Friday, October 20, 2006

MIRLN -- Misc. IT Related Legal News [1-21 October 2006; v9.14]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described here.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

**************End of Introductory Note***************

**** CONFERENCES ****
EMERGING TRENDS IN INFORMATION SECURITY AND THE LAW: “PLAUSIBLE DENIABILITY IS DEAD”, November 9-10, 2006, in Washington, D.C., by Georgetown University Law Center and the Information Systems Security Association. CEOs, CIOs, CISOs and legal professionals need to understand the developments in regulations and statutes that have led to convergence of issues between information security and in-house and outside counsel. Business planning must consider the business drivers of the legal and security factors to be successful. This two-day conference is designed for CxOs and legal counsel together with a combination of panels, presentations and interactive sessions to highlight key success strategies for the transparency required for business integrity, security and compliance. For more information or to register, please visit https://www.law.georgetown.edu/cle/showEventDetail.cfm?ID=145 or call (202) 662-9890.

**** NEWS ****

NO END IN SIGHT: DATA BREACH TALLY APPROACHES 100 MILLION (TechNewsWorld, 25 Sept 2006) – The Privacy Rights Clearinghouse (PRC) says its running tally of data breaches shows nearly 94 million instances of data being exposed in less than two years of tracking such events, a veritable red flag of private information at risk. The PRC said its tally shows the total number of records containing sensitive personal information involved in security breaches now stands at 93,754,333. All of those instances came after the February, 2005 disclosure from ChoicePoint that apparent identity thieves had created bogus user IDs and infiltrated its database of consumer information. The updated tally includes thousands of instances of data exposure in the past month alone, including 9,250 customer credit card numbers exposed by apparel retailer Life is Good, and hundreds of student records exposed at several colleges and universities across the country. Meanwhile, government agencies continued to be a major source of concern for privacy advocates in the area of data security, with published reports saying that some 1,100 laptop computers belonging to the U.S. Commerce Department have gone missing since 2001, including almost 250 from the Census Bureau that could contain names, incomes and Social Security numbers. http://www.technewsworld.com/story/53222.html

PAYPAL IN SETTLEMENT DEAL WITH 28 STATES (Reuters, 28 Sept 2006) -- PayPal, the online payments unit of EBay Inc., has agreed with attorneys general from 28 U.S. states to improve how it notifies users of their consumer rights, the company said on Thursday. Under the deal, PayPal will also pay $1.7 million to the states. In addition, PayPal said it reached a settlement in a proposed class action lawsuit by PayPal customers in a U.S. federal court in Brooklyn. PayPal agreed to set up a settlement fund of $3.5 million, less court costs and attorneys’ fees. PayPal said it will, among other things, shorten and streamline its user agreement and communicate more information relating to its protection programs. The company said it has already complied with many of the voluntary deal’s terms. Changes include shortening the user notice that PayPal customers agree to when signing up for the company’s services. PayPal also agreed to clarify the buyer protections consumers have when conducting online financial transactions. http://today.reuters.com/news/articlenews.aspx?type=businessNews&storyID=2006-09-28T185335Z_01_WEN6100_RTRUKOC_0_US-EBAY-PAYPAL.xml

JUDGE DISMISSES SUIT AGAINST GOOGLE OVER TRADEMARKED TERMS IN ADS (Mercury News, 29 Sept 2006) -- A federal judge granted Google a significant victory Thursday, ruling that the search engine did not violate federal law when it sold trademarked terms in an online advertising auction. Judge Norman Mordue, of the U.S. District Court, northern district of New York, dismissed a suit brought against Google by Rescuecom, a computer repair and consulting business. In a suit filed September 2004, Rescuecom had claimed that Google violated its trademarked name by selling it as an advertising keyword to competitors. When a keyword is entered by someone using Google’s search engine, it triggers small text-based ads that run alongside search results. Google’s policy on the use of trademarks to trigger online ads placed by competitors has rankled a number of advertisers, including insurance giant Geico, which settled a similar suit against Google last year, and American Blind & Wallpaper Factory, whose case is pending. Of the three biggest search engines, only Google allows advertisers to purchase a competitor’s trademarks. “They needed a green light from the legal system to run their business,” said Eric Goldman, director of the High Tech Law Institute at Santa Clara University. “They’ve been operating under a cloud of doubt.” The ruling states that Google’s use of trademarked terms to trigger online advertisements doesn’t violate trademark law because “there is no allegation that the defendant places plaintiff’s trademark on any goods, containers, displays, or advertisements, or that its internal use is visible to the public.” http://www.mercurynews.com/mld/mercurynews/news/local/15643188.htm

CALIFORNIA GOVERNOR SIGNS ‘PRETEXTING’ BILL (SiliconValley.com, 1 Oct 2006) -- In the wake of the spying scandal at Hewlett-Packard Co., Gov. Arnold Schwarzenegger signed a bill Friday that makes it clear that it is illegal to gain access to individual phone records through fraud or deceit. The new law, sponsored by state Sen. Joe Simitian, D-Palo Alto, goes into effect on Jan. 1. It passed both the Assembly and Senate before the HP scandal erupted, but its signing during high-profile congressional hearings on the issue highlights what many considered to be a hole in California privacy regulations. Penalties for a first offense could include a fine of up to $2,500 and up to a year in county jail. Subsequent violations could result in a $10,000 fine and a year in jail. Six other states have similar laws, according to Simitian’s office. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/15658513.htm

U.S., E.U. MISS DEADLINE ON DATA-SHARING AGREEMENT (Washington Post, 1 Oct 2006) -- The United States and the European Union failed to meet a Saturday deadline to conclude a permanent new agreement on the sharing of airline passenger data, an issue that has raised serious privacy concerns in Europe. But both sides said talks will continue and flights will not be affected. In the aftermath of Sept. 11, 2001, terrorist attacks, the U.S. government began requiring all airlines flying to the United States to share passenger data, such as name, address and credit card information, with Customs and Border Protection. The European Court of Justice, the highest European court, annulled the deal on a technicality in May but gave the E.U. and the United States until yesterday to replace it. Homeland Security Department Secretary Michael Chertoff on Saturday said in a statement that he had initialed a draft formal agreement that “ensures the appropriate security information will be exchanged and counter-terrorism information collected by the department will be shared, as necessary, with other federal counter-terrorism agencies.” Under the post-Sept. 11 data-sharing agreement, Europe allowed the United States to keep the data for up to 3 1/2 years, but the United States wants to be able to hold onto the information longer. Europe also allowed the United States to share the data, part of a database called the Passenger Name Record, with other U.S. counterterror agencies on a restricted, case-by-case basis. The United States wants to be able to share the data more liberally. The United States has said it could take steps, including fining airlines $6,000 per passenger or revoking landing rights, if data are not turned over. http://www.washingtonpost.com/wp-dyn/content/article/2006/09/30/AR2006093001022.html

