against introducing this evidence in a criminal prosecution," the department said in responses to questions from lawmakers released Friday evening. http://www.wired.com/news/wireservice/0,70500-0.html?tw=rss.index

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, March 04, 2006

MIRLN -- Misc. IT Related Legal News [13 February – 4 March 2006; v9.03]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

**************End of Introductory Note***************

**** PROGRAM ANNOUNCEMENT ****
ABA Cyberspace Law Committee spring meeting (April 6-9, 2006, in Tampa, Florida). Details at http://www.abanet.org/buslaw/2006spring/index.html; Cyberspace committee activities will be blogged at http://aba-cyberspace.blogspot.com/

US GROUP IMPLANTS ELECTRONIC TAGS IN WORKERS (Financial Times, 12 Feb 2006) -- An Ohio company has embedded silicon chips in two of its employees - the first known case in which US workers have been “tagged” electronically as a way of identifying them. CityWatcher.com, a private video surveillance company, said it was testing the technology as a way of controlling access to a room where it holds security video footage for government agencies and the police. Embedding slivers of silicon in workers is likely to add to the controversy over RFID technology, widely seen as one of the next big growth industries. Sean Darks, chief executive of CityWatcher, said the glass-encased chips were like identity cards. They are planted in the upper right arm of the recipient, and “read” by a device similar to a card reader. http://news.ft.com/cms/s/ec414700-9bf4-11da-8baa-0000779e2340.html

MORGAN STANLEY OFFERS $15M FINE FOR E-MAIL VIOLATIONS (Computerworld, 14 Feb 2006) -- U.S. investment bank Morgan Stanley has offered to pay $15 million to resolve an investigation by U.S. regulators into its failure to retain e-mail messages, according to a regulatory filing. The Wall Street firm said it had reached “an agreement in principle” with the U.S. Securities and Exchange Commission’s Division of Enforcement to resolve an investigation into its preservation of e-mails. The fine would be one of the largest penalties ever imposed on a Wall Street firm for failing to preserve records. Morgan Stanley said the proposal has yet to be presented to the SEC, and no assurance can be given that it will be accepted. The investigation has been ongoing, with Morgan Stanley last April saying that SEC staff had recommended actions against the firm for failing to comply with a 2002 order relating to retention of e-mails. E-mail played a central role in a $1.58 billion judgment against Morgan Stanley and in favor of Ronald Perelman, the billionaire investor who said he was defrauded by the Wall Street company over the sale of a business and focused on the firm’s inability to produce documents. The judge in that case, frustrated by Morgan Stanley’s inability to produce e-mail documents demanded by Perelman’s lawyers -- the firm said backup tapes had been overwritten -- took the unusual step of switching the burden of proof so that Morgan Stanley had to prove its innocence. http://www.computerworld.com/printthis/2006/0,4814,108687,00.html

UTAH SUP CT RULES STATE CAN’T REGULATE OUT-OF-STATE SPAMMERS (BNA’s Internet Law News, 14 Feb 2006) -- The Utah Supreme Court on Friday dealt a parting blow to a defunct anti-spam statute, reinstating a lower court’s finding that Utah never had jurisdiction over out-of-state violators. The Legislature had repealed the Unsolicited Commercial and Sexually Explicit Email Act in February 2004, just one month after Brittney Fenn sued Arizona-based MLeads Enterprises Inc. Decision at http://www.utcourts.gov/opinions/supopin/Fenn021006.pdf

JUDGE: FIRM NOT NEGLIGENT IN FAILURE TO ENCRYPT DATA (CNET, 14 Feb 2006) -- A federal court has thrown out a lawsuit that accused a student-loan provider of negligence in failing to encrypt a customer database that was subsequently stolen. Stacy Lawton Guin, a customer of Brazos Higher Education Service, sued the corporation on the grounds that encryption should be used as a routine security precaution. But U.S. District Judge Richard Kyle in Minnesota dismissed the case last week, saying Brazos had a written security policy and other “proper safeguards” for customers’ information and that it acted “with reasonable care” even without encrypting the database. http://news.com.com/2100-1030_3-6039645.html But, also see STRICT LIABILITY FOR DATA BREACHES? (SecurityFocus, 20 Feb 2006; article by Mark Rasch) -- http://www.securityfocus.com/columnists/387/1

MIT MEDIA LAB CO-FOUNDER STEPS DOWN (ZDNet, 15 Feb 2006) -- Nicholas Negroponte has stepped down as chairman of the Massachusetts Institute of Technology’s Media Lab to pursue his $100 computer initiative, and entrepreneur Frank Moss has been named the lab’s new director, the university said Wednesday. Negroponte left the Media Lab, which he co-founded in 1985, to devote his time to a nonprofit called One Laptop Per Child that is working to develop the low-cost laptops. In September, Negroponte detailed the specifications for a $100 windup-powered laptop, meant to improve the education of children in developing countries. That plan has gained the endorsement of the United Nations. Lab director Walter Bender is also taking a two-year leave of absence from MIT to serve as president for software and content development at One Laptop Per Child. Moss, who will replace Bender, founded Tivoli Systems and Bowstreet, two software companies that were acquired by IBM. He also worked for a few years at Boston-area biotechnology companies. http://news.zdnet.com/2100-9584_22-6039808.html

