Friday, July 07, 2006

MIRLN -- Misc. IT Related Legal News [17 June – 7 July 2006; v9.09]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC (www.dickinsonwright.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described here: http://tinyurl.com/joo5y

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/. Older editions reside in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

U.S. DROPS PLAN TO RESTRICT FOREIGN RESEARCHERS (InfoWeek, 9 June 2006) -- The Commerce Department has withdrawn proposed changes to export rules that would have tightened restrictions on foreign researchers working in the U.S. The department’s Bureau of Industry and Security (BIS) said last week it is withdrawing two “deemed” exports proposals that originated with the Defense Department. They would have limited foreign researchers’ access to sensitive U.S. technologies. According to the Commerce Department, “An export of technology or source code (except encryption source code) is ‘deemed’ to take place when it is released to a foreign national within the United States.” The bureau said in a ruling published in the Federal Register that it “determined that the current licensing requirement based upon a foreign national’s country of citizenship or permanent residency is appropriate.” The Pentagon was seeking to tighten restrictions on deemed exports to restrict the flow of technical knowledge to potential enemies. The new restrictions would have among other things affected contracts for classified scientific research involving foreign nationals. Universities and research groups vigorously opposed the plan in comments filed with the Commerce Department. BIS said its decision to withdraw the proposals reflected most of the public comments filed in response to a proposed rulemaking. http://www.informationweek.com/story/showArticle.jhtml?articleID=188703269&cid=RSSfeed_IWK_News

HURRICANE WATCH: MARKLE PUSHES FOR E-HEALTH RECORDS (Government Health IT, 13 June 2006) -- The Markle Foundation urged the government and private-sector organizations to prepare for the 2006 hurricane season by putting systems and technologies in place to ensure that medical records and drug histories are accessible during a disaster like Hurricane Katrina, which displaced millions of people last year. The foundation spearheaded last year’s KatrinaHealth project that cobbled together patient records after the hurricane. In a related development, the Institute of Medicine plans to release three reports June 14 that are expected to be critical of the country’s emergency medical system and its ability to handle disasters. The KatrinaHealth project gave authorized users access to evacuees’ medication histories. That information came from a variety of government and commercial sources, including insurers, pharmacy benefit managers and prescription drug databases maintained by companies such as SureScripts, the country’s largest electronic prescribing service. In a report released today about the lessons learned from the KatrinaHealth project, the Markle Foundation recommended that government health leaders, health care providers, insurers and information technology companies start immediate discussions to determine when and how certain types of medical information can be shared quickly after a disaster. [A checklist then follows.] http://govhealthit.com/article94880-06-13-06-Web&RSS=yes

MONEY LOST TO CYBERCRIME DOWN--AGAIN (ZDnet, 14 June 2006) -- While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey. For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey’s findings in a presentation at the CSI NetSec conference here Wednesday. Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said. This year, that’s down to $168,000, about an 18 percent drop, he added. Compared with 2004, the average loss is down 68 percent. “How do you go about reconciling the sense of things getting worse with the respondents who are saying they are losing less money?” Richardson asked. The 2006 survey, a final version of which is slated to be released next month, could provide some answers. Most important, perhaps, the 615 U.S. CSI members who responded to this year’s survey reported fewer security incidents. Viruses, laptop theft and insider abuse of Net access are still the most reported threats, but all have decreased compared with last year. http://news.zdnet.com/2100-1009_22-6083860.html

-- but --

GARTNER BLASTS CLAIMS OF CYBER-CRIME DECLINE (VNUnet.com, 23 June 2006) -- Businesses should pay no attention to a survey from the Computer Security Institute (CSI) claiming that cyber-crime damage is on the decline, analyst firm Gartner has warned. The CSI is a professional organisation for information, computer and network security professionals. Its study carries weight because it is conducted with the FBI. The 2006 survey polled 615 CSI members about security incidents, reporting that the average loss is $168,000 per incident, down from last year’s $204,000. The results prompted the CSI to claim that the extent of today’s security threats is “overstated”. However, Gartner warned that surveys often do not portray objective reality. The analyst firm also questioned the organisation’s decision to poll security specialists. “Security administrators who want more funding tend to exaggerate problems, while those who want to show they are doing a good job may de-emphasise them. Security vendors complicate matters further by developing their own sets of statistics,” Gartner research vice president Rich Mogull wrote in a research note. The study also lacks a consistent loss model that properly reflects changes in the online security space, according to Gartner. http://www.vnunet.com/vnunet/news/2158921/gartner-blasts-security-surveys

-- and --

THREE OF FOUR FINANCIAL INSTITUTIONS SUFFERED EXTERNAL BREACH IN PAST YEAR (SC Magazine, 14 June 2006) -- More than three out of every four of the world’s largest financial institutions experienced an external security breach in the past year, a dramatic increase over 2005, a new survey has revealed. The fourth annual poll, released today by Deloitte Touche Tohmatsu, found that 78 percent of the world’s top 100 financial services organizations that responded to the survey confirmed a security breach from outside the organization, up from just 26 percent in 2005. The survey also learned that nearly half of the organizations experienced at least one internal breach, up from 35 percent in 2005. Phishing and pharming were responsible for 51 percent of the external attacks, while spyware and malware accounted for 48 percent. Meanwhile, insider fraud was responsible for 28 percent of the internal breaches and customer data leaks were to blame for 18 percent. “The extent and nature of these security breaches signal a new reality for the global financial services industry,” said Ted DeZabala, principal in Deloitte’s security services group. “Executing these types of attacks requires significant resources and coordination…Organizations not only face more sophisticated and hard-to-track attacks but are also challenged by increased risk and potential loss.” The survey did reveal some good news: Almost 88 percent of organizations said they have implemented a business continuity plan, and 49 percent placed disaster recovery as a top five security initiative. Ninety-five percent of enterprises said their information security budgets have increased in the past year. http://www.scmagazine.com/uk/news/index.cfm?fuseaction=XCK.News.Article&nNewsID=564512

-- and --

JUNE 2006 SURVEY: DATA SECURITY RECEIVES A BOOST FROM COMPLIANCE EFFORTS (Baseline.com, 14 June 2006) – Investors, not CIOs, are in a better position to judge whether Sarbanes-Oxley is improving their confidence in the numbers reported by companies. But CIOs do know a fair amount about security, and they believe that regulations are making financial, customer and employee data more secure—just what legislators hoped for. Meanwhile, compliance isn’t proving to be a drag on profitability for most companies. In short, there’s been gain without universal pain. However, for the second year in a row, 25 percent or more of respondents who comply with the Sarbanes-Oxley Act say their company has disclosed material weaknesses or significant deficiencies in internal controls. The surprisingly high number indicates that Sarbanes-Oxley is forcing companies to confront problems with their financial reporting and controls—problems that are widespread. http://www.baselinemag.com/article2/0,1397,1976568,00.asp?kc=BARSS03129TX1K0000628

