Friday, July 28, 2006

MIRLN -- Misc. IT Related Legal News [8-28 July 2006; v9.10]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC (www.dickinsonwright.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described here: http://tinyurl.com/joo5y

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/. Older editions reside in the public materials section of the Cyberspace Committee’s 2002-2004 experimental collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

DOD RELEASES OTD ROADMAP (NewsForge, 7 July 2006) -- The Open Source Software Institute (OSSI) has announced the release of a Department of Defense (DoD) report entitled the Open Technology Development Roadmap which focuses on how to make the use of open technology development an integral part of the Department of Defense (DoD) software acquisition and development processes. According to OSSI, “OTD methodology will enable DoD organizations and contractors to rapidly adapt and extend existing software capabilities in response to shifting threats and requirements without being locked in to a specific vendor or held hostage to proprietary technologies.” The 79-page report defines Open Technology Development, explains the key need that it fulfills, and makes concrete recommendations on how to make its use a standard operating procedure within the DoD. http://trends.newsforge.com/article.pl?sid=06/07/07/233257&from=rss Report at http://www.oss-institute.org/NCOSPR/OTDRoadmap_v3_Final.pdf

VISA, MASTERCARD TO UNVEIL NEW SECURITY RULES (Computerworld, 7 July 2006) -- Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted. One set of PCI extensions is aimed at protecting credit card data from emerging Web application security threats, said Eduardo Perez, vice president of corporate risk and compliance at Foster City, Calif.-based Visa. Other new rules will require companies to ensure that any third parties that they deal with, such as hosting providers, have proper controls for securing credit card data. Merchants who fail to comply with PCI can face fines or be excluded from processing credit cards. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001637 [Editor: FTC enforcement actions effectively have been converting these security standards—contractually applied between co-operating parties—into laws; failure to implement the standards is treated as an unfair trade practice.]

YELLOW PAGES PUBLISHER FEELING THE HEAT FROM ONLINE ALTERNATIVE (ARS Technica, 7 July 2006) -- Sooner or later, all “old media” companies find themselves threatened by a site or phenomenon on the Internet. We’ve seen it happen with the music industry, TV, newspapers, and many others. Sometimes, it takes a while for the old guard to discover what’s happening—that appears to be the case with Yell, which calls itself the world’s largest yellow pages publisher. The problem—from Yell’s point of view—is Yellowikis, a wiki-based business directory available in several languages and containing listings for several different countries. The directory publisher is accusing Yellowikis of “misrepresentation,” maintaining that the site’s name “constitutes an ‘instrument of fraud.’” At first glance, it seems like a case of an elephant feeling threatened by a gnat. Yellowikis has only been operating since January 2005, has around 5,000 listings, and is run entirely by volunteers. In contrast, Yell had revenues of US$2.4 billion during 2005. However, Yellowikis offers something a telephone directory publisher cannot: dynamic, customizable content. In contrast, once a yellow pages business directory is published, that’s it until the next edition. Yell wants Yellowikis to pay damages and surrender the domain name, perhaps so it can launch a wiki-like service. As “Yellow Pages” is a trademarked name in the UK and Yellowikis refers to itself as “Yellow Pages for the 21st Century,” the small wiki may find itself embroiled in an expensive legal fight. Even if Yell wins or forces a settlement, it won’t change the fact that the business model of selling advertising, printing it in gigantic phone books, and dropping yellow pages directories off on front porches is endangered. Many directory publishers realize this and have developed an online presence that mixes paid placements in with search results. Others, like Verizon, are getting out of the yellow pages business altogether. 
http://arstechnica.com/news.ars/post/20060707-7208.html

UTAH FILM SANITIZERS ORDERED TO CUT IT (Salt Lake Tribune, 8 July 2006) -- It’s the kind of ending Hollywood craves. After a bitter three-year legal battle involving Utah companies that sanitize movies on DVD and VHS tape, a federal judge in Denver ruled Thursday that such editing violates U.S. copyright laws and must be stopped. In a ruling in the case involving CleanFlicks vs. 16 of Hollywood’s hottest directors, U.S. District Judge Richard P. Matsch found that making copies of movies to delete objectionable language, sex and violence hurts studios and directors who own the movie rights. “Their [studios and directors] objective . . . is to stop the infringement because of its irreparable injury to the creative artistic expression in the copyrighted movies,” the judge wrote in a 16-page decision. “There is a public interest in providing such protection. Their business is illegitimate.” Michael Apted, director of “Coal Miner’s Daughter” and president of the Directors Guild of America, said Friday that movie directors can feel “vindicated” by the ruling. “Audiences can now be assured that the films they buy or rent are the vision of the filmmakers who made them and not the arbitrary choices of a third-party editor,” he said. [Editor: Moral Rights, anyone?] http://www.sltrib.com/ci_4026743 Decision at http://www.joegratz.net/wp-content/uploads/2006/07/CleanFlicksDistCtOpinion.pdf

EMPLOYERS SPYING ON CANADIAN WORKERS, STUDY SUGGESTS (CBC News, 10 July 2006) -- Canadian employers in a wide range of industries conduct surveillance of employees at work, suggests a report to be released on Monday. Produced by Toronto’s Ryerson University, the study called “Under the Radar” asked Canadian businesses about surveillance of their employees. Employers view closed-circuit television cameras, listen to recorded phone calls, monitor e-mails and scan magnetic information from security passes, said lead author Avner Levin. Levin, a law professor at the university, said he isn’t surprised at the methods, but was taken aback by employers’ attitudes toward employee privacy. “Nobody said this is a problem, or even something they have to deal with in a proactive way. It’s just simply under the radar,” said Levin. Human resources executives responsible for workplace privacy often have little knowledge of the potential intrusiveness of technologies at work in their own companies, he said. They rarely know what information is being collected by colleagues running company computer systems, he said. “The executives that are responsible for privacy in the workplace are not fully aware of the extent of ... the surveillance activity that is conducted,” he said. Managers often work without guidelines about how to respond if surveillance reveals an employee behaving suspiciously, said Levin. The Ryerson study follows a large workplace survey in the United States and Britain, which suggested 40 per cent of employers regularly read employees’ e-mails. University of Ottawa privacy expert Michael Geist says Canadian firms are likely close behind. “I don’t have any doubt that we’re going to find more and more companies doing it,” he said. “To move directly to full-on monitoring of e-mail use is as invasive as it comes.” http://www.cbc.ca/story/canada/national/2006/07/10/privacy-workplace.html

20 INSPECTORS SUSPENDED OVER GPS (Boston.com, 11 July 2006) -- The Massachusetts public safety commissioner yesterday suspended 20 state building and engineering inspectors for refusing to accept cellphones equipped with global positioning systems. Only two inspectors accepted the phones; another two were out on vacation when Commissioner Thomas Gatzunis tried to distribute the phones, which supervisors want to use to keep track of the inspectors during the work day. “The act of insubordination leaves me with no choice but to impose disciplinary measures, including the immediate suspension of those who refused the phone,” Gatzunis said. Kelly Nantel, spokeswoman for the Executive Office of Public Safety, said the cellphone policy “is about accountability. If you’re doing your job well, there shouldn’t be any concern with it. This allows the Department of Public Safety to ensure that taxpayers’ money is being spent in an appropriate way.” http://www.boston.com/news/local/massachusetts/articles/2006/07/11/20_inspectors_suspended_over_gps/

A YEAR LATER, STILL NO DHS CYBERSECURITY CHIEF (FCW, 12 July 2006) -- Some information technology industry groups and individuals are getting impatient waiting for the Homeland Security Department to fill its still-vacant assistant secretary for cybersecurity and telecommunications position, created a year ago July 13. DHS Secretary Michael Chertoff announced July 13, 2005, that he would create the position to answer calls from Congress and industry to have a senior DHS position dedicated to cybersecurity. Robert Holleyman, president and chief executive officer of the Business Software Alliance, sent a letter to Chertoff today saying, “We are hopeful that you and the [Bush] administration will soon be able to nominate a qualified individual for the assistant secretary position.” Other industry members are less polite. Although DHS “clearly has had a lot of very important priorities to manage, it is troubling that after an entire year, we still have not seen this crucial position filled,” said Paul Kurtz, executive director of the Cybersecurity Industry Alliance. “This is not a simple personnel issue,” Kurtz said. “It is indicative of the ongoing lack of attention being paid to cybersecurity at the most senior levels of government. Without strong federal leadership, our national information infrastructure remains at risk with no one clearly in charge of coordinating its security and reliability.” http://www.fcw.com/article95248-07-12-06-Web&RSS=yes

MYSPACE GAINS TOP RANKING OF US WEB SITES (Reuters, 11 July 2006) -- Online teen hangout MySpace.com ranked as the No. 1 U.S. Web site last week, displacing Yahoo’s top-rated e-mail gateway and Google Inc.’s search site, Internet tracking firm Hitwise said on Tuesday. News Corp.’s MySpace accounted for 4.46 percent of all U.S. Internet visits for the week ending July 8, pushing it past Yahoo Mail for the first time and outpacing the home pages for Yahoo, Google and Microsoft’s MSN Hotmail. Hitwise does not provide figures for the number of unique visitors to a site. MySpace, which dominates social networking on the Web, also gained share in June from other sites that aim to create virtual communities online for sharing music, photos or other interests, Hitwise said. MySpace captured nearly 80 percent of visits to online social networking sites, up from 76 percent in April. A distant second was FaceBook at 7.6 percent. Rupert Murdoch’s News Corp bought MySpace for $580 million one year ago as part of a strategy to rapidly build up the media conglomerate’s Internet presence. http://news.yahoo.com/s/nm/20060711/wr_nm/media_myspace_dc_1

OUTSOURCED DATA MUST BE PROTECTED, SAYS U.K. PRIVACY CHIEF (The Register, 12 July 2006) -- Companies are still liable for data protection breaches that happen on third party premises thousands of miles away, the Information Commissioner has warned. With more and more firms outsourcing data-intensive processes such as call centre activity, companies must be aware of their responsibilities, the Information Commissioner’s Office (ICO) has said. Any breach of security at a contractor’s site will be the responsibility of the original company. “The [Data Protection] Act requires you to take appropriate technical and organisational measures to protect the personal information you process whether you process it yourself or whether someone else does it for you,” said an ICO statement. Outsourcing data processing to foreign suppliers does not absolve firms from protecting the data once it passes to a third party. In fact, new guidance issued by the ICO seems to tighten up rules concerning a company’s responsibilities to find an outsourcer who will safeguard the data. http://www.theregister.co.uk/2006/07/12/outsourced_data_protection/print.html