YAHOO ON NSA SURVEILLANCE: NO COMMENT (CNET, 15 Feb 2006) -- Under cross-examination during a congressional hearing, Yahoo’s top lawyer refused on Wednesday to say whether the company opens its records for government surveillance without a court order. Michael Callahan, Yahoo’s senior vice president and general counsel, declined five times to answer that question from Rep. Brad Sherman, a California Democrat who was probing whether the Internet company had cooperated with the National Security Agency’s domestic surveillance efforts. “It wouldn’t be appropriate for me to comment,” said Callahan, who was testifying under oath. He added that Yahoo would “only turn over information if it’s required by law.” But Callahan refused to say whether a demand from the NSA--not backed by a court order--qualifies as required by law. No law or regulation prohibits Yahoo from answering the question. In a survey published last week by CNET News.com, companies as varied as BellSouth, Comcast, EarthLink and T-Mobile answered in the negative. Rep. John Conyers, a Michigan Democrat, has posed similar questions to those companies, and AT&T has been sued for allegedly turning information over to the NSA in violation of privacy laws. http://news.com.com/2100-1030_3-6040129.html

FBI WANTS BUSINESSES’ HELP TO FIGHT CYBERCRIME (CNET, 16 Feb 2006) -- The FBI needs more help from private businesses to stay ahead of the curve in the fight on cybercrime, said FBI Director Robert Mueller. “Those of you in the private sector are our first line of defense,” Mueller said Wednesday, during a speech to attendees of the RSA Conference 2006 here. “We recognize that in certain areas we lack the expertise that you possess. We lack the specific knowledge of threats that affect individual businesses every day.” The advent of the information age has made the world smaller and smarter, but the threats have become equally more diverse and dangerous, Mueller said. “We need your help, and we continue to ask for your cooperation,” he said. Information technology has become a “force multiplier for criminals,” with threats including online fraud, identity theft and botnets, Mueller said. “It is not easy for law enforcement and private industry alike to stay ahead of the curve when it comes to these ever-evolving threats.” The FBI has taken steps to improve its own abilities to investigate cybercrime. Four years ago, it created its own Cyber Division, and the agency has set up specially trained cybersquads across the U.S. The bureau has several initiatives to work with private businesses, such as its InfraGard program, which has about 3,000 members. These efforts have helped identify new attacks and track down attackers, Mueller said. For example, in collaboration with Microsoft, the FBI found the alleged creators of the Mytob and Zotob worms. Still, there has been some apprehension in working with law enforcement, especially when it comes to reporting cybercrime. “Most companies that experience computer intrusions or breaches of security do not report the incidents to law enforcement,” Mueller said. That may be because they fear negative publicity or the loss of a competitive advantage, he said. http://news.com.com/2100-7348_3-6040521.html

FUR FLIES OVER GOOGLE DESKTOP PRIVACY (CNET, 16 Feb 2006) -- Google Desktop’s new search-across-computers feature could put sensitive data at risk and violate federal data-privacy regulations, say IT administrators at a public university and a large manufacturing company. Both are banning it from their networks. Last week, Google unveiled Google Desktop 3, a free, downloadable program that includes an option to let users search across multiple computers for files. To do that, the application automatically stores copies of files, for up to a month, on Google servers. From there, copies are transferred to the user’s other computers for archiving. The data is encrypted in transmission and while stored on Google servers. The Electronic Privacy Foundation urged consumers to boycott the software, warning that Google could be forced to turn over the data to the government if subpoenaed, even if the data is stored on Google servers only temporarily. Any amount of time that data is stored on an outside server is too long for institutions that must comply with US laws such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA), which provide strict guidelines for protecting student and medical data, respectively, said Michael Holstein, security administrator at Cleveland State University. “We have to be careful about where our data ends up,” he said on Tuesday. “There is no effective way to manage [Google Desktop 3] from a technology policy standpoint, so we have resorted to instituting a policy that it is not to be installed on any university computers.” http://www.zdnet.co.uk/print/?TYPE=story&AT=39252738-39020375t-10000007c

STAKES RISE, AS ANOTHER DATA SECURITY BREACH LEADS TO CLASS ACTION (Steptoe & Johnson’s E-Commerce Law Week, 18 Feb 2006) -- No good deed goes unpunished, the old saying goes. That’s what the lawyers at Providence Health System must be thinking. After discovering the theft of 365,000 unencrypted patient records from an employee’s car in the Portland, Oregon, area in early January, the health-care provider apparently decided to do the right thing and notified affected patients and employees on its own, since Oregon does not (yet) have a security breach notification law. But now Providence finds itself the subject of an investigation by the Oregon State Attorney General into whether it violated consumer protection laws by failing to take reasonable measures to protect medical records. And as if that weren’t enough to worry about, on January 30, a former Providence patient filed a class action complaint against the company in the Oregon Circuit Court, Multnomah County, alleging that Providence was negligent in failing to safeguard health information. So now it’s not just the Federal Trade Commission and State AGs companies need to worry about, but private plaintiffs and the plaintiffs’ bar, too. And if they want to minimize their legal risks, companies need to have an effective plan to prevent and, if necessary, respond to a security breach, and ensure that relevant employees are trained to carry it out. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11837&siteId=547