-- and --

NEW STUDY FINDS THAT MORE THAN 84% OF NORTH AMERICAN ENTERPRISES SUFFERED A SECURITY BREACH IN PAST YEAR (CA Press Release, 5 July 2006) -- CA (NYSE: CA) today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security. In addition, the findings indicate that security isn’t being taken seriously enough at all levels of an organization, especially in the financial service industry. Nearly 40% of respondents indicated that their organizations don’t take IT security risk management seriously at all levels, while 37% believe their organization’s security spending is too low. Only 1% believe it is too high. Despite these findings, the survey revealed that organizations are taking steps to improve security. The three most important cited security steps were documenting security policies (88%), creating security education policies for employees (83%) and creating a Chief Information Security Officer position (68%) within the organization. The survey also found that a lack of centralized security administration is affecting employee productivity. Only 6% of the organizations were able to provide new employees or contractors with access to all the applications or systems they require on their first day of work. http://www3.ca.com/press/PressRelease.aspx?CID=90751&culture=en-us

BILL DESIGNED TO PROTECT CELL PHONE RECORDS PASSES MICHIGAN HOUSE (AP, 14 June 2006) -- Telephone records could get some protection from fraud under legislation unanimously passed Wednesday by the state House. The bill would prohibit a person or business from trying to sell or obtain confidential phone records without the customer’s permission. Supporters say the bill could protect against identity theft and help guard a customer’s privacy, particularly related to cell phone records. The legislation comes amid reports of Internet-based businesses trying to fraudulently obtain confidential cell phone records by posing as customers. The House made minor changes to the legislation, which already has passed the Senate. If the Senate agrees with House changes, the bill soon will head to Gov. Jennifer Granholm. http://www.freep.com/apps/pbcs.dll/article?AID=/20060614/NEWS12/606140500/1121

GOOGLE LAUNCHES NEW SHAKESPEARE SITE (USA Today, 14 June 2006) -- “How beauteous mankind is!” For lovers of William Shakespeare, memorizing one of Hamlet’s soliloquies or recalling whether The Tempest is a romance or a tragedy just got easier. Web search leader Google Wednesday launched a site devoted entirely to the Bard, that allows U.S. users to browse through the full texts of his 37 plays. Readers can even plug in words, such as “to be or not to be” from Hamlet, and immediately be taken to that part of the play. The site, which was introduced in conjunction with Google’s sponsorship of New York’s “Shakespeare in the Park,” also provides links to related scholarly research, Internet groups, and even videos of theater performances of Shakespeare plays. It also encourages users to “take a literary field trip” by searching for London’s Shakespeare’s Globe Theater on Google Earth, which combines satellite imagery, maps and a search engine to find historic locations around the world. http://www.usatoday.com/tech/news/2006-06-14-shakespeare-google_x.htm

-- and --

GOOGLE TO LAUNCH GOVERNMENT SEARCH SITE (Washington Post, 15 June 2006) -- It’s finally happening: The ever-expanding Google Inc. is making its move on the federal government. Today the company plans to announce a new online product aimed at being a one-stop shop for searching federal government Web sites. The launch of Google U.S. Government Search, http://usgov.google.com, targets federal employees who often need to search across several government agencies. The site is also designed to help citizens navigate convoluted pages of government-speak and tailors news feeds to their interests. Users can customize the layout of their page to remain updated on government-related news from official and commercial sources, including the White House, Department of Defense, The Washington Post and CNN. Google is also working with agencies to increase the frequency of news updates to keep content current. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/14/AR2006061402359.html?nav=rss_technology

WEB 2.0 HAS CORPORATE AMERICA SPINNING (Ecommerce Times, 17 June 2006) – Silicon Valley loves its buzzwords, and there’s none more popular today than Web 2.0. Unless you’re a diehard techie, though, good luck figuring out what it means. Web 2.0 technologies bear strange names like wikis, blogs, RSS, AJAX, and mashups. And the startups hawking them -- Renkoo, Gahbunga, Ning, Squidoo -- sound like Star Wars characters George Lucas left on the cutting-room floor. But behind the peculiarities, Web 2.0 portends a real sea change on the Internet. If there’s one thing they have in common, it’s what they’re not. Web 2.0 sites are not online places to visit so much as services to get something done -- usually with other people. From Yahoo’s photo-sharing site Flickr and the group-edited online reference source Wikipedia to the teen hangout MySpace, and even search giant Google, they all virtually demand active participation and social interaction. If these Web 2.0 folks weren’t so geeky, they might call it the Live Web. Though these Web 2.0 services have succeeded in luring millions of consumers to their shores, they haven’t had much to offer the vast world of business. Until now. Slowly but surely they’re scaling corporate walls. “All these things that are thought to be consumer services are coming into the enterprise,” says Ray Lane, former Oracle president and now a general partner at the venture capital firm Kleiner Perkins Caufield & Byers. For all its appeal to the young and the wired, Web 2.0 may end up making its greatest impact in business. And that could usher in more changes in corporations, already in the throes of such tech-driven transformations as globalization and outsourcing. Indeed, what some are calling Enterprise 2.0 could flatten a raft of organizational boundaries -- between managers and employees and between the company and its partners and customers.
Says Don Tapscott, CEO of the Toronto tech think tank New Paradigm and co-author of The Naked Corporation: “It’s the biggest change in the organization of the corporation in a century.” Early signs of the shift abound. Walt Disney, investment bank Dresdner Kleinwort Wasserstein, and scores of other companies use wikis, or group-editable Web pages, to turbo-charge collaboration. Other firms are using button-down social-networking services such as LinkedIn and Visible Path to dig up sales leads and hiring prospects from the collective contacts of colleagues. Corporate blogging is becoming nearly a cliche, as executives from Sun Microsystems chief executive Jonathan Schwartz to General Motors Vice-Chairman Bob Lutz post on their own blogs to communicate directly with customers. Just as the personal computer sneaked its way into companies through the back door, so it’s going with Web 2.0 services. When Rod Smith, IBM’s vice-president for emerging Internet technologies, told the information technology chief at Royal Bank of Scotland about wikis last year, the exec shook his head and said the bank didn’t use them. But when Smith looked at the other participants in the meeting, 30 of them were nodding their heads. They use wikis indeed. “Enterprises have been ringing our phones off the hook to ask us about Web 2.0,” says Smith.
http://www.ecommercetimes.com/rsstory/51024.html [Editor: There’s more, and it’s worth reading. As they’re adopted, these processes raise important legal issues that we can help clients manage.]