OMB TIGHTENS IT SECURITY INCIDENT RULES (GCN, 13 July 2006) -- Agencies must now report all security incidents involving personally identifiable information within one hour of discovering the incident, the Office of Management and Budget said in a memo tightening information security notification procedures. OMB also added new requirements for incorporating the cost of security in agency IT investments for fiscal 2008 IT budget submissions. The Federal Information Security Management Act of 2002 requires all agencies to report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT) within the Homeland Security Department. Procedures require agencies to report according to various time frames based on the type of incident. OMB has strengthened notification procedures by making the one-hour requirement standard for both electronic and physical security, and for suspected as well as confirmed security breaches. “You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches,” said Karen Evans, OMB administrator for e-government and IT in the memo dated yesterday. US-CERT will forward all agency reports to the appropriate Identity Theft Task Force point of contact, also within one hour of notification by an agency. http://www.gcn.com/online/vol1_no1/41334-1.html

GOVERNMENT CALLS FOR DISMISSAL OF SUIT OVER AT&T PHONE RECORDS (SiliconValley.com, 13 July 2006) -- Justice Department lawyers asserted a rarely used “state secrets” privilege in federal court Thursday morning in arguing for the dismissal of a lawsuit that alleges AT&T improperly handed over massive amounts of phone records to the government. Deputy Assistant Attorney General Carl Nichols said that AT&T won’t be able to defend itself against the allegations because the government is invoking the secrets privilege, which effectively shuts down any confirmation or denial of allegations in the suit. Nichols said such information would empower terrorists and endanger national security. Because AT&T can’t present a defense, the suit, filed by Chicago author Studs Terkel among others, must be dismissed, Nichols argued. “We are facing a threat right now from al-Qaida,” Nichols said. “Even the smallest risk is not a risk we should tolerate.” Harvey Grossman, legal director of the American Civil Liberties Union in Illinois, answered that his clients simply want to know that AT&T is acting lawfully. “If it’s done lawfully, we’ll walk out the door,” Grossman said. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/15031674.htm

-- and --

IN TESTIMONY, GONZALES SAYS BUSH BLOCKED INQUIRY (New York Times, 18 July 2006) -- Attorney General Alberto Gonzales said Tuesday that President Bush personally blocked Justice Department lawyers from pursuing an internal probe of the warrantless eavesdropping program that monitors Americans’ international calls and e-mails when terrorism is suspected. The department’s Office of Professional Responsibility announced earlier this year it could not pursue an investigation into the role of Justice lawyers in crafting the program, under which the National Security Agency intercepts some telephone calls and e-mail without court approval. At the time, the office said it could not obtain security clearance to examine the classified program. Under sharp questioning from Senate Judiciary Committee chairman Arlen Specter, Gonzales said that Bush would not grant the access needed to allow the probe to move forward. “It was highly classified, very important and many other lawyers had access. Why not OPR?” asked Specter, R-Pa. “The president of the United States makes the decision,” Gonzales told the committee hearing, during which he was strongly criticized on a range of national security issues by Specter and Vermont Sen. Patrick Leahy, the panel’s senior Democrat. http://www.nytimes.com/2006/07/18/washington/18wire-bush.html?ex=1310875200&en=c30585c3a0aca771&ei=5090&partner=rssuserland&emc=rss

NEW MODEL FOR SCHOLARLY PUBLISHING (Inside Higher Education, 14 July 2006) -- It’s hard to attend scholarly meetings these days without someone talking about the “crisis of scholarly publishing,” which goes something like this: Libraries can’t afford to buy new scholarly books; in turn, university presses can’t afford to publish books no one can buy and so cut back on their sales of monographs; in turn, junior professors can’t get their first books published and have a tough time getting tenure. Rice University on Thursday announced a plan to shake up those interconnected problems. Rice University Press, which was killed in 1996, will be revived. But unlike every other university press, it will publish all of its books online only. People will be able to read the books for no charge and to download them for a modest fee. Editors will solicit manuscripts and peer review panels will vet submissions — all in ways that are similar to the systems in traditional publishing. Without the pressure to publish only works that can sell enough copies to justify a print run, Rice hopes to be able to publish scholarship that university presses increasingly feel they can’t afford. And by using peer review as other presses do, the university hopes to make its books “count” in tenure reviews just as any other press’s would. And Rice also announced plans Thursday to take on the textbook industry, offering print-on-demand textbook versions of scholarly resources it has been assembling — generally for less than $25. http://www.insidehighered.com/news/2006/07/14/rice

GOLDMAN SACHS GOES AFTER GOLDMANSEX.COM (CNET, 14 July 2006) -- Goldman Sachs Group, the blue chip investment bank, wants a Netherlands man to change the name of a sex-oriented Web site called Goldmansex.com. Goldman Sachs last week submitted a complaint to the National Arbitration Forum, arguing that Goldmansex, whose domain name might be confused with its own, contained links to objectionable “adult” material. Goldmansachs.com and Goldman.com are registered domains of the bank. Rob Muller, 32, who founded Goldmansex and is its sole employee, said “Goldman” was a nickname given to him by his friends because “People thought I was always lucky in my life.” The Web site provides links to strip clubs and escort agencies. Muller said in a phone interview on Thursday from his Netherlands home in Albian that he had never heard of the world’s largest investment bank until recently. Muller said he had hired a lawyer and would fight to retain the domain name because he does not think it should cause confusion. “Would their clients really think this is some sort of new product line?” he said. http://news.com.com/2100-1030_3-6094196.html

MICROSOFT SHUTTERS WINDOWS PRIVATE FOLDERS (CNET, 14 July 2006) -- Following an outcry from corporate customers, Microsoft is removing an add-on feature to Windows that allowed users to create password-protected folders. The feature was introduced as a free download last week. Almost immediately, people raised questions over how businesses would grapple with the ability of individual workers to encrypt their data. “Private Folder 1.0 was designed as a benefit for customers running genuine Windows,” Microsoft said in a statement to CNET News.com on Friday. “However, we received feedback about concerns around manageability, data recovery and encryption, and based on that feedback, we are removing the application today. This change will take effect shortly.” http://news.com.com/2100-1012_3-6094481.html [Editor: Over-reaction? There are lots of other, similar tools many employees already are using. What’s needed is employee education, more than a tool embargo.]

TO AGENCY INSIDERS, CYBER THEFTS AND SLOW RESPONSE ARE NO SURPRISE (Washington Post, 18 July 2006) -- Every day, an electronic wall guarding the Agriculture Department’s servers is probed for holes 2,000 times by potential hackers and data thieves. The probes usually can’t get through that wall. But on the first weekend in June, a hacker made it deep into one server, prompting an announcement late last month that personal information on 26,000 Washington area employees, contractors and retirees may have been compromised. To government officials responsible for information security and to outside experts, the intrusion -- and several recent security incidents at other agencies -- was no surprise. For the past five years, the department had received failing grades on a congressional report card for its information-security practices. The overall grade for federal agencies in 2005 was D-plus. In the past few weeks, the Agriculture incident was joined by cases of potentially compromised data at Veterans Affairs, Health and Human Services, the Federal Trade Commission, the Government Accountability Office, Housing and Urban Development, the Navy, and the Energy Department. The State Department also suffered a series of hacking attacks. The VA incident, with a loss of data on 26.5 million veterans and military personnel, drew the sharpest public attention. The data were later recovered. But officials and experts say that the frequency of the recent security incidents is not unusual, and that much more work needs to be done in the federal government to implement effective cybersecurity policies. http://www.washingtonpost.com/wp-dyn/content/article/2006/07/17/AR2006071701170.html?referrer=emailarticle

LESSONS IN CORPORATE BLOGGING (Yahoo!, 17 July 2006) -- Last week, Dell launched a corporate blog, joining the small but growing group of businesses that have embraced the trendy communication medium. You might think that the blogosphere would have rolled out the welcome mat for the newcomer. Far from it. Dell (DELL) was treated like a party crasher with bad hygiene. “Ho ho ho,” chortled one prominent blogger, ridiculing Dell’s site as “a blog in content management system name only.” Sniffed another: “Perhaps it might have been better for them to have stayed silent.”
The irony is that Dell’s blog, called “one2one,” is actually a pretty good one. It lets employees post messages and videos, in their own voices and under their own names, and it allows readers to submit comments, even negative ones. There are limits to what Dell will publish—no curse words, no defamatory rants—but the ground rules seem sensible, and they’re clearly laid out on the site. There are a few rules of thumb that can help companies reap the benefits of a blog while sidestepping the pitfalls. The first one is simple but critical: Don’t blog for blogging’s sake. Make sure you have a clear business goal for your blog—and that you stick to that goal and track how well you’re fulfilling it. Remember that, for companies, blogging isn’t an ideology—it’s a tool. Second, make sure your blog reflects your company’s desired image and supports its strategy. Dell’s blog provides a good model. By emphasizing how the blog provides a direct connection between the company and its customers, Dell reinforces its core strategy of selling gear directly to buyers, without having to go through middlemen. The blog has also been designed as part of a larger coordinated effort to rebuild the company’s reputation, which has been damaged recently by service miscues and other snafus. Third, remember that there’s no one “right way” to blog—no matter what the blogerati might say. You can certainly use blogs to let employees exchange information and ideas with customers. But you can design them more narrowly as well. Apple Computer (AAPL), for instance, doesn’t allow employees to blog on its behalf—probably because it doesn’t want to risk muddying a painstakingly designed corporate image—but it has set up a blog to promote its .Mac services. Finally, make sure you educate your employees about the legal and business risks inherent in blogging, such as the possibility that they might inadvertently disclose sensitive or regulated information. 
http://yahoo.businessweek.com/technology/content/jul2006/tc20060718_932217.htm; see also http://www.ft.com/cms/s/182fa894-14df-11db-b391-0000779e2340,_i_rssPage=81cea682-52a8-11da-8d05-0000779e2340.html

-- and --

SURVEY: MAJORITY OF BLOGS ARE PERSONAL (AP, 20 July 2006) -- The most high-profile blogs may be about news, politics or technology, but the vast majority of Web journals are more personal in nature, a survey found. “My life and experiences” was cited as the primary focus by 37 percent of U.S. bloggers, with politics and government a distant second at 11 percent, according to the study issued Wednesday by the Pew Internet and American Life Project. “They are about people’s personal experiences,” said Amanda Lenhart, Pew’s senior research specialist. “They don’t tend to be about one topic. It’s not just about politics. It’s about politics, your kids and going for a walk. It’s about what crosses people’s minds and what inspires them.” The study also found that most bloggers — 84 percent — consider their blog mostly a hobby, not something they spend a lot of time on. Nearly 60 percent spend only one or two hours a week on it, and half the bloggers say they do it mostly for themselves, not for an audience. Despite a greater awareness of blogs — 39 percent of U.S. Internet users surveyed in January say they have them, compared with 27 percent in September — only 8 percent of online adults keep a blog, a figure that has remained steady. http://news.yahoo.com/s/ap/20060719/ap_on_hi_te/blog_survey_1