SECURITY LACKING IN NETWORKS CONTROLLING CRITICAL INFRASTRUCTURE (Atlanta Statesman.com, 2 Oct 2006) -- In June 1982, in a remote patch of Russian wilderness, a huge explosion ripped apart a trans-Siberian pipeline. It was no bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former Air Force secretary and National Security Council member. The virus took over the computers controlling valves and pumps, increasing pressure until a blast equal to 3,000 tons of TNT ripped apart the pipeline. The secret attack was one of the first known hacker strikes on a Supervisory Control and Data Acquisition network. Computer security experts say it won’t be the last. SCADA computers monitor and control the flow of electricity across the nation’s power grids. They turn pump switches on and off to make oil and gas and water pipelines flow. They make sure robots, mixing machines and other factory equipment do what they are supposed to do. Despite its importance, SCADA security is often an afterthought for corporate cybersecurity departments. That’s because, so far, the networks haven’t attracted computer hackers like financially oriented e-mail and online billing systems and corporate Web sites have. “It’s kind of like out of sight, out of mind,” said Brian Davison, manager of operations engineering for Austin Energy. Austin Energy is considered on the forefront of SCADA security. In the past two years alone, it has made five major security upgrades to its system, Davison said. At many utilities, though, “management has been away from the table,” Davison said. “They say they haven’t seen anything major yet, so it can’t be too bad. But if somebody wanted to do harm to our industry, they could do it.” Government regulators are beginning to pay more attention to SCADA security. 
Recently, the North American Electric Reliability Council started working on rules to require the electricity industry to audit and monitor its SCADA networks and take steps that are basic for any personal computer user, like installing software patches in a timely fashion. Even so, power companies wouldn’t have to meet the rules for several years. Many in the industry say the rules are so vague and open to interpretation that they’ll be ineffective. The power industry actually is considered further along in SCADA security than other critical industries. http://www.statesman.com/news/content/news/stories/nation/10/02/2scada.html

INTERNET LAWYER DIRECTORY PARTICIPATION (Texas Bar Opinion 573) – Under the Texas Disciplinary Rules of Professional Conduct, what requirements must be met in order for a Texas lawyer to participate in a privately sponsored Internet service that obtains information over the Internet from potential clients about their legal problems and forwards the information to lawyers who have paid to participate in the Internet service? Opinion at http://www.texasbar.com/Template.cfm?Section=Texas_Bar_Journal1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15929 [Editor: as interesting for what it does not say about techniques of search engine optimization, practiced by savvy webmasters, who manage to promote their firm’s apparent relevance/ranking.]

NIST HIGHLIGHTS RFID RISKS (FCW, 3 Oct 2006) -- A draft publication from the National Institute for Standards and Technology highlights some of the security and privacy risks associated with radio frequency identification technology. Some of the risks involved can be serious. The threat can extend from the RFID tags to central databases on an agency’s network, according to the report. But NIST experts are not trying to scare agencies from using the technology. “Like any new technology, RFID presents new security and privacy risks that must be carefully mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer,” the report states. One danger is that an unauthorized user with an RFID reader, which is also called an interrogator, could gather information about the contents of a container, making it easier to decide what to steal. So agencies need to decide how much information to include on the tags and how to protect it. Even if a tag contains nothing more than an identifier, it can reveal more than agencies realize. For example, observers could monitor tagged materials as they arrive at their destination, giving them information about the quantity of tagged products. “Adversaries could obtain valuable intelligence from the mere existence of a tag,” the report states. http://www.fcw.com/article96300-10-03-06-Web NIST publication at http://csrc.nist.gov/publications/drafts/800-98/Draft-SP800-98.pdf

U.S. PUSHES RUSSIA IN WTO TALKS TO CLOSE MP3 SITE (CNET, 5 Oct 2006) -- Russia should shut down a pirate music Web site that is robbing U.S. recording companies of sales if it wants to become a member of the World Trade Organization, the top U.S. trade official said on Wednesday. “I have a hard time imagining Russia becoming a member of the WTO and having a Web site like that up and running that is so clearly a violation of everyone’s intellectual property rights,” U.S. Trade Representative Susan Schwab told reporters after a speech to a services industry organization. Schwab’s call for the allofmp3.com Web site to be closed came as the United States and Russia are trying once again to reach a deal on Moscow’s 13-year-old bid to join the WTO. Those talks failed in July, primarily because of agricultural issues and U.S. concerns that Russia was not doing enough to stop piracy and counterfeiting of American goods. Schwab’s office earlier this year identified allofmp3.com as one of the world’s most notorious marketplaces for pirated goods. Last week, she singled out the Web site as the “poster child” for illegal music sales over the Internet. http://news.com.com/2100-1028_3-6122879.html

-- and --

VISA HALTS ITS SERVICE FOR ALLOFMP3.COM (CNET, 18 Oct 2006) -- Credit card company Visa International said Wednesday that it has suspended service to music download site allofmp3.com, the latest setback for the Russian company accused in the U.S. of pirating music. “It’s no longer permitted to accept Visa cards,” said Simon Barker, a Visa International spokesman. “The action we’ve taken is in line with legislation passed in Russia and international copyright law.” The news comes as allofmp3.com launches a public relations campaign to counter claims by the U.S. government that the site is an outlaw operation. On Tuesday, allofmp3.com announced plans to give away hundreds of thousands of albums for free, according to a story in the International Herald Tribune. http://news.com.com/2100-1027_3-6127168.html

IM CONVERSATIONS CAN LINGER FOR YEARS (AP, 5 October 2006) -- Instant-messaging conversations, though quick, aren’t always fleeting. Rep. Mark Foley’s salacious chats with teenage pages emerged along with e-mails last week, as the Florida Republican abruptly resigned. ABC News, which broke the story, has said former pages were the source of the revelations about IMs from 2003. Most likely, the pages who corresponded with Foley either manually saved messages or used IM software with built-in logging capabilities, allowing time-stamped chat sessions to be kept indefinitely on one’s computer. The programs vary in whether the features are initially on or off and how well they notify users. “Computers are really, really good at saving things, unlike a dumb telephone,” said Richard M. Smith, an Internet security and privacy consultant at Boston Software Forensics. “If you don’t want something to get out, don’t put it in any computer form at all.” Chat programs from Yahoo Inc. and Microsoft Corp. are among those with logging capabilities. Microsoft’s installs with the “off” button initially selected, while Yahoo’s automatically records chats but clears them when a user signs off (users can choose to turn it off or record forever). AOL Instant Messenger, the most popular IM service in the United States, doesn’t offer logging in its current consumer versions but does in its business-oriented AIM Pro software. AOL’s service also can be accessed by Trillian and other third-party software with built-in logging. Computer-indexing programs such as Google Desktop also have options to retain chats on a personal computer. Some computers also may have keystroke-recording programs secretly installed by a boss or a spouse. In some cases, the services themselves retain chats. Google Inc. offers users the ability to store such conversations online, so they can be accessed just like e-mail. 
You need a password to see conversations, although Google and other service providers typically disclose such information to law enforcement when issued a subpoena or court order. http://news.yahoo.com/s/ap/20061005/ap_on_hi_te/foley_chat_forensics_3