IS YOUR COMPANY DOING ENOUGH TO PROTECT ITSELF... AND YOU? (Silicon.com, 20 Feb 2006) -- Conflicting reports out today on the subject of IT security agree on at least one fact - that companies are failing to get a handle on the issue. Figures from Computer Economics suggest some of the world’s largest companies are among the worst offenders, while a report from MessageLabs offers some consolation in suggesting the companies with the most to lose are at least doing better than others in securing their data. The past week has seen a number of stories about companies failing to address security issues - for example, training staff in basic best practice and understanding the threats of emerging technologies such as wi-fi and removable storage units such as iPods. The Computer Economics report suggests 65 per cent of companies do not provide even basic periodic security training for staff while 67 per cent of companies fail to carry out regular software audits of desktops to ascertain whether unauthorised programs - such as peer-to-peer software - are being used within the enterprise. The Computer Economics report also suggested larger companies are actually lagging behind their smaller counterparts in terms of security-specific spending and staffing. http://software.silicon.com/security/0,39024655,39156605,00.htm

EU APPROVES LANDMARK DATA RETENTION LAW (UPI, 21 Feb 2006) -- European Union justice ministers Tuesday approved a controversial new law requiring telecom operators to store phone and Internet data to help fight terrorism. The so-called data retention directive has been the subject of a heated political debate in Brussels for over a year, with supporters saying it is needed to track down terrorists, pedophiles and criminal gangs, and civil liberties campaigners arguing it is an intrusion on basic rights. Under the directive, telecom operators in all 25 EU states will be required to keep records of all phone calls and Internet communications for a period of six months to two years. The measure already has the backing of the European Parliament, which succeeded in watering down the original proposal. http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060221-104633-9768r The latest version of the directive is available here: http://register.consilium.eu.int/pdf/en/05/st03/st03677.en05.pdf.

ARE USENET FANS VULNERABLE TO COPYRIGHT LAWSUITS? (CNET, 26 Feb 2006) -- In a new series of lawsuits, Hollywood studios for the first time are targeting companies that provide access to Usenet newsgroups. This corner of the Internet, largely a leftover from the days before the Web exploded into the mainstream, rarely gets much attention. It’s still primarily a forum for text discussions (and overwhelming amounts of spam), where techies help one another with Windows and driver problems, and animal lovers share cat stories. But in the last few years, a handful of technologies have emerged that have made newsgroups a much more fertile place for downloading copies of movies, music and software. Here’s a quick primer on what happens there and what the Motion Picture Association of America has done… http://news.com.com/Are+Usenet+fans+vulnerable+to+copyright+lawsuits/2100-1025_3-6043057.html?tag=html.alert

CORPORATIONS FAIL TO ENFORCE INTERNET ACCEPTABLE USAGE POLICIES (Business Wire, 27 Feb 2006) -- Employees are ignoring Internet Acceptable Usage Policies (AUPs) according to a survey published today by network security provider SmoothWall. Despite the recognition by seven out of 10 companies that an AUP is crucial to the security of IT systems, 38 percent of employees that are governed by a policy are unaware of its contents. Personal email (such as Hotmail and Gmail) is used by more than 61 percent of respondents at work, while 41 percent admit to using instant messaging applications such as Microsoft Messenger and Yahoo! Messenger to communicate with friends and family. The rapidly growing popularity of Skype is highlighted by the fact that 23 percent of respondents use Skype at work and presumably have loaded the Skype client on to their employers’ computers. http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20060227005778&newsLang=en [Editor: see e.g., “Employee Use of the Internet and E-Mail: A Model Corporate Policy”, by ABA press (August 2002) at http://abastore.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5070395]

ONLINE COLLEGES RECEIVE A BOOST FROM CONGRESS (New York Times, 1 March 2006) -- It took just a few paragraphs in a budget bill for Congress to open a new frontier in education: Colleges will no longer be required to deliver at least half their courses on a campus instead of online to qualify for federal student aid. That change is expected to be of enormous value to the commercial education industry. Although both for-profit colleges and traditional ones have expanded their Internet and online offerings in recent years, only a few dozen universities are fully Internet-based, and most of them are for-profit ones. http://www.nytimes.com/2006/03/01/national/01educ.html?ex=1298869200&en=4a6bc48fbe560ce0&ei=5090&partner=rssuserland&emc=rss

**** RESOURCES ****
TOP CYBERSPACE IP CASES OF 2005 (TechLawAdvisor blog, 26 Feb 2006; compiled by John Ottaviani) -- http://techlawadvisor.com/2006/02/26/top_cyberspace_ip_cases_of_2005.html
