Friday, March 02, 2007

MIRLN -- Misc. IT Related Legal News [11 February – 3 March 2007; v10.03]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described at

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

FBI FREEZES FUNDS OF ‘VIRTUAL WALLET’ WEB PAYMENT FIRM (The Guardian, 6 Feb 2007) -- The FBI has frozen funds held in customer accounts at Neteller, the “virtual wallet” payment processor, as part of its case against the firm’s two Canadian founders who were last month arrested and charged with racketeering and money laundering. Neteller refused to disclose how much had been frozen but company filings make clear huge sums were flowing between its US customers’ “e-wallets” and online merchants - particularly gambling websites - up until the firm was pressured to close its American operations in the wake of last month’s arrests. Over a six-month period last year the company processed transactions worth $5.1bn (£2.6bn), with about 85% involving US customers. In the past five years, Neteller came to dominate gambling transactions in America because its e-wallets allowed users to get around credit card blocks on gambling sites. Following the arrests of founders Stephen Lawrence and John Lefebvre, who face up to 20 years in jail if convicted, the decision was quickly taken to shut down US operations. Trading in the company’s shares was also suspended and remains so. The FBI claim JSL Systems, a US-based payment company owned by Mr. Lefebvre, received customer funds in the US for Neteller and then transferred them to accounts held by a Neteller company in Canada. Last month Neteller told the Guardian that wagered money no longer passed through JSL. It is unclear whether the FBI will treat some or all of the funds as proceeds of illegal gambling. One US newspaper report cited Neil Donovan, an FBI agent, saying the funds were being held in court as potential evidence. Some money may be returned to Neteller customers but no timescale was forthcoming, the report said. A spokeswoman for the Department of Justice last night refused to confirm details in the report, as did Neteller.

DEBUNKING MYTHS ABOUT IDENTITY FRAUD (CNET, 7 Feb 2007) -- It seems that we constantly are hearing horror stories about the perils of rampant identity fraud. However, a recent survey seeks to set the record straight by saying that in the United States, the problem actually is decreasing. Javelin Strategy & Research has just released its Identity Fraud Survey Report. While identifying significant risk differentiators between age and income demographics, the report highlights an important reduction in fraudulent new account openings using private information. Interestingly, the report also says that more fraud happens via physical channels, such as in-person transactions, and by the direct theft of personal data by individuals, rather than taking place online. Let’s drill down a bit into some of the critical findings of the study, which is based on telephone interviews with 5,000 adults. Report at

U.K. DATA THIEVES FACE TWO YEARS IN PRISON (CNET, 7 Feb 2007) -- Individuals who sell or deliberately misuse others’ personal data in the U.K. could now face a penalty of up to two years in prison. The previous penalty stipulated for the charge in the Data Protection Act 1998 was a fine. Now data thieves risk up to six months in prison for a summary conviction, while for a conviction on indictment, they could get up to two years, the U.K. Department for Constitutional Affairs said Wednesday. The change comes as the British government moves to increase data sharing as a way of offering higher-quality public services to citizens.

MASS. AG LEADS MULTISTATE PROBE INTO TJX BREACH (Computerworld, 8 Feb 2007) -- Massachusetts Attorney General Martha Coakley will lead a civil investigation by dozens of states into the security breach disclosed last month by The TJX Companies Inc., the owner of T.J. Maxx and Marshalls retailers. The state’s consumer protection division is looking into the data breach, “particularly what security measures the company took to protect consumer information,” Coakley’s office said in a statement yesterday. A Coakley spokeswoman, Emily LaGrassa, added that more than 30 states have asked for details on the TJX investigation or expressed interest in joining the probe. TJX on Jan. 17 disclosed the security breach, in which one or more hackers penetrated the company’s computer network and made off with a still-unspecified number of customer records, including credit card numbers. More than three dozen banks in Massachusetts, the home state of the Framingham-based company, have reported that cards they’ve issued have been compromised. Although the attack began in May 2006, the breach was not discovered by TJX until mid-December. The company said it delayed disclosing the intrusion until January so it could contain the problem and meet confidentiality obligations to law enforcement agencies. [It keeps getting worse; there are indications that the breaches occurred also in 2005, and perhaps earlier.]

-- and --

WILL PLAINTIFFS’ BAR SOON BE SINGING “T-T-T-T-T-T-T-T-TJX” IN BREACH CASES? (Steptoe & Johnson’s E-Commerce Law Week, 15 Feb 2007) -- Knowledgeable commentators (yes, we’re in a self-congratulatory mood this week) have predicted for a while that the plaintiffs’ bar will eventually succeed in a negligence suit based on a company’s failure to implement “reasonable” data security. And it appears that the “breach-chasers” may have finally found the right case. The data breach involving retail conglomerate TJX Companies, Inc. (the owner of discount chains T.J. Maxx and Marshalls, among others), first announced in mid-January, has so far drawn at least four putative class action suits in federal court in Massachusetts. While the plaintiffs in past class actions stemming from data breaches have had a difficult time establishing standing (for lack of cognizable harm) and/or damages, the TJX case might not suffer from the same weaknesses. The breach reportedly was broad in scope -- possibly involving more than 40 million credit and debit cards -- and has resulted in fraudulent debit and credit card purchases. These factors, combined with the emergence in recent years of a discernible standard of what constitutes “reasonable” security, could make this a precedent-setting case. If so, tort law in breach cases may “never ever [be] the same place,” as the old T.J. Maxx commercial went. Accordingly, companies will have even more reason to pay close attention to their data security procedures.