-- and --

THOSE IMS AREN’T AS PRIVATE AS YOU THINK (Wall Street Journal, 4 Oct 2006) -- It’s already a workplace maxim that employees should be careful what they say in their emails from company computers. But fewer office workers know to apply caution to their use of instant-messaging services. These immensely popular computer programs, which let users exchange short text messages with online buddies in real time, are no haven for private chatter. Companies and government agencies can monitor and log IM conversations conducted on company-network computers. And though it seems that IM conversations disappear into a cyber-vacuum when a session is over, that isn’t always true. Most companies are just beginning to wake up to the popularity of IM in the workplace. While more than a third of employees use instant-messaging services at work, only 31% of organizations have policies in place that specifically restrict the use of IM, according to a survey on workplace monitoring by the American Management Association and the ePolicy Institute. But the issue has caught the attention of leading industries. The National Association of Securities Dealers requires member firms to “supervise” the use of instant messaging the same way they do written and electronic communications and to retain electronic copies of instant messages for at least three years. The survey found that only 13% of companies have started logging IM records, but the crackdown is starting to take effect: About 2% of employers have fired employees for something they said over IM. By comparison, the study said, 26% of companies have terminated employees for misuse of email. http://online.wsj.com/public/article/SB115991992052181850-rsE_LDex9_brLa3x3R30f_WjIOw_20071005.html?mod=tff_main_tff_top

EX-ETHICS COUNSEL INDICTED IN HP PRIVACY SCANDAL (ABA Journal, 6 October 2006) -- Hewlett-Packard’s former chief ethics counsel is among five individuals swept up in an indictment filed this week by California Attorney General Bill Lockyer. Kevin T. Hunsaker, a former in-house counsel and ethics chief for the Palo Alto-based technology company, is alleged to have overseen the now infamous internal investigation to ferret out boardroom leaks to the media. The scandal involves pretexting, in which HP-hired investigators are alleged to have used false pretenses beginning in 2005 to obtain phone records and Social Security numbers of HP board members, a journalist and their relatives. The indictment claims Hunsaker became aware of the ruse, but nonetheless gave investigators home and office numbers for company officials to help in the investigation. He later reviewed the phone records they obtained, the indictment says. Eventually, HP director George Keyworth acknowledged he was the source of a leak and resigned from the board in September. The indictment of Hunsaker and the reported involvement of other key lawyers advising Hewlett-Packard has legal ethicists “dumbfounded, shocked and astonished,” according to Los Angeles legal ethics expert Diane Karpman. In a statement released Thursday, Hunsaker’s lawyer, Michael Pancer of San Diego, said: “It will be clear, when all of the facts are aired in this case, Mr. Hunsaker is not guilty of any of the charges. Neither Kevin Hunsaker nor HP ever authorized, encouraged or knew of any unlawful activity.” Pancer further stated that Hunsaker didn’t act without authorization from his superiors and advice from outside counsel. Outside lawyers repeatedly told HP that the investigative practices they were using were legal and “not generally unlawful,” the statement said. 
Karpman, a former president of the Association of Professional Responsibility Lawyers, says the unfolding HP scandal “has left us all shaking our heads.” “This is not a gray area,” she says. “To me this is black and white, and yet it seems to be fairly prevalent” in the profession, especially in family law. Legal ethics expert Lucian T. Pera of Memphis, Tenn., says he’s not sure how often lawyers engage in pretexting or deceit to obtain information. But he expects to have a better idea real soon, thanks to the HP scandal. “I think it’s going to be a wake-up call for lawyers to be a lot more careful about activities like this.” http://www.abanet.org/journal/ereport/oc6hp.html

SPAM MAKER SEES TRADEMARK BID CANNED (CNET, 5 Oct 2006) -- Hormel Foods, which owns the trademark for the spiced-ham food product Spam, has failed in its attempt to register “spam” as a European Union-wide trademark when used to designate unsolicited e-mails. Hormel attempted to register spam as a trademark when used to refer to “services to avoid or suppress unsolicited e-mails” and the “creation and maintenance of computer software; technical consultancy, particularly in combination with network services; (and) providing of expertise, engineering services and technical consulting services (related to junk e-mail).” Hormel argued in an appeal to the Office of Harmonisation for the Internal Market (OHIM), the EU trademark body, that the general public would not immediately recognize the use of the word spam as pertaining to junk e-mail but would instead associate it with “a kind of spicy ham” food product. OHIM disagreed and dismissed the appeal. Products aimed at tackling the problem of spam were aimed at IT professionals who would not confuse junk e-mail with the meat product, it maintained. In addition, a Google search returned more hits for spam junk e-mail than for the canned meat, which satisfied OHIM that the word was also in use by the general public to refer to unsolicited mail. http://news.com.com/2100-1030_3-6123095.html

GOOGLE TO SUBPOENA YAHOO, MICROSOFT ON BOOK SCANNING (Bloomberg, 5 Oct 2006) -- Google Inc. will subpoena information from Yahoo! Inc., Microsoft Corp. and Amazon.com Inc. to help fight copyright lawsuits over its book-scanning project. Google, the world’s most-used search engine, is seeking information on rival projects by the companies, including book lists, costs, estimated sales, dealings with publishers and possible benefit or harm to copyright owners, according to papers filed in U.S. District Court in New York. Publishers and authors have sued Google, claiming the Mountain View, California-based company doesn’t have the right to make copies of books without permission. Google says it is complying with copyright law because the search engine shows only “snippets” of protected books to the public. Google said it would keep subpoenaed information confidential. “We have also made clear to these organizations that we will work with them to address any concerns about their confidential information,” Google spokeswoman Megan Lamb said in an e-mail. The judge in the case has issued a protective order to restrict who can see confidential documents, she said. Google also said it will work with the companies to address concerns about their confidential information. Microsoft spokesman Jack Evans, Amazon spokeswoman Patty Smith and Yahoo spokeswoman Mary Osako didn’t have immediate comments. http://www.bloomberg.com/apps/news?pid=20601103&sid=amfuMLMq__H8&refer=news