-- and --

GROWING WIKIPEDIA REVISES ITS ‘ANYONE CAN EDIT’ POLICY (New York Times, 17 June 2006) -- Wikipedia is the online encyclopedia that “anyone can edit.” Unless you want to edit the entries on Albert Einstein, human rights in China or Christina Aguilera. Wikipedia’s come-one, come-all invitation to write and edit articles, and the surprisingly successful results, have captured the public imagination. But it is not the experiment in freewheeling collective creativity it might seem to be, because maintaining so much openness inevitably involves some tradeoffs. At its core, Wikipedia is not just a reference work but also an online community that has built itself a bureaucracy of sorts — one that, in response to well-publicized problems with some entries, has recently grown more elaborate. It has a clear power structure that gives volunteer administrators the authority to exercise editorial control, delete unsuitable articles and protect those that are vulnerable to vandalism. Those measures can put some entries outside of the “anyone can edit” realm. The list changes rapidly, but as of yesterday, the entries for Einstein and Ms. Aguilera were among 82 that administrators had “protected” from all editing, mostly because of repeated vandalism or disputes over what should be said. Another 179 entries — including those for George W. Bush, Islam and Adolf Hitler — were “semi-protected,” open to editing only by people who had been registered at the site for at least four days. While these measures may appear to undermine the site’s democratic principles, Jimmy Wales, Wikipedia’s founder, notes that protection is usually temporary and affects a tiny fraction of the 1.2 million entries on the English-language site. “Protection is a tool for quality control, but it hardly defines Wikipedia,” Mr. Wales said. “What does define Wikipedia is the volunteer community and the open participation.” http://www.nytimes.com/2006/06/17/technology/17wiki.html?ex=1308196800&en=646d3cf9d4e68f36&ei=5090&partner=rssuserland&emc=rss

JUSTICE DEPT. WANTS NSA SUITS CONSOLIDATED FOR D.C. COURT (CNET, 20 June 2006) -- The U.S. Department of Justice wants to consolidate at least two dozen lawsuits against the government and Verizon Communications that involve the National Security Agency’s alleged access to telephone customer records. The government on Monday filed a motion supporting Verizon’s request that 20 class action lawsuits accusing the company of helping the foreign intelligence surveillance program be combined in a single court in Washington. “Given the national security concerns in this case, the District of Columbia would be the most logical and convenient forum,” the filing said. The Justice Department also asked that five other lawsuits against the U.S. government related to the surveillance program be consolidated and coordinated with the Verizon proceeding. Government lawyers said they planned to seek dismissal of the lawsuits against Verizon by asserting military and state secrets privileges under U.S. law. http://news.com.com/2100-1028_3-6085874.html

CREATIVE COMMONS COMES TO MICROSOFT OFFICE (CNET, 20 June 2006) -- Microsoft and the Creative Commons on Wednesday plan to release a free tool that will let people attach a Creative Commons copyright license to Microsoft Office documents. Creative Commons is a nonprofit organization that has written licenses that allow content creators to share information while retaining some rights. Currently, some Web-based tools let people associate a Creative Commons license with information. But Microsoft is the first vendor to embed a license-selection option inside its applications, said Lawrence Lessig, the founder of the Creative Commons and a Stanford Law School professor. “This is important to us because a huge amount of creative work is created inside the Office platform. Having a simple way to add Creative Commons licenses obviously helps us spread those licenses much more broadly,” Lessig said. Once installed, the license-selection software will appear as a menu option in the Microsoft Office application. It will generate a Creative Commons logo, a short summary of the license chosen, and a hyperlink to the Creative Commons Web site. People can download the software from the Creative Commons Web site or from Microsoft Office Online. Microsoft and Creative Commons have collaborated on other projects, but the Office tool is the most significant effort to date, said Tom Rubin, associate general counsel at Microsoft. “We very much share a common belief that creators of works should be able to express their intentions with regard to subsequent use, and Creative Commons has created exciting ways to have works shared freely or have works reused by others,” Rubin said. http://news.com.com/2100-1032_3-6086018.html

SPAM FILTER NO EXCUSE FOR ATTORNEY FAILURE TO MEET DEADLINE (BNA’s Internet Law News, 22 June 2006) -- BNA’s Electronic Commerce & Law Report reports on an Arkansas Court of Appeals decision which rejected an attorney’s attempt to argue that spam filters caused him to miss a filing deadline. The court concluded that “even if we could say that appellant’s counsel received neither email, we could not conclude that counsel acted with due diligence in keeping up with the status of the case.” Case name is Moody v. Farm Bureau Mutual Ins. Co. of Arkansas Inc. Article at http://pubs.bna.com/ip/bna/eip.nsf/eh/a0b2x3k0n8 (subscription required)

COMPANY COMPUTER USAGE POLICIES DON’T COUNT UNLESS THEY’RE ENFORCED, COURT SAYS (Steptoe & Johnson’s E-Commerce Law Week, 17 June 2006) -- As if employers didn’t already have enough reasons to monitor their employees’ computer usage, the U.S. District Court for the Eastern District of New York recently gave them yet another one. In Curto v. Medical World Communications, Inc., Judge Denis R. Hurley affirmed a magistrate judge’s finding that the extent to which a company actually enforces its computer usage policy is relevant to the issue of whether an employee waived the attorney-client privilege by sending and storing communications on company-owned laptops. The court upheld the magistrate’s ruling that the employee, despite violating the company’s policy prohibiting personal use of company computers, had not waived her right to assert attorney-client privilege for emails and documents on company laptops. Although this decision dealt with the narrow issue of waiver of attorney-client privilege, its reasoning could affect how courts treat employees’ claims that their employers violated their privacy by monitoring their communications and computer usage. The message to employers is: if you’ve got a computer usage policy, you’d better enforce it or it might not do you any good. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=12599&siteId=547 Decision at http://www.steptoe.com/publications/409h.pdf. [Editor: Here, the court reasoned that failure to enforce the company policy created a sense of security, lulling employees into believing the policy wasn’t a real policy. Thus, the policy’s statement that employees had no expectation of privacy when using company-provided computers was without effect, at least with respect to information otherwise covered by the attorney-client privilege. There are other, important distinctions in this opinion.]