-- and --

SECRETARY SACKED FOR BLOGGING (Sydney Morning Herald, 19 July 2006) -- A 33-year-old British secretary has launched a test case before a French employment tribunal after being sacked from her company for writing a blog about her day-to-day life in Paris. The blog - written under the pseudonym “La Petite Anglaise” - has built up a sizeable international following over the last two years, with up to 3000 people a day reading diary-style accounts about work, relationships and the travails of single-motherhood. But in April Catherine - she refuses to give her family name - was called in by superiors at the Paris office of British accounting firm Dixon Wilson and told she was being dismissed for gross misconduct. “In the dismissal letter they told me I had brought the company into disrepute, but I never once referred to it or the people there by name,” Catherine told AFP. Managers had also discovered from reading the blog that on two occasions she had lied about having nanny problems to take the afternoon off, Catherine said. And they objected to her using the computer in office hours to write the blog. The case - one of the first of its kind in France - will be brought before the “prud’hommes” or labour tribunals later this year, and Catherine’s lawyer is pressing for an award of two years’ salary. http://www.smh.com.au/news/web/secretary-sacked-for-blogging/2006/07/19/1153166429844.html

-- and --

C.I.A. WORKER SAYS MESSAGE ON TORTURE GOT HER FIRED (New York Times, 22 July 2006) -- A contract employee working for the Central Intelligence Agency said she had been fired recently for posting a message on a classified computer server that said an interrogation technique used by the agency against some terror suspects amounted to torture. The employee, Christine Axsmith, kept the “Covert Communications” blog on a top-secret computer network used by American intelligence agencies. Ms. Axsmith was fired on Monday after C.I.A. officials objected to a message that criticized the interrogation technique called “waterboarding,” a particularly harsh practice that the C.I.A. is known to have used on Khalid Sheik Mohammed, who is widely regarded as the mastermind of the Sept. 11 attacks. The episode has opened a window into the new world of classified blogging: an experimental effort being carried out in top-secret computer forums where information and ideas are shared across the intelligence community. Intelligence officials said that since last year, more than 1,000 blogs had been set up on classified intelligence servers. Ms. Axsmith, a computer security expert with a law degree, posted the message this month, shortly after the Bush administration decided to grant some protections of the Geneva Conventions to suspected terrorists in American custody. She said that her message began, “Waterboarding is torture, and torture is wrong.” Ms. Axsmith’s firing was earlier reported on several blogs including Wonkette.com on Thursday, and in Friday’s Washington Post. “I wanted an in-house discussion,” Ms. Axsmith said in an interview on Thursday in her home in Washington. “Something where I would be educating people on the background of the Geneva Conventions.” Instead, Ms. Axsmith was fired by her employer, B.A.E. Systems, which has an information technology contract with the C.I.A. Paul Gimigliano, a C.I.A. spokesman, said that the blogs were intended to “encourage collaboration” on business issues but that postings “should relate directly to the official business of the author and readers of the Web site.” Though stripped of her security clearance, Ms. Axsmith still maintains her public, unclassified blog: econo-girl.blogspot.com. On that Web site on Friday, there were several messages supporting her, including postings from anonymous intelligence officials who said that they would miss her “Covert Communications” blog. http://www.nytimes.com/2006/07/22/washington/22intel.html?ex=1311220800&en=a8a778ad80f4c7be&ei=5090&partner=rssuserland&emc=rss

UNINTENTIONALLY WORST COMPANY URLS (Techlaw Advisor, 18 July 2006) -- Everyone knows that if you are going to operate a business in today’s world you need a domain name ... the following (legitimate) companies who deal in everyday humdrum products and services but clearly didn’t give their domain names enough consideration: [cute] http://techlawadvisor.com/2006/07/18/the_top_10_unintentionally_worst_company_urls.html

VA OFFICIAL CRITICIZED IN DATA THEFT IS LEAVING FOR PRIVATE SECTOR (SiliconValley.com, 19 July 2006) -- A top Veterans Affairs official criticized after the theft of a laptop containing 26.5 million veterans’ sensitive information is leaving to take a job in the private sector, the department said Wednesday. Tim McClain, the VA’s general counsel since 2001, is resigning effective Sept. 1 to pursue unspecified opportunities elsewhere. He is the fifth official to leave the department following the May 3 theft of a laptop from a VA data analyst’s suburban Maryland home. In recent weeks, McClain has come under fire by lawmakers of both parties who said he resisted repeated attempts in previous years to centralize authority for information security under the agency’s chief information officer. That lack of authority has been cited by auditors as a primary reason behind security weaknesses in the department that contributed to the May 3 theft, the government’s largest information security breach. Nicholson has since ordered that the CIO receive that authority. The stolen laptop and external drive containing veterans’ data have been recovered. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/15074251.htm

VULNERABILITY AUCTIONS KILLING RESPONSIBLE DISCLOSURE (ZDnet, 19 July 2006) -- More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them “responsibly” to the vendor whose products are affected. At a breakfast briefing organised by e-mail security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting. “I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under “responsible disclosure” or pay off my mortgage, which one do I choose?” Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder. “The economy on the market place is facilitating the sale of everything you want from custom Trojans to rootkit and moving through to things like vulnerabilities, which are a marketable commodity,” said Ingram. Last week, security firm Finjan published evidence, which was compiled by the company’s Malicious Code Research Centre, that showed examples of vulnerabilities being sold online. Finjan’s chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand -- and therefore the price -- goes up. http://zdnet.com.au/news/security/soa/Vulnerability_auctions_killing_responsible_disclosure/0,2000061744,39263952,00.htm

-- and see older, related story --

EBAY PULLS VULNERABILITY AUCTION (Security Focus, 9 December 2005) -- Online auction giant eBay shut down the bidding for a vulnerability in Microsoft’s Excel spreadsheet program on Thursday, saying that the sale of flaw research violates the site’s policy against encouraging illegal activity. “The listing was immediately reviewed and pulled from the site for violating our policy against promoting illegal activity--hacking,” England said in an e-mail to SecurityFocus. “In general, research can be sold as a product. However, if the research were to violate the law or intellectual property rights then it would not be allowed.” The move comes as the idea of selling vulnerability research has gained more traction amongst the security industry and research communities. Buying flaw information is a controversial practice, but one currently supported by at least two security companies: iDefense and 3Com’s TippingPoint. Both companies have created initiatives aimed at procuring original vulnerability research from independent flaw finders. http://www.securityfocus.com/news/11363

-- and --

NO COMPENSATION FOR ‘RESPONSIBLE DISCLOSURE’: MICROSOFT (ZDnet, 20 July 2006) -- Paying independent security researchers a bounty for responsibly disclosing vulnerabilities is not the best way to protect users, according to Microsoft. Microsoft has said it will not offer money to security researchers for responsibly disclosing vulnerabilities in its products. Responsible disclosure is where a researcher discovers a vulnerability and informs the vendor but nobody else -- until a patch is available. However, Australia’s Computer Emergency Response Team (AusCERT) on Wednesday warned that crime gangs are paying big money for newly discovered vulnerabilities. This acquired knowledge is then used to develop new attack vectors in order to steal money, identities and intellectual property. Peter Watson, chief security advisor for Microsoft Australia, told ZDNet Australia that there are better ways to protect its customers than paying researchers “bug bounties”. “Microsoft works closely with numerous security researchers and security software companies and does not believe that offering compensation for vulnerability information is the best way we can help protect customers. http://www.zdnet.com.au/news/security/soa/No_compensation_for_responsible_disclosure_Microsoft/0,2000061744,39264106,00.htm

ZIMBABWE EYES PLAN TO SPY ON CITIZENS (Washington Post, 23 July 2006) -- Times are hard and getting harder in Zimbabwe, where people too proud to cry about hunger, joblessness and misrule could soon find it too dangerous to joke about them. Parliament plans to debate proposals next month to empower the secret police to eavesdrop on mail, e-mail and phones without any court approval. The government denies any sinister intent, saying it is putting its anti-terrorism legislation in line with international practice. But Zimbabwe is not on the front lines of the war on terror, and government agents could use the proposed powers to monitor the communications of the political opposition, journalists and human rights activists who are critical of President Robert Mugabe. Secret police and intelligence agents could violate attorney-client privilege, track financial transactions and negotiations, and eavesdrop on anyone’s private life. Anytime a Zimbabwean visits a Web site, makes a deal or tells a joke, Big Brother could be listening or watching. Internet and cell phone service providers would, at their own expense, have to provide the government with equipment to sort and intercept communications. The aim “is to monitor and block communications for political reasons and to use information they get to persecute opponents,” said Lovemore Madhuku, chairman of the National Constitutional Assembly, a group critical of repressive laws and actions of Mugabe’s government. Telephoned from neighboring South Africa, he said: “It is part and parcel of the process of controlling dissent and stifling democratic debate.” South Africa has quietly adopted a similar law, with the important difference that a court must approve any interception. In Zimbabwe, that authority would rest solely with Mugabe’s minister of transport and communications. http://www.washingtonpost.com/wp-dyn/content/article/2006/07/23/AR2006072300218.html

MARINES USE MYSPACE TO RECRUIT (Wired, 24 July 2006) -- Teens looking to hook up with a friend on the popular web community MySpace may bump into an unexpected buddy: the U.S. Marine Corps. So far, over 12,000 web surfers have signed on as friends of the Corps in response to the latest military recruiting tactic. Other military branches may follow. MySpace.Com, the internet’s most popular social networking site with over 94 million registered users, has helped redefine the way a generation communicates. Users, many in their teens and 20s, post personal profiles and accumulate lists of friends and contacts with common interests. The Marine Corps MySpace profile -- featuring streaming video of barking drill sergeants, fresh recruits enduring boot camp and Marines storming beaches -- underscores the growing importance of the internet to advertisers as a medium for reaching America’s youth. “That’s definitely the new wave,” said Gunnery Sgt. Brian Lancioni at a Hawaii recruiting event. “Everything’s technical with these kids, and the internet is a great way to show what the Marine Corps has to offer.” Patrick Baldwin, an 18-year-old recruit from Saratoga, New York, who linked his profile to the Marines’ site after hearing about it from a friend, said MySpace was a good place for interested teens to start learning more about the Marines. “The more information you have the better off you are,” said Baldwin, who left for boot camp a few weeks ago. The Army, which originally balked at advertising on MySpace because of well-publicized incidents of child predators using the site to meet kids, plans to soon set up its own profile page. http://www.wired.com/news/wireservice/0,71448-0.html?tw=rss.index

BSA COLLECTS OVER $2M IN SETTLEMENTS FROM U.S. COMPANIES (Computerworld, 26 July 2006) -- The Business Software Alliance (BSA), a watchdog group representing the nation’s leading software manufacturers, today announced it has collected over $2 million in settlements from 19 U.S. companies that were running illegal software. In addition to making the payments, each company agreed to delete any unlicensed copies of programs it was using, purchase any needed replacements and strengthen software management practices, the BSA said. “We hope that these announcements will encourage other businesses to re-examine and update, if necessary, their software management systems,” Jenny Blank, director of enforcement at the BSA, said in a statement. “Businesses should be certain that using fully licensed software is part of their corporate responsibility checklist.” http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002000&source=rss_topic146