ANTI-U.S. ATTACK VIDEOS SPREAD ON WEB (New York Times, 6 Oct 2006) -- Videos showing insurgent attacks against American troops in Iraq, long available in Baghdad shops and on Jihadist Web sites, have steadily migrated in recent months to popular Internet video-sharing sites, including YouTube and Google Video. Many of the videos, showing sniper attacks against Americans and roadside bombs exploding under American military vehicles, have been posted not by insurgents or their official supporters but apparently by Internet users in the United States and other countries, who have passed along videos found elsewhere. Among the scenes being viewed daily by thousands of users of the sites are sniper attacks in which Americans are felled by snipers as a camera records the action and of armored Humvees or other military vehicles being hit by roadside bombs. In some videos, the troops do not appear to have been seriously injured; in one, titled “Sniper Hit” and posted on YouTube by a user named 69souljah, a serviceman is knocked down by a shot but then gets up to seek cover. Other videos, however, show soldiers bleeding on the ground, vehicles exploding and troops being loaded onto medical evacuation helicopters. At a time when the Bush administration has restricted photographs of the coffins of military personnel returning to the United States and the Pentagon keeps close tabs on videotapes of combat operations taken by the news media, the videos give average Americans a level of access to combat scenes rarely available before, if ever. Their availability has also produced some backlash. In recent weeks, YouTube has removed dozens of the videos from its archives and suspended the accounts of some users who have posted them, a reaction, it said, to complaints from other users. More than four dozen videos of combat in Iraq viewed by The New York Times have been removed in recent days, many after The Times began inquiries. 
But many others remain, some labeled in Arabic, making them difficult for American users to search for. In addition, new videos, often with the same material that had been deleted elsewhere, are added daily. http://www.nytimes.com/2006/10/06/technology/06tube.html?ex=1317787200&en=55cccc0463c7b4b6&ei=5090&partner=rssuserland&emc=rss

HACKERS FIND USE FOR GOOGLE CODE SEARCH (ComputerWorld, 6 Oct 2006) -- Google Inc. has inadvertently given online attackers a new tool. The company’s new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn’t have been posted to the Internet in the first place, security experts said Friday. Unlike Google’s main Web search engine, Google Code Search peeks into the actual lines of code whenever it finds source-code files on the Internet. This will make it easier for developers to search source code directly and dig up open-source tools they may not have known about, but it has a drawback. “The downside is that you could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it,” said Mike Armistead, vice president of products with source-code analysis provider Fortify Software Inc. Attackers could also search code for vulnerabilities in password mechanisms, or to search for phrases within software such as “this file contains proprietary,” possibly unearthing source code that should never have been posted to the Internet. Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering. Skilled hackers may already be able to do this type of search with Google’s Web search engine, but Code Search is “another tool that makes it a tad easier for the attacker,” said Johnny Long, a security researcher with Computer Sciences Corp, in an e-mail interview. For its part, Google did not have much to say about possible misuse of its new product. “Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately,” the company said in a statement. 
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003938&source=NLT_SEC&nlid=38 Google Code Search is at http://www.google.com/codesearch

COMPUTER SYSTEM UNDER ATTACK (Washington Post, 6 Oct 2006) -- Hackers operating through Chinese Internet servers have launched a debilitating attack on the computer system of a sensitive Commerce Department bureau, forcing it to replace hundreds of workstations and block employees from regular use of the Internet for more than a month, Commerce officials said yesterday. The attack targeted the computers of the Bureau of Industry and Security, which is responsible for controlling U.S. exports of commodities, software and technology having both commercial and military uses. The bureau has stepped up its activity in regulating trade with China in recent years as the United States increased its exports of such dual-use items to the growing Chinese market. This marked the second time in recent months that U.S. officials confirmed that a major attack traced to China had succeeded in penetrating government computers. A source familiar with the security breach said the hackers had penetrated the computers with a “rootkit” program, a stealthy form of software that allows attackers to mask their presence and then gain privileged access to the computer system. The attacks were traced to Web sites registered on Chinese Internet service providers, Commerce officials said. “We determined they were owned by the Chinese,” a senior Commerce official said. He did not say who in China was responsible or whether officials had even been able to identify the culprits. Although bureau employees were informed of the problem in July, commerce officials declined to say when the attacks were discovered and how long they had been going on. Only over time did bureau officials realize the extent of the damage from the breach. http://www.washingtonpost.com/wp-dyn/content/article/2006/10/05/AR2006100501781_pf.html

DATA BREACH SETTLEMENTS HELP DEFINE “REASONABLE CARE” (Steptoe & Johnson’s E-Commerce Law Week, 7 Oct 2006) -- When it comes to data breaches, the Federal Trade Commission is no longer the only active regulator. As two recent cases demonstrate, other authorities, both inside and outside of the U.S., also play a role in setting and enforcing data security standards. At the state level, the Oregon State Attorney General announced last month that Providence Health Systems would pay $95,764 to a consumer protection fund -- as well as whatever sum is necessary to continue providing credit monitoring and restoration services and make good on patients’ claims for “direct financial loss” -- to settle claims stemming from a data breach that occurred late last year. And in Canada, the Alberta Office of the Information and Privacy Commissioner last month released the results of its investigation into a breach by MD Management Ltd., recommending that the financial services company take several steps to better protect personal information. These actions should serve to remind U.S. companies -- especially those that do business abroad -- that they need look beyond the FTC when attempting to determine what constitute “reasonable” data security measures. Both actions also highlight the importance of encrypting personal data stored on mobile devices. http://www.steptoe.com/publications-3882.html

LAW BLOGS RAISING PRICKLY ETHICAL ISSUES (Nat’l Law Journal, 6 Oct 2006) -- For many lawyers, blogs have become a popular marketing tool to catapult their firms’ names into the World Wide Web. For others, they have become a convenient mechanism for discussing an array of topics from feminism to federalism. And while many blogs lie somewhere between unabashed advertising and pure political speech, the amorphous quality of these online logs is creating uneasiness about their ethical implications. “It all involves speech, but the distinctions are not clear,” said Larry Ribstein, a professor at the University of Illinois College of Law who authors Ideoblog, on the Internet. Many states are in the process of revamping their attorney ethics rules, and part of that process involves the prickly issue of whether blogs should be regulated as advertising. On one hand, states want to protect consumers from unscrupulous lawyer advertising presented under the guise of an online diary. On the other, they want to preserve the free flow of ideas -- and valuable legal information presented in a public forum -- that the new technology has fostered. Ribstein, a corporate and constitutional law professor, maintains that whether blog content is deemed advertising or fully protected political speech is an issue that could become the quintessential test of the bounds of commercial speech doctrine. “It doesn’t get any hazier than blogs,” he said. The proliferation of blogs -- short for Web logs -- has exploded in the last two years. In general, they are logged, online postings written by lawyers discussing current rulings, political events or media coverage related to a particular area of the law. They usually encourage readers to weigh in on topics and post their entries as well. Many blogs, however, are more personal in nature and include observations on a vast number of topics.
Still others are marketing focused and are maintained with the intent of attracting clients but may be informational nonetheless. Developed at first primarily by small-firm practitioners and legal scholars, blogs have caught on among larger law firms, some of which, on their Web sites, link to blogs authored and edited by their individual practitioners. A few of the bigger firms with lawyers who write blogs include Akin Gump Strauss Hauer & Feld; Cooley Godward Kronish in Palo Alto, Calif.; Seattle’s Preston, Gates & Ellis; Davis Wright Tremaine also in Seattle; The Cochran Firm New Orleans; and McKenna Long & Aldridge. Subjects can include such practice areas as electronic discovery, bankruptcy and personal injury. http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1160039129480