SMALL COMPANIES UNPREPARED FOR DISASTERS: AT&T SURVEY (InfoWeek, 20 June 2006) -- Slide Inc. Chairman and CEO Max Levchin has been thinking a lot these days about implementing a better disaster recovery plan as his fledgling media sharing site grows into a multibillion-dollar business. Finding the cash to invest in servers and software isn’t the issue for the 34-person startup. After all, Levchin co-founded PayPal with Peter Thiel, which they sold to eBay Inc. for $1.5 billion in 2002. Executives at many small companies like Slide say they don’t have the time or the resources to organize and build a detailed plan. “If I experiment by turning off all power in the data center for 24 hours, what would happen to Slide as a result wouldn’t be pretty,” Levchin said. “We would recover, but not smoothly.” Levchin isn’t alone. AT&T Inc.’s fifth-annual Business Continuity Survey released Tuesday, which polled about 1,000 CIOs and IT executives at U.S. companies with more than $10 million in annual revenue, reveals that 28 percent do not have adequate plans in place to cope with natural or other disasters. Nearly 30 percent of executives who participated in the survey said their company has suffered from a disaster. Eighty-one percent of executives said cyber security is part of their overall business plan for interruptions in 2006, up from 75 percent in 2005. Eight out of 10 companies have revised plans in the past 12 months, including 48 percent that say they’ve been updated in the past six months. Of those companies with plans in place, 40 percent say they have not tested their plan in the past year. Companies in Los Angeles, Miami, New York and Washington, D.C. were among the most prepared and made their disaster recovery plan a high priority, compared with those less prepared in Detroit, St. Louis and Seattle. http://www.informationweek.com/story/showArticle.jhtml?articleID=189600062&cid=RSSfeed_IWK_News

UNAUTHORISED APPS BIGGER THREAT THAN MALWARE (The Register, 21 June 2006) -- Mozilla’s Firefox 1.0.7 has taken top spot in a list of vulnerable applications likely to be lurking in corporate IT systems released by Bit9. The endpoint security vendor contends that malware is less of a threat to companies than unpatched off-the-shelf applications deployed throughout their organisations. Firefox 1.0.7 is number one on its list, with vulnerabilities including “memory corruptions, buffer overflows, and running of arbitrary HTML and Javascript code that in many cases allow the execution of arbitrary code”. Apple’s iTunes 6.0.2 and Quicktime 7.0.3 come second, with Skype Internet Phone 1.4 third, Acrobat Reader 7.02/6.03 fourth, and Sun’s Java Run-Time Environment 5.0 rounding out the top five. Security hounds may be surprised that Microsoft doesn’t make an appearance till number nine, with Microsoft Windows/MSN messenger 5.0. Then again, Microsoft’s software could be a bit more widespread than anything else in the top 15. It should be said that Bit9 doesn’t make it clear if it has ranked the apps by their popularity or their level of vulnerability. http://www.theregister.co.uk/2006/06/21/bit9_vuln_list/

JUSTICE, FTC REDUCE PAPERWORK, MAINTAIN CONFIDENTIALITY (FCW, 20 June 2006) -- The Justice Department’s Antitrust Division and the Federal Trade Commission announced today an electronic filing system that will allow merging companies to submit pre-merger notification filings, as required by the Hart-Scott-Rodino Act, via the Internet, eliminating the time and expense of duplicating and submitting written documents. The new system ends the requirement to submit to Justice and the FTC paper copies of the required pre-merger notification form and attachments, according to a DOJ announcement. http://www.fcw.com/article94969-06-20-06-Web

U.S. POLICE USING DATA BROKERS (Security Focus, 20 June 2006) -- Police and government officials in the U.S. have been bypassing the need for subpoenas and warrants by gathering personal information made available through private data brokers. The data brokers, which advertise heavily on the Internet, have at times admitted to using deception and illegal practices themselves, according to a new report by the Associated Press. Law enforcement agencies including the FBI, the Department of Homeland Security, the U.S. Justice Department, the U.S. Marshal’s Service, and local police in various states have been using data brokers to obtain detailed personal phone records, credit histories, and other information on their suspects. The records are often obtained much faster and more easily than using the standard subpoena and warrant process - often taking hours rather than days or weeks. While the data brokers normally charge customers for the information, it is believed that law enforcement agencies are rarely charged for this service. It is being reported that some of the information sold by brokers was obtained illegally, but this fact is not likely being conveyed to law enforcement using the information, and officials appear to be undeterred. http://www.securityfocus.com/brief/233

EMERGENCY DATA STANDARD RATIFIED (GCN, 21 June 2006) -- A new open IT standard, capable of facilitating data sharing across local, regional, national and international governments and organizations, has been ratified by the Organization for the Advancement of Structured Information Standards. The Emergency Data Exchange Language Distribution Element (EDXL-DE) Version 1.0 has been designated a standard by Oasis, which serves as the de facto international standards body. Chip Hines, acting director for the Homeland Security Department’s Office for Interoperability and Compatibility, hailed the new standard’s ability to help transmit a wide variety of data content, from files to technical data exchange information. EDXL-DE is a header, meant to identify to whom and under what circumstances emergency information is being sent, Oasis said. The group’s Emergency Management Technical Committee is still working to develop other components of the new emergency standard. In addition to message routing instructions such as the DE standard, EDXL will address resource questions and requests, situation reports, damage assessments and other functionality issues for cross-jurisdictional emergency communications. Hines, who said the standard provides immediate capability to the emergency response community, called on industry to work the standard into their products. “EDXL-DE will facilitate the implementation of a host of standards which will lead to fully interoperable sharing of information in emergency related applications,” Hines said in the consortium’s statement announcing the standard. DHS was involved in the creation of the standard and worked with private sector partners to develop it and bring the standard to Oasis, where the group’s Emergency Management Technical Committee refined it and helped get it ratified. http://www.gcn.com/online/vol1_no1/41113-1.html?CMP=OTC-RSS

