Friday, June 16, 2006

MIRLN -- Misc. IT Related Legal News [27 May – 16 June 2006; v9.08]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC (www.dickinsonwright.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described here: http://www.dickinson-wright.com/scripts/prac.asp

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box, MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/. Older editions reside in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

UNIVERSITY SERVER IN HACKERS’ HANDS FOR A YEAR (CNET, 21 May 2006) -- An unprecedented string of electronic intrusions has prompted Ohio University to place at least one technician on paid administrative leave and begin a sweeping reorganization of the university’s computer services department. Bill Sams, Ohio University’s chief information officer, said he initiated the reorganization on Friday. The Athens, Ohio-based university is reacting to recent discoveries that data thieves compromised at least three campus computer servers. In a disclosure that hasn’t been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com. At least one security expert was astonished that a compromise could go undetected for so long. “That’s unbelievable,” said Avivah Litan, security analyst with research firm Gartner. “I have never heard of that much of a delay. Why would it take a year to discover this? It doesn’t make any sense.” What’s also alarming to Litan is that a year-long compromise could go undetected at a time when universities should be operating on high alert. Over the past year, numerous media reports have chronicled security breaches at such schools as Notre Dame, Purdue and Georgetown universities. Ohio University only became aware that a problem existed after the FBI discovered someone had remotely taken control of one of the school’s servers. Litan estimates that a third of all data leaks are at universities. She says information bandits are preying on the nation’s colleges for three reasons. First, the schools possess Social Security numbers and other information useful in committing identity theft. Secondly, she says universities don’t take security seriously enough. “They don’t want to spend money on it,” Litan said. Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks. http://news.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html?tag=newsmap

COMPANY STAKING CLAIM ON NEW SPIN ON ‘CYBERSQUATTING’ (bizjournals, 22 May 2006) -- Interested in comparing video cameras, taking a vacation in Las Vegas or buying some lawn furniture? There are sites on the Web -- with names like videocamera.com, lasvegasvacations.com and lawnfurniture.com -- that seem tailor-made. Visit the sites, however, and you’ll find they consist of little more than advertising links. That may not be an obvious draw for consumers. But a growing number of local companies and investors are betting that Web sites like these have enormous potential to generate ad revenue -- and they’re hoarding hundreds of thousands of them in vast portfolios. In recent weeks, Maveron LLC, the Seattle venture capital firm founded by Starbucks Chairman Howard Schultz and investment banker Dan Levitan, put money on a Houston startup called Internet REIT, which owns some 400,000 domain names. A new Los Angeles-based company called Demand Media, flush with $120 million from investors, is building its own domain-name empire, and just acquired a Bellevue, Wash.-based domain-name registrar called eNom. Seattle-based Marchex Inc. was an early player in this emerging industry. The Internet services company bought 100,000 domain names in late 2004 and boasts a total of 200,000 today. http://www.bizjournals.com/losangeles/stories/2006/05/22/daily1.html?from_rss=1

GLOBAL SOFTWARE PIRACY COSTING $34BN (vnunet.com, 23 May 2006) -- The annual global PC software piracy study from the Business Software Alliance (BSA), conducted by IDC, has reported that over a third of all packaged software installed on PCs worldwide in 2005 was illegal. But the report noted improvements in a number of markets suggesting that education, enforcement and policy efforts are beginning to pay off in emerging economies such as China, Russia, India, Central/Eastern Europe and the Middle East & Africa. “The progress made in reducing PC software piracy in several emerging markets provides some encouragement, but much more needs to be done,” said BSA president and chief executive Robert Holleyman. “With more than one in three copies of PC software obtained illegally, piracy continues to threaten the future of software innovation, resulting in lost jobs and tax revenues.” Piracy rates decreased “moderately” in more than half of the 97 countries covered in this year’s study, and increased in only 19 countries. http://www.vnunet.com/vnunet/news/2156665/software-piracy-costing-34bn

COMPANY: HACKERS CAN CRACK TOP ANTIVIRUS PROGRAM (CNN, 26 May 2006) -- Symantec Corp.’s leading antivirus software, which protects some of the world’s largest corporations and U.S. government agencies, suffers from a flaw that lets hackers seize control of computers to steal sensitive data, delete files or implant malicious programs, researchers said Thursday. A spokesman, Mike Bradshaw, said the company was examining the reported flaw but described it as “so new that we don’t have any details.” Researchers from eEye Digital Security Inc. of Aliso Viejo, California, discovered the vulnerability and provided evidence to Symantec engineers this week, said eEye’s chief hacking officer, Marc Maiffret. He demonstrated the attack for The Associated Press. eEye said it appeared consumer versions of Symantec’s Norton Antivirus software -- sold at retail outlets around the country -- were not vulnerable to the flaw, though consumers who are provided Symantec’s corporate edition antivirus software by their employers for use at home may be affected. Maiffret’s company -- which has discovered hundreds of similar flaws in other software products -- also produces intrusion-protection software, called “Blink,” that he said already blocks such attacks and can operate alongside Symantec’s antivirus products. Maiffret published a note about the company’s discovery on its Web site but pledged not to reveal details publicly that would help hackers attack Internet users until after Symantec repairs its antivirus software. eEye said it intends to describe the problem in detail privately for some of its largest customers. The reported flaw comes at an awkward time for Symantec. Its chief executive, John Thompson, has campaigned in recent months to convince consumers they should trust Symantec -- not Microsoft Corp. -- to protect their personal information. http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html

AM I MY CONTRACTOR’S KEEPER? WHEN IT COMES TO SECURITY, YES (Steptoe & Johnson’s E-Commerce Law Week, 27 May 2006) -- One of the most common security breach scenarios involves a contractor accidentally losing sensitive data stored on a laptop, a disk, or a backup tape. So given the potential for an enforcement action by the Federal Trade Commission, a state AG investigation, or a contract or tort action arising from such breaches, the question is: what responsibility do companies have for the actions or omissions of their contractors that lead to a security breach? Or, put another way, what constitutes “reasonable care” when it comes to a company’s selection and oversight of a contractor such that it will not be held liable for a contractor-caused security breach? There is no easy answer, but clues continue to emerge from various sources. The most recent contribution comes from the New Jersey Supreme Court’s Advisory Committee on Professional Ethics, which issued an opinion stating that those practicing law in New Jersey may “entrust[] documents to an outside provider” when they have “come to the prudent professional judgment” that the provider both has “an enforceable obligation to preserve confidentiality and security” and will make use “of available technology to guard against reasonably foreseeable attempts to infiltrate data.” While only applicable to lawyers, and not directly addressing liability, this opinion is consistent with the theme struck by the FTC that a company should exercise due care in dealing with contractors -- both in establishing up front what contractors’ security practices will be and in ensuring continued compliance. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=12501&siteId=547

SOFTWARE TAPS EXPERTS AMONG YOUR FRIENDS (New York Times, 29 May 2006) -- For anyone who has hesitated before making a purchase on a Web site, uncertain which brand is preferable, Tacit Software is preparing to introduce an online service that will make it simple to pick the brains of friends and colleagues for opinions and expertise. Tacit plans to start testing the service, called Illumio, next month. The service allows the user to mine the data on the computers of friends, business associates and others with shared interests on any subjects. However, Illumio is not a search engine, like Google or Yahoo. The system works by transparently distributing a request for information on questions like “Who knows John Smith?” and “Are Nikon digital cameras better than Olympus?” to the computers in a network of users. The questions can then be answered locally based on a novel reverse auction system that Illumio uses to determine who the experts are. The system is intended to extend a growing category of software that helps groups collaborate and work together more efficiently. Efforts to create systems that augment the intellectual power of work groups go back to the earliest days of computing technology development. The widespread availability of networks and Web browsers, however, has made such technologies far more accessible in recent years. “The collaboration space is big and busy,” said David L. Gilmour, president and chief executive of Tacit. “We don’t consider ourselves a collaboration environment, rather we are about communication and search.” Software such as Illumio is representative of the rapid emergence of new markets for digital information, said Michael Schrage, a researcher at the Massachusetts Institute of Technology Sloan School of Management. “This represents the eBayification of organizations,” he said. “The reality is that organizations are run off of informal connections and tools such as this facilitate gray markets in information and interpersonal exchange.” Tacit’s top achievement in its software for connecting people and expertise may be in a design that keeps personal information private. The Illumio software uses a reverse auction model to restrict the answer to the best expert. In a reverse auction, sellers compete for the right to provide goods or services. For example, in response to the question, “Who knows John Smith?” each Illumio local system would independently determine who had the best relationship in the network based on parameters such as who had recently exchanged the most e-mail with John Smith. If the local system found a strong relationship, the local Illumio client software would pop up a request on that user’s screen asking whether the user wished to respond to the person asking the question. Initially only the strongest candidates would be notified locally of the query. If that user ignored the request, the reverse auction system would, in effect, lower the bar to ask the person with the next strongest relationship. Then, if there were no responses, the bar would be again lowered until an expert responded. It is possible that difficult questions would find no experts. The system ensures that experts remain anonymous until they agree to answer the query. When a user answers, the connection is made either through the Illumio system, by e-mail or by other channels such as instant messaging or telephone. The potential of Illumio lies in its ability to help small groups of friends and associates tap expertise that they might otherwise not know existed, said Esther Dyson, publisher of Release 1.0, a computer industry newsletter, a CNET Networks editor at large and an Illumio investor. “This is searching your friends’ heads as reflected in what’s on their computers,” Dyson said. http://news.com.com/Software+taps+experts+among+your+friends/2100-1012_3-6077730.html?tag=nefd.top
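The privacy property the article credits to Illumio’s reverse auction is that the relationship score is computed on each user’s own machine and nobody is identified to the asker until they opt in. The simulation below is an added illustration written for this newsletter, not Tacit’s code, and the article gives no protocol details: the scoring rule (share of a mailbox exchanged with the named person, as an integer percentage), the threshold schedule (90 down to 10 in steps of 20) and the sample mailboxes are all assumptions constructed here. The asker only ever broadcasts a question and a threshold; scores, mailbox contents and the identities of users who were prompted but declined never leave the client.

```python
"""Simulation of an Illumio-style reverse-auction expert lookup.

Added illustration, not Tacit's software. Assumed protocol: the asker
broadcasts (subject, threshold); each client scores the subject locally
from data that stays on the machine, prompts its own user only if the score
clears the threshold, and returns a name only if that user opts in. If no
one opts in, the asker lowers the threshold and tries again.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Client:
    owner: str
    mailbox: Dict[str, int]          # counterparty -> e-mails exchanged (local data)
    will_answer: bool                # what the user does when prompted
    prompts: List[Tuple[str, int]] = field(default_factory=list)  # audit of prompts shown
    declined: set = field(default_factory=set)                     # subjects already ignored

    def local_score(self, subject: str) -> int:
        # Assumed scoring rule: integer percentage of this mailbox's traffic
        # that involves the subject. Computed locally, never transmitted.
        total = max(1, sum(self.mailbox.values()))
        return 100 * self.mailbox.get(subject, 0) // total

    def consider(self, subject: str, threshold: int) -> Optional[str]:
        """Return the owner's name only if the user opts in; otherwise reveal nothing."""
        if subject in self.declined or self.local_score(subject) < threshold:
            return None                       # below the bar: user is not even prompted
        self.prompts.append((subject, threshold))
        if not self.will_answer:
            self.declined.add(subject)        # ignore once, and stay quiet on later rounds
            return None
        return self.owner


def find_expert(clients: List[Client], subject: str,
                start: int = 90, step: int = 20, floor: int = 10
                ) -> Tuple[Optional[str], int, int]:
    """Asker side: lower the bar round by round until someone opts in.

    Returns (responder, threshold at which found, rounds used); responder is
    None when the threshold reaches the floor with no volunteer. Clients with
    a zero score are never prompted because the floor stays above zero.
    """
    threshold = start
    rounds = 0
    while True:
        rounds += 1
        for client in clients:
            who = client.consider(subject, threshold)
            if who is not None:
                return who, threshold, rounds
        if threshold <= floor:
            return None, threshold, rounds
        threshold = max(floor, threshold - step)


def make_sample_clients() -> List[Client]:
    """Constructed sample network (not real data)."""
    return [
        Client("alice", {"John Smith": 45, "Bob": 5}, will_answer=False),   # score 90, ignores
        Client("bob", {"John Smith": 30, "Carol": 30}, will_answer=True),   # score 50, answers
        Client("carol", {"John Smith": 2, "Dan": 98}, will_answer=True),    # score 2, never asked
    ]


if __name__ == "__main__":
    net = make_sample_clients()
    print(find_expert(net, "John Smith"))   # alice is prompted first and ignores; bob answers
    print(find_expert(net, "Zed"))          # nobody knows Zed: no expert found
    for c in net:
        print(c.owner, "was prompted for:", c.prompts)
```

Run the block as a script to watch the bar drop: alice is prompted at 90 and ignores, no one qualifies at 70, and bob opts in at 50, while carol is never interrupted and the asker learns nothing about alice. The same loop is what lets a question go unanswered rather than being forced onto a weak match.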

EU COURT ANNULS DATA DEAL WITH US (BBC, 30 May 2006) -- The European Court of Justice has annulled an EU-US agreement requiring airlines to transfer passenger data to the US authorities. The court said the decision to hand over the data, including addresses and credit card details, lacked an “appropriate legal basis”. The US says the information helps identify potential terrorists. Stewart Baker, an assistant secretary of state for the US Department of Homeland Security, said: “I am confident that we will find a solution that will keep the data flowing and the planes flying.” The US demanded tighter airline security worldwide after the 11 September 2001 attacks on New York and Washington by suicide hijackers. The European Parliament argued that the US did not guarantee adequate levels of data protection and that handing over the data violated passengers’ privacy. http://news.bbc.co.uk/2/hi/europe/5028918.stm and http://news.com.com/2100-1029_3-6077893.html

TERRORISM INVOKED IN ISP SNOOPING PROPOSAL (CNET, 30 May 2006) -- In a radical departure from earlier statements, Attorney General Alberto Gonzales has said that requiring Internet service providers to save records of their customers’ online activities is necessary in the fight against terrorism, CNET News.com has learned. Gonzales and FBI Director Robert Mueller privately met with representatives of AOL, Comcast, Google, Microsoft and Verizon last week and said that Internet providers--and perhaps search engines--must retain data for two years to aid in anti-terrorism prosecutions, according to multiple sources familiar with the discussion who spoke on condition of anonymity on Tuesday. Gonzales’ acknowledgement represents a departure from earlier statements that emphasized how mandatory data retention would help thwart child exploitation. http://news.com.com/2100-1028_3-6078229.html and http://news.com.com/2100-1028_3-6077654.html

JUDGE: BLOGGERS ENTITLED TO IMMUNITY UNDER COMMUNICATIONS ACT (Law.com, 2 June 2006) -- Bloggers cannot be hit with libel suits on the basis of anonymous postings on their Web sites because federal law grants them immunity by explicitly stating that they cannot be treated as the “publisher” of such comments, a federal judge has ruled. In his 22-page opinion in DiMeo v. Max, U.S. District Judge Stewart Dalzell held that the pre-emption clause of Section 230 of the Communications Decency Act -- a provision that remains intact despite court rulings that struck down some of its key provisions -- effectively “overrides the traditional treatment of publishers under statutory and common law.” DiMeo’s lawsuit stems from a series of anonymous postings on the messageboards of Max’s Web site that discussed a Dec. 31, 2005, party thrown by Renamity -- DiMeo’s publicity firm -- that Dalzell describes as “the New Year’s Eve party from hell.” In his lawsuit, DiMeo claimed that six of the postings were libelous. Although DiMeo conceded that Max had not authored the comments himself, the suit alleged that Max was nonetheless liable because he had published them. The suit also alleged a claim under Section 223(a)(1)(3), a federal criminal statute that prohibits anonymously using a telecommunications device to harass someone. Now Dalzell has sided with the defense team and held that the CDA grants immunity to a blogger in such a case -- even if the blogger admits that he exercises some editorial control over the anonymous postings. Dalzell found that Congress enacted Section 230 for two reasons -- to “promote the free exchange of information and ideas over the Internet,” and to “encourage service providers to self-regulate the dissemination of offensive material over their services.” Dalzell concluded that the purpose of Section 230 was to provide immunity from libel suits for Internet providers -- including bloggers. Without such immunity, Dalzell said, the freewheeling nature of speech on the Internet would suffer. http://www.law.com/jsp/article.jsp?id=1149152717145

CLEANING UP DATA BREACH COSTS 15X MORE THAN ENCRYPTION (Techweb, 2 June 2006) -- Protecting customer records is an order of magnitude less expensive than paying for cleanup after a data breach or massive records loss, a research company said Tuesday. Gartner analyst Avivah Litan said in a research note that data protection is cheaper than a data breach. She recently testified on identity theft at a Senate hearing held after the Department of Veterans Affairs lost 26.5 million vet identities. “A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined,” Litan said in an accompanying statement. “Compare [that] with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach,” she added. Litan recommended encryption as the first step enterprises and government agencies should take to protect customer/citizen data. If that’s not feasible, organizations should deploy host-based intrusion prevention systems (HIPS), she said, and/or conduct security audits to validate that the company or agency has satisfactory controls in place. “None of these options are mutually exclusive, but implementing all three will still be less expensive than having to respond to a large-scale data breach,” Litan said. http://www.techweb.com/wire/188702019

APPEALS COURT LEAVES CONSTITUTIONALITY OF NSLS UNDECIDED (Steptoe & Johnson’s E-Commerce Law Week, 3 June 2006) -- If your company were served with a burdensome or legally troubling National Security Letter, could you successfully object on constitutional grounds? Given that the government issued over 9,000 NSLs last year, according to a Justice Department report, the question is far from academic. ISPs, banks, credit card companies, and telecommunications companies are all likely recipients of these administrative subpoenas, whose scope was dramatically expanded by the USA PATRIOT Act. Over the past two years, federal judges in two cases -- one in the Southern District of New York (SDNY) and the other in Connecticut -- found that the NSL’s gag order provision violates the First Amendment. The judge in New York also ruled that the FBI’s implementation of NSLs violated the Fourth Amendment’s prohibition against unreasonable searches and seizures. The government appealed the rulings in both cases, and on May 23 the U.S. Court of Appeals for the Second Circuit issued a per curiam decision on the consolidated appeal, vacating and remanding the decision in the New York case and dismissing the government’s appeal in the Connecticut case. The court’s action leaves alive the First Amendment challenges to NSL gag orders, to be addressed by the SDNY on remand. But it disposes of the Fourth Amendment challenge to NSLs for now. So while the playing field has changed a bit, the game is far from over on NSLs. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=12529&siteId=547 [Editor: This is a real problem for in-house lawyers; the ABA Cyberspace Law Committee may undertake a project to produce guidance and “best practices” for those who receive NSLs.]

ON A RUSSIAN SITE, CHEAP SONGS WITH A BACKBEAT OF ILLEGALITY (New York Times, 5 June 2006) -- Rising consumer popularity is turning AllofMP3.com, a music downloading service based in Moscow, into a global Internet success story, but with a catch. The site may well be illegal. Operating through what music industry lobbyists say is a loophole in Russia’s copyright law, AllofMP3.com offers a vast catalog of music that includes artists not normally authorized for sale online — like the Beatles and Metallica — at a fraction of the cost of services like the iTunes Music Store owned by Apple Computer. The songs are sold by the megabyte instead of individually, and an album of 10 songs or so on AllofMP3 can cost the equivalent of less than $1, compared with 99 cents a song on iTunes. And unlike songs purchased on iTunes and other commercial services, songs downloaded with AllofMP3’s software can be copied without restrictions. It is an offer that may seem too good to be true, but in Russia — a country that is frequently cited by news media and content owners as rife with digital piracy and theft of intellectual property — courts have so far allowed the site to operate, despite efforts by the record labels Warner, Universal and EMI to aid prosecutors there. So great is the official level of concern about AllofMP3 that United States trade negotiators warned that the Web site could jeopardize Russia’s long-sought entry into the World Trade Organization. AllofMP3.com says on the site that it can legally sell to any user based in Russia and warns foreign users to verify the legality within their countries for themselves. The site also features a wide selection of Russian music, but it is in English, with prices listed in American dollars. AllofMP3 asserts its legality by citing a license issued by a royalty collecting society, the Russian Multimedia and Internet Society, known as R.O.M.S. for its Russian initials. In most countries, the collecting societies that receive royalty payments for the sale or use of artistic works need reciprocal agreements with overseas copyright holders, according to agencies that represent rights holders. According to Russia’s 1993 copyright law, however, collecting societies are permitted to act on behalf of rights holders who have not authorized them to do so. The result is that numerous organizations in Russia receive royalties for the use of foreign artistic works, but never pass on that money to the artists or music companies, according to the International Confederation of Societies of Authors and Composers, the umbrella organization for collecting societies. http://www.nytimes.com/2006/06/05/technology/05music.html?ex=1307160000&en=f975d40a589dd622&ei=5090&partner=rssuserland&emc=rss

EMPLOYERS PUT UP BARRIERS TO NET SURFING ON THE JOB (SiliconValley.com, 5 June 2006) -- The Web can be a great waste of time at work. From catching up on the latest weird videos to planning a wedding, millions of people use the Internet every day. But much of that surfing is done from a cubicle, leading to hours of questionable productivity and strained resources. In response, workplace Internet policies are getting stricter. Companies are starting to ban Web access, block instant messaging services to squash discreet conversations among chatty co-workers and prohibit employees from watching sporting events on their computers. “If you’re watching video, you’re probably not working,” said Vimal Solanki, director of product marketing at McAfee, a software vendor whose products to block Web access are selling briskly. In fact, the Web has become so addictive that 54 percent of men said they would rather give up their morning coffee than lose their personal Internet fix at work, according to a recent survey. And 47 percent of women said they would do the same. “The Internet has become the modern day equivalent of the phone,” said Richard Chaifetz, chief executive officer of ComPsych, a Chicago-based provider of employee assistance programs. “The difference is the phone is more obvious, you know when someone is talking. But the Internet is more stealth. It can be hard to tell when someone is online.” http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14745697.htm

-- and --

YOU’VE GOT SOMEONE READING YOUR E-MAIL (New York Times, 12 June 2006) -- More than a third of American companies with 1,000 or more workers say they employ people to read through other employees’ outbound e-mail. And nearly half of those companies regularly go through outbound e-mail in search of rule-breaking, according to a recent survey of 294 companies done by Forrester Consulting for Proofpoint, a maker of e-mail security products. Companies look through e-mail for leaked trade secrets, improperly disclosed financial information or illegally released health records. Often, they find them: 32.1 percent of the companies surveyed reported that they had fired someone within the last year for breaking e-mail rules. Nearly 45 percent of the companies said they used software to search through their employees’ messages for offensive words. Companies are turning their attention to employee e-mail because it is increasingly the subject of lawsuits. About 21 percent of the companies surveyed said they had had their employees’ e-mail subpoenaed over the last 12 months, a rate that has doubled since last year. http://www.nytimes.com/2006/06/12/technology/12drill.html?ex=1307764800&en=6b4c4d63fcca3c86&ei=5090&partner=rssuserland&emc=rss

AUSTRALIAN POLICE TO GET PASSWORD POWERS (AustralianIT.com, 6 June 2006) -- Queensland Police are to be given power to force suspects to hand over passwords and encryption codes. Civil libertarians warn the laws could allow corrupt police to fake evidence, because they will have access to suspects’ digital signatures. The legislation, to come into force in July, covers mobile phones, PCs, handhelds and other electronic devices. Non-compliance carries up to 12 months’ jail. The amendments to the Police Powers and Responsibilities Act will make Queensland the only state with legislation preventing suspects from claiming the right to silence concerning passwords and computer encryption. NSW and federal police have similar powers under the federal Crimes Act. While police have software tools to crack encryption, Queensland Police Minister Judy Spence said the powers, which required a warrant, would save time and resources. “Police are spending hundreds of hours trying to crack codes from seized electronic equipment to retrieve data,” Ms Spence said. “This law prevents criminals from withholding electronic evidence by forcing them to give police access to data from their computers, mobile phones and other electronic storage devices.” http://australianit.news.com.au/articles/0,7204,19373433%5E26199%5E%5Enbv%5E15306-15319,00.html

CT RULES THAT LIGHTLY GUARDED SITE DOESN’T VIOLATE THE SCA (BNA’s Internet Law News, 8 June 2006) -- BNA’s Electronic Commerce & Law Report reports that the 11th Circuit Court of Appeals has ruled that unauthorized access of an online message board, which was protected only by a clickwrap affirmation that the user was not affiliated with DirecTV, does not violate the Stored Communications Act. The court ruled that the weak protections placed on the Web site were not enough to make it inaccessible to the general public, a requirement for SCA protection. Decision at http://caselaw.findlaw.com/data2/circs/11th/0513687p.pdf

TIVO TUNES IN TO NET DOWNLOADS (CNET, 7 June 2006) -- TiVo unveiled on Wednesday broadband video downloads, marking the latest move by the digital video recorder company to expand its Internet-related services. Through the new TiVoCast service, people can download broadband video clips to their TiVo boxes for free from a handful of Internet sites, such as woman-oriented iVillage, technology-focused CNET.com (a CNET News.com sister site), entertainment-grooved Heavy.com, The New York Times, the National Basketball Association and Women’s National Basketball Association, and news and political video blog site Rocketboom. “Television is still the preferred platform for watching video,” Tara Maitra, TiVo general manager of programming, said in a statement. “The TiVoCast service captures mainstream and specialty-based content on the Web, delivering programming that is not otherwise available through the TV today.” TiVo plans to expand the number of Web sites and videos it offers, Maitra added in a telephone interview, although there is no specific target for such launches. TiVo and its partners plan to make money by integrating advertising within the content. That could bode well for TiVo, which has been under pressure to differentiate itself amid growing competition from companies offering DVR service to industry titans such as Cisco Systems and Motorola, which are adding digital recording features to their cable set-top boxes. http://news.com.com/2100-1041_3-6080955.html

NEW CD SWAP SITE TO GIVE BACK TO ARTISTS (CNET, 7 June 2006) -- A new Web site that aims to transform music industry economics is set to go live on Thursday, giving musicians a major cut of the proceeds while largely freezing out record labels and other intermediaries. Lala.com, which allows fans to trade music discs for just $1, plus shipping, pledges to give a fifth of its sales to all the musicians, including lesser known session studio players, involved in the making of CDs exchanged on its site. In a move that is certain to stoke controversy with music promoters, the founder of the Silicon Valley start-up said Lala will circumvent traditional copyright and royalty payment systems to compensate identifiable working musicians. The site works something like an eBay auction exchange as it encourages consumers who sign up for the service to list all the CDs they may want to exchange as well as ones they would be interested in receiving. Once an exchange is arranged, the recipient pays $1.49, of which 49 cents pays for shipping the disc, leaving $1 for the company to cover musicians, administrative costs and its own cut. Lala said 20 cents of each $1 will go into a charitable fund for the musicians. It is looking to pay the musicians via a charitable organization it has set up called the Z Foundation. It plans on keeping 20 to 30 cents for itself, with the remainder going on administration. http://news.com.com/2100-1027_3-6081321.html [Peerflix mediates DVD swapping -- see www.peerflix.com]

LAWYERS AS “SERVICE PROVIDERS” UNDER THE GRAMM-LEACH-BLILEY ACT (Davis, Wright & Tremaine blog, 8 June 2006) -- Despite a ruling by the D.C. Circuit Court of Appeals that lawyers are not “financial institutions” under the Gramm-Leach-Bliley Act (“GLBA”) and therefore need not comply with the privacy obligations under the GLBA required of financial institutions, it is likely that lawyers are “service providers” for the purposes of the GLBA when representing GLBA-regulated financial institutions. (See American Bar Ass’n v. Federal Trade Comm’n, 430 F.3d 457, 21 Law. Man. Prof. Conduct 616 (D.C. Cir. 2005).) The consequence? Lawyers representing GLBA-regulated financial institutions may be required to give contractual assurances about their information security practices and, in particular, the steps they are taking to protect any personal information they may acquire in the course of their representation. The Federal Trade Commission—one of the federal agencies authorized to make rules implementing the GLBA—already requires financial institutions to oversee their service providers by “taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue,” and “require service providers by contract to implement and maintain such safeguards.” (16 C.F.R. § 314.4(d)). The good news? A service provider’s obligations under GLBA extend only to the safeguards rule and not the privacy rule. Furthermore, the legal profession, with its longstanding professional duty to protect client confidentiality, should already be providing the information security measures necessary to meet the safeguards rule under GLBA. A prudent law firm may also avoid its GLBA obligation by including language in its retention letter to the effect that its representation of the financial institution does not require access to nonpublic personal information. http://www.privsecblog.com/archives/financial-institutions-lawyers-as-service-providers-under-the-grammleachbliley-act.html [Editor: the underlying source for this article appears to be a presentation by Michael Fleming at the ABA/Tampa meeting in April 2004. See http://www.larkinhoffman.com/news/news_detail.cfm?NEWS_ID=99]

APPEALS COURT UPHOLDS NET-WIRETAPPING RULES (CNET, 9 June 2006) -- The Bush administration’s plans to force Internet providers to comply with extensive wiretapping rules received a boost on Friday, when a federal appeals court upheld the controversial regulations. A three-judge panel of the U.S. Court of Appeals in Washington, D.C., refused to overturn the Internet surveillance regulations, saying the Federal Communications Commission made a “reasonable policy choice” when approving them last fall. FCC Chairman Kevin Martin, a Republican, applauded the ruling, saying it “will ensure that law enforcement agencies’ ability to conduct lawful court-ordered electronic surveillance will keep pace with new * * *.” One member of the panel, who had called the FCC’s arguments “gobbledygook” and “nonsense” during oral arguments before the appeals court last month, dissented. He said the 1994 Communications Assistance for Law Enforcement Act, or CALEA, does not give the FCC “unlimited authority to regulate every telecommunications service that might conceivably be used to assist law enforcement.” The organizations behind the lawsuit say Congress never intended CALEA to force broadband providers--and networks at corporations and universities--to build in central surveillance hubs for the police. The list of organizations includes Sun Microsystems, Pulver.com, the American Association of Community Colleges, the Association of American Universities and the American Library Association. Even without the FCC rules that are scheduled to take effect in May 2007, police have the legal authority to conduct Internet wiretaps--that’s precisely what the FBI’s Carnivore system was designed to do. Still, the FBI has claimed, the need for “standardized broadband intercept capabilities is especially urgent in light of today’s heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication.” http://news.com.com/Appeals+court+upholds+Net-wiretapping+rules/2100-1028_3-6082085.html?tag=nefd.lede

A PUBLIC (ON THE WORLD WIDE WEB) SCOLDING (ABA Journal, 9 June 2006) -- Don’t make the judge mad. That’s the lesson some would take from Judge Katherine Stolz’s opinion in Saldivar v. Momah, No. 04-026677-3 (May 24). But the Seattle attorney who appears to have made the judge mad, Harish Bharti, is unrepentant. “I believe in the system,” Bharti says. “It’s made a big mistake, and it’s going to be corrected. You think the court of appeals will let this order stand for five minutes?” “This order” is part of an opinion in which Stolz, a superior court judge in Tacoma, Wash., found that Bharti helped his client fabricate tales of sexual assault by a defendant physician during an exam. Stolz ordered the client to pay the defendant, Dr. Dennis Momah, more than $2.8 million (plus attorney fees and costs) on his counterclaim for intentional infliction of emotional distress. She also ordered Bharti to pay a $250,000 sanction to Momah, in addition to $50,000 in sanctions to the court for his role in the case. But that’s not all. Stolz also ordered Bharti to post her blistering opinion on his firm’s Web site under a headline she dictated: “Result in First Civil Case Tried Against Charles and Dennis Momah.” Legal experts say they’ve never seen a sanction like the Web posting, and they’re not convinced it’s proper. “I think it’s egregious,” says Marilyn J. Berger, a professor at Seattle University School of Law and director of its trial advocacy program. “I have no problem with the monetary penalties. If everything [in Stolz’s findings of fact and conclusions of law] is true, they don’t seem to be ludicrous. But I do take exception with tampering with somebody’s reputation and ordering him to use his own Web site to post that he lost. Imagine every time you lose a case, you’re told that you should have known that your client was lying and you must post your loss on your Web site. It’s the modern equivalent of a scarlet letter, and it chills other attorneys from bringing these cases.” http://www.abanet.org/journal/ereport/jn9site.html

ABA TASK FORCE TO EXAMINE SIGNING STATEMENTS (ABA Journal, 9 June 2006) -- After reports emerged that the Bush administration has significantly expanded the use of presidential signing statements, some say as an alternative to the line-item veto, the ABA has formed a task force to examine the practice. Pledging to take a comprehensive and historical view of presidential signing statements, the 10-member Task Force on Presidential Signing Statements and the Separation of Powers Doctrine is on a tight schedule and is expected to come up with a report and recommendations in time for the ABA Annual Meeting this August in Honolulu. ABA President Michael S. Greco of Boston says he asked the Board of Governors, which met in New Orleans last weekend, to approve the task force because the use of presidential signing statements has created separation-of-powers issues. Greco emphasized that the issue is not limited to the current administration but also dates back to the Reagan era. The use of signing statements by Reagan, George H.W. Bush and Bill Clinton pales in comparison to the practice by President George W. Bush, who is reported to have used signing statements at least 750 times during his two terms in office, more than all previous presidents combined. “This squarely presents a separation-of-powers issue,” Greco says. “There are those who worry that what the president is doing is to assume the role of Congress of enacting or not enacting legislation that he disagrees with.” Chaired by Miami lawyer Neal R. Sonnett, the task force includes former FBI Director William S. Sessions (who was hired by Reagan and fired by Clinton); Patricia M. Wald, former chief judge of the U.S. Court of Appeals for the District of Columbia Circuit (appointed to the court by President Jimmy Carter); former U.S. Rep. Mickey Edwards, R-Okla.; George Washington University law professor Stephen A. Saltzburg; and Bruce Fein, who was associate deputy attorney general under Reagan. 
Sonnett says the task force will examine whether signing statements do damage to the constitutional system of checks and balances, how or if they should be used, and whether there have been abuses of signing statements in this administration or others. Fein, who was part of the effort to expand the use of signing statements under Reagan, says there are appropriate signing statements and inappropriate ones. He views appropriate signing statements as those designed to resolve ambiguities and ensure that the president is a partner in the drafting of statutes. But when a president uses the signing statement more like a line-item veto, to announce that something is unconstitutional or won’t be enforced, Fein has problems with the use. “The president has an obligation in his official capacity to honor and defend the Constitution,” he says. “He shouldn’t sign a law he thinks is unconstitutional.” Asked about being invited to join the task force despite being a frequent critic of the ABA, Fein says that “on these issues, there’s a commonality.” “It’s not a time to have grudges out and play partisan here,” Fein says. “This is the Constitution of the United States. This is of vital concern to everybody, especially lawyers.” http://www.abanet.org/journal/ereport/jn9sign.html

-- and --

A LEAP OF FAITH, OFF A CLIFF (New York Times Editorial, 15 June 2006) -- On Monday, the Bush administration told a judge in Detroit that the president’s warrantless domestic spying is legal and constitutional, but refused to say why. The judge should just take his word for it, the lawyer said, because merely talking about it would endanger America. Today, Senator Arlen Specter wants his Judiciary Committee to take an even more outlandish leap of faith for an administration that has shown it does not deserve it. Mr. Specter wants the committee to approve a bill he drafted that tinkers dangerously with the rules on wiretapping, even though the president has said the law doesn’t apply to him anyway, and even though Mr. Specter and most of the panel are just as much in the dark as that judge in Detroit. The bill could well diminish the power of the Foreign Intelligence Surveillance Act, known as FISA, which was passed in 1978 to prevent just the sort of abuse that Mr. Bush’s program represents. Mr. Specter’s bill * * * is fatally flawed and should not go to the Senate floor. He is trying to change the system for judicial approval of government wiretaps in a way that suggests Congress is facing a technical problem with a legislative solution, when in fact it is a constitutional showdown. Mr. Specter says his bill would impose judicial review on domestic spying by giving the special court created by FISA power to rule on the constitutionality of the one program that Mr. Bush has acknowledged. But the review would be optional. Mr. Specter’s bill would eliminate the vital principle that FISA’s rules are the only legal way to eavesdrop on Americans’ telephone calls and e-mail. It would give the president power to conduct surveillance under FISA “or under the constitutional authority of the executive.” That merely reinforces Mr. Bush’s claim that he is the sole judge of what powers he has, and how he exercises them. Mr. Specter’s lawyers have arguments for many of these criticisms, and say the bill is being improved. But the main problem with the bill, like most of the others, is that it exists at all. This is not a time to offer the administration a chance to steamroll Congress into endorsing its decision to ignore the 1978 intelligence act and shred constitutional principles on warrants and on the separation of powers. This is a time for Congress to finally hold Mr. Bush accountable for his extralegal behavior and stop it. http://www.nytimes.com/2006/06/15/opinion/15thurs1.html?ex=1308024000&en=ce6b8ef97b46c43d&ei=5090&partner=rssuserland&emc=rss

-- and --

THE ETERNAL VALUE OF PRIVACY (Wired News, Editorial by Bruce Schneier, 14 May 2006) -- The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: “If you aren’t doing anything wrong, what do you have to hide?” Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect. Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.” Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Watch someone long enough, and you’ll find something to arrest -- or just blackmail -- with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies -- whoever they happen to be at the time. Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance. http://www.wired.com/news/columns/1,70886-0.html [Editor: there’s more to the editorial, and it’s worth reading.]

FOR SOME, ONLINE PERSONA UNDERMINES A RÉSUMÉ (New York Times, 11 June 2006) -- When a small consulting company in Chicago was looking to hire a summer intern this month, the company’s president went online to check on a promising candidate who had just graduated from the University of Illinois. At Facebook, a popular social networking site, the executive found the candidate’s Web page with this description of his interests: “smokin’ blunts” (cigars hollowed out and stuffed with marijuana), shooting people and obsessive sex, all described in vivid slang. It did not matter that the student was clearly posturing. He was done. “A lot of it makes me think, what kind of judgment does this person have?” said the company’s president, Brad Karsh. “Why are you allowing this to be viewed publicly, effectively, or semipublicly?” Many companies that recruit on college campuses have been using search engines like Google and Yahoo to conduct background checks on seniors looking for their first job. But now, college career counselors and other experts say, some recruiters are looking up applicants on social networking sites like Facebook, MySpace, Xanga and Friendster, where college students often post risqué or teasing photographs and provocative comments about drinking, recreational drug use and sexual exploits in what some mistakenly believe is relative privacy. When viewed by corporate recruiters or admissions officials at graduate and professional schools, such pages can make students look immature and unprofessional, at best. “It’s a growing phenomenon,” said Michael Sciola, director of the career resource center at Wesleyan University in Middletown, Conn. “There are lots of employers that Google. 
Now they’ve taken the next step.” At New York University, recruiters from about 30 companies told career counselors that they were looking at the sites, said Trudy G. Steinfeld, executive director of the center for career development. “The term they’ve used over and over is red flags,” Ms. Steinfeld said. “Is there something about their lifestyle that we might find questionable or that we might find goes against the core values of our corporation?” Facebook and MySpace are only two years old but have attracted millions of avid young participants, who mingle online by sharing biographical and other information, often intended to show how funny, cool or outrageous they are. On MySpace and similar sites, personal pages are generally available to anyone who registers, with few restrictions on who can register. Facebook, though, has separate requirements for different categories of users; college students must have a college e-mail address to register. Personal pages on Facebook are restricted to friends and others on the user’s campus, leading many students to assume that they are relatively private. But companies can gain access to the information in several ways. Employees who are recent graduates often retain their college e-mail addresses, which enables them to see pages. Sometimes, too, companies ask college students working as interns to perform online background checks, said Patricia Rose, the director of career services at the University of Pennsylvania. http://www.nytimes.com/2006/06/11/us/11recruit.html?hp&ex=1150084800&en=3886d00a08e539b5&ei=5094&partner=homepage

RIAA CHIEF SAYS ILLEGAL SONG-SHARING ‘CONTAINED’ (USA Today, 12 June 2006) -- Nearly a year after the Supreme Court issued a landmark ruling against online music file-sharing services, the CEO of the Recording Industry Association of America says unauthorized song swapping has been “contained.” “The problem has not been eliminated,” says association CEO Mitch Bainwol. “But we believe digital downloads have emerged into a growing, thriving business, and file-trading is flat.” The RIAA has sued just over 18,000 individuals for sharing songs online, with 4,500 settling for about $4,000 per case. Album sales are still down — about 3% this year. But Bainwol says digital sales — up 77% — make up for the shortfall. The wide availability of legitimate alternatives to file-sharing services has helped wean computer users away, says Russ Crupnick, president of the music group for market tracker NPD Group. Apple’s iTunes has sold more than 1 billion songs to consumers, and online stores Rhapsody and Napster are gaining traction. Crupnick says digital store purchases have “almost doubled” while file-sharing is flat among computer users in 12,000 homes in an NPD survey. Meanwhile, the RIAA is suing XM Satellite Radio, which introduced a portable $399 player (from Pioneer and Samsung) that lets subscribers record songs. Bainwol says he doesn’t mind consumers acquiring songs on the device — it’s just that XM hasn’t licensed the songs for download. http://www.usatoday.com/tech/products/services/2006-06-12-riaa_x.htm

ITC TO INVESTIGATE APPLE, SAYS CREATIVE (CNET, 14 June 2006) -- The U.S. International Trade Commission plans to launch an investigation into Apple Computer’s popular iPod digital music player for possible patent infringement, Creative Technology said Wednesday. The ITC is an independent federal agency that reviews patent disputes for possible infringement and unfair trade practices. The commission’s decision to review the matter follows two lawsuits filed last month by Singapore-based Creative and its U.S. subsidiary, Creative Labs. Creative, maker of the rival Zen portable digital media player, alleges that Apple’s iPod infringes on the user interface patent covering its Zen and Nomad digital media players. Specifically, Creative alleges that Apple’s iPod, iPod Nano and iPod Mini infringe on Creative’s patents, and it is seeking a permanent cease-and-desist order. The commission will refer the matter to an administrative law judge, who will make an initial determination about whether a violation occurred. The ITC will then review that decision. Typically, the agency issues a ruling 12 to 15 months after an investigation is instituted. http://news.com.com/2100-1047_3-6083590.html [Editor: the ITC increasingly is being used as an alternative patent enforcement venue.]

MONITORED WHOIS ACTIVITY? (credible MIRLN contributor, 15 June 2006): “This is a fascinating thread: http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=943423. http://www.domibot.info/ has some background info and summary of the problem. I had some issues about a year ago with this Unasi character -- Can’t say where it all went, but I confirm that this is real.”

**** RESOURCES ****
CAPITAL MARKETS AND E-FRAUD - POLICY NOTE AND CONCEPT PAPER FOR FUTURE STUDY (The World Bank, February 2005) – Excellent historical and policy analysis of financial market cyber threats (and implications). File is 6+ megabytes, but only 25 pages. Online at http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/(attachmentweb)/CapitalMarketsandE-fraud/$FILE/Capital+Markets+and+E-fraud.pdf

HOW TO GET THROUGH HAVING YOUR IDENTITY STOLEN (The Consumerist, 3 May 2006) – Guide recommended by Bruce Schneier as “Really good advice, step by step, on how to survive identity theft.” -- http://www.consumerist.com/consumer/top/how-to-get-through-having-your-identity-stolen-171194.php

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.