-- and --

SUN ASKS S.E.C. TO ALLOW BLOG FISCAL FILINGS (New York Times, 7 Oct 2006) -- The chief executive of Sun Microsystems, Jonathan I. Schwartz, has asked the Securities and Exchange Commission to allow companies to disclose significant financial information through their blogs. With a growing number of companies publishing corporate blogs or online diaries, and an S.E.C. chairman with a penchant for technological innovation, Mr. Schwartz is making the case for blogs — including his own on the Sun Web site — as a way to expand investors’ access to information. The S.E.C. currently allows blogs to be used to disseminate a company’s financial information, but the blog must reach a broad audience. In a Sept. 25 letter to the S.E.C. chairman, Christopher Cox, Mr. Schwartz noted that Sun’s Web site gets an average of nearly a million user hits a day, including the blog that he writes as chief executive and those of thousands of Sun employees. Mr. Schwartz wrote: “Its content is ‘pushed’ to subscribers. This Web site is a tremendous vehicle for the broad delivery of timely and robust information about our company.” Mr. Schwartz’s letter does not specify how many people read his blog, as opposed to the Web site in general, so more data would be needed to determine whether it meets the criterion of broad distribution under the regulation, in the S.E.C.’s view. An S.E.C. spokesman, John Nester, said that agency regulations contemplate “Web-based disclosure, and that’s why the rule does not proscribe any particular method of dissemination — so long as it is broad and nonexclusionary.” Thirty Fortune 500 companies are now publishing corporate blogs. http://www.nytimes.com/2006/10/07/technology/07blog.html?ex=1317873600&en=23c5050c29373c87&ei=5090&partner=rssuserland&emc=rss

E.U. AGREES TO EASE U.S. ACCESS TO DATA ON PASSENGERS (Washington Post, 7 Oct 2006) -- European officials agreed Friday to grant U.S. law enforcement and intelligence agencies easier access to detailed personal data on transatlantic air passengers, despite concerns about individual privacy and fears that the information could be misused. The new pact, replacing one struck down by a European Union court in May, continues arrangements by which all passenger names, credit card numbers and other personal information are passed electronically to the U.S. Customs and Border Protection agency. But it softens various restrictions on when and how that data can be passed to the CIA and other intelligence organizations. Under the new system, “if we have particular interest in a number of flights, or a specific destination, then we can therefore use that information and share it with other counterterrorism agencies,” said Jarrod Agen, a spokesman for the Department of Homeland Security, which includes the customs and border agency. The data request must have some “specificity,” he said, such as the recent alleged plot to bomb airliners flying from London. In that case, passenger information on flights from Britain to the United States could be shared with the FBI, he said. The Europeans insisted on certain data protection safeguards. The U.S. agencies sharing the information, for instance, may retain the data for no more than 3 1/2 years, the same limit that applies to the border protection agency. And not everything that an airline knows about a passenger -- special meal requests, for instance -- will be turned over. http://www.washingtonpost.com/wp-dyn/content/article/2006/10/06/AR2006100600071.html

YOUTUBE CUTS DEALS WITH CBS, UNIVERSAL MUSIC GROUP, SONY BMG (SiliconValley.com, 9 Oct 2006) -- YouTube Inc. announced deals Monday to license content from two major record companies just hours before the wildly popular video Web site agreed to be bought by Google Inc. YouTube reached deals with Vivendi’s Universal Music Group and Sony BMG Music Entertainment that will let the Web site post music videos and content from users that includes copyrighted material in exchange for sharing ad revenue. “YouTube is committed to balancing the needs of the fan community with those of copyright holders,” said Chad Hurley, chief executive of YouTube. Meanwhile, Warner Music Group Corp. and Sony BMG announced separate licensing agreements with Google, which now operates its own video-sharing site called Google Video. Financial details of the deals were not disclosed. The dealmaking reflects how the growth of online, user-created video has emerged as a potential source of revenue for the sagging recording industry. “The enormous popularity of these video sites made it clear that a large number of people absolutely love these sites, and so connecting artists with their fans using this viral video platform is incredibly important to us,” said Thomas Hesse, Sony BMG’s president of global digital business. YouTube had been under pressure to avoid a copyright infringement fight with the entertainment industry while negotiating with Google. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/15716551.htm

-- and --

UNIVERSAL MUSIC GROUP SUES ONLINE VIDEO SITES GROUPER, BOLT (SiliconValley.com, 17 Oct 2006) -- Universal Music Group is suing the operators of two video-sharing Web sites, claiming they illegally let users share music videos and other copyright material without permission. Universal Music, the world’s largest recording company, filed separate lawsuits against Grouper Networks Inc., operator of Grouper.com, and Bolt Inc., which runs Bolt.com. Sony Corp.’s Sony Pictures Entertainment acquired Grouper for $65 million in August, and Universal Music said it may add the film studio as a defendant. In lawsuits filed Monday in U.S. District Court in Los Angeles, Universal Music claimed Grouper and Bolt actively play a role in violating copyright laws by “copying, reformatting, distributing and creating” works derived from music videos and songs owned by the label. In one example cited in the Grouper lawsuit, a search turned up several Mariah Carey videos that could be viewed and downloaded. A video for her song “Shake It Off,” had been viewed more than 50,000 times, the lawsuit said. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/15781910.htm

CRIMINALS FIND NEW WAYS TO ATTACK ON THE INTERNET (NPR audio, 9 Oct 2006) -- Cyber-criminals are proving to be more sophisticated than ever. New avenues for attacks include social networking sites such as MySpace and devices previously not considered vulnerable, such as computer printers. http://www.npr.org/templates/story/story.php?storyId=6223908

DATA LEAKS HIT SHARE PRICES HARD (Web Wereld, 9 Oct 2006) -- Australian-based analyst Hydrasight has teamed up with Colorado-based researcher Enterprise Management Associates Inc. (EMA) to release a study on the current state of global enterprise information security. The report draws a comparison between the theft or breach of confidential information and computer-facilitated financial fraud and the impact it has on organizations in terms of share price. While the organizations studied were based in the U.S., the findings reflect a similar security environment in Australia. Scott Crawford, senior analyst with EMA, said within four weeks of public disclosure of details of an information breach, negative responses show up in the form of falling share prices. The impact can be disturbing, he added. “EMA recently followed the closing stock prices of six US companies which had disclosed an information security breach between February 2005 and June 2006. “Within a month of disclosure, the average price of these stocks fell by 5 percent, and remained in a range of 2.4 to 8.5 percent below that of the date of disclosure for another eight months,” he said. “The stocks did not recover to pre-incident levels for nearly a year.” http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html [Editor: Odd venue for this story; can readers point me to similar studies, published in U.S. outlets?]