-- and --

MASS. BILL WANTS STORES TO PAY MORE IN DATA BREACHES (CNET, 22 Feb 2007) -- Businesses would have to reimburse banks for costs stemming from data security breaches, under a Massachusetts bill that could be mimicked by other states and in Congress. In what appears to be the first stab at such an approach, the proposal would require any “commercial entity” that handles personal financial data to foot the bill for various banking costs caused by hacks or other intrusions into their systems. The costs would include any fees associated with canceling or reissuing credit cards, opening and closing bank accounts, and restoring customers’ account balances after fraudulent transactions. The bill defines “commercial entity” as including everything from corporations to governmental agencies to associations, whether for-profit or not-for-profit. Shifting the liability away from banks--a step beyond previous proposals--has been a focus of discussion among advocacy groups for smaller banks. These banks argue that they are absorbing all the costs associated with data leaks, and they’re distressed they have to pick up the tab for damage they didn’t even create. The proposed remedy is primarily targeted at retailers, such as discount retailer TJX Companies. These have recently reported breaches potentially affecting thousands of customers, said Steve Kenneally, director of payments and technology policy for America’s Community Bankers, which advocates for smaller banks. ACB, which supports the state bill, would prefer to see national legislation.

-- and --

BILL WOULD TIE RETAILERS TO COSTS OF ID THEFT (NPR, 26 Feb 2007) -- Massachusetts eyes a law to hold retailers accountable when thieves steal credit card information. The bill would force retailers to pay for the cost of reissuing new cards and for other expenses. Credit-card companies now absorb most of those costs. (2 minute audio program available at

NEW CYBERSECURITY CHIEF LAYS OUT GUIDANCE (Computerworld, 9 Feb 2007) -- U.S. companies and the federal government need to step up and fix the problems in their computer networks, the nation’s new cybersecurity czar told attendees during his first-ever address at RSA Conference here in San Francisco on Thursday. Within the next 10 years, the majority of the world’s communication needs will probably be handled by the Internet, said Gregory Garcia, the assistant secretary for cybersecurity and telecommunications at the Department of Homeland Security (DHS). “This proliferation of applications and devices within the converged network is going to create a breeding ground for security problems,” he said. “Our networks and our systems are vulnerable and they are exposed.” Garcia outlined two priorities for the year ahead. First, his office is working with federal agencies to adopt common security policies and practices. Second, he plans to work with the private sector to push forward a process called the National Infrastructure Protection Plan. This effort is intended to evaluate computer security risks on an industry-by-industry basis and outline the steps that need to be taken to address them. [Garcia] made it clear that the DHS expects U.S. companies to participate. “There are a lot of plans in Washington. This one is going to stick,” he said. “The private sector owns and operates 90% of the critical infrastructure, and it’s up to you all, not just the DHS, to secure this infrastructure.”

LAWMAKERS INTRODUCE BREACH NOTIFICATION, OTHER BILLS (PC World, 9 Feb 2007) -- Senators Patrick Leahy, a Vermont Democrat, and Bernie Sanders, a Vermont independent, introduced the Personal Data Privacy and Security Act. In addition to requiring data breach notification, the bill would also require data brokers to disclose what information they hold on individuals. The bill would allow individuals to correct information held by data brokers, and it would require companies that have databases with personal information on more than 10,000 U.S. residents to implement data privacy and security programs. Representatives Bobby Rush, an Illinois Democrat, and Cliff Stearns, a Florida Republican, introduced the Data Accountability and Trust Act this week. Their bill, with 24 co-sponsors, authorizes the U.S. Federal Trade Commission (FTC) to draw up data privacy requirements for businesses, including requirements that they have vulnerability assessments and policies for disposing of obsolete data. After a company reports a data breach, the FTC would conduct an audit of its security practices, and, like the Leahy-Sanders bill, the bill would require data brokers to disclose the information they hold on individuals and allow individuals to correct wrong information. Bill at

WIFI TURNS INTERNET INTO HIDEOUT FOR CRIMINALS (Washington Post, 11 Feb 2007) -- Detectives arrived last summer at a high-rise apartment building in Arlington County, warrant in hand, to nab a suspected pedophile who had traded child pornography online. It was to be a routine, mostly effortless arrest. But when they pounded on the door, detectives found an elderly woman who, they quickly concluded, had nothing to do with the crime. The real problem was her computer’s wireless router, a device sending a signal through her 10-story building and allowing savvy neighbors a free path to the Internet from the privacy of their homes. Perhaps one of those neighbors, authorities said, was stealthily uploading photographs of nude children. Doing so essentially rendered him or her untraceable. With nearly 46,000 public access points across the country -- many of them free -- hundreds of thousands of computer users are logging on every day to wireless networks at cafes, hotels, airports and even while sitting on park benches. And although the majority of those people are simply checking their e-mail and surfing the Web, authorities said an increasing number of criminals are taking advantage of the anonymity offered by the wireless signals to commit a raft of serious crimes -- from identity theft to the sexual solicitation of children.

COMPANIES IMPLEMENT P2P SOLUTIONS TO TRANSFER DATA (BNA’s Internet Law News, 13 Feb 2007) -- The WSJ reports that companies such as GM, Coca-Cola Co. and videogame publisher Tulga Games Inc. are now using peer-to-peer technology to transmit large chunks of data like video files or software updates, to employees and customers. Instead of a costly expansion of its satellite network last year, GM turned to P2P to push videos of marketing messages and sales targets to employees overseas, especially those in regions that have limited Internet capacity.

SKYPE SNOOP AGENT READS MOBO SERIAL NUMBERS (The Register, 11 Feb 2007) -- Skype has been spying on its Windows-based users since the middle of December by secretly accessing their system bios settings and recording the motherboard serial number. A blog entry made on Skype’s website assures us it’s no big deal. The snooper agent is the handiwork of a third-party program called EasyBits Software, which Skype uses to manage Skype plug-ins. Among other things, EasyBits offers DRM features that prevent the unauthorized use or distribution of plug-ins, and that’s why Skype 3.0 has been nosing around in users’ bios. Reading the serial number allows EasyBits to quickly identify the physical computer the software is running on. The practice was discontinued on Thursday, when Skype was updated to version Skype goes to great lengths to assure users they will not be fed spyware, which the eBay-owned VOIP provider defines as “software that becomes installed on computer without the informed consent or knowledge of the computer’s owner and covertly transmits or receives data to or from a remote host.” What’s more, we were unable to find terms of service that spells out what EasyBits does with the information it gathers on Skype users. It’s also hard to take Skype’s nothing-to-see-here notification at face value because of the lengths the software goes to conceal its snooping. As documented in the Pagetable blog, the Skype snoopware runs a .com file and prevents the more curious users among us from reading it. Were it not for errors it was giving users of 64-bit versions, we’d probably still be in the dark.

