**************Introductory Note**********************
MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at http://tinyurl.com/joo5y.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.
**************End of Introductory Note***************
MICROSOFT HIT BY U.S. DOT BAN ON WINDOWS VISTA, EXPLORER 7, AND OFFICE 2007 (Information Week, 2 March 2007) -- Citing concerns over cost and compatibility, the top technology official at the federal Department of Transportation has placed a moratorium on all in-house computer upgrades to Microsoft’s new Windows Vista operating system, as well as Internet Explorer 7 and Office 2007, according to a memo obtained Friday by InformationWeek. In a memo to his staff, the DOT’s CIO Daniel Mintz says he has placed “an indefinite moratorium” on the upgrades as “there appears to be no compelling technical or business case for upgrading to these new Microsoft software products. Furthermore, there appears to be specific reasons not to upgrade.” Among the concerns cited by Mintz are compatibility with software applications currently in use at the department, the cost of an upgrade, and DOT’s move to a new headquarters in Washington later this year. “Microsoft Vista, Office 2007, and Internet Explorer [7] may be acquired for testing purposes only, though only on approval by the DOT chief information officer,” Mintz writes. The memo is dated Jan. 19. In an interview Friday, DOT chief technology officer Tim Schmidt confirmed that the ban is still in effect. “We’re analyzing different client software options and also integration issues,” says Schmidt. Among the options the Transportation Department is weighing as a possible alternative or complement to Windows Vista are Novell’s Suse Linux and, for a limited group of users, Apple’s Macintosh hardware and software, he says. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197700789
WOMAN ACCUSES YAHOO OF STEALING HER IMAGE (Wired, 2 March 2007) -- An Ohio woman is demanding $20 million from Yahoo for allegedly using a photo of her without her permission for a welcome e-mail sent to new users. According to a court complaint filed Tuesday with the U.S. District Court for the Northern District of Ohio, Shannon Stovall, a resident of Ohio’s Cuyahoga County, discovered upon signing up for Yahoo’s Web-based e-mail service last October that a picture taken of her appeared in a note sent to new users. The message, according to a printout attached to the court complaint, leads off with the headline “Hooray! Your first e-mail” and a photograph containing two women, one of whom is purported to be Stovall. It goes on to give Yahoo Mail users tips on how to transfer address book contacts and customize the look of their messages. The complaint charges that the image has been sent to millions of users around the world without Stovall’s authorization, violating her right to privacy and right to publicity -- that is, to control the commercial use of her identity. The allegations resemble a complaint lodged by New England Patriots quarterback Tom Brady against Yahoo in December. The star athlete accused the portal of using a photograph of him from the September 2006 issue of Sports Illustrated without his permission to promote its fantasy football league. http://news.com.com/2100-1030_3-6163987.html
BBC SIGNS DEAL WITH YOUTUBE TO SHOW PROGRAM EXCERPTS (SiliconValley.com, 2 March 2007) -- The British Broadcasting Corp. began showing excerpts from its news and entertainment programs on the YouTube video-sharing Web site Friday, becoming the first international broadcaster to ink a major deal with the Google Inc.-owned portal. In an agreement that analysts described as a key step for both the BBC and YouTube, the British broadcaster is offering three branded channels on the site, including one showing up to 30 news clips a day. The deal gives the BBC access to millions more viewers and gives YouTube the credibility of the venerable British broadcaster. One of the new YouTube channels, “BBC Worldwide,” will show clips from hit BBC programs including motor show “Top Gear,” spy drama “Spooks” and nature documentaries presented by David Attenborough. A second entertainment channel, simply called “BBC,” will show clips like trailers and short features such as video diaries of actors on the popular “Dr. Who” TV series or blogs from reporters working abroad. The third channel, “BBC News,” will show snippets from the BBC’s commercially operated international news channel of the same name. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16819668.htm
U.S. COPYRIGHT ROYALTY BOARD REJECTS WEBCASTERS, EMBRACES SOUNDEXCHANGE (Wired blog, 4 March 2007) -- On Friday, which is generally accepted in public relations circles as the best day of the week to release controversial news, the United States Copyright Royalty Board announced new royalty rates for webcasts, effective from 2006 to 2010. The board ignored the arguments of the International Webcasting Association and other webcasters, and apparently simply endorsed the proposal of the RIAA-associated SoundExchange royalty organization, which represents the major and some indie labels. The new rates force webcasters to pay for each song streamed to each user, and increase over the next few years as follows: 2006: $0.0008 to stream one song to one listener; 2007: $.0011; 2008: $.0014; 2009: $.0018; 2010: $.0019. Those fees will add up quickly for larger webcasters; the Radio and Internet Newsletter (RAIN) calculates that, assuming that the average station plays 16 songs per hour, sites would have to pay “about 1.28 cents” per listener per hour using the 2006 rate, and would owe this retroactively, in addition to licensing fees going forward. RAIN’s math indicates that the rate would render Internet radio unsustainable, or at the very least, more ad-laden than terrestrial radio -- and that’s before the songwriters’ licenses are taken into account. http://blog.wired.com/music/2007/03/us_copyright_ro.html Copyright Royalty Board report at http://www.loc.gov/crb/proceedings/2005-1/rates-terms2005-1.pdf ; from a Harvard blog: “In a move that recalls the Vogons’ decision to destroy Earth to clear the way for a highway bypass in space (from Douglas Adams’ Hitchhikers Guide to the Galaxy), the judges comprising the Copyright Royalty Board have decided to destroy the Internet radio industry so the Recording Industry won’t be inconvenienced by something it doesn’t know, like or understand.” NPR voices its objections, too: http://news.com.com/2061-10796_3-6168596.html … and then
COPYRIGHT BOARD TO RECONSIDER HIGHER ROYALTIES FOR NET MUSIC (Bloomberg, 21 March 2007) -- The Library of Congress Copyright Royalty Board agreed to reconsider a decision to increase royalties for music played on the Internet after radio broadcasters complained the new prices were too high. The judges agreed to listen to arguments submitted by National Public Radio, commercial radio broadcasters, and college stations, the board said yesterday. NPR spokeswoman Andi Sporkin provided a copy of the board’s order. http://www.boston.com/business/globe/articles/2007/03/21/copyright_board_to_reconsider_higher_royalties_for_net_music/
OPEN CALL FROM THE PATENT OFFICE (Washington Post, 5 March 2007) -- The government is about to start opening up the process of reviewing patents to the modern font of wisdom: the Internet. The Patent and Trademark Office is starting a pilot project that will not only post patent applications on the Web and invite comments but also use a community rating system designed to push the most respected comments to the top of the file, for serious consideration by the agency’s examiners. A first for the federal government, the system resembles the one used by Wikipedia, the popular user-created online encyclopedia. “For the first time in history, it allows the patent-office examiners to open up their cubicles and get access to a whole world of technical experts,” said David J. Kappos, vice president and assistant general counsel at IBM. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/04/AR2007030401263.html
MICROSOFT ATTACKS GOOGLE ON COPYRIGHT (Financial Times, 5 March 2007) -- Microsoft on Tuesday launches a fierce attack on Google over its “cavalier” approach to copyright, accusing the internet company of exploiting books, music, films and television programmes without permission. Tom Rubin, associate general counsel for Microsoft, will say in a speech in New York that while authors and publishers find it hard to cover costs, “companies that create no content of their own, and make money solely on the back of other people’s content, are raking in billions through advertising and initial public offerings”. Mr Rubin’s remarks, presaged in an article in Tuesday’s Financial Times, come as Google faces criticism and legal pressure from media companies over services allowing users to search online for books, films, television programmes and news. Viacom, the US media group, instructed YouTube, which Google owns, to remove 100,000 clips of copyright material. The Authors Guild and a group of publishers backed by the Association of American Publishers have separately sued Google for making digital copies of copyrighted books from libraries without permission. Mr Rubin will tell the AAP’s annual meeting that Google’s decision to take digital copies of all books in various library collections, unless publishers tell it not to, “systematically violates copyright, deprives authors and publishers of an important avenue for monetising their works and, in doing so, undermines incentives to create”. He will say Google is breaching copyright law because it has “bestowed upon itself the unilateral right to make entire copies of copyrighted books”. Google thinks it is acting legally because it publishes only “snippets” of copyrighted works unless it has the publisher’s permission. But Mr Rubin will say in Tuesday’s speech: “Google is saying to you and other copyright owners: ‘Trust us, you’re protected. We’ll keep the digital copies secure. We’ll only show snippets. We won’t harm you, we’ll promote you’.” http://www.ft.com/cms/s/3109938c-cb61-11db-b436-000b5df10621.html Lessig’s take on this: http://www.lessig.org/blog/archives/003727.shtml
TEXAS COUNTIES ILLEGALLY POSTING SOCIAL SECURITY NUMBERS ONLINE, AG SAYS (Computer World, 5 March 2007) -- Like dozens of county governments around the country, Fort Bend County in Texas has for the past several years been posting public records containing Social Security numbers on its Web site. The records are accessible to anyone in the world with an Internet connection and are routinely sold to list brokers, real estate companies and mortgage firms. On Feb. 23, Texas Attorney General Greg Abbott ruled that such disclosure of Social Security numbers in public documents is a violation of both state and federal privacy laws and is a criminal offense punishable by jail time and fines. The ruling followed an inquiry by Fort Bend’s district attorney in 2005 about how its county clerk was expected to deal with Social Security numbers when they were present in public records. Abbott’s ruling has caused an uproar among county and district clerks in the state who are panicked by the prospect of being held criminally liable for actions they say were carried out as part of their normal business. Many have shut down or severely restricted public access to court records and are seeking help from state legislators who have hastily introduced a House bill seeking to absolve clerks of criminal and civil liabilities for disclosing confidential information. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012221&source=rss_topic17 Follow-up story from 12 March: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=285672&source=rss_topic17
INTELLECTUAL PROPERTY VERDICTS EXCEED $1.3 BILLION IN 2006 (Law.com, 5 March 2007) -- Finisar Corp. employs dozens of Ph.D.-level scientists to create technology for its high-speed data communication components and testing business, but one of the company’s most lucrative inventions may be a patent outside of its core business that generated a court victory worth $117.3 million last year. In June 2006, the Sunnyvale, Calif.-based Finisar won a $78.9 million jury verdict in a patent infringement case against broadcast satellite company The DirecTV Group Inc. of El Segundo, Calif. Although appeals are in the works, fines are racking up, including a judge’s $25 million enhancement for willful infringement and $13.4 million for prejudgment interest, post-judgment interest and a compulsory license. Finisar Corp. v. DirecTV Group Inc., No. 05-00264 (E.D. Texas). Amid a worldwide market expansion for technology products, the Finisar case is one of a burgeoning number of blockbuster verdicts in intellectual property cases. These verdicts exceeded $1.3 billion in 2006, according to VerdictSearch, an affiliate of the National Law Journal, and our own research. There’s a direct correlation between intellectual property jury verdicts and the importance of the technology protected by the patent, said Eric Maschoff, a shareholder at Workman Nydegger of Salt Lake City, who served as Finisar’s lead patent prosecution counsel on the case. “Companies are looking more and more towards their intellectual property portfolio as an asset, and they’re exploiting that asset,” Maschoff said. Lawyers report that the sheer market size of high-technology products based on the patents in those portfolios can lead to massive infringement verdicts. Companies’ rising inclination to bring such cases to trial, and the emergence of high-tech courtrooms that enable the use of animation and other visual aids, also boost the possibility of gargantuan verdicts. http://www.law.com/jsp/article.jsp?id=1172829796667
STUDY: IDENTITY THEFT KEEPS CLIMBING (Wired, 6 March 2007) -- The rate of identity theft-related fraud has risen sharply since 2003, a report from research firm Gartner suggests. Gartner’s study, released Tuesday, shows that from mid-2005 until mid-2006, about 15 million Americans were victims of fraud that stemmed from identity theft, an increase of more than 50 percent from the estimated 9.9 million in 2003. It should be noted that the 2003 statistics and the mid-2006 statistics came from two different sources--and hence, two different statistical methodologies. The original 9.9 million figure came from the Federal Trade Commission, whereas the 15 million statistic is Gartner’s own. For its study, Gartner surveyed 5,000 U.S. adults who use the Internet. The research firm found that identity theft victims are losing more money and getting less of it back. The average loss of funds in a case of identity theft was $3,257 in 2006, up from $1,408 in 2005. Additionally, the average loss in the opening of a fraudulent new account has more than doubled over that time, from $2,678 to $5,962. http://news.com.com/2100-1029_3-6164765.html
FRANCE BANS CITIZEN JOURNALISTS FROM REPORTING VIOLENCE (IDG News Service, 6 March 2007) -- The French Constitutional Council has approved a law that criminalizes the filming or broadcasting of acts of violence by people other than professional journalists. The law could lead to the imprisonment of eyewitnesses who film acts of police violence, or operators of Web sites publishing the images, one French civil liberties group warned on Tuesday. The council chose an unfortunate anniversary to publish its decision approving the law, which came exactly 16 years after Los Angeles police officers beating Rodney King were filmed by amateur videographer George Holliday on the night of March 3, 1991. The officers’ acquittal on April 29, 1992 sparked riots in Los Angeles. If Holliday were to film a similar scene of violence in France today, he could end up in prison as a result of the new law, said Pascal Cohet, a spokesman for French online civil liberties group Odebi. http://news.yahoo.com/s/macworld/20070306/tc_macworld/franceban20070306_0 [Mon Dieu!]
INTEL TACTICS QUESTIONED IN E-MAIL PURGE (Information Week, 6 March 2007) -- Whether Intel suffers severe legal consequences for failing to save all potential evidence in Advanced Micro Devices’ antitrust lawsuit against the chipmaker will depend in large part on whether Intel can convince a judge it followed best practices. Intel disclosed Monday that it failed to save potentially relevant e-mail. It’s scheduled to join AMD Wednesday at a status hearing to discuss the issue before U.S. District Court Judge Joseph Farnan Jr. in Delaware. The hearing stems from a 2005 lawsuit in which AMD accused its rival of improper tactics to maintain its monopoly in the PC market. At least one expert said Tuesday that the procedures Intel put into place to avoid the destruction of internal e-mails appeared to be lacking. Of particular concern was Intel’s decision early in the process to make employees responsible for moving relevant e-mail to the hard drives of their computers to avoid having them purged automatically by the e-mail system. “They’re going to have a very hard time defending their process,” Robert Brownstone, law and technology director at the law firm Fenwick & West in San Francisco, said. Whether Intel can convince the judge that it took the proper steps to save evidence is pivotal to avoid dire legal consequences that could result in millions of dollars in fines. Worse, the judge could decide during the trial to instruct the jury that they should assume that the e-mails lost would have been detrimental to Intel’s defense. Such a move could play a role in swaying the jury toward AMD. http://news.yahoo.com/s/cmp/20070307/tc_cmp/197800680 [Editor: Making employees participate in record management programs is essential; while automation can do much, individual action remains necessary in all but the most rigid, centralized companies.]
ASTRONAUT E-MAILS RAISE ACCEPTABLE USE ISSUES (NewsFactor, 7 March 2007) -- The recent release of documents collected during the investigation of the NASA astronaut love triangle is a stark reminder that even in the most disciplined work environment, e-mails can wreak havoc. Shuttle astronaut Lisa Nowak, 43, is charged with attempted kidnapping and burglary with assault. The charges stem from Nowak’s 900-mile trip from Houston to Orlando to confront Air Force Captain Colleen Shipman, 30, a woman now dating Nowak’s former boyfriend and fellow shuttle astronaut Navy Cmdr. William Oefelein, 41. Police believe that Nowak’s decision to travel to Orlando might have been triggered by her discovery of romantic e-mails exchanged by Shipman and Oefelein. Nowak had a key to Oefelein’s apartment, and used it to gain access to his apartment and computer during Super Bowl weekend, when Oefelein and Shipman were traveling. According to NASA Public Affairs Officer John Yembrick, the space agency creates two e-mail accounts for each shuttle crew member, one for work and one for personal communications, and the agency “does its best to ensure that personal e-mail is private.” The police records indicate that both Oefelein and Shipman used Yahoo for their private correspondence. However, as is typical in workplaces around the country, the private messages still traveled through NASA computers. As a result, even private astronaut e-mails are subject to the terms and conditions of the Policy on Use of NASA Information Technology Resources (JSCA 01-060), which was last revised by the agency in September 2001. In addition to prohibiting the use of government I.T. resources for games and chain letters, the NASA policy also bars “the creation, download, viewing, storage, copying, or transmission of ... sexually explicit or sexually oriented materials.” http://news.yahoo.com/s/nf/20070307/tc_nf/50578
HARSH WORDS DIE HARD ON THE WEB - LAW STUDENTS FEEL LASTING EFFECTS OF ANONYMOUS ATTACKS (Washington Post, 7 March 2007) -- She graduated Phi Beta Kappa, has published in top legal journals and completed internships at leading institutions in her field. So when the Yale law student interviewed with 16 firms for a job this summer, she was concerned that she had only four call-backs. She was stunned when she had zero offers. Though it is difficult to prove a direct link, the woman thinks she is a victim of a new form of reputation-maligning: online postings with offensive content and personal attacks that can be stored forever and are easily accessible through a Google search. The woman and two others interviewed by The Washington Post learned from friends that they were the subject of derogatory chats on a widely read message board on AutoAdmit, run by a third-year law student at the University of Pennsylvania and a 23-year-old insurance agent. The women spoke on the condition of anonymity because they feared retribution online. The law-school board, one of several message boards on AutoAdmit, bills itself as “the most prestigious law school admissions discussion board in the world.” It contains many useful insights on schools and firms. But there are also hundreds of chats posted by anonymous users that feature derisive statements about women, gays, blacks, Asians and Jews. In scores of messages, the users disparage individuals by name or other personally identifying information. Some of the messages included false claims about sexual activity and diseases. To the targets’ dismay, the comments bubble up through the Internet into the public domain via Google’s powerful search engine. The students’ tales reflect the pitfalls of popular social-networking sites and highlight how social and technological changes lead to new clashes between free speech and privacy. The chats are also a window into the character of a segment of students at leading law schools. Penn officials said they have known about the site and the complaints for two years but have no legal grounds to act against it. The site is not operated with school resources. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/06/AR2007030602705.html?sub=AR
C-SPAN ALTERS COPYRIGHT OVER PELOSI FLAP (Washington Post, 7 March 2007) -- It turns out that Republicans were right: House Speaker Nancy Pelosi did violate C-SPAN’s copyright by using its televised footage on her blog promoting Democrats. Officials for the cable TV network that provides daily gavel-to-gavel coverage of House and Senate proceedings at first said the blog was in violation, then announced it wasn’t. On Wednesday, they said that it was but that they’re changing their policy so that it won’t be in the future. The new copyright policy will allow non-commercial Internet users to share and post C-SPAN video as long as they attribute it to the public service channel. “Given our background and our history, an open approach is the most consistent with our mission,” said Rob Kennedy, C-SPAN’s president. “We are now saying under the new policy that that will be OK, for her or any blogger or citizen journalist” to post C-SPAN video online. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/07/AR2007030702133.html
VA TO CONTROL, RESTRICT USE OF MOBILE STORAGE DEVICES (GCN, 7 March 2007) -- In the next month, the Veterans Affairs Department will let employees plug into its network only those mobile storage devices issued by the CIO’s office. Robert Howard, VA CIO, yesterday said while his office already mandated these mobile devices, known as thumb drives, be encrypted, he is taking security a step further. He is requiring employees to apply and demonstrate a need for a thumb drive, and have their supervisor sign off on that need before the CIO’s office will issue the thumb drive. Howard is going even farther by issuing only 1G and 2G thumb drives and not allowing anything larger onto the network unless he approves it. “This effort is to drive down the use of thumb drives,” he said after his speech at the Information Processing Interagency Conference sponsored by the Government Information Technology Executive Conference. “This will help us eliminate future problems by shutting down an easy way to take data out of the office.” The mobile storage devices also must be certified under the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2, he added. http://www.gcn.com/online/vol1_no1/43266-1.html?topic=security
CHINA CRACKS DOWN ON ‘VIRTUAL CURRENCY’ TO STOP ILLEGAL USES (SiliconValley.com, 7 March 2007) -- Regulators have ordered Chinese Web sites to limit the use of “virtual money” after concerns that the online credits might be used for money laundering or illicit trade. The order governing credits sold by Web sites to customers to pay for online games and other services comes amid a campaign to tighten official control over China’s online industry. The most popular Chinese online credits are “QQ coins” issued by the Web site Tencent.com, which has 220 million registered users. A man who answered the phone Wednesday in Tencent’s publicity office refused to say how many of the credits it has sold. Financial experts cited by Chinese media said the growing popularity of “QQ coins” could complicate the government’s ability to control the flow of real currency, and the central bank has issued a warning about the use of virtual money. News reports in January said customers are using online credits to gamble, pay for phone-sex services and to shop online. Authorities said they were looking into whether the credits were being used as a way to launder money. Regulators told Web sites to bar the use of credits for buying goods or other unauthorized purposes, according to the order, issued jointly by several ministries. It was sent to Internet companies last month and publicized by state media this week. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16852304.htm
FANTASY LIFE, REAL LAW (ABA Journal, 8 March 2007) -- Beathan Vale was concerned about his local court system, which had only one judge. As a member of the Confederation of Democratic Simulators, he took an active role in the development of his local government in the community of Neufreistadt. Ideally, Vale believed the community’s judicial branch should be modeled to resemble the U.S. Supreme Court. But its lone judge, an English barrister and fellow confederation member named Ashcroft Burnham, favored an English common-law approach. Burnham also got to personally select the court’s new appointees, and the lack of oversight didn’t sit well with Vale. Ultimately Vale prevailed. Neufreistadt rejected Burnham’s court scheme—and the idea that participation be limited to lawyers. Both men meet on a regular basis to discuss—and often debate—the direction of Neufreistadt’s legal system. Yet they have never actually seen each other in person. That’s because Neufreistadt isn’t an actual town, and Vale and Burnham aren’t real people. While they do exist, they do so within the realm of virtual reality, in an expansive cyberworld called Second Life. http://www.abanet.org/journal/redesign/03flife.html [There’s more, including discussion about a SecondLife visit by real-world Judge Posner, and about tax and copyright implications. The ABA’s Cyberspace Law Committee has launched a working group looking at SecondLife legal issues.]
CT RULES THAT SEARCH ENGINES HAVE RIGHT TO REJECT ADS (BNA’s Internet Law News, 8 March 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Delaware has ruled that a search-based advertising service may refuse to carry ads that would make it an unwilling mouthpiece for speech it deems objectionable. Just as newspapers have the right to reject content that goes against their editorial discretion, so too do search engines, Judge Joseph Farnan concluded. The court granted motions by Google Inc. and Microsoft Corp. seeking to dismiss the complaint for failure to state a claim. Case name is Langdon v. Google Inc.
THAT EMAIL YOU JUST FORWARDED MAY BE COPYRIGHTED (Steptoe & Johnson’s E-Commerce Law Week, 8 March 2007) -- One of the blessings -- and curses -- of email is how easy it is to forward information you receive to someone else you think might be interested in it. But did you ever stop to consider that the act of forwarding that email might constitute copyright infringement? According to a recent ruling by a British court, it just might. The England and Wales High Court held that a short business letter between executives of affiliated companies was “an original literary work” protected by copyright, and that when a person in a commercial dispute with the companies got hold of that letter and circulated it, he committed copyright infringement. While the letter in question was of the “snail mail” variety, the court’s reasoning would appear to apply to email as well. The ruling comes just days after a U.S. court ruled that sharing a single-user subscription to an online database could impinge upon the database owner’s copyright (and violate U.S. computer crime and privacy laws). Together, these decisions suggest that people may want to exercise caution before forwarding confidential emails or sharing access to a restricted web site. http://www.steptoe.com/publications-4315.html British ruling at http://www.bailii.org/ew/cases/EWHC/Ch/2007/111.html
SWEDEN EYES MONITORING E-MAIL, CELLPHONE CALLS (Globe & Mail, 8 March 2007) -- Sweden’s government presented a contentious plan Thursday to allow a defense intelligence agency to monitor - without a court order - e-mail traffic and phone calls crossing the nation’s borders. The government insists only a fraction of the electronic communications will be affected, but critics worry the program, designed to combat terrorism and other threats to national security, is too far-reaching. Their concerns resemble criticism of a U.S. surveillance program launched in 2001 that monitors international phone calls and e-mails to or from the United States involving people suspected by the government of having terrorist links. The Swedish proposal, which needs parliamentary approval, would give the National Defence Radio Establishment a green-light to use so-called data mining software to search for sensitive keywords in all phone and e-mail communication passing through cables or wires across the country’s borders. http://www.theglobeandmail.com/servlet/story/RTGAM.20070308.wsweden0308/BNStory/Technology/?page=rss&id=RTGAM.20070308.wsweden0308
ALL MICROSOFT UPDATES PHONE HOME (Heise Security, 8 March 2007) -- Possibly as a reaction to heise Security’s report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not. In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date. By way of justifying Microsoft’s approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information. http://www.heise-security.co.uk/news/86429 Microsoft’s privacy statement (from the update installer) at: http://update.microsoft.com/windowsupdate/v6/privacy.aspx
PATENT OFFICE CLAIMS FILESHARING A THREAT TO USER PRIVACY, NATIONAL SECURITY (ArsTechnica, 8 March 2007) -- The United States Patent Office (USPTO) released a report (PDF) this week that outlines potential privacy and security threats created by common peer-to-peer (P2P) filesharing programs like Limewire and Bearshare. The report describes several P2P software features that allegedly lead to inadvertent distribution of sensitive files and information. Citing concerns for user privacy and national security, the report insists that the mechanisms responsible for instances of inadvertent sharing should be studied in greater detail. Specifically, the report addresses “search-wizard” features, which can scan the contents of a user’s hard drive in order to automatically select folders to share on P2P networks, “partial-uninstall” features, which cause programs to remember which folders are shared even after the program has been removed and installed again, and “coerced-sharing” features, which cause programs to share downloaded files by default. The report argues that these features are designed to compel users to share files without the knowledge or consent of the user even in cases where the features can be disabled or can only be enabled by user intervention. Furthermore, the report claims that P2P programs do not sufficiently disclose the potential for inadvertent redistribution. So how do filesharing applications constitute a threat to national security? 
According to the report, P2P filesharing software could “compromise national security because government employees using these programs would inadvertently share files containing sensitive or classified data.” The report cites a 2005 study conducted by the Department of Homeland Security, which claims that “there are documented incidents of P2P file sharing where Department of Defense sensitive documents have been found on non-US computers with no protection against hostile intelligence.” Does filesharing threaten to clog the tubes with classified documents? It may be that the government’s lax computer security standards deserve more blame than P2P programs with lousy default settings. http://arstechnica.com/news.ars/post/20070308-patent-office-claims-filesharing-a-threat-to-user-privacy-national-security.html USPTO report at http://www.uspto.gov/web/offices/dcom/olia/copyright/oir_report_on_inadvertent_sharing_v1012.pdf
JUDGE TOSSES MORGAN STANLEY SUIT THAT FEATURED EMBARRASSING E-MAILS (Advisen, 10 March 2007) -- A judge has dismissed all but one count of a sensational lawsuit against Morgan Stanley in which a former technology manager claimed he was fired for uncovering a series of embarrassing e-mails that cast doubt on the ethics and judgment of senior managers at the bank. In ruling on the suit, U.S. District Court Judge Thomas Griesa said the plaintiff, Arthur Riel, was not wrongfully dismissed in part because Morgan Stanley house rules forbidding retaliation against whistleblowers are not legally binding. “This is not a contractual promise on the part of Morgan Stanley,” Griesa wrote. Riel, a former IT employee who managed Morgan Stanley’s e-mail archive, said he was fired for uncovering the e-mails while performing his duties. Some of the e-mails entered as evidence in the case showed Morgan Stanley chief technology officer Guy Chiarello currying favor with IT vendors to obtain premium sports tickets and lavish junkets. They also showed Morgan Stanley execs pressuring the firm’s IT department to buy from vendors from whom they hoped to win investment banking business. In a ruling handed down in mid-February, Griesa dismissed seven of the eight causes of action that Riel filed against Morgan Stanley, most of them related to his termination. The remaining cause of action, an allegation of breach of contract, was left standing by Griesa. Morgan Stanley may not have heard the last from Riel, however. Records in U.S. District Court for Southern New York show that he has filed an amended complaint that contains many of his original allegations. https://www.advisen.com/HTTPBroker?action=jsp_request&id=articleDetailsNotLogged&resource_id=61672526
F.B.I. HEAD ADMITS MISTAKES IN USE OF SECURITY ACT (New York Times, 10 March 2007) -- Bipartisan outrage erupted on Friday on Capitol Hill as Robert S. Mueller III, the F.B.I. director, conceded that the bureau had improperly used the USA Patriot Act to obtain information about people and businesses. Mr. Mueller embraced responsibility for the lapses, detailed in a report by the inspector general of the Justice Department, and promised to do everything he could to avoid repeating them. But his apologies failed to defuse the anger of lawmakers in both parties. “How could this happen?” Mr. Mueller asked rhetorically in a briefing at the headquarters of the Federal Bureau of Investigation. “Who is to be held accountable? And the answer to that is I am to be held accountable.” The report found many instances when national security letters, which allow the bureau to obtain records from telephone companies, Internet service providers, banks, credit companies and other businesses without a judge’s approval, were improperly, and sometimes illegally, used. Moreover, record keeping was so slipshod, the report found, that the actual number of national security letters exercised was often understated when the bureau reported on them to Congress, as required. The repercussions were felt far beyond Mr. Mueller’s office. Democratic lawmakers, newly in control of Congress, promised hearings on the problems. Several Republicans expressed anger and dismay, as well. http://www.nytimes.com/2007/03/10/washington/10fbi.html?ex=1331182800&en=847be951c66383bf&ei=5090&partner=rssuserland&emc=rss -- and -- A REVIEW OF THE FEDERAL BUREAU OF INVESTIGATION’S USE OF NATIONAL SECURITY LETTERS (FBI’S Office of Inspector General, March 2007) http://www.usdoj.gov/oig/special/s0703b/final.pdf
STUDY: MOST FEDERAL AGENCIES FAIL TO USE WEB FOR ACCESS TO RECORDS (SiliconValley.com, 12 March 2007) -- Federal agencies have dragged their feet on implementing a 10-year-old law that requires them to use the Internet to make government documents easily available, a new study says. The result is the public is blocked from easier access to information, the report says, and the cost of answering information requests is driven up. The study by the National Security Archive, for official release on Monday, found widespread failure among federal agencies to follow the Electronic Freedom of Information Act amendments that took effect in 1997. The changes constituted some of the most significant modernizations of the original 40-year-old law that first guaranteed citizens the right to government information. “Federal agencies are flunking the online test and keeping us in the dark,” said Thomas Blanton, director of the independent, non-governmental Washington-based research institute. The study was funded by the John S. and James L. Knight Foundation, which focuses on journalism. The archive’s review of all 91 federal agencies with chief FOIA officers, along with 58 components of agencies (like the Air Force within the Department of Defense) that handle more than 500 documents a year, found:
-- Just 22 percent of federal agencies and components fully followed the law and posted on the Web all the required categories of documents (agency opinions and orders; frequently requested records; policy statements; staff guidance).
-- Just over one-third of agencies and components provided an index of their records, as required, to help locate documents.
-- Only a quarter of agencies and components provided online forms for submitting FOIA requests.
Many of the record-related Web links that do exist are wrong or missing. One FOIA fax number actually rang in the maternity ward of a military base hospital, Blanton said. A few agencies bucked the trend and showed the benefits of using the Internet, particularly the Education Department and the National Aeronautics and Space Administration, the study found. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16886085.htm
POWER OF THE INTERNET USED IN A GUANTANAMO BAY CASE (Law.com, 12 March 2007) -- The power of the Internet, most people would agree, is awesome, but has it done what the federal courts may no longer have jurisdiction to do -- helped to free a possibly innocent man held at Guantanamo Bay? The Department of Defense on Feb. 24 informed the Office of Federal Public Defender in Portland, Ore., that three of its detainee clients were now “eligible for transfer,” or are eligible to leave the island prison. One of those three is Adel Hamad, a native of Sudan declared an enemy combatant by the U.S. government whose life and legal case formed the centerpiece of what one Internet expert describes as a “visionary” video filmed and posted on YouTube by his lawyers in the Federal Public Defender’s Office. Steve Wax, head of the Portland office, said he “would only be speculating” about any impact that the video may have had on the Department of Defense’s decision. Its notice, he said, does not make clear what exactly will happen to his clients. “It’s just too early to say,” said Wax. “We are attempting to determine what the next steps are to get our clients home as quickly as possible.” The Department of Defense did not return a phone call seeking comment on the case. When the YouTube video of Hamad was posted, Wax expressed the hope “that if enough people in positions to make decisions see the information about Mr. Hamad and they hear from other people in the country or around the world questions or expressions of concern, one of them may look again at his situation.” http://www.law.com/jsp/article.jsp?id=1173434604447&rss=newswire
HUNT ON EBAY FOR AUSTRALIAN TAX DODGERS (Australian IT, 13 March 2007) -- EBAY has handed over the personal and financial details of hundreds of its top sellers to the Australian Taxation Office. The ATO has asked for the details of eBay sellers with an annual turnover of more than $50,000. The request is understood to be part of an ATO audit to determine if sellers are avoiding GST, and could affect up to 1000 customers. EBay Australia managing director Simon Smith said the ATO had requested data for the period July 1, 2003, to June 30 last year. The request was made a month ago and sellers were informed by email yesterday. At least one seller is known to have gone into liquidation this year after a related ATO probe. EBay provided to the ATO information including members’ contact names, seller user names, phone numbers, duration of membership and monthly sales turnover for the periods in question. Mr Smith said the data had been provided in compliance with eBay’s privacy policy. One seller whose data had been requested by the ATO told The Australian the audit would help rid eBay of unscrupulous sellers. Donna Kelly, who operates online clothing store Bonditopsellers, said that by not claiming GST on sales, some sellers were undercutting more legitimate operators. http://australianit.news.com.au/articles/0,7204,21371941%5E15306%5E%5Enbv%5E,00.html
FORGET HACKERS; COMPANIES RESPONSIBLE FOR MOST DATA BREACHES, STUDY SAYS (Computerworld, 14 March 2007) -- In the five minutes it might take to read this article, about 672 electronic records containing confidential information will be compromised. By year’s end, more than 72 million records with Social Security numbers, credit card numbers, birth dates and other personal data will have been exposed. That rate is about 200,000 more records per month than last year. And the main culprit is not the oft-vilified rogue hacker, but corporate America, according to a new study by the University of Washington, Seattle. That conclusion is based on a review of 550 security breaches reported in major U.S. news media outlets from 1980 to 2006. The goal of the study was to examine the role of organizational behavior in privacy violations. It showed that internal foul-ups such as putting personally identifiable information accidentally online, missing equipment, lost backup tapes or other administrative errors were responsible for 61% of the incidents. In contrast, just 31% of the incidents were perpetrated by external hackers; 9% had unspecified causes. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=14&articleId=9013142&intsrc=hm_topic
WHOSETUBE? VIACOM SUES GOOGLE OVER VIDEO CLIPS (New York Times, 14 March 2007) -- Since it bought YouTube last October, Google has been chasing deals that would give it the right to put mainstream video programming on the site. Just a few weeks ago, Google’s chief executive, Eric E. Schmidt, seemed confident that this courtship of old-line media companies would prove fruitful. Now Google has hit a wall. Viacom, the parent company of MTV, Nickelodeon and Comedy Central, filed a wide-ranging lawsuit against Google on Tuesday, accusing it of “massive copyright infringement.” Viacom said it was seeking more than $1 billion in damages and an injunction prohibiting Google and YouTube from committing further infringement. Citing the $1.65 billion that Google paid for YouTube, the complaint said that “YouTube deliberately built up a library of infringing works to draw traffic to the YouTube site, enabling it to gain a commanding market share, earn significant revenues and increase its enterprise value.” The complaint was filed in United States District Court in New York. Google said it was still reviewing the lawsuit but repeated past assertions that copyright law shields it from liability for clips posted by its users. http://www.nytimes.com/2007/03/14/technology/14viacom.html?ex=1331524800&en=07783066fd80b464&ei=5090&partner=rssuserland&emc=rss Complaint at http://online.wsj.com/public/resources/documents/Viacom031207.pdf
-- and --
DMCA ABUSER APOLOGIZES FOR TAKEDOWN CAMPAIGN (EFF, 14 March 2007) -- Michael Crook, the man behind a string of meritless online copyright complaints, has agreed to withdraw those complaints, take a copyright law course, and apologize for interfering with the free speech rights of his targets. The agreement settles a lawsuit against Crook filed by the Electronic Frontier Foundation (EFF) on behalf of Jeff Diehl, the editor of the Internet magazine 10 Zen Monkeys. Diehl was forced to modify an article posted about Crook’s behavior in a fake sex-ad scheme after Crook sent baseless Digital Millennium Copyright Act (DMCA) takedown notices, claiming to be the copyright holder of an image used in the story. In fact, the image was from a Fox News program and legally used as part of commentary on Crook. But Crook repeated his claims and then attempted to use the same process to get the image removed from other websites reporting on his takedown campaign. “Crook’s legal threats interfered with legitimate debate about his controversial online behavior,” said EFF Staff Attorney Jason Schultz. “Public figures must not be allowed to use bogus copyright claims to squelch speech.” In addition to withdrawing current complaints against Diehl and every other target of his takedown campaign and taking a copyright law course, Crook has also agreed to limit any future DMCA notices to works authored or photographed by himself or his wife, or where the copyright was specifically assigned to him. All future notices must also include a link to EFF information on his case, as well as the settlement agreement. Crook has also recorded a video statement to apologize and publicize the dangers of abusing copyright law. “We’re pleased that Crook has taken responsibility for his egregious behavior,” said EFF Staff Attorney Corynne McSherry. 
“Hopefully, this will set a precedent to prevent future abuse of the law by those who dislike online news-reporting and criticism.” The settlement with Michael Crook is part of EFF’s ongoing campaign to protect online free speech from the chilling effects of bogus intellectual property claims. EFF recently filed suit against the man who claims to have created the popular line dance “The Electric Slide” for misusing copyright law to remove an online documentary video that included footage of people trying to do the dance. http://www.eff.org/news/archives/2007_03.php#005161
GOOGLE AIMS TO BOLSTER PRIVACY OF WEB SURFER DATA (Reuters, 15 March 2007) -- Google Inc., faced with a mountain of data on its users’ Web search habits, is taking steps to bolster consumer privacy protections in coming months, the company said late on Wednesday. The world’s leading provider of Web search said it is taking steps to anonymize, or obscure details, after 18 to 24 months on the surfing habits of tens of millions of Web users that could potentially be used to identify individuals. The Mountain View, California-based company collects information on Web searches, such as the keyword queries, Internet addresses and “cookies” used by Web sites and advertisers, to track Web surfing habits. “Previously, we kept this data for as long as it was useful,” Google officials said in statement to be made public on Thursday but provided to reporters on Wednesday. “Unless we’re legally required to retain log data for longer, we will anonymize our server logs after a limited period of time.” Google plans to implement the policy within the next year, it said. In order to keep Google search as easy and convenient to Web surfers as they repeatedly return to Google’s search site, the company said it is necessary to keep limited personal details that tie a user to a computer so that Google’s computers can tailor the search to the user’s interests. In promising to make these mounds of personal data anonymous after a period of up to two years, the company is responding to fears expressed by privacy advocates and some government regulators in the United States and Europe at the privacy dangers if such data were ever publicly exposed. Google also said it was taking additional steps to design privacy protections into Google products. 
These include an “off the record” feature in its Google Talk instant message system making it easier for users to temporarily disable the automatic archiving of conversations, and a “pause” feature in its Google Desktop software, which scours the contents of a user’s computer to make it easier to search for documents or other information. Google cautioned that data retention laws in some national or regional jurisdictions could obligate Google to retain Web server logs at some point in the future. http://news.yahoo.com/s/nm/20070315/wr_nm/google_privacy_dc_2
COURT: BERTELSMANN DOESN’T HAVE TO DISCLOSE COMMUNICATIONS IN NAPSTER SUIT (SiliconValley.com, 15 March 2007) -- A federal appeals court said Wednesday that a major European media company does not have to disclose its lawyers’ private communications in connection with a $50 million loan to Napster in 2001. The ruling is part of an ongoing lawsuit by major record companies against German-based Bertelsmann AG. Universal Music Group, EMI Group PLC and others allege Bertelsmann did more than just write checks to Napster in a bid to gain a financial interest in Napster and change it into a law-abiding service. The record companies’ lawsuit claims Bertelsmann is liable for copyright infringement because it invested in a company that was openly allowing copyright infringement. Napster allowed users to browse each other’s MP3 music collections stored on their computers and pluck liberally from them, sharing and swapping 24 hours a day for free. The original Napster went off-line in 2001 after a series of court rulings. The record companies then sued Bertelsmann, and among other things wanted to see the company lawyers’ internal accounts about the loan, arguing that Bertelsmann took control of Napster and directed the infringing activities. On Wednesday, the 9th U.S. Circuit Court of Appeals overturned a lower court judge who ordered the documents to be turned over as part of the ongoing lawsuit. Attorney-client privilege can be punctured if attorneys aided in a crime or fraud, but the appeals court found that the evidence did not support a so-called “crime-fraud exception” to the privilege. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16907646.htm
SERVICE PROVIDERS’ CDA SHIELD WITHSTANDS TWO NEW ATTACKS (Steptoe & Johnson’s E-Commerce Law Week, 15 March 2007) -- Plaintiffs’ search for chinks in websites’ Communications Decency Act (CDA) armor continues. Section 230(c)(1) of the CDA has been interpreted as giving websites and other “provider[s] or user[s] of an interactive computer service” broad immunity from suits that “treat[]” them as the “publisher or speaker of any information provided by another information content provider.” Some plaintiffs have tried to pierce, or circumvent, this shield by focusing on websites’ operational policies and practices as distinct from their “editorial” functions. But two courts recently rejected this novel theory. In Universal Communication Systems, Inc. v. Lycos, Inc., the First Circuit turned away plaintiffs’ contention that “the construct and operation of Lycos’s web sites contributed to the proliferation of misinformation,” finding that Lycos’ choice of “registration process” and “link structure” was “an editorial decision” protected by Section 230. And in Doe v. MySpace, Inc., a federal court in Texas found that plaintiffs’ suit was “based on MySpace’s editorial acts,” not its alleged “negligent failure to take reasonable safety measures to keep young children off of its site,” and therefore granted the social networking site’s motion to dismiss. These rulings suggest that even if a website’s use policies or technical features permit the posting of inaccurate and harmful information, website operators should still be able to claim CDA immunity for content posted by third parties. http://www.steptoe.com/publications-4333.html Universal case at http://www.steptoe.com/assets/attachments/2893.pdf; Doe case at http://www.steptoe.com/assets/attachments/2894.pdf
COLORADO WOMAN SUES TO HOLD WEB CRAWLERS TO CONTRACTS (Information Week, 16 March 2007) -- Computers can enter into contracts on behalf of people. The Uniform Electronic Transactions Act (UETA) says that a “contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents’ actions or the resulting terms and agreements.” This presumes a prior agreement to do business electronically. So what constitutes such an agreement? The Internet Archive, which spiders the Internet to copy Web sites for posterity (unless site owners opt out), is being sued by Colorado resident and Web site owner Suzanne Shell for conversion, civil theft, breach of contract, and violations of the Racketeering Influence and Corrupt Organizations act and the Colorado Organized Crime Control Act. Shell’s site states, “IF YOU COPY OR DISTRIBUTE ANYTHING ON THIS WEB SITE, YOU ARE ENTERING INTO A CONTRACT,” at the bottom of the main page, and refers readers to a more detailed copyright notice and agreement. Her suit asserts that the Internet Archive’s programmatic visitation of her site constitutes acceptance of her terms, despite the obvious inability of a Web crawler to understand those terms and the absence of a robots.txt file to warn crawlers away. A court ruling last month granted the Internet Archive’s motion to dismiss the charges, except for the breach of contract claim. In a post on law professor Eric Goldman’s Technology & Marketing Law blog, attorney John Ottaviani, a partner at Edwards & Angell in Providence, R.I., says the issue is “whether there was ‘an adequate notice of the existence of the terms’ and a ‘meaningful opportunity to review’ the terms.” http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198001674
UW WARNS MUSIC SHARERS (Badger Herald, 19 March 2007) -- The University of Wisconsin went against the national trends Friday by warning students about its policy regarding illegal file sharing but refusing to forward settlement letters to violators from the Recording Industry Association of America. According to Brian Rust, communications manager for the UW Division of Information Technology, the university sent an e-mail reminding students of the “appropriate use guidelines” for downloading to protect them from what could amount to thousands of dollars in out-of-court settlements. “These settlement letters are an attempt to short circuit the legal process to rely on universities to be their legal agent,” Rust said. “It basically says, you are illegally downloading and/or sharing information; and before we take legal action, you can remedy this situation and pay for the music or movies that you’ve downloaded.” Rust said DoIT receives about 10 to 20 cease-and-desist notices per day, which they are obligated to forward to their users. The notices are only warnings, Rust added, but the settlement letters brought on by the Recording Industry Association of America are more of a threat. The settlements are usually around $700 per instance, but could be as much as $3,500, according to Rust. “So you can imagine some people have probably come to that website with their credit card and paid it,” Rust said. “We do not want to be a party to that; we are not the legal agent for the recording agency, nor do we aspire to (be).” http://badgerherald.com/news/2007/03/19/uw_warns_music_share.php
HERDING THE MOB (Wired, March 2007) -- John and Nina Swanson run a business selling vintage postcards on eBay. To keep customers happy, the Swansons reply to buyers promptly and ship on time. This policy is reflected in their eBay feedback score — a rating based on responses to prior transactions. Positive comments are scored as one point. Neutral and negative remarks are recorded as zero and negative one, respectively. The Swansons have a score of over 2,000. Six years ago, University of Michigan information studies professor Paul Resnick asked the couple to participate in an experiment. Resnick wanted the Swansons to continue selling postcards through their established profile, but also to offer the same goods and services through seven fake identities. Initially these bogus profiles would have no reputation; later they would be given negative scores. The Swansons agreed. After 470 auctions, Resnick found that the Swansons’ main account, with its high customer rating, earned an average of 8.1 percent more per transaction than the fakes. It was the first hard proof that a feedback score — a number generated by a collection of unrelated people — carries quantifiable real-world value. “What we’re seeing here is a new kind of trust,” Resnick says. “It’s a kind of impersonal trust geared to situations with lots of interactions among strangers.” In other words, the crowd matters. Today we harness the masses for everything from choosing the next pop star on American Idol to perfecting open source software and assembling Wikipedia articles. But perhaps the most widespread and vital uses for group input online are in scoring systems. In addition to eBay feedback, these are the customer ratings that Amazon.com and Yahoo Shopping post with product reviews. They’re the feedback scores that Netflix tallies to help subscribers decide which movies to order. 
And they’re the up-or-down votes that sites like Digg and Reddit (part of the Wired Media Group, which also includes WIRED magazine) rely on to determine which stories to feed Web surfers. But as rating systems have become more popular — and, as Resnick shows, valuable — there has been what some would say is a predictable response: the emergence of scammers, spammers, and thieves bent on manipulating the mob. Call it crowdhacking. http://www.wired.com/wired/archive/15.03/herding.html
SOFTWARE PROVIDER LIABLE FOR UNAUTHORIZED PRACTICE OF LAW IN NINTH CIRCUIT (Findlaw.com, March 2007) -- Legal software vendors beware! The Ninth Circuit recently held that a seller of web-based bankruptcy software qualified as a bankruptcy petition preparer and, as such, engaged in fraud and the unauthorized practice of the law. Any provider of software that claims to “know the law” and offers automated form selection should examine this decision closely to make sure their activities are within legal boundaries. The suit, Frankfort Digital Services v. Kistler (In re: Reynoso), arose out of a bankruptcy proceeding, during which the petitioner paid to use browser-based software that prepared his bankruptcy petition based on information he provided. The product’s web site explained that the software would choose which bankruptcy exemptions to apply for and remove any need for the petitioner to individually select which schedule to use for the various pieces of information involved. During the first meeting with the petitioner’s creditors, the Chapter 7 trustee noticed mistakes, learned about the software and filed an adversary action against the software vendor alleging violations of 11 U.S.C. section 110. This action added to the list of section 110 proceedings against the software vendor, which had already run afoul of several other Chapter 7 trustees. The bankruptcy court held that collateral estoppel prevented the vendor from challenging its status as a “bankruptcy petition preparer engaged in the unauthorized practice of law,” since a previous case had gone against the vendor on this point. The Bankruptcy Appellate Panel of the 9th Circuit agreed with the bankruptcy court and affirmed based on issue preclusion. The regular Ninth Circuit panel decided to address the merits of the case, however, after accepting defendant’s argument that the website had changed since the previous case was decided. 
The court found that the vendor indeed qualified as a bankruptcy petition preparer, which was the first time that the Ninth Circuit had determined that a software-provider could qualify as such. Since bankruptcy petition preparers are, by definition, not attorneys, the court’s next step was to examine California law to determine whether the vendor engaged in the unauthorized practice of the law. http://technology.findlaw.com/articles/00006/010710.html Case at http://caselaw.lp.findlaw.com/data2/circs/9th/0417190p.pdf
BIG SISTER CLINTON (2.0) (New York Times, 19 March 2007) -- Wondering what this presidential campaign might look like in the world of “Web 2.0” social networking sites? We have our answer: The buzz-generating Internet ad featuring Senator Hillary Rodham Clinton as a scary Big Brother figure, conducting her presidential campaign “conversation” on a giant screen to drone-like humans. The ad, a near-copy of an Apple spot for Macintosh in 1984, has drawn more than 438,00 viewers on YouTube in the last two weeks, (and linked by hundreds of blogs), showing the potential reach of such guerilla ad campaigns. It ends with a female athlete (who seems to be wearing an iPod) smashing the screen image of Mrs. Clinton’s face with a hammer. Then these words appear — “On January 14th the Democratic primary will begin. And you’ll see why 2008 isn’t going to be like ‘1984′” — followed by the closing text, BarackObama.com. Mr. Obama’s camp has disavowed responsibility for the ad, although there are links to it on community pages on Mr. Obama’s Web site. (And, it was apparently mashed by a 59-year-old with the YouTube username ParkRidge47; Mrs. Clinton was born in 1947 and grew up in Park Ridge, Ill., by the way.) A spokesman for Mrs. Clinton had no comment. http://thecaucus.blogs.nytimes.com/2007/03/19/big-sister-clinton-20/ YouTube clip at http://www.youtube.com/watch?v=6h3G-lMZxjo; creator unmasked: http://www.newsday.com/news/nationworld/nation/ny-usdems225139825mar22,0,1775351.story?coll=ny-uspolitics-headlines
CYBERSQUATTING COMPLAINTS RISE 25 PERCENT, U.N. SAYS (SiliconValley.com, 21 March 2007) -- The U.N. copyright agency that arbitrates more than half the world’s “cybersquatting” cases saw a 25 percent increase in complaints last year. The World Intellectual Property Organization received 1,823 complaints in 2006 alleging abusive registrations of trademarks as Internet domain names. The growing number of professional domain name dealers who use computer software that automatically registers expired domain names or temporarily registers them without paying charges, is of concern to trademark owners, WIPO said. Since 1999, WIPO has decided in favor of the complainant in 84 percent of all cases. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16888915.htm
INSURANCE COMPANY REFUSES TO COVER LAW FIRM’S BLOG (Computerworld, 22 March 2007) -- A law firm in New Jersey has temporarily halted plans to launch a blog because its insurance company would not cover the blog under an existing malpractice insurance policy. James Paone, a partner at Lomurro, Davison, Eastman and Munoz in Freehold, N.J., said that the firm’s insurer -- The Chubb Corp. -- said several weeks ago that it would not add the blog to the existing policy. “We were in the process of beginning to set up a blog, having internal discussions about what areas of law would be the subjects,” he said. “We wanted to cover the first base, which is [Chubb’s] coverage. Our insurance carrier said [a blog] is not a risk they were interested in insuring. The entire discussion stopped.” Paone said his firm contacted Chubb to ask about insurance coverage in case someone tried to sue it over content in the blog. Now, the law firm is in the process of setting up a meeting with Chubb “so we can understand what their rationale is for saying they weren’t interested in covering that kind of risk,” Paone said. Chubb did not immediately respond to a request for comment. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014061&source=rss_topic146
CT RULES ADVERTISER CAN BE VICARIOUSLY LIABLE UNDER CAN-SPAM (BNA’s Internet Law News, 22 March 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Arizona has ruled that an advertiser can be held vicariously liable for a marketing partner’s CAN-SPAM Act violations if the advertiser had the ability to control the actions of the partner and it knew, or should have known, that the partner was violating the law. Case name is United States v. Cyberheat Inc.
NET PORN BAN FACES ANOTHER LEGAL SETBACK (CNET, 22 March 2007) -- Congress’ efforts to muzzle pornography on the Web were dealt another serious setback on Thursday, when a federal judge ruled a 1998 law was unconstitutional and violated Americans’ First Amendment rights. U.S. District Judge Lowell Reed in Philadelphia permanently barred prosecutors from enforcing the Child Online Protection Act, or COPA, saying it was overly broad and would undoubtedly “chill a substantial amount of constitutionally protected speech for adults.” The lawsuit was filed by the American Civil Liberties Union. Even though politicians enacted COPA nearly a decade ago as part of an early wave of Internet censorship efforts, the courts have kept it on ice and it has never actually been enforced. The law makes it a crime for commercial Web sites to make “harmful to minors” material publicly available, with violators fined up to $50,000 and imprisoned for up to six months. Because of an odd legal twist, COPA has been bouncing around the legal system without a final resolution. The law already has been reviewed by the U.S. Supreme Court once--which agreed with a temporary ban on enforcement--but the justices said they wanted more information about the current state of filtering technology and stopped short of a definitive ruling on its constitutionality. Reed’s 84-page opinion (PDF) appears to be intended to provide ample grounds for the Supreme Court to strike down the law for good. The opinion includes a detailed review of the current state of filtering technology and concludes the programs are “fairly easy to install” and are “more effective than ever before.” http://news.com.com/2100-1030_3-6169621.html Decision at http://www.paed.uscourts.gov/documents/opinions/07D0346P.pdf
METADATA MINEFIELD (ABA Journal, 23 March 2007) -- One of the first things Vincent Polley does after receiving a document from opposing counsel is look for metadata, the hidden information embedded in computer files. “When I get a document, I take a look for a couple of things, like who it was written by and the number of revisions it went through,” says Polley, who practices information technology law at Dickinson Wright in Bloomfield Hills, Mich., and serves on the council of the ABA Section of Business Law. “You can learn a lot about what someone is sending you that you can’t see by just looking at a document.” The potential value of metadata is hard to ignore. The Pentagon, the British government and a number of public figures were all embarrassed when metadata revealed that their public statements were at odds with private communications. Drug giant Merck was found to have altered data about its drug Vioxx through metadata mining, which helped plaintiffs in a lawsuit argue that the company had been deceptive about the drug’s safety. To Polley’s thinking, a lawyer is being remiss if he or she doesn’t look at metadata. But is snooping for hidden data in electronic documents from the other side also unethical, or at least a bit unseemly? While views on that question are divided, the ABA recently weighed in with an ethics opinion concluding that metadata is essentially fair game. The ABA Model Rules of Professional Conduct “do not contain any specific prohibition against a lawyer’s reviewing and using embedded information in electronic documents,” states the Standing Committee on Ethics and Professional Responsibility in Formal Opinion 06-442 (Aug. 5, 2006). The Model Rules serve as the basis for most state ethics codes for lawyers. Of the handful of states that have tackled the metadata issue so far, at least two have taken positions at odds with the ABA opinion. 
An opinion issued in 2001 by the New York State Bar Committee on Professional Ethics prohibits attorneys from using computer technology to “surreptitiously obtain privileged or otherwise confidential information” of an opposing party. (Opinion 749, issued Dec. 14, 2001.) The opinion cites New York’s equivalent to ABA Model Rule 8.4, which prohibits a lawyer from engaging in conduct “involving dishonesty, fraud, deceit or misrepresentation” or that is “prejudicial to the administration of justice.” The ABA’s ethics committee concluded that Model Rule 8.4 does not apply to a lawyer’s use of information that was received inadvertently. http://www.abanet.org/journal/redesign/04ethics.html
****RESOURCES****
FTC UNVEILS PRACTICAL SUGGESTIONS FOR BUSINESSES ON SAFEGUARDING PERSONAL INFORMATION (FTC, 8 March 2007) -- The Federal Trade Commission is offering a new guide for businesses with practical suggestions on safeguarding sensitive data. The 24-page brochure can help businesses of all sizes protect their customers’ and employees’ personal information. FTC Chairman Deborah Platt Majoras unveiled the guide today at the Privacy Summit of the International Association of Privacy Professionals in Washington, DC, where she received the Privacy Leadership Award on behalf of the agency. “Information security cannot be an afterthought for businesses,” said Majoras. “Consumers expect and deserve to have their sensitive personal information kept secure.” http://www.ftc.gov/opa/2007/03/businessguidance_pii.htm Guide at http://www.ftc.gov/infosecurity/
HOW TO SURF ANONYMOUSLY WITHOUT A TRACE (ComputerWorld, 12 March 2007) -- The punchline to an old cartoon is “On the Internet, nobody knows you’re a dog,” but these days, that’s no longer true. It’s easier than ever for the government, Web sites and private businesses to track exactly what you do online, know where you’ve visited, and build up comprehensive profiles about your likes, dislikes and private habits. And with the federal government increasingly demanding online records from sites such as Google and others, your online privacy is even more endangered. But you don’t need to be a victim. There are things you can do to keep your surfing habits anonymous and protect your online privacy. So read on to find out how to keep your privacy to yourself when you use the Internet, without spending a penny. http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9012778 [Editor: My source for this article is a leading IT expert, who also wrote “I tried the privacy.net test (at http://www.privacy.net/analyze/). It was revealing, not to overload the word.”]
ARE YOU ON THE NO FLY LIST, TOO? (The Huffington Post, 2 March 2007) -- A few years after the Department of Homeland Security developed its No Fly List and No Fly Watch or “Selectee” List, the Washington Post and San Francisco Chronicle reported the screening system was based on an algorithm known as Soundex. A crude, antiquated algorithm developed in 1918 to analyze U.S. Census data, Soundex is based on the English language and, as a result, has a few deficiencies when it comes to trying to match Arabic names. Soundex works, generally, by removing vowels from names and then assigning numerical values to the remaining consonants. This has been the basis for the Computer Assisted Passenger Pre-Screening System (CAPPS) and it is horrendously inadequate and matches far too many names. To see just how poorly Soundex performs, visit http://nofly.s3.com and type in your name to assess your chances of being on the No Fly or Watch List. This is the only known publicly available site for checking your name against potential terrorist identities and databases. http://www.huffingtonpost.com/jim-moore/are-you-on-the-no-fly-lis_b_42443.html
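To make the over-matching concrete, here is the standard American (census) Soundex rule set written out, with a check that groups names sharing a code. This is an added example, not code from the article or from the nofly site it mentions; the sample names are constructed, and the matcher simply compares codes the way a Soundex-based list lookup would.

```python
"""Standard American Soundex, written here to show why a Soundex-based
name match over-matches: many different spellings (and many unrelated
names) collapse to the same four-character code.

Added example; not code from the article or the site it mentions. It
implements the usual census Soundex rules: first letter kept, H and W
transparent, vowels separate repeated codes, pad/truncate to 4 characters.
"""

from collections import defaultdict

# Consonant classes of American Soundex. Vowels, Y, H and W get no digit.
_SOUNDEX_CODES = {}
for _digit, _letters in (("1", "BFPV"), ("2", "CGJKQSXZ"), ("3", "DT"),
                         ("4", "L"), ("5", "MN"), ("6", "R")):
    for _ch in _letters:
        _SOUNDEX_CODES[_ch] = _digit


def soundex(name: str) -> str:
    """Return the 4-character Soundex code of `name`, or "" if it has no letters."""
    letters = [ch for ch in name.upper() if "A" <= ch <= "Z"]
    if not letters:
        return ""
    out = letters[0]
    # The first letter is kept verbatim, but its class still suppresses an
    # immediately following letter of the same class (Pfister -> P236).
    prev = _SOUNDEX_CODES.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":
            continue            # H and W neither code nor separate repeats
        code = _SOUNDEX_CODES.get(ch, "")
        if code and code != prev:
            out += code
        prev = code             # a vowel resets prev, so a repeat after it counts
    return (out + "000")[:4]


def soundex_match(a: str, b: str) -> bool:
    """The kind of comparison a Soundex-based screening lookup makes."""
    code_a = soundex(a)
    return code_a != "" and code_a == soundex(b)


def collision_groups(names):
    """Map each Soundex code to the distinct names sharing it, keeping only
    codes carried by more than one name (the false-positive sets)."""
    groups = defaultdict(set)
    for n in names:
        groups[soundex(n)].add(n)
    return {code: sorted(ns) for code, ns in groups.items() if len(ns) > 1}


def code_space_size() -> int:
    """Upper bound on distinct codes: 26 initials x 7 values (0-6) in each
    of the three digit positions. Every name in the world maps into these."""
    return 26 * 7 ** 3


if __name__ == "__main__":
    # Constructed sample: transliteration variants plus unrelated names.
    sample = ["Mohammed", "Muhammad", "Mohamed", "Mahmoud", "Smith", "Smythe",
              "Schmidt", "Lee", "Law", "Lu", "Robert", "Rupert", "Madden"]
    for code, names in sorted(collision_groups(sample).items()):
        print(code, "<-", ", ".join(names))
    print("distinct codes possible:", code_space_size())
```

Running it shows the four Mohammed variants sharing M530, but also Smith, Smythe and Schmidt on S530 and Lee, Law and Lu on L000, which is the over-matching the article complains about.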
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
MIRLN stands for Miscellaneous IT Related Legal News, since 1997 a free monthly e-newsletter edited by Vince Polley (www.knowconnect.com). Earlier editions, and email delivery subscription information, are at http://www.knowconnect.com/mirln/
Friday, March 23, 2007
Friday, March 02, 2007
MIRLN -- Misc. IT Related Legal News [11 February – 3 March 2007; v10.03]
FBI FREEZES FUNDS OF ‘VIRTUAL WALLET’ WEB PAYMENT FIRM (The Guardian, 6 Feb 2007) -- The FBI has frozen funds held in customer accounts at Neteller, the “virtual wallet” payment processor, as part of its case against the firm’s two Canadian founders who were last month arrested and charged with racketeering and money laundering. Neteller refused to disclose how much had been frozen but company filings make clear huge sums were flowing between its US customers’ “e-wallets” and online merchants - particularly gambling websites - up until the firm was pressured to close its American operations in the wake of last month’s arrests. Over a six-month period last year the company processed transactions worth $5.1bn (£2.6bn), with about 85% involving US customers. In the past five years, Neteller came to dominate gambling transactions in America because its e-wallets allowed users to get around credit card blocks on gambling sites. Following the arrests of founders Stephen Lawrence and John Lefebvre, who face up to 20 years in jail if convicted, the decision was quickly taken to shut down US operations. Trading in the company’s shares was also suspended and remains so. The FBI claim JSL Systems, a US-based payment company owned by Mr. Lefebvre, received customer funds in the US for Neteller and then transferred them to accounts held by a Neteller company in Canada. Last month Neteller told the Guardian that wagered money no longer passed through JSL. It is unclear whether the FBI will treat some or all of the funds as proceeds of illegal gambling. One US newspaper report cited Neil Donovan, an FBI agent, saying the funds were being held in court as potential evidence. Some money may be returned to Neteller customers but no timescale was forthcoming, the report said. A spokeswoman for the Department of Justice last night refused to confirm details in the report, as did Neteller. http://technology.guardian.co.uk/news/story/0,,2006709,00.html
DEBUNKING MYTHS ABOUT IDENTITY FRAUD (CNET, 7 Feb 2007) -- It seems that we constantly are hearing horror stories about the perils of rampant identity fraud. However, a recent survey seeks to set the record straight by saying that in the United States, the problem actually is decreasing. Javelin Strategy & Research has just released its Identity Fraud Survey Report. While identifying significant risk differentiators between age and income demographics, the report highlights an important reduction in fraudulent new account openings using private information. Interestingly, the report also says that more fraud happens via physical channels, such as in-person transactions, and by the direct theft of personal data by individuals, rather than taking place online. Let’s drill down a bit into some of the critical findings of the study, which is based on telephone interviews with 5,000 adults. http://news.com.com/Debunking+myths+about+identity+fraud/2010-1029_3-6156841.html?tag=nefd.top Report at http://www.javelinstrategy.com/2007/02/06/identity-fraud-has-dropped-since-2003-survey-shows/#more-613%202007
U.K. DATA THIEVES FACE TWO YEARS IN PRISON (CNET, 7 Feb 2007) -- Individuals who sell or deliberately misuse others’ personal data in the U.K. could now face a penalty of up to two years in prison. The previous penalty stipulated for the charge in the Data Protection Act 1998 was a fine. Now data thieves risk up to six months in prison for a summary conviction, while for a conviction on indictment, they could get up to two years, the U.K. Department for Constitutional Affairs said Wednesday. The change comes as the British government moves to increase data sharing as a way of offering higher-quality public services to citizens. http://news.com.com/2100-1029_3-6157219.html
MASS. AG LEADS MULTISTATE PROBE INTO TJX BREACH (Computerworld, 8 Feb 2007) -- Massachusetts Attorney General Martha Coakley will lead a civil investigation by dozens of states into the security breach disclosed last month by The TJX Companies Inc., the owner of T.J. Maxx and Marshalls retailers. The state’s consumer protection division is looking into the data breach, “particularly what security measures the company took to protect consumer information,” Coakley’s office said in a statement yesterday. A Coakley spokeswoman, Emily LaGrassa, added that more than 30 states have asked for details on the TJX investigation or expressed interest in joining the probe. TJX on Jan. 17 disclosed the security breach, in which one or more hackers penetrated the company’s computer network and made off with a still-unspecified number of customer records, including credit card numbers. More than three dozen banks in Massachusetts, the home state of the Framingham-based company, have reported that cards they’ve issued have been compromised. Although the attack began in May 2006, the breach was not discovered by TJX until mid-December. The company said it delayed disclosing the intrusion until January so it could contain the problem and meet confidentiality obligations to law enforcement agencies. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010884&source=NLT_PM&nlid=8 [It keeps getting worse; there are indications that the breaches occurred also in 2005, and perhaps earlier.]
-- and --
WILL PLAINTIFFS’ BAR SOON BE SINGING “T-T-T-T-T-T-T-T-TJX” IN BREACH CASES? (Steptoe & Johnson’s E-Commerce Law Week, 15 Feb 2007) -- Knowledgeable commentators (yes, we’re in a self-congratulatory mood this week) have predicted for a while that the plaintiffs’ bar will eventually succeed in a negligence suit based on a company’s failure to implement “reasonable” data security. And it appears that the “breach-chasers” may have finally found the right case. The data breach involving retail conglomerate TJX Companies, Inc. (the owner of discount chains T.J. Maxx and Marshalls, among others), first announced in mid-January, has so far drawn at least four putative class action suits in federal court in Massachusetts. While the plaintiffs in past class actions stemming from data breaches have had a difficult time establishing standing (for lack of cognizable harm) and/or damages, the TJX case might not suffer from the same weaknesses. The breach reportedly was broad in scope -- possibly involving more than 40 million credit and debit cards -- and has resulted in fraudulent debit and credit card purchases. These factors, combined with the emergence in recent years of a discernible standard of what constitutes “reasonable” security, could make this a precedent-setting case. If so, tort law in breach cases may “never ever [be] the same place,” as the old T.J. Maxx commercial went. Accordingly, companies will have even more reason to pay close attention to their data security procedures. http://www.steptoe.com/publications-4252.html
-- and --
MASS. BILL WANTS STORES TO PAY MORE IN DATA BREACHES (CNET, 22 Feb 2007) -- Businesses would have to reimburse banks for costs stemming from data security breaches, under a Massachusetts bill that could be mimicked by other states and in Congress. In what appears to be the first stab at such an approach, the proposal would require any “commercial entity” that handles personal financial data to foot the bill for various banking costs caused by hacks or other intrusions into their systems. The costs would include any fees associated with canceling or reissuing credit cards, opening and closing bank accounts, and restoring customers’ account balances after fraudulent transactions. The bill defines “commercial entity” as including everything from corporations to governmental agencies to associations, whether for-profit or not-for-profit. Shifting the liability away from banks--a step beyond previous proposals--has been a focus of discussion among advocacy groups for smaller banks. These banks argue that they are absorbing all the costs associated with data leaks, and they’re distressed they have to pick up the tab for damage they didn’t even create. The proposed remedy is primarily targeted at retailers, such as discount retailer TJX Companies. These have recently reported breaches potentially affecting thousands of customers, said Steve Kenneally, director of payments and technology policy for America’s Community Bankers, which advocates for smaller banks. ACB, which supports the state bill, would prefer to see national legislation. http://news.com.com/2100-7348_3-6161536.html
-- and --
BILL WOULD TIE RETAILERS TO COSTS OF ID THEFT (NPR, 26 Feb 2007) -- Massachusetts eyes a law to hold retailers accountable when thieves steal credit card information. The bill would force retailers to pay for the cost of reissuing new cards and for other expenses. Credit-card companies now absorb most of those costs. (2 minute audio program available at http://www.npr.org/templates/story/story.php?storyId=7599116)
NEW CYBERSECURITY CHIEF LAYS OUT GUIDANCE (Computerworld, 9 Feb 2007) -- U.S. companies and the federal government need to step up and fix the problems in their computer networks, the nation’s new cybersecurity czar told attendees during his first-ever address at RSA Conference here in San Francisco on Thursday. Within the next 10 years, the majority of the world’s communication needs will probably be handled by the Internet, said Gregory Garcia, the assistant secretary for cybersecurity and telecommunications at the Department of Homeland Security (DHS). “This proliferation of applications and devices within the converged network is going to create a breeding ground for security problems,” he said. “Our networks and our systems are vulnerable and they are exposed.” Garcia outlined two priorities for the year ahead. First, his office is working with federal agencies to adopt common security policies and practices. Second, he plans to work with the private sector to push forward a process called the National Infrastructure Protection Plan. This effort is intended to evaluate computer security risks on an industry-by-industry basis and outline the steps that need to be taken to address them. [Garcia] made it clear that the DHS expects U.S. companies to participate. “There are a lot of plans in Washington. This one is going to stick,” he said. “The private sector owns and operates 90% of the critical infrastructure, and it’s up to you all, not just the DHS, to secure this infrastructure.” http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9010939&taxonomyId=17&intsrc=kc_li_story
LAWMAKERS INTRODUCE BREACH NOTIFICATION, OTHER BILLS (PC World, 9 Feb 2007) -- Senators Patrick Leahy, a Vermont Democrat, and Bernie Sanders, a Vermont independent, introduced the Personal Data Privacy and Security Act. In addition to requiring data breach notification, the bill would also require data brokers to disclose what information they hold on individuals. The bill would allow individuals to correct information held by data brokers, and it would require companies that have databases with personal information on more than 10,000 U.S. residents to implement data privacy and security programs. Representatives Bobby Rush, an Illinois Democrat, and Cliff Stearns, a Florida Republican, introduced the Data Accountability and Trust Act this week. Their bill, with 24 co-sponsors, authorizes the U.S. Federal Trade Commission (FTC) to draw up data privacy requirements for businesses, including requirements that they have vulnerability assessments and policies for disposing of obsolete data. After a company reports a data breach, the FTC would conduct an audit of its security practices, and, like the Leahy-Sanders bill, the bill would require data brokers to disclose the information they hold on individuals and allow individuals to correct wrong information. http://www.pcworld.com/article/id,128887-c,techrelatedlegislation/article.html Bill at http://www.epic.org/privacy/pdf/DPSA2007.pdf
WIFI TURNS INTERNET INTO HIDEOUT FOR CRIMINALS (Washington Post, 11 Feb 2007) -- Detectives arrived last summer at a high-rise apartment building in Arlington County, warrant in hand, to nab a suspected pedophile who had traded child pornography online. It was to be a routine, mostly effortless arrest. But when they pounded on the door, detectives found an elderly woman who, they quickly concluded, had nothing to do with the crime. The real problem was her computer’s wireless router, a device sending a signal through her 10-story building and allowing savvy neighbors a free path to the Internet from the privacy of their homes. Perhaps one of those neighbors, authorities said, was stealthily uploading photographs of nude children. Doing so essentially rendered him or her untraceable. With nearly 46,000 public access points across the country -- many of them free -- hundreds of thousands of computer users are logging on every day to wireless networks at cafes, hotels, airports and even while sitting on park benches. And although the majority of those people are simply checking their e-mail and surfing the Web, authorities said an increasing number of criminals are taking advantage of the anonymity offered by the wireless signals to commit a raft of serious crimes -- from identity theft to the sexual solicitation of children. http://www.washingtonpost.com/wp-dyn/content/article/2007/02/10/AR2007021001457.html
COMPANIES IMPLEMENT P2P SOLUTIONS TO TRANSFER DATA (BNA’s Internet Law News, 13 Feb 2007) -- The WSJ reports that companies such as GM, Coca-Cola Co. and videogame publisher Tulga Games Inc. are now using peer-to-peer technology to transmit large chunks of data like video files or software updates, to employees and customers. Instead of a costly expansion of its satellite network last year, GM turned to P2P to push videos of marketing messages and sales targets to employees overseas, especially those in regions that have limited Internet capacity.
SKYPE SNOOP AGENT READS MOBO SERIAL NUMBERS (The Register, 11 Feb 2007) -- Skype has been spying on its Windows-based users since the middle of December by secretly accessing their system BIOS settings and recording the motherboard serial number. A blog entry (http://share.skype.com/sites/security/2007/02/skype_extras_plugin_manager.html) made on Skype’s website assures us it’s no big deal. The snooper agent is the handiwork of a third-party program called EasyBits Software, which Skype uses to manage Skype plug-ins. Among other things, EasyBits offers DRM features that prevent the unauthorized use or distribution of plug-ins, and that’s why Skype 3.0 has been nosing around in users’ BIOS. Reading the serial number allows EasyBits to quickly identify the physical computer the software is running on. The practice was discontinued on Thursday, when Skype was updated to version 3.0.0.216. Skype goes to great lengths (http://www.skype.com/download/adwarefree/) to assure users they will not be fed spyware, which the eBay-owned VOIP provider defines as “software that becomes installed on computer without the informed consent or knowledge of the computer’s owner and covertly transmits or receives data to or from a remote host.” What’s more, we were unable to find terms of service that spell out what EasyBits does with the information it gathers on Skype users. It’s also hard to take Skype’s nothing-to-see-here notification at face value because of the lengths the software goes to conceal its snooping. As documented (http://www.pagetable.com/?p=27) in the Pagetable blog, the Skype snoopware runs a .com file and prevents the more curious users among us from reading it. Were it not for errors it was giving users of 64-bit versions, we’d probably still be in the dark. http://www.theregister.co.uk/2007/02/11/skype_bios_snoop/print.html
STUDY: P2P EFFECT ON LEGAL MUSIC SALES “NOT STATISTICALLY DISTINGUISHABLE FROM ZERO” (ARStechnica, 12 Feb 2007) -- A new study in the Journal of Political Economy by Felix Oberholzer-Gee and Koleman Strumpf has found that illegal music downloads have had no noticeable effects on the sale of music, contrary to the claims of the recording industry. Entitled “The Effect of File Sharing on Record Sales: An Empirical Analysis,” the study matched an extensive sample of music downloads to American music sales data in order to search for causality between illicit downloading and album sales. Analyzing data from the final four months of 2002, the researchers estimated that P2P affected no more than 0.7% of sales in that timeframe. The study compared the logs of two OpenNAP P2P servers with sales data from Nielsen SoundScan, tracking the effects of 1.75 million song downloads on 680 different albums sold during that same period. The study then took a surprising twist. Popular music will often have both high downloads and high sales figures, so what the researchers wanted was a way to test for effects on album sales when file-sharing activity was increased on account of something other than US song popularity. Does the occasionally increased availability of music from Germany affect US sales? The study looked at time periods when German students were on holiday after demonstrating that P2P use increases at these times. German users collectively are the #2 P2P suppliers, providing “about one out of every six U.S. downloads,” according to the study. Yet the effects on American sales were not large enough to be statistically significant. Using this and several other methods, the study’s authors could find no meaningful causality. The availability and even increased downloads of music on P2P networks did not correlate to a negative effect on music sales. http://arstechnica.com/news.ars/post/20070212-8813.html
ELI LILLY LOSES EFFORT TO CENSOR ZYPREXA DOCUMENTS OFF THE INTERNET (EFF, 13 Feb 2007) -- A U.S. District Court judge today refused Eli Lilly’s request to ban a number of websites from publishing leaked documents relating to Zyprexa, Eli Lilly’s top-selling drug. Although the judge rejected the First Amendment arguments made by a variety of individuals eager to publish the documents, the court concluded that “it is unlikely that the court can now effectively enforce an injunction against the Internet in its various manifestations, and it would constitute a dubious manifestation of public policy were it to attempt to do so.” The order is a victory for the Electronic Frontier Foundation (EFF), which represents an anonymous individual who was previously barred by the court’s earlier orders from posting links to the Zyprexa documents on the zyprexa.pbwiki.com wiki. The Zyprexa documents were leaked from an ongoing product liability lawsuit against Eli Lilly. The internal documents allegedly show that Eli Lilly intentionally downplayed the drug’s side effects, including weight gain, high blood sugar, and diabetes, and marketed the drug for “off-label” uses not approved by the Food and Drug Administration (FDA). The documents were the basis for a front-page story in the New York Times in December of last year, and electronic copies are readily available from a variety of Internet sources. EFF’s client posted links to one set of copies on a wiki devoted to the controversy that were part of extensive, in-depth analysis from a number of citizen journalists. “This ruling makes it clear that Eli Lilly cannot invoke any court orders in its futile efforts to censor these documents off the Internet,” said EFF Staff Attorney Fred von Lohmann. “We are disappointed, however, that the judge failed to appreciate that its previous orders constituted prior restraints in violation of the First Amendment.” http://www.eff.org/news/archives/2007_02.php#005122 Order at http://eff.org/legal/cases/zyprexa/zyprexa_judgement.pdf
CONGRESS SEEKS ‘BITE’ FOR PRIVACY WATCHDOG (Washington Post, 13 Feb 2007) -- Key lawmakers want to replace a White House privacy and civil liberties board created by Congress in 2004 with one that is more independent of the president. The idea is to make the board more like the one envisioned by the bipartisan 9/11 Commission. As the commission’s vice chairman, Lee H. Hamilton, said yesterday: “We felt that you had to have a voice within the executive branch that reached across all of the departments of government with strong powers to protect our civil liberties.” But the five-member Privacy and Civil Liberties Oversight Board is resisting proposals that would dramatically change its composition and powers. The battle is another sign of the changed political landscape, with the Democratic-controlled Congress pushing for stronger oversight of the Bush administration’s counterterrorism programs. http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021201430.html
WHY VISTA’S DRM IS BAD FOR YOU (Forbes, essay by Bruce Schneier, 12 Feb 2007) -- Windows Vista includes an array of “features” that you don’t want. These features will make your computer less reliable and less secure. They’ll make your computer less stable and run slower. They will cause technical support problems. They may even require you to upgrade some of your peripheral hardware and existing software. And these features won’t do anything useful. In fact, they’re working against you. They’re digital rights management (DRM) features built into Vista at the behest of the entertainment industry. And you don’t get to refuse them. The details are pretty geeky, but basically Microsoft reworked a lot of the core operating system to add copy protection technology for new media formats like HD-DVD and Blu-ray disks. Certain high-quality output paths--audio and video--are reserved for protected peripheral devices. Sometimes output quality is artificially degraded; sometimes output is prevented entirely. And Vista continuously spends CPU time monitoring itself, trying to figure out if you’re doing something that it thinks you shouldn’t. If it does, it limits functionality and in extreme cases restarts just the video subsystem. We still don’t know the exact details of all this, and how far-reaching it is, but it doesn’t look good. http://www.forbes.com/security/2007/02/10/microsoft-vista-drm-tech-security-cz_bs_0212vista.html Technical analysis at http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
GOOGLE SAID TO VIOLATE COPYRIGHT LAWS (New York Times, 14 Feb 2007) -- A Brussels court ruled Tuesday that Google had violated copyright laws by publishing links to articles from Belgian newspapers without permission. Legal experts said the case could have broad implications in Europe for the news indexes provided by search engines. The ruling, which Google said it would appeal, was hailed by some newspaper industry representatives and may also have an impact on a lawsuit against Google by the news service Agence France-Presse. “As the first decision to condemn a search engine for indexing news articles, you can be sure publishers around the world are paying attention,” said Cyril Fabre, a lawyer in Paris at Alexen, a law firm specializing in Internet law and intellectual property. “The implications in Europe are particularly strong since copyright law is so uniform across the Continent.” The Brussels court ruled that Google, which operates the dominant Internet search engine, must pay 25,000 euros, or $32,600, for each day it displayed content from the plaintiff publications in violation of copyright. The court scaled back a September ruling that called for damages of up to 1 million euros a day and required Google to publish the judgment on its home page. The lawsuit, filed shortly after Google introduced the Belgian news site in January 2006, originally included two organizations representing journalists and photographers, but they reached a deal with the search engine. Google said the accord involved making use of content in new ways, but would not elaborate. Google believes that pointing to content on the Web is legal under copyright law, Mr. Elkaim added. “We have always explained that any licensing agreements Google does with content providers is for use that goes beyond indexing or referencing,” he said. Jessica Powell, a spokeswoman in London for Google, said the main complaints in the case — making reference to articles without prior permission, and the continued availability of articles in Google’s database after newspapers have restricted access to them — are issues easily rectified without legal action. Legal experts in the United States said the decision would have no direct impact there. But if upheld, they said, it could result in headaches for Google on both sides of the Atlantic. “It could set up a chain reaction, especially in European countries, where the authors’ rights are stronger,” said Pamela Samuelson, a law professor at the University of California, Berkeley, and the co-director of the Berkeley Center for Law and Policy. “If a Belgian court causes Google to change its ways, by preventing links from happening or forcing it to pay, other countries and other newspapers and other entities that have put things on the Web could say ‘me too.’” Still, she said, “I think that argument that linking is an infringement is not a particularly strong argument.” http://www.nytimes.com/2007/02/14/business/14google.html?ex=1329109200&en=744fe208cddd4bdd&ei=5090&partner=rssuserland&emc=rss
-- and --
GOOGLE LOSES ROUND TWO IN BELGIAN COPYRIGHT DISPUTE (CCH Computer Law Report, 22 Feb 2007) -- The Court of First Instance in Brussels has affirmed its prior ruling that Google violated Belgian copyright law by retaining cached copies of webpages and by publishing headlines, thumbnail images, and snippets of news gathered from articles on Belgian newspaper websites. On September 5, 2006, the court held that Google’s news and cache services violated Belgium’s law relating to copyright and ancillary rights (1991) and its law on databases (1998). The rulings prohibit the search engine from displaying portions of articles, pictures, or drawings on webpages belonging to the members of Copiepresse, a trade group representing 17 Belgian newspapers. Google News uses a robot to search for content that it automatically indexes according to common categories on its website. Although newspaper headlines, snippets of text, and some thumbnail images are visible on Google’s website, to access a full story, visitors must click on a link that takes them to the newspaper’s own website. Google’s cache system also uses a robot that takes snapshots of webpages as they appear at specific points in time. The cached copies, which are stored on Google’s servers, are accessible via links appearing in search results. The court ruled in favor of Copiepresse and held that Google’s cached webpages and its reproduction and publication of headlines and snippets infringed owners’ copyrights. However, the court disagreed with Copiepresse’s contention that Google must obtain prior permission from copyright holders in order to display any portion of copyrighted webpages. According to the court, the onus is on copyright holders to contact Google to request removal of infringing material. Once notified, the search engine has 24 hours to remove the content or face a fine of €1,000 per day for each work allegedly infringed. (subscription required)
EXPERTS OFFER TIPS FOR AVOIDING BLOG LAWSUITS (Computerworld, 14 Feb 2007) -- As companies increasingly use blogs, wikis, podcasts and other Web 2.0 tools to form social networking sites for their customers, partners and employees, executives must keep track of the new medium’s myriad legal risks. Information posted on corporate blogs or wikis could prompt lawsuits charging the companies with libel, copyright infringement or trademark violations, according to several lawyers who specialize in technology issues. They said that notes posted on such sites could also violate securities laws. Dennis Kennedy, a St. Louis lawyer who specializes in IT issues, said that companies often, and unwisely, treat emerging Web 2.0 technologies like “isolated new phenomena” that aren’t directly tied to corporate operations. “You need to look at what employees are doing ... in the context of your communications policy,” Kennedy added. Robert Clothier, an attorney at Fox Rothschild LLP in Philadelphia, noted that the legal risks associated with blogs are higher for posts written by a company’s employees than for those sent in by nonemployees. Companies are not likely to be sued for libel for posts on corporate blogs by outside users unless the company significantly alters the meaning of the content, said Clothier, who specializes in First Amendment issues. Clothier offers the following tips to avoid legal problems with forays into Web 2.0:
* Establish strict policies listing which employees can post on a corporate blog, and what subjects they can write about.
* Assign an employee to monitor blogs to make sure that policies are followed.
* Discipline employees who violate the policies.
* Remove inaccurate blog items, and post a correction.
* Determine whether the company needs libel insurance, and if so, what kind. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011280&source=NLT_AM&nlid=1
U.K. COMPANY FINED OVER LAPTOP THEFT (CNET, 14 Feb 2007) -- Nationwide Building Society, a U.K. financial services provider, has been fined $1.9 million after a laptop containing sensitive customer data was stolen from an employee. The Financial Services Authority (FSA) hit Nationwide with the fine on Wednesday, following an investigation into the theft, which occurred in November 2006 at the employee’s house. According to the FSA, Nationwide was guilty of failing to have effective systems and controls in place to manage its information security risks. The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft. “Firms’ internal controls are fundamental in ensuring customers’ details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up to date to prevent lapses in security,” said Margaret Cole, director of enforcement at the FSA. “The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security,” Cole added. http://news.com.com/2100-1029_3-6159349.html
CT SAYS ACCESS THAT EXCEEDS LICENSE BASIS FOR COPYRIGHT SUIT (BNA’s Internet Law News, 15 Feb 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that a subscriber to a medical articles database who leveraged a single-user subscription to distribute to multiple persons copies of the licensed content may be liable for both copyright infringement and computer fraud. Case name is Therapeutic Research Faculty v. NBTY Inc.
NINTH CIRCUIT TAKES A MULLIGAN ON EMPLOYEE PRIVACY (Steptoe & Johnson’s E-Commerce Law Week, 15 Feb 2007) -- The Ninth Circuit last summer held in United States v. Ziegler that an employee had no reasonable expectation of privacy in his workplace computer where the employer had a policy and practice of regularly monitoring employees’ computer usage. Accordingly, it affirmed the district court’s denial of the employee’s motion to suppress evidence of child pornography seized by police from the employee’s workplace hard drive, even though that evidence was obtained by entering the employee’s locked private office. We criticized the court’s reasoning at the time, and suggested that the decision would have been on sounder footing if the court had based its judgment on the employer’s consent to the search. Well, someone in chambers must be an ECLW fan, because on January 30 the Ninth Circuit panel rescinded its earlier opinion and issued a new one, reaching the same result but on the ground of employer consent. While some may think this decision is a big win for employee rights, in fact it is probably a more important victory for employers, since it preserves companies’ ability to control the terms of access to their network by both employees and the government. http://www.steptoe.com/publications-4252.html New 9th Circuit opinion at http://www.ca9.uscourts.gov/ca9/newopinions.nsf/1B9EE38656401781882572720080706B/$file/0530177.pdf?openelement
PRIVACY GROUPS HIT ISP DATA STORAGE BILL (InternetNews.com, 15 Feb 2007) -- Led by Rep. Lamar Smith of Texas, eight Republican U.S. House members have filed legislation that would give Attorney General Alberto Gonzales broad powers to require Internet service providers (ISPs) to retain customer data. Under the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2007 (SAFETY Act), the attorney general would be required to issue ISP data retention requirements, powers Gonzales has sought since last year as part of the Department of Justice’s (DoJ) campaign against online child pornography. According to the bill (H.R. 837), ISPs would be required to retain, at a minimum, subscriber names, addresses, telephone numbers and Internet protocol addresses to “permit compliance with court orders that may require production of such information.” The DoJ would determine the length of time the data must be retained. Most ISPs currently retain minimum customer data for six months or less. Gonzales has said he favors at least a two-year retention requirement. Privacy advocates worry that the vagueness of the bill’s language could allow the DoJ to expand upon the minimum data requirements to include more customer data such as most frequently visited websites, instant messages and e-mail correspondence. “This is a real First Amendment and privacy threat,” John Morris, director of Internet Standards at the Center for Democracy and Technology (CDT), told internetnews.com. “This proposal gives the attorney general unbounded discretion to create whatever data retention requirements he wants. There’s no restraint.” http://www.internetnews.com/bus-news/print.php/3660201
-- and --
JUSTICE DEPARTMENT TAKES AIM AT IMAGE-SHARING SITES (CNET, 2 March 2007) -- The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET News.com has learned. That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to News.com by several people who attended the meeting. A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of which customer is assigned a specific Internet address. Only universities and libraries would be excluded, one participant said. “There’s a PR concern with including the libraries, so we’re not going to include them,” the participant quoted the Justice Department as saying. http://news.com.com/2100-1028_3-6163679.html
-- and --
EUROPE’S PLAN TO TRACK PHONE AND NET USE (New York Times, 20 Feb 2007) -- European governments are preparing legislation to require companies to keep detailed data about people’s Internet and phone use that goes beyond what the countries will be required to do under a European Union directive. In Germany, a proposal from the Ministry of Justice would essentially prohibit using false information to create an e-mail account, making the standard Internet practice of creating accounts with pseudonyms illegal. A draft law in the Netherlands would likewise go further than the European Union requires, in this case by requiring phone companies to save records of a caller’s precise location during an entire mobile phone conversation. Even now, Internet service providers in Europe divulge customer information — which they normally keep on hand for about three months, for billing purposes — to police officials with legally valid orders on a routine basis, said Peter Fleischer, the Paris-based European privacy counsel for Google. The data concerns how the communication was sent and by whom but not its content. But law enforcement officials argued after the terrorist bombings in Spain and Britain that they needed better and longer data storage from companies handling Europe’s communications networks. European Union countries have until 2009 to put the Data Retention Directive into law, so the proposals seen now are early interpretations. But some people involved in the issue are concerned about a shift in policy in Europe, which has long been a defender of individuals’ privacy rights. Under the proposals in Germany, consumers theoretically could not create fictitious e-mail accounts, to disguise themselves in online auctions, for example. Nor could they use a made-up account for receiving commercial junk mail. While e-mail aliases would not be banned, they would have to be traceable to the actual account holder. Mr. Fleischer said: “It’s ironic, because Germany is one of the countries in Europe where people talk the most about privacy. In terms of consciousness of privacy in general, I would put Germany at the extreme end.” In the Netherlands, the proposed extension of the law on phone company records to all mobile location data “implies surveillance of the movement of large amounts of innocent citizens,” the Dutch Data Protection Agency has said. The agency concluded in January that the draft disregarded privacy protections in the European Convention on Human Rights. Similarly, the German technology trade association Bitkom said the draft there violated the German Constitution. Internet and telecommunications industry associations raised objections when the directive was being debated, but at that time their concerns were for the length of time the data would have to be stored and how the companies would be compensated for the cost of gathering and keeping the information. The directive ended up leaving both decisions in the hands of national governments, setting a range of six months to two years. The German draft settled on six months, while in Spain the proposal is for a year, and in the Netherlands it is 18 months. http://www.nytimes.com/2007/02/20/business/worldbusiness/20privacy.html?ex=1329627600&en=7c382d290b81c578&ei=5090&partner=rssuserland&emc=rss
GOOGLE FIGHTS FOR RIGHT TO USE TRADEMARKED SEARCH KEYWORDS (Information Week, 15 Feb 2007) -- Is Google guilty of trademark infringement when one of its advertisers purchases a competitor’s trademark as a search keyword that triggers its ad, even though Google doesn’t present the trademarked term in the ad itself? That’s a question Google and Rescuecom have been litigating since September 2004. In September 2006, the judge in the case granted Google’s motion to dismiss, but Rescuecom appealed. Earlier this week, Google filed a brief in the ongoing case that makes a clear and compelling argument for why Google’s sale of trademarked search keywords as ad triggers is legitimate. Michael H. Page, an attorney representing Google on behalf of Keker & Van Nest LLP, asserts that businesses associate their products with competitors all the time and that doing so doesn’t create confusion in the minds of consumers -- which is what trademark law aims to prevent. “Generic brands are placed next to known brands on store shelves for the express purpose of diverting customers from the brand they are seeking to another, and their manufacturers pay for that placement,” explains Page in the brief. “Advertisers deliberately select magazine ad placements next to articles about their competitors. ... All manner of companies pay for coupon placements selected based on a customer’s purchase of their competitors’ products. And so on. Of course they are seeking to ‘hijack’ or ‘divert’ consumers who have indicated an interest in their competitors’ products. That’s the point of contextual advertising -- to target ads at consumers who are actively interested in your type of product, rather than indiscriminately at the world at large.” But none of these examples, Page points out, falsely identifies the source of goods or services and thus does not represent a violation of trademark law. Google isn’t using the term “Rescuecom” as actual text in its ads. It’s merely allowing advertisers to be seen when a searcher is inquiring about a competitor. Rescuecom’s counterargument doesn’t quite seem so strong. Rescuecom’s attorney, Edmund J. Gegan, suggests that consumers inured to cutthroat competition at the mall are essentially clueless online and see no distinction between paid placement on a search results page and organic search results. http://www.informationweek.com/showArticle.jhtml?articleID=197006579&articleID=197006579 Google’s brief at http://blog.ericgoldman.org/archives/2007/02/rescuecom_v_goo_1.htm
NIST RELEASES INFO SECURITY DOCUMENTS (Government Computer News, 16 Feb 2007) -- The National Institute of Standards and Technology has published two new interagency reports designed to help auditors, inspectors general and senior management understand and evaluate information security programs. NISTIR 7359, titled “Information Security Guide for Government Executives,” is an overview of IT security concepts that senior management should grasp. NISTIR 7358, titled “Program Review for Information Security Management Assistance (PRISMA),” lays out a standardized approach for measuring the maturity of an information security program. PRISMA is a methodology developed by NIST for reviewing the complex requirements and posture of a federal information security program. It is intended for use by security personnel, as well as internal reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help identify program deficiencies, establish baselines, validate corrections and provide supporting information for Federal Information Security Management Act scorecards. It gives a maturity level in nine primary topic areas:
* Information security management and culture
* Information security planning
* Security awareness, training and education
* Budget and resources
* Life cycle management
* Certification and accreditation
* Critical infrastructure protection
* Incident and emergency response
* Security controls
http://www.gcn.com/online/vol1_no1/43141-1.html?topic=security&CMP=OTC-RSS
Reports at http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf and http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf
VIEWERS FAST-FORWARDING PAST ADS? NOT ALWAYS (New York Times, 16 Feb 2007) -- People with digital video recorders like TiVo never watch commercials, right? It turns out that a lot of people with digital video recorders are not fast-forwarding and time-shifting as much as advertisers feared. According to new data released yesterday by the Nielsen Company, people who own digital video recorders, or DVRs, still watch, on average, two-thirds of the ads. One big reason is that many people with DVRs still tune in to watch about half of their shows at the scheduled start time, meaning they must sit through commercials. And even when people watch recorded shows later, many are not fast-forwarding through the ads. On average, Nielsen found, DVR owners watch 40 percent of commercials that they could skip over — perhaps because they like ads, don’t mind them or simply can’t be bothered. “People are actually playing back more of the commercials than we thought,” said Steve Sternberg, executive vice president and director of audience analysis at Magna Global Media Research, an ad-buying agency. “People are buying DVRs not because they want to time-shift all of their viewing and skip all commercials, but because they want to time-shift some of their viewing.” While the new data may well be fodder for cocktail party chatter, it also has major financial implications. Largely because many advertisers thought that people with DVRs were not watching their ads, they have not been paying for time-shifted viewing on DVRs. Now the networks could use the new information to try to charge more. And advertisers may begin pressing networks to rethink commercial breaks — maybe making them shorter. http://www.nytimes.com/2007/02/16/business/16commercials.html?ex=1329282000&en=ac19fdde5f3cdef3&ei=5090&partner=rssuserland&emc=rss
DRIVER’S LICENSE EMERGES AS CRIME-FIGHTING TOOL, BUT PRIVACY ADVOCATES WORRY (New York Times, 17 Feb 2007) -- On the second floor of a state office building here, upstairs from a food court, three facial-recognition specialists are revolutionizing American law enforcement. They work for the Massachusetts motor vehicles department. Last year they tried an experiment, for sport. Using computerized biometric technology, they ran a mug shot from the Web site of “America’s Most Wanted,” the Fox Network television show, against the state’s database of nine million digital driver’s license photographs. The computer found a match. A man who looked very much like Robert Howell, the fugitive in the mug shot, had a Massachusetts driver’s license under another name. Mr. Howell was wanted in Massachusetts on rape charges. At least six other states have or are working on similar enormous databases of driver’s license photographs. Coupled with increasingly accurate facial-recognition technology, the databases may become a radical innovation in law enforcement. Other biometric databases are more useful for now. But DNA and fingerprint information, for instance, are not routinely collected from the general public. Most adults, on the other hand, have a driver’s license with a picture on it, meaning that the relevant databases for facial-recognition analysis already exist. And while the current technology requires good-quality photographs, the day may not be far off when images from ordinary surveillance cameras will routinely help solve crimes. Critics say the databases may therefore also represent a profound threat to privacy. “What is the D.M.V.?” asked Lee Tien, a lawyer with the Electronic Frontier Foundation and a privacy advocate. “Does it license motor vehicles and drivers? Or is it really an identification arm of law enforcement?” Anne L. Collins, the Massachusetts registrar of motor vehicles, said that people seeking a driver’s license at least implicitly consent to allowing their images to be used for other purposes. The databases are primarily intended to prevent people from obtaining multiple licenses under different names. That can help prevent identity theft and stop people who try to get a second license after their first has been suspended. “We don’t look at hair,” Ms. Conlon said. “We do look at lips, noses, ears.” The database’s second function, as a resource for law enforcement agencies, is growing in popularity. Police chiefs from around the state e-mail digital photographs for comparison with the database, sometimes several times a day. Other sorts of images are not useful — yet. “A video surveillance camera is probably not going to give it to you,” Mr. Smith said. In time, though, the combination of facial recognition and other information — from financial records, mobile phones, automobile positioning devices and other sources — may do away with the ability to move anonymously through the world, Mr. Tien, the privacy advocate, said. “The real question with biometrics,” he said, “is that they are part of a cluster of technologies that will allow for location tracking in both public and private places.” http://www.nytimes.com/2007/02/17/us/17face.html?ex=1329368400&en=8782b7320b2e7a40&ei=5090&partner=rssuserland&emc=rss
BROADBAND ADOPTION PASSES HALFWAY MARK IN U.S. (CNET, 18 Feb 2007) -- U.S. residential broadband penetration is expected to exceed 50 percent in 2007--and the U.K. isn’t far behind. By the end of 2007, more than 60 million U.S. households will be connected--around 55 percent--according to market researcher Parks Associates. During 2006, broadband subscriptions grew by more than 20 percent in the U.S. and by the end of the year around 50 million households had fat pipes. The U.K. isn’t far behind, though, as around 49 percent of households have a broadband connection, according to Point Topic figures from the third quarter of 2006. In Europe there are still large discrepancies in broadband penetration rates that are exacerbating the digital divide. Residential broadband uptake varies from 73 percent in Iceland to 1.4 percent in Moldova. Worldwide, the country with the greatest residential broadband connectivity is South Korea. More than 88 percent of Korean households had a broadband connection by the third quarter of last year. http://news.com.com/2110-1034_3-6160422.html
EBAY FIGHTS PLAN TO REPORT USERS TO IRS (Financial Times, 19 Feb 2007) -- Ebay is fiercely resisting a Bush administration plan it says will force it to snitch on customers who are not paying tax on billions earned on the popular online auction site. The Treasury estimates it could collect $2bn in unpaid tax if companies such as eBay reported American users who carry out more than 100 transactions worth at least $5,000 a year to the Internal Revenue Service. But an eBay spokesperson said: “We do not believe it is our responsibility to serve as the go-between. We believe that it is the seller’s responsibility.” The company pointed out that many users file self-employment and business tax returns based on their eBay income. Ebay said it would co-operate with IRS investigations into specific persons but would not voluntarily report its customers’ sales “en masse”. http://www.ft.com/cms/s/33e0a1e0-c026-11db-995a-000b5df10621,_i_rssPage=81cea682-52a8-11da-8d05-0000779e2340.html
LEGAL DEPARTMENTS TELL FIRMS: GET ON THE TECH TRAIN (Law.com, 21 Feb 2007) -- When Aon Corp. slashed its outside counsel roster from about 400 to 23 law firms in 2005, it quizzed the firms about their tech offerings. “We asked them about extranets, e-billing and litigation management,” says David Cambria, director of legal operations at the Chicago-based insurance giant. But Cambria says that he didn’t really care whether firms had all of those products. He had another agenda: “I wanted to know if [the firms] were playing in the same pool as me,” says Cambria. When they crafted the tech section of their request for proposal, Cambria and his colleagues started from the assumption that all the firms they were interviewing had experienced, capable lawyers. But “we wanted to take it to a higher level, and the most successful firms were the ones that told us how they’d help us do what we do better, with technology,” he says. What’s changed? Traditionally a cost center, legal departments have come under increasing pressure to keep costs down at the same time that they’re struggling to keep their technology current. “General counsel are being held to budgets,” says Woods Abbott, senior manager of legal operations-corporate at Raytheon Co. This year’s survey, our fourth in which we queried the technology heads of Fortune 500 corporations, shows that in many respects, law departments have had a technical awakening, and finally are getting the goodies everyone else in corporate America takes for granted. http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1171965782119
MUSIC COMPANIES TARGET COLLEGES IN LATEST DOWNLOADING CRACKDOWN (SiliconValley.com, 21 Feb 2007) -- Cracking down on college students, the music industry is sending thousands more complaints to top universities this school year than it did last year as it targets music illegally downloaded over campus computer networks. A few schools, including Ohio and Purdue universities, already have received more than 1,000 complaints accusing individual students since last fall -- significant increases over the past school year. For students who are caught, punishments vary from e-mail warnings to semester-long suspensions from classes. The trade group for the largest music labels, the Recording Industry Association of America, identified at the request of The Associated Press the 25 universities that received the most copyright complaints it sent so far this school year. The trade group long has pressured schools to act more aggressively against online pirates on campus. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16746514.htm
VIRTUAL CHILD PORN MAY BE A CRIME IN NETHERLANDS (CNET, 21 Feb 2007) -- Virtual enactments of child pornography may be a crime under Dutch law if they encourage child abuse, the public prosecutor said Wednesday. In the virtual world of Second Life, a popular Internet destination, everyone under the age of 18 is supposed to be limited to a “teen grid.” However, it would be relatively easy for children to get onto the adult grid if they wished since there is no proof of age required. In the adult section, some users participate in “age play,” in which adult users can create child-like characters and have virtual sex that would be illegal in the real world. “There are possibilities to prosecute because it possibly incites child abuse,” said Kitty Nooij, the spokesman for the public prosecutor, who is in charge of national vice cases. With the increasing popularity of virtual worlds, there are fears people may turn to them to carry out activities considered illegal in the real world. There is no Dutch case law about virtual child pornography in writing, drawings or computer animation. In the United States, where Second Life creator Linden Lab is based, the U.S. Supreme Court struck down a law in 2002 that would have banned computer-generated images depicting minors engaged in sexual conduct. http://news.com.com/2100-1028_3-6161025.html
FLA. BAR OKS CLIENT TESTIMONIALS ON LAW FIRM WEB SITES (Law.com, 22 Feb 2007) -- After nearly four years of debate, The Florida Bar board of governors has tentatively approved a proposed rule on law firm Web sites that would let lawyers publish client testimonials and claims about their past successes. The proposed rule would largely free law firm Web sites from the state’s restrictive rules governing lawyer advertising in such media as television, radio, direct mail and Yellow Pages. But lawyer Web sites still would have to comply with general Bar rules regarding truthfulness and lack of deception. The proposal still must be passed by the board of governors in a second reading and approved by the Florida Supreme Court. Under the proposed rule approved late last month, the inside pages of law firm Web sites -- but not the home page -- could include testimonials, references to past results and statements characterizing the quality of the services, as long as the statements are truthful, not misleading and come with disclaimers. The disclaimers must say that past results do not guarantee a future success. http://www.law.com/jsp/article.jsp?id=1172052183457&rss=newswire
RAISING, AND LOWERING, THE BAR ON CELL PHONE PRIVACY (Steptoe & Johnson’s E-Commerce Law Week, 22 Feb 2007) -- When can police search an electronic communications device that is owned by an employer, but is used daily by an employee? As we previously reported, the Ninth Circuit’s recent ruling in United States v. Ziegler left open the possibility that, given an employer’s policy of monitoring computer use, the user of a computer kept in a common space might not have a reasonable expectation of privacy in the device. But, in United States v. Finley, the Fifth Circuit recently found that an employee “had a reasonable expectation” that the call records and text messages on his cell phone would remain private from law enforcement and the general public, even though his employer owned the phone and could have read the messages on it after it was returned. Nonetheless, because the government’s search of the phone was conducted incident to a lawful custodial arrest, the court concluded that no search warrant was required and the search was “reasonable” under the Fourth Amendment. Combined with recent cases holding that Customs agents at the border can search the contents of a laptop with little or no reason, this case suggests that when the government wants to “reach out and touch someone,” it can reach the content on one’s electronic gadgets, too. http://www.steptoe.com/publications-4265.html Finley case at http://www.ca5.uscourts.gov/opinions%5Cpub%5C06/06-50160-CR0.wpd.pdf
FEDERAL COURT REAFFIRMS IMMUNITY OF BLOGGERS FROM SUITS BROUGHT AGAINST COMMENTERS (ACS blog, 26 Feb 2007) -- Section 230 of the Communications Decency Act provides that “[no] provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” and that “[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.” A recent decision of the First Circuit has reaffirmed the broad protection this statute provides to bloggers and message board administrators. In Universal Communication Systems v. Lycos, a company that had allegedly been victimized by defamatory statements on a message board regarding the value of its stock sued Lycos, which operated the board. The message board allowed users to post comments with minimal moderation, and no one from Lycos was responsible for the allegedly defamatory statements. Examining the impact of Sec. 230 on this case, the court noted that “Congress intended that, within broad limits, message board operators would not be held responsible for the postings made by others on that board,” adding that allowing bloggers and message board operators to be sued for the statements of commenters on their sites would have an “obvious chilling effect” on speech. Accordingly, the court dismissed the complaint against Lycos. http://www.acsblog.org/economic-regulation-employment-federal-court-reaffirms-immunity-of-bloggers-from-suits-brought-against-commenters.html Opinion at http://www.ca1.uscourts.gov/pdf.opinions/06-1826-01A.pdf
ADDING TO SECURITY BUT MULTIPLYING THE FEARS (New York Times, 26 Feb 2007) -- Foreigners arriving at the American border must present both index fingers for fingerprinting, but that will soon change. The Department of Homeland Security now wants 10 fingers. The two-print system was largely a biometric backup, an added level of security to supplement and verify a passport or a visa. The 10-print system adds a powerful investigative tool. “When we have a fingerprint of a terrorist who has left behind a bomb or an I.E.D. in Iraq or has left his fingerprint in a safe house somewhere, we don’t always have the two index fingers,” Paul Rosenzweig, a Department of Homeland Security official, said at a briefing in December. “It could be the pinkie or the thumb. And thus by moving to a 10-print system, we will enhance our ability to use biometrics to enable us to identify threats before they occur in the United States.” Call it biometric mission creep. People concerned about privacy and civil liberties say they fear the creation of gigantic biometric databases ripe for data-mining abuse. They note that Mr. Rosenzweig was a supporter of the Total Information Awareness program at the Defense Department, which had planned, as the Pentagon put it, to create “ultralarge all-source information repositories.” The program was shut down in 2003 because it scared people. The administration’s last-ditch defense of that effort was telling, too. It changed the name to the Terrorism Information Awareness program. There is a pattern here, said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. “These techniques that are sold to us as necessary to identify terrorists inevitably become systems of mass surveillance directed at the American people,” Mr. Rotenberg said.
****RESOURCES****
BADWARE WEBSITE CLEARINGHOUSE (stopbadware.org) -- Badware doesn’t just appear on users’ computers out of thin air - instead, much of it (maybe even most of it) is hosted on websites that then distribute it to consumers who visit those sites. Given the importance of websites as a means of spreading badware to unsuspecting users, StopBadware.org has expanded our mission to include shining a light on websites themselves, not just on the applications they host for download. In that vein, we’ve launched the Badware Website Clearinghouse -- a collaborative effort to build a comprehensive list of websites that host, link to, or otherwise distribute badware. Websites can host or distribute badware in a variety of ways. They may be sites that intentionally distribute bad applications for profit; or sites featuring ads, often provided by third parties, that - if clicked on - will attempt to automatically install harmful software; or sites that have been hacked and can download dangerous code onto visitors’ computers without the site owner even knowing the badware is there; and a whole range of sites in between. For a comprehensive definition of what constitutes a badware website, check out our Website Guidelines. Although the list of websites in this Clearinghouse is hosted by StopBadware.org, we’re not the only ones contributing to it. This list contains both websites that StopBadware itself has tested and found to contain badware or badware links, as well as thousands of sites that trusted third parties have independently examined, found to be hosts or distributors of badware, and provided to us for posting. Sites that StopBadware has tested itself and determined to contain or link to badware are marked with a red icon; sites marked with an “undetermined” icon were reported to StopBadware by one or more trusted third parties whose name(s) appear in a separate column to the left of the site’s URL. http://stopbadware.org/home/clearinghouse
WIKIS FOR THE LEGAL PROFESSION (ABA Law Practice Management, Feb 2007) -- If you hang around lawyers talking about “Web 2.0” long enough or read our articles, the word “wiki” is eventually bound to pop out. In fact, it’s hard to have a discussion about Web 2.0 and the new Internet technologies without discussing wikis; they may be one of the oldest tools of the Web 2.0 phenomenon. It’s also a safe bet that few of you reading this article have any real experience with using a wiki, or how a wiki might be useful to the practicing lawyer. Why should lawyers use wikis? They may help lawyers both as consumers and as producers. Most lawyers will get the most value from using wikis created by others. The classic example is the Wikipedia. Wikis can be seen as constantly updated collections of useful information arranged in an encyclopedic or similarly organized way, with hyperlinks to related internal and external information. On the producer side, perhaps the greatest potential of the wiki tool for lawyers is its use as a collaborative tool or even an information or knowledge platform, especially as a way to gather and manage “unstructured” information easily and quickly. The key feature of wikis in this regard is that multiple authors and editors are able to work together to create a collection of information or even collaborative documents. This month The Strongest Links focuses on wikis. We’ve scoured the Net for some of the best links on wikis -- we’ll discuss and point you to resources about what a wiki is and how it works, how to pronounce “wiki,” how a lawyer can use one in his or her practice, and how this tool is an extremely powerful platform for collaborating with others on the Internet…. http://www.abanet.org/lpm/lpt/articles/slc02071.shtml
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
FBI FREEZES FUNDS OF ‘VIRTUAL WALLET’ WEB PAYMENT FIRM (The Guardian, 6 Feb 2007) -- The FBI has frozen funds held in customer accounts at Neteller, the “virtual wallet” payment processor, as part of its case against the firm’s two Canadian founders who were last month arrested and charged with racketeering and money laundering. Neteller refused to disclose how much had been frozen but company filings make clear huge sums were flowing between its US customers’ “e-wallets” and online merchants - particularly gambling websites - up until the firm was pressured to close its American operations in the wake of last month’s arrests. Over a six-month period last year the company processed transactions worth $5.1bn (£2.6bn), with about 85% involving US customers. In the past five years, Neteller came to dominate gambling transactions in America because its e-wallets allowed users to get around credit card blocks on gambling sites. Following the arrests of founders Stephen Lawrence and John Lefebvre, who face up to 20 years in jail if convicted, the decision was quickly taken to shut down US operations. Trading in the company’s shares was also suspended and remains so. The FBI claim JSL Systems, a US-based payment company owned by Mr. Lefebvre, received customer funds in the US for Neteller and then transferred them to accounts held by a Neteller company in Canada. Last month Neteller told the Guardian that wagered money no longer passed through JSL. It is unclear whether the FBI will treat some or all of the funds as proceeds of illegal gambling. One US newspaper report cited Neil Donovan, an FBI agent, saying the funds were being held in court as potential evidence. Some money may be returned to Neteller customers but no timescale was forthcoming, the report said. A spokeswoman for the Department of Justice last night refused to confirm details in the report, as did Neteller. http://technology.guardian.co.uk/news/story/0,,2006709,00.html
DEBUNKING MYTHS ABOUT IDENTITY FRAUD (CNET, 7 Feb 2007) -- It seems that we constantly are hearing horror stories about the perils of rampant identity fraud. However, a recent survey seeks to set the record straight by saying that in the United States, the problem actually is decreasing. Javelin Strategy & Research has just released its Identity Fraud Survey Report. While identifying significant risk differentiators between age and income demographics, the report highlights an important reduction in fraudulent new account openings using private information. Interestingly, the report also says that more fraud happens via physical channels, such as in-person transactions, and by the direct theft of personal data by individuals, rather than taking place online. Let’s drill down a bit into some of the critical findings of the study, which is based on telephone interviews with 5,000 adults. http://news.com.com/Debunking+myths+about+identity+fraud/2010-1029_3-6156841.html?tag=nefd.top Report at http://www.javelinstrategy.com/2007/02/06/identity-fraud-has-dropped-since-2003-survey-shows/#more-613%202007
U.K. DATA THIEVES FACE TWO YEARS IN PRISON (CNET, 7 Feb 2007) -- Individuals who sell or deliberately misuse others’ personal data in the U.K. could now face a penalty of up to two years in prison. The previous penalty stipulated for the charge in the Data Protection Act 1998 was a fine. Now data thieves risk up to six months in prison for a summary conviction, while for a conviction on indictment, they could get up to two years, the U.K. Department for Constitutional Affairs said Wednesday. The change comes as the British government moves to increase data sharing as a way of offering higher-quality public services to citizens. http://news.com.com/2100-1029_3-6157219.html
MASS. AG LEADS MULTISTATE PROBE INTO TJX BREACH (Computerworld, 8 Feb 2007) -- Massachusetts Attorney General Martha Coakley will lead a civil investigation by dozens of states into the security breach disclosed last month by The TJX Companies Inc., the owner of T.J. Maxx and Marshalls retailers. The state’s consumer protection division is looking into the data breach, “particularly what security measures the company took to protect consumer information,” Coakley’s office said in a statement yesterday. A Coakley spokeswoman, Emily LaGrassa, added that more than 30 states have asked for details on the TJX investigation or expressed interest in joining the probe. TJX on Jan. 17 disclosed the security breach, in which one or more hackers penetrated the company’s computer network and made off with a still-unspecified number of customer records, including credit card numbers. More than three dozen banks in Massachusetts, the home state of the Framingham-based company, have reported that cards they’ve issued have been compromised. Although the attack began in May 2006, the breach was not discovered by TJX until mid-December. The company said it delayed disclosing the intrusion until January so it could contain the problem and meet confidentiality obligations to law enforcement agencies. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010884&source=NLT_PM&nlid=8 [It keeps getting worse; there are indications that the breaches occurred also in 2005, and perhaps earlier.]
-- and --
WILL PLAINTIFFS’ BAR SOON BE SINGING “T-T-T-T-T-T-T-T-TJX” IN BREACH CASES? (Steptoe & Johnson’s E-Commerce Law Week, 15 Feb 2007) -- Knowledgeable commentators (yes, we’re in a self-congratulatory mood this week) have predicted for a while that the plaintiffs’ bar will eventually succeed in a negligence suit based on a company’s failure to implement “reasonable” data security. And it appears that the “breach-chasers” may have finally found the right case. The data breach involving retail conglomerate TJX Companies, Inc. (the owner of discount chains T.J. Maxx and Marshalls, among others), first announced in mid-January, has so far drawn at least four putative class action suits in federal court in Massachusetts. While the plaintiffs in past class actions stemming from data breaches have had a difficult time establishing standing (for lack of cognizable harm) and/or damages, the TJX case might not suffer from the same weaknesses. The breach reportedly was broad in scope -- possibly involving more than 40 million credit and debit cards -- and has resulted in fraudulent debit and credit card purchases. These factors, combined with the emergence in recent years of a discernible standard of what constitutes “reasonable” security, could make this a precedent-setting case. If so, tort law in breach cases may “never ever [be] the same place,” as the old T.J. Maxx commercial went. Accordingly, companies will have even more reason to pay close attention to their data security procedures. http://www.steptoe.com/publications-4252.html
-- and --
MASS. BILL WANTS STORES TO PAY MORE IN DATA BREACHES (CNET, 22 Feb 2007) -- Businesses would have to reimburse banks for costs stemming from data security breaches, under a Massachusetts bill that could be mimicked by other states and in Congress. In what appears to be the first stab at such an approach, the proposal would require any “commercial entity” that handles personal financial data to foot the bill for various banking costs caused by hacks or other intrusions into their systems. The costs would include any fees associated with canceling or reissuing credit cards, opening and closing bank accounts, and restoring customers’ account balances after fraudulent transactions. The bill defines “commercial entity” as including everything from corporations to governmental agencies to associations, whether for-profit or not-for-profit. Shifting the liability away from banks--a step beyond previous proposals--has been a focus of discussion among advocacy groups for smaller banks. These banks argue that they are absorbing all the costs associated with data leaks, and they’re distressed they have to pick up the tab for damage they didn’t even create. The proposed remedy is primarily targeted at retailers, such as discount retailer TJX Companies. These have recently reported breaches potentially affecting thousands of customers, said Steve Kenneally, director of payments and technology policy for America’s Community Bankers, which advocates for smaller banks. ACB, which supports the state bill, would prefer to see national legislation. http://news.com.com/2100-7348_3-6161536.html
-- and --
BILL WOULD TIE RETAILERS TO COSTS OF ID THEFT (NPR, 26 Feb 2007) -- Massachusetts eyes a law to hold retailers accountable when thieves steal credit card information. The bill would force retailers to pay for the cost of reissuing new cards and for other expenses. Credit-card companies now absorb most of those costs. (2 minute audio program available at http://www.npr.org/templates/story/story.php?storyId=7599116)
NEW CYBERSECURITY CHIEF LAYS OUT GUIDANCE (Computerworld, 9 Feb 2007) -- U.S. companies and the federal government need to step up and fix the problems in their computer networks, the nation’s new cybersecurity czar told attendees during his first-ever address at RSA Conference here in San Francisco on Thursday. Within the next 10 years, the majority of the world’s communication needs will probably be handled by the Internet, said Gregory Garcia, the assistant secretary for cybersecurity and telecommunications at the Department of Homeland Security (DHS). “This proliferation of applications and devices within the converged network is going to create a breeding ground for security problems,” he said. “Our networks and our systems are vulnerable and they are exposed.” Garcia outlined two priorities for the year ahead. First, his office is working with federal agencies to adopt common security policies and practices. Second, he plans to work with the private sector to push forward a process called the National Infrastructure Protection Plan. This effort is intended to evaluate computer security risks on an industry-by-industry basis and outline the steps that need to be taken to address them. [Garcia] made it clear that the DHS expects U.S. companies to participate. “There are a lot of plans in Washington. This one is going to stick,” he said. “The private sector owns and operates 90% of the critical infrastructure, and it’s up to you all, not just the DHS, to secure this infrastructure.” http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9010939&taxonomyId=17&intsrc=kc_li_story
LAWMAKERS INTRODUCE BREACH NOTIFICATION, OTHER BILLS (PC World, 9 Feb 2007) -- Senators Patrick Leahy, a Vermont Democrat, and Bernie Sanders, a Vermont independent, introduced the Personal Data Privacy and Security Act. In addition to requiring data breach notification, the bill would also require data brokers to disclose what information they hold on individuals. The bill would allow individuals to correct information held by data brokers, and it would require companies that have databases with personal information on more than 10,000 U.S. residents to implement data privacy and security programs. Representatives Bobby Rush, an Illinois Democrat, and Cliff Stearns, a Florida Republican, introduced the Data Accountability and Trust Act this week. Their bill, with 24 co-sponsors, authorizes the U.S. Federal Trade Commission (FTC) to draw up data privacy requirements for businesses, including requirements that they have vulnerability assessments and policies for disposing of obsolete data. After a company reports a data breach, the FTC would conduct an audit of its security practices, and, like the Leahy-Sanders bill, the bill would require data brokers to disclose the information they hold on individuals and allow individuals to correct wrong information. http://www.pcworld.com/article/id,128887-c,techrelatedlegislation/article.html Bill at http://www.epic.org/privacy/pdf/DPSA2007.pdf
WIFI TURNS INTERNET INTO HIDEOUT FOR CRIMINALS (Washington Post, 11 Feb 2007) -- Detectives arrived last summer at a high-rise apartment building in Arlington County, warrant in hand, to nab a suspected pedophile who had traded child pornography online. It was to be a routine, mostly effortless arrest. But when they pounded on the door, detectives found an elderly woman who, they quickly concluded, had nothing to do with the crime. The real problem was her computer’s wireless router, a device sending a signal through her 10-story building and allowing savvy neighbors a free path to the Internet from the privacy of their homes. Perhaps one of those neighbors, authorities said, was stealthily uploading photographs of nude children. Doing so essentially rendered him or her untraceable. With nearly 46,000 public access points across the country -- many of them free -- hundreds of thousands of computer users are logging on every day to wireless networks at cafes, hotels, airports and even while sitting on park benches. And although the majority of those people are simply checking their e-mail and surfing the Web, authorities said an increasing number of criminals are taking advantage of the anonymity offered by the wireless signals to commit a raft of serious crimes -- from identity theft to the sexual solicitation of children. http://www.washingtonpost.com/wp-dyn/content/article/2007/02/10/AR2007021001457.html
COMPANIES IMPLEMENT P2P SOLUTIONS TO TRANSFER DATA (BNA’s Internet Law News, 13 Feb 2007) -- The WSJ reports that companies such as GM, Coca-Cola Co. and videogame publisher Tulga Games Inc. are now using peer-to-peer technology to transmit large chunks of data like video files or software updates, to employees and customers. Instead of a costly expansion of its satellite network last year, GM turned to P2P to push videos of marketing messages and sales targets to employees overseas, especially those in regions that have limited Internet capacity.
SKYPE SNOOP AGENT READS MOBO SERIAL NUMBERS (The Register, 11 Feb 2007) -- Skype has been spying on its Windows-based users since the middle of December by secretly accessing their system BIOS settings and recording the motherboard serial number. A blog entry (http://share.skype.com/sites/security/2007/02/skype_extras_plugin_manager.html) made on Skype’s website assures us it’s no big deal. The snooper agent is the handiwork of a third-party program called EasyBits Software, which Skype uses to manage Skype plug-ins. Among other things, EasyBits offers DRM features that prevent the unauthorized use or distribution of plug-ins, and that’s why Skype 3.0 has been nosing around in users’ BIOS. Reading the serial number allows EasyBits to quickly identify the physical computer the software is running on. The practice was discontinued on Thursday, when Skype was updated to version 3.0.0.216. Skype goes to great lengths (http://www.skype.com/download/adwarefree/) to assure users they will not be fed spyware, which the eBay-owned VOIP provider defines as “software that becomes installed on computer without the informed consent or knowledge of the computer’s owner and covertly transmits or receives data to or from a remote host.” What’s more, we were unable to find terms of service that spell out what EasyBits does with the information it gathers on Skype users. It’s also hard to take Skype’s nothing-to-see-here notification at face value because of the lengths the software goes to conceal its snooping. As documented (http://www.pagetable.com/?p=27) in the Pagetable blog, the Skype snoopware runs a .com file and prevents the more curious users among us from reading it. Were it not for errors it was giving users of 64-bit versions, we’d probably still be in the dark. http://www.theregister.co.uk/2007/02/11/skype_bios_snoop/print.html
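The “motherboard serial number” at issue above lives in the SMBIOS (DMI) tables that the firmware leaves in memory for the operating system; software that wants a stable hardware identifier walks those tables and reads the Baseboard (Type 2) or System Information (Type 1) structure. The following is an added example, not Skype’s or EasyBits’ code: a small SMBIOS table parser run over a constructed table, so you can see exactly what a program has to do to obtain that serial and what a per-machine identifier derived from it looks like. The Linux sysfs path and the WMI class named in the comments are assumptions about where a real table is read from; the article does not describe Skype’s mechanism at that level.

```python
"""Parse an SMBIOS/DMI structure table and extract the system and baseboard
serial numbers. Added illustration, not Skype's or EasyBits' code. The sample
table below is constructed so the parser runs offline. On Linux the real
table is readable by root from /sys/firmware/dmi/tables/DMI (assumed path);
Windows exposes the same fields through WMI (e.g. Win32_BaseBoard.SerialNumber).
"""
import hashlib
import struct

# Structure types whose formatted area carries a serial-number string index
# at offset 0x07 (a 1-based index into the structure's trailing string set).
SERIAL_FIELDS = {1: "system", 2: "baseboard"}
SERIAL_OFFSET = 0x07
END_OF_TABLE = 127


def parse_smbios(table: bytes):
    """Yield (type, formatted_area, strings) for each structure in `table`."""
    off = 0
    while off + 4 <= len(table):
        stype, length, _handle = struct.unpack_from("<BBH", table, off)
        if length < 4 or off + length > len(table):
            raise ValueError(f"bad structure length {length} at offset {off}")
        formatted = table[off:off + length]
        # String set: NUL-terminated strings followed by one extra NUL; a
        # structure with no strings at all is followed by two NULs.
        pos = off + length
        strings = []
        while pos < len(table) and table[pos] != 0:
            end = table.index(b"\0", pos)  # ValueError if the table is truncated
            strings.append(table[pos:end].decode("ascii", "replace"))
            pos = end + 1
        pos += 1 if strings else 2
        yield stype, formatted, strings
        if stype == END_OF_TABLE:
            break
        off = pos


def serial_numbers(table: bytes) -> dict:
    """Return {'system': ..., 'baseboard': ...} for whichever serials exist."""
    found = {}
    for stype, formatted, strings in parse_smbios(table):
        name = SERIAL_FIELDS.get(stype)
        if name is None or len(formatted) <= SERIAL_OFFSET:
            continue
        idx = formatted[SERIAL_OFFSET]  # 0 means "no string for this field"
        if 0 < idx <= len(strings):
            found[name] = strings[idx - 1].strip()
    return found


def machine_fingerprint(table: bytes) -> str:
    """Per-box identifier of the kind a vendor could derive from the baseboard
    serial (hashed here so the raw serial itself is not what gets stored)."""
    serial = serial_numbers(table).get("baseboard", "")
    return hashlib.sha256(serial.encode()).hexdigest()[:16]


def build_structure(stype: int, handle: int, body: bytes, strings) -> bytes:
    """Encode one structure: 4-byte header, formatted body, string set."""
    header = struct.pack("<BBH", stype, 4 + len(body), handle)
    strset = b"".join(s.encode("ascii") + b"\0" for s in strings)
    return header + body + strset + (b"\0" if strings else b"\0\0")


# Constructed sample table (not from any real machine): Type 1 System
# Information, Type 2 Baseboard, Type 127 End-of-Table. The body bytes are the
# string indexes Manufacturer, Product, Version, Serial (1..4), with the
# remaining fixed fields zeroed (Type 1 also carries a 16-byte UUID and a
# wake-up type byte).
SAMPLE_TABLE = (
    build_structure(1, 0x0100, bytes([1, 2, 3, 4]) + bytes(16) + b"\x06",
                    ["Example Computer Co.", "Model X", "1.0", "SYS-0000-CONSTRUCTED"])
    + build_structure(2, 0x0200, bytes([1, 2, 3, 4, 0]),
                      ["Example Boards Inc.", "EB-100", "Rev A", "MB-1234-CONSTRUCTED"])
    + build_structure(127, 0x7F00, b"", [])
)


def read_linux_dmi_table(path: str = "/sys/firmware/dmi/tables/DMI") -> bytes:
    """Raw table as exposed by the Linux kernel (root-only; path is assumed)."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    print(serial_numbers(SAMPLE_TABLE))
    print("fingerprint:", machine_fingerprint(SAMPLE_TABLE))
```

On a real Linux host the same call is `serial_numbers(read_linux_dmi_table())` run as root; for detection purposes the practical point is that any unprivileged application reading that sysfs file, issuing a raw SMBIOS read, or querying the baseboard WMI class is collecting a hardware identifier, which is worth flagging whatever the vendor’s stated purpose.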
STUDY: P2P EFFECT ON LEGAL MUSIC SALES “NOT STATISTICALLY DISTINGUISHABLE FROM ZERO” (ARStechnica, 12 Feb 2007) -- A new study in the Journal of Political Economy by Felix Oberholzer-Gee and Koleman Strumpf has found that illegal music downloads have had no noticeable effects on the sale of music, contrary to the claims of the recording industry. Entitled “The Effect of File Sharing on Record Sales: An Empirical Analysis,” the study matched an extensive sample of music downloads to American music sales data in order to search for causality between illicit downloading and album sales. Analyzing data from the final four months of 2002, the researchers estimated that P2P affected no more than 0.7% of sales in that timeframe. The study compared the logs of two OpenNAP P2P servers with sales data from Nielsen SoundScan, tracking the effects of 1.75 million song downloads on 680 different albums sold during that same period. The study then took a surprising twist. Popular music will often have both high downloads and high sales figures, so what the researchers wanted was a way to test for effects on album sales when file-sharing activity was increased on account of something other than US song popularity. Does the occasionally increased availability of music from Germany affect US sales? The study looked at time periods when German students were on holiday after demonstrating that P2P use increases at these times. German users collectively are the #2 P2P suppliers, providing “about one out of every six U.S. downloads,” according to the study. Yet the effects on American sales were not large enough to be statistically significant. Using this and several other methods, the study’s authors could find no meaningful causality. The availability and even increased downloads of music on P2P networks did not correlate to a negative effect on music sales. http://arstechnica.com/news.ars/post/20070212-8813.html
ELI LILLY LOSES EFFORT TO CENSOR ZYPREXA DOCUMENTS OFF THE INTERNET (EFF, 13 Feb 2007) -- A U.S. District Court judge today refused Eli Lilly’s request to ban a number of websites from publishing leaked documents relating to Zyprexa, Eli Lilly’s top-selling drug. Although the judge rejected the First Amendment arguments made by a variety of individuals eager to publish the documents, the court concluded that “it is unlikely that the court can now effectively enforce an injunction against the Internet in its various manifestations, and it would constitute a dubious manifestation of public policy were it to attempt to do so.” The order is a victory for the Electronic Frontier Foundation (EFF), which represents an anonymous individual who was previously barred by the court’s earlier orders from posting links to the Zyprexa documents on the zyprexa.pbwiki.com wiki. The Zyprexa documents were leaked from an ongoing product liability lawsuit against Eli Lilly. The internal documents allegedly show that Eli Lilly intentionally downplayed the drug’s side effects, including weight gain, high blood sugar, and diabetes, and marketed the drug for “off-label” uses not approved by the Food and Drug Administration (FDA). The documents were the basis for a front-page story in the New York Times in December of last year, and electronic copies are readily available from a variety of Internet sources. EFF’s client posted links to one set of copies on a wiki devoted to the controversy that were part of extensive, in-depth analysis from a number of citizen journalists. “This ruling makes it clear that Eli Lilly cannot invoke any court orders in its futile efforts to censor these documents off the Internet,” said EFF Staff Attorney Fred von Lohmann. “We are disappointed, however, that the judge failed to appreciate that its previous orders constituted prior restraints in violation of the First Amendment.” http://www.eff.org/news/archives/2007_02.php#005122 Order at http://eff.org/legal/cases/zyprexa/zyprexa_judgement.pdf
CONGRESS SEEKS ‘BITE’ FOR PRIVACY WATCHDOG (Washington Post, 13 Feb 2007) -- Key lawmakers want to replace a White House privacy and civil liberties board created by Congress in 2004 with one that is more independent of the president. The idea is to make the board more like the one envisioned by the bipartisan 9/11 Commission. As the commission’s vice chairman, Lee H. Hamilton, said yesterday: “We felt that you had to have a voice within the executive branch that reached across all of the departments of government with strong powers to protect our civil liberties.” But the five-member Privacy and Civil Liberties Oversight Board is resisting proposals that would dramatically change its composition and powers. The battle is another sign of the changed political landscape, with the Democratic-controlled Congress pushing for stronger oversight of the Bush administration’s counterterrorism programs. http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021201430.html
WHY VISTA’S DRM IS BAD FOR YOU (Forbes, essay by Bruce Schneier, 12 Feb 2007) -- Windows Vista includes an array of “features” that you don’t want. These features will make your computer less reliable and less secure. They’ll make your computer less stable and run slower. They will cause technical support problems. They may even require you to upgrade some of your peripheral hardware and existing software. And these features won’t do anything useful. In fact, they’re working against you. They’re digital rights management (DRM) features built into Vista at the behest of the entertainment industry. And you don’t get to refuse them. The details are pretty geeky, but basically Microsoft reworked a lot of the core operating system to add copy protection technology for new media formats like HD-DVD and Blu-ray disks. Certain high-quality output paths--audio and video--are reserved for protected peripheral devices. Sometimes output quality is artificially degraded; sometimes output is prevented entirely. And Vista continuously spends CPU time monitoring itself, trying to figure out if you’re doing something that it thinks you shouldn’t. If it does, it limits functionality and in extreme cases restarts just the video subsystem. We still don’t know the exact details of all this, and how far-reaching it is, but it doesn’t look good. http://www.forbes.com/security/2007/02/10/microsoft-vista-drm-tech-security-cz_bs_0212vista.html Technical analysis at http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
GOOGLE SAID TO VIOLATE COPYRIGHT LAWS (New York Times, 14 Feb 2007) -- A Brussels court ruled Tuesday that Google had violated copyright laws by publishing links to articles from Belgian newspapers without permission. Legal experts said the case could have broad implications in Europe for the news indexes provided by search engines. The ruling, which Google said it would appeal, was hailed by some newspaper industry representatives and may also have an impact on a lawsuit against Google by the news service Agence France-Presse. “As the first decision to condemn a search engine for indexing news articles, you can be sure publishers around the world are paying attention,” said Cyril Fabre, a lawyer in Paris at Alexen, a law firm specializing in Internet law and intellectual property. “The implications in Europe are particularly strong since copyright law is so uniform across the Continent.” The Brussels court ruled that Google, which operates the dominant Internet search engine, must pay 25,000 euros, or $32,600, for each day it displayed content from the plaintiff publications in violation of copyright. The court scaled back a September ruling that called for damages of up to 1 million euros a day and required Google to publish the judgment on its home page. The lawsuit, filed shortly after Google introduced the Belgian news site in January 2006, originally included two organizations representing journalists and photographers, but they reached a deal with the search engine. Google said the accord involved making use of content in new ways, but would not elaborate. Google believes that pointing to content on the Web is legal under copyright law, Mr. Elkaim added. “We have always explained that any licensing agreements Google does with content providers is for use that goes beyond indexing or referencing,” he said. Jessica Powell, a spokeswoman in London for Google, said the main complaints in the case — making reference to articles without prior permission, and the continued availability of articles in Google’s database after newspapers have restricted access to them — are issues easily rectified without legal action. Legal experts in the United States said the decision would have no direct impact there. But if upheld, they said, it could result in headaches for Google on both sides of the Atlantic. “It could set up a chain reaction, especially in European countries, where the authors’ rights are stronger,” said Pamela Samuelson, a law professor at the University of California, Berkeley, and the co-director of the Berkeley Center for Law and Policy. “If a Belgian court causes Google to change its ways, by preventing links from happening or forcing it to pay, other countries and other newspapers and other entities that have put things on the Web could say ‘me too.’” Still, she said, “I think that argument that linking is an infringement is not a particularly strong argument.” http://www.nytimes.com/2007/02/14/business/14google.html?ex=1329109200&en=744fe208cddd4bdd&ei=5090&partner=rssuserland&emc=rss
-- and --
GOOGLE LOSES ROUND TWO IN BELGIAN COPYRIGHT DISPUTE (CCH Computer Law Report, 22 Feb 2007) -- The Court of First Instance in Brussels has affirmed its prior ruling that Google violated Belgian copyright law by retaining cached copies of webpages and by publishing headlines, thumbnail images, and snippets of news gathered from articles on Belgian newspaper websites. On September 5, 2006, the court held that Google’s news and cache services violated Belgium’s law relating to copyright and ancillary rights (1991) and its law on databases (1998). The rulings prohibit the search engine from displaying portions of articles, pictures, or drawings on webpages belonging to the members of Copiepresse, a trade group representing 17 Belgian newspapers. Google News uses a robot to search for content that it automatically indexes according to common categories on its website. Although newspaper headlines, snippets of text, and some thumbnail images are visible on Google’s website, to access a full story, visitors must click on a link that takes them to the newspaper’s own website. Google’s cache system also uses a robot that takes snapshots of webpages as they appear at specific points in time. The cached copies, which are stored on Google’s servers, are accessible via links appearing in search results. The court ruled in favor of Copiepresse and held that Google’s cached webpages and its reproduction and publication of headlines and snippets infringed owners’ copyrights. However, the court disagreed with Copiepresse’s contention that Google must obtain prior permission from copyright holders in order to display any portion of copyrighted webpages. According to the court, the onus is on copyright holders to contact Google to request removal of infringing material. Once notified, the search engine has 24 hours to remove the content or face a fine of €1,000 per day for each work allegedly infringed. (subscription required)
EXPERTS OFFER TIPS FOR AVOIDING BLOG LAWSUITS (Computerworld, 14 Feb 2007) -- As companies increasingly use blogs, wikis, podcasts and other Web 2.0 tools to form social networking sites for their customers, partners and employees, executives must keep track of the new medium’s myriad legal risks. Information posted on corporate blogs or wikis could prompt lawsuits charging the companies with libel, copyright infringement or trademark violations, according to several lawyers who specialize in technology issues. They said that notes posted on such sites could also violate securities laws. Dennis Kennedy, a St. Louis lawyer who specializes in IT issues, said that companies often, and unwisely, treat emerging Web 2.0 technologies like “isolated new phenomena” that aren’t directly tied to corporate operations. “You need to look at what employees are doing ... in the context of your communications policy,” Kennedy added. Robert Clothier, an attorney at Fox Rothschild LLP in Philadelphia, noted that the legal risks associated with blogs are higher for posts written by a company’s employees than for those sent in by nonemployees. Companies are not likely to be sued for libel for posts on corporate blogs by outside users unless the company significantly alters the meaning of the content, said Clothier, who specializes in First Amendment issues. Clothier offers the following tips to avoid legal problems with forays into Web 2.0:
* Establish strict policies listing which employees can post on a corporate blog, and what subjects they can write about.
* Assign an employee to monitor blogs to make sure that policies are followed.
* Discipline employees who violate the policies.
* Remove inaccurate blog items, and post a correction.
* Determine whether the company needs libel insurance, and if so, what kind. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011280&source=NLT_AM&nlid=1
U.K. COMPANY FINED OVER LAPTOP THEFT (CNET, 14 Feb 2007) -- Nationwide Building Society, a U.K. financial services provider, has been fined $1.9 million after a laptop containing sensitive customer data was stolen from an employee. The Financial Services Authority (FSA) hit Nationwide with the fine on Wednesday, following an investigation into the theft, which occurred in November 2006 at the employee’s house. According to the FSA, Nationwide was guilty of failing to have effective systems and controls in place to manage its information security risks. The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft. “Firms’ internal controls are fundamental in ensuring customers’ details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up to date to prevent lapses in security,” said Margaret Cole, director of enforcement at the FSA. “The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security,” Cole added. http://news.com.com/2100-1029_3-6159349.html
CT SAYS ACCESS THAT EXCEEDS LICENSE BASIS FOR COPYRIGHT SUIT (BNA’s Internet Law News, 15 Feb 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that a subscriber to a medical articles database who leveraged a single-user subscription to distribute to multiple persons copies of the licensed content may be liable for both copyright infringement and computer fraud. Case name is Therapeutic Research Faculty v. NBTY Inc.
NINTH CIRCUIT TAKES A MULLIGAN ON EMPLOYEE PRIVACY (Steptoe & Johnson’s E-Commerce Law Week, 15 Feb 2007) -- The Ninth Circuit last summer held in United States v. Ziegler that an employee had no reasonable expectation of privacy in his workplace computer where the employer had a policy and practice of regularly monitoring employees’ computer usage. Accordingly, it affirmed the district court’s denial of the employee’s motion to suppress evidence of child pornography seized by police from the employee’s workplace hard drive, even though that evidence was obtained by entering the employee’s locked private office. We criticized the court’s reasoning at the time, and suggested that the decision would have been on sounder footing if the court had based its judgment on the employer’s consent to the search. Well, someone in chambers must be an ECLW fan, because on January 30 the Ninth Circuit panel rescinded its earlier opinion and issued a new one, reaching the same result but on the ground of employer consent. While some may think this decision is a big win for employee rights, in fact it is probably a more important victory for employers, since it preserves companies’ ability to control the terms of access to their network by both employees and the government. http://www.steptoe.com/publications-4252.html New 9th Circuit opinion at http://www.ca9.uscourts.gov/ca9/newopinions.nsf/1B9EE38656401781882572720080706B/$file/0530177.pdf?openelement
PRIVACY GROUPS HIT ISP DATA STORAGE BILL (InternetNews.com, 15 Feb 2007) -- Led by Rep. Lamar Smith of Texas, eight Republican U.S. House members have filed legislation that would give Attorney General Alberto Gonzales broad powers to require Internet service providers (ISPs) to retain customer data. Under the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2007 (SAFETY Act), the attorney general would be required to issue ISP data retention requirements, powers Gonzales has sought since last year as part of the Department of Justice’s (DoJ) campaign against online child pornography. According to the bill (H.R. 837), ISPs would be required to retain, at a minimum, subscriber names, addresses, telephone numbers and Internet protocol addresses to “permit compliance with court orders that may require production of such information.” The DoJ would determine the length of time the data must be retained. Most ISPs currently retain minimum customer data for six months or less. Gonzales has said he favors at least a two-year retention requirement. Privacy advocates worry that the vagueness of the bill’s language could allow the DoJ to expand upon the minimum data requirements to include more customer data such as most frequently visited websites, instant messages and e-mail correspondence. “This is a real First Amendment and privacy threat,” John Morris, director of Internet Standards at the Center for Democracy and Technology (CDT), told internetnews.com. “This proposal gives the attorney general unbounded discretion to create whatever data retention requirements he wants. There’s no restraint.” http://www.internetnews.com/bus-news/print.php/3660201
-- and --
JUSTICE DEPARTMENT TAKES AIM AT IMAGE-SHARING SITES (CNET, 2 March 2007) -- The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET News.com has learned. That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to News.com by several people who attended the meeting. A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of which customer is assigned a specific Internet address. Only universities and libraries would be excluded, one participant said. “There’s a PR concern with including the libraries, so we’re not going to include them,” the participant quoted the Justice Department as saying. http://news.com.com/2100-1028_3-6163679.html
-- and --
EUROPE’S PLAN TO TRACK PHONE AND NET USE (New York Times, 20 Feb 2007) -- European governments are preparing legislation to require companies to keep detailed data about people’s Internet and phone use that goes beyond what the countries will be required to do under a European Union directive. In Germany, a proposal from the Ministry of Justice would essentially prohibit using false information to create an e-mail account, making the standard Internet practice of creating accounts with pseudonyms illegal. A draft law in the Netherlands would likewise go further than the European Union requires, in this case by requiring phone companies to save records of a caller’s precise location during an entire mobile phone conversation. Even now, Internet service providers in Europe divulge customer information — which they normally keep on hand for about three months, for billing purposes — to police officials with legally valid orders on a routine basis, said Peter Fleischer, the Paris-based European privacy counsel for Google. The data concerns how the communication was sent and by whom but not its content. But law enforcement officials argued after the terrorist bombings in Spain and Britain that they needed better and longer data storage from companies handling Europe’s communications networks. European Union countries have until 2009 to put the Data Retention Directive into law, so the proposals seen now are early interpretations. But some people involved in the issue are concerned about a shift in policy in Europe, which has long been a defender of individuals’ privacy rights. Under the proposals in Germany, consumers theoretically could not create fictitious e-mail accounts, to disguise themselves in online auctions, for example. Nor could they use a made-up account to use for receiving commercial junk mail. While e-mail aliases would not be banned, they would have to be traceable to the actual account holder. Mr. Fleischer said: “It’s ironic, because Germany is one of the countries in Europe where people talk the most about privacy. In terms of consciousness of privacy in general, I would put Germany at the extreme end.” In the Netherlands, the proposed extension of the law on phone company records to all mobile location data “implies surveillance of the movement of large amounts of innocent citizens,” the Dutch Data Protection Agency has said. The agency concluded in January that the draft disregarded privacy protections in the European Convention on Human Rights. Similarly, the German technology trade association Bitkom said the draft there violated the German Constitution. Internet and telecommunications industry associations raised objections when the directive was being debated, but at that time their concerns were for the length of time the data would have to be stored and how the companies would be compensated for the cost of gathering and keeping the information. The directive ended up leaving both decisions in the hands of national governments, setting a range of six months to two years. The German draft settled on six months, while in Spain the proposal is for a year, and in the Netherlands it is 18 months. http://www.nytimes.com/2007/02/20/business/worldbusiness/20privacy.html?ex=1329627600&en=7c382d290b81c578&ei=5090&partner=rssuserland&emc=rss
GOOGLE FIGHTS FOR RIGHT TO USE TRADEMARKED SEARCH KEYWORDS (Information Week, 15 Feb 2007) -- Is Google guilty of trademark infringement when one of its advertisers purchases a competitor’s trademark as a search keyword that triggers its ad, even though Google doesn’t present the trademarked term in the ad itself? That’s a question Google and Rescuecom have been litigating since September 2004. In September 2006, the judge in the case granted Google’s motion to dismiss, but Rescuecom appealed. Earlier this week, Google filed a brief in the ongoing case that makes a clear and compelling argument for why Google’s sale of trademarked search keywords as ad triggers is legitimate. Michael H. Page, an attorney representing Google on behalf of Keker & Van Nest LLP, asserts that businesses associate their products with competitors all the time and that doing so doesn’t create confusion in the minds of consumers -- which is what trademark law aims to prevent. “Generic brands are placed next to known brands on store shelves for the express purpose of diverting customers from the brand they are seeking to another, and their manufacturers pay for that placement,” explains Page in the brief. “Advertisers deliberately select magazine ad placements next to articles about their competitors. ... All manner of companies pay for coupon placements selected based on a customer’s purchase of their competitors’ products. And so on. Of course they are seeking to ‘hijack’ or ‘divert’ consumers who have indicated an interest in their competitors’ products. That’s the point of contextual advertising -- to target ads at consumers who are actively interested in your type of product, rather than indiscriminately at the world at large.” But none of these examples, Page points out, falsely identifies the source of goods or services and thus does not represent a violation of trademark law. Google isn’t using the term “Rescuecom” as actual text in its ads. It’s merely allowing advertisers to be seen when a searcher is inquiring about a competitor. Rescuecom’s counterargument doesn’t seem quite so strong. Rescuecom’s attorney, Edmund J. Gegan, suggests that consumers inured to cutthroat competition at the mall are essentially clueless online and see no distinction between paid placement on a search results page and organic search results. http://www.informationweek.com/showArticle.jhtml?articleID=197006579&articleID=197006579 Google’s brief at http://blog.ericgoldman.org/archives/2007/02/rescuecom_v_goo_1.htm
NIST RELEASES INFO SECURITY DOCUMENTS (Government Computer News, 16 Feb 2007) -- The National Institute of Standards and Technology has published two new interagency reports designed to help auditors, inspectors general and senior management understand and evaluate information security programs. NISTIR 7359, titled “Information Security Guide for Government Executives,” is an overview of IT security concepts that senior management should grasp. NISTIR 7358, titled “Program Review for Information Security Management Assistance (PRISMA),” lays out a standardized approach for measuring the maturity of an information security program. PRISMA is a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program. It is intended for use by security personnel, as well as internal reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help identify program deficiencies, establish baselines, validate corrections and provide supporting information for Federal Information Security Management Act scorecards. It gives a maturity level in nine primary topic areas:
* Information security management and culture
* Information security planning
* Security awareness, training and education
* Budget and resources
* Life cycle management
* Certification and accreditation
* Critical infrastructure protection
* Incident and emergency response
* Security controls
http://www.gcn.com/online/vol1_no1/43141-1.html?topic=security&CMP=OTC-RSS
Reports at http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf and http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf
VIEWERS FAST-FORWARDING PAST ADS? NOT ALWAYS (New York Times, 16 Feb 2007) -- People with digital video recorders like TiVo never watch commercials, right? It turns out that a lot of people with digital video recorders are not fast-forwarding and time-shifting as much as advertisers feared. According to new data released yesterday by the Nielsen Company, people who own digital video recorders, or DVRs, still watch, on average, two-thirds of the ads. One big reason is that many people with DVRs still tune in to watch about half of their shows at the scheduled start time, meaning they must sit through commercials. And even when people watch recorded shows later, many are not fast-forwarding through the ads. On average, Nielsen found, DVR owners watch 40 percent of commercials that they could skip over — perhaps because they like ads, don’t mind them or simply can’t be bothered. “People are actually playing back more of the commercials than we thought,” said Steve Sternberg, executive vice president and director of audience analysis at Magna Global Media Research, an ad-buying agency. “People are buying DVRs not because they want to time-shift all of their viewing and skip all commercials, but because they want to time-shift some of their viewing.” While the new data may well be fodder for cocktail party chatter, it also has major financial implications. Largely because many advertisers thought that people with DVRs were not watching their ads, they have not been paying for time-shifted viewing on DVRs. Now the networks could use the new information to try to charge more. And advertisers may begin pressing networks to rethink commercial breaks — maybe making them shorter. http://www.nytimes.com/2007/02/16/business/16commercials.html?ex=1329282000&en=ac19fdde5f3cdef3&ei=5090&partner=rssuserland&emc=rss
DRIVER’S LICENSE EMERGES AS CRIME-FIGHTING TOOL, BUT PRIVACY ADVOCATES WORRY (New York Times, 17 Feb 2007) -- On the second floor of a state office building here, upstairs from a food court, three facial-recognition specialists are revolutionizing American law enforcement. They work for the Massachusetts motor vehicles department. Last year they tried an experiment, for sport. Using computerized biometric technology, they ran a mug shot from the Web site of “America’s Most Wanted,” the Fox Network television show, against the state’s database of nine million digital driver’s license photographs. The computer found a match. A man who looked very much like Robert Howell, the fugitive in the mug shot, had a Massachusetts driver’s license under another name. Mr. Howell was wanted in Massachusetts on rape charges. At least six other states have or are working on similar enormous databases of driver’s license photographs. Coupled with increasingly accurate facial-recognition technology, the databases may become a radical innovation in law enforcement. Other biometric databases are more useful for now. But DNA and fingerprint information, for instance, are not routinely collected from the general public. Most adults, on the other hand, have a driver’s license with a picture on it, meaning that the relevant databases for facial-recognition analysis already exist. And while the current technology requires good-quality photographs, the day may not be far off when images from ordinary surveillance cameras will routinely help solve crimes. Critics say the databases may therefore also represent a profound threat to privacy. “What is the D.M.V.?” asked Lee Tien, a lawyer with the Electronic Frontier Foundation and a privacy advocate. “Does it license motor vehicles and drivers? Or is it really an identification arm of law enforcement?” Anne L. Collins, the Massachusetts registrar of motor vehicles, said that people seeking a driver’s license at least implicitly consent to allowing their images to be used for other purposes. The databases are primarily intended to prevent people from obtaining multiple licenses under different names. That can help prevent identity theft and stop people who try to get a second license after their first has been suspended. “We don’t look at hair,” Ms. Conlon said. “We do look at lips, noses, ears.” The database’s second function, as a resource for law enforcement agencies, is growing in popularity. Police chiefs from around the state e-mail digital photographs for comparison with the database, sometimes several times a day. Other sorts of images are not useful — yet. “A video surveillance camera is probably not going to give it to you,” Mr. Smith said. In time, though, the combination of facial recognition and other information — from financial records, mobile phones, automobile positioning devices and other sources — may do away with the ability to move anonymously through the world, Mr. Tien, the privacy advocate, said. “The real question with biometrics,” he said, “is that they are part of a cluster of technologies that will allow for location tracking in both public and private places.” http://www.nytimes.com/2007/02/17/us/17face.html?ex=1329368400&en=8782b7320b2e7a40&ei=5090&partner=rssuserland&emc=rss
BROADBAND ADOPTION PASSES HALFWAY MARK IN U.S. (CNET, 18 Feb 2007) -- U.S. residential broadband penetration is expected to exceed 50 percent in 2007--and the U.K. isn’t far behind. By the end of 2007, more than 60 million U.S. households will be connected--around 55 percent--according to market researcher Parks Associates. During 2006, broadband subscriptions grew by more than 20 percent in the U.S. and by the end of the year around 50 million households had fat pipes. The U.K. isn’t far behind, though, as around 49 percent of households have a broadband connection, according to Point Topic figures from the third quarter of 2006. In Europe there are still large discrepancies in broadband penetration rates that are exacerbating the digital divide. Residential broadband uptake varies from 73 percent in Iceland to 1.4 percent in Moldova. Worldwide, the country with the greatest residential broadband connectivity is South Korea. More than 88 percent of Korean households had a broadband connection by the third quarter of last year. http://news.com.com/2110-1034_3-6160422.html
EBAY FIGHTS PLAN TO REPORT USERS TO IRS (Financial Times, 19 Feb 2007) -- Ebay is fiercely resisting a Bush administration plan it says will force it to snitch on customers who are not paying tax on billions earned on the popular online auction site. The Treasury estimates it could collect $2bn in unpaid tax if companies such as eBay reported American users who carry out more than 100 transactions worth at least $5,000 a year to the Internal Revenue Service. But an eBay spokesperson said: “We do not believe it is our responsibility to serve as the go-between. We believe that it is the seller’s responsibility.” The company pointed out that many users file self-employment and business tax returns based on their eBay income. Ebay said it would co-operate with IRS investigations into specific persons but would not voluntarily report its customers’ sales “en masse”. http://www.ft.com/cms/s/33e0a1e0-c026-11db-995a-000b5df10621,_i_rssPage=81cea682-52a8-11da-8d05-0000779e2340.html
LEGAL DEPARTMENTS TELL FIRMS: GET ON THE TECH TRAIN (Law.com, 21 Feb 2007) -- When Aon Corp. slashed its outside counsel roster from about 400 to 23 law firms in 2005, it quizzed the firms about their tech offerings. “We asked them about extranets, e-billing and litigation management,” says David Cambria, director of legal operations at the Chicago-based insurance giant. But Cambria says that he didn’t really care whether firms had all of those products. He had another agenda: “I wanted to know if [the firms] were playing in the same pool as me,” says Cambria. When they crafted the tech section of their request for proposal, Cambria and his colleagues started from the assumption that all the firms they were interviewing had experienced, capable lawyers. But “we wanted to take it to a higher level, and the most successful firms were the ones that told us how they’d help us do what we do better, with technology,” he says. What’s changed? Traditionally a cost center, legal departments have come under increasing pressure to keep costs down at the same time that they’re struggling to keep their technology current. “General counsel are being held to budgets,” says Woods Abbott, senior manager of legal operations-corporate at Raytheon Co. This year’s survey, our fourth in which we queried the technology heads of Fortune 500 corporations, shows that in many respects, law departments have had a technical awakening, and finally are getting the goodies everyone else in corporate America takes for granted. http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1171965782119
MUSIC COMPANIES TARGET COLLEGES IN LATEST DOWNLOADING CRACKDOWN (SiliconValley.com, 21 Feb 2007) -- Cracking down on college students, the music industry is sending thousands more complaints to top universities this school year than it did last year as it targets music illegally downloaded over campus computer networks. A few schools, including Ohio and Purdue universities, already have received more than 1,000 complaints accusing individual students since last fall -- significant increases over the past school year. For students who are caught, punishments vary from e-mail warnings to semester-long suspensions from classes. The trade group for the largest music labels, the Recording Industry Association of America, identified at the request of The Associated Press the 25 universities that received the most copyright complaints it sent so far this school year. The trade group long has pressured schools to act more aggressively against online pirates on campus. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16746514.htm
VIRTUAL CHILD PORN MAY BE A CRIME IN NETHERLANDS (CNET, 21 Feb 2007) -- Virtual enactments of child pornography may be a crime under Dutch law if they encourage child abuse, the public prosecutor said Wednesday. In the virtual world of Second Life, a popular Internet destination, everyone under the age of 18 is supposed to be limited to a “teen grid.” However, it would be relatively easy for children to get onto the adult grid if they wished since there is no proof of age required. In the adult section, some users participate in “age play,” in which adult users can create child-like characters and have virtual sex that would be illegal in the real world. “There are possibilities to prosecute because it possibly incites child abuse,” said Kitty Nooij, the spokesman for the public prosecutor, who is in charge of national vice cases. With the increasing popularity of virtual worlds, there are fears people may turn to them to carry out activities considered illegal in the real world. There is no Dutch case law about virtual child pornography in writing, drawings or computer animation. In the United States, where Second Life creator Linden Lab is based, the U.S. Supreme Court struck down a law in 2002 that would have banned computer-generated images that depict minors engaged in sexual conduct. http://news.com.com/2100-1028_3-6161025.html
FLA. BAR OKS CLIENT TESTIMONIALS ON LAW FIRM WEB SITES (Law.com, 22 Feb 2007) -- After nearly four years of debate, The Florida Bar board of governors has tentatively approved a proposed rule on law firm Web sites that would let lawyers publish client testimonials and claims about their past successes. The proposed rule would largely free law firm Web sites from the state’s restrictive rules governing lawyer advertising in such media as television, radio, direct mail and Yellow Pages. But lawyer Web sites still would have to comply with general Bar rules regarding truthfulness and lack of deception. The proposal still must be passed by the board of governors in a second reading and approved by the Florida Supreme Court. Under the proposed rule approved late last month, the inside pages of law firm Web sites -- but not the home page -- could include testimonials, references to past results and statements characterizing the quality of the services, as long as the statements are truthful, not misleading and come with disclaimers. The disclaimers must say that past results do not guarantee a future success. http://www.law.com/jsp/article.jsp?id=1172052183457&rss=newswire
RAISING, AND LOWERING, THE BAR ON CELL PHONE PRIVACY (Steptoe & Johnson’s E-Commerce Law Week, 22 Feb 2007) -- When can police search an electronic communications device that is owned by an employer, but is used daily by an employee? As we previously reported, the Ninth Circuit’s recent ruling in United States v. Ziegler left open the possibility that, given an employer’s policy of monitoring computer use, the user of a computer kept in a common space might not have a reasonable expectation of privacy in the device. But, in United States v. Finley, the Fifth Circuit recently found that an employee “had a reasonable expectation” that the call records and text messages on his cell phone would remain private from law enforcement and the general public, even though his employer owned the phone and could have read the messages on it after it was returned. Nonetheless, because the government’s search of the phone was conducted incident to a lawful custodial arrest, the court concluded that no search warrant was required and the search was “reasonable” under the Fourth Amendment. Combined with recent cases holding that Customs agents at the border can search the contents of a laptop with little or no reason, this case suggests that when the government wants to “reach out and touch someone,” it can reach the content on one’s electronic gadgets, too. http://www.steptoe.com/publications-4265.html Finley case at http://www.ca5.uscourts.gov/opinions%5Cpub%5C06/06-50160-CR0.wpd.pdf
FEDERAL COURT REAFFIRMS IMMUNITY OF BLOGGERS FROM SUITS BROUGHT AGAINST COMMENTERS (ACS blog, 26 Feb 2007) -- Section 230 of the Communications Decency Act provides that “[no] provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” and that “[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.” A recent decision of the First Circuit has reaffirmed the broad protection this statute provides to bloggers and message board administrators. In Universal Communication Systems v. Lycos, a company who had allegedly been victimized by defamatory statements on a message board regarding the value of its stock sued Lycos, which operated the board. The message board allowed users to post comments with minimal moderation, and no one from Lycos was responsible for the allegedly defamatory statements. Examining the impact of Sec. 230 on this case, the court noted that “Congress intended that, within broad limits, message board operators would not be held responsible for the postings made by others on that board,” adding that allowing bloggers and message board operators to be sued for the statements of commenters on their sites would have an “obvious chilling effect” on speech. Accordingly, the court dismissed the complaint against Lycos. http://www.acsblog.org/economic-regulation-employment-federal-court-reaffirms-immunity-of-bloggers-from-suits-brought-against-commenters.html Opinion at http://www.ca1.uscourts.gov/pdf.opinions/06-1826-01A.pdf
ADDING TO SECURITY BUT MULTIPLYING THE FEARS (New York Times, 26 Feb 2007) -- Foreigners arriving at the American border must present both index fingers for fingerprinting, but that will soon change. The Department of Homeland Security now wants 10 fingers. The two-print system was largely a biometric backup, an added level of security to supplement and verify a passport or a visa. The 10-print system adds a powerful investigative tool. “When we have a fingerprint of a terrorist who has left behind a bomb or an I.E.D. in Iraq or has left his fingerprint in a safe house somewhere, we don’t always have the two index fingers,” Paul Rosenzweig, a Department of Homeland Security official, said at a briefing in December. “It could be the pinkie or the thumb. And thus by moving to a 10-print system, we will enhance our ability to use biometrics to enable us to identify threats before they occur in the United States.” Call it biometric mission creep. People concerned about privacy and civil liberties say they fear the creation of gigantic biometric databases ripe for data-mining abuse. They note that Mr. Rosenzweig was a supporter of the Total Information Awareness program at the Defense Department, which had planned, as the Pentagon put it, to create “ultralarge all-source information repositories.” The program was shut down in 2003 because it scared people. The administration’s last-ditch defense of that effort was telling, too. It changed the name to the Terrorism Information Awareness program. There is a pattern here, said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. “These techniques that are sold to us as necessary to identify terrorists inevitably become systems of mass surveillance directed at the American people,” Mr. Rotenberg said.
****RESOURCES****
BADWARE WEBSITE CLEARINGHOUSE (stopbadware.org) -- Badware doesn’t just appear on users’ computers out of thin air; instead, much of it (maybe even most of it) is hosted on websites that then distribute it to consumers who visit those sites. Given the importance of websites as a means of spreading badware to unsuspecting users, StopBadware.org has expanded our mission to include shining a light on websites themselves, not just on the applications they host for download. In that vein, we’ve launched the Badware Website Clearinghouse -- a collaborative effort to build a comprehensive list of websites that host, link to, or otherwise distribute badware. Websites can host or distribute badware in a variety of ways. They may be sites that intentionally distribute bad applications for profit; or sites featuring ads, often provided by third parties, that, if clicked on, will attempt to automatically install harmful software; or sites that have been hacked and can download dangerous code onto visitors’ computers without the site owner even knowing the badware is there; and a whole range of sites in between. For a comprehensive definition of what constitutes a badware website, check out our Website Guidelines. Although the list of websites in this Clearinghouse is hosted by StopBadware.org, we’re not the only ones contributing to it. This list contains both websites that StopBadware itself has tested and found to contain badware or badware links, as well as thousands of sites that trusted third parties have independently examined, found to be hosts or distributors of badware, and provided to us for posting. Sites that StopBadware has tested itself and determined to contain or link to badware are marked with a red icon; sites marked with an “undetermined” icon were reported to StopBadware by one or more trusted third parties whose name(s) appear in a separate column to the left of the site’s URL. http://stopbadware.org/home/clearinghouse
WIKIS FOR THE LEGAL PROFESSION (ABA Law Practice Management, Feb 2007) -- If you hang around lawyers talking about “Web 2.0” long enough or read our articles, the word “wiki” is eventually bound to pop out. In fact, it’s hard to have a discussion about Web 2.0 and the new Internet technologies without discussing wikis; they may be one of the oldest tools of the Web 2.0 phenomenon. It’s also a safe bet that few of you reading this article have any real experience with using a wiki, or how a wiki might be useful to the practicing lawyer. Why should lawyers use wikis? They may help lawyers both as consumers and as producers. Most lawyers will get the most value from using wikis created by others. The classic example is the Wikipedia. Wikis can be seen as constantly updated collections of useful information arranged in an encyclopedic or similarly organized way, with hyperlinks to related internal and external information. On the producer side, perhaps the greatest potential of the wiki tool for lawyers is its use as a collaborative tool or even an information or knowledge platform, especially as a way to gather and manage “unstructured” information easily and quickly. The key feature of wikis in this regard is that multiple authors and editors are able to work together to create a collection of information or even collaborative documents. This month The Strongest Links focuses on wikis. We’ve scoured the Net for some of the best links on wikis -- we’ll discuss and point you to resources about what a wiki is and how it works, how to pronounce “wiki,” how a lawyer can use one in his or her practice, and how this tool is an extremely powerful platform for collaborating with others on the Internet…. http://www.abanet.org/lpm/lpt/articles/slc02071.shtml
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.