JUDGE SAYS BORDER LAPTOP SEARCHES ARE INTRUSIVE (Nat’l Law Journal, 10 Oct 2006) -- Government officials must have reasonable suspicion under the Fourth Amendment to search someone’s laptop at U.S. borders, according to a recent ruling in Los Angeles. The decision, by U.S. District Judge Dean D. Pregerson of the Central District of California, is the first in the 9th U.S. Circuit Court of Appeals to address whether searching a person’s laptop is more than routine and therefore subject to the search and seizure protections of the Fourth Amendment. U.S. v. Arnold, No. 2:05-cr-00772 (C.D. Calif.). The ruling, on Oct. 2, also expands upon a previous decision by the 9th Circuit that permitted the search of temporary cache files in a man’s laptop. U.S. v. Romm, 455 F. 3d 990 (9th Cir., 2006). The recent decision could lead to a potential circuit split, given a conflicting 4th Circuit ruling last year in a similar case. “Everybody knows a computer is a treasure trove of information, and police look for excuses to get into them,” said John Wesley Hall Jr., managing partner of John Wesley Hall Jr. P.C. in Little Rock, Ark., who follows search and seizure cases. But one’s laptop “is such an intensive and intrusive search, judges should retain caution.” Under existing law, border officials must have a reasonable suspicion to conduct a non-routine or invasive search, such as a body cavity search or X-rays. In most cases, that standard of proof is relatively low given the nation’s heightened security concerns at the borders. (subscription required -- http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1160471117028)

JURY AWARDS $11.3M OVER DEFAMATORY INTERNET POSTS (USA Today, 11 Oct 2006) -- A Florida woman has been awarded $11.3 million in a defamation lawsuit against a Louisiana woman who posted messages on the Internet accusing her of being a “crook,” a “con artist” and a “fraud.” Legal analysts say the Sept. 19 award by a jury in Broward County, Fla. — first reported Friday by the Daily Business Review — represents the largest such judgment over postings on an Internet blog or message board. Lyrissa Lidsky, a University of Florida law professor who specializes in free-speech issues, calls the award “astonishing.” http://www.usatoday.com/news/nation/2006-10-10-internet-defamation-case_x.htm

MARINE HAD REASONABLE EXPECTATION OF PRIVACY IN WORK EMAIL (BNA’s Internet Law News, 12 Oct 2006) -- BNA’s Electronic Commerce & Law Report reports that the U.S. Court of Military Appeals has ruled that a servicemember had a protected privacy interest in e-mail messages she transmitted over a government computer network, notwithstanding a logon message advising that her use of the government’s network was subject to monitoring. The court noted that the defendant alone possessed the password to her e-mail account, and the network’s logon warning mentioned only “monitoring,” not searching through e-mail messages for law enforcement purposes. Opinion at http://www.armfor.uscourts.gov/opinions/2006Term/05-5002.pdf [Strange case, especially given that it involves a military work-place.]

HIGH COURT IN BRITAIN LOOSENS STRICT LIBEL LAW (New York Times, 12 Oct 2006) -- Britain’s highest court ruled Wednesday for the first time that journalists have the right to publish allegations about public figures, as long as their reporting is responsible and in the public interest. The ruling, a unanimous judgment by the Law Lords, is a huge shift in British law and significantly improves journalists’ chances of winning libel cases in a court system that until now has been stacked against them. English judges have traditionally been so sympathetic to libel plaintiffs that many people from abroad have sued in English courts — even if the publications in question have tiny circulations here — because they have had a much better chance of winning here than at home. Newspaper editors said the decision, in the case of Jameel v. Wall Street Journal Europe, would free them to pursue stories vigorously without constant fear of lawsuits. “This will lead to a greater robustness and willingness to tackle serious stories, which is what the judges said they wanted,” said Alan Rusbridger, editor of The Guardian. Until now, he said in an interview, newspapers have had to police themselves to the point where “stories weren’t getting in the paper or were being neutered by clever lawyers who knew how to play the game.” The case concerned an article published on Feb. 6, 2002, in The Wall Street Journal and in its European edition, The Wall Street Journal Europe, which has a daily circulation of 18,000 in Britain. The article said that at the request of the United States, Saudi Arabia was monitoring bank accounts of prominent Saudi businesses and individuals to trace whether they were being used, possibly unwittingly, to siphon money to terrorist groups. One of the businesses mentioned, Abdul Latif Jameel Company Ltd., sued the newspaper, as did Muhammed Abdul Latif Jameel, its general manager and president. 
Under British libel law, newspapers being sued are required to prove the truth of the allegations they print — the opposite of the situation in the United States, where the burden of proof falls heavily on plaintiffs. But that was a practical impossibility in this case, a member of the panel that ruled on Wednesday, Lord Hoffmann, wrote in his decision. “In the nature of things, the existence of surveillance by the highly secretive Saudi authorities would have been impossible to prove by evidence in open court,” he said. The paper argued that the article was in the public interest — that is, important to the debate about terrorism and the authorities’ efforts to combat it. A court ruling in a case several years ago involving The Times of London first seemed to open the door to such an argument. But that decision set out what some lawyers say was a prohibitively high set of standards for newspapers and other news media to meet, forcing them to defend their reporting practices to satisfy the subjective opinions of individual English judges. In the Jameel case, a lower court jury rejected The Journal’s public-interest argument, finding that the article was defamatory. The Journal was ordered to pay £40,000 — or about $74,000 — in damages. An appeals court affirmed the ruling. The Law Lords overturned the decision. In a ringing rebuke to the lower court judge’s conclusion that the article was not in the public interest, in part because it flouted an agreement between the United States and Saudi Arabia to keep the monitoring program secret, Lord Hoffmann declared it to be “a serious contribution in measured tone to a subject of very considerable importance.” http://www.nytimes.com/2006/10/12/world/europe/12britain.html