STUDY: P2P EFFECT ON LEGAL MUSIC SALES “NOT STATISTICALLY DISTINGUISHABLE FROM ZERO” (Ars Technica, 12 Feb 2007) -- A new study in the Journal of Political Economy by Felix Oberholzer-Gee and Koleman Strumpf has found that illegal music downloads have had no noticeable effects on the sale of music, contrary to the claims of the recording industry. Entitled “The Effect of File Sharing on Record Sales: An Empirical Analysis,” the study matched an extensive sample of music downloads to American music sales data in order to search for causality between illicit downloading and album sales. Analyzing data from the final four months of 2002, the researchers estimated that P2P affected no more than 0.7% of sales in that timeframe. The study compared the logs of two OpenNAP P2P servers with sales data from Nielsen SoundScan, tracking the effects of 1.75 million song downloads on 680 different albums sold during that same period. The study then took a surprising twist. Popular music will often have both high downloads and high sales figures, so what the researchers wanted was a way to test for effects on album sales when file-sharing activity was increased on account of something other than US song popularity. Does the occasionally increased availability of music from Germany affect US sales? The study looked at time periods when German students were on holiday after demonstrating that P2P use increases at these times. German users collectively are the #2 P2P suppliers, providing “about one out of every six U.S. downloads,” according to the study. Yet the effects on American sales were not large enough to be statistically significant. Using this and several other methods, the study’s authors could find no meaningful causality. The availability and even increased downloads of music on P2P networks did not correlate to a negative effect on music sales.

ELI LILLY LOSES EFFORT TO CENSOR ZYPREXA DOCUMENTS OFF THE INTERNET (EFF, 13 Feb 2007) -- A U.S. District Court judge today refused Eli Lilly’s request to ban a number of websites from publishing leaked documents relating to Zyprexa, Eli Lilly’s top-selling drug. Although the judge rejected the First Amendment arguments made by a variety of individuals eager to publish the documents, the court concluded that “it is unlikely that the court can now effectively enforce an injunction against the Internet in its various manifestations, and it would constitute a dubious manifestation of public policy were it to attempt to do so.” The order is a victory for the Electronic Frontier Foundation (EFF), which represents an anonymous individual who was previously barred by the court’s earlier orders from posting links to the Zyprexa documents on the wiki. The Zyprexa documents were leaked from an ongoing product liability lawsuit against Eli Lilly. The internal documents allegedly show that Eli Lilly intentionally downplayed the drug’s side effects, including weight gain, high blood sugar, and diabetes, and marketed the drug for “off-label” uses not approved by the Food and Drug Administration (FDA). The documents were the basis for a front-page story in the New York Times in December of last year, and electronic copies are readily available from a variety of Internet sources. EFF’s client posted links to one set of copies on a wiki devoted to the controversy that were part of extensive, in-depth analysis from a number of citizen journalists. “This ruling makes it clear that Eli Lilly cannot invoke any court orders in its futile efforts to censor these documents off the Internet,” said EFF Staff Attorney Fred von Lohmann. “We are disappointed, however, that the judge failed to appreciate that its previous orders constituted prior restraints in violation of the First Amendment.” Order at

CONGRESS SEEKS ‘BITE’ FOR PRIVACY WATCHDOG (Washington Post, 13 Feb 2007) -- Key lawmakers want to replace a White House privacy and civil liberties board created by Congress in 2004 with one that is more independent of the president. The idea is to make the board more like the one envisioned by the bipartisan 9/11 Commission. As the commission’s vice chairman, Lee H. Hamilton, said yesterday: “We felt that you had to have a voice within the executive branch that reached across all of the departments of government with strong powers to protect our civil liberties.” But the five-member Privacy and Civil Liberties Oversight Board is resisting proposals that would dramatically change its composition and powers. The battle is another sign of the changed political landscape, with the Democratic-controlled Congress pushing for stronger oversight of the Bush administration’s counterterrorism programs.

WHY VISTA’S DRM IS BAD FOR YOU (Forbes, essay by Bruce Schneier, 12 Feb 2007) -- Windows Vista includes an array of “features” that you don’t want. These features will make your computer less reliable and less secure. They’ll make your computer less stable and run slower. They will cause technical support problems. They may even require you to upgrade some of your peripheral hardware and existing software. And these features won’t do anything useful. In fact, they’re working against you. They’re digital rights management (DRM) features built into Vista at the behest of the entertainment industry. And you don’t get to refuse them. The details are pretty geeky, but basically Microsoft reworked a lot of the core operating system to add copy protection technology for new media formats like HD-DVD and Blu-ray disks. Certain high-quality output paths--audio and video--are reserved for protected peripheral devices. Sometimes output quality is artificially degraded; sometimes output is prevented entirely. And Vista continuously spends CPU time monitoring itself, trying to figure out if you’re doing something that it thinks you shouldn’t. If it does, it limits functionality and in extreme cases restarts just the video subsystem. We still don’t know the exact details of all this, and how far-reaching it is, but it doesn’t look good. Technical analysis at