AT&T CLAIMS RIGHTS TO DATA ON CUSTOMERS (Washington Post, 22 June 2006) -- AT&T Inc., the nation’s largest telephone company, updated its privacy policy, saying personal account information is owned by the company and may be shared to investigate “potential threats.” “While your account information may be personal to you, these records constitute business records that are owned by AT&T,” according to the policy, which takes effect today. “As such, AT&T may disclose such records” to “investigate, prevent or take action regarding illegal activities, suspected fraud” and “situations involving potential threats to the physical safety of any person” as required or permitted by law. AT&T spokesman Marc Bien said there is “no linkage” between the updated policy and lawsuits claiming that AT&T violated customers’ privacy rights by giving the U.S. government access to their phone call and e-mail records. The intention is “to make our policy much easier to read, with more common language and less legalese,” he said. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/21/AR2006062102268.html

DOJ PUMPS UP INTELLECTUAL PROPERTY EFFORTS (Computerworld, 20 June 2006) -- The Department of Justice has fulfilled or exceeded all recommendations made by an intellectual property task force in October 2004, including new computer crime investigations units in 12 cities, Attorney General Alberto Gonzales announced Tuesday. Since the DOJ’s task force made 31 recommendations for protecting intellectual property, the DOJ has launched Computer Hacking and Intellectual Property (CHIP) units in seven more cities than the task force recommended. The DOJ now has 25 CHIP units across the U.S., and among the newest 12 are units in Washington, D.C., Baltimore, Denver, Detroit and Philadelphia. The DOJ, which released a progress report on the initiative Tuesday, has also stationed an experienced prosecutor to work on intellectual property enforcement in Southeast Asia, and will add a prosecutor in Eastern Europe. Those DOJ prosecutors will help train foreign prosecutors, investigators and judges about intellectual property investigations, the DOJ said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001312&taxonomyId=17 [Editor: the list of CHIP offices, and personnel, is at http://www.cybercrime.gov/CHIPlist.htm; although this page is labeled “For Official Law Enforcement Use Only”, it’s findable by a simple search for “CHIP list” at the DOJ cybercrime public site, http://www.cybercrime.gov/]

KY. BLOCKS STATE WORKERS’ ACCESS TO BLOG (AP, 23 June 2006) -- Kentucky officials are blocking state employees’ Internet access to a political blog that has been critical of Gov. Ernie Fletcher, who was indicted earlier this year in connection with a state hiring scandal. The blocked Web sites include entertainment and humor sites, online auctions and blogs, but Mark Nickolas, operator of http://www.bluegrassreport.org, said he believes his site was targeted for its political content. “It’s outrageous; it shows that we are in the People’s Republic of Kentucky now - that government will block political speech that it does not approve of,” Nickolas said. State Finance Cabinet spokeswoman Jill Midkiff said officials were not targeting particular sites but entire categories to prevent inappropriate employee access. She said the sites were blocked following a review about two weeks ago of the sites most accessed by state government. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/14886321.htm

MICROSOFT TO PUBLISH ITS PRIVACY RULES (CNET, 23 June 2006) -- Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products. The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft. The privacy rules offer guidelines on providing people with proper notification and options in certain situations--for example, when a software application is about to send information via the Internet to its maker, Cullen said. Microsoft believes it is the first major software company to publish these guidelines. “This is designed for an IT pro or a developer, in terms of: ‘If you’re building an application that does X, this is what we think should be built,’” he said. “The public document will use a lot of ‘shoulds.’ Inside Microsoft, those are ‘musts.’” While the release of the guidelines will likely not have any immediate effect on consumer privacy, it is a positive development, privacy watchers said. “Microsoft is advancing the dialog about how privacy issues are addressed by the technology providers,” said James Van Dyke, an analyst at Javelin Strategy & Research. “This will force other technology firms to similarly comply, rebut or propose alternative positions, all of which will move us closer to deciding acceptable use of private information through technology.” The company has a single, global privacy policy, Cullen said. This means that the same policy applies even in countries that have limited or no privacy regulation. http://news.com.com/2100-1029_3-6087538.html

BUSINESS ROUNDTABLE ISSUES WARNING ON LACK OF PREPARATION TO RECOVER THE INTERNET FOLLOWING A CATASTROPHIC CYBER DISRUPTION (Business Roundtable, 23 June 2006) -- The United States is ill-prepared for a cyber catastrophe, with significant ambiguities in public and private sector responses that would be needed to restore and recover the Internet following a disaster, according to a new Business Roundtable report released today. “Our nation’s Internet and cyber infrastructure serve as a critical backbone for the exchange of information vital to our security and our economy, but our analysis has exposed a significant weakness that could paralyze the economy following a disaster,” said Edward B. Rust Jr., Chairman and CEO, State Farm Insurance Companies and head of the Roundtable Security Task Force’s working group on cyber security. “If there’s a cyber disaster, there is no emergency number to call – and no one in place to respond because our nation simply doesn’t have the kind of coordinated plan in place that we need to restart and restore the Internet,” Rust added. “Government and industry must work together to beef up our cyber-security and recovery efforts.” The report – Essential Steps Toward Strengthening America’s Cyber Terrorism Preparedness – is the culmination of a year’s work by top businesses led by the Roundtable, an association of 160 CEOs of the nation’s leading companies. Identifying ways to harden the Internet has been one of the main priorities of the Roundtable’s Security Task Force because a properly functioning Internet is essential to the continuity of the nation’s economy. The report identifies cyber shortfalls similar to the disaster response problems that occurred following Hurricane Katrina, highlighting three significant gaps in response plans to restore the Internet:
* Inadequate Early Warning System – The U.S. lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly.
* Unclear and Overlapping Responsibilities – Public and private organizations that would oversee recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination.
* Insufficient Resources – Existing organizations and institutions charged with Internet recovery should have sufficient resources and support. For example, little of the National Cyber Security Division (NCSD)’s funding is targeted for support of cyber recovery.
It concludes that the U.S. is not sufficiently prepared for a major attack, software incident or natural disaster that would lead to disruption of large parts of the Internet. “If our nation is hit by a cyber Katrina that wipes out large parts of the Internet, there is no coordinated plan in place to restart and restore the Internet,” said John J. Castellani, President of the Roundtable. “A cyber disaster could have immediate and nationwide consequences to our nation’s security and economy, and we need to be better prepared. That’s why advance copies of this report have been given to the Department of Homeland Security and Congressional leaders.” The report offers recommendations for government and business to improve identification and assessment of cyber disruptions, to coordinate responsibilities for Internet reconstitution, and to make needed investments in institutions with critical roles in Internet recovery. [Report at http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf] http://www.businessroundtable.org/newsroom/Document.aspx?qs=5936BF807822B0F1AD2428022FB51711FCF50C8 and http://www.gcn.com/online/vol1_no1/41172-1.html