CHAT ROOMS COULD FACE EXPULSION (CNET, 27 July 2006) -- Web sites like Amazon.com and MySpace.com may soon be inaccessible for many people using public terminals at American schools and libraries, thanks to the U.S. House of Representatives. By a 410-15 vote on Thursday, politicians approved a bill that would effectively require that “chat rooms” and “social networking sites” be rendered inaccessible to minors, an age group that includes some of the Internet’s most ardent users. Adults can ask for permission to access the sites. “Social networking sites such as MySpace and chat rooms have allowed sexual predators to sneak into homes and solicit kids,” said Rep. Ted Poe, a Texas Republican and co-founder of the Congressional Victim’s Rights Caucus. “This bill requires schools and libraries to establish (important) protections.” Even though politicians apparently meant to restrict access to MySpace, the definition of off-limits Web sites is so broad the bill would probably sweep in thousands of commercial Web sites that allow people to post profiles, include personal information and allow “communication among users.” Details [would] be left up to the Federal Communications Commission. The list could include Slashdot, which permits public profiles; Amazon, which allows author profiles and personal lists; and blogs like RedState.com that show public profiles. In addition, many media companies, such as News.com publisher CNET Networks, permit users to create profiles of favorite games and music. “While targeted at MySpace, the effects are far more wide-ranging than that, including sites like LinkedIn,” said Mark Blafkin, a representative of the Association for Competitive Technology, which counts small- to medium-size technology companies as members. 
“Nearly any news site now permits these types of behaviors that the bill covers.” House Republicans have enlisted the Deleting Online Predators Act, or DOPA, as part of a poll-driven effort to address topics that they view as important to suburban voters in advance of November’s elections. Republican pollster John McLaughlin surveyed 22 suburban districts and presented his research at a retreat earlier this year. DOPA was part of the result. http://news.com.com/2100-1028_3-6099414.html

MUSIC INDUSTRY ANNOUNCES A DEAL WITH KAZAA (New York Times, 27 July 2006) -- The music industry and Hollywood film studios said today that they had settled lawsuits against a longtime nemesis: Kazaa, the digital file-sharing service. The settlement frees Kazaa to transform itself into an authorized online distributor of music and movies. The owner of Kazaa — Sharman Networks, a privately held company incorporated on the Pacific island nation of Vanuatu and operated out of Australia — agreed to pay $115 million to the major record companies and movie studios, which accused Kazaa of aiding the illegal copying and distribution of movies over the Internet. The settlement follows court decisions against Kazaa in Australia and against other file-sharing services by the United States Supreme Court. Sharman Networks said the agreements clear the way “to enable distribution of the broadest range of licensed content over Kazaa.” Under the agreement announced today, Sharman Networks will pay the major record companies — Sony BMG, Universal Music Group, EMI Group and Warner Music — “in excess of $100 million,” according to John Kennedy, chief executive of the International Federation of the Phonographic Industry, the London-based association representing the record companies. The music federation said that Kazaa agreed to license music from the record industry “majors,” which control most music copyrights. Independent record labels are not included in the settlement, but would be free to pursue their own licensing deals with Kazaa, executives said. In making the switch to a licensed, royalty-paying business, Kazaa would follow Napster, one of the original file-swapping services, which was reborn as a music seller after an adverse court ruling in 2001. Kazaa said it would take steps to prevent its network from being used for unauthorized distribution of copyrighted material in the meantime. 
Kazaa now earns revenue primarily from advertising, and does not charge fees to users of its site. Mr. Kennedy said the recording industry would not object to Kazaa sticking with that kind of advertising-supported business model, as long as it pays the proper royalties. Such a model would differentiate Kazaa from other online music services, which typically charge users for downloads, either song by song or through a subscription fee. Digital music offerings are proliferating, including several from companies that use peer-to-peer technology.
http://www.nytimes.com/2006/07/27/technology/27cnd-kazaa.html?ex=1311652800&en=2eadfdaf4157a424&ei=5090&partner=rssuserland&emc=rss

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Friday, July 07, 2006

MIRLN -- Misc. IT Related Legal News [17 June – 7 July 2006; v9.09]

U.S. DROPS PLAN TO RESTRICT FOREIGN RESEARCHERS (InfoWeek, 9 June 2006) -- The Commerce Department has withdrawn proposed changes to export rules that would have tightened restrictions on foreign researchers working in the U.S. The department’s Bureau of Industry and Security (BIS) said last week it is withdrawing two “deemed” exports proposals that originated with the Defense Department. They would have limited foreign researchers’ access to sensitive U.S. technologies. According to the Commerce Department, “An export of technology or source code (except encryption source code) is ‘deemed’ to take place when it is released to a foreign national within the United States.” The bureau said in a ruling published in the Federal Register that it “determined that the current licensing requirement based upon a foreign national’s country of citizenship or permanent residency is appropriate.” The Pentagon was seeking to tighten restrictions on deemed exports to restrict the flow of technical knowledge to potential enemies. The new restrictions would have among other things affected contracts for classified scientific research involving foreign nationals. Universities and research groups vigorously opposed the plan in comments filed with the Commerce Department. BIS said its decision to withdraw the proposals reflected most of the public comments filed in response to a proposed rulemaking. http://www.informationweek.com/story/showArticle.jhtml?articleID=188703269&cid=RSSfeed_IWK_News

HURRICANE WATCH: MARKLE PUSHES FOR E-HEALTH RECORDS (Government Health IT, 13 June 2006) -- The Markle Foundation urged the government and private-sector organizations to prepare for the 2006 hurricane season by putting systems and technologies in place to ensure that medical records and drug histories are accessible during a disaster like Hurricane Katrina, which displaced millions of people last year. The foundation spearheaded last year’s KatrinaHealth project that cobbled together patient records after the hurricane. In a related development, the Institute of Medicine plans to release three reports June 14 that are expected to be critical of the country’s emergency medical system and its ability to handle disasters. The KatrinaHealth project gave authorized users access to evacuees’ medication histories. That information came from a variety of government and commercial sources, including insurers, pharmacy benefit managers and prescription drug databases maintained by companies such as SureScripts, the country’s largest electronic prescribing service. In a report released today about the lessons learned from the KatrinaHealth project, the Markle Foundation recommended that government health leaders, health care providers, insurers and information technology companies start immediate discussions to determine when and how certain types of medical information can be shared quickly after a disaster. [A checklist then follows.] http://govhealthit.com/article94880-06-13-06-Web&RSS=yes

MONEY LOST TO CYBERCRIME DOWN--AGAIN (ZDnet, 14 June 2006) -- While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey. For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey’s findings in a presentation at the CSI NetSec conference here Wednesday. Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said. This year, that’s down to $168,000, about an 18 percent drop, he added. Compared with 2004, the average loss is down 68 percent. “How do you go about reconciling the sense of things getting worse with the respondents who are saying they are losing less money?” Richardson asked. The 2006 survey, a final version of which is slated to be released next month, could provide some answers. Most important, perhaps, the 615 U.S. CSI members who responded to this year’s survey reported fewer security incidents. Viruses, laptop theft and insider abuse of Net access are still the most reported threats, but all have decreased compared with last year. http://news.zdnet.com/2100-1009_22-6083860.html

-- but --

GARTNER BLASTS CLAIMS OF CYBER-CRIME DECLINE (VNUnet.com, 23 June 2006) -- Businesses should pay no attention to a survey from the Computer Security Institute (CSI) claiming that cyber-crime damage is on the decline, analyst firm Gartner has warned. The CSI is a professional organisation for information, computer and network security professionals. Its study carries weight because it is conducted with the FBI. The 2006 survey polled 615 CSI members about security incidents, reporting that the average loss is $168,000 per incident, down from last year’s $204,000. The results prompted the CSI to claim that the extent of today’s security threats is “overstated”. However, Gartner warned that surveys often do not portray objective reality. The analyst firm also questioned the organisation’s decision to poll security specialists. “Security administrators who want more funding tend to exaggerate problems, while those who want to show they are doing a good job may de-emphasise them. Security vendors complicate matters further by developing their own sets of statistics,” Gartner research vice president Rich Mogull wrote in a research note. The study also lacks a consistent loss model that properly reflects changes in the online security space, according to Gartner. http://www.vnunet.com/vnunet/news/2158921/gartner-blasts-security-surveys

-- and --

THREE OF FOUR FINANCIAL INSTITUTIONS SUFFERED EXTERNAL BREACH IN PAST YEAR (SC Magazine, 14 June 2006) -- More than three out of every four of the world’s largest financial institutions experienced an external security breach in the past year, a dramatic increase over 2005, a new survey has revealed. The fourth annual poll, released today by Deloitte Touche Tohmatsu, found that 78 percent of the world’s top 100 financial services organizations that responded to the survey confirmed a security breach from outside the organization, up from just 26 percent in 2005. The survey also learned that nearly half of the organizations experienced at least one internal breach, up from 35 percent in 2005. Phishing and pharming were responsible for 51 percent of the external attacks, while spyware and malware accounted for 48 percent. Meanwhile, insider fraud was responsible for 28 percent of the internal breaches and customer data leaks were to blame for 18 percent. “The extent and nature of these security breaches signal a new reality for the global financial services industry,” said Ted DeZabala, principal in Deloitte’s security services group. “Executing these types of attacks requires significant resources and coordination…Organizations not only face more sophisticated and hard-to-track attacks but are also challenged by increased risk and potential loss.” The survey did reveal some good news: Almost 88 percent of organizations said they have implemented a business continuity plan, and 49 percent placed disaster recovery as a top five security initiative. Ninety-five percent of enterprises said their information security budgets have increased in the past year. http://www.scmagazine.com/uk/news/index.cfm?fuseaction=XCK.News.Article&nNewsID=564512

-- and --

JUNE 2006 SURVEY: DATA SECURITY RECEIVES A BOOST FROM COMPLIANCE EFFORTS (Baseline.com, 14 June 2006) – Investors, not CIOs, are in a better position to judge whether Sarbanes-Oxley is improving their confidence in the numbers reported by companies. But CIOs do know a fair amount about security, and they believe that regulations are making financial, customer and employee data more secure—just what legislators hoped for. Meanwhile, compliance isn’t proving to be a drag on profitability for most companies. In short, there’s been gain without universal pain. However, for the second year in a row, 25 percent or more of respondents who comply with the Sarbanes-Oxley Act say their company has disclosed material weaknesses or significant deficiencies in internal controls. The surprisingly high number indicates that Sarbanes-Oxley is forcing companies to confront problems with their financial reporting and controls—problems that are widespread. http://www.baselinemag.com/article2/0,1397,1976568,00.asp?kc=BARSS03129TX1K0000628