GOOGLE SAID TO VIOLATE COPYRIGHT LAWS (New York Times, 14 Feb 2007) -- A Brussels court ruled Tuesday that Google had violated copyright laws by publishing links to articles from Belgian newspapers without permission. Legal experts said the case could have broad implications in Europe for the news indexes provided by search engines. The ruling, which Google said it would appeal, was hailed by some newspaper industry representatives and may also have an impact on a lawsuit against Google by the news service Agence France-Presse. “As the first decision to condemn a search engine for indexing news articles, you can be sure publishers around the world are paying attention,” said Cyril Fabre, a lawyer in Paris at Alexen, a law firm specializing in Internet law and intellectual property. “The implications in Europe are particularly strong since copyright law is so uniform across the Continent.” The Brussels court ruled that Google, which operates the dominant Internet search engine, must pay 25,000 euros, or $32,600, for each day it displayed content from the plaintiff publications in violation of copyright. The court scaled back a September ruling that called for damages of up to 1 million euros a day and required Google to publish the judgment on its home page. The lawsuit, filed shortly after Google introduced the Belgian news site in January 2006, originally included two organizations representing journalists and photographers, but they reached a deal with the search engine. Google said the accord involved making use of content in new ways, but would not elaborate. Google believes that pointing to content on the Web is legal under copyright law, Mr. Elkaim added. “We have always explained that any licensing agreements Google does with content providers is for use that goes beyond indexing or referencing,” he said. 
Jessica Powell, a spokeswoman in London for Google, said the main complaints in the case — making reference to articles without prior permission, and the continued availability of articles in Google’s database after newspapers have restricted access to them — are issues easily rectified without legal action. Legal experts in the United States said the decision would have no direct impact there. But if upheld, they said, it could result in headaches for Google on both sides of the Atlantic. “It could set up a chain reaction, especially in European countries, where the authors’ rights are stronger,” said Pamela Samuelson, a law professor at the University of California, Berkeley, and the co-director of the Berkeley Center for Law and Policy. “If a Belgian court causes Google to change its ways, by preventing links from happening or forcing it to pay, other countries and other newspapers and other entities that have put things on the Web could say ‘me too.’” Still, she said, “I think that argument that linking is an infringement is not a particularly strong argument.”

-- and --

GOOGLE LOSES ROUND TWO IN BELGIAN COPYRIGHT DISPUTE (CCH Computer Law Report, 22 Feb 2007) -- The Court of First Instance in Brussels has affirmed its prior ruling that Google violated Belgian copyright law by retaining cached copies of webpages and by publishing headlines, thumbnail images, and snippets of news gathered from articles on Belgium newspaper websites. On September 5, 2006, the court held that Google’s news and cache services violated Belgium’s law relating to copyright and ancillary rights (1991) and its law on data bases (1998). The rulings prohibit the search engine from displaying portions of articles, pictures, or drawings on webpages belonging to the members of Copiepresse, a trade group representing 17 Belgian newspapers. Google News uses a robot to search for content that it automatically indexes according to common categories on its website. Although newspaper headlines, snippets of text, and some thumbnail images are visible on Google’s website, to access a full story, visitors must click on a link that takes them to the newspaper’s own website. Google’s cache system also uses a robot that takes snapshots of webpages as they appear at specific points in time. The cached copies, which are stored on Google’s servers, are accessible via links appearing in search results. The court ruled in favor of Copiepresse and held that Google’s cached webpages and its reproduction and publication of headlines and snippets infringed owners’ copyrights. However, the court disagreed with Copiepresse’s contention that Google must obtain prior permission from copyright holders in order to display any portion of copyrighted webpages. According to the court, the onus is on copyright holders to contact Google to request removal of infringing material. Once notified, the search engine has 24 hours to remove the content or face a fine of €1,000 per day for each work allegedly infringed. (subscription required)

EXPERTS OFFER TIPS FOR AVOIDING BLOG LAWSUITS (Computerworld, 14 Feb 2007) -- As companies increasingly use blogs, wikis, podcasts and other Web 2.0 tools to form social networking sites for their customers, partners and employees, executives must keep track of the new medium’s myriad legal risks. Information posted on corporate blogs or wikis could prompt lawsuits charging the companies with libel, copyright infringement or trademark violations, according to several lawyers that specialize in technology issues. They said that notes posted on such sites could also violate securities laws. Dennis Kennedy, a St. Louis lawyer who specializes in IT issues, said that companies often, and unwisely, treat emerging Web 2.0 technologies like “isolated new phenomena” that aren’t directly tied to corporate operations. “You need to look at what employees are doing ... in the context of your communications policy,” Kennedy added. Robert Clothier, an attorney at Fox Rothschild LLP in Philadelphia, noted that the legal risks associated with blogs are higher for posts written by a company’s employees than by those sent in by nonemployees. Companies are not likely to be sued for libel for posts on corporate blogs by outside users unless the company significantly alters the meaning of the content, said Clothier, who specializes in First Amendment issues. Clothier offers the following tips to avoid legal problems with forays into Web 2.0:
* Establish strict policies listing which employees can post on a corporate blog, and what subjects they can write about.
* Assign an employee to monitor blogs to make sure that policies are followed.
* Discipline employees who violate the policies.
* Remove inaccurate blog items, and post a correction.
* Determine whether the company needs libel insurance, and if so, what kind.

U.K. COMPANY FINED OVER LAPTOP THEFT (CNET, 14 Feb 2007) -- Nationwide Building Society, a U.K. financial services provider, has been fined $1.9 million after a laptop containing sensitive customer data was stolen from an employee. The Financial Services Authority (FSA) hit Nationwide with the fine on Wednesday, following an investigation into the theft, which occurred in November 2006 at the employee’s house. According to the FSA, Nationwide was guilty of failing to have effective systems and controls in place to manage its information security risks. The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft. “Firms’ internal controls are fundamental in ensuring customers’ details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up to date to prevent lapses in security,” said Margaret Cole, director of enforcement at the FSA. “The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security,” Cole added.

CT SAYS ACCESS THAT EXCEEDS LICENSE BASIS FOR COPYRIGHT SUIT (BNA’s Internet Law News, 15 Feb 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that a subscriber to a medical articles database who leveraged a single-user subscription to distribute to multiple persons copies of the licensed content may be liable for both copyright infringement and computer fraud. Case name is Therapeutic Research Faculty v. NBTY Inc.