LAW LORDS TO RULE ON INTERNET DEFAMATION (The Times Online, 26 June 2006) -- A test case comes before the law lords, Britain’s highest court, today that will determine how far newspapers and other internet publishers are open to lawsuits from people alleging that they have been libeled in any part of the world. In a landmark ruling last year, the Court of Appeal ruled that internet publishers could not be sued in the English courts unless there had been a “substantial” publication in England. The ruling came in an action brought by Yousef Jameel, a Saudi Arabian who sought to sue the United States-based Dow Jones, the publisher of The Wall Street Journal, in London. The Court of Appeal threw out the libel action against the online publication, saying that only five people in England had read the allegedly defamatory item, but Mr Jameel is appealing in a case that could lead to new guidelines on when publishers can rely on the so-called Reynolds defense, a defense of “public interest” or qualified privilege. http://www.timesonline.co.uk/article/0,,200-2243300,00.html

DEPLOYMENT OF CORPORATE WEBLOGS WILL DOUBLE IN 2006, SAYS JUPITERRESEARCH (Tekrati, 26 June 2006) -- Market research by JupiterResearch shows that 35 percent of large companies plan to institute corporate Weblogs this year. Combined with the existing deployed base of 34 percent, nearly 70 percent of all corporate website operators will have implemented corporate blogs by the end of 2006. The analysts find that weblogs are underused for generating word-of-mouth marketing buzz. JupiterResearch estimates that 64 percent of executives spend less than $500,000 to deploy and manage corporate Weblogs. “Site operators should leverage existing Web content management best practices and functionality to decrease total cost of ownership, promote unified branding and increase site security,” said Greg Dowling, Analyst at JupiterResearch and author of the report. “They can also realize considerable cost savings while mitigating deployment, management and maintenance concerns inherent in implementing additional stand-alone Weblog authoring systems.” The new research finds that Weblogs are underused for generating word-of-mouth (WoM) marketing opportunities. Only 32 percent of marketing executives said they use corporate Weblogs to generate WoM around their company’s products or services. http://www.tekrati.com/research/News.asp?id=7353

US MILITARY TURNS TO “BLOG ANALYSIS” FOR INTELLIGENCE (ARS Technica, 5 July 2006) -- Somewhere between journalism’s two worlds of “hard news” and “secondhand rumor” lies a third category: “your tax dollars at work.” These stories generally combine the veracity of real news with the craziness of watercooler gossip, making them especially tasty at the end of a long workday. To that end, let’s talk a little about the Defense Department’s interest in blogs. Imagine yourself as a military planner for the US, someone charged with thinking about “information analysis” and “actionable information.” Where would you go to learn things that the world’s most expensive military does not already know? If you said “the blogosphere,” please consider a new career with the Air Force Office of Scientific Research, which is currently funding a US$450,000 study that attempts to mine blogs for “invaluable help in fighting the war of terror.” How is this going to work? The study’s name is cryptic; it’s called an “Automated Ontologically-Based Link Analysis of International Web Logs for the Timely Discovery of Relevant and Credible Information” (“Ontologically-based”? Aren’t we all?). The three-year project will seek to separate the wheat from the chaff using a radical new approach to information processing: counting the number of hyperlinks that point to a source. As the press release points out, “Within blogs, hyperlinks act like reference citations in research papers thereby allowing someone to discover the most important events bloggers are writing about in just the same way that one can discover the most important papers in a field by finding which ones are the most cited in research papers.” This Brand New Approach™, one with no similarities to that used by the world’s largest search engine, will help analysts learn what topics are most popular among bloggers. 
Basically a Google Trends focused on blogs, the research hopes to clue warfighters into topics that have not yet made it onto the military’s radar screen, things like the Danish cartoon controversy that outraged the Muslim world, which was discussed on the blogosphere before it made headline news. http://arstechnica.com/news.ars/post/20060705-7197.html

LAWYERS CONTINUE TO MOVE TOWARD THE “PAPERMORE” OFFICE? (Dennis Kennedy blog, 28 June 2006) -- At least ten years ago, Nicholas Negroponte was talking about the move from a world of atoms (stuff) to a world of bits (data or electrons). In the world of electronic discovery, speakers constantly refer to a study that suggests that 93% of documents created today will never be printed on paper. You see concern everywhere about the amount of trees being cut down to produce paper. On the other hand, lawyers love their paper. In that context, it was a little sad to run across this item on the ABA’s Site-Tation that says, well, just let me quote this: According to the 2006 Legal Technology Survey Report, 61% of attorneys save email related to a case or client matter by printing out a hard copy. As John McEnroe might say, “you cannot be serious.” Actually, it’s probably a good thing that we didn’t find the percentage of lawyers who later scan those printouts of emails as TIFFs to reconvert them to digital form. http://www.denniskennedy.com/blog/2006/06/lawyers_continue_to_move_toward_the_papermore.html

NEW ISO/IEC STANDARD TO HELP DETECT IT INTRUDERS (ISO, 30 June 2006) -- ISO/IEC 18043:2006, Information technology – Security techniques – Selection, deployment and operations of intrusion detection system, focuses on the security principles behind the intrusion of computer systems by outsiders or unauthorized employees, and how organizations can establish a framework to enable a comprehensive intrusion detection system. An Intrusion Detection System (IDS) is an important tool for security management used to predict and identify intrusions in computer systems and to raise appropriate alarms during an intrusion attempt. The system enables local collection of information on intrusions, and subsequent consolidation and analysis, as well as analysis of an organization’s normal IT patterns of behaviour and usage. “One of the problems that businesses have is being able to detect when their systems are being intruded upon in order that effective action can be taken to prevent harm or loss to their assets,” said Ted Humphreys, convenor of the ISO/IEC working group that has developed the standard. “The development of ISO/IEC 18043:2006 is an important step forward in dealing with the growing problem of intrusions and provides a good basis for progressing solutions and implementations.” Organizations are vulnerable to various kinds of security threats, such as unauthorized computer access, denial of service attacks and hackers. Typical misuse takes advantage of vulnerabilities in system configuration, user neglect and carelessness, as well as design flaws in software, protocols and operating systems. Outsiders, as well as insiders – disgruntled employees, inside trading, and temporary employees – can exploit these vulnerabilities. ISO/IEC 18043:2006 provides guidelines to assist organizations in preparing to deploy Intrusion Detection Systems. In particular, it addresses the selection, deployment and operation of IDS. 
It also provides background information from which these guidelines are derived. http://www.iso.ch/iso/en/commcentre/pressreleases/2006/Ref1017.html