ICANN REFUSES TO PULL SPAMHAUS DOMAIN (The Register, 12 Oct 2006) -- Internet governance organisation ICANN has said it does not have the authority to suspend the website of The Spamhaus Project. An Illinois court last week proposed pulling Spamhaus.org in response to a lawsuit brought against the anti-spam organisation by a company it accuses of spamming. The threat of domain loss came after the anti-spam organisation refused to comply with a September ruling (http://www.spamhaus.org/archive/legal/Kocoras_order_to_Spamhaus.pdf) by a US court requiring it to pay $11.7m in compensation to e360 Insight, pull the organisation’s listing, and post a notice stating that it was wrong to say e360 Insight was involved in sending junk mail. In the proposed court order (http://www.spamhaus.org/archive/legal/e360/kocoras_order_6_10.pdf), published last week, Judge Charles Kocoras of the US District Court for the Northern District of Illinois calls on either ICANN or Tucows, the Spamhaus.org registrar, to pull or suspend the domain in response to Spamhaus’s non-compliance with the court’s original ruling. Spamhaus chief executive Steve Linford said that suspension of its domain could create an “enormous amount of damage on the internet”. ICANN’s stance (http://www.icann.org/announcements/announcement-10oct06.htm) of declining authority on the affair passes the onus onto Tucows, the Spamhaus.org registrar. Since Tucows is based in Canada, and not the US, it’s in a much better position to decline to apply the court’s request. So the threat of the loss of Spamhaus’s domain appears to have receded, at least for now. UK-based Spamhaus Project declined to defend itself in the case, arguing that the US courts lack jurisdiction. http://www.theregister.co.uk/2006/10/12/icaan_spamhuas_dispute_latest/print.html [Editor: I’ve heard that Spamhaus may have made some kind of appearance, other than a limited special appearance, in this matter, and so may be within the Court’s reach.]

-- and --

ANTI-SPAM GROUP, FACING LOSS OF DOMAIN NAME, WILL APPEAL $12 MILLION JUDGMENT (SiliconValley.com, 18 Oct 2006) -- An anti-spam group plans to appeal a federal court ruling that could jeopardize its domain name after ignoring a lawsuit earlier on jurisdictional grounds. An attorney for the Spamhaus Project, Matthew Neumeier, said Wednesday that the group will challenge an $11.7 million judgment against it as well as a court order U.S. District Court Judge Charles P. Kocoras is expected to sign ordering the spamhaus.org domain suspended. Wheeling-based e360 Insight sued Spamhaus, arguing it had improperly placed the company on a “blacklist” of spammers. Service providers and others use Spamhaus’ list to help identify which messages to block, send to a “junk” folder or accept. Bart Loethen, an attorney for e360 Insight, said his client is a direct marketer that does not send unsolicited e-mail. But the U.K.-based Spamhaus refused to recognize the U.S. District Court’s jurisdiction, did not bother to defend itself in the case and had no plans to comply with the monetary judgment. The company responded by asking the court to suspend the domain name. Spamhaus claims that more than 650 million Internet users benefit from its list of spammers. Losing the domain name would make it more difficult for service providers and others to obtain the list, the group contends. It’s not clear Kocoras could easily order such a suspension because the Domain Name System is in the hands of organizations and companies that are not parties to the lawsuit. Already, the Internet’s key oversight agency, Internet Corporation for Assigned Names and Numbers, issued a statement saying it does not have the ability or authority to suspend individual domain names. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/15789730.htm

-- and --

COURT DECLINES TO ISSUE ORDER AGAINST ICANN OR TUCOWS (ICANN, 20 Oct 2006) -- On 19 October 2006, United States District Court Judge Charles P. Kocoras, presiding over the e360Insight v. The Spamhaus Project matter in the Northern District of Illinois, issued an order denying e360Insight’s (“e360”) motion asking the Court to, among other things, suspend www.spamhaus.org. The Court explained that the relief e360 sought was too broad to be warranted under the circumstances. First, the Court noted that since there is no indication that ICANN or Tucows acted in concert with Spamhaus, the Court could not conclude that either party could be brought within the ambit of Federal Rule of Civil Procedure 65(d), which states that an order granting an injunction is “binding only upon the parties to the action, their officers, agents, servants, employees, and attorneys, and upon those persons in active concert or participation with them.” Second, the Court stated that a suspension of www.spamhaus.org would cut off all lawful online activities of Spamhaus, not just those that are in contravention of the injunction the Court previously issued against Spamhaus. http://www.icann.org/announcements/announcement-1-19oct06.htm

DOCUMENTS REVEAL SCOPE OF U.S. DATABASE ON ANTIWAR PROTESTS (New York Times, 13 Oct 2006) -- Internal military documents released Thursday provided new details about the Defense Department’s collection of information on demonstrations nationwide last year by students, Quakers and others opposed to the Iraq war. The documents, obtained by the American Civil Liberties Union under a Freedom of Information Act lawsuit, show, for instance, that military officials labeled as “potential terrorist activity” events like a “Stop the War Now” rally in Akron, Ohio, in March 2005. The Defense Department acknowledged last year that its analysts had maintained records on war protests in an internal database past the 90 days its guidelines allowed, and even after it was determined there was no threat. A department spokesman said Thursday that the “questionable data collection” had led to a tightening of military procedures to ensure that only information relevant to terrorism and other threats was collected. The spokesman, Maj. Patrick Ryder, said in response to the release of the documents that the department “views with great concern any potential violation” of the policy.

ARE YOUR BUSINESS PARTNERS AN IT THREAT? (CFO.com, 16 Oct 2006) -- It’s hard for any company to do business these days without partners. Even vendors are routinely described as partners. But for the people within your company responsible for your network and computer systems, partners are more aptly described as a giant security headache. According to a recent survey released by Cybertrust, a global information security services firm based in Herndon, Va., nearly 75 percent of the respondents — which included a range of managers and professionals in the IT, security and business fields — felt their business partners increased the level of information security risk to their organizations. “Though we expected IT and security professionals to have a much higher perception of risk,” the surveyors confess, “results imply a fairly consistent sentiment of concern at all organizational levels.” When asked to name the most worrisome risks stemming from business partnerships, the survey sample cited network intrusions (68 percent), data theft (64 percent), virus infections (49 percent) and fraud (43 percent). They also noted that 32 percent of the organizations in the study reported a security incident involving a business partner in the last year. “There’s often a gap in information security between what people perceive as a risk and what really is a risk,” observes Cybertrust senior vice president for marketing Jim Ivers. “So the fact that there’s a one-in-three chance that a partner can generate a problem for you is a pretty significant figure.” The surveyors also discovered that 13 percent of the respondents reported terminating a relationship with a partner because of information security concerns. http://www.cfo.com/article.cfm/8047276?f=home_featured

MICROSOFT TO RELEASE PRIVACY GUIDELINES (Washington Post, 16 Oct 2006) -- Microsoft Corp. is preparing to release privacy guidelines based on its own internal practices in hopes of getting companies to adopt more cohesive standards for safeguarding people’s personal information. Microsoft will issue the hefty document Thursday, urging commonsense practices such as clearly telling customers why a company collects personally identifiable information like e-mail addresses or phone numbers. Among other things, the document also calls for companies to make a business case for why the information is needed and recommends they delete data no longer needed for that purpose. Microsoft also recommends internal practices that can help keep personal information such as credit card numbers from accidentally getting into the wrong hands. The company wants to work with other companies to eventually establish some more generally agreed-upon guidelines, although it’s unclear how long that will take. http://www.washingtonpost.com/wp-dyn/content/article/2006/10/16/AR2006101600817.html Guidelines released at http://www.microsoft.com/downloads/details.aspx?FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f&displaylang=en