NINTH CIRCUIT TAKES A MULLIGAN ON EMPLOYEE PRIVACY (Steptoe & Johnson’s E-Commerce Law Week, 15 Feb 2007) -- The Ninth Circuit last summer held in United States v. Ziegler that an employee had no reasonable expectation of privacy in his workplace computer where the employer had a policy and practice of regularly monitoring employees’ computer usage. Accordingly, it affirmed the district court’s denial of the employee’s motion to suppress evidence of child pornography seized by police from the employee’s workplace hard drive, even though that evidence was obtained by entering the employee’s locked private office. We criticized the court’s reasoning at the time, and suggested that the decision would have been on sounder footing if the court had based its judgment on the employer’s consent to the search. Well, someone in chambers must be an ECLW fan, because on January 30 the Ninth Circuit panel rescinded its earlier opinion and issued a new one, reaching the same result but on the ground of employer consent. While some may think this decision is a big win for employee rights, in fact it is probably a more important victory for employers, since it preserves companies’ ability to control the terms of access to their network by both employees and the government. New 9th Circuit opinion at

PRIVACY GROUPS HIT ISP DATA STORAGE BILL (, 15 Feb 2007) -- Led by Rep. Lamar Smith of Texas, eight Republican U.S. House members have filed legislation that would give Attorney General Alberto Gonzales broad powers to require Internet service providers (ISPs) to retain customer data. Under the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2007 (SAFETY Act), the attorney general would be required to issue ISP data retention requirements, powers Gonzales has sought since last year as part of the Department of Justice’s (DoJ) campaign against online child pornography. According to the bill (H.R. 837), ISPs would be required to retain, at a minimum, subscriber names, addresses, telephone numbers and Internet protocol addresses to “permit compliance with court orders that may require production of such information.” The DoJ would determine the length of time the data must be retained. Most ISPs currently retain minimum customer data for six months or less. Gonzales has said he favors at least a two-year retention requirement. Privacy advocates worry that the vagueness of the bill’s language could allow the DoJ to expand upon the minimum data requirements to include more customer data such as most frequently visited websites, instant messages and e-mail correspondence. “This is a real First Amendment and privacy threat,” John Morris, director of Internet Standards at the Center for Democracy and Technology (CDT), told “This proposal gives the attorney general unbounded discretion to create whatever data retention requirements he wants. There’s no restraint.”

-- and --

JUSTICE DEPARTMENT TAKES AIM AT IMAGE-SHARING SITES (CNET, 2 March 2007) -- The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET has learned. That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to by several people who attended the meeting. A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of which customer is assigned a specific Internet address. Only universities and libraries would be excluded, one participant said. “There’s a PR concern with including the libraries, so we’re not going to include them,” the participant quoted the Justice Department as saying.

-- and --

EUROPE’S PLAN TO TRACK PHONE AND NET USE (New York Times, 20 Feb 2007) -- European governments are preparing legislation to require companies to keep detailed data about people’s Internet and phone use that goes beyond what the countries will be required to do under a European Union directive. In Germany, a proposal from the Ministry of Justice would essentially prohibit using false information to create an e-mail account, making the standard Internet practice of creating accounts with pseudonyms illegal. A draft law in the Netherlands would likewise go further than the European Union requires, in this case by requiring phone companies to save records of a caller’s precise location during an entire mobile phone conversation. Even now, Internet service providers in Europe divulge customer information — which they normally keep on hand for about three months, for billing purposes — to police officials with legally valid orders on a routine basis, said Peter Fleischer, the Paris-based European privacy counsel for Google. The data concerns how the communication was sent and by whom but not its content. But law enforcement officials argued after the terrorist bombings in Spain and Britain that they needed better and longer data storage from companies handling Europe’s communications networks. European Union countries have until 2009 to put the Data Retention Directive into law, so the proposals seen now are early interpretations. But some people involved in the issue are concerned about a shift in policy in Europe, which has long been a defender of individuals’ privacy rights. Under the proposals in Germany, consumers theoretically could not create fictitious e-mail accounts, to disguise themselves in online auctions, for example. Nor could they use a made-up account to use for receiving commercial junk mail. While e-mail aliases would not be banned, they would have to be traceable to the actual account holder. Mr. Fleischer said: “It’s ironic, because Germany is one of the countries in Europe where people talk the most about privacy. In terms of consciousness of privacy in general, I would put Germany at the extreme end.” In the Netherlands, the proposed extension of the law on phone company records to all mobile location data “implies surveillance of the movement of large amounts of innocent citizens,” the Dutch Data Protection Agency has said. The agency concluded in January that the draft disregarded privacy protections in the European Convention on Human Rights. Similarly, the German technology trade association Bitkom said the draft there violated the German Constitution. Internet and telecommunications industry associations raised objections when the directive was being debated, but at that time their concerns were for the length of time the data would have to be stored and how the companies would be compensated for the cost of gathering and keeping the information. The directive ended up leaving both decisions in the hands of national governments, setting a range of six months to two years. The German draft settled on six months, while in Spain the proposal is for a year, and in the Netherlands it is 18 months.