-- and --

NEW STUDY FINDS THAT MORE THAN 84% OF NORTH AMERICAN ENTERPRISES SUFFERED A SECURITY BREACH IN PAST YEAR (CA Press Release, 5 July 2006) -- CA (NYSE: CA) today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security. In addition, the findings indicate that security isn’t being taken seriously enough at all levels of an organization, especially in the financial service industry. Nearly 40% of respondents indicated that their organizations don’t take IT security risk management seriously at all levels, while 37% believe their organization’s security spending is too low. Only 1% believe it is too high. Despite these findings, the survey revealed that organizations are taking steps to improve security. The three most important cited security steps were documenting security policies (88%), creating security education policies for employees (83%) and creating a Chief Information Security Officer position (68%) within the organization. The survey also found that a lack of centralized security administration is affecting employee productivity. Only 6% of the organizations were able to provide new employees or contractors with access to all the applications or systems they require on their first day of work. http://www3.ca.com/press/PressRelease.aspx?CID=90751&culture=en-us

BILL DESIGNED TO PROTECT CELL PHONE RECORDS PASSES MICHIGAN HOUSE (AP, 14 June 2006) -- Telephone records could get some protection from fraud under legislation unanimously passed Wednesday by the state House. The bill would prohibit a person or business from trying to sell or obtain confidential phone records without the customer’s permission. Supporters say the bill could protect against identity theft and help guard a customer’s privacy, particularly related to cell phone records. The legislation comes amid reports of Internet-based businesses trying to fraudulently obtain confidential cell phone records by posing as customers. The House made minor changes to the legislation, which already has passed the Senate. If the Senate agrees with House changes, the bill soon will head to Gov. Jennifer Granholm. http://www.freep.com/apps/pbcs.dll/article?AID=/20060614/NEWS12/606140500/1121

GOOGLE LAUNCHES NEW SHAKESPEARE SITE (USA Today, 14 June 2006) -- “How beauteous mankind is!” For lovers of William Shakespeare, memorizing one of Hamlet’s soliloquies or recalling whether The Tempest is a romance or a tragedy just got easier. Web search leader Google Wednesday launched a site devoted entirely to the Bard, that allows U.S. users to browse through the full texts of his 37 plays. Readers can even plug in words, such as “to be or not to be” from Hamlet, and immediately be taken to that part of the play. The site, which was introduced in conjunction with Google’s sponsorship of New York’s “Shakespeare in the Park,” also provides links to related scholarly research, Internet groups, and even videos of theater performances of Shakespeare plays. It also encourages users to “take a literary field trip” by searching for London’s Shakespeare’s Globe Theater on Google Earth, which combines satellite imagery, maps and a search engine to find historic locations around the world. http://www.usatoday.com/tech/news/2006-06-14-shakespeare-google_x.htm

-- and --

GOOGLE TO LAUNCH GOVERNMENT SEARCH SITE (Washington Post, 15 June 2006) -- It’s finally happening: The ever-expanding Google Inc. is making its move on the federal government. Today the company plans to announce a new online product aimed at being a one-stop shop for searching federal government Web sites. The launch of Google U.S. Government Search, http://usgov.google.com, targets federal employees who often need to search across several government agencies. The site is also designed to help citizens navigate convoluted pages of government-speak and tailors news feeds to their interests. Users can customize the layout of their page to remain updated on government-related news from official and commercial sources, including the White House, Department of Defense, The Washington Post and CNN. Google is also working with agencies to increase the frequency of news updates to keep content current. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/14/AR2006061402359.html?nav=rss_technology

WEB 2.0 HAS CORPORATE AMERICA SPINNING (Ecommerce Times, 17 June 2006) – Silicon Valley loves its buzzwords, and there’s none more popular today than Web 2.0. Unless you’re a diehard techie, though, good luck figuring out what it means. Web 2.0 technologies bear strange names like wikis, blogs, RSS, AJAX, and mashups. And the startups hawking them -- Renkoo, Gahbunga, Ning, Squidoo -- sound like Star Wars characters George Lucas left on the cutting-room floor. But behind the peculiarities, Web 2.0 portends a real sea change on the Internet. If there’s one thing they have in common, it’s what they’re not. Web 2.0 sites are not online places to visit so much as services to get something done -- usually with other people. From Yahoo’s photo-sharing site Flickr and the group-edited online reference source Wikipedia to the teen hangout MySpace, and even search giant Google, they all virtually demand active participation and social interaction. If these Web 2.0 folks weren’t so geeky, they might call it the Live Web. Though these Web 2.0 services have succeeded in luring millions of consumers to their shores, they haven’t had much to offer the vast world of business. Until now. Slowly but surely they’re scaling corporate walls. “All these things that are thought to be consumer services are coming into the enterprise,” says Ray Lane, former Oracle president and now a general partner at the venture capital firm Kleiner Perkins Caufield & Byers. For all its appeal to the young and the wired, Web 2.0 may end up making its greatest impact in business. And that could usher in more changes in corporations, already in the throes of such tech-driven transformations as globalization and outsourcing. Indeed, what some are calling Enterprise 2.0 could flatten a raft of organizational boundaries -- between managers and employees and between the company and its partners and customers. 
Says Don Tapscott, CEO of the Toronto tech think tank New Paradigm and co-author of The Naked Corporation: “It’s the biggest change in the organization of the corporation in a century.” Early signs of the shift abound. Walt Disney, investment bank Dresdner Kleinwort Wasserstein, and scores of other companies use wikis, or group-editable Web pages, to turbo-charge collaboration. Other firms are using button-down social-networking services such as LinkedIn and Visible Path to dig up sales leads and hiring prospects from the collective contacts of colleagues. Corporate blogging is becoming nearly a cliche, as executives from Sun Microsystems chief executive Jonathan Schwartz to General Motors Vice-Chairman Bob Lutz post on their own blogs to communicate directly with customers. Just as the personal computer sneaked its way into companies through the back door, so it’s going with Web 2.0 services. When Rod Smith, IBM’s vice-president for emerging Internet technologies, told the information technology chief at Royal Bank of Scotland about wikis last year, the exec shook his head and said the bank didn’t use them. But when Smith looked at the other participants in the meeting, 30 of them were nodding their heads. They use wikis indeed. “Enterprises have been ringing our phones off the hook to ask us about Web 2.0,” says Smith.
http://www.ecommercetimes.com/rsstory/51024.html [Editor: There’s more, and it’s worth reading. As they’re adopted, these processes raise important legal issues that we can help clients manage.]

-- and --

GROWING WIKIPEDIA REVISES ITS ‘ANYONE CAN EDIT’ POLICY (New York Times, 17 June 2006) -- Wikipedia is the online encyclopedia that “anyone can edit.” Unless you want to edit the entries on Albert Einstein, human rights in China or Christina Aguilera. Wikipedia’s come-one, come-all invitation to write and edit articles, and the surprisingly successful results, have captured the public imagination. But it is not the experiment in freewheeling collective creativity it might seem to be, because maintaining so much openness inevitably involves some tradeoffs. At its core, Wikipedia is not just a reference work but also an online community that has built itself a bureaucracy of sorts — one that, in response to well-publicized problems with some entries, has recently grown more elaborate. It has a clear power structure that gives volunteer administrators the authority to exercise editorial control, delete unsuitable articles and protect those that are vulnerable to vandalism. Those measures can put some entries outside of the “anyone can edit” realm. The list changes rapidly, but as of yesterday, the entries for Einstein and Ms. Aguilera were among 82 that administrators had “protected” from all editing, mostly because of repeated vandalism or disputes over what should be said. Another 179 entries — including those for George W. Bush, Islam and Adolf Hitler — were “semi-protected,” open to editing only by people who had been registered at the site for at least four days. While these measures may appear to undermine the site’s democratic principles, Jimmy Wales, Wikipedia’s founder, notes that protection is usually temporary and affects a tiny fraction of the 1.2 million entries on the English-language site. “Protection is a tool for quality control, but it hardly defines Wikipedia,” Mr. Wales said.
“What does define Wikipedia is the volunteer community and the open participation.” http://www.nytimes.com/2006/06/17/technology/17wiki.html?ex=1308196800&en=646d3cf9d4e68f36&ei=5090&partner=rssuserland&emc=rss

JUSTICE DEPT. WANTS NSA SUITS CONSOLIDATED FOR D.C. COURT (CNET, 20 June 2006) -- The U.S. Department of Justice wants to consolidate at least two dozen lawsuits against the government and Verizon Communications that involve the National Security Agency’s alleged access to telephone customer records. The government on Monday filed a motion supporting Verizon’s request that 20 class action lawsuits accusing the company of helping the foreign intelligence surveillance program be combined in a single court in Washington. “Given the national security concerns in this case, the District of Columbia would be the most logical and convenient forum,” the filing said. The Justice Department also asked that five other lawsuits against the U.S. government related to the surveillance program be consolidated and coordinated with the Verizon proceeding. Government lawyers said they planned to seek dismissal of the lawsuits against Verizon by asserting military and state secrets privileges under U.S. law. http://news.com.com/2100-1028_3-6085874.html

CREATIVE COMMONS COMES TO MICROSOFT OFFICE (CNET, 20 June 2006) -- Microsoft and the Creative Commons on Wednesday plan to release a free tool that will let people attach a Creative Commons copyright license to Microsoft Office documents. Creative Commons is a nonprofit organization that has written licenses that allow content creators to share information while retaining some rights. Currently, some Web-based tools let people associate a Creative Commons license with information. But Microsoft is the first vendor to embed a license-selection option inside its applications, said Lawrence Lessig, the founder of the Creative Commons and a Stanford Law School professor. “This is important to us because a huge amount of creative work is created inside the Office platform. Having a simple way to add Creative Commons licenses obviously helps us spread those licenses much more broadly,” Lessig said. Once installed, the license-selection software will appear as a menu option in the Microsoft Office application. It will generate a Creative Commons logo, a short summary of the license chosen, and a hyperlink to the Creative Commons Web site. People can download the software from the Creative Commons Web site or from Microsoft Office Online. Microsoft and Creative Commons have collaborated on other projects, but the Office tool is the most significant effort to date, said Tom Rubin, associate general counsel at Microsoft. “We very much share a common belief that creators of works should be able to express their intentions with regard to subsequent use, and Creative Commons has created exciting ways to have works shared freely or have works reused by others,” Rubin said. http://news.com.com/2100-1032_3-6086018.html

SPAM FILTER NO EXCUSE FOR ATTORNEY FAILURE TO MEET DEADLINE (BNA’s Internet Law News, 22 June 2006) -- BNA’s Electronic Commerce & Law Report reports on an Arkansas Court of Appeals decision which rejected an attorney’s attempt to argue that spam filters caused him to miss a filing deadline. The court concluded that “even if we could say that appellant’s counsel received neither email, we could not conclude that counsel acted with due diligence in keeping up with the status of the case.” Case name is Moody v. Farm Bureau Mutual Ins. Co. of Arkansas Inc. Article at http://pubs.bna.com/ip/bna/eip.nsf/eh/a0b2x3k0n8 (subscription required)

COMPANY COMPUTER USAGE POLICIES DON’T COUNT UNLESS THEY’RE ENFORCED, COURT SAYS (Steptoe & Johnson’s E-Commerce Law Week, 17 June 2006) -- As if employers didn’t already have enough reasons to monitor their employees’ computer usage, the U.S. District Court for the Eastern District of New York recently gave them yet another one. In Curto v. Medical World Communications, Inc., Judge Denis R. Hurley affirmed a magistrate judge’s finding that the extent to which a company actually enforces its computer usage policy is relevant to the issue of whether an employee waived the attorney-client privilege by sending and storing communications on company-owned laptops. The court upheld the magistrate’s ruling that the employee, despite violating the company’s policy prohibiting personal use of company computers, had not waived her right to assert attorney-client privilege for emails and documents on company laptops. Although this decision dealt with the narrow issue of waiver of attorney-client privilege, its reasoning could affect how courts treat employees’ claims that their employers violated their privacy by monitoring their communications and computer usage. The message to employers is: if you’ve got a computer usage policy, you’d better enforce it or it might not do you any good. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=12599&siteId=547 Decision at http://www.steptoe.com/publications/409h.pdf. [Editor: Here, the court reasoned that failure to enforce the company policy created a sense of security, lulling employees into believing the policy wasn’t a real policy. Thus, the policy’s statement that employees had no expectation of privacy when using company-provided computers was without effect, at least with respect to information otherwise covered by the attorney-client privilege. There are other, important distinctions in this opinion.]