WIKIPEDIA CO-FOUNDER PLANS ‘EXPERT’ RIVAL (CNET, 16 Oct 2006) -- One of Wikipedia’s founders and closest critics is launching an alternative to the free online encyclopedia this week. Larry Sanger, a co-founder of Wikipedia and the site’s former editor-in-chief, is launching a rival site called Citizendium. It will include user registration and editorial controls to govern user-submitted articles, unlike the free-for-all submission process that reigns on Wikipedia. With “gentle” controls in place, Sanger said Citizendium will naturally weed out so-called trolls from posting obscenities or biased information. “Wikipedia is amazing. It has grown in breadth and depth, and the articles are remarkably good given the system that is in place. I merely think that we can do better,” Sanger said. “There are a number of problems with the system that can be solved, and by solving those we can end up with an even better massive encyclopedia.” Citizendium is not starting from scratch. It will be a “fork” of the open-source code of Wikipedia, meaning that it will replicate the existing database of articles and then evolve, through user participation, into a new compendium of its own. According to its FAQ, Citizendium does not aim to harm Wikipedia. http://news.com.com/2100-1038_3-6126469.html Citizendium FAQs at http://www.citizendium.org/#wikiciti

MICROSOFT TO CATCH UP ON ITS READING (CNET, 18 Oct 2006) -- Kirtas Technologies, a maker of high-speed scanners and digitization software, signed a deal Tuesday with Microsoft to scan works for its Windows Live Book Search project. The Cornell University Library also signed on Tuesday with Microsoft as a partner, agreeing to let its collection be scanned. The project, when complete, will make public domain works, as well as copyrighted material from publishers who opt-in, freely available through Microsoft’s online Web application. The works scanned by Kirtas will become available via Windows Live Book Search starting in early 2007. Cornell librarians will have a hand in choosing which versions of books to scan and overseeing quality control of the digitization process, according to Cornell. The program is a direct competitor to Google Book Search, which already has many works available online in full text, and has enlisted libraries including the New York Public Library and Oxford University in its endeavor. Google, however, has taken the opposite approach to Microsoft, requiring publishers to opt-out if they do not want their copyrighted works to be scanned. The method has resulted in several lawsuits in different countries. Google has argued that Google Book Search does not allow full access to copyrighted works, as it does with public domain works--many of which are available as free PDF books that can be read or printed in their entirety. http://news.com.com/2100-1032_3-6127081.html

JUDGE IN LIBEL SUIT SAYS 1-YEAR STATUTE OF LIMITATIONS APPLIES TO WEB (SiliconValley.com, 18 Oct 2006) -- A one-year statute of limitations for bringing libel lawsuits in Texas also applies to articles posted on the Internet, a federal judge has ruled. The ruling by U.S. District Judge David Godbey is being hailed as an important decision that gives online media the same protections as traditional print and broadcast organizations. Godbey ruled Monday that the one-year clock begins ticking when an article first appears on the Internet and ends a year later, even if the article in question remains available for reading on the Internet. It’s the second time a federal judge recently determined that the Texas libel limits also apply to Internet-based media. A lawyer for Belo Corp., a defendant in the case, praised the decision as a critical step for online media. “The ruling is important because it allows Internet publishers -- not limited to newspapers -- to engage in the free exchange of ideas without being exposed to defamation claims based on articles viewable in the present but first posted to the Internet years earlier,” said Russell Coleman, a Belo lawyer. In dismissing the suit against The Dallas Morning News, personal finance columnist Scott Burns and parent company Belo, Godbey wrote that he “sees no rational reason for distinguishing between the Internet and other forms of traditional mass media.” http://www.siliconvalley.com/mld/siliconvalley/news/editorial/15789726.htm

GET YOUR DAILY PLAGUE FORECAST (Wired, 19 Oct 2006) -- Web-based maps are handy for keeping tabs on weather and traffic, so why not for disease outbreaks, too? The new Healthmap website digests information from a variety of sources ranging from the World Health Organization to Google News and plots the spread of about 50 diseases on a continually updated global map. It was developed as a side project by two staffers at the Children’s Hospital Informatics Program in Boston -- physician John Brownstein and software developer Clark Freifeld. While working on a state-funded program to track disease outbreaks in Massachusetts, the two discovered some inconsistencies in how information is reported. Some sources, such as ProMed-mail, provide very specific data that is verified by medical experts, but the process can be lengthy. At the other extreme, newspaper articles and blog entries come out far more quickly, but they are more likely to contain errors such as unconfirmed reports about avian flu infections in a country. “You always have this trade-off between timeliness and specificity,” said Brownstein. To cheat the trade-off, the pair developed a site that collects data from various sources: the slow and accurate as well as the fast and approximate. Freifeld created a computer program that scans text from RSS news feeds and web page “screen scrapes” to find information about a disease and where it was reported. Using Google Maps, the site places icons that correspond to individual disease reports. http://www.wired.com/news/technology/0,71961-0.html?tw=rss.index

WHY US LAWYERS MUST BE FORTUNE-TELLERS (FT.com, 19 Oct 2006) -- From Hewlett-Packard to UnitedHealth and beyond, have America’s lawyers failed its corporations? Where were the lawyers while the Silicon Valley crowd mortgaged its future for a few lousy stock options? And what about HP: with legions of attorneys paid six-figure salaries, was it really so hard to avoid breaking the law? Backdating stock options is not always illegal and even the gumshoe shenanigans at HP may not qualify as a black and white violation of US law. Therein lies the problem: corporate lawyers live in a perpetual grey area; not even Messrs Sarbanes and Oxley wrote every commandment in stone. There are large gaps between what is required or forbidden by law and what may be done “legally”, and corporate lawyers are asked to bridge that divide every day. Take the options backdating scandal: getting stock on the cheap by picking a fake option date is just the kind of thing most normal mortals would agree should be illegal - and in some cases it clearly was (where there was deliberate falsification of records or failure to disclose to investors what was done). But many more of the 100-odd companies tarred with the brush of options miscreant quite likely did nothing that broke the (rather ambiguous) law. The Securities and Exchange Commission, the Internal Revenue Service and the accountants had no problem with the practice at the time; how were the lawyers meant to know the regulatory winds would shift against them? Warren Buffett thinks the law is not enough: he told Berkshire Hathaway managers recently to “start with what is legal but always go on to what we would feel comfortable about being printed on the front page of our local paper”. 
And anyone who thinks that would turn lawyers into glorified PR men need look no further than the model rules of the American Bar Association: rule 2.1 states that “in rendering advice, a lawyer may refer not only to the law but to other considerations such as moral, economic, social and political factors that may be relevant to the client’s situation”. http://www.ft.com/cms/s/c9527e3e-5f0e-11db-afac-0000779e2340,_i_email=y.html

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.