GOOGLE FIGHTS FOR RIGHT TO USE TRADEMARKED SEARCH KEYWORDS (Information Week, 15 Feb 2007) -- Is Google guilty of trademark infringement when one of its advertisers purchases a competitor’s trademark as a search keyword that triggers its ad, even though Google doesn’t present the trademarked term in the ad itself? That’s a question Google and Rescuecom have been litigating since September 2004. In September 2006, the judge in the case granted Google’s motion to dismiss, but Rescuecom appealed. Earlier this week, Google filed a brief in the ongoing case that makes a clear and compelling argument for why Google’s sale of trademarked search keywords as ad triggers is legitimate. Michael H. Page, an attorney representing Google on behalf of Keker & Van Nest LLP, asserts that businesses associate their products with competitors all the time and that doing so doesn’t create confusion in the minds of consumers -- which is what trademark law aims to prevent. “Generic brands are placed next to known brands on store shelves for the express purpose of diverting customers from the brand they are seeking to another, and their manufacturers pay for that placement,” explains Page in the brief. “Advertisers deliberately select magazine ad placements next to articles about their competitors. ... All manner of companies pay for coupon placements selected based on a customer’s purchase of their competitors’ products. And so on. Of course they are seeking to ‘hijack’ or ‘divert’ consumers who have indicated an interest in their competitors’ products. That’s the point of contextual advertising -- to target ads at consumers who are actively interested in your type of product, rather than indiscriminately at the world at large.” But none of these examples, Page points out, falsely identifies the source of goods or services and thus does not represent a violation of trademark law. Google isn’t using the term “Rescuecom” as actual text in its ads. It’s merely allowing advertisers to be seen when a searcher is inquiring about a competitor. Rescuecom’s counterargument doesn’t quite seem so strong. Rescuecom’s attorney, Edmund J. Gegan, suggests that consumers inured to cutthroat competition at the mall are essentially clueless online and see no distinction between paid placement on a search results page and organic search results. Google’s brief at

NIST RELEASES INFO SECURITY DOCUMENTS (Government Computer News, 16 Feb 2007) -- The National Institute of Standards and Technology has published two new interagency reports designed to help auditors, inspectors general and senior management understand and evaluate information security programs. NISTIR 7359, titled “Information Security Guide for Government Executives,” is an overview of IT security concepts that senior management should grasp. NISTIR 7358, titled “Program Review for Information Security Management Assistance (PRISMA),” lays out a standardized approach for measuring the maturity of an information security program. PRISMA is a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program. It is intended for use by security personnel, as well as internal reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help identify program deficiencies, establish baselines, validate corrections and provide supporting information for Federal Information Security Management Act scorecards. It gives a maturity level in nine primary topic areas:
* Information security management and culture
* Information security planning
* Security awareness, training and education
* Budget and resources
* Life cycle management
* Certification and accreditation
* Critical infrastructure protection
* Incident and emergency response
* Security controls
Reports at and

VIEWERS FAST-FORWARDING PAST ADS? NOT ALWAYS (New York Times, 16 Feb 2007) -- People with digital video recorders like TiVo never watch commercials, right? It turns out that a lot of people with digital video recorders are not fast-forwarding and time-shifting as much as advertisers feared. According to new data released yesterday by the Nielsen Company, people who own digital video recorders, or DVRs, still watch, on average, two-thirds of the ads. One big reason is that many people with DVRs still tune in to watch about half of their shows at the scheduled start time, meaning they must sit through commercials. And even when people watch recorded shows later, many are not fast-forwarding through the ads. On average, Nielsen found, DVR owners watch 40 percent of commercials that they could skip over — perhaps because they like ads, don’t mind them or simply can’t be bothered. “People are actually playing back more of the commercials than we thought,” said Steve Sternberg, executive vice president and director of audience analysis at Magna Global Media Research, an ad-buying agency. “People are buying DVRs not because they want to time-shift all of their viewing and skip all commercials, but because they want to time-shift some of their viewing.” While the new data may well be fodder for cocktail party chatter, it also has major financial implications. Largely because many advertisers thought that people with DVRs were not watching their ads, they have not been paying for time-shifted viewing on DVRs. Now the networks could use the new information to try to charge more. And advertisers may begin pressing networks to rethink commercial breaks — maybe making them shorter.

DRIVER’S LICENSE EMERGES AS CRIME-FIGHTING TOOL, BUT PRIVACY ADVOCATES WORRY (New York Times, 17 Feb 2007) -- On the second floor of a state office building here, upstairs from a food court, three facial-recognition specialists are revolutionizing American law enforcement. They work for the Massachusetts motor vehicles department. Last year they tried an experiment, for sport. Using computerized biometric technology, they ran a mug shot from the Web site of “America’s Most Wanted,” the Fox Network television show, against the state’s database of nine million digital driver’s license photographs. The computer found a match. A man who looked very much like Robert Howell, the fugitive in the mug shot, had a Massachusetts driver’s license under another name. Mr. Howell was wanted in Massachusetts on rape charges. At least six other states have or are working on similar enormous databases of driver’s license photographs. Coupled with increasingly accurate facial-recognition technology, the databases may become a radical innovation in law enforcement. Other biometric databases are more useful for now. But DNA and fingerprint information, for instance, are not routinely collected from the general public. Most adults, on the other hand, have a driver’s license with a picture on it, meaning that the relevant databases for facial-recognition analysis already exist. And while the current technology requires good-quality photographs, the day may not be far off when images from ordinary surveillance cameras will routinely help solve crimes. Critics say the databases may therefore also represent a profound threat to privacy. “What is the D.M.V.?” asked Lee Tien, a lawyer with the Electronic Frontier Foundation and a privacy advocate. “Does it license motor vehicles and drivers? Or is it really an identification arm of law enforcement?” Anne L. Collins, the Massachusetts registrar of motor vehicles, said that people seeking a driver’s license at least implicitly consent to allowing their images to be used for other purposes. The databases are primarily intended to prevent people from obtaining multiple licenses under different names. That can help prevent identity theft and stop people who try to get a second license after their first has been suspended. “We don’t look at hair,” Ms. Conlon said. “We do look at lips, noses, ears.” The database’s second function, as a resource for law enforcement agencies, is growing in popularity. Police chiefs from around the state e-mail digital photographs for comparison with the database, sometimes several times a day. Other sorts of images are not useful — yet. “A video surveillance camera is probably not going to give it to you,” Mr. Smith said. In time, though, the combination of facial recognition and other information — from financial records, mobile phones, automobile positioning devices and other sources — may do away with the ability to move anonymously through the world, Mr. Tien, the privacy advocate, said. “The real question with biometrics,” he said, “is that they are part of a cluster of technologies that will allow for location tracking in both public and private places.”