SMALL COMPANIES UNPREPARED FOR DISASTERS: AT&T SURVEY (InfoWeek, 20 June 2006) -- Slide Inc. Chairman and CEO Max Levchin has been thinking a lot these days about implementing a better disaster recovery plan as his fledgling media sharing site grows into a multibillion-dollar business. Finding the cash to invest in servers and software isn’t the issue for the 34-person startup. After all, Levchin co-founded PayPal with Peter Thiel, which they sold to eBay Inc. for $1.5 billion in 2002. Executives at many small companies like Slide say they don’t have the time or the resources to organize and build a detailed plan. “If I experiment by turning off all power in the data center for 24 hours, what would happen to Slide as a result wouldn’t be pretty,” Levchin said. “We would recover, but not smoothly.” Levchin isn’t alone. AT&T Inc.’s fifth-annual Business Continuity Survey released Tuesday, which polled about 1,000 CIOs and IT executives at U.S. companies with more than $10 million in annual revenue, reveals that 28 percent do not have adequate plans in place to cope with natural or other disasters. Nearly 30 percent of executives who participated in the survey said their company has suffered from a disaster. Eighty-one percent of executives said cyber security is part of their overall business plan for interruptions in 2006, up from 75 percent in 2005. Eight out of 10 companies have revised plans in the past 12 months, including 48 percent that say they’ve been updated in the past six months. Of those companies with plans in place, 40 percent say they have not tested their plan in the past year. Companies in Los Angeles, Miami, New York and Washington, D.C. were among the most prepared and made their disaster recovery plan a high priority, compared with those less prepared in Detroit, St. Louis and Seattle. http://www.informationweek.com/story/showArticle.jhtml?articleID=189600062&cid=RSSfeed_IWK_News

UNAUTHORISED APPS BIGGER THREAT THAN MALWARE (The Register, 21 June 2006) -- Mozilla’s Firefox 1.0.7 has taken top spot in a list of vulnerable applications likely to be lurking in corporate IT systems released by Bit9. The endpoint security vendor contends that malware is less of a threat to companies than unpatched off-the-shelf applications deployed throughout their organisations. Firefox 1.0.7 is number one on its list, with vulnerabilities including “memory corruptions, buffer overflows, and running of arbitrary HTML and Javascript code that in many cases allow the execution of arbitrary code”. Apple’s iTunes 6.0.2 and Quicktime 7.0.3 come second, with Skype Internet Phone 1.4 third, Acrobat Reader 7.02/6.03 fourth, and Sun’s Java Run-Time Environment 5.0 rounding out the top five. Security hounds may be surprised that Microsoft doesn’t make an appearance till number nine, with Microsoft Windows/MSN messenger 5.0. Then again, Microsoft’s software could be a bit more widespread than anything else in the top 15. It should be said that Bit9 doesn’t make it clear if it has ranked the apps by their popularity or their level of vulnerability. http://www.theregister.co.uk/2006/06/21/bit9_vuln_list/

JUSTICE, FTC REDUCE PAPERWORK, MAINTAIN CONFIDENTIALITY (FCW, 20 June 2006) -- The Justice Department’s Antitrust Division and the Federal Trade Commission announced today an electronic filing system that will allow merging companies to submit pre-merger notification filings, as required by the Hart-Scott-Rodino Act, via the Internet, eliminating the time and expense of duplicating and submitting written documents. The new system ends the requirement to submit to Justice and the FTC paper copies of the required pre-merger notification form and attachments, according to a DOJ announcement. http://www.fcw.com/article94969-06-20-06-Web

U.S. POLICE USING DATA BROKERS (Security Focus, 20 June 2006) -- Police and government officials in the U.S. have been bypassing the need for subpoenas and warrants by gathering personal information made available through private data brokers. The data brokers, which advertise heavily on the Internet, have at times admitted to using deception and illegal practices themselves, according to a new report by the Associated Press. Law enforcement agencies including the FBI, the Department of Homeland Security, the U.S. Justice Department, the U.S. Marshal’s Service, and local police in various states have been using data brokers to obtain detailed personal phone records, credit histories, and other information on their suspects. The records are often obtained much faster and more easily than using the standard subpoena and warrant process - often taking hours rather than days or weeks. While the data brokers normally charge customers for the information, it is believed that law enforcement agencies are rarely charged for this service. It is being reported that some of the information sold by brokers was obtained illegally, but this fact is not likely being conveyed to law enforcement using the information, and officials appear to be undeterred. http://www.securityfocus.com/brief/233

EMERGENCY DATA STANDARD RATIFIED (GCN, 21 June 2006) -- A new open IT standard, capable of facilitating data sharing across local, regional, national and international governments and organizations, has been ratified by the Organization for the Advancement of Structured Information Standards. The Emergency Data Exchange Language Distribution Element (EDXL-DE) Version 1.0 has been designated a standard by Oasis, which serves as the de facto international standards body. Chip Hines, acting director for the Homeland Security Department’s Office for Interoperability and Compatibility, hailed the new standard’s ability to help transmit a wide variety of data content, from files to technical data exchange information. EDXL-DE is a header, meant to identify to whom and under what circumstances emergency information is being sent, Oasis said. The group’s Emergency Management Technical Committee is still working to develop other components of the new emergency standard. In addition to message routing instructions such as the DE standard, EDXL will address resource questions and requests, situation reports, damage assessments and other functionality issues for cross-jurisdictional emergency communications. Hines, who said the standard provides immediate capability to the emergency response community, called on industry to work the standard into their products. “EDXL-DE will facilitate the implementation of a host of standards which will lead to fully interoperable sharing of information in emergency related applications,” Hines said in the consortium’s statement announcing the standard. DHS was involved in the creation of the standard and worked with private sector partners to develop it and bring the standard to Oasis, where the group’s Emergency Management Technical Committee refined it and helped get it ratified. http://www.gcn.com/online/vol1_no1/41113-1.html?CMP=OTC-RSS

AT&T CLAIMS RIGHTS TO DATA ON CUSTOMERS (Washington Post, 22 June 2006) -- AT&T Inc., the nation’s largest telephone company, updated its privacy policy, saying personal account information is owned by the company and may be shared to investigate “potential threats.” “While your account information may be personal to you, these records constitute business records that are owned by AT&T,” according to the policy, which takes effect today. “As such, AT&T may disclose such records” to “investigate, prevent or take action regarding illegal activities, suspected fraud” and “situations involving potential threats to the physical safety of any person” as required or permitted by law. AT&T spokesman Marc Bien said there is “no linkage” between the updated policy and lawsuits claiming that AT&T violated customers’ privacy rights by giving the U.S. government access to their phone call and e-mail records. The intention is “to make our policy much easier to read, with more common language and less legalese,” he said. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/21/AR2006062102268.html

DOJ PUMPS UP INTELLECTUAL PROPERTY EFFORTS (Computerworld, 20 June 2006) -- The Department of Justice has fulfilled or exceeded all recommendations made by an intellectual property task force in October 2004, including new computer crime investigations units in 12 cities, Attorney General Alberto Gonzales announced Tuesday. Since the DOJ’s task force made 31 recommendations for protecting intellectual property, the DOJ has launched Computer Hacking and Intellectual Property (CHIP) units in seven more cities than the task force recommended. The DOJ now has 25 CHIP units across the U.S., and among the newest 12 are units in Washington, D.C., Baltimore, Denver, Detroit and Philadelphia. The DOJ, which released a progress report on the initiative Tuesday, has also stationed an experienced prosecutor to work on intellectual property enforcement in Southeast Asia, and will add a prosecutor in Eastern Europe. Those DOJ prosecutors will help train foreign prosecutors, investigators and judges about intellectual property investigations, the DOJ said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001312&taxonomyId=17 [Editor: the list of CHIP offices, and personnel, is at http://www.cybercrime.gov/CHIPlist.htm; although this page is labeled “For Official Law Enforcement Use Only”, it’s findable by a simple search for “CHIP list” at the DOJ cybercrime public site, http://www.cybercrime.gov/]

KY. BLOCKS STATE WORKERS’ ACCESS TO BLOG (AP, 23 June 2006) -- Kentucky officials are blocking state employees’ Internet access to a political blog that has been critical of Gov. Ernie Fletcher, who was indicted earlier this year in connection with a state hiring scandal. The blocked Web sites include entertainment and humor sites, online auctions and blogs, but Mark Nickolas, operator of http://www.bluegrassreport.org, said he believes his site was targeted for its political content. “It’s outrageous; it shows that we are in the People’s Republic of Kentucky now - that government will block political speech that it does not approve of,” Nickolas said. State Finance Cabinet spokeswoman Jill Midkiff said officials were not targeting particular sites but entire categories to prevent inappropriate employee access. She said the sites were blocked following a review about two weeks ago of the sites most accessed by state government. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14886321.htm

MICROSOFT TO PUBLISH ITS PRIVACY RULES (CNET, 23 June 2006) -- Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products. The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft. The privacy rules offer guidelines on providing people with proper notification and options in certain situations--for example, when a software application is about to send information via the Internet to its maker, Cullen said. Microsoft believes it is the first major software company to publish these guidelines. “This is designed for an IT pro or a developer, in terms of: ‘If you’re building an application that does X, this is what we think should be built,’” he said. “The public document will use a lot of ‘shoulds.’ Inside Microsoft, those are ‘musts.’” While the release of the guidelines will likely not have any immediate effect on consumer privacy, it is a positive development, privacy watchers said. “Microsoft is advancing the dialog about how privacy issues are addressed by the technology providers,” said James Van Dyke, an analyst at Javelin Strategy & Research. “This will force other technology firms to similarly comply, rebut or propose alternative positions, all of which will move us closer to deciding acceptable use of private information through technology.” The company has a single, global privacy policy, Cullen said. This means that the same policy applies even in countries that have limited or no privacy regulation. http://news.com.com/2100-1029_3-6087538.html