ONLINE FILE-SHARING THRIVES A YEAR AFTER GROKSTER RULING (SiliconValley.com, 30 June 2006) -- File-swapping software seemed in peril a year ago when the U.S. Supreme Court gave the entertainment industry a legal bullet: Its ruling reopened the door for lawsuits over programs used to share music, movies and other copyright files. The Supreme Court, reversing lower court rulings, said developers of such programs could indeed be held liable for unauthorized sharing by their users -- if the technology companies were somehow encouraging customers to steal music and movies. Andrew Lack, then chief executive at Sony BMG Music Entertainment, predicted at the time: “We will no longer have to compete with thieves in the night whose businesses are built on larceny.” Yet a year later, peer-to-peer, or P2P, sharing continues to thrive, with firms behind favorite applications such as eDonkey, LimeWire, Morpheus and Kazaa, among others, still in business. Although the threat of litigation did force the operators of BearShare, WinMX and i2Hub to shut down, the number of people using file-sharing services has gone up. The average number of simultaneous file-sharing users was about 9.7 million worldwide in May, with about 6.7 million from the United States, according to BigChampagne LLC, which tracks file-sharing activity. In the same period last year, BigChampagne tracked 8.6 million average users globally and 6.2 million in the United States. http://www.siliconvalley.com/mld/siliconvalley/14941434.htm

VA GIVES CIO IT SECURITY AUTHORITY (GCN, 30 June 2006) -- Veterans Affairs secretary James Nicholson has given the VA CIO broad authority over information security policies and procedures, including enforcement, effective immediately. Previously, the CIO did not have that authority; the CIO could only seek compliance from the heads of VA’s health, benefits and burial administrations. Congress and security experts have cited VA’s decentralization as a major factor in VA’s failing grade on the annual report card for adherence to the Federal Information Security Management Act and a contributing factor in the recent theft of sensitive data of up to 26.5 million veterans and others. Nicholson announced yesterday at a hearing of the Veterans Affairs Committee that the stolen laptop and hard drive containing the data were [recovered], and added that he was optimistic that the culprits did not access the sensitive data. House Veterans Affairs Committee chairman Steve Buyer (R-Ind.) praised Nicholson for his action, saying that at times he has not been well-served by others. “I commend you for taking bold action to change the culture at VA and definitively granting [the] CIO the authority to manage and enforce VA’s information systems,” he said. http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=41230

EFF DEFENDS LIBERTIES IN HIGH-TECH WORLD (Washington Post, 4 July 2006) -- In March 1990, when few people had even heard of the Internet, U.S. Secret Service agents raided the Texas offices of a small board-game maker, seizing computer equipment and reading customers’ e-mail stored on one machine. A group of online pioneers already worried about how the nation’s laws were being applied to new technologies became even more fearful and decided to intervene. And thus the Electronic Frontier Foundation was born - 16 years ago this Monday - taking on the Secret Service as its first case, one the EFF ultimately won when a judge agreed that the government had no right to read the e-mails or keep the equipment. Today, after expanding into such areas as intellectual property and moving its headquarters twice along with its focus, the EFF is re-emphasizing its roots of trying to limit government surveillance of electronic communications, while keeping a lookout for emerging threats even as the Internet and digital technologies become mainstream. “They are the lawyers for the open vision of the Internet,” said Peter Swire, the Clinton administration privacy counselor who sometimes tussled with the EFF. [Editor: nice story about good people doing important work. Running it on the 4th of July seems right.] http://www.washingtonpost.com/wp-dyn/content/article/2006/07/04/AR2006070400695.html

CUSTOMER DATA ABUSE RIFE AMONG UK COMPANIES (Silicon.com, 4 July 2006) -- Nearly half of UK companies could be breaching the Data Protection Act (DPA) through the misuse of customer data, according to research published on Monday. The study involved 100 UK IT directors, and found 44 per cent use genuine customer data when developing and testing applications. This is a breach of the second principle of the DPA, which states data should not be used for purposes other than that for which it was collected. The research, conducted by Vanson Bourne, also found 48 per cent are only “vaguely familiar” with the detail of the Act itself. Clarke said: “Lots of companies have taken stringent measures around the protection of customer data in the live production environment. But the numbers of people with no security clearance who can be exposed to that data can quadruple in the test environment.” Compuware said it was also concerned that 86 per cent of those surveyed admitted sending live customer data offshore, often for development and test purposes, with nothing more than a non-disclosure agreement (NDA). The DPA is enforced by the Information Commissioner, which warned organisations need to take effective security precautions at all times, including when testing new systems. A spokeswoman for the Office of the Information Commissioner said: “The use of live customer data for test purposes runs the real risk that personal details can be corrupted or fall into the wrong hands. Organisations are well advised to avoid using live customer details for test purposes to help ensure that they treat people’s personal details properly and in compliance with the DPA.” Clarke said problems often arise with artificial data because “masking out parts of the data means you can’t test some fields”. 
This means many companies have resorted to using live data samples to make sure the test environment will mirror the processes that will inevitably link the live environment with other mission-critical applications. http://management.silicon.com/government/0,39024852,39160080,00.htm

MICROSOFT FACES SECOND WGA LAWSUIT (CNET, 5 July 2006) -- Microsoft has been named in a second lawsuit over its antipiracy Windows Genuine Advantage program, which plaintiffs allege acts as “spyware” on their systems. Engineered Process Controls, Univex and several other parties filed a class action lawsuit Friday in U.S. District Court in Seattle, alleging Microsoft installed “spyware” on their computers as a “critical security update.” The suit comes days after another complaint containing similar allegations was filed in U.S. District Court in Los Angeles. In this most recent lawsuit, the parties allege Microsoft violated the Computer Fraud and Abuse Act, the Consumer Protection Act, the Computer Spyware Act, and also engaged in intentional misrepresentation of the software program. Microsoft, however, contends the two lawsuits do not present a fair picture of WGA. “The two lawsuits appear to be similar in the claims and both are without merit,” said Jim Desler, a Microsoft spokesman. “They distort our antipiracy program…and the harm piracy brings to Microsoft and to customers.” Although the WGA feature is designed to validate the authenticity of Windows software installed on a user’s PC, it recently raised the ire of some users when Microsoft began delivering the WGA prerelease as a “high priority” item automatically built into Windows updates. The software, which scans users’ hardware and software for information such as their Internet Protocol address, was initially designed to transmit information back to Microsoft every time users booted up their computers. But the software giant has since scaled back the frequency of the transmissions to twice a month and informed users about ways to disable the WGA alerts. http://news.com.com/2100-1014_3-6090651.html and http://www.macworld.com/news/2006/07/05/wga/index.php?lsrc=mwrss