BROADBAND ADOPTION PASSES HALFWAY MARK IN U.S. (CNET, 18 Feb 2007) -- U.S. residential broadband penetration is expected to exceed 50 percent in 2007--and the U.K. isn’t far behind. By the end of 2007, more than 60 million U.S. households will be connected--around 55 percent--according to market researcher Parks Associates. During 2006, broadband subscriptions grew by more than 20 percent in the U.S. and by the end of the year around 50 million households had fat pipes. The U.K. isn’t far behind, though, as around 49 percent of households have a broadband connection, according to Point Topic figures from the third quarter of 2006. In Europe there are still large discrepancies in broadband penetration rates that are exacerbating the digital divide. Residential broadband uptake varies from 73 percent in Iceland to 1.4 percent in Moldova. Worldwide, the country with the greatest residential broadband connectivity is South Korea. More than 88 percent of Korean households had a broadband connection by the third quarter of last year.

EBAY FIGHTS PLAN TO REPORT USERS TO IRS (Financial Times, 19 Feb 2007) -- Ebay is fiercely resisting a Bush administration plan it says will force it to snitch on customers who are not paying tax on billions earned on the popular online auction site. The Treasury estimates it could collect $2bn in unpaid tax if companies such as eBay reported American users who carry out more than 100 transactions worth at least $5,000 a year to the Internal Revenue Service. But an eBay spokesperson said: “We do not believe it is our responsibility to serve as the go-between. We believe that it is the seller’s responsibility.” The company pointed out that many users file self-employment and business tax returns based on their eBay income. Ebay said it would co-operate with IRS investigations into specific persons but would not voluntarily report its customers’ sales “en masse”.,_i_rssPage=81cea682-52a8-11da-8d05-0000779e2340.html

LEGAL DEPARTMENTS TELL FIRMS: GET ON THE TECH TRAIN (, 21 Feb 2007) -- When Aon Corp. slashed its outside counsel roster from about 400 to 23 law firms in 2005, it quizzed the firms about their tech offerings. “We asked them about extranets, e-billing and litigation management,” says David Cambria, director of legal operations at the Chicago-based insurance giant. But Cambria says that he didn’t really care whether firms had all of those products. He had another agenda: “I wanted to know if [the firms] were playing in the same pool as me,” says Cambria. When they crafted the tech section of their request for proposal, Cambria and his colleagues started from the assumption that all the firms they were interviewing had experienced, capable lawyers. But “we wanted to take it to a higher level, and the most successful firms were the ones that told us how they’d help us do what we do better, with technology,” he says. What’s changed? Traditionally a cost center, legal departments have come under increasing pressure to keep costs down at the same time that they’re struggling to keep their technology current. “General counsel are being held to budgets,” says Woods Abbott, senior manager of legal operations-corporate at Raytheon Co. This year’s survey, our fourth in which we queried the technology heads of Fortune 500 corporations, shows that in many respects, law departments have had a technical awakening, and finally are getting the goodies everyone else in corporate America takes for granted.

MUSIC COMPANIES TARGET COLLEGES IN LATEST DOWNLOADING CRACKDOWN (, 21 Feb 2007) -- Cracking down on college students, the music industry is sending thousands more complaints to top universities this school year than it did last year as it targets music illegally downloaded over campus computer networks. A few schools, including Ohio and Purdue universities, already have received more than 1,000 complaints accusing individual students since last fall -- significant increases over the past school year. For students who are caught, punishments vary from e-mail warnings to semester-long suspensions from classes. The trade group for the largest music labels, the Recording Industry Association of America, identified at the request of The Associated Press the 25 universities that received the most copyright complaints it sent so far this school year. The trade group long has pressured schools to act more aggressively against online pirates on campus.

VIRTUAL CHILD PORN MAY BE A CRIME IN NETHERLANDS (CNET, 21 Feb 2007) -- Virtual enactments of child pornography may be a crime under Dutch law if it encourages child abuse, the public prosecutor said Wednesday. In the virtual world of Second Life, a popular Internet destination, everyone under the age of 18 is supposed to be limited to a “teen grid.” However, it would be relatively easy for children to get onto the adult grid if they wished since there is no proof of age required. In the adult section, some users participate in “age play,” in which adult users can create child-like characters and have virtual sex that would be illegal in the real world. “There are possibilities to prosecute because it possibly incites child abuse,” said Kitty Nooij, the spokesman for public prosecutor, who is in charge of national vice cases. With the increasing popularity of virtual worlds, there are fears people may turn to them to carry out activities considered illegal in the real world. There is no Dutch case law about virtual child pornography in writing, drawings or computer animation. In the United States, where Second Life creator Linden Lab is based, the U.S. Supreme Court struck down a law in 2002 which would ban computer-generated images that depict minors engaged in sexual conduct.

FLA. BAR OKS CLIENT TESTIMONIALS ON LAW FIRM WEB SITES (, 22 Feb 2007) -- After nearly four years of debate, The Florida Bar board of governors has tentatively approved a proposed rule on law firm Web sites that would let lawyers publish client testimonials and claims about their past successes. The proposed rule would largely free law firm Web sites from the state’s restrictive rules governing lawyer advertising in such media as television, radio, direct mail and Yellow Pages. But lawyer Web sites still would have to comply with general Bar rules regarding truthfulness and lack of deception. The proposal still must be passed by the board of governors in a second reading and approved by the Florida Supreme Court. Under the proposed rule approved late last month, the inside pages of law firm Web sites -- but not the home page -- could include testimonials, references to past results and statements characterizing the quality of the services, as long as the statements are truthful, not misleading and come with disclaimers. The disclaimers must say that past results do not guarantee a future success.

