Friday, May 26, 2006

MIRLN -- Misc. IT Related Legal News [6-26 May 2006; v9.07]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC (www.dickinsonwright.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described here: http://www.dickinson-wright.com/scripts/prac2.asp?practice_area=Information%20Technology%20%26%20Security%20Law

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/. Older editions reside in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

IT VENDORS, PRIVACY GROUPS RELEASE RFID STANDARDS (PC Advisor, 2 May 2006) -- A set of best practices designed to help assuage consumers’ concerns about RFID (radio frequency identification) tags was released yesterday by a group of technology vendors, RFID users and consumer groups. Companies using RFID tags on products should notify customers in all cases. They should tell customers whether they can deactivate the tags and build security into the technology as a primary design requirement, the group said. The CDT’s (Center for Democracy and Technology’s) Working Group on RFID recommends that companies collecting personally identifiable information through RFID tags tell customers how that data will be used. If customers can opt out of sharing that information or destroy the tags, those options “must be readily available”, says the working group’s draft best practices report. “There should be no secret RFID tags or readers,” the report says. “Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology... as they engage in any transaction that utilises an RFID system. At the same time, it is important to recognise that notice alone does not mitigate all concerns about privacy.” The CDT hopes that the guidelines, which took over a year to develop, will serve as an example to companies rolling out the technology, said Paula Bruening, staff counsel at CDT, a privacy and civil liberties advocacy group. http://www.pcadvisor.co.uk/news/index.cfm?newsid=6078

COURT SKEPTICAL OF WIRETAP RULES (Wired, 5 May 2006) -- A U.S. appeals panel challenged the Bush administration Friday over new rules making it easier for police and the FBI to wiretap internet phone calls. One judge told the government its courtroom arguments were “gobbledygook” and invited its lawyer to return to his office and “have a big chuckle.” The skepticism expressed so openly toward the government’s case during a hearing in U.S. Circuit Court for the District of Columbia emboldened a broad group of civil liberties and education groups who argued that the U.S. improperly applied telephone-era rules to a new generation of internet services. “Your argument makes no sense,” U.S. Circuit Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob Lewis. “When you go back to the office, have a big chuckle. I’m not missing this. This is ridiculous. Counsel!” At another point in the hearing, Edwards told the FCC’s lawyer his arguments were “gobbledygook” and “nonsense.” The court’s decision was expected within several months. Edwards appeared skeptical over the FCC’s decision to require that providers of internet phone service and broadband services must ensure their equipment can accommodate police wiretaps under the 1994 Communications Assistance for Law Enforcement Act, known as CALEA. The new rules go into effect in May 2007. Critics said the new FCC rules are too broad and inconsistent with the intent of Congress when it passed the 1994 surveillance law, which excluded categories of companies described as information services. http://www.wired.com/news/politics/0,70823-0.html

FREE CALLS FROM AIM (InternetNews.com, 8 May 2006) -- First came free e-mail addresses, and then came free IM accounts. Later this month, Dulles, Va.-based AOL plans to offer free phone numbers through its instant messenger (AIM). AIM Phoneline brings Internet phone calling to the more than 40 million AOL instant messenger users. Slated to begin May 16 in 50 U.S. markets, the service will offer a free base of features along with a $14.95 fee-based premium option, according to an AOL spokesperson. Based on AIM Triton, AIM Phoneline augments AOL’s TotalTalk VoIP offering. AOL will offer Phoneline users free local phone numbers enabling unlimited inbound calls from traditional phones, cell phones and PCs. Cell phone users can receive text messages alerting them when an IM-based call is received, as well as listen to Phoneline voicemail. Along with free phone numbers, AOL will provide AIM users free voicemail. Calls not answered are saved as MP3 files and sent to an AOL or AIM mailbox, according to a company statement. While the differences between AOL’s VoIP plans “are kind of subtle,” the company wants to be sure all its bases are covered, according to Joe Laszlo, analyst with JupiterResearch. http://www.internetnews.com/infra/article.php/3604556

-- and --

SKYPEOUT SERVICE FREE UNTIL THE END OF 2006 (EITB, 16 May 2006) -- Skype, eBay Inc.’s Internet telephone subsidiary, has stopped charging users for dialling up people on traditional landline and mobile phones in the US and Canada. The Internet telephone service, which has always offered free PC-to-PC calls around the world, said on Monday it will offer its SkypeOut service for free until the end of the year. Previously, Skype users paid about 2 cents a minute for calls to landline and mobile telephones. Users who make outgoing calls to and within countries outside the US and Canada will continue to incur per-minute charges. The company also said it will continue to charge for traditional phone numbers that can be dialled from any phone to reach Skype users. Skype, which was acquired last year by online auctioneer eBay for $2.6 billion, recently announced it has 100 million registered users worldwide. http://www.eitb24.com/portal/eitb24/noticia/en/sci/tech/skype-skypeout-service-free-until-the-end-of-2006?itemId=D31463&cl=%2Feitb24%2Fnuevas_tecnologias&idioma=en

LEGALISE PERSONAL MUSIC COPYING, SAYS BPI (The Telegraph, 7 May 2006) -- The British music industry is to recommend to the Government that consumers be allowed to legally copy music without fear of prosecution. The BPI, the body that represents British record companies, believes copyright on CDs and records should be changed to allow consumers to copy music if it is for personal use. Currently, it is technically illegal for anyone to copy a CD onto their computer for the purposes of downloading music onto their own portable music player. In its submission to the Gowers Review - the independent review body set up by the Treasury to examine the UK’s intellectual property framework - the BPI has asked for the issue of this area of music copyright to be addressed. It is believed the organisation, which represents the likes of EMI and Sanctuary, prefers the option of altering copyright protections on music without the requirement for a change in legislation. http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2006/05/07/cnbpi07.xml&menuId=242&sSheet=/money/2006/05/07/ixcitytop.html

21-YEAR-OLD HACKER SENTENCED TO NEARLY 5 YEARS IN PRISON (SiliconValley.com, 9 May 2006) -- A 21-year-old computer whiz was sentenced to nearly five years in federal prison for taking control of 400,000 Internet-connected computers and renting access to them to spammers and fellow hackers. Among the machines authorities said Jeanson James Ancheta infected in 2004 and 2005 were those at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Va. Ancheta, of Downey, Calif., pleaded guilty in January to four felony charges. Authorities said he received more than $107,000 for downloading adware -- software that can track a user’s Internet browsing habits and deliver pop-up ads -- onto infected computers and selling access to hackers and spammers. A Web site he maintained included a schedule of prices and guidelines for the technology necessary to bring down a particular type of Web site. Prosecutors said the case was among the first to target profits derived from use of “botnets,” large numbers of computers that hackers commandeer through software and then turn into a “zombie” network that can be controlled by outsiders. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14537874.htm

EX-NSA CHIEF ASSAILS BUSH TAPS (Wired, 9 May 2006) -- Former National Security Agency director Bobby Ray Inman lashed out at the Bush administration Monday night over its continued use of warrantless domestic wiretaps, making him one of the highest-ranking former intelligence officials to criticize the program in public, analysts say. “This activity is not authorized,” Inman said, as part of a panel discussion on eavesdropping that was sponsored by The New York Public Library. The Bush administration “need(s) to get away from the idea that they can continue doing it.” Since the NSA eavesdropping program was unveiled in December, Inman -- like other senior members of the intelligence community -- has been measured in the public statements he’s made about the agency he headed under President Jimmy Carter. He maintained that his former colleagues “only act in accordance with law.” When asked whether the president had the legal authority to order the surveillance, Inman replied in December, “Someone else would have to give you the good answer.” But sitting in a brightly lit basement auditorium at the library next to James Risen, the New York Times reporter who broke the surveillance story, Inman’s tone changed. He called on the president to “walk into the modern world” and change the law governing the wiretaps -- or abandon the program altogether. http://www.wired.com/news/technology/0,70855-0.html?tw=rss.index

USC HACKER CASE PIVOTAL TO FUTURE WEB SECURITY (Information Week, 9 May 2006) -- Eric McCarty, a 25-year-old San Diego resident, in April was charged with hacking into the University of Southern California’s computer system and accessing confidential information submitted by students applying to the school. The case, in which McCarty claims he was simply trying to warn USC of possible security flaws in its Web site, will likely be a watershed event in the area of security research, particularly if McCarty is convicted to the full extent of the law and forced to serve 10 years in a federal prison. McCarty’s case lifts the hood on Web security, exposing a number of legal, ethical, and technical questions that to date have no easy answers. No one disagrees that McCarty broke the law. Whether McCarty was wrong or unethical is an altogether different question. And then there’s the matter of the penalty for his indiscretion. A decade in a federal prison comes across as a bit extreme to many IT security pros, particularly considering McCarty’s willingness to cooperate with the FBI once the bureau began its investigation. The SQL database connected to USC’s online applicant Web site contains Social Security numbers, birth dates, and other information for more than 275,000 applicants since 1997. After finding a vulnerability in the site’s login system, McCarty staged an SQL injection attack to gain access to the database. An SQL injection takes place when a hacker enters instructions into an improperly secured Web data field in order to gain control of that application. USC’s site was subsequently shut down for two weeks during June 2005 as the university addressed the issue. McCarty made his initial appearance in U.S. District Court in Los Angeles on April 28. Many security pros agree that McCarty’s intention of improving the security of USC’s Web site was commendable, and that USC should acknowledge this. 
But these same security pros are negative on McCarty’s move to hack the site without first getting permission from the university. “McCarty was trying to prove a point,” says Rick Fleming, VP of security and risk management consulting for Digital Defense Inc., which offers penetration testing services. “Part of me commends him for saying, ‘Hello, wake up.’ But he crossed an ethical boundary because he didn’t have permission to test that system, and he broke the law.” Security researchers are at the most basic level guided by an online document known as RFPolicy, which unofficially lays out the process for researchers to communicate with software developers and vendors about any bugs the researchers find in the developer’s software. The purpose of RFPolicy, which was conceived by a security expert known as Rain Forest Puppy, is “to quash assumptions and clearly define intentions, so that both parties may immediately and effectively gauge the problem, produce a solution, and disclose the vulnerability.” RFPolicy, which dates back five or six years, was designed to police how researchers disclose vulnerabilities to software vendors, says Jeremiah Grossman, a former Yahoo information security officer who’s now founder and chief technology officer with Web application security provider WhiteHat Security Inc. “Everyone was intrigued that someone put a line in the sand,” he says of security researchers’ reaction to this informal edict. But RFPolicy isn’t recognized by any standards or legal entity. It also doesn’t address the crucial question of how researchers can legally go about finding flaws in Web applications running in someone else’s IT environment. http://www.informationweek.com/news/showArticle.jhtml?articleID=187201428
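The item above describes an SQL injection in one sentence: instructions typed into an improperly secured Web form are parsed as part of the query. The example below is added here to illustrate that mechanism from the defender's side and is not code from the article, from USC, or from any of the people quoted. It builds a constructed in-memory SQLite table of made-up applicant rows (no real data), shows a login check written the vulnerable way (string concatenation) next to the same check written with a parameterized query, and demonstrates that the crafted input which turns the first query into "match every row" is treated as a plain literal by the second. Table and column names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: two fictitious applicants in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO applicants VALUES (?, ?, ?)",
        [("alice", "correct-horse", "000-00-0001"),
         ("bob", "battery-staple", "000-00-0002")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: user input is spliced into the SQL text.

    Quote characters in the input terminate the string literal early, so the
    remainder of the input is parsed as SQL rather than compared as data.
    """
    sql = (f"SELECT username FROM applicants "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the query shape fixed; input is bound as values.

    The database driver never re-parses the bound values as SQL, so a quote in
    the input is just a character to compare against, not a delimiter.
    """
    sql = "SELECT username FROM applicants WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both checks against a valid login and against a crafted input."""
    conn = make_db()
    # Classic textbook input: closes the open quote and appends an always-true clause.
    crafted = "' OR '1'='1"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        # Vulnerable query matches every row, i.e. authentication bypass.
        "crafted_vulnerable": login_vulnerable(conn, crafted, crafted),
        # Parameterized query finds no user literally named "' OR '1'='1".
        "crafted_parameterized": login_parameterized(conn, crafted, crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for an application owner is that the defence is structural: parameterized queries (prepared statements) remove the class of bug regardless of what the input looks like, whereas trying to filter "bad characters" out of the form field leaves the query text itself as the trust boundary. Prepared statements also make review easy, since a grep for string-built SQL turns up the remaining risk in one pass.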

OVEREXPOSED? (InsideHigherEd.com, 10 May 2006) -- A lecturer at the University of Southern California said she started a blog because her students wanted “more of me after our class time has ended,” she wrote. And they got it. Diana Blaine, who lectures on feminist theory, recently linked her blog to an online photo album that has topless photos of her near a painting of a topless woman, and at Burning Man, an annual weeklong festival in Nevada where clothing is optional. After a student who has made a habit of criticizing Blaine on his blog, “ Cardinal Martini,” linked to the photos, an NBC station in Los Angeles reported that the pictures are “causing concern,” bringing Blaine even more exposure. NBC’s claim of “concern” about the photos, however, seems dubious, as Blaine said she hasn’t heard from any of her colleagues or the university about it. A USC spokesman said that no policies have been violated, so the university is not pursuing the matter. http://insidehighered.com/news/2006/05/10/usc

FTC SETTLES DATA SECURITY CASE (InfoWorld, 10 May 2006) -- Nations Holding Co. (NHC), a real-estate firm operating in 44 U.S. states, has settled a data security case after the U.S. Federal Trade Commission (FTC) accused it of allowing a common Web attack to compromise customer data, the FTC announced Wednesday. The FTC also accused NHC and its Nations Title Agency (NTA) subsidiary of disposing of home-loan applications containing customers’ personal data by throwing them into a public dumpster. NHC, a privately held company in Kansas City, Kansas, must improve its information security practices and submit to biennial audits of its security practices for the next 20 years under the FTC settlement, FTC chairwoman Deborah Platt Majoras said. The settlement bars the company and owner Christopher Likens of making deceptive claims about privacy and security policies. Majoras called NHC’s data-handling practices “careless” during a speech at a Washington, D.C., data security conference sponsored by the Progress & Freedom Foundation, a free-market think tank. “Data security has been surprisingly lax at a number of companies,” she said. “The cases we’re bringing have not been close calls.” NHC and NTA routinely obtain personal consumer information, including names, Social Security numbers, credit histories, and bank and credit card numbers, from banks, real-estate brokers and customers, the FTC said. NHC and NTA made claims about its privacy and security policies that it did not honor, the FTC said. Since 2003, the companies failed to deploy several data-protection measures, the FTC said:
-- They failed to assess risks to the information they collected and stored, both online and offline.
-- They did not implement “simple, low-cost, readily available” defenses to common Web site attacks.
-- They failed to implement “reasonable” policies in key areas such as employee screening and training, as well as the handling of personal data.
-- They did not employ reasonable measures to detect and respond to unauthorized access to data and did not conduct security investigations. http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/10/78177_HNftcsettlescase_1.html

NEW SECURITY GLITCH FOUND IN DIEBOLD SYSTEM (InsideBayArea.com, 10 May 2006) -- Elections officials in several states are scrambling to understand and limit the risk from a “dangerous” security hole found in Diebold Election Systems Inc.’s ATM-like touch-screen voting machines. The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways. “This one is worse than any of the others I’ve seen. It’s more fundamental,” said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa. “In the other ones, we’ve been arguing about the security of the locks on the front door,” Jones said. “Now we find that there’s no back door. This is the kind of thing where if the states don’t get out in front of the hackers, there’s a real threat.” This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available. A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official let the expert examine the machines. http://www.insidebayarea.com/ci_3805089

WHAT’S DRIVING THE NEXT TELECOM LAW (Berkman’s Filter, by David S. Isenberg, May 2006) -- The COPE (Communications, Promotion, and Enhancement) bill in the House of Representatives, and a similar, but more detailed Senate telecommunications bill are racing towards enactment by summer. The likely new law is propelled by the nation’s big telephone companies’ perceived business need to deliver video entertainment along with voice telephony and Internet services. The triple-application formula fits the old telco/cableco business model, i.e., collecting fees for delivering established applications and using these fees to subsidize the delivery network. This old model is threatened because today’s Internet can support voice and video, and infinitely more, delivered from its edges by third-party application providers. Indeed, third parties like Skype and Vonage are breaking out all over and rudimentary video services are popping up like dandelions. National TV franchising will replace thousands of local city-by-city agreements to ease telco entry into video services. This will institutionalize the voice, video and Internet service bundle so only big players, “rational competitors,” as cablecos and telcos like to call themselves, can participate. Telephone companies have been weakened by the onslaught of new technology. The number of dial-up lines, which are the foundation of their business, has been falling since 2001. In 2003, the number shrunk by 4%, and the trend is accelerating. Meanwhile, telcos have not figured out how to make money selling simple Internet connectivity, so they need de jure preservation by Congress. Until this decade, law has treated the telephone network as a public accommodation, meaning that non-discriminatory access to the network, known as network neutrality in the current policy debate, was assured. 
On the Internet, though, non-discriminatory access leads straight to the erosion of the telco/cableco business model by third parties that would not behave as “rational competitors.” This is why telephone companies are fighting fiercely against non-discriminatory access. Recently they have been successful in the courts and the FCC, and the current House bill contains ineffectual, hard-to-enforce non-discrimination provisions. The Internet succeeded largely due to non-discriminatory access. That is what permitted third parties to create (and find markets for) e-mail, the Web, e-commerce, chat, online music, blogging, and virtual-world gaming. With it, there’d be more of the same tomorrow. An Internet that is made discriminatory to save the telcos is likely to remind us of Bruce Springsteen’s song, “57 Channels (and Nothing On).” The problem we should be solving is not how to change the Internet to save the telcos, but how to have a growing and innovative Internet without them. http://cyber.law.harvard.edu/home/filter/ [Related powerpoint at http://cyber.law.harvard.edu/audio/uploads/47/Next_Telecom_Act.ppt]

WIKI-LAW: THE ‘WIKIPEDIA’ OF LAW (Robert Ambrogi’s blog, 10 May 2006) -- I’ve become a big fan and regular user of Wikipedia, the free, user-edited encyclopedia. Last fall, Cornell’s Legal Information Institute launched the legal dictionary and encyclopedia Wex, which, like Wikipedia, is collaboratively written and edited by users. Now, another legal wiki has launched, Wiki-Law, and its co-founder says its mission “is to become the Wikipedia of the legal world.” A wiki, according to Wikipedia, is “a type of website that allows users to easily add, remove, or otherwise edit all content, very quickly and easily, sometimes without the need for registration.” The new WikiLaw describes its purpose as being “to create a free, complete, up-to-date and reliable world-wide legal guide and resource.” Users can contribute content in any of seven categories: Dictionary, Forms, Statutes, Case Briefs, Law Firm Profiles, Law School Profiles and Law Journal Profiles, or they can write their own blog or submit an interesting law related link. Not much there yet, but I hope the idea takes off. http://www.legaline.com/2006/05/wiki-law-wikipedia-of-law.html

REPORT: U.S. SPIES ON EVERYONE (Wired, 12 May 2006) -- Congressional Democrats demanded answers from the Bush administration Thursday about a report that the government secretly collected records of ordinary Americans’ phone calls to build a database of every call made within the country. “It is our government, it’s not one party’s government. It’s America’s government. Those entrusted with great power have a duty to answer to Americans what they are doing,” said Sen. Patrick Leahy of Vermont, the ranking Democrat on the Senate Judiciary Committee. AT&T, Verizon and BellSouth telephone companies began turning over records of tens of millions of their customers’ phone calls to the National Security Agency program shortly after the Sept. 11, 2001, terrorist attacks, said USA Today, citing anonymous sources it said had direct knowledge of the arrangement. http://www.wired.com/news/wireservice/0,70878-0.html

-- and --

DOJ DROPS WIRETAP INVESTIGATION (Wired, 11 May 2006) -- The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers security clearance. The Justice Department’s Office of Professional Responsibility, or OPR, sent a fax Wednesday to Democratic Rep. Maurice Hinchey of New York saying it was closing its inquiry because without clearance it could not examine department lawyers’ role in the program. “We have been unable to make any meaningful progress in our investigation because OPR has been denied security clearances for access to information about the NSA program,” OPR counsel H. Marshall Jarrett wrote to Hinchey. Hinchey’s office shared the letter with The Associated Press. http://www.wired.com/news/wireservice/0,70879-0.html

-- and --

BELLSOUTH DENIES GIVING CALL DATA TO NSA (Reuters, 15 May 2006) -- BellSouth, the No. 3 U.S. local telephone carrier, on Monday denied turning over customer telephone records to the National Security Agency on a large scale as part of the NSA’s call-tracking program to detect terrorist plots. USA Today reported last week that BellSouth, AT&T, and Verizon Communications had turned over tens of millions of consumers’ telephone records to the NSA so it could analyze call patterns. BellSouth said in a statement Monday that it did not have a contract with the NSA, which is tasked with eavesdropping on foreign communications and protecting U.S. government communications. “Based on our review to date, we have confirmed no such contract exists and we have not provided bulk customer calling records to the NSA,” BellSouth said in a statement. President Bush, who did not confirm or deny the USA Today report, said last week that intelligence activities he has authorized were legal and the government was not rifling through Americans’ personal lives or eavesdropping on domestic calls without court approval. Still, a Democrat commissioner on the Federal Communications Commission called for the agency to investigate whether BellSouth and the two largest U.S. telephone companies broke the law by reportedly disclosing consumers’ calling records to the NSA. “The FCC should initiate an inquiry into whether the phone companies’ involvement violated Section 222 or any other provisions of the Communications Act,” said FCC Commissioner Michael Copps, one of two Democrats on the five-member FCC. Section 222 of the 1934 Communications Act requires telecommunications carriers to protect the confidentiality of certain consumer call information, “except as required by law” or when the customer approves its release. http://news.com.com/BellSouth+denies+giving+call+data+to+NSA/2100-1028_3-6072600.html?tag=nefd.top

-- and --

THE NSA IS ON THE LINE -- ALL OF THEM (Salon.com, 15 May 2006) -- When intelligence historian Matthew Aid read the USA Today story last Thursday about how the National Security Agency was collecting millions of phone call records from AT&T, Bell South and Verizon for a widespread domestic surveillance program designed to root out possible terrorist activity in the United States, he had to wonder whether the date on the newspaper wasn’t 1976 instead of 2006. Aid, a visiting fellow at George Washington University’s National Security Archive, who has just completed the first book of a three-volume history of the NSA, knew the nation’s bicentennial marked the year when secrets surrounding another NSA domestic surveillance program, code-named Project Shamrock, were exposed. As fireworks showered New York Harbor that year, the country was debating a three-decades-long agreement between Western Union and other telecommunications companies to surreptitiously supply the NSA, on a daily basis, with all telegrams sent to and from the United States. The similarity between that earlier program and the most recent one is remarkable, with one exception -- the NSA now owns vastly improved technology to sift through and mine massive amounts of data it has collected in what is being described as the world’s single largest database of personal information. And, according to Aid, the mining goes far beyond our phone lines. The controversy over Project Shamrock in 1976 ultimately led Congress to pass the 1978 Foreign Intelligence Surveillance Act and other privacy and communication laws designed to prevent commercial companies from working in cahoots with the government to conduct wholesale secret surveillance on their customers. But as stories revealed last week, those safeguards had little effect in preventing at least three telecommunications companies from repeating history. 
Aid, who co-edited a book in 2001 on signals intelligence during the Cold War, spent a decade conducting more than 300 interviews with former and current NSA employees for his new history of the agency, the first volume of which will be published next year. Aid spoke with Salon about how the NSA has learned to maneuver around Congress and the Department of Justice to get what it wants. He compared the agency’s current data mining to Project Shamrock and Echelon, the code name for an NSA computer system that for many years analyzed satellite communication signals outside the U.S., and generated its own controversy when critics claimed that in addition to eavesdropping on enemy communication, the satellites were eavesdropping on allies’ domestic phone and e-mail conversations. Aid also spoke about the FBI’s Carnivore program, designed to “sniff” e-mail traveling through Internet service providers for communication sent to and from criminal suspects, and how the NSA replaced the FBI as the nation’s domestic surveillance agency after 9/11. [Editor: An extremely interesting interview follows.] http://www.salon.com/news/feature/2006/05/15/aid_interview/

-- and --

CONGRESS MAY MAKE ISPS SNOOP ON YOU (Wired, 16 May 2006) -- A prominent Republican on Capitol Hill has prepared legislation that would rewrite Internet privacy rules by requiring that logs of Americans’ online activities be stored, CNET News.com has learned. The proposal comes just weeks after Attorney General Alberto Gonzales said Internet service providers should retain records of user activities for a “reasonable amount of time,” a move that represented a dramatic shift in the Bush administration’s views on privacy. Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, is proposing that ISPs be required to record information about Americans’ online activities so that police can more easily “conduct criminal investigations.” Executives at companies that fail to comply would be fined and imprisoned for up to one year. In addition, Sensenbrenner’s legislation--expected to be announced as early as this week--also would create a federal felony targeted at bloggers, search engines, e-mail service providers and many other Web sites. It’s aimed at any site that might have “reason to believe” it facilitates access to child pornography--through hyperlinks or a discussion forum, for instance. http://news.com.com/Congress+may+make+ISPs+snoop+on+you/2100-1028_3-6072601.html?tag=nefd.lede

-- and --

FCC WON’T INVESTIGATE AT&T/NSA ALLEGATIONS (Broadband Reports.com, 23 May 2006) -- In a letter sent to Democrat Ed Markey, FCC chief Kevin Martin says “the classified nature of the NSA’s activities makes us unable to investigate the alleged violations.” Those violations allegedly include handing over customer phone and Internet activity records wholesale to the NSA. Markey responded to Martin in a statement: “We can’t have a situation where the FCC, charged with enforcing the law, won’t even begin an investigation of apparent violations of the law because it predicts that the administration will roadblock any investigations citing national security.” “If the FCC initiates an investigation and gets blocked by the White House, then the White House is stonewalling. But if the FCC refuses to even demand answers, then the White House never has to block the enforcement agency from getting to the bottom of this. The American people deserve answers.” http://www.dslreports.com/shownews/74740

CHINESE VERSION OF WIKIPEDIA IS LAUNCHED (SiliconValley.com, 12 May 2006) -- China’s biggest Internet search site, Baidu.com, has launched a Chinese-language encyclopedia inspired by the cooperative reference site Wikipedia, which the communist government bars China’s Web surfers from seeing. The Chinese service, which debuted in April, carries entries written by users, but warns that it will delete content about sex, terrorism and attacks on the government. Government censors blocked access last year to Wikipedia, apparently due to concern about its references to Tibet, Taiwan and other topics. The emergence of Baidu’s encyclopedia reflects efforts by Chinese entrepreneurs to take advantage of conditions created by the government’s efforts to simultaneously promote and control Internet use. Baidu calls its site Baike - pronounced “bye kuh” - or “One Hundred Chapters.” It says users have written more than 25,000 entries in the past week alone on cooking, the stock market, Chinese tourist sites and other topics. Wikipedia, by comparison, currently has more than 2.7 million entries. Baidu said managers weren’t immediately available to answer questions about the site. But Chairman Robin Li told The Financial Times newspaper this week that it was inspired by Wikipedia, though he said he hasn’t seen the U.S.-based site. “I certainly hope our encyclopedia will be the most authoritative one for any Chinese users,” Li was quoted as saying. http://www.siliconvalley.com/mld/siliconvalley/14563324.htm

CREDIT CARD SECURITY RULES TO GET UPDATE (CNET, 15 May 2006) -- Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption. The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday. The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. “There is an increase in application level attacks,” Maxwell said. While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data. “Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more acceptable compensating and mitigating controls,” he said. http://news.com.com/Credit+card+security+rules+to+get+update/2100-1029_3-6072594.html?tag=nefd.top

SOCIAL NETWORKS ATTRACT NEARLY HALF OF ALL WEB USERS (TechWeb.com, 15 May 2006) -- The number of visitors to the top 10 social-networking sites soared in April, attracting nearly half of all Web users, a market research firm says. The top 10 sites collectively grew 47 percent in the United States from the same month a year ago to 68.8 million unique visitors, Nielsen/NetRatings said. The sites reached 45 percent of active Web users. MySpace, owned by News Corp. and a favorite among teens and young adults, topped the list with a year-over-year growth rate of 367 percent to 38.4 million unique users. Blogger, owned by Google Inc., was second with 18.5 million visitors and an 80 percent growth rate. Classmates Online grew 10 percent to 12.9 million visitors, and YouTube and Microsoft’s MSN Groups, which saw a 14 percent drop in visitors, rounded out the top five with 12.5 million and 10.6 million, respectively. http://news.yahoo.com/s/cmp/20060513/tc_cmp/187202833

PORN MAKER ALLOWS DOWNLOADS FOR TV VIEWING (AP, 15 May 2006) -- Hollywood has been tiptoeing its way toward letting consumers buy a movie online, burn it onto a DVD and watch it on a living-room TV. While the studios hesitate, the adult film industry is taking the leap. Starting Monday, Vivid Entertainment says it will sell its adult films through the online movie service CinemaNow, allowing buyers to burn DVDs that will play on any screen, not just a computer. It’s another first for adult film companies that pioneered the home video market and rushed to the Internet when Hollywood studios still saw it as a threat. “Leave it to the porn industry once again to take the lead on this stuff,” said Michael Greeson, founder of The Diffusion Group, a consumer electronics think tank in Plano, Texas. “The rest of Hollywood stands back and watches and lets the pornography industry work out all the bugs,” he said. Vivid says its downloads, which will cost $19.95, do not use CSS. Instead, online retailer CinemaNow is using an alternate, proprietary system that it says will protect the adult movies by preventing the burned DVD from being copied to other discs. http://news.yahoo.com/s/ap/20060515/ap_on_hi_te/porn_downloads_7

SUPREME COURT BURIES PATENT TROLLS (Forbes, 16 May 2006) -- The U.S. Supreme Court has tipped the balance in patent disputes ever so slightly toward the end users of patented technology and away from inventors, owners of intellectual property and the hated “patent trolls”--companies that make money by suing for infringement of patents they own but don’t use. In a victory for eBay, the justices ruled unanimously that federal courts must weigh several factors before barring a patent infringer from using a contested technology or business method. The online auction house had petitioned the Supreme Court to review the practice of automatically issuing a permanent injunction whenever a patent was found valid and infringed, arguing that the standard was not grounded in the law. At stake for eBay was the viability of the popular, fixed-price “Buy It Now” section of its Web site. MercExchange, a tiny Virginia-based patent-holding company, won millions of dollars in damages when it successfully sued eBay for violating one of its patents related to the fixed-price auction feature. Now the case will be sent back to the district court where eBay originally won the right to continue operating “Buy It Now” while it designs around the patents. For years now, the U.S. Court of Appeals--the Federal Circuit in Washington, D.C., which reviews all appeals of patent suits--has slapped infringers with permanent injunctions as a matter of course, except in the most extreme circumstances. But the Supreme Court ruled that traditional “principles of equity” must be taken into account before such a drastic sanction is imposed. These principles include whether the patent holder has suffered irreparable damage or whether monetary awards might be enough to compensate for the harm done to the patent holder. In this case, a district court stopped short of forcing eBay to shut down the service entirely, saying that MercExchange wouldn’t be harmed if eBay continues to offer the service while it tries to design around the patents. MercExchange hasn’t used its patents, the court wrote, and could eventually be compensated with additional monetary damages if the infringing continued. But on appeal, the Federal Circuit stuck to its rule of always handing down injunctions and reversed the decision. The high court’s decision deals a blow to patent trolls, which are notorious for using the threat of permanent injunction to extort hefty fees in licensing negotiations as well as huge settlements from companies they have accused of infringing. http://www.forbes.com/home/businessinthebeltway/2006/05/15/ebay-scotus-patent-ruling-cx_jh_0516scotus.html

RECORD LABELS SUE XM OVER PORTABLE DEVICE (New York Times, 17 May 2006) -- The recording industry on Tuesday sued XM Satellite Radio Holdings Inc., alleging its Inno device that can store music infringes on copyrights and transforms a passive radio experience into the equivalent of a digital download service like iTunes. A spokesman for the Recording Industry Association of America, comprising major labels such as Vivendi Universal’s Universal Music Group, Warner Music Group Corp., EMI Group Plc and Sony BMG, said the suit was filed on Tuesday in New York federal court. The suit accuses XM Satellite of “massive wholesale infringement,” and seeks $150,000 in damages for every song copied by XM customers using the devices, which went on sale earlier this month. XM, with more than 6.5 million subscribers, said it plays 160,000 different songs every month. “...Because XM makes available vast catalogues of music in every genre, XM subscribers will have little need ever again to buy legitimate copies of plaintiffs’ sound recordings,” the lawsuit says, referring to the handheld “Inno” device. The suit says that XM has touted its service’s advantages over the iPod and cites XM’s advertising literature that says “It’s not a Pod. It’s the mothership.” XM said the Inno, which is manufactured by Pioneer Corp. (6773.T), is a legal device that allows consumers to listen to and record radio just as the law has allowed for decades. While the labels are asserting the device has transformed radio broadcasts into a download service, XM said the device does not allow consumers to transfer recorded content. XM also said that content recorded from radio broadcasts like XM’s is not on demand, in contrast to the content people buy from online music stores like Apple Computer Inc.’s (AAPL.O) popular iTunes service. XM said it will vigorously defend this lawsuit on behalf of consumers and also called the lawsuit a bargaining tactic.

“ECONOMIC LOSS” RULE BARS NEGLIGENCE CLAIM IN BREACH LAWSUIT, COURT RULES (Steptoe & Johnson’s E-Commerce Law Week, 18 May 2006) -- The difficulty of proving damages can sometimes make it tricky to bring negligence lawsuits against companies that have suffered computer security breaches. And even if damages can be proven, certain damages just don’t count. That’s the gist of the common law “economic loss” rule, which bars recovery on a negligence claim for purely economic losses. According to this rule, plaintiffs must prove something more, such as physical injury or damage to personal property. And this rule applies not just to suits by individuals, but also to suits brought by plaintiff companies, according to recent federal court decisions involving suits by banks against BJ’s Wholesale Club, Inc. See Sovereign Bank v. B.J.’s Wholesale Club, Inc., and Banknorth, N.A., v. B.J.’s Wholesale Club, Inc. So while banks and other companies stand to benefit from this rule when they’re the defendants in a breach case, they could suffer from it when they’re the plaintiffs and are trying to recover for losses caused by someone else’s bad security. It remains to be seen whether the economic loss doctrine is consistently applied in the relatively new area of breach lawsuits, or whether courts begin to develop ways to allow plaintiffs to get around it. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&siteType=Office&pubItemId=12426

SYMANTEC SUES MICROSOFT OVER STORAGE TECH (CNET, 18 May 2006) -- Symantec has launched a suit charging Microsoft with misappropriating its intellectual property and with violating a license related to data storage technology. The suit, filed Thursday in U.S. District Court for the Western District of Washington in Seattle, seeks unspecified damages and an injunction barring Microsoft from using the Symantec technology, which would include a halt on Windows Vista and the Longhorn server, according to a copy of the filing. “We are accusing them of misusing certain intellectual property that they had access to...and (saying) that they misused our intellectual property in operating system products,” Michael Schallop, the director of legal affairs at the security company, said in an interview. It is the first time Microsoft and Symantec have been pitted against each other in court, he said. The complaint involves Symantec’s Volume Manager product, acquired as part of the company’s takeover of Veritas Software. Volume Manager allows operating systems to store and manipulate large amounts of data. Microsoft licensed a “light” version of Volume Manager from Veritas in 1996 and used it in Windows 2000, Schallop said. The Redmond, Wash., company then used it to develop functionality for Windows Server 2003, which competes with Veritas’ Storage Foundation for Windows, Schallop said. Microsoft also misuses Symantec’s technology in Windows Vista and the Longhorn server release, Symantec charges in its complaint. It seeks an injunction to stop Microsoft from further developing, selling or distributing Vista, Longhorn server and all other infringing products, as well as a recall of all products already in the market, according to the complaint. “The breaches of the agreement and IP violations began after Windows 2000...They were not allowed to use that intellectual property to develop products that compete against Veritas,” Schallop said. “They have used our intellectual property in terms of trade secrets and source code to develop competing products.” Additionally, Schallop said, Veritas discovered about two years ago that Microsoft had filed patent requests based on Veritas’ trade secrets. “They claimed they had invented something that they had not,” he said. Symantec and Microsoft have tried to resolve the dispute, but were unable to. “We recently agreed to disagree and let the courts help us resolve the dispute,” Schallop said. “We think that we will prevail through trial.” A Microsoft representative confirmed the dispute and the attempts to reach an agreement outside of the courts. The argument stems from a “very narrow disagreement” over the terms of a 1996 contract with Veritas, the representative said in a statement. “These claims are unfounded because Microsoft actually purchased intellectual property rights for all relevant technologies from Veritas in 2004,” the representative said. “We believe the facts will show that Microsoft’s actions were proper and are fully consistent with the contract between Veritas and Microsoft.” http://news.com.com/Symantec+sues+Microsoft+over+storage+tech/2100-1014_3-6074055.html?tag=nefd.top

EUROPE: NO PATENTS FOR SOFTWARE (CNET, 24 May 2006) -- Software patent campaigners have reacted with surprise to an apparent change in the European Commission’s stance on those patents. The Commission said last week that computer programs will be excluded from patentability in the upcoming Community Patent legislation and that the European Patent Office will be bound by this law. “The EPO would...apply and be bound by a new unitary Community law with respect to Community patents,” the Commission said in a statement. “The draft Community Patent regulation confirms in its Article 28.1(a) that patents granted for a subject matter (such as computer programs), which is excluded from patentability pursuant to Article 52 EPC, may be invalidated in a relevant court proceeding.” This statement appears to contradict one made by the EC last year, when it said that the EPO would continue to grant software patents that make a technical contribution, despite the European Parliament’s decision to reject the software patent directive. That directive would have widened the extent to which software could be patented. http://news.com.com/2100-1014_3-6076418.html

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.