THE INTERNET KNOWS WHAT YOU’LL DO NEXT (New York Times, 5 July 2006) -- A few years back, a technology writer named John Battelle began talking about how the Internet had made it possible to predict the future. When people went to the home page of Google or Yahoo and entered a few words into a search engine, what they were really doing, he realized, was announcing their intentions. Google Trends keeps track of Internet search terms, letting users postulate future behavior. It also allows comparisons of relative popularity. They typed in “Alaskan cruise” because they were thinking about taking one or “baby names” because they were planning on needing one. If somebody were to add up all this information, it would produce a pretty good notion of where the world was headed, of what was about to get hot and what was going out of style. Mr. Battelle, a founder of Wired magazine and the Industry Standard, wasn’t the first person to figure this out. But he did find a way to describe the digital crystal ball better than anyone else had. He called it “the database of intentions.” The collective history of Web searches, he wrote on his blog in late 2003, was “a place holder for the intentions of humankind — a massive database of desires, needs, wants, and likes that can be discovered, subpoenaed, archived, tracked, and exploited to all sorts of ends.” “Such a beast has never before existed in the history of culture, but is almost guaranteed to grow exponentially from this day forward,” he wrote. It was a nice idea, but for most of us it was just an abstraction. The search companies did offer glimpses into the data with bare-bones (and sanitized) rankings of the most popular search terms, and Yahoo sold more detailed information to advertisers who wanted to do a better job of selling their products online. But there was no way for most people to dig into the data themselves. 
A few weeks ago, Google took a big step toward changing this — toward making the database of intentions visible to the world — by creating a product called Google Trends. It allows you to check the relative popularity of any search term, to look at how it has changed over the last couple years and to see the cities where the term is most popular. And it’s totally addictive. You can see, for example, that the volume of Google searches would have done an excellent job predicting this year’s “American Idol,” with Taylor Hicks (the champion) being searched more often than Katharine McPhee (second place), who in turn was searched more often than Elliot Yamin (third place). Then you can compare Hillary Clinton and Al Gore and discover that she was more popular than he for almost all of the last two years, until he surged past her in April and stayed there. http://tinyurl.com/jvd28

THE HIDDEN DANGERS OF INSTANT MESSAGING (CIO Today, 5 July 2006) -- Human nature may not change, but technology sure does. Gone are the days when employees saved their juicy gossip for periodic water cooler visits. Instant venting about difficult managers, annoying coworkers, and even questionable ethical practices is now as quick and easy as clicking an instant message (IM) screen name. But unlike water-cooler chatter, IMs leave a trail -- one that can be tracked by employers, regulators, and law-enforcement officials. And like e-mail, IMs are considered legal documents. Public companies can be subpoenaed for IMs that may indicate Sarbanes-Oxley violations. Trial lawyers can demand IM records for workplace harassment lawsuits. The American Medical Assn. can cull through health-care-provider IMs for evidence of violations of the Health Insurance Portability & Accountability Act, a law aimed at ensuring access to health-insurance coverage for people who change jobs. Regulatory breaches via IM are not the only concern for today’s employer. In a lawsuit filed early this year, Yahoo! alleged that a group of ex-employees used IM to distribute confidential business and technical data for use with their new employer, a competing startup. Records of this IM correspondence became a key piece of evidence in the case. A 2004 survey by the Pew Internet & American Life Project found that 4 out of every 10 adult Internet users in the U.S. use IM. First and foremost, employers and their I.T. teams must remember that IM -- similar to e-mail -- leaves a paper trail and should therefore be continually logged, stored, and readily accessible. Recently investment bank Morgan Stanley agreed to pay $15 million to settle an investigation by the Securities & Exchange Commission into the bank’s failure to preserve e-mails. http://www.cio-today.com/story.xhtml?story_id=44275

CONSULTANT BREACHED FBI’S COMPUTERS (Washington Post, 6 July 2006) -- A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused. The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon’s “curiosity hacks” nonetheless exposed sensitive information. Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions. An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a “comprehensive and proactive security program” that includes layered access controls and threat and vulnerability assessments. Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training. http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489.html?nav=rss_technology

EBAY: GOOGLE CHECKOUT DOESN’T; BANS IT (MarketingVOX, 7 July 2006) -- As anticipated, eBay has banned its sellers from requesting payment via the Google Checkout online payment service, reports AuctionBytes.com. eBay updated its Safe Payments policy this week, adding Google Checkout to the list of unapproved payment methods. eBay this week also renamed its “Safe Payments Policy” to “Accepted Payments Policy,” apparently implying that Checkout is not unsafe - merely unacceptable. eBay “clarified” the policy change in an announcement, saying, “Please note that eBay’s evaluation relates only to whether a particular service is appropriate for the eBay marketplace. These payment methods may, in fact, be useful services for consumers in other contexts.” The eBay policy states that a payment service must have a “substantial historical track record of providing safe and reliable financial and/or banking related services.” Google has said that its Google Checkout is not a beta product. “Google has a long history in billing and payments for AdWords and for premium services, such as Google Video,” according to a Google spokesperson. http://www.marketingvox.com/archives/2006/07/07/ebay_google_checkout_doesnt_bans_it/

**** RESOURCES ****
“The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments,” Marc Rotenberg, editor (EPIC 2005). Price: $40. -- The Privacy Law Sourcebook, which has been called the “Physician’s Desk Reference” of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. http://www.epic.org/bookstore/pls2004/

PODCASTING LEGAL GUIDE (Creative Commons, June 2006) -- The purpose of this Guide is to provide you with a general roadmap of some of the legal issues specific to podcasting. EFF has produced a very practical and helpful guide for issues related to blogging generally (http://www.eff.org/bloggers/). This Guide is not intended to duplicate efforts by EFF, and in many cases refers you to that guide for where crossover issues are addressed. Our goal is to complement EFF’s Bloggers FAQ and address some of the standalone issues that are of primary relevance to podcasters, as opposed to bloggers. http://wiki.creativecommons.org/Podcasting_Legal_Guide

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