RAISING, AND LOWERING, THE BAR ON CELL PHONE PRIVACY (Steptoe & Johnson’s E-Commerce Law Week, 22 Feb 2007) -- When can police search an electronic communications device that is owned by an employer, but is used daily by an employee? As we previously reported, the Ninth Circuit’s recent ruling in United States v. Ziegler left open the possibility that, given an employer’s policy of monitoring computer use, the user of a computer kept in a common space might not have a reasonable expectation of privacy in the device. But, in United States v. Finley, the Fifth Circuit recently found that an employee “had a reasonable expectation” that the call records and text messages on his cell phone would remain private from law enforcement and the general public, even though his employer owned the phone and could have read the messages on it after it was returned. Nonetheless, because the government’s search of the phone was conducted incident to a lawful custodial arrest, the court concluded that no search warrant was required and the search was “reasonable” under the Fourth Amendment. Combined with recent cases holding that Customs agents at the border can search the contents of a laptop with little or no reason, this case suggests that when the government wants to “reach out and touch someone,” it can reach the content on one’s electronic gadgets, too. Finley case at

FEDERAL COURT REAFFIRMS IMMUNITY OF BLOGGERS FROM SUITS BROUGHT AGAINST COMMENTERS (ACS blog, 26 Feb 2007) -- Section 230 of the Communications Decency Act provides that “[no] provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” and that “[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.” A recent decision of the First Circuit has reaffirmed the broad protection this statute provides to bloggers and message board administrators. In Universal Communication Systems v. Lycos, a company who had allegedly been victimized by defamatory statements on a message board regarding the value of its stock sued Lycos, which operated the board. The message board allowed users to post comments with minimal moderation, and no one from Lycos was responsible for the allegedly defamatory statements. Examining the impact of Sec. 230 on this case, the court noted that “Congress intended that, within broad limits, message board operators would not be held responsible for the postings made by others on that board,” adding that allowing bloggers and message board operators to be sued for the statements of commenters on their sites would have an “obvious chilling effect” on speech. Accordingly, the court dismissed the complaint against Lycos. Opinion at

ADDING TO SECURITY BUT MULTIPLYING THE FEARS (New York Times, 26 Feb 2007) -- Foreigners arriving at the American border must present both index fingers for fingerprinting, but that will soon change. The Department of Homeland Security now wants 10 fingers. The two-print system was largely a biometric backup, an added level of security to supplement and verify a passport or a visa. The 10-print system adds a powerful investigative tool. “When we have a fingerprint of a terrorist who has left behind a bomb or an I.E.D. in Iraq or has left his fingerprint in a safe house somewhere, we don’t always have the two index fingers,” Paul Rosenzweig, a Department of Homeland Security official, said at a briefing in December. “It could be the pinkie or the thumb. And thus by moving to a 10-print system, we will enhance our ability to use biometrics to enable us to identify threats before they occur in the United States.” Call it biometric mission creep. People concerned about privacy and civil liberties say they fear the creation of gigantic biometric databases ripe for data-mining abuse. They note that Mr. Rosenzweig was a supporter of the Total Information Awareness program at the Defense Department, which had planned, as the Pentagon put it, to create “ultralarge all-source information repositories.” The program was shut down in 2003 because it scared people. The administration’s last-ditch defense of that effort was telling, too. It changed the name to the Terrorism Information Awareness program. There is a pattern here, said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. “These techniques that are sold to us as necessary to identify terrorists inevitably become systems of mass surveillance directed at the American people,” Mr. Rotenberg said.

BADWARE WEBSITE CLEARINGHOUSE ( -- Badware doesn’t just appear on users’ computers out of thin air - instead, much of it (maybe even most of it) is hosted on websites that then distribute it to consumers who visit those sites. Given the importance of websites as a means of spreading badware to unsuspecting users, has expanded our mission to include shining a light on websites themselves, not just on the applications they host for download. In that vein, we’ve launched the Badware Website Clearinghouse -- a collaborative effort to build a comprehensive list of websites that host, link to, or otherwise distribute badware. Websites can host or distribute badware in a variety of ways. They may be sites that intentionally distribute bad applications for profit; or sites featuring ads, often provided by third parties, that - if clicked on - will attempt to automatically install harmful software; or sites that have been hacked and can download dangerous code onto visitors’ computers without the site owner even knowing the badware is there; and a whole range of sites in between. For a comprehensive definition of what constitutes a badware website, check out our Website Guidelines. Although the list of websites in this Clearinghouse is hosted by, we’re not the only ones contributing to it. This list contains both websites that StopBadware itself has tested and found to contain badware or badware links, as well as thousands of sites that trusted third parties have independently examined, found to be hosts or distributors of badware, and provided to us for posting. Sites that StopBadware has tested itself and determined to contain or link to badware are marked with a [Red_smaller]; sites marked with a [Undetermined_smaller] were reported to StopBadware by one or more trusted third parties whose name(s) appear in a separate column to the left of the site’s url.

WIKIS FOR THE LEGAL PROFESSION (ABA Law Practice Management, Feb 2007) -- If you hang around lawyers talking about “Web 2.0” long enough or read our articles, the word “wiki” is eventually bound to pop out. In fact, it’s hard to have a discussion about Web 2.0 and the new Internet technologies without discussing wikis; they may be one of the oldest tools of the Web 2.0 phenomenon. It’s also a safe bet that few of you reading this article have any real experience with using a wiki, or how a wiki might be useful to the practicing lawyer. Why should lawyers use wikis? They may help lawyers both as consumers and as producers. Most lawyers will get the most value from using wikis created by others. The classic example is the Wikipedia. Wikis can be seen as constantly updated collections of useful information arranged in an encyclopedic or similarly organized way, with hyperlinks to related internal and external information. On the producer side, perhaps the greatest potential of the wiki tool for lawyers is its use as a collaborative tool or even an information or knowledge platform, especially as a way to gather and manage “unstructured” information easily and quickly. The key feature of wikis in this regard is that multiple authors and editors are able to work together to create a collection of information or even collaborative documents. This month The Strongest Links focuses on wikis. We’ve scoured the Net for some of the best links on wikis -- we’ll discuss and point you to resources about what a wiki is and how it works, how to pronounce “wiki,” how a lawyer can use one in his or her practice, and how this tool is an extremely powerful platform for collaborating with others on the Internet….

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
