**************Introductory Note**********************
MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC (www.dickinsonwright.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described here: http://www.dickinson-wright.com/scripts/prac2.asp?practice_area=Information%20Technology%20%26%20Security%20Law
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/. Older editions reside in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.
**************End of Introductory Note***************
IT VENDORS, PRIVACY GROUPS RELEASE RFID STANDARDS (PC Advisor, 2 May 2006) -- A set of best practices designed to help assuage consumers’ concerns about RFID (radio frequency identification) tags was released yesterday by a group of technology vendors, RFID users and consumer groups. Companies using RFID tags on products should notify customers in all cases. They should tell customers whether they can deactivate the tags and build security into the technology as a primary design requirement, the group said. The CDT’s (Center for Democracy and Technology’s) Working Group on RFID recommends that companies collecting personally identifiable information through RFID tags tell customers how that data will be used. If customers can opt out of sharing that information or destroy the tags, those options “must be readily available”, says the working group’s draft best practices report. “There should be no secret RFID tags or readers,” the report says. “Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology... as they engage in any transaction that utilises an RFID system. At the same time, it is important to recognise that notice alone does not mitigate all concerns about privacy.” The CDT hopes that the guidelines, which took over a year to develop, will serve as an example to companies rolling out the technology, said Paula Bruening, staff counsel at CDT, a privacy and civil liberties advocacy group. http://www.pcadvisor.co.uk/news/index.cfm?newsid=6078
COURT SKEPTICAL OF WIRETAP RULES (Wired, 5 May 2006) -- A U.S. appeals panel challenged the Bush administration Friday over new rules making it easier for police and the FBI to wiretap internet phone calls. One judge told the government its courtroom arguments were “gobbledygook” and invited its lawyer to return to his office and “have a big chuckle.” The skepticism expressed so openly toward the government’s case during a hearing in U.S. Circuit Court for the District of Columbia emboldened a broad group of civil liberties and education groups who argued that the U.S. improperly applied telephone-era rules to a new generation of internet services. “Your argument makes no sense,” U.S. Circuit Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob Lewis. “When you go back to the office, have a big chuckle. I’m not missing this. This is ridiculous. Counsel!” At another point in the hearing, Edwards told the FCC’s lawyer his arguments were “gobbledygook” and “nonsense.” The court’s decision was expected within several months. Edwards appeared skeptical over the FCC’s decision to require that providers of internet phone service and broadband services must ensure their equipment can accommodate police wiretaps under the 1994 Communications Assistance for Law Enforcement Act, known as CALEA. The new rules go into effect in May 2007. Critics said the new FCC rules are too broad and inconsistent with the intent of Congress when it passed the 1994 surveillance law, which excluded categories of companies described as information services. http://www.wired.com/news/politics/0,70823-0.html
FREE CALLS FROM AIM (InternetNews.com, 8 May 2006) -- First came free e-mail addresses, and then came free IM accounts. Later this month, Dulles, Va.-based AOL plans to offer free phone numbers through its instant messenger (AIM). AIM Phoneline brings Internet phone calling to the more than 40 million AOL instant messenger users. Slated to begin May 16 in 50 U.S. markets, the service will offer a free base of features along with a $14.95 fee-based premium option, according to an AOL spokesperson. Based on AIM Triton, AIM Phoneline augments AOL’s TotalTalk VoIP offering. AOL will offer Phoneline users free local phone numbers enabling unlimited inbound calls from traditional phones, cell phones and PCs. Cell phone users can receive text messages alerting them when an IM-based call is received, as well as listen to Phoneline voicemail. Along with free phone numbers, AOL will provide AIM users free voicemail. Calls not answered are saved as MP3 files and sent to an AOL or AIM mailbox, according to a company statement. While the differences between AOL’s VoIP plans “are kind of subtle,” the company wants to be sure all its bases are covered, according to Joe Laszlo, analyst with JupiterResearch. http://www.internetnews.com/infra/article.php/3604556
-- and --
SKYPEOUT SERVICE FREE UNTIL THE END OF 2006 (EITB, 16 May 2006) -- Skype, eBay Inc.’s Internet telephone subsidiary, has stopped charging users for dialling up people on traditional landline and mobile phones in the US and Canada. The Internet telephone service, which has always offered free PC-to-PC calls around the world, said on Monday it will offer its SkypeOut service for free until the end of the year. Previously, Skype users paid about 2 cents a minute for calls to landline and mobile telephones. Users who make outgoing calls to and within countries outside the US and Canada will continue to incur per-minute charges. The company also said it will continue to charge for traditional phone numbers that can be dialled from any phone to reach Skype users. Skype, which was acquired last year by online auctioneer eBay for $2.6 billion, recently announced it has 100 million registered users worldwide. http://www.eitb24.com/portal/eitb24/noticia/en/sci/tech/skype-skypeout-service-free-until-the-end-of-2006?itemId=D31463&cl=%2Feitb24%2Fnuevas_tecnologias&idioma=en
LEGALISE PERSONAL MUSIC COPYING, SAYS BPI (The Telegraph, 7 May 2006) -- The British music industry is to recommend to the Government that consumers be allowed to legally copy music without fear of prosecution. The BPI, the body that represents British record companies, believes copyright on CDs and records should be changed to allow consumers to copy music if it is for personal use. Currently, it is technically illegal for anyone to copy a CD onto their computer for the purposes of downloading music onto their own portable music player. In its submission to the Gowers Review - the independent review body set up by the Treasury to examine the UK’s intellectual property framework - the BPI has asked for the issue of this area of music copyright to be addressed. It is believed the organisation, which represents the likes of EMI and Sanctuary, prefers the option of altering copyright protections on music without the requirement for a change in legislation. http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2006/05/07/cnbpi07.xml&menuId=242&sSheet=/money/2006/05/07/ixcitytop.html
21-YEAR-OLD HACKER SENTENCED TO NEARLY 5 YEARS IN PRISON (SiliconValley.com 9 May 2006) -- A 21-year-old computer whiz was sentenced to nearly five years in federal prison for taking control of 400,000 Internet-connected computers and renting access to them to spammers and fellow hackers. Among the machines authorities said Jeanson James Ancheta infected in 2004 and 2005 were those at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Va. Ancheta, of Downey, Calif., pleaded guilty in January to four felony charges. Authorities said he received more than $107,000 for downloading adware -- software that can track a user’s Internet browsing habits and deliver pop-up ads -- onto infected computers and selling access to hackers and spammers. A Web site he maintained included a schedule of prices and guidelines for the technology necessary to bring down a particular type of Web site. Prosecutors said the case was among the first to target profits derived from use of “botnets,” large numbers of computers that hackers commandeer through software and then turn into a “zombie” network that can be controlled by outsiders. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14537874.htm
EX-NSA CHIEF ASSAILS BUSH TAPS (Wired, 9 May 2006) -- Former National Security Agency director Bobby Ray Inman lashed out at the Bush administration Monday night over its continued use of warrantless domestic wiretaps, making him one of the highest-ranking former intelligence officials to criticize the program in public, analysts say. “This activity is not authorized,” Inman said, as part of a panel discussion on eavesdropping that was sponsored by The New York Public Library. The Bush administration “need(s) to get away from the idea that they can continue doing it.” Since the NSA eavesdropping program was unveiled in December, Inman -- like other senior members of the intelligence community -- has been measured in the public statements he’s made about the agency he headed under President Jimmy Carter. He maintained that his former colleagues “only act in accordance with law.” When asked whether the president had the legal authority to order the surveillance, Inman replied in December, “Someone else would have to give you the good answer.” But sitting in a brightly lit basement auditorium at the library next to James Risen, the New York Times reporter who broke the surveillance story, Inman’s tone changed. He called on the president to “walk into the modern world” and change the law governing the wiretaps -- or abandon the program altogether. http://www.wired.com/news/technology/0,70855-0.html?tw=rss.index
USC HACKER CASE PIVOTAL TO FUTURE WEB SECURITY (Information Week, 9 May 2006) -- Eric McCarty, a 25-year-old San Diego resident, in April was charged with hacking into the University of Southern California’s computer system and accessing confidential information submitted by students applying to the school. The case, in which McCarty claims he was simply trying to warn USC of possible security flaws in its Web site, will likely be a watershed event in the area of security research, particularly if McCarty is convicted to the full extent of the law and forced to serve 10 years in a federal prison. McCarty’s case lifts the hood on Web security, exposing a number of legal, ethical, and technical questions that to date have no easy answers. No one disagrees that McCarty broke the law. Whether McCarty was wrong or unethical is an altogether different question. And then there’s the matter of the penalty for his indiscretion. A decade in a federal prison comes across as a bit extreme to many IT security pros, particularly considering McCarty’s willingness to cooperate with the FBI once the bureau began its investigation. The SQL database connected to USC’s online applicant Web site contains Social Security numbers, birth dates, and other information for more than 275,000 applicants since 1997. After finding a vulnerability in the site’s login system, McCarty staged an SQL injection attack to gain access to the database. An SQL injection takes place when a hacker enters instructions into an improperly secured Web data field in order to gain control of that application. USC’s site was subsequently shut down for two weeks during June 2005 as the university addressed the issue. McCarty made his initial appearance in U.S. District Court in Los Angeles on April 28. Many security pros agree that McCarty’s intention of improving the security of USC’s Web site was commendable, and that USC should acknowledge this. 
But these same security pros are negative on McCarty’s move to hack the site without first getting permission from the university. “McCarty was trying to prove a point,” says Rick Fleming, VP of security and risk management consulting for Digital Defense Inc., which offers penetration testing services. “Part of me commends him for saying, ‘Hello, wake up.’ But he crossed an ethical boundary because he didn’t have permission to test that system, and he broke the law.” Security researchers are at the most basic level guided by an online document known as RFPolicy, which unofficially lays out the process for researchers to communicate with software developers and vendors about any bugs the researchers find in the developer’s software. The purpose of RFPolicy, which was conceived by a security expert known as Rain Forest Puppy, is “to quash assumptions and clearly define intentions, so that both parties may immediately and effectively gauge the problem, produce a solution, and disclose the vulnerability.” RFPolicy, which dates back five or six years, was designed to police how researchers disclose vulnerabilities to software vendors, says Jeremiah Grossman, a former Yahoo information security officer who’s now founder and chief technology officer with Web application security provider WhiteHat Security Inc. “Everyone was intrigued that someone put a line in the sand,” he says of security researchers’ reaction to this informal edict. But RFPolicy isn’t recognized by any standards or legal entity. It also doesn’t address the crucial question of how researchers can legally go about finding flaws in Web applications running in someone else’s IT environment. http://www.informationweek.com/news/showArticle.jhtml?articleID=187201428
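The article above describes the flaw only in one sentence: a login form whose input is pasted into an SQL query. The following is an added example, not code from the article or from USC's system, showing that pattern beside its parameterized replacement on a constructed in-memory SQLite table (the table, user names and plaintext passwords are made up for the demonstration; a real system would store password hashes):

```python
import sqlite3

# Constructed sample data: a tiny stand-in for an applicant login table.
# (Not any real schema; credentials are invented for this example.)
SAMPLE_USERS = [
    ("alice", "correct horse"),
    ("bob", "battery staple"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'improperly secured data field' from the article: the query is built
    by string concatenation, so a quote character in the input becomes SQL syntax
    and can change the WHERE clause instead of being compared as data."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The same check with bound parameters: the driver sends the input as values,
    never as part of the statement text, so the same input simply fails to match."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both versions against a valid credential and against the textbook
    quote-and-OR input, and return which ones granted access."""
    conn = make_db()
    # Classic input that turns `password = ''` into `password = '' OR '1'='1'`
    # when concatenated; bound as a parameter it is just a string nobody uses.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_injected": login_vulnerable(conn, "nobody", tautology),
        "param_valid": login_parameterized(conn, "alice", "correct horse"),
        "param_injected": login_parameterized(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'access granted' if granted else 'denied'}")
```

The vulnerable version grants access for the non-existent user "nobody"; the parameterized version denies it while still accepting the genuine credential, which is the "simple, low-cost, readily available" defense the FTC item later in this issue refers to.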
OVEREXPOSED? (InsideHigherEd.com, 10 May 2006) -- A lecturer at the University of Southern California said she started a blog because her students wanted “more of me after our class time has ended,” she wrote. And they got it. Diana Blaine, who lectures on feminist theory, recently linked her blog to an online photo album that has topless photos of her near a painting of a topless woman, and at Burning Man, an annual weeklong festival in Nevada where clothing is optional. After a student who has made a habit of criticizing Blaine on his blog, “Cardinal Martini,” linked to the photos, an NBC station in Los Angeles reported that the pictures are “causing concern,” bringing Blaine even more exposure. NBC’s claim of “concern” about the photos, however, seems dubious, as Blaine said she hasn’t heard from any of her colleagues or the university about it. A USC spokesman said that no policies have been violated, so the university is not pursuing the matter. http://insidehighered.com/news/2006/05/10/usc
FTC SETTLES DATA SECURITY CASE (InfoWorld, 10 May 2006) -- Nations Holding Co. (NHC), a real-estate firm operating in 44 U.S. states, has settled a data security case after the U.S. Federal Trade Commission (FTC) accused it of allowing a common Web attack to compromise customer data, the FTC announced Wednesday. The FTC also accused NHC and its Nations Title Agency (NTA) subsidiary of disposing of home-loan applications containing customers’ personal data by throwing them into a public dumpster. NHC, a privately held company in Kansas City, Kansas, must improve its information security practices and submit to biennial audits of its security practices for the next 20 years under the FTC settlement, FTC chairwoman Deborah Platt Majoras said. The settlement bars the company and owner Christopher Likens from making deceptive claims about privacy and security policies. Majoras called NHC’s data-handling practices “careless” during a speech at a Washington, D.C., data security conference sponsored by the Progress & Freedom Foundation, a free-market think tank. “Data security has been surprisingly lax at a number of companies,” she said. “The cases we’re bringing have not been close calls.” NHC and NTA routinely obtain personal consumer information, including names, Social Security numbers, credit histories, and bank and credit card numbers, from banks, real-estate brokers and customers, the FTC said. NHC and NTA made claims about their privacy and security policies that they did not honor, the FTC said. Since 2003, the companies failed to deploy several data-protection measures, the FTC said:
-- They failed to assess risks to the information they collected and stored, both online and offline.
-- They did not implement “simple, low-cost, readily available” defenses to common Web site attacks.
-- They failed to implement “reasonable” policies in key areas such as employee screening and training, as well as the handling of personal data.
-- They did not employ reasonable measures to detect and respond to unauthorized access to data and did not conduct security investigations. http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/10/78177_HNftcsettlescase_1.html
NEW SECURITY GLITCH FOUND IN DIEBOLD SYSTEM (InsideBayArea.com, 10 May 2006) -- Elections officials in several states are scrambling to understand and limit the risk from a “dangerous” security hole found in Diebold Election Systems Inc.’s ATM-like touch-screen voting machines. The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways. “This one is worse than any of the others I’ve seen. It’s more fundamental,” said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa. “In the other ones, we’ve been arguing about the security of the locks on the front door,” Jones said. “Now we find that there’s no back door. This is the kind of thing where if the states don’t get out in front of the hackers, there’s a real threat.” This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available. A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official let the expert examine the machines. http://www.insidebayarea.com/ci_3805089
WHAT’S DRIVING THE NEXT TELECOM LAW (Berkman’s Filter, by David S. Isenberg, May 2006) -- The COPE (Communications, Promotion, and Enhancement) bill in the House of Representatives, and a similar, but more detailed Senate telecommunications bill are racing towards enactment by summer. The likely new law is propelled by the nation’s big telephone companies’ perceived business need to deliver video entertainment along with voice telephony and Internet services. The triple-application formula fits the old telco/cableco business model, i.e., collecting fees for delivering established applications and using these fees to subsidize the delivery network. This old model is threatened because today’s Internet can support voice and video, and infinitely more, delivered from its edges by third-party application providers. Indeed, third parties like Skype and Vonage are breaking out all over and rudimentary video services are popping up like dandelions. National TV franchising will replace thousands of local city-by-city agreements to ease telco entry into video services. This will institutionalize the voice, video and Internet service bundle so only big players, “rational competitors,” as cablecos and telcos like to call themselves, can participate. Telephone companies have been weakened by the onslaught of new technology. The number of dial-up lines, which are the foundation of their business, has been falling since 2001. In 2003, the number shrank by 4%, and the trend is accelerating. Meanwhile, telcos have not figured out how to make money selling simple Internet connectivity, so they need de jure preservation by Congress. Until this decade, law has treated the telephone network as a public accommodation, meaning that non-discriminatory access to the network, known as network neutrality in the current policy debate, was assured. 
On the Internet, though, non-discriminatory access leads straight to the erosion of the telco/cableco business model by third parties that would not behave as “rational competitors.” This is why telephone companies are fighting fiercely against non-discriminatory access. Recently they have been successful in the courts and the FCC, and the current House bill contains ineffectual, hard-to-enforce non-discrimination provisions. The Internet succeeded largely due to non-discriminatory access. That is what permitted third parties to create (and find markets for) e-mail, the Web, e-commerce, chat, online music, blogging, and virtual-world gaming. With it, there’d be more of the same tomorrow. An Internet that is made discriminatory to save the telcos is likely to remind us of Bruce Springsteen’s song, “57 Channels (and Nothing On).” The problem we should be solving is not how to change the Internet to save the telcos, but how to have a growing and innovative Internet without them. http://cyber.law.harvard.edu/home/filter/ [Related powerpoint at http://cyber.law.harvard.edu/audio/uploads/47/Next_Telecom_Act.ppt]
WIKI-LAW: THE ‘WIKIPEDIA’ OF LAW (Robert Ambrogi’s blog, 10 May 2006) -- I’ve become a big fan and regular user of Wikipedia, the free, user-edited encyclopedia. Last fall, Cornell’s Legal Information Institute launched the legal dictionary and encyclopedia Wex, which, like Wikipedia, is collaboratively written and edited by users. Now, another legal wiki has launched, Wiki-Law, and its co-founder says its mission “is to become the Wikipedia of the legal world.” A wiki, according to Wikipedia, is “a type of website that allows users to easily add, remove, or otherwise edit all content, very quickly and easily, sometimes without the need for registration.” The new WikiLaw describes its purpose as being “to create a free, complete, up-to-date and reliable world-wide legal guide and resource.” Users can contribute content in any of seven categories: Dictionary, Forms, Statutes, Case Briefs, Law Firm Profiles, Law School Profiles and Law Journal Profiles, or they can write their own blog or submit an interesting law related link. Not much there yet, but I hope the idea takes off. http://www.legaline.com/2006/05/wiki-law-wikipedia-of-law.html
REPORT: U.S. SPIES ON EVERYONE (Wired, 12 May 2006) -- Congressional Democrats demanded answers from the Bush administration Thursday about a report that the government secretly collected records of ordinary Americans’ phone calls to build a database of every call made within the country. “It is our government, it’s not one party’s government. It’s America’s government. Those entrusted with great power have a duty to answer to Americans what they are doing,” said Sen. Patrick Leahy of Vermont, the ranking Democrat on the Senate Judiciary Committee. AT&T, Verizon and BellSouth telephone companies began turning over records of tens of millions of their customers’ phone calls to the National Security Agency program shortly after the Sept. 11, 2001, terrorist attacks, said USA Today, citing anonymous sources it said had direct knowledge of the arrangement. http://www.wired.com/news/wireservice/0,70878-0.html
-- and --
DOJ DROPS WIRETAP INVESTIGATION (Wired, 11 May 2006) -- The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers security clearance. The Justice Department’s Office of Professional Responsibility, or OPR, sent a fax Wednesday to Democratic Rep. Maurice Hinchey of New York saying it was closing its inquiry because without clearance it could not examine department lawyers’ role in the program. “We have been unable to make any meaningful progress in our investigation because OPR has been denied security clearances for access to information about the NSA program,” OPR counsel H. Marshall Jarrett wrote to Hinchey. Hinchey’s office shared the letter with The Associated Press. http://www.wired.com/news/wireservice/0,70879-0.html
-- and --
BELLSOUTH DENIES GIVING CALL DATA TO NSA (Reuters, 15 May 2006) -- BellSouth, the No. 3 U.S. local telephone carrier, on Monday denied turning over customer telephone records to the National Security Agency on a large scale as part of the NSA’s call-tracking program to detect terrorist plots. USA Today reported last week that BellSouth, AT&T, and Verizon Communications had turned over tens of millions of consumers’ telephone records to the NSA so it could analyze call patterns. BellSouth said in a statement Monday that it did not have a contract with the NSA, which is tasked with eavesdropping on foreign communications and protecting U.S. government communications. “Based on our review to date, we have confirmed no such contract exists and we have not provided bulk customer calling records to the NSA,” BellSouth said in a statement. President Bush, who did not confirm or deny the USA Today report, said last week that intelligence activities he has authorized were legal and the government was not rifling through Americans’ personal lives or eavesdropping on domestic calls without court approval. Still, a Democrat commissioner on the Federal Communications Commission called for the agency to investigate whether BellSouth and the two largest U.S. telephone companies broke the law by reportedly disclosing consumers’ calling records to the NSA. “The FCC should initiate an inquiry into whether the phone companies’ involvement violated Section 222 or any other provisions of the Communications Act,” said FCC Commissioner Michael Copps, one of two Democrats on the five-member FCC. Section 222 of the 1934 Communications Act requires telecommunications carriers to protect the confidentiality of certain consumer call information, “except as required by law” or when the customer approves its release. http://news.com.com/BellSouth+denies+giving+call+data+to+NSA/2100-1028_3-6072600.html?tag=nefd.top
-- and --
THE NSA IS ON THE LINE -- ALL OF THEM (Salon.com, 15 May 2006) -- When intelligence historian Matthew Aid read the USA Today story last Thursday about how the National Security Agency was collecting millions of phone call records from AT&T, Bell South and Verizon for a widespread domestic surveillance program designed to root out possible terrorist activity in the United States, he had to wonder whether the date on the newspaper wasn’t 1976 instead of 2006. Aid, a visiting fellow at George Washington University’s National Security Archive, who has just completed the first book of a three-volume history of the NSA, knew the nation’s bicentennial marked the year when secrets surrounding another NSA domestic surveillance program, code-named Project Shamrock, were exposed. As fireworks showered New York Harbor that year, the country was debating a three-decades-long agreement between Western Union and other telecommunications companies to surreptitiously supply the NSA, on a daily basis, with all telegrams sent to and from the United States. The similarity between that earlier program and the most recent one is remarkable, with one exception -- the NSA now owns vastly improved technology to sift through and mine massive amounts of data it has collected in what is being described as the world’s single largest database of personal information. And, according to Aid, the mining goes far beyond our phone lines. The controversy over Project Shamrock in 1976 ultimately led Congress to pass the 1978 Foreign Intelligence Surveillance Act and other privacy and communication laws designed to prevent commercial companies from working in cahoots with the government to conduct wholesale secret surveillance on their customers. But as stories revealed last week, those safeguards had little effect in preventing at least three telecommunications companies from repeating history. 
Aid, who co-edited a book in 2001 on signals intelligence during the Cold War, spent a decade conducting more than 300 interviews with former and current NSA employees for his new history of the agency, the first volume of which will be published next year. Aid spoke with Salon about how the NSA has learned to maneuver around Congress and the Department of Justice to get what it wants. He compared the agency’s current data mining to Project Shamrock and Echelon, the code name for an NSA computer system that for many years analyzed satellite communication signals outside the U.S., and generated its own controversy when critics claimed that in addition to eavesdropping on enemy communication, the satellites were eavesdropping on allies’ domestic phone and e-mail conversations. Aid also spoke about the FBI’s Carnivore program, designed to “sniff” e-mail traveling through Internet service providers for communication sent to and from criminal suspects, and how the NSA replaced the FBI as the nation’s domestic surveillance agency after 9/11. [Editor: An extremely interesting interview follows.] http://www.salon.com/news/feature/2006/05/15/aid_interview/
-- and --
CONGRESS MAY MAKE ISPS SNOOP ON YOU (Wired, 16 May 2006) -- A prominent Republican on Capitol Hill has prepared legislation that would rewrite Internet privacy rules by requiring that logs of Americans’ online activities be stored, CNET News.com has learned. The proposal comes just weeks after Attorney General Alberto Gonzales said Internet service providers should retain records of user activities for a “reasonable amount of time,” a move that represented a dramatic shift in the Bush administration’s views on privacy. Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, is proposing that ISPs be required to record information about Americans’ online activities so that police can more easily “conduct criminal investigations.” Executives at companies that fail to comply would be fined and imprisoned for up to one year. In addition, Sensenbrenner’s legislation -- expected to be announced as early as this week -- also would create a federal felony targeted at bloggers, search engines, e-mail service providers and many other Web sites. It’s aimed at any site that might have “reason to believe” it facilitates access to child pornography -- through hyperlinks or a discussion forum, for instance. http://news.com.com/Congress+may+make+ISPs+snoop+on+you/2100-1028_3-6072601.html?tag=nefd.lede
-- and --
FCC WON’T INVESTIGATE AT&T/NSA ALLEGATIONS (Broadband Reports.com, 23 May 2006) -- In a letter sent to Democrat Ed Markey, FCC chief Kevin Martin says “the classified nature of the NSA’s activities makes us unable to investigate the alleged violations.” Those violations allegedly include handing over customer phone and Internet activity records wholesale to the NSA. Markey responded to Martin in a statement: “We can’t have a situation where the FCC, charged with enforcing the law, won’t even begin an investigation of apparent violations of the law because it predicts that the administration will roadblock any investigations citing national security.” “If the FCC initiates an investigation and gets blocked by the White House, then the White House is stonewalling. But if the FCC refuses to even demand answers, then the White House never has to block the enforcement agency from getting to the bottom of this. The American people deserve answers.” http://www.dslreports.com/shownews/74740
CHINESE VERSION OF WIKIPEDIA IS LAUNCHED (SiliconValley.com, 12 May 2006) -- China’s biggest Internet search site, Baidu.com, has launched a Chinese-language encyclopedia inspired by the cooperative reference site Wikipedia, which the communist government bars China’s Web surfers from seeing. The Chinese service, which debuted in April, carries entries written by users, but warns that it will delete content about sex, terrorism and attacks on the government. Government censors blocked access last year to Wikipedia, apparently due to concern about its references to Tibet, Taiwan and other topics. The emergence of Baidu’s encyclopedia reflects efforts by Chinese entrepreneurs to take advantage of conditions created by the government’s efforts to simultaneously promote and control Internet use. Baidu calls its site Baike - pronounced “bye kuh” - or “One Hundred Chapters.” It says users have written more than 25,000 entries in the past week alone on cooking, the stock market, Chinese tourist sites and other topics. Wikipedia, by comparison, currently has more than 2.7 million entries. Baidu said managers weren’t immediately available to answer questions about the site. But Chairman Robin Li told The Financial Times newspaper this week that it was inspired by Wikipedia, though he said he hasn’t seen the U.S.-based site. “I certainly hope our encyclopedia will be the most authoritative one for any Chinese users,” Li was quoted as saying. http://www.siliconvalley.com/mld/siliconvalley/14563324.htm
CREDIT CARD SECURITY RULES TO GET UPDATE (CNET, 15 May 2006) -- Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption. The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday. The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. “There is an increase in application level attacks,” Maxwell said. While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data. “Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more acceptable compensating and mitigating controls,” he said. http://news.com.com/Credit+card+security+rules+to+get+update/2100-1029_3-6072594.html?tag=nefd.top
SOCIAL NETWORKS ATTRACT NEARLY HALF OF ALL WEB USERS (TechWeb.com, 15 May 2006) -- The number of visitors to the top 10 social-networking sites soared in April, attracting nearly half of all Web users, a market research firm says. The top 10 sites collectively grew 47 percent in the United States from the same month a year ago to 68.8 million unique visitors, Nielsen/NetRatings said. The sites reached 45 percent of active Web users. MySpace, owned by News Corp. and a favorite among teens and young adults, topped the list with a year-over-year growth rate of 367 percent to 38.4 million unique users. Blogger, owned by Google Inc., was second with 18.5 million visitors and an 80 percent growth rate. Classmates Online grew 10 percent to 12.9 million visitors, and YouTube and Microsoft’s MSN Groups, which saw a 14 percent drop in visitors, rounded out the top five with 12.5 million and 10.6 million, respectively. http://news.yahoo.com/s/cmp/20060513/tc_cmp/187202833
PORN MAKER ALLOWS DOWNLOADS FOR TV VIEWING (AP, 15 May 2006) -- Hollywood has been tiptoeing its way toward letting consumers buy a movie online, burn it onto a DVD and watch it on a living-room TV. While the studios hesitate, the adult film industry is taking the leap. Starting Monday, Vivid Entertainment says it will sell its adult films through the online movie service CinemaNow, allowing buyers to burn DVDs that will play on any screen, not just a computer. It’s another first for adult film companies that pioneered the home video market and rushed to the Internet when Hollywood studios still saw it as a threat. “Leave it to the porn industry once again to take the lead on this stuff,” said Michael Greeson, founder of The Diffusion Group, a consumer electronics think tank in Plano, Texas. “The rest of Hollywood stands back and watches and lets the pornography industry work out all the bugs,” he said. Vivid says its downloads, which will cost $19.95, do not use CSS. Instead, online retailer CinemaNow is using an alternate, proprietary system that it says will protect the adult movies by preventing the burned DVD from being copied to other discs. http://news.yahoo.com/s/ap/20060515/ap_on_hi_te/porn_downloads_7
SUPREME COURT BURIES PATENT TROLLS (Forbes, 16 May 2006) -- The U.S. Supreme Court has tipped the balance in patent disputes ever so slightly toward the end users of patented technology and away from inventors, owners of intellectual property and the hated “patent trolls”--companies that make money by suing for infringement of patents they own but don’t use. In a victory for eBay, the justices ruled unanimously that federal courts must weigh several factors before barring a patent infringer from using a contested technology or business method. The online auction house had petitioned the Supreme Court to review the practice of automatically issuing a permanent injunction whenever a patent was found valid and infringed, arguing that the standard was not grounded in the law. At stake for eBay was the viability of the popular, fixed-price “Buy It Now” section of its Web site. MercExchange, a tiny Virginia-based patent-holding company, won millions of dollars in damages when it successfully sued eBay for violating one of its patents related to the fixed-price auction feature. Now the case will be sent back to the district court where eBay originally won the right to continue operating “Buy It Now” while it designs around the patents. For years now, the U.S. Court of Appeals--the Federal Circuit in Washington, D.C., which reviews all appeals of patent suits--has slapped infringers with permanent injunctions as a matter of course, except in the most extreme circumstances. But the Supreme Court ruled that traditional “principles of equity” must be taken into account before such a drastic sanction is imposed. These principles include whether the patent holder has suffered irreparable damage or whether monetary awards might be enough to compensate for the harm done to the patent holder. 
In this case, a district court stopped short of forcing eBay to shut down the service entirely, saying that MercExchange wouldn’t be harmed if eBay continues to offer the service while it tries to design around the patents. MercExchange hasn’t used its patents, the court wrote, and could eventually be compensated with additional monetary damages if the infringing continued. But on appeal, the Federal Circuit stuck to its rule of always handing down injunctions and reversed the decision. The high court’s decision deals a blow to patent trolls, which are notorious for using the threat of permanent injunction to extort hefty fees in licensing negotiations as well as huge settlements from companies they have accused of infringing. http://www.forbes.com/home/businessinthebeltway/2006/05/15/ebay-scotus-patent-ruling-cx_jh_0516scotus.html
RECORD LABELS SUE XM OVER PORTABLE DEVICE (New York Times, 17 May 2006) -- The recording industry on Tuesday sued XM Satellite Radio Holdings Inc., alleging its Inno device that can store music infringes on copyrights and transforms a passive radio experience into the equivalent of a digital download service like iTunes. A spokesman for the Recording Industry Association of America, comprising major labels such as Vivendi Universal’s Universal Music Group, Warner Music Group Corp., EMI Group Plc and Sony BMG, said the suit was filed on Tuesday in New York federal court. The suit accuses XM Satellite of “massive wholesale infringement,” and seeks $150,000 in damages for every song copied by XM customers using the devices, which went on sale earlier this month. XM, with more than 6.5 million subscribers, said it plays 160,000 different songs every month. “...Because XM makes available vast catalogues of music in every genre, XM subscribers will have little need ever again to buy legitimate copies of plaintiffs’ sound recordings,” the lawsuit says, referring to the handheld “Inno” device. The suit says that XM has touted its service’s advantages over the iPod and cites XM’s advertising literature that says “It’s not a Pod. It’s the mothership.” XM said the Inno, which is manufactured by Pioneer Corp. (6773.T), is a legal device that allows consumers to listen to and record radio just as the law has allowed for decades. While the labels are asserting the device has transformed radio broadcasts into a download service, XM said the device does not allow consumers to transfer recorded content. XM also said that content recorded from radio broadcasts like XM’s is not on demand, in contrast to the content people buy from online music stores like Apple Computer Inc.’s (AAPL.O) popular iTunes service. XM said it will vigorously defend this lawsuit on behalf of consumers and also called the lawsuit a bargaining tactic.
“ECONOMIC LOSS” RULE BARS NEGLIGENCE CLAIM IN BREACH LAWSUIT, COURT RULES (Steptoe & Johnson’s E-Commerce Law Week, 18 May 2006) -- The difficulty of proving damages can sometimes make it tricky to bring negligence lawsuits against companies that have suffered computer security breaches. And even if damages can be proven, certain damages just don’t count. That’s the gist of the common law “economic loss” rule, which bars recovery on a negligence claim for purely economic losses. According to this rule, plaintiffs must prove something more, such as physical injury or damage to personal property. And this rule applies not just to suits by individuals, but also to suits brought by plaintiff companies, according to recent federal court decisions involving suits by banks against BJ’s Wholesale Club, Inc. See Sovereign Bank v. B.J.’s Wholesale Club, Inc., and Banknorth, N.A., v. B.J.’s Wholesale Club, Inc. So while banks and other companies stand to benefit from this rule when they’re the defendants in a breach case, they could suffer from it when they’re the plaintiffs and are trying to recover for losses caused by someone else’s bad security. It remains to be seen whether the economic loss doctrine is consistently applied in the relatively new area of breach lawsuits, or whether courts begin to develop ways to allow plaintiffs to get around it. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&siteType=Office&pubItemId=12426
SYMANTEC SUES MICROSOFT OVER STORAGE TECH (CNET, 18 May 2006) -- Symantec has launched a suit charging Microsoft with misappropriating its intellectual property and with violating a license related to data storage technology. The suit, filed Thursday in U.S. District Court for the Western District of Washington in Seattle, seeks unspecified damages and an injunction barring Microsoft from using the Symantec technology, which would include a halt on Windows Vista and the Longhorn server, according to a copy of the filing. “We are accusing them of misusing certain intellectual property that they had access to...and (saying) that they misused our intellectual property in operating system products,” Michael Schallop, the director of legal affairs at the security company, said in an interview. It is the first time Microsoft and Symantec have been pitted against each other in court, he said. The complaint involves Symantec’s Volume Manager product, acquired as part of the company’s takeover of Veritas Software. Volume Manager allows operating systems to store and manipulate large amounts of data. Microsoft licensed a “light” version of Volume Manager from Veritas in 1996 and used it in Windows 2000, Schallop said. The Redmond, Wash., company then used it to develop functionality for Windows Server 2003, which competes with Veritas’ Storage Foundation for Windows, Schallop said. Microsoft also misuses Symantec’s technology in Windows Vista and the Longhorn server release, Symantec charges in its complaint. It seeks an injunction to stop Microsoft from further developing, selling or distributing Vista, Longhorn server and all other infringing products, as well as a recall of all products already in the market, according to the complaint. “The breaches of the agreement and IP violations began after Windows 2000...They were not allowed to use that intellectual property to develop products that compete against Veritas,” Schallop said. 
“They have used our intellectual property in terms of trade secrets and source code to develop competing products.” Additionally, Schallop said, Veritas discovered about two years ago that Microsoft had filed patent requests based on Veritas’ trade secrets. “They claimed they had invented something that they had not,” he said. Symantec and Microsoft have tried to resolve the dispute, but were unable to. “We recently agreed to disagree and let the courts help us resolve the dispute,” Schallop said. “We think that we will prevail through trial.” A Microsoft representative confirmed the dispute and the attempts to reach an agreement outside of the courts. The argument stems from a “very narrow disagreement” over the terms of a 1996 contract with Veritas, the representative said in a statement. “These claims are unfounded because Microsoft actually purchased intellectual property rights for all relevant technologies from Veritas in 2004,” the representative said. “We believe the facts will show that Microsoft’s actions were proper and are fully consistent with the contract between Veritas and Microsoft.” http://news.com.com/Symantec+sues+Microsoft+over+storage+tech/2100-1014_3-6074055.html?tag=nefd.top
EUROPE: NO PATENTS FOR SOFTWARE (CNET, 24 May 2006) -- Software patent campaigners have reacted with surprise to an apparent change in the European Commission’s stance on those patents. The Commission said last week that computer programs will be excluded from patentability in the upcoming Community Patent legislation and that the European Patent Office will be bound by this law. “The EPO would...apply and be bound by a new unitary Community law with respect to Community patents,” the Commission said in a statement. “The draft Community Patent regulation confirms in its Article 28.1(a) that patents granted for a subject matter (such as computer programs), which is excluded from patentability pursuant to Article 52 EPC, may be invalidated in a relevant court proceeding.” This statement appears to contradict one made by the EC last year, when it said that the EPO would continue to grant software patents that make a technical contribution, despite the European Parliament’s decision to reject the software patent directive. That directive would have widened the extent to which software could be patented. http://news.com.com/2100-1014_3-6076418.html
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
MIRLN stands for Miscellaneous IT Related Legal News, since 1997 a free monthly e-newsletter edited by Vince Polley (www.knowconnect.com). Earlier editions, and email delivery subscription information, are at http://www.knowconnect.com/mirln/
Friday, May 26, 2006
Friday, May 05, 2006
MIRLN -- Misc. IT Related Legal News [15 April – 5 May 2006; v9.06]
BORDER SECURITY SYSTEM LEFT OPEN (Wired, 12 April 2006) -- A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News. The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists. The Aug. 18 computer failure led to long lines at international airports in Los Angeles, San Francisco, Miami and elsewhere, while U.S. Customs and Border Protection, or CBP, officials processed foreign visitors by hand, or in some cases used backup computers, according to contemporaneous press reports. Publicly, officials initially attributed the failure to a virus, but later reversed themselves and claimed the incident was a routine system failure. DHS CBP officials have released six pages of heavily redacted documents about the Aug. 18 computer failure. But two CBP reports obtained under the Freedom of Information Act show that the virulent Zotob internet worm infiltrated agency computers the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at nearly 300 airports, seaports and land border crossings around the country. “When the virus problems appeared on (CBP) workstations Thursday evening, the decision was made to push the patch, immediately, to the ... US-VISIT workstations. Most workstations had received the patch by midnight and US-VISIT was back in operation at all locations,” reads a CBP summary of the incident. http://www.wired.com/news/technology/1,70642-0.html
UNITED STATES SUPREME COURT APPROVES ELECTRONIC DISCOVERY AMENDMENTS TO FRCP (April 14, 2006) -- On Wednesday, April 12, 2006, the United States Supreme Court approved, without comment or dissent, the entire package of proposed amendments to the Federal Rules of Civil Procedure concerning the discovery of “electronically stored information.” The package includes revisions and additions to Rules 16, 26, 33, 34, 37, and 45, as well as Form 35. The proposed amendments were transmitted to the Supreme Court last September, after the Judicial Conference unanimously approved them. The new rules and amendments have now been transmitted to Congress and will take effect on December 1, 2006, unless Congress enacts legislation to reject, modify, or defer the amendments. The amendments may be accessed on the U.S. Court’s Federal Rulemaking website at: http://www.uscourts.gov/rules/newrules6.html#cv0804
-- and --
PANEL PROVIDES PLUG FOR PRIVILEGE HOLE (ABA Journal, 5 May 2006) -- A proposal to help protect attorney-client privilege during electronic discovery has been hammered out at a conference on federal evidence rules. The proposed rule change would allow privileged documents that are released to opposing counsel inadvertently or called back under a claw-back agreement to be protected from third parties seeking the documents in other cases, including in state court proceedings. To be able to bind the states, Congress will have to adopt the proposed rule directly, under its commerce clause authority, according to a commentary to the proposed Rule 502. At the request of the chairman of the U.S. House Judiciary Committee, the Advisory Committee on Federal Rules of Evidence conducted a miniconference on proposed Rule 502 at Fordham University last month. The committee was asked to consider how privilege is handled in litigation so as not to jeopardize attorney-client privilege. In some cases, lawyers waive privilege with an understanding from opposing counsel that they can withdraw privileged documents from the record before trial. This is often known as claw-back. However, many courts have ruled that agreements giving one side the claw-back privilege do not apply to outside parties. Suddenly, litigants in different lawsuits against a company can have access to those clawed-back documents. In other situations, attorneys inadvertently disclose documents protected by the attorney-client privilege or the work product doctrine during discovery of voluminous electronic documents. For example, ExxonMobil claims its employees generate 5.2 million e-mails each day and use 65,000 desktop computers and 30,000 laptops. The storage capacity of the average computer issued to employees is 40 gigabytes, which is equal to roughly 20 million typewritten pages. 
Currently, courts are in conflict over whether and in what circumstances inadvertent disclosure results in a waiver of the privilege. To address the problems, proposed Rule 502(b) protects documents inadvertently disclosed in federal proceedings from use in federal or state proceedings if the holder of the privilege took reasonable precautions to avoid disclosure and took reasonably prompt measures to correct the error after its discovery. Proposed Rule 502(e) provides that parties can enter into an agreement to limit waiver of claw-back documents, and such an agreement can bind third parties if it is incorporated in a court order. http://www.abanet.org/journal/ereport/my5evidence.html
DATA EXPOSURE: COUNTIES ACROSS THE U.S. POSTING SENSITIVE INFO ONLINE (Computer World, 12 April 2006) -- Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver’s license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access. The exposure follows the failure to redact sensitive information from land records and other public documents posted on the Internet and makes county Web sites a veritable treasure trove of information for identity thieves and other criminals, according to a number of privacy advocates. “These sites are just spoon-feeding criminals the information they need,” said B.J. Ostergren, a privacy advocate based in Richmond, Va. “But no one appears to be seeing it and nobody’s changing the laws,” she said. Among the pieces of personally identifiable information from county Web sites made available to Computerworld by Ostergren and other privacy advocates were: Rep. Tom Delay’s Social Security number on a tax lien document; the Social Security numbers for Florida Gov. Jeb Bush and his wife on a quit claim deed from 1999; driver’s license numbers, addresses, vehicle registration information, height and race of individuals arrested for traffic violations; names and dates of birth of minors from final divorce decrees and family court documents; and even complete copies of death certificates with Social Security numbers, dates of birth and cause of death. (The Social Security numbers for Bush and his wife have been redacted and are no longer available online.) http://www.computerworld.com/printthis/2006/0,4814,110453,00.html
JUDGE FINDS WELLS FARGO NOT NEGLIGENT IN DATA THEFT CASE (ZDnet.com, 14 April 2006) -- A US District Judge in Minnesota ruled that two people who had filed a class action lawsuit against Wells Fargo had not actually suffered any damages and were thus unable to demonstrate “reasonably certain future injury” due to the theft of computer hardware from a Wells Fargo contractor. The hardware contained unencrypted Wells Fargo customer data. The judge said the thieves never used the information and that the time and effort the plaintiffs spent monitoring their credit reports “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” The judge found Wells Fargo not negligent because the information was never misused by the thieves. http://news.zdnet.com/2102-9595_22-6061400.html?tag=printthis
REPORT DETAILS DMCA MISUSES (InternetNews.com, 14 April 2006) -- A new report from the Electronic Frontier Foundation (EFF) takes aim at the Digital Millennium Copyright Act (DMCA), a controversial law enacted seven years ago to protect intellectual property in the digital age. “Unintended Consequences: Seven Years Under the DMCA” is a collection of well-known and obscure stories about the misuses of the DMCA. Among those accounts is that of J. Alex Halderman, a graduate student at Princeton University who, in the fall of 2005, discovered the existence of serious security vulnerabilities in the CD copy-protection software on dozens of Sony BMG titles. But he delayed publishing his discovery for several weeks while consulting with lawyers in order to avoid DMCA pitfalls. This left millions of music fans at risk longer than necessary. In October 2003, Halderman had been threatened with a DMCA lawsuit after publishing a report documenting weaknesses in a CD copy-protection technology developed by SunnComm. Halderman revealed that holding down the shift key on a Windows PC would render SunnComm’s copy-protection technology ineffective. SunnComm executives threatened legal action under the DMCA. Stories like these show that “rather than being used to stop piracy, the DMCA has predominantly been used to threaten and sue legitimate consumers, scientists, publishers and competitors,” said EFF senior staff attorney Fred von Lohmann. The EFF notes that the DMCA’s anti-circumvention provisions, which are contained in Section 1201 of the act, were developed in response to obligations imposed on the U.S. by the 1996 World Intellectual Property Organization (WIPO) Copyright Treaty and the concerns of copyright owners that their works would be pirated and made available for download online. 
Section 1201 of the DMCA contains a ban on acts of circumvention of Digital Rights Management technologies -- technological measures used by copyright owners to control access to their works -- and a ban on the distribution of tools and technologies used for circumvention. In its report, the EFF notes that the ban on acts of circumvention applies even where the purpose for circumventing copyright protection would otherwise be legitimate or strike a logical person as legitimate, such as research intended to expose serious security flaws directly caused by copyright protection programming code. http://www.internetnews.com/bus-news/article.php/3599026 [The EFF report is here: http://www.eff.org/IP/DMCA/?f=unintended_consequences.html]
EU DATA RETENTION DIRECTIVE TO TAKE EFFECT, NOT WITHOUT CONTROVERSY (Steptoe & Johnson’s E-Commerce Law Week, 15 April 2006) -- The controversial new EU Data Retention Directive (“Directive”) was published April 13 in the Official Journal of the European Union. Under the Directive, which cleared its most important hurdle when it was adopted by the European Parliament last December, ISPs and fixed-line and mobile operators will be required to retain communications data of their EU customers (not including the content of communications). The Directive will take effect 20 days after publication, but the more important deadlines come later. EU member states will have until September 15, 2007, to implement the Directive for traditional telephone services and ordinary mobile voice services. For “Internet Access, Internet telephony and Internet e-mail”, member states had the option to declare that they would reserve the right to delay implementation until March 15, 2009, and 16 member states have exercised this option -- Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Slovenia, Sweden, and the United Kingdom. But nine member states did not, including three of the EU’s five biggest economies -- France, Italy, and Spain -- as well as Denmark, Hungary, Ireland, Malta, Portugal, and Slovakia. For these countries, the earlier deadline of September 15, 2007, will apply to Internet services as well. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=12255&siteId=547
ONE BORROWED SHARE, BUT ONE VERY REAL VOTE (New York Times, 16 April 2006) -- Some investors seem to be taking advantage of a loophole in financial regulations to cast shareholder votes that are far out of proportion to the number of shares they actually own, a new academic study suggests. The study, entitled “Vote Trading and Information Aggregation,” has been circulating in academic circles for several months. Its authors are the finance professors Susan E. K. Christoffersen of McGill University in Montreal, Christopher C. Geczy and David K. Musto of the Wharton School of the University of Pennsylvania and Adam V. Reed of the University of North Carolina. The authors describe a strategy that enables any investors, no matter how few of a company’s shares they own, to profoundly affect the outcome of corporate resolutions that are put to a vote at the annual shareholder meeting. In effect, a shareholder can borrow a large number of shares for a nominal fee and use them to cast a corresponding number of votes. As the study points out, the right to vote on a corporate resolution comes from possession, not ownership, of shares. That means a trader can borrow shares and thus be temporarily eligible to vote on corporate resolutions. The number of votes he can acquire is limited only by his ability to put up collateral -- which is required to be 102 percent of the value of shares borrowed -- and the number of shares available on the securities lending market. This market primarily serves those who wish to borrow shares in order to sell them short, but there is nothing to prevent its use by those whose motive is to influence the outcome of corporate votes. As long as you have the collateral, borrowing shares is very inexpensive. The annual cost can be as low as 20 basis points, or two-tenths of a percentage point, on the cash that is put up. And because the borrower must hold the shares for just one day in order to have voting rights, the interest can be almost nothing.
The cost to borrow $1 million of stock for one day, for example, could be less than $6, according to Professor Reed. The professors are convinced that many traders are taking advantage of this loophole. They reached this conclusion after studying what happens in the securities lending market immediately before and after the record dates for corporate votes. These are the dates when a shareholder needs to have possession of a stock in order to vote on a corporate resolution. The professors focused on 6,186 record dates for resolutions at publicly traded companies from November 1998 to October 1999. They found that on the typical record date, there was a significant spike in the number of borrowed shares. And they found an almost-as-big decline in such shares, on average, the day after those record dates. In their opinion, the only plausible explanation is that traders borrowed shares solely to acquire votes. http://www.nytimes.com/2006/04/16/business/yourmoney/16stra.html?ex=1302840000&en=2c7eea202b079dcc&ei=5090&partner=rssuserland&emc=rss Study at http://papers.ssrn.com/sol3/papers.cfm?abstract-id=686026
STITCHING UP HEALTH RECORDS: PRIVACY COMPLIANCE LAGS (eWeek, 16 April 2006) -- The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law. The bad news? All were supposed to have done so by April 2003. More bad news? The percentage hasn’t changed since last summer, meaning about 20 percent of health care companies are “unable or unwilling to implement federal privacy requirements,” according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS. And that’s just regarding the rule designed to make sure patient information isn’t sent to the wrong people or accessed by people without a right to know. Securing the data so hackers can’t force their way in is another category of compliance entirely. Meanwhile, as of April 21, another wave of companies will have the chance to be noncompliant, as the deadline passes for companies with less than $5 million in revenue to meet HIPAA Security standards. http://www.eweek.com/article2/0,1759,1949646,00.asp
KOREA: ONLINE COMMUNITIES TO BE MONITORED MONTHLY (AsiaMedia, 16 April 2006) -- The South Korean government plans to monitor the nation’s online communities every month, to crack down on an increasing number of personal information dealers within the virtual world. The Ministry of Information and Communication said the targets of the monthly surveillance plan would be cyber cafes and peer-to-peer (P2P) file-sharing sites. “We have come up with this scheme as Internet-based clubs and P2P sites are recognized as the main culprits for recent woes regarding identity theft,” said Suh Byung-jo, director general at the ministry. “To straighten things out, we will check unlawful activities at sites prone to wrongdoings at least once every month from now on and will report malpractices to the police,” he said. As Suh pointed out, Internet clubs and P2P sites have been the playground for personal data dealers who gain private information like resident registration numbers, the Korean version of North American social security numbers. The identity theft issue caught Korea, the most wired country on the planet, off guard in February, when complaints piled up that hackers were stealing private data from millions of Korean people. In addition to Internet clubs and P2P sites, the ministry seeks to check the nation’s 100,000 most-visited Web sites to shield them from hackers’ attacks. http://www.asiamedia.ucla.edu/article-eastasia.asp?parentid=43284
-- and --
CHINA BANS UNLICENSED E-MAIL SERVERS (ARS Technica, 17 April 2006) -- A new provision in an anti-spam law has apparently made it illegal to run an unlicensed e-mail server in China. The Chinese Ministry of Information Industry recently promulgated rules designed to crack down on the country’s spam epidemic, but buried in the new legislation is a requirement that so-called “E-mail Service Providers” must register with the government and receive a license in order to legally operate their mail servers. Though it does not appear that Chinese authorities are yet enforcing the law, the new regulations would make it illegal for any business to operate its own e-mail server without obtaining a government license. The licensing protocol also requires that server operators maintain logs of incoming and outgoing e-mails for 60 days, and it makes open relays illegal. While it contains some solid anti-spam provisions, the new law certainly seems designed to have a chilling effect on e-mail use. http://arstechnica.com/news.ars/post/20060417-6611.html
COURT FOLLOWS ProCD, RULES SHRINKWRAP LICENSE VALID (BNA’s Internet Law News, 20 April 2006) -- BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that a shrinkwrap agreement in which software licensing terms are disclosed within the box containing the software media is enforceable under California law. The court also held that a state-law claim for breach of the shrinkwrap license was not preempted by the Copyright Act. Case name is Meridian Project Sys. Inc. v. Hardin Construction Co. Article at http://pubs.bna.com/ip/bna/eip.nsf/eh/a0b2r0b1z5
N.Y. COUNTY REQUIRES SECURITY FOR WIRELESS BUSINESS NETWORKS (SiliconValley.com, 20 April 2006) -- Westchester County on Thursday enacted a law that is designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers’ credit card numbers or other financial information. The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures. As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic. “There are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential,” Spano said. “It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don’t.” Bruce Schneier, chief technical officer of Counterpane Internet Security Inc., said laws like Westchester’s are probably helpful “because the information companies have on their networks is more valuable to you than it is to them and the law gives them an incentive” to protect it. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14390363.htm
GAS GUZZLERS FIND PRICE OF FORGIVENESS (New York Times, 22 April 2006) -- To people who take the threat of global warming personally, driving a car that spews heat-trapping greenhouse gases into the atmosphere can be a guilt trip. But to help atone for that environmental sin, some drivers are turning to groups on the Internet that offer pain-free ways to assuage their guilt while promoting clean energy. It involves buying something known as a carbon offset: a relatively inexpensive way to stimulate the production of clean electricity. Just go to one of several carbon-offset Web sites, calculate the amount of carbon dioxide produced when you drive, fly or otherwise burn fossil fuels, and then buy an offset that pays for an equivalent amount of clean energy. Of course, emissions could be reduced the old-fashioned way — by flying less, turning off the air-conditioning or buying a more fuel-efficient car. But that would probably require some sacrifice and perhaps even a change in lifestyle. Instead, carbon-offset programs allow individuals to skip the sacrifice and simply pay for the right to pollute. “To some extent, it’s a way for people to buy their way into heaven,” said Chip Giller, who is president of Grist.org, an online environmental magazine. “On the other hand, this is such a big macro problem that this is one of the few things people can do to really make a difference.” While offsets do not actually eliminate pollution, they do enable groups like Carbonfund.org to use the money to stimulate the production of clean electricity, which is more costly than burning coal or oil. http://www.nytimes.com/2006/04/22/nyregion/22guilt.html?ex=1303358400&en=5d926991652f2cff&ei=5090&partner=rssuserland&emc=rss
THE CAMERA NEVER BLINKS, BUT IT MULTIPLIES (New York Times, 23 April 2006) -- It’s spring, and a new crop of police surveillance cameras is sprouting in cities big and small. New York is installing 500 on street corners; Chicago is upgrading several thousand; and even the city of Dillingham, Alaska, has 80 — one for every 30 residents. Many of these newer cameras can pan, tilt and zoom, and are networked through the Internet, so video images can be viewed and stored centrally. They are often purchased with homeland security funds, meant for use against terrorism as well as street crime. But it is impossible for a police department to continuously monitor 2,000, 500 or even, in the case of Dillingham, 80 cameras. So other than producing mountains of visual data — and raising the inevitable questions of privacy — how useful are they? Law enforcement officials argue that just putting up a camera in plain sight can deter crime. And some see a future in which software will analyze video for possible signs of terrorist activity, like someone placing a suitcase in front of a building. “We have seen significant dividends as a result of implementing this program,” said Andrew Velasquez III, director of the Office of Emergency Management and Communications in Chicago. Drug trafficking has been reduced in areas where cameras have been installed, he said. And the city is starting a pilot program to see whether automated analysis can be effective. But some security experts say the cameras are of limited value — largely in helping investigators after a crime — and are not cost-effective. They point to a large study by the Home Office in Britain, which has perhaps the world’s most videotaped population, that found cameras to be ineffective in reducing crime, except in locations like parking garages. And even scientists involved in the development of visual recognition software acknowledge that the programs do not work well enough yet.
“Cameras make people feel better,” said Bruce Schneier, an expert on security technology and the author of “Beyond Fear: Thinking Sensibly About Security in an Uncertain World.” “But they really don’t make sense. At best they move crime around a little bit.” http://www.nytimes.com/2006/04/23/weekinreview/23fountain.html?ex=1303444800&en=162661094fce8341&ei=5090&partner=rssuserland&emc=rss
JUDGE: NOT UNREASONABLE FOR CITY WORKERS TO SURF WEB (SiliconValley.com, 24 April 2006) -- Surfing the Web at work is equivalent to reading a newspaper or talking on the phone, an administrative law judge said in recommending the lightest possible punishment for a city worker accused of disregarding warnings to stay off the Internet. The case involved Toquir Choudhri, a 14-year veteran of the Department of Education, whose office computer had been used to visit news and travel Web sites. “It should be observed that the Internet has become the modern equivalent of a telephone or a daily newspaper, providing a combination of communication and information that most employees use as frequently in their personal lives as for their work,” Administrative Law Judge John Spooner said in recommending only a reprimand for Choudhri. The judge noted that city agencies allow workers to make personal calls if it doesn’t interfere with their work performance. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14417425.htm
DATA THEFT DISCLOSURE MEANT LESS PAIN FOR LEXISNEXIS (Computer World, 25 April 2006) -- After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive. By being forthcoming with the public and victims, the company survived with minimal impact, said Leo Cronin, LexisNexis senior director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early last year. “I think that’s why we were so successful in dealing with this,” Cronin said of the decision to be open and direct about the breach. LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches, he said. LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of Boca Raton, Fla., in September 2004. Seisint is a data broker, collecting personal information and providing it to law enforcement and private companies for services such as debt recovery and fraud detection. Attackers went after the service’s “less sophisticated customers” with a social engineering ploy that left the identities of up to 300,000 people at risk, Cronin said. The company’s customers received an e-mail with a pornographic lure, Cronin said. The mail also contained a worm and a keystroke logger, which stole LexisNexis credentials, specifically for its risk management services, he said. But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said. “We tried to do the best job we could,” he said. The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said. 
Such laws are catching on after the high-profile cases of last year, including ChoicePoint Inc., a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration. After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said. LexisNexis encouraged certain customers to sign up for antivirus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identify potential security problems, Cronin said. LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people. http://www.computerworld.com/printthis/2006/0,4814,110866,00.html
STATES STRUGGLING TO DEAL WITH DIGITAL DOCUMENTS (CNET, 25 April 2006) -- Most state governments are not actively tackling the creeping problem of digital archives and long-term access to public documents, according to the head of an industry group. Apart from a handful of cases, states have not devised comprehensive strategies for retaining “born digital” documents, said Doug Robinson, the executive director of the National Association of State CIOs (NASCIO). Such documents are created in electronic format and do not exist on paper. “There are very, very few states that have enacted any legislation or directive that addresses the permanent access to records,” Robinson said. “The challenge is that states are all over the map in what format they use in archiving born-digital content.” The state of Minnesota introduced a bill last month that would mandate the use of “open data formats” in state agencies by having them use standards-based products. By avoiding proprietary products and formats, the proposal’s backers hope to ensure access to state information. The bill also spells out criteria for what qualifies as a “standard” and proposes responsibilities for different IT-related state offices. Minnesota’s move toward long-term data access through standards follows the high-profile case of Massachusetts. The office of the former chief information officer in Massachusetts caused waves across the industry when it said it had chosen the OpenDocument format among its standards for desktop applications -- a format not supported by Microsoft Office. The state, which named a new CIO in January, is in the process of converting its systems in anticipation of a January 2007 deadline. There are a couple of reasons for the lack of state strategies, Robinson suggested. Most state IT executives are dealing with problems that require immediate attention, such as security or lowering costs by consolidating their servers, he said.
In addition, the jurisdiction among different agencies, both state and federal, is not always clear. In the case of Massachusetts, for example, the ability of the CIO’s office to set technical standards has been challenged by legislators and the office of public records. http://news.com.com/2100-1014_3-6064793.html
CHECKLIST OUTLINES NEW CYBERTHREATS (FCW.com, 25 April 2006) -- The U.S. government and industry face many cyberthreats that, until now, have not received adequate attention, according to a new checklist outlining the threats. “We’re talking about vulnerabilities where we can calculate the effects, and the effects are considerable,” said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit. The unit’s Cybersecurity Checklist looks at potential avenues for real-world cyberattacks and recommends ways to thwart them. Borg presented a draft version of the list at the GovSec conference in Washington, D.C. DHS has not yet approved the draft. The list includes 478 questions relating to cybersecurity attacks in 16 attack venues in six areas of vulnerability. The list contains recent content that reflects how the cybersecurity environment has changed in the past several years, Borg said. It uses a simpler framework than many similar checklists and is more self-consistent and easy to use, he said. The checklist provides more specific guidance for industry and recognizes economic realities, Borg said. It also includes asterisked items that are necessary but difficult and expensive to implement, he said. If the list is going to be used as a standard, it’s a practical necessity to let companies off the hook for the asterisked items, Borg said. “We don’t have the services and products to deal with them,” he said. The unit analyzed each of the 16 critical infrastructure sectors, Borg said. Many sectors say they follow international security standards but still have gaping security vulnerabilities, he said. http://www.fcw.com/article94201-04-26-06-Web
INTERNET POPULATION HITS NEW HIGH (SiliconValley.com, 26 April 2006) -- The U.S. online population has hit an all-time high: 73 percent of adults, or 147 million, now use the Internet. The figures represent an increase from 66 percent, or 133 million adults, in January 2005, according to the Pew Internet and American Life Project. But only 42 percent of all adults, or 84 million, have the home high-speed connections important for viewing video and treating the Internet as an always-on reference. Looking only at home Internet users, 62 percent have broadband. In a report Wednesday, Pew noted that Internet use still varies with age and income. Eighty-eight percent of adults under 30 go online, compared with 32 percent for those age 65 and older. Only 53 percent of adults in households earning less than $30,000 a year use the Internet, compared with 91 percent in households with annual income exceeding $75,000. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14435224.htm
NEW PHISHING SCAM MODEL LEVERAGES VOIP (Computer World, 26 April 2006) -- Small businesses and consumers aren’t the only ones enjoying the cost savings of switching to voice over IP (VoIP). According to messaging security company Cloudmark Inc., phishers have begun using the technology to help them steal personal and financial information over the phone. Earlier this month, San Francisco-based Cloudmark trapped an e-mailed phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing a certain phone number. The Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam because he’s not a customer of this bank. Usually phishing scams are e-mail messages that direct unwitting recipients to a Web site where they’re tricked into giving up their personal or financial information. But because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O’Donnell, senior research scientist at Cloudmark. And that’s where VoIP comes in. By simply acquiring a VoIP account, associating it with a phone number and backing it up with an interactive voice-recognition system and free PBX software running on a cheap PC, phishers can build phone systems that appear as elaborate as those used by banks, O’Donnell says. “They’re leveraging the same economies that make VoIP attractive for small businesses,” he says. http://www.computerworld.com/printthis/2006/0,4814,110894,00.html
RAT ON YOUR PIRATE BOSS, WIN $36,000 (CNET, 27 April 2006) -- Anti-software piracy group the Business Software Alliance is offering a $36,000 reward to anyone who informs on employers who use illegal or unlicensed software. The BSA already has an online hotline for people to report the use of illegal software within U.K. organizations, but it has now doubled the reward from 10,000 pounds ($18,000) to 20,000 pounds ($36,000) until the end of June this year. The BSA said it opened 420 investigations in the last year as a result of these hotline tip-offs, the majority of which came from people in IT. Siobhan Carroll, regional manager for Northern Europe at the BSA, said that with all the software auditing tools and advice available, organizations no longer have any excuse for being caught using illegal software. She said: “We are doubling the reward to make software licensing a priority for managers. It might seem harsh, but at the end of the day there are 27 percent of businesses who think they can get away with it.” Carroll said disgruntled staff members are often the source of tip-offs, and a YouGov poll commissioned by the BSA found that three-quarters of workers would consider reporting their company if they felt their boss had treated them unfairly, while a quarter said poor pay raises would also spur them to rat on their employer. http://news.com.com/2100-7350_3-6066049.html
POLITICAL DIRTY-TRICKSTERS ARE USING WIKIPEDIA (SiliconValley.com, 28 April 2006) -- Wikipedia, the online encyclopedia that can be altered by anyone with a computer, has proved remarkably useful for pulling political dirty tricks. Political operatives are covertly rewriting -- or defacing -- candidates’ biographical entries to make the boss look good or the opponent look ridiculous. As a result, political campaigns are monitoring the Web site more closely than ever this election year. Revisions made by Capitol Hill staffers became so frequent and disruptive earlier this year that Wikipedia temporarily blocked access to the site from some congressional Internet addresses. The pranks included bumping up the age of the Senate’s oldest member, West Virginia’s Robert Byrd, from 88 to 180, and giving crude names to other lawmakers. The entry for Democratic Rep. Jim Marshall of Georgia labeled him “too liberal” for his state, in part because of a contribution he received from a political action committee run by Sen. Hillary Rodham Clinton. The man who doctored Marshall’s biography now works for his Republican challenger. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14454525.htm
NIST RELEASES STANDARDS FOR SECURITY LOGS (FCW.com, 28 April 2006) -- The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs. The guidelines cover log generation, transmission, storage, analysis and disposal. The guidelines, NIST Special Publication 800-92: Guide to Computer Security Log Management, include suggestions for creating a log management policy, prioritizing log files and creating a centralized log management infrastructure to include all hardware, software, networks and media. The 64-page document notes that agencies must deal with larger quantities, volumes and varieties of security logs. They also must comply with a growing number of legislative requirements such as the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act. http://www.fcw.com/article94229-04-28-06-Web
F.B.I. DISCLOSES SUBPOENAS (New York Times, 29 April 2006) -- The F.B.I. secretly sought information last year on 3,501 American citizens and legal residents from their banks and credit card, telephone and Internet companies without a court’s approval, the Justice Department said. It was the first time the Bush administration publicly disclosed how often it had used the administrative subpoena known as a National Security Letter, which lets the executive branch obtain records about people in terrorism and espionage investigations without a judge’s approval or a grand jury subpoena. The disclosure was mandated as part of the renewal of the USA Patriot Act, the administration’s sweeping antiterror law. (AP) http://www.nytimes.com/2006/04/29/us/29brfs.html?_r=1&oref=slogin
FUNNY MONEY (New York Times Editorial, 4 May 2006) -- For most of us, there is nothing magical about withdrawing cash from an A.T.M. The money that slides out represents some aspect of our real lives — our labor, our interest, our savings. But the idea of using an A.T.M. card to withdraw real money from a virtual life — a fictional online gaming life — takes some getting used to. On Tuesday, MindArk, the makers of the popular online game called Entropia Universe, announced that it will offer A.T.M. cards that will allow players quick access to cash assets that are being held in an alternate reality. For many people, the real mind-twister here isn’t the A.T.M. card. Cash holdings in a game — where the cash is used to buy upgrades and enhancements — are no different from cash holdings in an electronic bank. Very few people ever go into a bank and ask to see their money. No, the real puzzle is the creation of an online economy based solely in fictional worlds, in which people invest assets and erect buildings and charge rent and derive real income. Entropia is only one example. Second Life is another. The population — what else can you call it? — of these virtual worlds is growing rapidly. It’s natural to think of Entropia players escaping from the real world and disappearing into a more fluid and more gratifying universe. But can it be long before their online avatars within the game begin to resent these intrusions from outside? There you are, an avatar about to close a deal on Calypso, only to discover that your real-world alter ego has drained you dry from an A.T.M. somewhere in Milwaukee. It hardly seems fair. http://www.nytimes.com/2006/05/04/opinion/04thur4.html?ex=1304395200&en=30ae00fc4dd60496&ei=5090&partner=rssuserland&emc=rss
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
BORDER SECURITY SYSTEM LEFT OPEN (Wired, 12 April 2006) -- A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News. The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists. The Aug. 18 computer failure led to long lines at international airports in Los Angeles, San Francisco, Miami and elsewhere, while U.S. Customs and Border Protection, or CBP, officials processed foreign visitors by hand, or in some cases used backup computers, according to contemporaneous press reports. Publicly, officials initially attributed the failure to a virus, but later reversed themselves and claimed the incident was a routine system failure. DHS CBP officials have released six pages of heavily redacted documents about the Aug. 18 computer failure. But two CBP reports obtained under the Freedom of Information Act show that the virulent Zotob internet worm infiltrated agency computers the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at nearly 300 airports, seaports and land border crossings around the country. “When the virus problems appeared on (CBP) workstations Thursday evening, the decision was made to push the patch, immediately, to the ... US-VISIT workstations. Most workstations had received the patch by midnight and US-VISIT was back in operation at all locations,” reads a CBP summary of the incident. http://www.wired.com/news/technology/1,70642-0.html
UNITED STATES SUPREME COURT APPROVES ELECTRONIC DISCOVERY AMENDMENTS TO FRCP (April 14, 2006) -- On Wednesday, April 12, 2006, the United States Supreme Court approved, without comment or dissent, the entire package of proposed amendments to the Federal Rules of Civil Procedure concerning the discovery of “electronically stored information.” The package includes revisions and additions to Rules 16, 26, 33, 34, 37, and 45, as well as Form 35. The proposed amendments were transmitted to the Supreme Court last September, after the Judicial Conference unanimously approved them. The new rules and amendments have now been transmitted to Congress and will take effect on December 1, 2006, unless Congress enacts legislation to reject, modify, or defer the amendments. The amendments may be accessed on the U.S. Court’s Federal Rulemaking website at: http://www.uscourts.gov/rules/newrules6.html#cv0804
-- and --
PANEL PROVIDES PLUG FOR PRIVILEGE HOLE (ABA Journal, 5 May 2006) -- A proposal to help protect attorney-client privilege during electronic discovery has been hammered out at a conference on federal evidence rules. The proposed rule change would allow privileged documents that are released to opposing counsel inadvertently or called back under a claw-back agreement to be protected from third parties seeking the documents in other cases, including in state court proceedings. To be able to bind the states, Congress will have to adopt the proposed rule directly, under its commerce clause authority, according to a commentary to the proposed Rule 502. At the request of the chairman of the U.S. House Judiciary Committee, the Advisory Committee on Federal Rules of Evidence conducted a miniconference on proposed Rule 502 at Fordham University last month. The committee was asked to consider how privilege is handled in litigation so as not to jeopardize attorney-client privilege. In some cases, lawyers waive privilege with an understanding from opposing counsel that they can withdraw privileged documents from the record before trial. This is often known as claw-back. However, many courts have ruled that agreements giving one side the claw-back privilege do not apply to outside parties. Suddenly, litigants in different lawsuits against a company can have access to those clawed-back documents. In other situations, attorneys inadvertently disclose documents protected by the attorney-client privilege or the work product doctrine during discovery of voluminous electronic documents. For example, ExxonMobil claims its employees generate 5.2 million e-mails each day and use 65,000 desktop computers and 30,000 laptops. The storage capacity of the average computer issued to employees is 40 gigabytes, which is equal to roughly 20 million typewritten pages. 
Currently, courts are in conflict over whether and in what circumstances inadvertent disclosure results in a waiver of the privilege. To address the problems, proposed Rule 502(b) protects documents inadvertently disclosed in federal proceedings from use in federal or state proceedings if the holder of the privilege took reasonable precautions to avoid disclosure and took reasonably prompt measures to correct the error after its discovery. Proposed Rule 502(e) provides that parties can enter into an agreement to limit waiver of claw-back documents, and such an agreement can bind third parties if it is incorporated in a court order. http://www.abanet.org/journal/ereport/my5evidence.html
DATA EXPOSURE: COUNTIES ACROSS THE U.S. POSTING SENSITIVE INFO ONLINE (Computer World, 12 April 2006) -- Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver’s license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access. The exposure follows the failure to redact sensitive information from land records and other public documents posted on the Internet and makes county Web sites a veritable treasure trove of information for identity thieves and other criminals, according to a number of privacy advocates. “These sites are just spoon-feeding criminals the information they need,” said B.J. Ostergren, a privacy advocate based in Richmond, Va. “But no one appears to be seeing it and nobody’s changing the laws,” she said. Among the pieces of personally identifiable information from county Web sites made available to Computerworld by Ostergren and other privacy advocates were: Rep. Tom Delay’s Social Security number on a tax lien document; the Social Security numbers for Florida Gov. Jeb Bush and his wife on a quit claim deed from 1999; driver’s license numbers, addresses, vehicle registration information, height and race of individuals arrested for traffic violations; names and dates of birth of minors from final divorce decrees and family court documents; and even complete copies of death certificates with Social Security numbers, dates of birth and cause of death. (The Social Security numbers for Bush and his wife have been redacted and are no longer available online.) http://www.computerworld.com/printthis/2006/0,4814,110453,00.html
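The failure described above is a missing pre-publication check: documents went online without anyone scanning them for the identifiers that make them useful to an identity thief. The following is an added example, not code from the article or from any county system, of the kind of scan a records office could run over extracted document text before posting it. It flags Social Security numbers (applying the Social Security Administration’s structural rules so that obviously invalid numbers such as 000-xx-xxxx are not counted), flags dates of birth that follow a “DOB” label, and produces a redacted copy that keeps only the last four SSN digits. The deed text, names and numbers in SAMPLE_DEED are constructed for the example; real documents would be run through OCR or PDF text extraction first, which this example assumes has already happened.

```python
import re
from typing import List, Tuple

# Constructed sample standing in for an unredacted land record; every name and
# number here is made up for the example.
SAMPLE_DEED = """QUIT CLAIM DEED
Grantor: Jane Q. Public, SSN 123-45-6789, residing at 10 Main St.
Grantee: John R. Doe, SSN 000-12-3456 (as typed on original), DOB 02/14/1960
Loan account ending 8812; prepared 1999-03-02. Phone 555-867-5309.
"""

# Three groups with a consistent separator (hyphen or space).  Dates such as
# 1999-03-02 and phone numbers such as 555-867-5309 do not fit this shape.
SSN_PATTERN = re.compile(r"\b(\d{3})([- ])(\d{2})\2(\d{4})\b")
# A date of birth that follows an explicit "DOB" label.
DOB_PATTERN = re.compile(r"\bDOB\s*:?\s*(\d{1,2}/\d{1,2}/\d{4})")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area is never 000, 666 or
    900-999; group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_pii(text: str) -> List[Tuple[str, str, int]]:
    """Return (kind, value, offset) for each sensitive item found."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        area, _, group, serial = m.groups()
        if ssn_is_plausible(area, group, serial):
            hits.append(("ssn", m.group(0), m.start()))
    for m in DOB_PATTERN.finditer(text):
        hits.append(("dob", m.group(1), m.start(1)))
    return sorted(hits, key=lambda h: h[2])


def redact(text: str) -> str:
    """Mask SSNs down to their last four digits and remove labelled DOBs."""
    def mask_ssn(m: "re.Match") -> str:
        area, sep, group, serial = m.groups()
        if not ssn_is_plausible(area, group, serial):
            return m.group(0)  # leave implausible numbers for human review
        return f"XXX{sep}XX{sep}{serial}"

    text = SSN_PATTERN.sub(mask_ssn, text)
    text = DOB_PATTERN.sub("DOB [REDACTED]", text)
    return text


def safe_to_publish(text: str) -> bool:
    """Gate for a publishing workflow: true only when nothing was found."""
    return not find_pii(text)


if __name__ == "__main__":
    for kind, value, offset in find_pii(SAMPLE_DEED):
        print(f"{kind} at offset {offset}: {value}")
    print("safe to publish:", safe_to_publish(SAMPLE_DEED))
    print(redact(SAMPLE_DEED))
```

The implausible 000-12-3456 is deliberately left untouched by redact() rather than silently dropped, so that a reviewer sees it; a scanner that masks everything that looks like an SSN hides its own false positives, and one that masks nothing doubtful lets an OCR error leak a real number. Driver’s license numbers and bank account numbers, which the article also mentions, vary too much in format for a single regular expression and would need per-state or per-institution patterns.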
JUDGE FINDS WELLS FARGO NOT NEGLIGENT IN DATA THEFT CASE (ZDnet.com, 14 April 2006) -- A US District Judge in Minnesota ruled that two people who had filed a class action lawsuit against Wells Fargo had not actually suffered any damages and were thus unable to demonstrate “reasonably certain future injury” due to the theft of computer hardware from a Wells Fargo contractor. The hardware contained unencrypted Wells Fargo customer data. The judge said the thieves never used the information and that time and effort the plaintiffs spent monitoring their credit reports “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” The judge found Wells Fargo not negligent because the information was never misused by the thieves. http://news.zdnet.com/2102-9595_22-6061400.html?tag=printthis
REPORT DETAILS DMCA MISUSES (InternetNews.com, 14 April 2006) -- A new report from the Electronic Frontier Foundation (EFF) takes aim at the Digital Millennium Copyright Act (DMCA), a controversial law enacted seven years ago to protect intellectual property in the digital age. “Unintended Consequences: Seven Years Under the DMCA” is a collection of well-known and obscure stories about the misuses of the DMCA. Among those accounts is that of J. Alex Halderman, a graduate student at Princeton University who, in the fall of 2005, discovered the existence of serious security vulnerabilities in the CD copy-protection software on dozens of Sony BMG titles. But he delayed publishing his discovery for several weeks while consulting with lawyers in order to avoid DMCA pitfalls. This left millions of music fans at risk longer than necessary. In October 2003, Halderman had been threatened with a DMCA lawsuit after publishing a report documenting weaknesses in a CD copy-protection technology developed by SunnComm. Halderman revealed that holding down the shift key on a Windows PC would render SunnComm’s copy-protection technology ineffective. SunnComm executives threatened legal action under the DMCA. Stories like these show that “rather than being used to stop piracy, the DMCA has predominantly been used to threaten and sue legitimate consumers, scientists, publishers and competitors,” said EFF senior staff attorney Fred von Lohmann. The EFF notes that the DMCA’s anti-circumvention provisions, which are contained in Section 1201 of the act, were developed in response to obligations imposed on the U.S. by the 1996 World Intellectual Property Organization (WIPO) Copyright Treaty and the concerns of copyright owners that their works would be pirated and made available for download online. 
Section 1201 of the DMCA contains a ban on acts of circumvention of Digital Rights Management technologies -- technological measures used by copyright owners to control access to their works -- and a ban on the distribution of tools and technologies used for circumvention. In its report, the EFF notes that the ban on acts of circumvention applies even where the purpose for circumventing copyright protection would otherwise be legitimate or strike a logical person as legitimate, such as research intended to expose serious security flaws directly caused by copyright protection programming code. http://www.internetnews.com/bus-news/article.php/3599026 [The EFF report is here: http://www.eff.org/IP/DMCA/?f=unintended_consequences.html]
EU DATA RETENTION DIRECTIVE TO TAKE EFFECT, NOT WITHOUT CONTROVERSY (Steptoe & Johnson’s E-Commerce Law Week, 15 April 2006) -- The controversial new EU Data Retention Directive (“Directive”) was published April 13 in the Official Journal of the European Union. Under the Directive, which cleared its most important hurdle when it was adopted by the European Parliament last December, ISPs and fixed-line and mobile operators will be required to retain communications data of their EU customers (not including the content of communications). The Directive will take effect 20 days after publication, but the more important deadlines come later. EU member states will have until September 15, 2007, to implement the Directive for traditional telephone services and ordinary mobile voice services. For “Internet Access, Internet telephony and Internet e-mail”, member states had the option to declare that they would reserve the right to delay implementation until March 15, 2009, and 16 member states have exercised this option -- Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Slovenia, Sweden, and the United Kingdom. But nine member states did not, including three of the EU’s five biggest economies -- France, Italy, and Spain -- as well as Denmark, Hungary, Ireland, Malta, Portugal, and Slovakia. For these countries, the earlier deadline of September 15, 2007, will apply to Internet services as well. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=12255&siteId=547
ONE BORROWED SHARE, BUT ONE VERY REAL VOTE (New York Times, 16 April 2006) – Some investors seem to be taking advantage of a loophole in financial regulations to cast shareholder votes that are far out of proportion to the number of shares they actually own, a new academic study suggests. The study, entitled “Vote Trading and Information Aggregation,” has been circulating in academic circles for several months. Its authors are the finance professors Susan E. K. Christoffersen of McGill University in Montreal, Christopher C. Geczy and David K. Musto of the Wharton School of the University of Pennsylvania and Adam V. Reed of the University of North Carolina. The authors describe a strategy that enables any investors, no matter how few of a company’s shares they own, to profoundly affect the outcome of corporate resolutions that are put to a vote at the annual shareholder meeting. In effect, a shareholder can borrow a large number of shares for a nominal fee and use them to cast a corresponding number of votes. As the study points out, the right to vote on a corporate resolution comes from possession, not ownership, of shares. That means a trader can borrow shares and thus be temporarily eligible to vote on corporate resolutions. The number of votes he can acquire is limited only by his ability to put up collateral — which is required to be 102 percent of the value of shares borrowed — and the number of shares available on the securities lending market. This market primarily serves those who wish to borrow shares in order to sell them short, but there is nothing to prevent its use by those whose motive is to influence the outcome of corporate votes. As long as you have the collateral, borrowing shares is very inexpensive. The annual cost can be as low as 20 basis points, or two-tenths of a percentage point, on the cash that is put up. And because the borrower must hold the shares for just one day in order to have voting rights, the interest can be almost nothing. 
The cost to borrow $1 million of stock for one day, for example, could be less than $6, according to Professor Reed. The professors are convinced that many traders are taking advantage of this loophole. They reached this conclusion after studying what happens in the securities lending market immediately before and after the record dates for corporate votes. These are the dates when a shareholder needs to have possession of a stock in order to vote on a corporate resolution. The professors focused on 6,186 record dates for resolutions at publicly traded companies from November 1998 to October 1999. They found that on the typical record date, there was a significant spike in the number of borrowed shares. And they found an almost-as-big decline in such shares, on average, the day after those record dates. In their opinion, the only plausible explanation is that traders borrowed shares solely to acquire votes. http://www.nytimes.com/2006/04/16/business/yourmoney/16stra.html?ex=1302840000&en=2c7eea202b079dcc&ei=5090&partner=rssuserland&emc=rss Study at http://papers.ssrn.com/sol3/papers.cfm?abstract-id=686026
STITCHING UP HEALTH RECORDS: PRIVACY COMPLIANCE LAGS (eWeek, 16 April 2006) -- The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law. The bad news? All were supposed to have done so by April 2003. More bad news? The percentage hasn’t changed since last summer, meaning about 20 percent of health care companies are “unable or unwilling to implement federal privacy requirements,” according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS. And that’s just regarding the rule designed to make sure patient information isn’t sent to the wrong people or accessed by people without a right to know. Securing the data so hackers can’t force their way in is another category of compliance entirely. Meanwhile, as of April 21, another wave of companies will have the chance to be noncompliant, as the deadline passes for companies with less than $5 million in revenue to meet HIPAA Security standards. http://www.eweek.com/article2/0,1759,1949646,00.asp
KOREA: ONLINE COMMUNITIES TO BE MONITORED MONTHLY (AsiaMedia, 16 April 2006) -- The South Korean government plans to monitor the nation’s online communities every month, to crack down on an increasing number of personal information dealers within the virtual world. The Ministry of Information and Communication said the targets of the monthly surveillance plan would be cyber cafes, and peer-to-peer (P2P) file-sharing sites. “We have come up with this scheme as Internet-based clubs and P2P sites are recognized as the main culprits for recent woes regarding identity theft,” said Suh Byung-jo, director general at the ministry. “To straighten things out, we will check unlawful activities at sites prone to wrongdoings at least once every month from now on and will report malpractices to the police,” he said. As Suh pointed out, Internet clubs and P2P sites have been the playground for personal data dealers who gain private information like resident registration numbers, the Korean version of North American social security numbers. The identity theft issue caught Korea, the most wired country on the planet, off guard in February, when complaints piled up that hackers were stealing private data from millions of Korean people. In addition to Internet clubs and P2P sites, the ministry seeks to check the nation’s 100,000 most-visited Web sites to shield them from hackers’ attacks. http://www.asiamedia.ucla.edu/article-eastasia.asp?parentid=43284
-- and --
CHINA BANS UNLICENSED E-MAIL SERVERS (ARS Technica, 17 April 2006) -- A new provision in an anti-spam law has apparently made it illegal to run an unlicensed e-mail server in China. The Chinese Ministry of Information Industry recently promulgated rules designed to crack down on the country’s spam epidemic, but buried in the new legislation is a requirement that so-called “E-mail Service Providers” must register with the government and receive a license in order to legally operate their mail servers. Though it does not appear as though Chinese authorities are yet enforcing the law, the new regulations would make it illegal for any business to operate their own e-mail server without obtaining a government license. The licensing protocol also requires that server operators maintain logs of incoming and outgoing e-mails for 60 days, and it makes open relays illegal. While it contains some solid anti-spam provisions, the new law certainly seems designed to have a chilling effect on e-mail use. http://arstechnica.com/news.ars/post/20060417-6611.html
COURT FOLLOWS ProCD, RULES SHRINKWRAP LICENSE VALID (BNA’s Internet Law News, 20 April 2006) -- BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that a shrinkwrap agreement in which software licensing terms are disclosed within the box containing the software media is enforceable under California law. The court also held that a state-law claim for breach of the shrinkwrap license was not preempted by the Copyright Act. Case name is Meridian Project Sys. Inc. v. Hardin Construction Co. Article at http://pubs.bna.com/ip/bna/eip.nsf/eh/a0b2r0b1z5
N.Y. COUNTY REQUIRES SECURITY FOR WIRELESS BUSINESS NETWORKS (SiliconValley.com, 20 April 2006) -- Westchester County on Thursday enacted a law that is designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers’ credit card numbers or other financial information. The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures. As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic. “There are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential,” Spano said. “It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don’t.” Bruce Schneier, chief technical officer of Counterpane Internet Security Inc., said laws like Westchester’s are probably helpful “because the information companies have on their networks is more valuable to you than it is to them and the law gives them an incentive” to protect it. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14390363.htm
GAS GUZZLERS FIND PRICE OF FORGIVENESS (New York Times, 22 April 2006) -- To people who take the threat of global warming personally, driving a car that spews heat-trapping greenhouse gases into the atmosphere can be a guilt trip. But to help atone for that environmental sin, some drivers are turning to groups on the Internet that offer pain-free ways to assuage their guilt while promoting clean energy. It involves buying something known as a carbon offset: a relatively inexpensive way to stimulate the production of clean electricity. Just go to one of several carbon-offset Web sites, calculate the amount of carbon dioxide produced when you drive, fly or otherwise burn fossil fuels, and then buy an offset that pays for an equivalent amount of clean energy. Of course, emissions could be reduced the old-fashioned way — by flying less, turning off the air-conditioning or buying a more fuel-efficient car. But that would probably require some sacrifice and perhaps even a change in lifestyle. Instead, carbon-offset programs allow individuals to skip the sacrifice and simply pay for the right to pollute. “To some extent, it’s a way for people to buy their way into heaven,” said Chip Giller, who is president of Grist.org, an online environmental magazine. “On the other hand, this is such a big macro problem that this is one of the few things people can do to really make a difference.” While offsets do not actually eliminate pollution, they do enable groups like Carbonfund.org to use the money to stimulate the production of clean electricity, which is more costly than burning coal or oil. http://www.nytimes.com/2006/04/22/nyregion/22guilt.html?ex=1303358400&en=5d926991652f2cff&ei=5090&partner=rssuserland&emc=rss
THE CAMERA NEVER BLINKS, BUT IT MULTIPLIES (New York Times, 23 April 2006) -- It’s spring, and a new crop of police surveillance cameras is sprouting in cities big and small. New York is installing 500 on street corners; Chicago is upgrading several thousand; and even the city of Dillingham, Alaska, has 80 — one for every 30 residents. Many of these newer cameras can pan, tilt and zoom, and are networked through the Internet, so video images can be viewed and stored centrally. They are often purchased with homeland security funds, meant for use against terrorism as well as street crime. But it is impossible for a police department to continuously monitor 2,000, 500 or even, in the case of Dillingham, 80 cameras. So other than producing mountains of visual data — and raising the inevitable questions of privacy — how useful are they? Law enforcement officials argue that just putting up a camera in plain sight can deter crime. And some see a future in which software will analyze video for possible signs of terrorist activity, like someone placing a suitcase in front of a building. “We have seen significant dividends as a result of implementing this program,” said Andrew Velasquez III, director of the Office of Emergency Management and Communications in Chicago. Drug trafficking has been reduced in areas where cameras have been installed, he said. And the city is starting a pilot program to see whether automated analysis can be effective. But some security experts say the cameras are of limited value — largely in helping investigators after a crime — and are not cost-effective. They point to a large study by the Home Office in Britain, which has perhaps the world’s most videotaped population, that found cameras to be ineffective in reducing crime, except in locations like parking garages. And even scientists involved in the development of visual recognition software acknowledge that the programs do not work well enough yet. 
“Cameras make people feel better,” said Bruce Schneier, an expert on security technology and the author of “Beyond Fear: Thinking Sensibly About Security in an Uncertain World.” “But they really don’t make sense. At best they move crime around a little bit.” http://www.nytimes.com/2006/04/23/weekinreview/23fountain.html?ex=1303444800&en=162661094fce8341&ei=5090&partner=rssuserland&emc=rss
JUDGE: NOT UNREASONABLE FOR CITY WORKERS TO SURF WEB (SiliconValley.com, 24 April 2006) -- Surfing the Web at work is equivalent to reading a newspaper or talking on the phone, an administrative law judge said in recommending the lightest possible punishment for a city worker accused of disregarding warnings to stay off the Internet. The case involved Toquir Choudhri, a 14-year veteran of the Department of Education, whose office computer had been used to visit news and travel Web sites. “It should be observed that the Internet has become the modern equivalent of a telephone or a daily newspaper, providing a combination of communication and information that most employees use as frequently in their personal lives as for their work,” Administrative Law Judge John Spooner said in recommending only a reprimand for Choudhri. The judge noted that city agencies allow workers to make personal calls if it doesn’t interfere with their work performance. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14417425.htm
DATA THEFT DISCLOSURE MEANT LESS PAIN FOR LEXISNEXIS (Computer World, 25 April 2006) -- After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive. By being forthcoming with the public and victims, the company survived with minimal impact, said Leo Cronin, LexisNexis senior director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early last year. “I think that’s why we were so successful in dealing with this,” Cronin said of the decision to be open and direct about the breach. LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches, he said. LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of Boca Raton, Fla., in September 2004. Seisint is a data broker, collecting personal information and providing it to law enforcement and private companies for services such as debt recovery and fraud detection. Attackers went after the service’s “less sophisticated customers” with a social engineering ploy that left the identities of up to 300,000 people at risk, Cronin said. The company’s customers received an e-mail with a pornographic lure, Cronin said. The mail also contained a worm and a keystroke logger, which stole LexisNexis credentials, specifically for its risk management services, he said. But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said. “We tried to do the best job we could,” he said. The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said. 
Such laws are catching on after the high-profile cases of last year, including ChoicePoint Inc., a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration. After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said. LexisNexis encouraged certain customers to sign up for antivirus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identify potential security problems, Cronin said. LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people. http://www.computerworld.com/printthis/2006/0,4814,110866,00.html
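The attack Cronin describes used valid customer credentials, so nothing at the perimeter looked wrong; what changed was how the accounts were used. The following is an added example, not LexisNexis code and not based on any detail the article gives about its detection measures, of the simplest form of the anomaly detection he mentions: a per-account baseline of daily search volume, a robust (median and MAD based) score for the day under review, and a check for source addresses the account has never used before. The log format, the account names, the addresses and the volumes are all constructed for the example; a real service would key on whatever its own audit logs record.

```python
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Assumed log line shape (constructed for this example):
#   2005-01-08 10:03:03 user=acme_recovery ip=198.51.100.77 action=search
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)"
)


def constructed_log():
    """Seven baseline days plus one review day for three made-up accounts.
    acme_recovery: low steady use, then a 120-query burst from a new address
    (the stolen-credential pattern).  bigbank_fraud: high but steady use from
    its usual address.  county_clerk: tiny account, a new address but barely
    more volume than usual."""
    start = date(2005, 1, 1)
    profiles = {
        "acme_recovery": ([5, 6, 7, 8, 5, 6, 7], "203.0.113.5", (120, "198.51.100.77")),
        "bigbank_fraud": ([38, 40, 42, 39, 41, 40, 40], "192.0.2.10", (45, "192.0.2.10")),
        "county_clerk": ([2, 3, 2, 3, 2, 3, 2], "203.0.113.40", (4, "198.51.100.9")),
    }
    lines = []
    for user, (baseline, ip, (review_count, review_ip)) in profiles.items():
        for i, n in enumerate(baseline):
            day = (start + timedelta(days=i)).isoformat()
            for k in range(n):
                lines.append(f"{day} 09:{k % 60:02d}:00 user={user} ip={ip} action=search")
        day = (start + timedelta(days=len(baseline))).isoformat()
        for k in range(review_count):
            lines.append(f"{day} 10:{k % 60:02d}:{k % 60:02d} user={user} ip={review_ip} action=search")
    return lines


def daily_activity(lines):
    """Aggregate search lines into user -> day -> count and user -> day -> {ips}."""
    counts = defaultdict(lambda: defaultdict(int))
    ips = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "search":
            continue
        counts[m["user"]][m["day"]] += 1
        ips[m["user"]][m["day"]].add(m["ip"])
    return counts, ips


def detect_anomalies(lines, review_day, score_threshold=10.0):
    """Return {user: [reasons]} for accounts whose review-day use is anomalous
    against their own earlier days.  Median/MAD is used instead of mean/stddev
    so that one earlier burst does not inflate the baseline."""
    counts, ips = daily_activity(lines)
    flagged = {}
    for user, per_day in counts.items():
        baseline = [c for d, c in per_day.items() if d < review_day]
        today = per_day.get(review_day, 0)
        if len(baseline) < 3 or today == 0:
            continue  # not enough history to say anything
        median = statistics.median(baseline)
        mad = statistics.median([abs(c - median) for c in baseline])
        scale = max(1.4826 * mad, 1.0)   # 1.4826 makes MAD comparable to a stddev; floor avoids /0
        score = (today - median) / scale
        seen_ips = set().union(*(ips[user][d] for d in per_day if d < review_day))
        new_ips = ips[user].get(review_day, set()) - seen_ips
        reasons = []
        if score >= score_threshold:
            reasons.append(f"volume {today} vs median {median:g} (score {score:.1f})")
        if new_ips and today > 2 * median:
            reasons.append(f"new source ip(s) {sorted(new_ips)} with more than double the usual volume")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in detect_anomalies(constructed_log(), "2005-01-08").items():
        print(user, "->", "; ".join(reasons))
```

On the constructed data only acme_recovery is flagged; county_clerk’s new address with four queries is not, which is the intended trade-off: a threshold low enough to catch that would page on every customer who works from home once. Scoring on volume alone would also miss an attacker who rationed queries to the victim’s usual rate, which is why the new-address check is kept as a separate signal rather than folded into the score.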
STATES STRUGGLING TO DEAL WITH DIGITAL DOCUMENTS (CNET, 25 April 2006) -- Most state governments are not actively tackling the creeping problem of digital archives and long-term access to public documents, according to the head of an industry group. Apart from a handful of cases, states have not devised comprehensive strategies for retaining “born digital” documents, said Doug Robinson, the executive director of the National Association of State CIOs (NASCIO). Such documents are created in electronic format and do not exist on paper. “There are very, very few states that have enacted any legislation or directive that addresses the permanent access to records,” Robinson said. “The challenge is that states are all over the map in what format they use in archiving born-digital content.” The state of Minnesota introduced a bill last month that would mandate the use of “open data formats” in state agencies by having them use standards-based products. By avoiding proprietary products and formats, the proposal’s backers hope to ensure access to state information. The bill also spells out criteria for what qualifies as a “standard” and proposes responsibilities for different IT-related state offices. Minnesota’s move toward long-term data access through standards follows the high-profile case of Massachusetts. The office of the former chief information officer in Massachusetts caused waves across the industry when it said it had chosen the OpenDocument format among its standards for desktop applications--a format not supported by Microsoft Office. The state, which named a new CIO in January, is in the process of converting its systems in anticipation of a January, 2007 deadline. There are a couple of reasons for the lack of state strategies, Robinson suggested. Most state IT executives are dealing with problems that require immediate attention, such as security or lowering costs by consolidating their servers, he said. 
In addition, the jurisdiction among different agencies, both state and federal, is not always clear. In the case of Massachusetts, for example, the CIO’s office ability to set technical standards has been challenged by legislators and the office of public records. http://news.com.com/2100-1014_3-6064793.html
CHECKLIST OUTLINES NEW CYBERTHREATS (FCW.com, 25 April 2006) -- The U.S. government and industry face many cyberthreats that, until now, have not received adequate attention, according to a new checklist outlining the threats. “We’re talking about vulnerabilities where we can calculate the effects, and the effects are considerable,” said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit. The unit’s Cybersecurity Checklist looks at potential avenues for real-world cyberattacks and recommends ways to thwart them. Borg presented a draft version of the list at the GovSec conference in Washington, D.C. DHS has not yet approved the draft. The list includes 478 questions relating to cybersecurity attacks in 16 attack venues in six areas of vulnerability. The list contains recent content that reflects how the cybersecurity environment has changed in the past several years, Borg said. It uses a simpler framework than many similar checklists and is more self-consistent and easy to use, he said. The checklist provides more specific guidance for industry and recognizes economic realities, Borg said. It also includes asterisked items that are necessary but difficult and expensive to implement, he said. If the list is going to be used as a standard, it’s a practical necessity to let companies off the hook for the asterisked items, Borg said. “We don’t have the services and products to deal with them,” he said. The unit analyzed each of the 16 critical infrastructure sectors, Borg said. Many sectors say they follow international security standards but still have gaping security vulnerabilities, he said. http://www.fcw.com/article94201-04-26-06-Web
INTERNET POPULATION HITS NEW HIGH (SiliconValley.com, 26 April 2006) -- The U.S. online population has hit an all-time high: 73 percent of adults, or 147 million, now use the Internet. The figures represent an increase from 66 percent, or 133 million adults, in January 2005, according to the Pew Internet and American Life Project. But only 42 percent of all adults, or 84 million, have the home high-speed connections important for viewing video and treating the Internet as an always-on reference. Looking only at home Internet users, 62 percent have broadband. In a report Wednesday, Pew noted that Internet use still varies with age and income. Eighty-eight percent of adults under 30 go online, compared with 32 percent for those age 65 and older. Only 53 percent of adults in households earning less than $30,000 a year use the Internet, compared with 91 percent in households with annual income exceeding $75,000. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14435224.htm
NEW PHISHING SCAM MODEL LEVERAGES VOIP (Computer World, 26 April 2006) -- Small businesses and consumers aren’t the only ones enjoying the cost savings of switching to voice over IP (VoIP). According to messaging security company Cloudmark Inc., phishers have begun using the technology to help them steal personal and financial information over the phone. Earlier this month, San Francisco-based Cloudmark trapped an e-mailed phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing a certain phone number. The Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam because he’s not a customer of this bank. Usually phishing scams are e-mail messages that direct unwitting recipients to a Web site where they’re tricked into giving up their personal or financial information. But because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O’Donnell, senior research scientist at Cloudmark. And that’s where VoIP comes in. By simply acquiring a VoIP account, associating it with a phone number and backing it up with an interactive voice-recognition system and free PBX software running on a cheap PC, phishers can build phone systems that appear as elaborate as those used by banks, O’Donnell says. “They’re leveraging the same economies that make VoIP attractive for small businesses,” he says. http://www.computerworld.com/printthis/2006/0,4814,110894,00.html
RAT ON YOUR PIRATE BOSS, WIN $36,000 (CNET, 27 April 2006) -- Anti-software piracy group the Business Software Alliance is offering a $36,000 reward to anyone who informs on employers who use illegal or unlicensed software. The BSA already has an online hotline for people to report the use of illegal software within U.K. organizations, but it has now doubled the reward from 10,000 pounds ($18,000) to 20,000 pounds ($36,000) until the end of June this year. The BSA said it opened 420 investigations in the last year as a result of these hotline tip-offs, the majority of which came from people in IT. Siobhan Carroll, regional manager for Northern Europe at the BSA, said that with all the software auditing tools and advice available, organizations no longer have any excuse for being caught using illegal software. She said: “We are doubling the reward to make software licensing a priority for managers. It might seem harsh, but at the end of the day there are 27 percent of businesses who think they can get away with it.” Carroll said disgruntled staff members are often the source of tip-offs, and a YouGov poll commissioned by the BSA found that three-quarters of workers would consider reporting their company if they felt their boss had treated them unfairly, while a quarter said poor pay raises would also spur them to rat on their employer. http://news.com.com/2100-7350_3-6066049.html
POLITICAL DIRTY-TRICKSTERS ARE USING WIKIPEDIA (SiliconValley.com, 28 April 2006) -- Wikipedia, the online encyclopedia that can be altered by anyone with a computer, has proved remarkably useful for pulling political dirty tricks. Political operatives are covertly rewriting -- or defacing -- candidates’ biographical entries to make the boss look good or the opponent look ridiculous. As a result, political campaigns are monitoring the Web site more closely than ever this election year. Revisions made by Capitol Hill staffers became so frequent and disruptive earlier this year that Wikipedia temporarily blocked access to the site from some congressional Internet addresses. The pranks included bumping up the age of the Senate’s oldest member, West Virginia’s Robert Byrd, from 88 to 180, and giving crude names to other lawmakers. The entry for Democratic Rep. Jim Marshall of Georgia labeled him “too liberal” for his state, in part because of a contribution he received from a political action committee run by Sen. Hillary Rodham Clinton. The man who doctored Marshall’s biography now works for his Republican challenger. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14454525.htm
NIST RELEASES STANDARDS FOR SECURITY LOGS (FCW.com, 28 April 2006) -- The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs. The guidelines cover log generation, transmission, storage, analysis and disposal. The guidelines, NIST Special Publication 800-92: Guide to Computer Security Log Management, include suggestions for creating a log management policy, prioritizing log files and creating a centralized log management infrastructure to include all hardware, software, networks and media. The 64-page document notes that agencies must deal with larger quantities, volumes and varieties of security logs. They also must comply with a growing number of legislative requirements such as the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act. http://www.fcw.com/article94229-04-28-06-Web
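The lifecycle the guide covers (generation, centralized collection, prioritization, retention and disposal) can be sketched in a few dozen lines. The following is an added illustration written for this newsletter item, not NIST's code; the log lines, the priority rules and the retention periods are constructed assumptions standing in for an agency's own policy.

```python
"""Toy log-management pipeline mirroring the SP 800-92 lifecycle stages:
generation -> central collection -> prioritization -> retention/disposal.
Added example; not NIST's own code. All sample data below is constructed."""
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines from two hosts (sample data, not real logs).
SAMPLE_LOGS = [
    "2006-04-28T10:00:01 web01 sshd[412]: Failed password for root from 192.0.2.10",
    "2006-04-28T10:00:05 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "2006-04-28T10:01:00 db01 auditd[9]: PRIV change user=alice to root",
    "2006-01-02T09:00:00 db01 cron[77]: (root) CMD (logrotate)",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)\[\d+\]: (.*)$")

# Assumed policy: higher-priority records are retained longer (days).
RETENTION_DAYS = {"high": 365, "medium": 90, "low": 30}
HIGH_MARKERS = ("Failed password", "PRIV change")

def parse(line):
    """Normalize one line into a dict; returns None on unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, program, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "program": program, "msg": msg}

def prioritize(entry):
    """Assign a priority from source and content (rules are an assumption of the example)."""
    if any(marker in entry["msg"] for marker in HIGH_MARKERS):
        return "high"
    if entry["program"] in ("sshd", "auditd"):
        return "medium"
    return "low"

def collect(lines, now):
    """Central collection: parse, prioritize, and dispose of entries past retention."""
    kept, disposed = [], 0
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue                       # malformed line: skipped, not stored
        entry["priority"] = prioritize(entry)
        if now - entry["ts"] > timedelta(days=RETENTION_DAYS[entry["priority"]]):
            disposed += 1                  # disposal: outside its retention window
            continue
        kept.append(entry)
    return kept, disposed

def run_demo(lines=SAMPLE_LOGS, now_iso="2006-04-28T12:00:00"):
    """Return (priorities of kept entries, number disposed) for the sample data."""
    kept, disposed = collect(lines, datetime.fromisoformat(now_iso))
    return [e["priority"] for e in kept], disposed
```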
F.B.I. DISCLOSES SUBPOENAS (New York Times, 29 April 2006) -- The F.B.I. secretly sought information last year on 3,501 American citizens and legal residents from their banks and credit card, telephone and Internet companies without a court’s approval, the Justice Department said. It was the first time the Bush administration publicly disclosed how often it had used the administrative subpoena known as a National Security Letter, which lets the executive branch obtain records about people in terrorism and espionage investigations without a judge’s approval or a grand jury subpoena. The disclosure was mandated as part of the renewal of the USA Patriot Act, the administration’s sweeping antiterror law. (AP) http://www.nytimes.com/2006/04/29/us/29brfs.html?_r=1&oref=slogin
FUNNY MONEY (New York Times Editorial, 4 May 2006) -- For most of us, there is nothing magical about withdrawing cash from an A.T.M. The money that slides out represents some aspect of our real lives — our labor, our interest, our savings. But the idea of using an A.T.M. card to withdraw real money from a virtual life — a fictional online gaming life — takes some getting used to. On Tuesday, MindArk, the makers of the popular online game called Entropia Universe, announced that it will offer A.T.M. cards that will allow players quick access to cash assets that are being held in an alternate reality. For many people, the real mind-twister here isn’t the A.T.M. card. Cash holdings in a game — where the cash is used to buy upgrades and enhancements — are no different from cash holdings in an electronic bank. Very few people ever go into a bank and ask to see their money. No, the real puzzle is the creation of an online economy based solely in fictional worlds, in which people invest assets and erect buildings and charge rent and derive real income. Entropia is only one example. Second Life is another. The population — what else can you call it? — of these virtual worlds is growing rapidly. It’s natural to think of Entropia players escaping from the real world and disappearing into a more fluid and more gratifying universe. But can it be long before their online avatars within the game begin to resent these intrusions from outside? There you are, an avatar about to close a deal on Calypso, only to discover that your real-world alter ego has drained you dry from an A.T.M. somewhere in Milwaukee. It hardly seems fair. http://www.nytimes.com/2006/05/04/opinion/04thur4.html?ex=1304395200&en=30ae00fc4dd60496&ei=5090&partner=rssuserland&emc=rss
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.