BUSINESS ROUNDTABLE ISSUES WARNING ON LACK OF PREPARATION TO RECOVER THE INTERNET FOLLOWING A CATASTROPHIC CYBER DISRUPTION (Business Roundtable, 23 June 2006) -- The United States is ill-prepared for a cyber catastrophe, with significant ambiguities in public and private sector responses that would be needed to restore and recover the Internet following a disaster, according to a new Business Roundtable report released today. “Our nation’s Internet and cyber infrastructure serve as a critical backbone for the exchange of information vital to our security and our economy, but our analysis has exposed a significant weakness that could paralyze the economy following a disaster,” said Edward B. Rust Jr., Chairman and CEO, State Farm Insurance Companies and head of the Roundtable Security Task Force’s working group on cyber security. “If there’s a cyber disaster, there is no emergency number to call – and no one in place to respond because our nation simply doesn’t have the kind of coordinated plan in place that we need to restart and restore the Internet,” Rust added. “Government and industry must work together to beef up our cyber-security and recovery efforts.” The report – Essential Steps Toward Strengthening America’s Cyber Terrorism Preparedness – is the culmination of a year’s work by top businesses led by the Roundtable, an association of 160 CEOs of the nation’s leading companies. Identifying ways to harden the Internet has been one of the main priorities of the Roundtable’s Security Task Force because a properly functioning Internet is essential to the continuity of the nation’s economy. The report identifies cyber shortfalls similar to the disaster response problems that occurred following Hurricane Katrina, highlighting three significant gaps in response plans to restore the Internet:
* Inadequate Early Warning System – The U.S. lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly.
* Unclear and Overlapping Responsibilities – Public and private organizations that would oversee recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination.
* Insufficient Resources – Existing organizations and institutions charged with Internet recovery should have sufficient resources and support. For example, little of the National Cyber Security Division (NCSD)’s funding is targeted for support of cyber recovery.

It concludes that the U.S. is not sufficiently prepared for a major attack, software incident or natural disaster that would lead to disruption of large parts of the Internet. “If our nation is hit by a cyber Katrina that wipes out large parts of the Internet, there is no coordinated plan in place to restart and restore the Internet,” said John J. Castellani, President of the Roundtable. “A cyber disaster could have immediate and nationwide consequences to our nation’s security and economy, and we need to be better prepared. That’s why advance copies of this report have been given to the Department of Homeland Security and Congressional leaders.” The report offers recommendations for government and business to improve identification and assessment of cyber disruptions, to coordinate responsibilities for Internet reconstitution, and to make needed investments in institutions with critical roles in Internet recovery. [Report at http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf] http://www.businessroundtable.org/newsroom/Document.aspx?qs=5936BF807822B0F1AD2428022FB51711FCF50C8 and http://www.gcn.com/online/vol1_no1/41172-1.html

LAW LORDS TO RULE ON INTERNET DEFAMATION (The Times Online, 26 June 2006) -- A test case comes before the law lords, Britain’s highest court, today that will determine how far newspapers and other internet publishers are open to lawsuits from people alleging that they have been libeled in any part of the world. In a landmark ruling last year, the Court of Appeal ruled that internet publishers could not be sued in the English courts unless there had been a “substantial” publication in England. The ruling came in an action brought by Yousef Jameel, a Saudi Arabian who sought to sue the United States-based Dow Jones, the publisher of The Wall Street Journal, in London. The Court of Appeal threw out the libel action against the online publication, saying that only five people in England had read the allegedly defamatory item, but Mr Jameel is appealing in a case that could lead to new guidelines on when publishers can rely on the so-called Reynolds defense, a defense of “public interest” or qualified privilege. http://www.timesonline.co.uk/article/0,,200-2243300,00.html

DEPLOYMENT OF CORPORATE WEBLOGS WILL DOUBLE IN 2006, SAYS JUPITERRESEARCH (Tekrati, 26 June 2006) -- Market research by JupiterResearch shows that 35 percent of large companies plan to institute corporate Weblogs this year. Combined with the existing deployed base of 34 percent, nearly 70 percent of all corporate website operators will have implemented corporate blogs by the end of 2006. The analysts find that weblogs are underused for generating word-of-mouth marketing buzz. JupiterResearch estimates that 64 percent of executives spend less than $500,000 to deploy and manage corporate Weblogs. “Site operators should leverage existing Web content management best practices and functionality to decrease total cost of ownership, promote unified branding and increase site security,” said Greg Dowling, Analyst at JupiterResearch and author of the report. “They can also realize considerable cost savings while mitigating deployment, management and maintenance concerns inherent in implementing additional stand-alone Weblog authoring systems.” The new research finds that Weblogs are underused for generating word-of-mouth (WoM) marketing opportunities. Only 32 percent of marketing executives said they use corporate Weblogs to generate WoM around their company’s products or services. http://www.tekrati.com/research/News.asp?id=7353

US MILITARY TURNS TO “BLOG ANALYSIS” FOR INTELLIGENCE (Ars Technica, 5 July 2006) -- Somewhere between journalism’s two worlds of “hard news” and “secondhand rumor” lies a third category: “your tax dollars at work.” These stories generally combine the veracity of real news with the craziness of watercooler gossip, making them especially tasty at the end of a long workday. To that end, let’s talk a little about the Defense Department’s interest in blogs. Imagine yourself as a military planner for the US, someone charged with thinking about “information analysis” and “actionable information.” Where would you go to learn things that the world’s most expensive military does not already know? If you said “the blogosphere,” please consider a new career with the Air Force Office of Scientific Research, which is currently funding a US$450,000 study that attempts to mine blogs for “invaluable help in fighting the war of terror.” How is this going to work? The study’s name is cryptic; it’s called an “Automated Ontologically-Based Link Analysis of International Web Logs for the Timely Discovery of Relevant and Credible Information” (“Ontologically-based”? Aren’t we all?). The three-year project will seek to separate the wheat from the chaff using a radical new approach to information processing: counting the number of hyperlinks that point to a source. As the press release points out, “Within blogs, hyperlinks act like reference citations in research papers thereby allowing someone to discover the most important events bloggers are writing about in just the same way that one can discover the most important papers in a field by finding which ones are the most cited in research papers.” This Brand New Approach™, one with no similarities to that used by the world’s largest search engine, will help analysts learn what topics are most popular among bloggers.
Basically a Google Trends focused on blogs, the research hopes to clue warfighters into topics that have not yet made it onto the military’s radar screen, things like the Danish cartoon controversy that outraged the Muslim world, which was discussed on the blogosphere before it made headline news. http://arstechnica.com/news.ars/post/20060705-7197.html

LAWYERS CONTINUE TO MOVE TOWARD THE “PAPERMORE” OFFICE? (Dennis Kennedy blog, 28 June 2006) -- At least ten years ago, Nicholas Negroponte was talking about the move from a world of atoms (stuff) to a world of bits (data or electrons). In the world of electronic discovery, speakers constantly refer to a study that suggests that 93% of documents created today will never be printed on paper. You see concern everywhere about the amount of trees being cut down to produce paper. On the other hand, lawyers love their paper. In that context, it was a little sad to run across this item on the ABA’s Site-Tation that says, well, just let me quote this: According to the 2006 Legal Technology Survey Report, 61% of attorneys save email related to a case or client matter by printing out a hard copy. As John McEnroe might say, “you cannot be serious.” Actually, it’s probably a good thing that we didn’t find the percentage of lawyers who later scan those printouts of emails as TIFFs to reconvert them to digital form. http://www.denniskennedy.com/blog/2006/06/lawyers_continue_to_move_toward_the_papermore.html

NEW ISO/IEC STANDARD TO HELP DETECT IT INTRUDERS (ISO, 30 June 2006) -- ISO/IEC 18043:2006, Information technology – Security techniques – Selection, deployment and operations of intrusion detection system, focuses on the security principles behind the intrusion of computer systems by outsiders or unauthorized employees, and how organizations can establish a framework to enable a comprehensive intrusion detection system. An Intrusion Detection System (IDS) is an important tool for security management used to predict and identify intrusions in computer systems and to raise appropriate alarms during an intrusion attempt. The system enables local collection of information on intrusions, and subsequent consolidation and analysis, as well as analysis of an organization’s normal IT patterns of behaviour and usage. “One of the problems that businesses have is being able to detect when their systems are being intruded upon in order that effective action can be taken to prevent harm or loss to their assets,” said Ted Humphreys, convenor of the ISO/IEC working group that has developed the standard. “The development of ISO/IEC 18043:2006 is an important step forward in dealing with the growing problem of intrusions and provides a good basis for progressing solutions and implementations.” Organizations are vulnerable to various kinds of security threats, such as unauthorized computer access, denial of service attacks and hackers. Typical misuse takes advantage of vulnerabilities in system configuration, user neglect and carelessness, as well as design flaws in software, protocols and operating systems. Outsiders, as well as insiders – disgruntled employees, inside trading, and temporary employees – can exploit these vulnerabilities. ISO/IEC 18043:2006 provides guidelines to assist organizations in preparing to deploy Intrusion Detection Systems. In particular, it addresses the selection, deployment and operation of IDS. 
It also provides background information from which these guidelines are derived. http://www.iso.ch/iso/en/commcentre/pressreleases/2006/Ref1017.html

ONLINE FILE-SHARING THRIVES A YEAR AFTER GROKSTER RULING (SiliconValley.com, 30 June 2006) -- File-swapping software seemed in peril a year ago when the U.S. Supreme Court gave the entertainment industry a legal bullet: Its ruling reopened the door for lawsuits over programs used to share music, movies and other copyright files. The Supreme Court, reversing lower court rulings, said developers of such programs could indeed be held liable for unauthorized sharing by their users -- if the technology companies were somehow encouraging customers to steal music and movies. Andrew Lack, then chief executive at Sony BMG Music Entertainment, predicted at the time: “We will no longer have to compete with thieves in the night whose businesses are built on larceny.” Yet a year later, peer-to-peer, or P2P, sharing continues to thrive, with firms behind favorite applications such as eDonkey, LimeWire, Morpheus and Kazaa, among others, still in business. Although the threat of litigation did force the operators of BearShare, WinMX and i2Hub to shut down, the number of people using file-sharing services has gone up. The average number of simultaneous file-sharing users was about 9.7 million worldwide in May, with about 6.7 million from the United States, according to BigChampagne LLC, which tracks file-sharing activity. In the same period last year, BigChampagne tracked 8.6 million average users globally and 6.2 million in the United States. http://www.siliconvalley.com/mld/siliconvalley/14941434.htm

VA GIVES CIO IT SECURITY AUTHORITY (GCN, 30 June 2006) -- Veterans Affairs secretary James Nicholson has given the VA CIO broad authority over information security policies and procedures, including enforcement, effective immediately. Previously, the CIO did not have that authority; the CIO could only seek compliance from the heads of VA’s health, benefits and burial administrations. Congress and security experts have cited VA’s decentralization as a major factor in VA’s failing grade on the annual report card for adherence to the Federal Information Security Management Act and a contributing factor in the recent theft of sensitive data of up to 26.5 million veterans and others. Nicholson announced yesterday at a hearing of the Veterans Affairs Committee that the stolen laptop and hard drive containing the data were [recovered], and added that he was optimistic that the culprits did not access the sensitive data. House Veterans Affairs Committee chairman Steve Buyer (R-Ind.) praised Nicholson for his action, saying that at times he has not been well-served by others. “I commend you for taking bold action to change the culture at VA and definitively granting [the] CIO the authority to manage and enforce VA’s information systems,” he said. http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=41230

EFF DEFENDS LIBERTIES IN HIGH-TECH WORLD (Washington Post, 4 July 2006) -- In March 1990, when few people had even heard of the Internet, U.S. Secret Service agents raided the Texas offices of a small board-game maker, seizing computer equipment and reading customers’ e-mail stored on one machine. A group of online pioneers already worried about how the nation’s laws were being applied to new technologies became even more fearful and decided to intervene. And thus the Electronic Frontier Foundation was born -- 16 years ago this Monday -- taking on the Secret Service as its first case, one the EFF ultimately won when a judge agreed that the government had no right to read the e-mails or keep the equipment. Today, after expanding into such areas as intellectual property and moving its headquarters twice along with its focus, the EFF is re-emphasizing its roots of trying to limit government surveillance of electronic communications, while keeping a lookout for emerging threats even as the Internet and digital technologies become mainstream. “They are the lawyers for the open vision of the Internet,” said Peter Swire, the Clinton administration privacy counselor who sometimes tussled with the EFF. [Editor: nice story about good people doing important work. Running it on the 4th of July seems right.] http://www.washingtonpost.com/wp-dyn/content/article/2006/07/04/AR2006070400695.html

CUSTOMER DATA ABUSE RIFE AMONG UK COMPANIES (Silicon.com, 4 July 2006) -- Nearly half of UK companies could be breaching the Data Protection Act (DPA) through the misuse of customer data, according to research published on Monday. The study involved 100 UK IT directors, and found 44 per cent use genuine customer data when developing and testing applications. This is a breach of the second principle of the DPA, which states data should not be used for purposes other than that for which it was collected. The research, conducted by Vanson Bourne, also found 48 per cent are only “vaguely familiar” with the detail of the Act itself. Clarke said: “Lots of companies have taken stringent measures around the protection of customer data in the live production environment. But the numbers of people with no security clearance who can be exposed to that data can quadruple in the test environment.” Compuware said it was also concerned that 86 per cent of those surveyed admitted sending live customer data offshore, often for development and test purposes, with nothing more than a non-disclosure agreement (NDA). The DPA is enforced by the Information Commissioner, which warned organisations need to take effective security precautions at all times, including when testing new systems. A spokeswoman for the Office of the Information Commissioner said: “The use of live customer data for test purposes runs the real risk that personal details can be corrupted or fall into the wrong hands. Organisations are well advised to avoid using live customer details for test purposes to help ensure that they treat people’s personal details properly and in compliance with the DPA.” Clarke said problems often arise with artificial data because “masking out parts of the data means you can’t test some fields”. 
This means many companies have resorted to using live data samples to make sure the test environment will mirror the processes that will inevitably link the live environment with other mission-critical applications. http://management.silicon.com/government/0,39024852,39160080,00.htm

MICROSOFT FACES SECOND WGA LAWSUIT (CNET, 5 July 2006) -- Microsoft has been named in a second lawsuit over its antipiracy Windows Genuine Advantage program, which plaintiffs allege acts as “spyware” on their systems. Engineered Process Controls, Univex and several other parties filed a class action lawsuit Friday in U.S. District Court in Seattle, alleging Microsoft installed “spyware” on their computers as a “critical security update.” The suit comes days after another complaint containing similar allegations was filed in U.S. District Court in Los Angeles. In this most recent lawsuit, the parties allege Microsoft violated the Computer Fraud and Abuse Act, the Consumer Protection Act, the Computer Spyware Act, and also engaged in intentional misrepresentation of the software program. Microsoft, however, contends the two lawsuits do not present a fair picture of WGA. “The two lawsuits appear to be similar in the claims and both are without merit,” said Jim Desler, a Microsoft spokesman. “They distort our antipiracy program…and the harm piracy brings to Microsoft and to customers.” Although the WGA feature is designed to validate the authenticity of Windows software installed on a user’s PC, it recently raised the ire of some users when Microsoft began delivering the WGA prerelease as a “high priority” item automatically built into Windows updates. The software, which scans users’ hardware and software for information such as their Internet Protocol address, was initially designed to transmit information back to Microsoft every time users booted up their computers. But the software giant has since scaled back the frequency of the transmissions to twice a month and informed users about ways to disable the WGA alerts. http://news.com.com/2100-1014_3-6090651.html and http://www.macworld.com/news/2006/07/05/wga/index.php?lsrc=mwrss

THE INTERNET KNOWS WHAT YOU’LL DO NEXT (New York Times, 5 July 2006) -- A few years back, a technology writer named John Battelle began talking about how the Internet had made it possible to predict the future. When people went to the home page of Google or Yahoo and entered a few words into a search engine, what they were really doing, he realized, was announcing their intentions. [Caption: Google Trends keeps track of Internet search terms, letting users postulate future behavior. It also allows comparisons of relative popularity.] They typed in “Alaskan cruise” because they were thinking about taking one or “baby names” because they were planning on needing one. If somebody were to add up all this information, it would produce a pretty good notion of where the world was headed, of what was about to get hot and what was going out of style. Mr. Battelle, a founder of Wired magazine and the Industry Standard, wasn’t the first person to figure this out. But he did find a way to describe the digital crystal ball better than anyone else had. He called it “the database of intentions.” The collective history of Web searches, he wrote on his blog in late 2003, was “a place holder for the intentions of humankind — a massive database of desires, needs, wants, and likes that can be discovered, subpoenaed, archived, tracked, and exploited to all sorts of ends.” “Such a beast has never before existed in the history of culture, but is almost guaranteed to grow exponentially from this day forward,” he wrote. It was a nice idea, but for most of us it was just an abstraction. The search companies did offer glimpses into the data with bare-bones (and sanitized) rankings of the most popular search terms, and Yahoo sold more detailed information to advertisers who wanted to do a better job of selling their products online. But there was no way for most people to dig into the data themselves.
A few weeks ago, Google took a big step toward changing this — toward making the database of intentions visible to the world — by creating a product called Google Trends. It allows you to check the relative popularity of any search term, to look at how it has changed over the last couple years and to see the cities where the term is most popular. And it’s totally addictive. You can see, for example, that the volume of Google searches would have done an excellent job predicting this year’s “American Idol,” with Taylor Hicks (the champion) being searched more often than Katharine McPhee (second place), who in turn was searched more often than Elliot Yamin (third place). Then you can compare Hillary Clinton and Al Gore and discover that she was more popular than he for almost all of the last two years, until he surged past her in April and stayed there. http://tinyurl.com/jvd28

THE HIDDEN DANGERS OF INSTANT MESSAGING (CIO Today, 5 July 2006) -- Human nature may not change, but technology sure does. Gone are the days when employees saved their juicy gossip for periodic water cooler visits. Instant venting about difficult managers, annoying coworkers, and even questionable ethical practices is now as quick and easy as clicking an instant message (IM) screen name. But unlike water-cooler chatter, IMs leave a trail -- one that can be tracked by employers, regulators, and law-enforcement officials. And like e-mail, IMs are considered legal documents. Public companies can be subpoenaed for IMs that may indicate Sarbanes-Oxley violations. Trial lawyers can demand IM records for workplace harassment lawsuits. The American Medical Assn. can cull through health-care-provider IMs for evidence of violations of the Health Insurance Portability & Accountability Act, a law aimed at ensuring access to health-insurance coverage for people who change jobs. Regulatory breaches via IM are not the only concern for today’s employer. In a lawsuit filed early this year, Yahoo! alleged that a group of ex-employees used IM to distribute confidential business and technical data for use with their new employer, a competing startup. Records of this IM correspondence became a key piece of evidence in the case. A 2004 survey by the Pew Internet & American Life Project found that 4 out of every 10 adult Internet users in the U.S. use IM. First and foremost, employers and their I.T. teams must remember that IM -- similar to e-mail -- leaves a paper trail and should therefore be continually logged, stored, and readily accessible. Recently investment bank Morgan Stanley agreed to pay $15 million to settle an investigation by the Securities & Exchange Commission into the bank’s failure to preserve e-mails. http://www.cio-today.com/story.xhtml?story_id=44275

CONSULTANT BREACHED FBI’S COMPUTERS (Washington Post, 6 July 2006) -- A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused. The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon’s “curiosity hacks” nonetheless exposed sensitive information. Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions. An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a “comprehensive and proactive security program” that includes layered access controls and threat and vulnerability assessments. Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training. http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489.html?nav=rss_technology

EBAY: GOOGLE CHECKOUT DOESN’T; BANS IT (MarketingVOX, 7 July 2006) -- As anticipated, eBay has banned its sellers from requesting payment via the Google Checkout online payment service, reports AuctionBytes.com. eBay updated its Safe Payments policy this week, adding Google Checkout to the list of unapproved payment methods. eBay this week also renamed its “Safe Payments Policy” to “Accepted Payments Policy,” apparently implying that Checkout is not unsafe - merely unacceptable. eBay “clarified” the policy change in an announcement, saying, “Please note that eBay’s evaluation relates only to whether a particular service is appropriate for the eBay marketplace. These payment methods may, in fact, be useful services for consumers in other contexts.” The eBay policy states that a payment service must have a “substantial historical track record of providing safe and reliable financial and/or banking related services.” Google has said that its Google Checkout is not a beta product. “Google has a long history in billing and payments for AdWords and for premium services, such as Google Video,” according to a Google spokesperson. http://www.marketingvox.com/archives/2006/07/07/ebay_google_checkout_doesnt_bans_it/

**** RESOURCES ****
“The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments,” Marc Rotenberg, editor (EPIC 2005). Price: $40. -- The Privacy Law Sourcebook, which has been called the “Physician’s Desk Reference” of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. http://www.epic.org/bookstore/pls2004/

PODCASTING LEGAL GUIDE (Creative Commons, June 2006) -- The purpose of this Guide is to provide you with a general roadmap of some of the legal issues specific to podcasting. EFF has produced a very practical and helpful guide for issues related to blogging generally (http://www.eff.org/bloggers/). This Guide is not intended to duplicate efforts by EFF, and in many cases refers you to that guide for where crossover issues are addressed. Our goal is to complement EFF’s Bloggers FAQ and address some of the standalone issues that are of primary relevance to podcasters, as opposed to bloggers. http://wiki.creativecommons.org/Podcasting_Legal_Guide

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuireWoods’ Technology & Business Articles of Note, http://www.ggtech.com.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.